How widespread is this practice? Real time form validation is very widespread and as we all know validating form input is security best practice.

 

An obvious example of something which is near ubiquitous these days is the password strength meter.

 

Type more and more characters in and the meter changes colour from red to green to show the password is now at an acceptable level of strength - so they're clearly reviewing your input before final submission.

 

That being said, there's a difference between what happens as I've described above, which is just a piece of script running and checking your input as it's typed through an API, and actually recording your input until it's finally submitted.

 

How do you know what they're doing with your input either fully submitted or otherwise? I guess you're reliant on reading their T&Cs and ultimately making a judgement on whether or not you trust them? Or at the very least trust in any regulatory system they are required to abide by to control them accordingly. (Or punish them if they break the rules.)

 

Maybe if they are recording everything that's input into their form fields they are opening themselves up for a denial of service attack where someone sends them endless reams of useless data to fill up their storage? Or at the least an economic denial of service where the volume of storage they're forced to use becomes cost prohibitive.

 

BTW - I'm assuming in your example there's something else (e.g. a cookie) telling them who you are in order to load up your list of previously used passwords via the API. As otherwise it could be used as part of a password guessing mechanism. e.g. Type in the username of your target and start guessing passwords and the system will handily tell you if they've been used before so you can check if they're still in use on other sites.

 

> ericgeater (Newcomer III) posted a new topic in Tech Talk on 08-07-2019 07:12 PM

> Does anyone else have a problem knowing that field input can occur without
> pressing ENTER?

Yup. (You probably have to run traffic analysis to figure it out ...)


>   To me, pressing ENTER is committing the input.  Having it passed at
> keystroke time seems a bit intrusive for some reason.

Well, there is usually no (or little) indication that it is doing so.

>   But I don't know how widespread
> the practice is, so it's a bit unnerving to know that ANY site could be capture
> input data without it actually being INPUT.  I could mistakenly type another
> site's password (which could lead to an inference attack if the site's owner is
> unscrupulous), or be questioned for things I typed into a field, only to
> backspace out of editorial courtesy, or... ???   Like I said, talk me down. 

No, I'm not going to talk you down. You aren't paranoid. They are doing it. And
usually without any indication that it is going on.

The "community" does it. Type something in the search box, and, as you type,
you start seeing completion suggestions. Same thing happens when you start
typing in a subject for a new topic. (And when entering a label.) Obviously the
Website is taking your keystrokes as you type them, long before you hit enter.
(Same thing is happening when you are entering stuff in the editor, but that tends
to be more expected, I suppose.)

Pretty much any entry field can do it, if the site is set up that way.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Everything should be made as simple as possible, but not simpler.
- Albert Einstein
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

---

@ericgeater wrote:

Does anyone else have a problem knowing that field input on a website can occur without pressing ENTER?

---

Not surprised, nor do I see it as a problem. As Alec mentioned, the functionality is often helpful and well received.  One of my favorite examples is ticking complexity rules as they are met. 

 

The bottom line is that when visiting a web site, you are giving that site permission to run their program (javascript) in your browser window.  Their program has access to anything you give it, including keystrokes.  Pretty much the best one can do is to keep the "foreign entity" out of their browser in the first place by doing things like disabling JavaScript (etc.) and disabling phone home.  Of course, doing so tends to cause breakage.

 

The bigger concern to me is that browsers have a history of allowing JavaScript access to things I did not authorize (even if in error), such as the local file system, other browser windows, etc.  Fortunately, browser manufacturers are pretty good about closing these faults as they are found.

 

Do note that I am reacting to the "press enter" question, not the "previous password"  statement.  I would hope that a password-reset site would not divulge any information (including correctness of username/email) until after having validated yourself through some secondary channel (e.g. a "confirmation" email).  If the website in question got that order wrong, I am standing aside CISOScott.

 

P.S.  @rslade, why would you have a problem with knowing something? :-).