So this has been getting quite a bit of airtime today:
@Sacro Hi Ben, I understand but as a business we've chosen not to have the compatibility with password managers. Thanks, Joe — British Gas Help (@BritishGasHelp) July 14, 2015
Yes, it’s ridiculous and British Gas are getting the lambasting they so deserve, but an egregious security faux pas is hardly a new thing for them:
@passy We'd lose our security certificate if we allowed pasting. It could leave us open to a "brute force" attack. Thanks ^Steve — British Gas Help (@BritishGasHelp) May 6, 2014
But here’s what really gets me and this tweet sums it up perfectly:
This is not about supporting password managers as though British Gas would have to invest effort to make them work – that’s Internet Explorer 8 compatibility! This would make perfect sense:
As a business we’ve chosen not to have the compatibility with six year old browsers
This makes sense because it’s an investment that has to be made and you simply cannot justify the ROI in this day and age.
Lack of support for password managers is not because the organisation doesn’t want to invest the effort; it’s because they’ve been stupid enough to actively set out to disable them. A password field that works with a password manager requires nothing extra; blocking paste requires somebody to write code that breaks it.
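To make the "actively set out to disable them" point concrete, here is an added example (not code from the original post, and not British Gas’s real markup): a small audit that scans login-page HTML for password fields carrying the inline clipboard handlers or autocomplete="off" that break password managers, next to the hardened version of the same field. The sample form is constructed for the example.

```javascript
// Added example (not from the original post): audit login-page markup for the
// paste-blocking anti-pattern. SAMPLE_LOGIN_PAGE below is constructed, not real.

const CLIPBOARD_HANDLERS = ['onpaste', 'ondrop', 'oncopy', 'oncut'];

// Extract every <input ...> tag and its attributes from an HTML string.
// A regex is enough here: we only need attribute name/value pairs, not a DOM.
function parseInputs(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags.map(tag => {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let m;
    while ((m = attrRe.exec(tag)) !== null) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
    }
    return attrs;
  });
}

// One finding per password field that interferes with password managers:
// an inline clipboard handler (typically "return false") or autocomplete="off".
function auditPasswordFields(html) {
  const findings = [];
  for (const attrs of parseInputs(html)) {
    if ((attrs.type || 'text').toLowerCase() !== 'password') continue;
    const field = attrs.name || attrs.id || '(unnamed)';
    for (const h of CLIPBOARD_HANDLERS) {
      if (h in attrs) findings.push({ field, issue: `${h} handler blocks clipboard input` });
    }
    if ((attrs.autocomplete || '').toLowerCase() === 'off') {
      findings.push({ field, issue: 'autocomplete="off" hides the field from password managers' });
    }
  }
  return findings;
}

// Constructed sample of a paste-blocking login form.
const SAMPLE_LOGIN_PAGE = `
<form action="/login" method="post">
  <input type="text" name="email" autocomplete="username">
  <input type="password" name="pwd" onpaste="return false;" autocomplete="off">
  <input type="password" name="pwd2">
</form>`;

// Hardened form of the same field: no clipboard handlers and a password-manager
// friendly autocomplete token. Limiting guesses belongs on the server (rate
// limits, lockouts), not in the browser's clipboard.
const HARDENED_FIELD = '<input type="password" name="pwd" autocomplete="current-password">';

console.log(auditPasswordFields(SAMPLE_LOGIN_PAGE));
console.log(auditPasswordFields(HARDENED_FIELD));
```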
I’ve written about this before in The “Cobra Effect” that is disabling paste on password fields and that post from a year ago remains just as relevant today. But hey, they’re a large corporate, which frequently means not being bound by the same rules of logic that actually explain how things work (or don’t). They’ve indicated this was a conscious decision, and large corporates make these decisions only after many spreadsheets have been written and PowerPoint decks shown, so how about this:
British Gas – share with us the information on which you’ve based your decision to consciously invest effort in disabling security.
Hey, maybe the rest of us will learn something! If that’s the case then we can all be happy in having picked up some newfound wisdom. If not, I’ll happily show them exactly how to fix the problem :)