[Update: TreasuryDirect upgraded its website. The new site doesn’t use the virtual keyboard anymore.]
When you buy I Bonds in multiple accounts for yourself, spouse, kids, trust, business, and as gifts, logging in to the TreasuryDirect website can be a pain.
Separate Logins
You have to log in separately using each assigned TreasuryDirect account number, not a user ID you register for yourself. It’s difficult to remember the TreasuryDirect account numbers. You’d have to save them somewhere, ideally in a password manager such as KeePass, Bitwarden, or LastPass.
You copy the account number from the password manager and paste it on the login page. You’ll receive a one-time passcode at your registered e-mail address. The one-time passcode is case sensitive. You copy and paste it on the next page. So far so good.
Virtual Keyboard
Now comes the password part. You can’t copy and paste directly into the password field in your web browser. The TreasuryDirect website uses this virtual keyboard:
You click on the buttons with your mouse or finger to enter your password. If you follow the recommended security practice and use a long password with a mix of letters, numbers, and symbols, it’s painful to enter your long password.
Some password managers can fill in the password automatically. 1Password and Keychain on Mac work out of the box. If your password manager doesn’t, you may be tempted to reset your password to a simpler one just to avoid this pain. Don’t. There’s a workaround.
Remove HTML Attribute
The reason you can’t paste into the password field is that the TreasuryDirect web page instructs your browser to set that field to read-only. When you’re on your laptop, if you right-click on the password field and choose “Inspect” in the context menu (it works at least in Chrome and Firefox), you will see this:
<input type="password" autocomplete="off" readonly="readonly" name="password" size="20" maxlength="16" class="pwordinput" value="" data-cip-id="blah blah">
When you double-click in that area and simply remove the part in red (readonly="readonly"), the password field won’t be read-only anymore. Now you can copy and paste your password!
Whether the password field is read-only or not only affects the behavior of your browser. Whether you click on the virtual keyboard or copy and paste your password, the password will be transmitted to TreasuryDirect securely via SSL in the same way.
This works in a desktop browser. It’s difficult or impossible on a mobile device.
Browser Bookmark
If you’d like to eliminate the extra steps to right-click and remove the HTML attribute every time you log in, you can use a browser bookmark to automate the task. Create a bookmark in your browser and use this as the URL:
javascript:(function(){document.querySelector(".pwordinput").removeAttribute("readonly")})();
Even if you don’t know anything about coding, you can see this looks for the password field (“pwordinput”) and removes the read-only attribute.
Next time you’re on the password page in TreasuryDirect, click on that bookmark. Nothing visible happens but it removes the read-only attribute from the password field. You can copy and paste your password from the password manager now.
It works the same way as manually removing the HTML attribute. It just happens in one click instead of multiple steps.
Browser Extension
If you’re more technical and you already use a browser extension or add-on such as Greasemonkey for Firefox or Tampermonkey for Chrome, you can put a script in the browser extension and eliminate that one click of a bookmark.
Using a browser extension is beyond the scope of this post. Here’s a solution I found on the Internet:
I didn’t test either script. It may not be the only solution or the best one. Please inspect and use it at your own risk. Because I don’t log into the TreasuryDirect system frequently, clicking on a bookmark once per session is easy enough for me.
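A userscript along the lines this section describes, written as an added example; it is not the script the post linked to and is not the author's code. It assumes the `pwordinput` class and `maxlength` attribute from the markup quoted above and the `www.treasurydirect.gov` host; the origin check and the paste-length warning are additions.

```javascript
// ==UserScript==
// @name   TreasuryDirect password field: allow paste (added example)
// @match  https://www.treasurydirect.gov/*
// @grant  none
// ==/UserScript==

const ALLOWED_HOST = "www.treasurydirect.gov"; // assumption: the site's login host
const SELECTOR = "input.pwordinput"; // class from the markup quoted in the article

// Act only on the expected site over HTTPS, so the script never touches a
// look-alike page that happens to reuse the same class name.
function isExpectedOrigin(loc) {
  return loc.protocol === "https:" && loc.hostname === ALLOWED_HOST;
}

// Remove readonly and report the length limit the markup declares.
function unlockPasswordField(doc) {
  const field = doc.querySelector(SELECTOR);
  if (!field) return { found: false, maxLength: null };
  field.removeAttribute("readonly");
  const max = parseInt(field.getAttribute("maxlength"), 10);
  return { found: true, maxLength: Number.isNaN(max) ? null : max };
}

// Browsers cut pasted text at maxlength without telling the user; return how
// many characters of a pasted value would be dropped (0 means it fits).
function droppedOnPaste(pastedLength, maxLength) {
  if (maxLength === null) return 0;
  return Math.max(0, pastedLength - maxLength);
}

function install(doc, loc) {
  if (!isExpectedOrigin(loc)) return;
  const { found, maxLength } = unlockPasswordField(doc);
  if (!found) return;
  doc.querySelector(SELECTOR).addEventListener("paste", (event) => {
    const text = event.clipboardData.getData("text");
    const dropped = droppedOnPaste(text.length, maxLength);
    if (dropped > 0) {
      // Log lengths only, never the pasted value itself.
      console.warn(`Pasted text is ${dropped} characters over the field limit of ${maxLength}.`);
    }
  });
}

// Runs inside the browser via the userscript manager; skipped elsewhere.
if (typeof document !== "undefined") install(document, location);
```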
John Endicott says
Nice workaround for one of my biggest gripes with TD. Thanks.
always_gone says
Thank you for promoting the use of Password Managers – they are a critical step in protecting online accounts. They make it easier for heirs to gain access, and they easily allow for random words to be stored for the answers to “My favorite food” or “My high school mascot is” questions.
Walt says
Apple safari keychain works well for me.
GeezerGeek says
Thanks for the work around script for the manual entry of the password. That part of logging onto the site was a real PITA. I guess they thought the manual entry added an additional level of security but if a script can bypass that feature, it isn’t any obstacle for a hacker.
Rex says
Plus, it makes people create shorter passwords!
Ray says
Thank-you! Big improvement.
Mark L says
Using the hint in the article, I was able to build the following auto-type sequence for KeePass, which seems to work for me:
{USERNAME}{ENTER}{DELAY 3000}^+J{DELAY 3000}{TAB}{DELAY 2000}document.querySelector{(}".pwordinput"{)}.removeAttribute{(}"readonly"{)}{ENTER}{DELAY 2000}^+J{DELAY 1000}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{PASSWORD}{ENTER}
Adam P says
Whoa, would not have thought of this. I got it working after a few tweaks. On my computer/browser the “^+J” does not do the right thing, so I replaced the two “^+J”s with “{F12}” and dropped a “{TAB}”
{USERNAME}{ENTER}{DELAY 3000}{F12}{DELAY 3000}document.querySelector{(}".pwordinput"{)}.removeAttribute{(}"readonly"{)}{ENTER}{DELAY 2000}{F12}{DELAY 1000}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{PASSWORD}{ENTER}
Mark L says
My solution was for Chrome, though it’s not super robust. Are you on a different browser?
Adam P says
Yes, different browser. I use Firefox
Mark L says
This solution for KeePass seems a bit more robust and works with Chrome. Haven’t tested it in other browsers. It works by typing in the JavaScript into the address bar.
On the following web site https://www.treasurydirect.gov/RS/UN-Display.do
Use the following auto type sequence
{USERNAME}{ENTER}{DELAY 2500}%d{DELAY 500}javascript:{(}function{(}{)}{{}document.querySelector{(}".pwordinput"{)}.removeAttribute{(}"readonly"{)}{}}{)}{(}{)};{ENTER}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{PASSWORD}{ENTER}
David Carter says
Thank you! As an IT professional, the TD website frustrates me to no end. With TamperMonkey & Dashlane, and the user script you referenced, it now works like any other website!
Kevin says
Harry, you rock!
Jake says
Thank you! This is by far the most irritating thing about that website. This is really helpful!
Michael says
The bookmark trick doesn’t work in Microsoft Edge it seems. Have tried it multiple times on a few computers.
I looked over the Tampermonkey solution, and it works as expected and the code in the one linked from the post above does nothing more than what Harry posted as his bookmark fix. So it’s completely benign and safe to use it appears.
Works great with LastPass and MS Edge as my main browser.
Old mariner says
To Harry Sit: Have you written an article about the pros and cons of using a password manager? I guess that’s not a strictly financial subject. I searched your site, but didn’t find anything of that nature. I’m wary of using a password manager. I guess I think anything can be hacked, and if that were hacked it would be hugely disastrous. I’d be interested in your thoughts if ever you wanted to write about the subject.
Harry Sit says
I have it in my book My Financial Toolbox. Some password managers are 100% local. They aren’t centrally located. Some password managers that are in the cloud store the passwords encrypted with a master password. The master password stays local. These setups all greatly reduce the risk of hacking.
Kevin says
@Old mariner,
There was a good article about Password Managers recently posted on Reddit:
On the Feeding and Care of Password Managers
Old mariner says
To Harry: Thank you. I’ll look for your book on Amazon. You write and explain in a way I can easily understand.
To Kevin: Thank you. I followed your link and read it all. Very interesting. I might need to update my way of managing my passwords.
Pete says
Thanks for this!
On Mac Safari I didn’t think this was working because the input field didn’t change visually. After running the script you have to click on the field then it will change visually to a typical input field.
BTW, This simpler script works too:
javascript:document.querySelector(".pwordinput").removeAttribute("readonly")
Bob Duke says
Works great on Edge – Thank you!
Andy says
Great tip. I have been doing this with Tampermonkey for a while, but it’s nice to see the other options. I like the Javascript bookmark trick.
Matthew says
Thanks for this clear and useful writeup! I couldn’t get the bookmark to work when I initially tried this months ago. I figured out my problem today, and learned two things in the process.
1) Treasury Direct passwords cannot use lowercase letters. I created a random password in my password manager and when I saved it to TD via the virtual keyboard, TD converted the lower case to upper case whereas my password manager retained the lowercase characters. This caused a mismatch that prevented the bookmark trick from working. Updating lowercase characters in my password manager to upper case resolved the problem.
2) TD passwords have a maximum of 16 characters. My password had more, but TD only reads the first 16! Updating my password manager to only the first 16 characters of my password still allows me to access TD. This may have been mentioned when I initially created my TD password, but if so I missed it.
Bruce says
Harry, this is absolutely brilliant; many thanks! Why TD would implement a sign-in procedure requiring a virtual keyboard is beyond me. Our tax dollars (not) at work.
compuguy says
Heads up, it looks like they’ve changed the page during the 10/29/22-10/30/22 maintenance and added some Javascript to prevent any of the current scripts from working. Fun times!
Harry Sit says
I just tried the browser bookmark. It’s still working for me.
Bob Duke says
Still working for me. 🙂
ec on says
Always write down all your personal identifier codes and question/answer values for Treasury Direct in a secure place. Where nobody else goes. If one of the many becomes lost, or mistyped a few times, the site blocks you out. To recover your account requires several headaches. In effect reapplying where the other side controls the answers and will throw you out at any point of difference. Telephones are answered within 1-2 hours or not at all. Much worse than changing funding checking account which is itself off-putting. Remember people this agency is run like its sister agency the IRS with slightly less attitude.
andre breton says
Hell ya brother! Thank you!
Goran says
Thank you. Excellent tip, to get around the antiquated security requirement. Removing the read-only attribute worked exactly as described.
Ashley Connor says
uBlock rule for removing TD readonly attribute
! TreasuryDirect ro password
treasurydirect.gov##+js(ra.js, readonly, input#password)
Ashley Connor says
! TreasuryDirect RO password
treasurydirect.gov##input#password:remove-attr(readonly)
also works