Today I logged in to pay my cellphone bill, and I found that the site has disabled paste functionality in password field.
I'm a webdev and I know how to fix this, but for regular user is REALLY annoying having to type a random password like o\&$t~0WE'kL.
I know that is normal to make users write the password when creating an account, but is there any reason to disable pasting passwords during login?
There is no substantial security benefit to disallowing pasted passwords; on the contrary it is likely to weaken security by discouraging the use of password managers to generate and autofill randomized passwords. While some password managers are capable of overriding pasting restrictions, the point still stands that users should not be forced to type their password by hand.
Excerpt from a relevant WIRED article:
Websites, Please Stop Blocking Password Managers. It’s 2015
But what’s crazy is that, in 2015, some websites are intentionally disabling a feature that would allow you to use stronger passwords more easily—and many are doing so because they wrongly argue it makes you safer.
Here’s the problem: Some sites won’t let you paste passwords into login screens, forcing you, instead, to type the passwords out. This makes it impossible to use certain kinds of password managers that are one of the best lines of defense for keeping accounts locked down.
Disabling pasting a password field introduces a "Cobra effect". A Cobra effect "occurs when an attempted solution to a problem actually makes the problem worse."
Troy Hunt recently wrote an article where he explains it in more detail. It's essentially a security theater, like what happens at airports to "make us safer". Troy Hunt calls it a Cobra effect because it disables the use of secure, 50-character passwords that would be pasted from a password manager. At best, it forces people to create passwords that are easy to remember and thus more hackable.
Some might say that it makes you safer because it prevents your clipboard from being copied by malware, but they ignore the fact that if malware can already do that, they can also copy all kinds of keypresses, not just Ctrl+V. It's pointless.
From a UX perspective, it's just annoying, like you say. So it's annoying from a UX perspective, and it doesn't make us safer. There's no point to this "feature".
No, there is no sensible reason for doing this. It is bad UX, plain and simple. Disabling pasting into a password field is actually encouraging bad passwords. Password managers automatically clear out the clipboard after pasting, so that argument is no longer valid.
The main security argument to disallow copy&pasting of passwords is that the password remains in the users clipboard afterwards. This can lead to accidental exposure of the password in an unrelated context. For example when the user then accidently pastes it into a different input field in a different application (web or otherwise). Another possible scenario could be when the user walks away from their device without locking it and someone else presses ctrl+v to check what they have in their clipboard.
However, this is a really small risk compared to the huge security advantages password managers have. Also, password managers often have a feature to auto-clear the clipboard a few seconds after copying a password from them which greatly reduces this risk.
There are reasons to do it, though not very good ones.
Basically, it discourages copy and pasting. This means users are less likely to forget it on their clipboard and have it accidentally leaked. Also if they are pasting it, it means they have it saved somewhere (like a text file), which is not as secure as their brain - so if the text file becomes useless, maybe they'll rely on their memory more.
Of course these don't actually make sense. A lot of people who copy and paste are doing so from their password manager, which is very well protected. Password managers automatically clear the clipboard as well, and as pointed out elsewhere, what are the odds that your user got a keylogger that can read the clipboard but not the key presses?
To me, things like this reveal a kind of contempt for the user's intelligence. It's basically saying, "you are too dumb to not get your password stolen, you are too dumb to follow simple security guidelines, we are just going to strap this baby harness on you to protect you from yourself". Nevermind that when your login details are stolen, it's far more likely to be because of a data breach on the server side, rather than some clipboard leak on the client side. I try to avoid such sites if at all possible, since they make me think I'm not the right audience for the site.
Luckily many password managers these days are starting to just emulate key presses instead of straight up pasting, so in the end the joke's on them.
I can actually think of exactly one good reason to disallow password pasting. When initially setting your password, or changing it.
The reason is that there does exist a small chance that for whatever reason, you failed to copy your password into the clipboard when you thought you had, and so what you paste into the password field is actually just whatever nonsense was on your clipboard before that. Since the password field is masked, you'd have no way of knowing that you've just pasted
826 W. Main St. into the new password field, instead of
Bubblez84-l0ve!
or
h*7dn$l83k&(4;p
like you thought you had. Which will be a real problem the next time you try to log in.
I'm a product manager for online security at a very large company.
I actually had a meeting today regarding the disabling of pasting passwords. We do allow to paste passwords at the moment but think about changing it.
There are different perspectives you can take on this approach and the pros/cons may completely vary depending on the use case you have and how your site is secured and if you use 2FA or not.
Personally i would not disable the pasting of passwords for sites that only rely on username & password for the login.
I'm thinking about disabling it in our case for several reasons
The strength of your password does not make you more secure in our case. Yeah, i know we are telling people since ages that they should choose a reasonably secure password but in the end this won't help you/us a bit if your computer is infected by malware. Malware doesn't care if your password is "12345" or some super complicated 100 character cypher. It either steals it or takes over your session.
We don't face the risk of brute-force or password-guessing attacks. There are ways to mitigate against that which are in place in our case.
There are behavioral biometrics solutions where profiles are built based on keystroke dynamics etc. which allow with a high degree of certainty to identify if a user that enters the credentials is indeed the user we expect. Credentials are true or false. If somebody has your credentials he is able to authenticate. This is why i would like to know if the person who is entering the correct credentials is indeed the person that we expect to know them. Username and password have to be entered every time during the login process so those fields are pretty interesting to check if such a solution is deployed at the organisation. This is not possible if somebody copy/pastes their password.
I have not made up my mind about disabling it in our case yet. As always we need to keep a balance between usability and security.
Many of the answers point out this is bad practice because it can break password managers. While the use of password managers should be encouraged storing passwords in the clipboard should be strongly discouraged. The clipboard is not some special secure locker for information and by design makes it contents easy to access and offers no encryption.
Here is just one scenario of how this could be exploited:
There have even been cases where someone bought a bunch of rich media ads on a bunch of well know websites. While they looked like a seemingly harmless flash ad it was actually stealing the visitors clipboard data in hopes of getting useful information.
So in closing, if you have something you want to keep safe and secure don't store it in the clipboard.
Other answers have given more in-depth explanations, but in short remember that the biggest security risk with regards to passwords still comes from attacks targeted at the servers, not at a client. In other words, having your password on the clipboard doesn't really put it at much risk because if the password were to be cracked it would more likely be cracked from a password database stolen from the server or even bruteforced than stolen from your clipboard.
Hence why it is significant that, as other answers have pointed out, preventing a user from pasting their password discourages them from having a complex password, making their password easier to bruteforce and therefore less secure.
I think it depends on the services which are secured by the login form. It is important to consider that a password manager can restrict the login to the device where the password manager is installed, which is not always what the service provider agrees with. For example, if the service was a bank which wants to give their users the opportunity to lock cards in case of loss or thievery, it may want to preserve this privilege in cases where the device running the password manager was also lost or stolen.
