
Ask HN: Disabling paste in password boxes - why is it practiced?

62 points| BIackSwan | 10 years ago | reply

I have noticed the practice of disabling paste functionality in password fields. I don't understand why it is necessary; on the contrary, it discourages the use of password managers, especially on mobile devices.

The justification by the app builders is that it "improves security". I don't buy it.

Is there a good reason to disable this functionality? What does it improve, since automated hacking programs can always bypass it?

61 comments

[+] satysin|10 years ago|reply
No doubt some self-proclaimed "security expert" did it long ago and it got picked up by a few places and the rest is history.

There are many such anti-patterns around, like requiring "complex" passwords with upper, lower, special, etc. characters yet not accepting more than 16 characters. Something that pisses me off to no end is Microsoft not allowing spaces in their passwords, for some unknown reason.

If it were up to me I would have one limit to passwords, length. A minimum of 12 characters. Sure you will get some moron using aaaaaaaaaaaa but they are the kind of people who will find a way to use an idiotic password no matter what.

The reality is passwords need to die. We should be encouraging pass-phrases.

[+] quaunaut|10 years ago|reply
Using newer cracking techniques[1], pass-phrases are as quick to crack as many others. I honestly think password managers should not exist without the ability to randomly generate new passwords.

1. https://hashcat.net/oclhashcat/

[+] pveierland|10 years ago|reply
In 2012 I had to set up a password for BankID with DNB (The Norwegian Bank), and used the automatically generated password "P0Q1u-A(Va,?mO?nIrBl" from KeePass. Their entropy estimate showed this password as very weak and did not accept it, even though much simpler passwords were shown as "strong". I sent them an email asking them about their entropy estimation, and complained about their implementation disallowing pasting of passwords.

They quickly replied that their entropy estimation was flawed in handling some characters and that they would fix this. They also said that copy/pasting was disallowed as this password should not be stored in any form. I sent them an email back arguing that this policy forces people to use weaker passwords, to which they replied that this would be taken to their product manager.

Now in 2016 they've updated their implementation which allows pasting passwords, making life easier.

[+] kkirsche|10 years ago|reply
As an avid password manager user, thank you for taking up this fight
[+] matthewmacleod|10 years ago|reply
That's really nice. I wish that more organisations responded in that kind of way; I certainly know that if someone wrote to us to complain about password or other security issues we'd certainly take it on board.

What are the reasons that such inquiries often get stonewalled - is it simple organisational complexity, and the difficulty of actually contacting the right individual?

[+] ikeboy|10 years ago|reply
https://www.troyhunt.com/the-cobra-effect-that-is-disabling/ nope.

(For the "type your new password twice to change it" fields there's somewhat of a justification: if someone mistypes their password and then pastes it twice, they'll be locked out of their account. The point of the double field is to prevent typing errors, which means it should be typed twice.)

[+] chrismorgan|10 years ago|reply
But it doesn’t even matter if someone puts the wrong password in: if they get it wrong, you just nudge them to reset it and everyone’s happy.

Getting email address wrong is far more important, but far fewer things do the same doubling up on that.

[+] strathmeyer|10 years ago|reply
If they can paste it twice they can paste it three times.
[+] po|10 years ago|reply
My thought was that this stems from the idea that while the clipboard may be a legitimate and secure way to transfer across programs from a password manager to the password field, it is also an OS-wide shared space. After you tab away to the next app, it will have access to that password that remains in the clipboard. Browsers couldn't clear it (and apps aren't supposed to touch the user's clipboard anyway) so they discouraged it.

You could also alt-tab over to your IRC client (IRC because this was state of the art probably about when this practice started) and forget what is in your clipboard and paste+enter quickly.

I don't think this is a _good_ reason to do it, but that was why I thought it was done. I have no idea if that's the real reason it got started though.

[+] erichurkman|10 years ago|reply
That's why 1Password and other password managers automatically clear the clipboard after X seconds. It's a handy feature.
[+] daenney|10 years ago|reply
The only reason I can think of is to infuriate every user using a password manager and help move the world to a place where stickies with passwords on your screen are commonplace (again).

Annoyingly, Apple has taken to this practice in certain OS password fields, like when you need to enter a password to decrypt a FileVault encrypted disk.

[+] jamessb|10 years ago|reply
I've resorted to selecting the field, pasting into Quicksilver [1] and using the "Type Text" action to get around these restrictions.

[1]: https://qsapp.com/

[+] niteshade|10 years ago|reply
Have you got Full Keyboard Access enabled? (Preferences > Keyboards > Shortcuts). Works fine for me on El Capitan.
[+] ivanhoe|10 years ago|reply
Another equally irritating problem are sites that use just keyup/down events for validation and when you paste a value (or if password manager fills it for you), they don't let you submit the form until you actually type something in that field.
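The keyup-only validation ivanhoe describes, reproduced alongside the fix, as an added example that is not code from the thread or from any site mentioned in it. The `FakeInput` class is a constructed stand-in for a DOM `<input>` so the example runs outside a browser; the 12-character minimum and the sample password are assumptions chosen for illustration (the minimum echoes satysin's suggestion above). Pasting and password-manager autofill fire the `input` event but no `keyup`, and some autofill implementations set `.value` without firing anything, so the fixed wiring listens to `input` and re-reads the field at submit time:

```javascript
// Minimal stand-in for a DOM <input>: just enough event plumbing to run in Node.
// Constructed for this example; in a page you would use the real element.
class FakeInput {
  constructor() { this.value = ''; this.listeners = {}; }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  dispatchEvent(type) {
    (this.listeners[type] || []).forEach((fn) => fn({ type, target: this }));
  }
  // Typing one character fires keydown, input, keyup in a real browser.
  type(ch) {
    this.dispatchEvent('keydown');
    this.value += ch;
    this.dispatchEvent('input');
    this.dispatchEvent('keyup');
  }
  // Pasting, or a password manager filling the field, fires 'input' but no key events.
  paste(text) {
    this.value = text;
    this.dispatchEvent('paste');
    this.dispatchEvent('input');
  }
  // Some autofill implementations set .value without firing any event at all.
  silentAutofill(text) { this.value = text; }
}

const MIN_LEN = 12; // assumed policy for the example
const isAcceptable = (pw) => pw.length >= MIN_LEN;

// Anti-pattern: the submit button only ever changes state inside a keyup handler,
// so a pasted or autofilled value never enables it.
function wireBrokenValidation(field) {
  const state = { submitEnabled: false };
  field.addEventListener('keyup', () => { state.submitEnabled = isAcceptable(field.value); });
  state.submit = () => (state.submitEnabled ? 'submitted' : 'blocked');
  return state;
}

// Fix: react to 'input' (fires for typing, paste and most autofill) and
// re-read the field value at submit time so silent autofill still works.
function wireFixedValidation(field) {
  const state = { submitEnabled: false };
  const refresh = () => { state.submitEnabled = isAcceptable(field.value); };
  field.addEventListener('input', refresh);
  field.addEventListener('change', refresh);
  state.submit = () => { refresh(); return state.submitEnabled ? 'submitted' : 'blocked'; };
  return state;
}

// Runs one wiring strategy against one way of filling the field and
// reports whether the form would have let the user through.
function scenario(wire, action) {
  const field = new FakeInput();
  const form = wire(field);
  action(field);
  return form.submit();
}

const SAMPLE_PW = 'correct horse battery staple'; // constructed sample, 28 chars

console.log('broken + paste   :', scenario(wireBrokenValidation, (f) => f.paste(SAMPLE_PW)));
console.log('fixed  + paste   :', scenario(wireFixedValidation, (f) => f.paste(SAMPLE_PW)));
console.log('fixed  + autofill:', scenario(wireFixedValidation, (f) => f.silentAutofill(SAMPLE_PW)));
```

The server must still enforce the policy on what it actually receives; the client-side check is a courtesy to the user, and the bug above shows why it should never be the gate that decides whether a request is sent.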
[+] Strom|10 years ago|reply
Probably the same reason why some sites have a maximum password length of 8. Security design by people who are clueless about security.
[+] joshmn|10 years ago|reply
Not too long ago Ticketmaster had a minimum length of _4_.
[+] nextweek2|10 years ago|reply
Really this question should be asked in the relevant forum. A better place to ask might probably be: https://security.stackexchange.com/

The main reason is the clipboard is plain text and shared with everything. I had this happen last week when my other half was using my laptop. The cat walked over the keyboard and she wondered where this person's name had come from. Turns out it was from me using the clipboard 5 days earlier.

It dawned on me then, the clipboard needs a time limit. It needs to clear after an hour of inactivity, it needs to clear on resume.

[+] tony-allan|10 years ago|reply
None that I can see. It's a stupid practice to annoy users. I store my passwords in a password manager and copy and paste all the time.

I don't use software that disables paste.

[+] Johnny555|10 years ago|reply
I also find it annoying when sites make me type my email twice and won't let me copy-and-paste it the second time - I know my email address and can tell by looking at it if I've typed it correctly, I really don't need to type it again to prove that I can type it.
[+] dannysu|10 years ago|reply
Plenty of people don't even type their email correctly. Ask anybody that runs a service and sends email, then you'll see. E.g. "[email protected]" vs the typo missing the final 'm' "[email protected]"

But I do agree it's rather annoying and not allowing paste is even worse.

I actually trust my copy-and-paste more than me not making a typo because I am human. By not allowing paste, websites are asking me to potentially make mistakes.

Perhaps a better solution is for the browser to have a button on <input type="email"> fields to allow me to select from a list of emails I have. The browser needs to protect this data from being website accessible until I give permission for privacy reasons, but that would have been a way better UX.

[+] hjnilsson|10 years ago|reply
I always feel like this is protecting against the wrong userbase. A user who is advanced enough to want to copy-paste his email is not the same user who lacks the skills to type it correctly the first time
[+] cube00|10 years ago|reply
You might, plenty don't, and I have the bounce backs to prove it.
[+] sheepleherd|10 years ago|reply
Am I the only one here who memorizes passwords, types them in, and it works and they serve their purpose? I've got a few "schemes" to systematize a bit, I share passwords for non critical things, etc.

My biggest beef is the constant asking "do you want the browser to insecurely save this?" How did that become the default? No wonder people can't remember passwords if they never type them. I use many machines, and multiple browsers per machine and I don't synchronize them, so changing the remember passwords setting is such a chore I usually stick to clicking "remember never".

I don't think I can recall (dozens of years of computing) ever having a password hacked. Privilege escalation is the main threat.

[+] 98Windows|10 years ago|reply
It might discourage people from storing their passwords in plain text files and force them to memorise it.

It adds to the image that passwords are something special and secret if you cannot use basic functionality.

[+] tyingq|10 years ago|reply
At least one of the reasons is that Windows often picks up rich formatting characters if you cut/copy.
[+] teilo|10 years ago|reply
This is not a problem with Windows. This is only a problem if the site's implementation allows rich text, which I have never ever seen in a password field.

Windows will paste plain text unless the text field in question is explicitly identified as rich text.

[+] minikites|10 years ago|reply
TurboTax does this and it's very close to making me quit using it.
[+] bblough|10 years ago|reply
H&R Block Online also does this, and is the primary reason that I switched away from them this year.

Ironically, I switched to TurboTax, but didn't have the same issue because the login is done automatically via my bank login.

Does anyone know of a decent online tax app that doesn't disable the pasting of passwords?

[+] taf2|10 years ago|reply
Right click, Inspect Element. Edit the value attribute, pasting your password. Should work.
[+] papageek|10 years ago|reply
I use AutoIt and automater to bind ctrl+alt+v to "type" from clipboard for just this reason.
[+] IanCal|10 years ago|reply
Was there a historical reason about JavaScript on other pages pulling what was in your paste buffer?
[+] livus|10 years ago|reply
Making it worse are some websites totally disabling right click. Very very annoying.
[+] fareesh|10 years ago|reply
My bank does this - no idea why. I use a bookmarklet to re-enable paste.
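The "bookmarklet to re-enable paste" fareesh mentions, written out as an added example; this is not fareesh's bookmarklet nor code from any site in the thread. `FakeWindow` and `FakePasswordField` are constructed stand-ins that model only the part of DOM event dispatch that matters here (window-level capture listeners run first, then the element's own handlers, then the default action unless `preventDefault()` was called), so the example runs in Node. The approach is the standard one: a capture-phase listener on `window` stops the `paste` event before any page handler sees it, and because nothing calls `preventDefault()` the browser still performs the default action and inserts the clipboard text:

```javascript
// Minimal model of how a browser dispatches a 'paste' event to an <input>.
// Constructed stand-ins for this example; in a real page these are DOM objects.
class FakeWindow {
  constructor() { this.captureListeners = []; }
  addEventListener(type, fn, capture) {
    if (type === 'paste' && capture) this.captureListeners.push(fn);
  }
}

class FakePasswordField {
  constructor(win) { this.win = win; this.value = ''; this.listeners = []; this.onpaste = null; }
  addEventListener(type, fn) { if (type === 'paste') this.listeners.push(fn); }
  // Simulates the user pressing Ctrl+V with `clipboardText` on the clipboard.
  paste(clipboardText) {
    const ev = {
      type: 'paste', defaultPrevented: false, stopped: false,
      preventDefault() { this.defaultPrevented = true; },
      stopImmediatePropagation() { this.stopped = true; },
    };
    // Capture phase: window runs before the target element.
    for (const fn of this.win.captureListeners) { if (ev.stopped) break; fn(ev); }
    // Target phase: listeners added with addEventListener, then the inline handler.
    if (!ev.stopped) {
      for (const fn of this.listeners) { fn(ev); if (ev.stopped) break; }
      // An inline onpaste="..." handler that returns false cancels the event.
      if (!ev.stopped && this.onpaste && this.onpaste(ev) === false) ev.preventDefault();
    }
    // Default action: insert the text unless someone cancelled the event.
    if (!ev.defaultPrevented) this.value += clipboardText;
    return !ev.defaultPrevented;
  }
}

// What a paste-blocking site typically ships, in both common forms.
function siteBlocksPaste(field) {
  field.onpaste = () => false;                          // <input onpaste="return false">
  field.addEventListener('paste', (e) => e.preventDefault());
}

// The bookmarklet's logic: stop the event at window capture so no page
// handler runs; preventDefault() is never called, so the paste still happens.
function reenablePaste(win) {
  win.addEventListener('paste', (e) => e.stopImmediatePropagation(), true);
}

// The same logic as a javascript: URL that can be saved as a bookmark.
function pasteBookmarklet() {
  const body = "window.addEventListener('paste',function(e){e.stopImmediatePropagation()},true)";
  return 'javascript:(function(){' + body + '})()';
}

// Runs the scenario with or without the bookmarklet applied.
function demo(unblock) {
  const win = new FakeWindow();
  const field = new FakePasswordField(win);
  siteBlocksPaste(field);
  if (unblock) reenablePaste(win);
  const pasted = field.paste('correct horse battery staple'); // constructed sample
  return { pasted, value: field.value };
}

console.log('site as shipped :', demo(false));
console.log('with bookmarklet:', demo(true));
console.log(pasteBookmarklet());
```

Two caveats a practitioner would note: this only defeats handlers on the `paste` event, so a site that instead intercepts Ctrl+V in a `keydown` handler, or that uses the keyup-only validation discussed earlier in the thread, needs a different workaround; and the bookmarklet runs with the page's own origin, so only apply it on pages you already trust with the password you are about to paste.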
[+] regularfry|10 years ago|reply
My guess is to stop copying and pasting from Desktop\passwords.doc.
[+] Johnny555|10 years ago|reply
Is keeping a plaintext password file worse than forcing users to use a password that's easy to type and encouraging them to use the same password everywhere?
[+] dkopi|10 years ago|reply
It only stops the pasting, not the copying.