
Ask HN: Disabling paste in password boxes - why is it practiced? - BIackSwan
I have the practice of disabling paste functionality into password fields. I don&#x27;t understand why it is necessary - on the contrary - it discourages use of password managers - especially on mobile devices.<p>The justification by the app builders is that it &quot;improves security&quot;. I dont buy it.<p>Is there a good reason to disable this functionality? What does it improve since automated hacking programs can always by pass it?
======
satysin
No doubt some self-proclaimed "security expert" did it long ago and it got
picked up by a few places and the rest is history.

There are many such anti-patterns around like requiring "complex" passwords
with upper, lower, special, etc. characters yet do not work with >16
characters. Something that pisses me off to no end is Microsoft not allowing
spaces in their passwords for some unknown reason.

If it were up to me I would have one limit to passwords, length. A minimum of
12 characters. Sure you will get some moron using aaaaaaaaaaaa but they are
the kind of people who will find a way to use an idiotic password no matter
what.

The reality is passwords need to _die_. We should be encouraging pass-phrases.

~~~
quaunaut
Using newer cracking techniques[1], pass-phrases are as quick to crack as many
others. I honestly think password managers should not exist without the
ability to randomly generate new passwords.

1\. [https://hashcat.net/oclhashcat/](https://hashcat.net/oclhashcat/)

~~~
satysin
For sure in an ideal world all users would have a password manager that
generates 60+ character long passwords that are unique to every service but
sadly that probably won't happen for a long time.

~~~
imtringued
In an ideal world we wouldn't have blackhat hackers.

A more practical solution is to simply generate a public/private key pair on
registration.

------
pveierland
In 2012 I had to set up a password for BankID with DNB, (The Norwegian Bank),
and used the automatically generated password "P0Q1u-A(Va,?mO?nIrBl" from
KeePass. Their entropy estimate showed this password as very weak and did not
accept it, even though much simpler passwords were shown as "strong". I sent
them an email asking them about their entropy estimation, and complained about
their implementation disallowing pasting of passwords.

They quickly replied that their entropy estimation was flawed in handling some
characters and that they would fix this. They also said that copy/pasting was
disallowed as this password should not be stored in any form. I sent them an
email back arguing that this policy forces people to use weaker passwords, to
which they replied that this would be taken to their product manager.

Now in 2016 they've updated their implementation which allows pasting
passwords, making life easier.

~~~
matthewmacleod
That's really nice. I wish that more organisations responded in that kind of
way; I certainly know that if someone wrote to us to complain about password
or other security issues we'd certainly take it on board.

What are the reasons that such inquiries often get stonewalled - is it simple
organisational complexity, and the difficulty of actually contacting the right
individual?

~~~
pveierland
Their response to the entropy issue (which was a clear bug) was "we confirm
that today's implementation yields a somewhat incorrect error message when
using some special characters in passwords and that this will be fixed".

When there is a clear bug it is fairly easy internally for them, since they
just need to confirm the issue and send it to the right people to get it
fixed.

With the copy-pasting issue, their reply simply stated that disallowing this
feature was intentional policy on their part and that their passwords should
not be stored in any way. Changing policy and implementation would require a
greater effort on their part, and admittance that a suggested change would
improve their service.

I then wrote a longer reply, arguing that following their password
recommendation for the ~150 online accounts I had at the time would be
infeasible without a password manager, and insisted that I would like a reply
which did not refer to existing policy. The response to this was that it would
be taken to their product manager.

If the person handling the issue didn't care about the company doing the right
thing or their job, or if they were convinced that their policy was correct,
or if they believed escalating would certainly not lead to change in policy,
the issue may not have been escalated. So the people handling issues must care
enough to escalate unresolved issues, or the company policy must force
escalation of unresolved issues, and at some point in the chain of escalation
some person must believe that following the suggestion would result in an
improvement.

------
ikeboy
[https://www.troyhunt.com/the-cobra-effect-that-is-
disabling/](https://www.troyhunt.com/the-cobra-effect-that-is-disabling/)
nope.

(For the "type your new password twice to change it" fields there's somewhat
of a justification: if someone mistypes their password then pastes it twice,
they'll be locked out of their account, the point of the double field is to
prevent typing errors, which means it should be typed twice.)

~~~
chrismorgan
But it doesn’t even _matter_ if someone puts the wrong password in: if they
get it wrong, you just nudge them to reset it and everyone’s happy.

Getting email address wrong is _far_ more important, but far fewer things do
the same doubling up on that.

~~~
lucb1e
Passwords are entered twice because you can't see them. You could make a
mistake and not see it. People recently mistakenly assumed it's "because your
password is important" and have consequently doubled the email address too.

I so hate places that make me write my email address twice and disallow
pasting, I'm not retarded and it's my own fault if I can't spell my own name
(or in this case, email address), _especially_ if I copy-paste it.

You know what? Why don't we make every field double before someone typoes
their address and ships it to the wrong place? That'd be such a bad customer
experience!

~~~
chrismorgan
I should clarify that I was commenting on the state of things, not endorsing
any specific actions. Like you, I am mildly annoyed by any doubling up. Still,
I can testify that people mistype email addresses with frightening regularity.

For things like shipping addresses, some types of errors can be assisted with
by something that checks plausibility: does that address make sense and do we
know that it exists as a shipping address? If not, confirm with the user that
it’s actually what they meant.

Email address errors are often the same: basic validation can catch the most
common types of errors. [http://www.mailgun.com/email-
validation](http://www.mailgun.com/email-validation) is an example of an API
to do just that. I think an ideal system would do something like send the
confirmation email and listen for a bounce message, showing a message to the
user as soon as such a bounce message pops up. Also, showing the email address
on the confirmation page for the user, with the ability to change the address
there and try again.

------
po
My thought was that this stems from the idea that while the clipboard may be a
legitimate and secure way to transfer across programs from a password manager
to the password field, it is also an OS-wide shared space. After you tab away
to the next app, it will have access to that password that remains in the
clipboard. Browsers couldn't clear it (and apps aren't supposed to touch the
user's clipboard anyway) so they discouraged it.

You could also alt-tab over to your IRC client (IRC because this was state of
the art probably about when this practice started) and forget what is in your
clipboard and paste+enter quickly.

I don't think this is a _good_ reason to do it, but that was why I thought it
was done. I have no idea if that's the real reason it got started though.

~~~
erichurkman
Thus why 1Password and other password managers automatically clear the
clipboard after X seconds. It's a handy feature.

------
daenney
The only reason I can think of is to infuriate every user using a password
manager and help move the world to a place where stickies with passwords on
your screen are commonplace (again).

Annoyingly so Apple has taken to this practice in certain OS password fields,
like when you need to enter a password to decrypt a FileVault encrypted disk.

~~~
jamessb
I've resorted to selecting the field, pasting into Quicksilver [1] and using
the "Type Text" action to get around these restrictions.

[1]: [https://qsapp.com/](https://qsapp.com/)

------
ivanhoe
Another equally irritating problem are sites that use just keyup/down events
for validation and when you paste a value (or if password manager fills it for
you), they don't let you submit the form until you actually type something in
that field.

------
Strom
Probably the same reason why some sites have a maximum password length of 8.
Security design by people who are clueless about security.

~~~
joshmn
Not too long ago Ticketmaster had a minimum length of _4_.

~~~
err4nt
Just as safe as my banking PIN then, was it just numbers?

------
nextweek2
Really this question should be asked in the relevant forum. A better place to
ask might probably be:
[https://security.stackexchange.com/](https://security.stackexchange.com/)

The main reason is the clipboard is plain text and shared with everything. I
recently had it last week where my other half was using my laptop. The cat
walked over the keyboard and she wondered where this person's name had come
from. Turns out it was from me using the clipboard 5 days earlier.

It dawned on me then, the clipboard needs a time limit. It needs to clear
after an hour of inactivity, it needs to clear on resume.

------
tony-allan
None that I can see. It's a stupid practice to annoy users. I store my
passwords in a password manager and copy and paste all the time.

I don't use software that disables paste.

------
Johnny555
I also find it annoying when sites make me type my email twice and won't let
me copy-and-paste it the second time - I know my email address and can tell by
looking at it if I've typed it correctly, I really don't need to type it again
to prove that I can type it.

~~~
dannysu
Plenty of people don't even type their email correctly. Ask anybody that runs
a service and sends email, then you'll see. E.g. "myname@domain.com" vs the
typo missing the final 'm' "myname@domain.co"

But I do agree it's rather annoying and not allowing paste is even worse.

I actually trust my copy-and-paste more than me not making a typo because I am
human. By not allowing paste, websites are asking me to potentially make
mistakes.

Perhaps a better solution is for the browser to have a button on <input
type="email"> fields to allow me to select from a list of emails I have. The
browser needs to protect this data from being website accessible until I give
permission for privacy reasons, but that would have been a way better UX.

------
sheepleherd
Am I the only one here who memorizes passwords, types them in, and it works
and they serve their purpose? I've got a few "schemes" to systematize a bit, I
share passwords for non critical things, etc.

My biggest beef is the constant asking "do you want the browser to insecurely
save this?" How did that become the default? No wonder people can't remember
passwords if they never type them. I use many machines, and multiple browsers
per machine and I don't synchronize them, so changing the remember passwords
setting is such a chore I usually stick to clicking "remember never".

I don't think I can recall (dozens of years of computing) ever having a
password hacked. Privilege escalation is the main threat.

------
98Windows
It might discourage people from storing their passwords in plain text files
and force them to memorise it.

It adds to the image that passwords are something special and secret if you
cannot use basic functionality.

------
tyingq
At least one of the reasons is that Windows often picks up rich formatting
characters if you cut/copy.

~~~
teilo
This is not a problem with Windows. This is only a problem if the site's
implementation allows rich text, which I have never ever seen in a password
field.

Windows will paste plain text unless the text field in question is explicitly
identified as rich text.

------
minikites
TurboTax does this and it's very close to making me quit using it.

~~~
bblough
H&R Block Online also does this, and is the primary reason that I switched
away from them this year.

Ironically, I switched to TurboTax, but didn't have the same issue because the
login is done automatically via my bank login.

Does anyone know of a decent online tax app that doesn't disable the pasting
of passwords?

------
papageek
I use autoit and automater to bind ctrl+alt+v to "type" from clipboard for
just this reason.

------
IanCal
Was there a historical reason about JavaScript on other pages pulling what was
in your paste buffer?

------
livus
Making it worse are some websites totally disabling right click. Very very
annoying.

------
fareesh
My bank does this - no idea why. I use a bookmarklet to re-enable paste.

------
regularfry
My guess is to stop copying and pasting from Desktop\passwords.doc.

~~~
Johnny555
Is keeping a plaintext password file worse than forcing users to use a
password that's easy to type and encouraging them to use the same password
everywhere?

------
mschuster91
Paypal used to do this, for example.

------
Sacro
Because some places like to watch keystroke speeds as a biometric factor. It
can be quite accurate.

~~~
lucb1e
I know this is technically possible, but I've never seen it being used. This
is definitely not the reason why so many sites disable pasting.

~~~
gmac
Coursera use it (plus a webcam shot) to try to verify that every coursework
submission is from the same person.

~~~
lucb1e
Well they are trying to justify their certificates are legitimate, of course
they use every cheater-catching trick they can. This is not just logging into
a random site anymore, this is trying to do fraud detection for exams while
not physically present.

(Also, one example doesn't make something true.)

~~~
komaromy
> (Also, one example doesn't make something true.)

Neither does "I've never seen it being used".

------
mkagenius
A side question: why would a normal person paste password in the password
field? Its either autofilled or he types it in. Only case I see this happening
is when you get the password in the email from website and are asked to enter
that, which itself would be a bad practice.

~~~
rifung
Is it bad practice to get your password in an email? I thought that's what
happens when you reset your password

~~~
paxunix
If a site can email you your password, they are basically storing it in clear
text. Otherwise they could not send you your password (because they would only
have the hash of it). This is clearly a huge security risk.

~~~
prashnts
I suppose they can generate the password, and email it to you before storing
the hashed password in database?

~~~
greenpizza13
They could. The real issue is when you do a 'forgot password' and they send it
to you. That's a big red flag.

