
Let them paste passwords - matthewbadeau
https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords
======
discreditable
On Chrome you can use "Don't Fuck With Paste" to override these bad forms:
[https://chrome.google.com/webstore/detail/dont-fuck-with-
pas...](https://chrome.google.com/webstore/detail/dont-fuck-with-
paste/nkgllhigpcljnhoakjkgaieabnkmgdkb)

~~~
sillysaurus3
I was hoping this would also prevent websites from messing with the input to
the clipboard. It's a bit annoying to copy a sentence from a website only to
have "Read more on XYZ!" appended to it.

~~~
thebouv
Fork the Don't Fuck with paste code and add that feature (or use it as an
example to make your "Don't fuck with copy" extension).

[https://github.com/jswanner/DontFuckWithPaste](https://github.com/jswanner/DontFuckWithPaste)

I hate sites that do that (or prevent right-click as if that somehow secures
their code).

~~~
majewsky
I'd actually like an extension along the lines of "This is not Google Docs,
for fuck's sake", that just disables all these APIs that are only ever useful
with rich apps, but not with content-heavy websites, for example:

\- copy/paste hijacking

\- sensor access: microphone, camera, GPS, etc.

Maybe even go further and introduce some sort of rate-limiting for

\- XHR requests

\- relayout events

to save power and data.

~~~
artursapek
Incidentally, what are these APIs? I am building a rich content app (SVG
editor) and have been starting to think about what copy + paste will look
like.

~~~
akubera
I think you want to investigate the "ClipboardEvent" web API. Try starting
here: [https://developer.mozilla.org/en-
US/docs/Web/API/ClipboardEv...](https://developer.mozilla.org/en-
US/docs/Web/API/ClipboardEvent)

~~~
artursapek
Thanks!

------
_jal
In general, more and more sites encourage me to just leave Javascript turned
off all the time. If they break, screw them, I'll go elsewhere. The only sites
"sticky" enough to make me put up with it are financial, and that's only
because they all suck so changing solves nothing. 'Missing out' on Angular
sites hasn't left me feel like I'm missing anything in my life.

This ties in to the discussion of Craig's List the other day. It is so
refreshing to use a site that doesn't try to be clever. I understand if people
find it ugly, but I don't - simple is good, and I don't care if sites follow
whatever design trend is hot this week. Usability is far more important.

~~~
hn_throwaway_99
> If they break, screw them, I'll go elsewhere.

I think that option is going to _greatly_ constrain where you are able to go
on the web. The vast majority of ecommerce sites I visit will break with JS
completely turned off.

~~~
devrandomguy
OTOH, these "universal" web apps/sites can work quite well without JS. As long
as the developer isn't doing silly things like using <button> as a link, or
using an anchor to submit a form.

At one point, I built a sortable filterable table for an admin UI, using
React. One of the admins was a "no js" guy, and he thanked me for building the
whole thing in functional HTML. Up until that point, I had no idea that the
admin side of the system was even usable without JS; that was just a natural
consequence of optimizing for SEO and load speed (server side rendering, URL
representation for all significant state).

------
artursapek
Of course it reduces security. It makes you resort to either

1.) typing it out manually while you can't see if you made a mistake

2.) using developer tools to set the 'value' attribute directly

"SPP" discourages use of a password manager. End of story. I also see this
pattern used on banking websites for inputs like an account number. This
drives me crazy as well for the same reason. The computer can get it right
more reliably than my eyes and fingers.

Whenever I see a website that blocks paste I immediately assume it's built by
incompetent people and trust it with as little as possible.

~~~
thesuitonym
Other signs that a site was built by incompetent developers (Or had too much
management interference--Devs aren't always to blame!):

Only works with Internet Explorer

 _Doesn 't_ work with Internet Explorer

Password must have one of 4-10 special characters, but not other special
characters. (e.g.: Must contain !, @, ^, &, or parentheses, but not ;, ", etc)

Passwords have no requirements

Right-click is disabled

Video plays as soon as the site loads

Share buttons that use javascript to follow the viewport

Share buttons that pop up over every single image

"Want to see more" when you move the mouse to the top of the screen (Or reach
the bottom of the page) (or as soon as the page loads)

Slideshows of any sort

~~~
joshvm
We had a gem at my last university (UCL): you must rotate your password every
few months, your password can't be anything like any of the previous ones
(i.e. previous ones are stored, and they're not hashed), your password must
contain special characters etc.

Except.. it can only be 8 characters long. Anything else gets truncated (they
explicitly said so). The mind boggles.

I have no idea where this limitation comes from, do people just set an 8
character field in their database? Was this a problem decades ago that they
figured they'd save a few megabytes of storage space?

I think they've _finally_ changed it so that the reset period is determined on
your password complexity, no length limitations, and you can have 2FA (or at
least mobile password reset).

~~~
jameshart
> your password can't be anything like any of the previous ones (i.e. they're
> not stored hashed)

That's... not necessarily the case. You can implement that check by only
storing hashes of previous passwords, or of patterns derived form them that
are also forbidden (e.g. store a bcrypt of every previous password converted
to all lowercase and with numbers and symbols removed).

~~~
kbenson
Manager: We need to ensure people aren't using similar passwords on reset, but
we can't store the password unhashed.

Developer: Similar passwords? Or Same passwords. Similar is hard.

M: Similar. Can't let people be lazy with their passwords.

D: Well, if we really _have_ to do it, I guess we could store a bunch of
hashed variations of the password, but...

M: Good! Let's do that.

D: ...but that could be a massive amount of space for long passwords.

M: Okay, we'll just enforce short passwords then.

D: ...doesn't that more than negate all the benefit of preventing similar
passwords when rotating them?

M: Doesn't matter, the CEO said he wants this. Hop to it!

 _Developer laments the stupidity of their life_

~~~
spinsser
Why would they need to store the hash for all the combinations?

Why not generate a list of similar passwords to the new password, hash them
all using the same salt of the previous password and then compare them.

~~~
kbenson
Depending on what is considered "similar", every extra password character may
exponentially increase the number of similar passwords.

~~~
joshvm
Well in my case, there was only an 8 character limit, so there was a least a
bound on it. I didn't investigate how far you could deviate from an old
password before it was allowed though.

------
dmh2000
"Justification 2: 'Pasting passwords makes them easier to forget, because you
have fewer chances to practise them'."

if you can remember your password, its probably too weak

~~~
mrob
>if you can remember your password, its probably too weak

As XKCD famously pointed out[0], Diceware[1]-style pass phrases can be both
secure and memorable. XKCD's four word example isn't secure when fast brute-
force attacks are feasible, but eight words is still easily memorable and
secure enough for anything. The important point here is that "random words"
really does mean "random", i.e. not picked by a human.

[0] [https://xkcd.com/936/](https://xkcd.com/936/)

[1]
[https://en.wikipedia.org/wiki/Diceware](https://en.wikipedia.org/wiki/Diceware)

~~~
Santosh83
But how many of these can you remember? I currently use almost fifty different
passwords. I can't imagine committing fifty different pass phrases to memory.

~~~
heypete
That's what password managers are for. Just remember the password for the
manager, plus maybe one or two critical accounts (e.g. email) and you're good
to go. Let the manager deal with the complexity of generating and remembering
random passwords.

------
libeclipse
> Justification 1: 'Password pasting allows brute force attacks'

This really pisses me off every time I see it.

JavaScript is client-side code. If the attacker you're protecting against
can't trivially bypass this bullshit "security" feature in three seconds, then
he/she is not something you should be concerned about.

Attackers like that probably have other skills like counting to 5 with a 60%
accuracy, and pointing out their own nose with a 40% accuracy. (Just like you
do if you have this on your website.)

------
pc2g4d
Here's another weird restriction: password length limits. I've had websites
tell me I can't use more than 8 or 16 characters. Even if they let me use a
thousand characters that's just going to get hashed to the same length anyway,
right?

Even worse: sites that silently truncate your pasted password to the maximum
length. When all you see is those little dots and the password is wider than
the text field, it's very difficult or perhaps even impossible to tell how
many characters were successfully pasted. And obviously truncation sets you up
for disaster when you try to log in using your saved password and it just
doesn't work.

~~~
tdeck
> Even if they let me use a thousand characters that's just going to get
> hashed to the same length anyway, right?

That assumes they're not storing your password in a VARCHAR(16) field, which
is what I always assume when I see a max password length restriction like
this. Or perhaps they're using the ridiculous LANMan hash algorithm [1].

[1]:
[https://en.wikipedia.org/wiki/LAN_Manager#LM_hash_details](https://en.wikipedia.org/wiki/LAN_Manager#LM_hash_details)

------
coldpizza
So the main complaint about SPP is that it screws password managers, but then
there's this:

> Most password managers erase the clipboard as soon as they have pasted your
> password into the website, and some avoid the clipboard completely by typing
> in the password with a 'virtual keyboard' instead.

Isn't the latter approach much safer? If so, shouldn't it be the de facto
standard since it prevents "clipboard stealing" and also removes the issue of
not being able to paste content into an SPP form input?

~~~
jhasse
Allowing apps to create virtual keyboards with which they may manipulate all
other apps might not be a good idea. That's why it won't work with Wayland for
example.

~~~
ben_jones
I mean your password manager already has all your passwords. The argument can
be made that you can trust the man who already has a knife to your throat.

~~~
jhasse
True, I trust my password manager. But having the ability to create virtual
keyboards at all might be a risk for the apps I don't trust.

------
majewsky
My mind, upon reading the submission title: "Your majesty! The country people
don't have any usernames!" \- "Then let them paste passwords!"

([https://en.wikipedia.org/wiki/Let_them_eat_cake](https://en.wikipedia.org/wiki/Let_them_eat_cake))

------
mderazon
I don't care much when it happens on a website, because I can bypass that
easily, but it's enraging when I see this practice in mobile apps.

For example, my bank's app don't let you paste passwords. I have a strong
random password which basically means I can't access it from my phone...

~~~
apostacy
Chase.com is one of the worst. The desktop version of the site does all sorts
of browser fingerprinting with javascript. It does things like tries opening
up websockets to random local ports, and stuff like that.

I had to just throw up my hands and do all of my access to chase.com through a
sandboxed browser profile, where I could automate logins.

~~~
JadeNB
> Chase.com is one of the worst. The desktop version of the site does all
> sorts of browser fingerprinting with javascript. It does things like tries
> opening up websockets to random local ports, and stuff like that.

I'm not fond of this, but what does it have to do with passwords? I
(reluctantly) use Chase's online banking on the desktop, and it lets me paste
passwords.

------
waffl
This is an incredibly frustrating thing with the way OS X handles encrypted
disk images as well. Needing to share confidential documents with coworkers,
we were hoping to store them in an encrypted disk image. (GPG proved way too
complex for anyone to adopt) Of course, the standard OS X GUI prevents you
from pasting a password when mounting, which of course led to coworkers
resorting to short, easy to type, easy to remember (and easy to crack)
passwords.

The best solution I found was to mount via the command line but that
definitely wasn't an option for any coworker unfamiliar with the terminal.

[https://apple.stackexchange.com/questions/42257/how-can-i-
mo...](https://apple.stackexchange.com/questions/42257/how-can-i-mount-an-
encrypted-disk-from-the-command-line)

Also while this may be ultra paranoid, I really don't like typing passwords in
public places where endless he cameras can record my screen and keystrokes.

~~~
joantune
Yes!! Ditto on the weirdness of not allowing to paste from the clipboard to
decrypt a hard drive on OS X.

It's like it's on purpose to make you save the password on the keychain or to
make it more predictable somehow. I think that's either a very bad decision or
evidence of NSA/CIA infiltration/influencing of Apple's software

------
Khol
As irritating as this is my bank's app which implements its own soft keyboard,
so not only can I not paste my (complex) banking password, the password
manager doesn't recognise it as an input.

Since I can't have the password visible in the password manager on the phone
at the same time as the login prompt in the app, this means that I can only
use the bank app if I'm 1) next to another device I can get that password on
or 2) if I write the password down on something.

~~~
egypturnash
This sounds like a reason to consider switching to a new bank. Or a credit
union.

------
rcthompson
If you're on Mac OS, there's a nice little app I use to bypass almost any
mechanism of preventing pasting. It simply uses a virtual keyboard to type out
the contents of your clipboard.
[http://dae.me/blog/1741/](http://dae.me/blog/1741/)

------
defined
If it didn't point crackers to these sites, I would love to call out all the
sites that do incredibly misguided things such as:

\- Allow you to paste passwords into their smartphone app, but not into their
web site being accessed from the same device.

\- When entering new passwords, limit the password length but not tell you
what the limit is ("password is too long"), so you have to reduce it 1
character at a time and keep trying.

\- (Mentioned elsewhere in this post) Limit the special characters to some
inexplicable subset like !@#$, so you have to edit your generated random
password and replace the non-compliant characters with ones from their subset.

\- Limit password lengths to (say) 20 characters, allow you to enter a new 20
character password, but _only store the first 19 characters_ so you get an
invalid password error when you subsequently log in! I figured it out because
I _knew_ I was pasting the correct password, so I just thought, "Hmm, UI team
!= DB team..." and tried one less character. Bingo.

This happened to me with an old version of (IIRC) a Bank of America iOS online
banking app (I am not concerned about mentioning a name here because it's been
fixed since then).

\- Limit your password to something really short like 10 alphanumerics.

\- Require password entry for (say) iCloud before you can get into your
password manager, forcing you either to pull up the password on another device
and painstakingly enter by hand a 30 character random string, including many
special characters, and not letting you see the password (only the last
character, for a second). This is so unpleasant that I am sure many people
would just change the password to their dog's name or something.

~~~
marmshallow
Some of these are actual reasons why I don't use password managers. I'd rather
have the convenience of being able to quickly type in a password that I can
easily remember than have to worry about which special characters I'm using or
manually typing in an insane hash.

------
jomkr
There is a subtle valid use-case.

On "change your password" screens, you don't want the second "confirm
password" field to be pastle-able to stop this scenario.

1) User tries to type "mypassword" but enters "mypasswor" instead.

2) User copy-pastes "mypasswor" into "confirm password field"

3) User hits "submit".

Now when the user tries to login with "mypassword" it fails.

~~~
crazygringo
But you can't copy from password fields, so that won't actually work.

When changing your password, if you're pasting at all, it's from another
(presumably correct) source -- so pasting is fine, whether once or twice.

------
phkahler
I find the issue around clipboard security a bit disturbing. No program should
be able to access the clipboard at will, it should only get the data there if
the user pastes it in the application. This is a bit harder at the API level,
but I think a good environment would do this right. It's like the security
holes in X that are being closed with Wayland.

------
tibbon
As someone who has used password managers and exceedingly long, impossible to
remember and cryptic passwords for years; this quite upsets me when sites
prevent it

~~~
graphitezepp
I can't make any sense whatsoever of it. Does ANY scenario exist where this
stops unintended access?

~~~
namdnay
The only scenario I can accept paste-blocking is double-field password
creation. At least one should refuse paste, just to make sure I haven't copied
the wrong string.

Whilst we're on the topic: I hate stupid input fields that don't ignore
whitespace and have a maximum number of characters. So you paste the space-
separated number (I'm looking at you IBAN), get an exception because of the
spaces, go back and remove them, get another exception, and then realise that
the number was truncated due to the field length restriction applied on paste.
ARGHHHHHH

~~~
thesuitonym
>At least one should refuse paste, just to make sure I haven't copied the
wrong string.

I disagree with this. If you paste a password into both fields, then paste it
into your password manager, it doesn't matter if you've copied the wrong
thing, because your password manager will still remember it.

------
crystaln
Until password managers are ubiquitously integrated with mobile apps, we are
forced to use the clipboard to transfer passwords. Unfortunately, any app can
access the clipboard, revealing passwords. Copying passwords from 1password
always feels dirty for this reason, and unfortunately I don't have a good
solution to this problem.

~~~
burkaman
On Android versions since Lollipop password managers don't need to use the
clipboard. I think on iOS they still need to.

------
alvarosevilla95
Please correct me if I'm wrong, as this is all conjecture.

I feel passwords used to be thought of as a combination of characters that you
keep in your head, and should only leave your head when being entered in a
password field. Preventing paste discourages storing your password in a file
called passwords.txt, and accidentally pasting it somewhere else as well.

Of course, we now understand passwords should have some qualities (larger
alphabet, avoid common words/phrases as your passwords) which go against ease
of remembering, so we now use passwords managers and other tools.

So this behaviour is probably and old common practice that most people used
without knowing why and that's why we still see it even if its outdated and
harms security in the end

~~~
Santosh83
Could be, but it's flawed reasoning anyway. Preventing copy/paste won't
prevent people from storing their passwords in passwords.txt.

Nobody other than those who use very simple, high risk passwords can remember
them all. It has to be stored somewhere. Preventing copy/paste seems like a
completely useless step (security wise) that only causes unnecessary bother.

~~~
WorldMaker
Also, depending on threat model, a passwords.txt clear text file can be
perfectly cromulent security that is better than many alternatives (password
reuse, weak passwords). It's not going to stop people with physical access to
your machine or attackers specifically targeting you looking for weaknesses in
your documents. But vulnerability to some threat models is not vulnerability
to all of them and it's okay to take a security stance with known
vulnerabilities.

Similarly with Post-It Notes and physical written Notebooks of passwords. If
your threat model isn't concerned about people with physical access to those
notes, and you are comfortable with the physical security of those notes, that
can be perfectly acceptable for you, and an overall better security stance
from bad passwords.

"Don't write down your passwords", has always been bad advice, from that
perspective. "If you write down your passwords, keep them safe" is slightly
more accurate.

------
sowbug
Slightly off-topic: why didn't client-side certificates ever become a thing?

~~~
dfox
There are two main reasons:

1) In the beginning the whole X.509/PKCS PKI mechanism was seen as something
that came out of X.500 and other telco stuff, is centralized, complex and
expensive (all of these things are in fact true for the originally envisioned
usage) and thus irrelevant for decentralized internet. (for example, the L for
"Lightweight" in "LDAP" essentially means that it uses passwords instead of
client side certificates)

2) The UX in early SSL capable browsers for client-side certificates was
horrible (In Netscape the whole SSL configuration was in completely separate
dialog from browser settings, which was incredibly complex. IE uses SSL
implementation from windows which is also used for lots of other things and
has centralized configuration and also even today creates confusing dialogs
when site requests client certificate). It's somewhat ironic that various
ActiveX/Java based replacements of this horrible UX are in fact often even
more unusable.

~~~
zeveb
What's really sad to me is that SPKI (RFCs 2692 & 2693) addressed
centralisation, complexity and cost, and was more-or-less completely ignored.
If the browser and server vendors had just supported it, I really think that
it could have had a chance.

It was even backwards-compatible with X.509!

------
agentgt
I'm somewhat guilty of pushing the don't copy'n paste passwords (not the
actual input limitation) and the reason why is because several of our guys at
work have actually accidentally pasted passwords into Slack/Skype windows.

For what its worth I did write a small utility to make it easy to create
memorable passwords using a master password:

[https://github.com/agentgt/ezpwdgen](https://github.com/agentgt/ezpwdgen)

It uses the Emoji word database to help you remember passwords.

------
jcoffland
The Wells Fargo CEO portal makes me change my password every 90 days, won't
let me paste and accepts some special characters but not others. How is it
that a bank can get it so wrong?

~~~
ryanisnan
J2EE people, man... J2EE people.

------
raesene6
I'm very glad to see this advice for the NCSC, they have been taking a good
practical stance on many security issues and helping to provide weight to more
pragmatic approaches.

I've never actually managed to find out where the idea of websites banning
copy/paste came from. Presumably it's been as a result of security audits, but
I can't find any security people who would argue that it's a good idea...

------
daxorid
Good, but bear in mind that the Xorg clipboard is, in many cases, readable by
arbitrary applications.

If you can run Wayland, do it. If for no other reason, this.

------
intrasight
Another reason SPP is less secure is keyloggers. I remember reading an article
by someone that discussed this. When he visited China, he always entered
passwords by copying and pasting from a secured thumb drive as this would
defeat keyloggers. He mentioned that unfortunately some sites stupidly prevent
this.

------
inian
I had filed an intervention to prevent websites from disabling the paste
functionality in password fields -
[https://github.com/WICG/interventions/issues/41](https://github.com/WICG/interventions/issues/41)

------
jwl
I can see some logic behind number 3 of having your password in the clipboard.
It could lead to users pasting their password somewhere else where it was not
intended. However, if you have malware on your machine that can read your
clipboard, it can also simply read your keystrokes anyway.

~~~
MyNameIsFred
I haven't done Windows development for a long time, but I think that this may
be an overstatement, at least on that platform.

You need to have cursor focus to receive key events, right?

The clipboard, by contrast, can be continually monitored, while playing
completely "by the rules", right?

------
probablycarrots
There is another version of SPP being done by the Wells Fargo Commercial
Electronic Office site, and probably others.
[https://wellsoffice.wellsfargo.com](https://wellsoffice.wellsfargo.com)

It does allow you to paste into the login fields, but you cannot submit your
login credentials this way because the "Sign On" button is greyed out until
you've actually typed in each field. I let my password manager fill the
fields, then I manually delete and re-type the last character from each of the
3 fields.

------
joveian
IMO, sites should generate a >20 character random base64 password as a form
prefill on the registration form, which hopefully would cause browsers to
remember it (don't actually let the user change this). Provide "show password"
and "copy password" options for those who need to write it down for use on
other machines or want to export it to a non-browser based password manager or
sync tool. Encourage users to have a master password for the browser password
storage.

Also, many sites should have an easy email based login.

------
arunc
All I can say is use keepass. Just remember one crazy long master password for
the database and change it regularly. Or use a combination of password and key
file.

> Justification 2: 'Pasting passwords makes them easier to forget, because you
> have fewer chances to practise them'.

Difficult to remember and easy to forget passwords will be auto generated. In
fact I encountered few websites that didn't accept long passwords.

> Justification 3: 'Passwords would hang around in the clipboard'

Only for 12 seconds after which keepass will clear the clipboard.

------
graton
I know that Battle.net does this :( I went to change my password and I
couldn't paste the new one I had generated. Motivated me to install a simple
Greasemonkey script to override that.

------
kobayashi
I agree with the premise. Though, there's one more issue/potential reason not
to endorse people using the clipboard for passwords, and it's not that malware
will grab them from the clipboard. It's that many non-malicious programs will
regularly query the clipboard for legitimate reasons, but what they do with
that data may be insecure. For example, think of how Pocket checks the
macOS/iOS clipboard for URLs to add to the Pocket list.

------
hammock
Everyone's talking about password at sign-in or credit card numbers but that's
not the only use case for paste restriction.

The more common place I've seen it is email address confirmation (or PW
confirmation), which while probably unnecessary, is not the worst thing in the
world. You are retyping an address that's displayed in the field above. Less
intrusive than a captcha.

~~~
tomku
Blocking pasting in a password confirmation input accomplishes nothing because
you're already blocked from copying the contents of the first password input
anyways. All it does is inconvenience people who use password managers.

------
deathanatos
> _Justification 3: 'Passwords would hang around in the clipboard'_

Password managers could wipe the clipboard, if it still contains the password,
after a defined amount of time, such as 60 seconds.

(If you think that's "confusing", show a notification that explains the
behavior; "clipboard wiped" or something.)

------
EdgarVerona
Just yesterday, I ran into a site that was doing this for the first time in
years. It annoyed me to the point where I used the console to override it and
allow pasting again.

Password managers are a thing. Please don't force me to type out 32 random
symbols twice while I sign up for your service.

------
bikamonki
I've pasted my ultra long pwd in the username field and hit enter. It happened
more than once on logins where the form is split into two steps (I am talking
to you Google). Why do they split the u/p fields into two steps? Does it add
security? Better UX?

~~~
Santosh83
The first login page allows you to choose from multiple accounts. But yes,
this could just as easily have been done through browser auto complete, but
doing it this way means Google can track/link your multiple accounts.

~~~
dredmorbius
Reference on this?

------
xir78
Only argument I can think of for preventing it in is maybe it makes it harder
for bots in some cases.

The QQ messenger blocks pasting passwords on iOS I suspect for this reason,
perhaps there are teams of people guessing passwords and manually typing them
in like gold farming.

------
sengork
For macOS users, at least, there is another option: select text and drag and
drop it from password manager text field to a website input field.

From what I gather this should use IPC between applications, rather than the
clipboard itself.

------
davotoula
Preventing copy/paste is a pet peeve of mine. Hey websites, you are breaking
the browser/os functionality!

Another annoyance is having to enter 2nd,4th,7th etc letter of the password
using a dropdown. ARrrgh.

------
joantune
May i also say that the 'feature' of not allowing clipboard pasting on the Mac
Os X to decrypt a hard drive is one of the most conspicuous interface
decisions that I have ever seen

------
hashkb
Bank info pasting is more annoying, more common, and just as stupid.

------
toyg
Forbidding copypaste is equivalent to forcing one to recite his address and
credit card details loudly in public every time he wants to enter his own
house. In an age where videosurveillance is trivial to set up, it's just
stupid; there is a reason every cash machine/atm asks you to cover the number
pad as you type your PIN.

If the problem is the risk posed by password vaults and clipboard managers,
promote better vaults and better utilities. Personally, I'd love a password
vault that could check which application or website I'm pasting to, blocking
transmission if it looks wrong. But it's not the website's job to tell me how
to manage my secrets.

------
liveoneggs
I see passwords pasted into chatrooms constantly and they are often of
randomly-generated form. Password manages are also, apparently, not immune to
their own security issues.

~~~
epistasis
The nice thing about that is it's just one site's security token to change!
Compromising that single password doesn't compromise all logins, just the one.

Whereas if you reuse a password on multiple sites, and one of those sites is
compromised, all of the rest of your logins are compromised.

------
hobarrera
FWIW, middle-click pasting (PRIMARY) doesn't seem to be inhibited anywhere
(maybe this technique only invalidates the CLIPBOARD pasting?).

------
nathancahill
If you use Quicksilver on Mac, you can virtually type the text to get around
the paste limitation. [text input] -> [Type Text]

------
SurrealSoul
Assuming you are creating an account, UN: Hello PW: World123

My largest issue is that its extremely possible to fat-finger your UN to be
Hellow, and its extremely easy to see and fix that mistake.

However since passwords are hidden its hard to see ######## is actually
Worls123. Now your new account has essentially a one-time login because you
have no idea what your password is. Typing it out again, ensures you catch
your mistake

~~~
noir_lord
I hate hidden passwords, it's stupid.

I'd notice someone shoulder surfing so I'd prefer if they wheren't starred out
by default with starring out as an option if I do have people around.

~~~
blauditore
What about e.g. sharing a screen during a presentation?

~~~
macintux
Or cameras you don't know about.

~~~
noir_lord
If I have a camera I don't know about in my home then I have bigger issues
than a password field on hacker news no?

~~~
macintux
If you never leave your home then you have much bigger issues than a password
field.

------
ytch
I also hate websites that force users use virtual keyboard to enter password.

~~~
matthewbadeau
This is supposed to prevent keylogging.. but I think anything with that amount
of access to your PC can tap into the browser to read the request before it's
sent. So, probably not as good as it sounds.

~~~
Cthulhu_
It would prevent physical keyloggers (small dongles in between keyboard and
computer) and possibly even RF keylogging, but yeah, it's a false sense of
security.

------
nofunsir
yubikeys help here a little bit.

------
maxxxxx
This whole discussion is a good example for everything that's​ wrong with
computer security. Instead of coming up with solutions that make it easy for
people to follow good practices the "experts" make it even more cumbersome.
Most people just want to use the computer and not think about security.

~~~
acdha
You're cherry-picking pretty heavily: there's a lot of cargo-culted password
advice but the current push for user-friendlier password management practices
and fundamental model changes (e.g. two-factor with U2F) has been lead by
security experts who have, for many years, been loudly reminding everyone that
usability is a security requirement rather than an inherent conflict.

~~~
maxxxxx
You are probably right about cherry picking. I know a lot of experts are aware
of the problems but from an end user perspective security usability is still
horrible and inconsistent.

~~~
acdha
No argument there — it's really interesting seeing the divide ultimately
becoming users and experts on one side and people who are not experts but are
setting policies anyway on the other.

~~~
maxxxxx
"people who are not experts but are setting policies "

That seems to be the key issue.

------
dragonwriter
If you are pasting passwords, you are really using an ad hoc third-party SSO
authentication provider (which may or may not also use the equivalent of 2FA)
via a manual token-exhange mechanism. Better than allowing pasting passwords,
just support OpenID or some similar federated authentication solution, which
does the same thing without manual token exchange and the attendant
opportunities for errors.

You might want to allow paste, too, but it's the clumsy solution.

~~~
epistasis
>ad hoc third-party SSO authentication provider (which may or may not also use
the equivalent of 2FA) via a manual token-exhange mechanism

This is a huge step up from a memorized password. Go ahead and implement
OpenID too, but don't force people down to the level of memorized passwords
needlessly. Expending effort to prevent pasting is a stupid move.

~~~
dragonwriter
> Expending effort to prevent pasting is a stupid move.

Oh, I agree. I was more talking about people who have already expended that
effort (so its zero marginal effort) and are considering reversing it (which
as a small but non-zero cost.)

