

The Cobra Effect that is disabling paste on password fields - traxmaxx
http://www.troyhunt.com/2014/05/the-cobra-effect-that-is-disabling.html

======
cyphax
I hope everybody who thinks it's a good idea to "forbid" pasting in password
fields at least uses the same trick (onpaste="return false" or something
similar) so that I can remove that attribute from the HTML before pasting my
password like the insubordinate fool I am. :P

Blizzard does the same as Paypal, I noticed: not allowing pasting of passwords
when changing passwords, but you can paste it when logging in. Thankfully, I
noticed yesterday, Starcraft II allows me to paste the password in-game! That
was a nice surprise. Looks like they've given their policy some thought, at
least.

The only reason I can think of is perhaps reducing the risk of people not
knowing their password when accidentally pasting the wrong thing in the
password fields. It's possible that your clipboard contains something else
since you copied your password. Which is understandable, but it seems to me
like they're replacing one problem with another whereby everybody gets to deal
with the new one, whereas the old problem could be circumvented with a
password-forgotten function that everybody has anyway.

Yeah, not a big fan of this practice all in all.
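
As an added example (my code, not from this thread or from the linked article): a small Node.js audit that scans your own site's markup for password inputs whose inline onpaste handler cancels pasting, the `onpaste="return false"` trick mentioned above. The function names and the sample form are constructed for the example.

```javascript
// Added example, not code from the thread or from the linked article:
// audit a page's markup for password inputs whose inline onpaste handler
// cancels pasting (the onpaste="return false" trick). Runs on a markup
// string, so it needs no browser; the sample form below is constructed.

// Pull name/value pairs out of one <input ...> tag. Deliberately small:
// it handles double-quoted, single-quoted and unquoted attribute values.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// An inline handler blocks paste if it returns false or cancels the event.
function blocksPaste(handler) {
  if (!handler) return false;
  return /return\s+false|preventDefault\s*\(/i.test(handler);
}

// Scan markup and report every password field that blocks paste.
// Returns [{ name, onpaste }] so the result is easy to check programmatically.
function findPasteBlockedPasswordFields(html) {
  const findings = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    if ((attrs.type || 'text').toLowerCase() !== 'password') continue;
    if (blocksPaste(attrs.onpaste)) {
      findings.push({ name: attrs.name || attrs.id || '(unnamed)', onpaste: attrs.onpaste });
    }
  }
  return findings;
}

// Constructed change-password form: the first new-password field uses the
// inline trick from the comment above, the second cancels the event instead.
// The text field also blocks paste but is not a password field, so it is ignored.
const SAMPLE_FORM = `
<form>
  <input type="password" name="current" autocomplete="current-password">
  <input type="password" name="new1" onpaste="return false;" autocomplete="new-password">
  <input type='password' name='new2' onpaste='event.preventDefault()'>
  <input type="text" name="username" onpaste="return false;">
</form>`;

console.log(findPasteBlockedPasswordFields(SAMPLE_FORM));
```

Handlers attached with addEventListener from external scripts are not visible in static markup, so this only catches the inline form of the trick.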

~~~
5h
Disabling paste makes sense when setting your password.

If presented with two input fields for password & confirm your password, the
lazy among us will type the desired new password in the first input box, then
copy the contents and paste into the second... if you type it incorrectly in
the first box you then have to reset it before you can log in again.

~~~
dsego
Browsers disable copy on password fields.

~~~
5h
Hah, I was in Firefox at the time and checked that I can copy and paste
between password fields; it appeared to work.

I didn't look at what had been inserted into the clipboard though; it was just
the asterisk characters visually displayed in the password field.

------
cliveowen
I'm told not to use easy-to-guess passwords, so I generate them randomly with
Apple's Keychain. I can't possibly remember a random password, so I store them
in a text file which I diligently encrypt with a strong master password I
remember. Now, if you don't let me paste my passwords I don't have any means
to sign in, other than typing a long string of numbers, letters and symbols or
picking a simple, non-secure password. This practice punishes security-
conscious users and benefits no one. Please stop doing that.

------
danudey
Some of these policies (like not allowing paste into change-password fields) I
can understand conceptually; for example, you don't want someone to mistype
their password, paste it twice, and then not be able to get in again later.
This example works around problems that most people have, and really screws
over people who use secure passwords and password managers.

It's that old pattern of trying to be 'clever' to work around a problem, which
in turn screws over anyone who doesn't actually have that problem, akin to
plugging a sideways AC adapter[1] into a horizontal power strip[2]. The
sideways AC adapter is a suitable workaround if you don't have a sideways
power strip, but if you do it's often much worse (especially if you have two
to plug in).

Perhaps LastPass et al should provide a browser extension to prevent this kind
of behaviour in the first place (e.g. removing onpaste events from password
fields).

[1] [http://i.imgur.com/zMSX7K2.jpg](http://i.imgur.com/zMSX7K2.jpg)

[2] [http://i.imgur.com/AFfgq9a.jpg](http://i.imgur.com/AFfgq9a.jpg)

~~~
npsimons
_for example, you don't want someone to mistype their password, paste it
twice_

And right there, you've made the wrong assumption that so many have in this
thread; the whole _point_ of password managers is that you're _not_ typing
anything in, ever. You generate the password, preferably in your password
manager, _then_ paste it twice. No possibility of typos.

------
oneeyedpigeon
This bit me in the ass the other day when trying to change my PayPal password
(because, you know, the company that owns them can't be trusted to securely
manage my password in the first place). So not only could the 32-byte
hexadecimal password I'd generated not be used at all, I had to manually type
out the first 20 characters of it. Twice. The punchline was that PayPal rates
the password as "fair" whilst hindering the best method of making it more
secure.

------
justncase80
The opposite should be true: you should only be allowed to paste passwords.

In fact password keepers should put passwords onto the clipboard into some
custom format that the password controls know about so that you have to paste
from a tool. And then mandate that the password is at least 256 characters
long. That would help move us in the right direction.

~~~
x1798DE
While I'm hoping this is a hyperbolic suggestion, it's almost certainly a bad
idea to use the clipboard for this sort of thing, because none of that is
sandboxed properly, and creating a special format that says, "I'M A PASSWORD"
sounds to me like designing an API for malware authors, frankly.

At the moment, it seems like copy-paste in passwords is a nice intermediate
step between the "password you can remember" era and an era where we have
secure keyring managers. In the end, you can imagine that you'd want them
stored not on the clipboard (where anything - including JavaScript running on
a site - can get them easily), but in a secured area of memory, and entered on
demand on trusted sites.

------
projecteternity
I imagine that some of the examples are just left over from when browsers were
allowing reading from the clipboard from js. In which case having a password
in your clipboard was a huge security vulnerability.

Even if the issue has been resolved, few companies seem to be in a hurry to
remove parts of their security policy.

------
oridecon
For throw away accounts I paste my password on the browser URL field and drag
to the password input. So hardcore.

~~~
irq
I hope you're not doing this in a browser like, for example, Chrome, where it
sends everything you type into the address bar to Google.

------
seacious
I downloaded Hawken and played it once and enjoyed it. When I went to play again
I realized that I would have to type my 20-character random password in, in
order to be able to play, alt-tabbing between the password manager and the
game repeatedly.

I uninstalled the game.

~~~
theandrewbailey
I thought Hawken completely moved to Steam. It still asked for your password?

------
NaNaN
If I can't paste directly, I'll paste it elsewhere (except URL address bars).
And I must ensure that I did not copy a password right before I open a flash.

------
dreamcompiler
1. Disable js. 2. Paste. 3. Re-enable js. (Of course this assumes you're
using a browser where it is easy to disable js.)

------
joosters
There's an extra reason why pasting might be disabled on password creation
fields: to prevent typos. If I mistype my password in the first box and then
copy-paste it into the second, the text will match and my account gets given
the mistyped password. You'll then never be able to log in.

If you force the user to type the password in twice, typos will be spotted
immediately and can be fixed.

None of this affects password lockers like LastPass since they can autofill
these forms despite the HTML.

~~~
bra1n
The thing is, you can't copy FROM a password field. So you need to type it
somewhere else first, and it will probably be readable there.

~~~
eldelshell
Wooosh! Time to re-read your "HTML for Dummies" book.

------
phkahler
Two things. 1) Change password screens want you to enter the new password
twice so that a typo doesn't end up in your password and prevent your own
access in the future. If you copy/paste you will be copying any typo and
circumventing this mild protection. 2) The whole time I kept thinking this
forces people to type their password, which makes it an easy target for key
loggers - which are AFAICT designed to sniff user credentials.

~~~
pornel
You cannot copy a mistyped password, because password fields by default forbid
_copying_.

------
danielweber
This all seems rather bonkers. But 1Password isn't exactly the impartial
"they've spent more time thinking about this so they must get it right" party.
Their entire product and way of thinking depends on being able to auto-enter
passwords. Anything that interferes with that, _regardless of whether it works
or not_, is going to get a thumbs-down from them.

As for pasting into the second password field on change-password, maybe they
don't want people copying out of the original field and pasting into the
second? I'd get that, and the organization-wide costs of password recovery are
probably very significant for a company like PayPal... But don't all
browsers already disable copying out of password fields?

This is the silliest kind of arms race. Users try to keep ahead of security
nonsense, and self-styled security gurus keep on trying to stop them.

~~~
SideburnsOfDoom
> But 1Password isn't exactly impartial ... their entire product and way of
> thinking depends on being able to auto-enter passwords.

You're not just talking about a product, 1Password, you're talking about the
whole class of password managers - 1Password, KeePass, LastPass etc.
[http://lifehacker.com/5944969/which-password-manager-is-the-most-secure](http://lifehacker.com/5944969/which-password-manager-is-the-most-secure)

There are many and they all do this. Many of them also offer "auto-type" i.e.
simulated keystrokes, as an alternative to paste. It works even when paste is
disabled.

On the whole, using a password manager is a very good thing:
[http://anthonysteele.co.uk/nobody-knows-anything-about-passwords](http://anthonysteele.co.uk/nobody-knows-anything-about-passwords)
[http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html](http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html)

