
Is there any reason to disable paste password on login? - EvanAnderson
http://security.stackexchange.com/questions/131106/is-there-any-reason-to-disable-paste-password-on-login
======
hexadec0079
No.

This is such a terrible idea I cannot wrap my head around why anyone thinks
pasting a password is a vulnerability. If someone is on the system and can see
the clipboard, you are screwed regardless.

------
bllguo
This is the only sensible reason I've read so far, from a comment in that
thread:

"There are behavioral biometrics solutions where profiles are built based on
keystroke dynamics etc. which allow with a high degree of certainty to
identify if a user that enters the credentials is indeed the user we expect.
Credentials are true or false. If somebody has your credentials he is able to
authenticate. This is why I would like to know if the person who is entering
the correct credentials is indeed the person that we expect to know them.
Username and password have to be entered every time during the login process
so those fields are pretty interesting to check if such a solution is deployed
at the organisation. This is not possible if somebody copy/pastes their
password."

Nevertheless, I strongly feel that this is not reason enough to disable paste.

------
pjdorrell
The reason for this type of password security theatre is that it maintains the
fantasy world of purely human password management:

1. Every password only ever exists inside the brain of the user, or inside
the password entry field in the UI of the application at the time of login.

Unfortunately there are additional requirements, which make it impossible for
anyone who is not superhuman to satisfy the first requirement:

2. All passwords should be unique across applications (or websites)

3. All passwords are long and random enough that they cannot be guessed by
password-cracking software in a reasonable amount of time.

4. There is an ever-growing list of applications and websites that require
passwords.

------
SNvD7vEJ
Password managers clear the clipboard after a specified timeout (if the
clipboard still contains the password at that point).

For KeePass I think the default timeout is 30 seconds.

------
parent5446
The better question I'm interested in: is there any good way to easily disable
password-paster-disablers?

~~~
EvanAnderson
I've been using the "Don't Fuck With Paste" Chrome extension for a while now:
[https://chrome.google.com/webstore/detail/dont-fuck-with-pas...](https://chrome.google.com/webstore/detail/dont-fuck-with-paste/nkgllhigpcljnhoakjkgaieabnkmgdkb?hl=en)

------
_lm_
Betteridge's Law of Headlines applies here.

Here's a long article on why this is a bad idea:

[https://www.troyhunt.com/the-cobra-effect-that-is-disabling/](https://www.troyhunt.com/the-cobra-effect-that-is-disabling/)

~~~
dllthomas
> Betteridge's Law of Headlines applies here.

Strictly, the answer is yes. There is _any_ reason; not sufficient reason
compared to the reasons not to.

