
I also enjoy sites that prevent pasting into password fields. Makes using a password manager a pita.



I feel the same way. A bandaid for the situation: you can use browser extensions/add-ons to restore paste functionality on these web pages. For example, I use this one:

https://github.com/aaronraimist/DontFuckWithPaste


I had an idea for Firefox, which is to restrict copy/paste overriding completely from the DOM.

This would put a stop to Google's BS of overriding normal links to google-analytics-full redirect URLs.


You can disable this API in about:config fully and natively.


To save people some time, it's `dom.event.clipboardevents.enabled` in about:config.


Also their cousin; those that allow programmatic entry/pasting, but then detect whether the user has provided a value based on keystroke listeners rather than current field value. So you still need to hit space+backspace in the field to let the client JS know you've entered something.
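The keystroke-listener antipattern described in the comment above, next to a check that reads the field's current value (an added example, not part of the original thread). `FakeInput` is a constructed stand-in for a DOM input so the code runs under Node, and `managerFill` assumes a programmatic fill sets the value and fires `input`/`change` without any key events.

```javascript
// Constructed stand-in for an <input>: just enough surface (value + events)
// to run under Node without a browser. Not a real DOM element.
class FakeInput extends EventTarget {
  constructor() { super(); this.value = ""; }
}

// Antipattern: "has the user entered something?" is tracked from keystroke
// events, so a programmatic fill is never noticed.
function keystrokeTracker(input) {
  let touched = false;
  input.addEventListener("keydown", () => { touched = true; });
  return () => touched;
}

// Fix: ask the field itself. Whatever put the text there (typing, paste,
// autofill, a password manager), the current value is the source of truth.
function valueTracker(input) {
  return () => input.value.length > 0;
}

// Assumed shape of a programmatic fill: set the value, then fire
// input/change. No keydown/keyup is dispatched.
function managerFill(input, secret) {
  input.value = secret;
  input.dispatchEvent(new Event("input"));
  input.dispatchEvent(new Event("change"));
}

// Simulates a user typing one character at a time.
function typeText(input, text) {
  for (const ch of text) {
    input.dispatchEvent(new Event("keydown"));
    input.value += ch;
    input.dispatchEvent(new Event("input"));
  }
}

// Runs both trackers against both ways of filling the field.
function demo() {
  const results = {};
  for (const [name, fill] of [["typed", typeText], ["managerFill", managerFill]]) {
    const field = new FakeInput();
    const byKeys = keystrokeTracker(field);
    const byValue = valueTracker(field);
    fill(field, "constructed-sample-value"); // constructed sample input
    results[name] = { byKeys: byKeys(), byValue: byValue() };
  }
  return results;
}

console.log(demo());
```
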


The scary cousin of this antipattern: the login form that browsers' built-in password managers can't see. Building the DOM using pathologically dynamic methods, using nonstandard input fields, giving the username/password fields ridiculous names, etc.

This tells me that the developers don't use password managers themselves, which means they probably use hunter2 for all their passwords, which means they don't know or care about conscientious security practices... not the folks I want to have built the site I'm about to use.


Agreed, I always double check that the browser password manager works, but it's tricky because there is no standard around what the fields should be called to make it always work. The best way to make sure it works is to put the username directly above the password in the same form, that will result in most password managers working, and this is especially important on registration forms.

Also for those that don't know why hunter2 was used above, enjoy! http://i0.kym-cdn.com/photos/images/original/001/065/965/989...


I can’t believe this is a thing. It makes me rage every time. I have to go into dev tools and just insert the value myself.


On macOS I use https://github.com/EugeneDae/Force-Paste to get around this. It uses a virtual keyboard to type in the text from your clipboard. Also helpful for using the password in programs that don't allow paste.


The GNOME DE does this as well. Whenever I have a fresh Linux install and I try to enter the passwords in the "Online Accounts" section I'm reminded of it... so frustrating.


Yet another reason not to use Gnome. They seem to have decided to make the DE as unusable and obtuse as possible.


```
document.getElementById("password").value = "myvoiceismypassword";
var event = new Event('change');
document.getElementById("password").dispatchEvent(event);
```

done


My general solution here is, if I can possibly avoid it, to not use that site/service.


Some password managers (like keepassxc) can emulate keyboard input.


Generally speaking, that's one of the best ways to get me to not use your site - It's both inconvenient and shows your security team to be incompetent.


Is this restriction more common in certain countries?

In the US, I've fortunately never seen paste blocked on a login page. Wondering why.


It's common in the US, I see it every couple weeks. It affected me last night on the Costco Travel site when creating an account. It let me paste the password but not the confirm password field.


I’ve seen it when entering in my bank’s routing and account number. Like, seriously? I’m less likely to type a digit incorrectly if I copy and paste...


It's like a physician recommending the USDA food pyramid (the one filled with HFCS)



