
The 16-character limit is not as bothersome to me as the fact that they go out of their way to set onpaste="false" in their HTML, making even 16-character passwords annoying because the average user has to type it all in by hand.

I will never understand the rationale for preventing me from pasting a strong password versus picking a weaker password that I have to type by hand. Currently, my workaround is to use "Inspect Element" with a Web Developer Extension and remove this rather unfortunate attribute.

I know that password manager tools like KeePass can type in the password letter-by-letter (but then, why not just allow paste?), but this automation is normally designed for login screens, not for password change forms.



Rather than doing this by hand via Firebug/Chrome Inspect Element, it might be worth looking into creating a quick Chrome Extension or Firefox Add-On (or even a userscript) to do this for you.

I understand the initial rationale behind not allowing you to paste a password:

(1) Pasting a password can allow a malicious user to find your password somewhere and paste it in (as it would take much more time to type by hand).

This doesn't make any sense - as you pointed out, there are programmatic ways to avoid actually being unable to paste. Furthermore, a malicious user going through a password list would likely be using a command line interface or script, and not bothering with a GUI anyway. I'd call this issue completely moot.

(2) You could accidentally paste it somewhere else.

This has a little more value, but it doesn't come anywhere close to being a valid reason to disallow pasting. The security benefits of using a secure password manager (like KeePass or a TrueCrypt volume with a password list) are so much greater than Blizzard (or anyone) worrying about what you're going to do with your paste buffer.

The problem with putting any limitations on passwords that a user can use is that they almost always backfire. Sure, it might have made more sense when hashing algorithms crapped out after several characters, but in today's world those hashing algorithms shouldn't be used anyway.
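The userscript the comment above suggests, written out as an added example (this is not code from the thread, from Blizzard, or from any existing extension). It undoes the two ways a page usually blocks pasting: an inline handler attribute such as the `onpaste` attribute the comments describe, and a listener registered with `addEventListener` that calls `preventDefault()` on the paste event. The selector, the set of events shielded, and the browser bootstrap are assumptions of this example, not anything the thread specifies.

```javascript
// Added example, not code from the thread or from the site discussed: a
// userscript-style snippet that re-enables paste on text and password fields.

const HANDLER_ATTRS = ["onpaste", "oncopy", "oncut", "ondrop"];
const EVENT_TYPES = ["paste", "copy", "cut", "drop"];
// Assumed scope: free-text inputs only (type=password, type=text, or no type,
// which browsers treat as text).
const FIELD_SELECTOR = 'input[type="password"], input[type="text"], input:not([type])';

// Decide whether an element is a free-text <input> this script should touch.
function isTextualInput(el) {
  if (!el || typeof el.getAttribute !== "function") return false;
  if (String(el.tagName || "").toLowerCase() !== "input") return false;
  const type = (el.getAttribute("type") || "text").toLowerCase();
  return type === "password" || type === "text";
}

// Remove inline handler attributes from one element. Removing the content
// attribute also clears the handler the browser compiled from it.
// Returns the attribute names that were removed.
function stripInlineHandlers(el) {
  const removed = [];
  for (const name of HANDLER_ATTRS) {
    if (el.hasAttribute(name)) {
      el.removeAttribute(name);
      removed.push(name);
    }
  }
  return removed;
}

// Strip inline handlers from every matching field under `root`.
// Returns the number of fields that actually had an attribute removed.
function unblockPaste(root) {
  let stripped = 0;
  for (const el of root.querySelectorAll(FIELD_SELECTOR)) {
    if (stripInlineHandlers(el).length > 0) stripped++;
  }
  return stripped;
}

// Listeners the page added with addEventListener cannot be enumerated, so run a
// capture-phase listener at the document root instead. It sees the event before
// any listener on the field itself and stops propagation, so the page's handler
// never gets to call preventDefault(). Stopping propagation does not cancel the
// default action, so the browser still inserts the pasted text.
// The returned handler reports true when it shielded an event, false otherwise.
function makeShield() {
  return function shield(ev) {
    if (!isTextualInput(ev.target)) return false;
    ev.stopPropagation();
    return true;
  };
}

function installShield(root) {
  const shield = makeShield();
  for (const type of EVENT_TYPES) root.addEventListener(type, shield, true);
  return shield;
}

// Browser bootstrap: runs only where a DOM exists, so the functions above can
// also be exercised outside a browser with stand-in objects.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  installShield(document);
  unblockPaste(document);
  // Password-change forms are often rendered after load, so re-run on DOM changes.
  new MutationObserver(() => unblockPaste(document)).observe(document.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: HANDLER_ATTRS,
  });
}
```

Installed as a userscript, it should run at document-start and be matched to the sites that need it: a page listener registered on `window` in the capture phase before the script runs would still fire first, and the shield also hides paste events from any legitimate page code on those fields, so keep it scoped rather than global.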


(3) You type your intended password wrong, copy it, paste it, and lock yourself out. The reason sites make you type the password twice is to make sure you did it right. People who can't be bothered to type a password twice are probably heavily intersecting with people who didn't type it right the first time.


This seems somewhat contrived, but in the realm of the plausible, so let's say it's in fact the reason for doing so. If so, why do you think that the old/current password field also has paste disabled?

I think an easy solution (that perhaps I just haven't found) in KeePass is to have a feature like "Perform Auto-Type" (which does the full login and password typing sequence), but for any arbitrary field. If I could find that, then this would be a moot issue for me.


And that is a good reason to stop copy, rather than paste.



