Ask HN: Disabling paste in password boxes - why is it practiced?

62 points by BIackSwan ↗ HN
I have the practice of disabling paste functionality into password fields. I don't understand why it is necessary - on the contrary - it discourages use of password managers - especially on mobile devices.

The justification by the app builders is that it "improves security". I dont buy it.

Is there a good reason to disable this functionality? What does it improve since automated hacking programs can always by pass it?

62 comments

[ 353 ms ] story [ 1468 ms ] thread
The only reason I can think of is to infuriate every user using a password manager and help move the world to a place where stickies with passwords on your screen are commonplace (again).

Annoyingly so Apple has taken to this practice in certain OS password fields, like when you need to enter a password to decrypt a FileVault encrypted disk.

Have you got Full Keyboard Access enabled? (Preferences > Keyboards > Shortcuts). Works fine for me on El Capitan.
I've resorted to selecting the field, pasting into Quicksilver [1] and using the "Type Text" action to get around these restrictions.

[1]: https://qsapp.com/

TurboTax does this and it's very close to making me quit using it.
H&R Block Online also does this, and is the primary reason that I switched away from them this year.

Ironically, I switched to TurboTax, but didn't have the same issue because the login is done automatically via my bank login.

Does anyone know of a decent online tax app that doesn't disable the pasting of passwords?

Right click inspect element. Edit the value attribute pasting your password... Should work
Probably the same reason why some sites have a maximum password length of 8. Security design by people who are clueless about security.
Not too long ago Ticketmaster had a minimum length of _4_.
Just as safe as my banking PIN then, was it just numbers?
None that I can see. It's a stupid practice to annoy users. I store my passwords in a password manager and copy and paste all the time.

I don't use software that disables paste.

Because some places like to watch keystroke speeds as a biometric factor. It can be quite accurate.
I know this is technically possible, but I've never seen it being used. This is definitely not the reason why so many sites disable pasting.
Coursera use it (plus a webcam shot) to try to verify that every coursework submission is from the same person.
Well they are trying to justify their certificates are legitimate, of course they use every cheater-catching trick they can. This is not just logging into a random site anymore, this is trying to do fraud detection for exams while not physically present.

(Also, one example doesn't make something true.)

> (Also, one example doesn't make something true.)

Neither does "I've never seen it being used".

https://www.troyhunt.com/the-cobra-effect-that-is-disabling/ nope.

(For the "type your new password twice to change it" fields there's somewhat of a justification: if someone mistypes their password then pastes it twice, they'll be locked out of their account, the point of the double field is to prevent typing errors, which means it should be typed twice.)

But it doesn’t even matter if someone puts the wrong password in: if they get it wrong, you just nudge them to reset it and everyone’s happy.

Getting email address wrong is far more important, but far fewer things do the same doubling up on that.

Passwords are entered twice because you can't see them. You could make a mistake and not see it. People recently mistakenly assumed it's "because your password is important" and have consequently doubled the email address too.

I so hate places that make me write my email address twice and disallow pasting, I'm not retarded and it's my own fault if I can't spell my own name (or in this case, email address), especially if I copy-paste it.

You know what? Why don't we make every field double before someone typoes their address and ships it to the wrong place? That'd be such a bad customer experience!

I should clarify that I was commenting on the state of things, not endorsing any specific actions. Like you, I am mildly annoyed by any doubling up. Still, I can testify that people mistype email addresses with frightening regularity.

For things like shipping addresses, some types of errors can be assisted with by something that checks plausibility: does that address make sense and do we know that it exists as a shipping address? If not, confirm with the user that it’s actually what they meant.

Email address errors are often the same: basic validation can catch the most common types of errors. http://www.mailgun.com/email-validation is an example of an API to do just that. I think an ideal system would do something like send the confirmation email and listen for a bounce message, showing a message to the user as soon as such a bounce message pops up. Also, showing the email address on the confirmation page for the user, with the ability to change the address there and try again.

(comment deleted)
If they can paste it twice they can paste it three times.
My guess is to stop copying and pasting from Desktop\passwords.doc.
It only stops the pasting, not the copying.
Is keeping a plaintext password file worse than forcing users to use a password that's easy to type and encouraging them to use the same password everywhere?
No doubt some self-proclaimed "security expert" did it long ago and it got picked up by a few places and the rest is history.

There are many such anti-patterns around like requiring "complex" passwords with upper, lower, special, etc. characters yet do not work with >16 characters. Something that pisses me off to no end is Microsoft not allowing spaces in their passwords for some unknown reason.

If it were up to me I would have one limit to passwords, length. A minimum of 12 characters. Sure you will get some moron using aaaaaaaaaaaa but they are the kind of people who will find a way to use an idiotic password no matter what.

The reality is passwords need to die. We should be encouraging pass-phrases.

Using newer cracking techniques[1], pass-phrases are as quick to crack as many others. I honestly think password managers should not exist without the ability to randomly generate new passwords.

1. https://hashcat.net/oclhashcat/

For sure in an ideal world all users would have a password manager that generates 60+ character long passwords that are unique to every service but sadly that probably won't happen for a long time.
In an ideal world we wouldn't have blackhat hackers.

A more practical solution is to simply generate a public/private key pair on registration.

oclhashcat is weak against a properly chosen 7 word diceware phrase.
That is why, with a pass phrase, the number of WORDS should be equal to the number of LETTERS in a random alphanumeric password.

So if the password rule is 8 truly random characters, you should be aiming for 8 words in your pass phrase password. This is an easy rule to remember and to teach people.

The actual explanation for this is a little complex and includes things like the average person's vocabulary, known sentence structure inc. transition words, language itself, and enigma cracking techniques.

The biggest criticism phrase based passwords receive is that people go from an 8 character random password to a three word phrase-based password and then act like they've improved security because it contains more characters.

Phrase based passwords can be secure with a little bit of education, even against the best available crackers.

I was honestly surprised when i touched that software again after many years and more than one major hardware upgrade. 7 Chars WPA2 would be cracked within a few seconds, 8 chars takes like 10 minutes or a little more.

And i dont even own a really good graphic card.

A side question: why would a normal person paste password in the password field? Its either autofilled or he types it in. Only case I see this happening is when you get the password in the email from website and are asked to enter that, which itself would be a bad practice.
Because I'm using a password manager.

Why shouldn't normal people use password managers?

Is it bad practice to get your password in an email? I thought that's what happens when you reset your password
Yes it is. The recommended approach these days for password resets is to email you a single-use, time-limited link to a page where you can choose a new password.
If a site can email you your password, they are basically storing it in clear text. Otherwise they could not send you your password (because they would only have the hash of it). This is clearly a huge security risk.
I suppose they can generate the password, and email it to you before storing the hashed password in database?
They could. The real issue is when you do a 'forgot password' and they send it to you. That's a big red flag.
If you use a site where you store sensible information and send your unencrypted password back by mail, delete all your information from there and leave.

Email is not designed for secure information transfer, in a lot of cases your password will travel in plain text over the network and passing that way potentially over several servers.

And besides that, if they store your password in plain text a way that can be recovered the original version, if that site gets hacked the other sites where you may be using that password or a trivial modification of it (i.e. if you use a base password+site name) will give them your password. Happened to 38M Adobe users 3 years ago https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-pas...

I also find it annoying when sites make me type my email twice and won't let me copy-and-paste it the second time - I know my email address and can tell by looking at it if I've typed it correctly, I really don't need to type it again to prove that I can type it.
You might, plenty don't, and I have the bounce backs to prove it.
I always feel like this is protecting against the wrong userbase. A user who is advanced enough to want to copy-paste his email is not the same user who lacks the skills to type it correctly the first time
Plenty of people don't even type their email correctly. Ask anybody that runs a service and sends email, then you'll see. E.g. "myname@domain.com" vs the typo missing the final 'm' "myname@domain.co"

But I do agree it's rather annoying and not allowing paste is even worse.

I actually trust my copy-and-paste more than me not making a typo because I am human. By not allowing paste, websites are asking me to potentially make mistakes.

Perhaps a better solution is for the browser to have a button on <input type="email"> fields to allow me to select from a list of emails I have. The browser needs to protect this data from being website accessible until I give permission for privacy reasons, but that would have been a way better UX.

It might discourage people from storing their passwords in plain text files and force them to memorise it.

It adds to the image that passwords are something special and secret if you cannot use basic functionality.

Was there a historical reason about JavaScript on other pages pulling what was in your paste buffer?
In 2012 I had to set up a password for BankID with DNB, (The Norwegian Bank), and used the automatically generated password "P0Q1u-A(Va,?mO?nIrBl" from KeePass. Their entropy estimate showed this password as very weak and did not accept it, even though much simpler passwords were shown as "strong". I sent them an email asking them about their entropy estimation, and complained about their implementation disallowing pasting of passwords.

They quickly replied that their entropy estimation was flawed in handling some characters and that they would fix this. They also said that copy/pasting was disallowed as this password should not be stored in any form. I sent them an email back arguing that this policy forces people to use weaker passwords, to which they replied that this would be taken to their product manager.

Now in 2016 they've updated their implementation which allows pasting passwords, making life easier.

As an avid password manager user, thank you for taking up this fight
That's really nice. I wish that more organisations responded in that kind of way; I certainly know that if someone wrote to us to complain about password or other security issues we'd certainly take it on board.

What are the reasons that such inquiries often get stonewalled - is it simple organisational complexity, and the difficulty of actually contacting the right individual?

Their response to the entropy issue (which was a clear bug) was "we confirm that today's implementation yields a somewhat incorrect error message when using some special characters in passwords and that this will be fixed".

When there is a clear bug it is fairly easy internally for them, since they just need to confirm the issue and send it to the right people to get it fixed.

With the copy-pasting issue, their reply simply stated that disallowing this feature was intentional policy on their part and that their passwords should not be stored in any way. Changing policy and implementation would require a greater effort on their part, and admittance that a suggested change would improve their service.

I then wrote a longer reply, arguing that following their password recommendation for the ~150 online accounts I had at the time would be infeasible without a password manager, and insisted that I would like a reply which did not refer to existing policy. The response to this was that it would be taken to their product manager.

If the person handling the issue didn't care about the company doing the right thing or their job, or if they were convinced that their policy was correct, or if they believed escalating would certainly not lead to change in policy, the issue may not have been escalated. So the people handling issues must care enough to escalate unresolved issues, or the company policy must force escalation of unresolved issues, and at some point in the chain of escalation some person must believe that following the suggestion would result in an improvement.

Another equally irritating problem are sites that use just keyup/down events for validation and when you paste a value (or if password manager fills it for you), they don't let you submit the form until you actually type something in that field.
My bank does this - no idea why. I use a bookmarklet to re-enable paste.
At least one of the reasons is that Windows often picks up rich formatting characters if you cut/copy.
This is not a problem with Windows. This is only a problem if the site's implementation allows rich text, which I have never ever seen in a password field.

Windows will paste plain text unless the text field in question is explicitly identified as rich text.

My thought was that this stems from the idea that while the clipboard may be a legitimate and secure way to transfer across programs from a password manager to the password field, it is also an OS-wide shared space. After you tab away to the next app, it will have access to that password that remains in the clipboard. Browsers couldn't clear it (and apps aren't supposed to touch the user's clipboard anyway) so they discouraged it.

You could also alt-tab over to your IRC client (IRC because this was state of the art probably about when this practice started) and forget what is in your clipboard and paste+enter quickly.

I don't think this is a _good_ reason to do it, but that was why I thought it was done. I have no idea if that's the real reason it got started though.

Thus why 1Password and other password managers automatically clear the clipboard after X seconds. It's a handy feature.
Making it worse are some websites totally disabling right click. Very very annoying.
Am I the only one here who memorizes passwords, types them in, and it works and they serve their purpose? I've got a few "schemes" to systematize a bit, I share passwords for non critical things, etc.

My biggest beef is the constant asking "do you want the browser to insecurely save this?" How did that become the default? No wonder people can't remember passwords if they never type them. I use many machines, and multiple browsers per machine and I don't synchronize them, so changing the remember passwords setting is such a chore I usually stick to clicking "remember never".

I don't think I can recall (dozens of years of computing) ever having a password hacked. Privilege escalation is the main threat.

Really this question should be asked in the relevant forum. A better place to ask might probably be: https://security.stackexchange.com/

The main reason is the clipboard is plain text and shared with everything. I recently had it last week where my other half was using my laptop. The cat walked over the keyboard and she wondered where this person's name had come from. Turns out it was from me using the clipboard 5 days earlier.

It dawned on me then, the clipboard needs a time limit. It needs to clear after an hour of inactivity, it needs to clear on resume.

I use autoit and automater to bind ctrl+alt+v to "type" from clipboard for just this reason.