I use a few websites that prevent me from copying & pasting into the username or password fields. It's quite frustrating when using a password manager, and if anything I'd think it discourages users from good password-management because they're going to have to choose something they can type manually over and over again.

Are there actually any benefits to preventing the paste operation on an application or website?

realworldcoder

6 Answers

In my opinion, I don't think it's a net win. Those restrictions always frustrate me.

(I'm hoping someone here will post details about how to defuse or work around them. Maybe a tweak to Firefox's user_prefs.js? An extension?)

Presumably the reason why sites disable the password manager is because they're worried that Alice might sit down in front of Bob's browser and log into the web site as Bob, maybe purchasing something on Bob's tab. This is particularly an issue for roommates, family members, etc. who live together with each other. (See also "friendly fraud".) A related risk is that Bob might actually purchase something, but then claim that Alice did it to get out of paying for it. Presumably, the sites hope that by disabling the password manager, Bob will be forced to type in his password anew every time; Alice won't know the password and won't be able to type it in.

However, these restrictions come at a significant cost. They make the website less usable and more annoying for users. They also drive users to either select poor passwords (which may be more susceptible to password-guessing attacks) or to write down their passwords (potentially enabling roommates and family members to learn the password, leaving everyone back where we started). For users who do trust everyone else who has physical access to their computer, these restrictions strictly decrease security.

Personally, I suspect most sites should be reluctant to employ such measures. Odds are that you will annoy your users more than you will help them. But you will be in a better position to make an informed decision.

If you do decide to employ such restrictions, you might consider providing users a way to opt out if they do not share their computer with others. Perhaps this may only be of interest to power users, so I don't know if it's worth your time, but you could consider it.

D.W.
  • By the way if Alice uses Bob's incautiousness to purchase something, then how can Bob possibly blame the website for this action? – Utku Jan 06 '16 at 09:02
  • Since you were asking for a workaround, here is what I use: http://pastebin.com/8jtqhVps. I use this with TamperMonkey but I hope it will work with GreaseMonkey too. It captures the data whenever you paste anything. `Ctrl+Y` sets the value of the focused element to the last captured value. Never caused any issue so far. – VarunAgw May 26 '16 at 16:42
  • As a workaround, I use an AutoHotkeys script. I needed it for situations where the clipboard doesn't work due to lack of functionality (VNC and VMWare windows) but it works equally well on manually disabled controls, since it pipes the clipboard into keystrokes. http://pastebin.com/YzgS8YBd – cscracker Nov 03 '16 at 17:41
  • I do: right-click the password field > "Inspect Element" > right-click the element selected > "Use In console" > temp0.value = '{mypassword}' – kemp Nov 29 '18 at 21:06
The two core reasons always indicated to me are:

  1. Allowing copy and paste means people will have their passwords saved in a text file somewhere, which is unsafe (yes, I know with applications like PassSafe this is a bit outdated, as the place to save passwords is 'safe')
  2. People will forget their passwords if they don't have to remember them.

Number 2 is the most important one, I think - it's hard enough persuading people to remember their passwords when they get back off holiday - the helpdesk load is high after any major holiday, and companies try to reduce this.

Rory Alsop
  • Yeah, but if I use keychain, 1password or some other mechanism, then my passwords are stored in a 'safe' fashion (after some definition of 'safe', of course) and I just lose the usability benefit of not having to be a touch-typist. – Mar 06 '11 at 18:21
  • People will forget their passwords even if they have to remember them. It just means passwords are written down on paper instead of encrypted somewhere. – Bradley Kreider Aug 31 '11 at 19:40
  • It's just that the copied item is saved to DRAM which could be forced to be leaked out of active state while in middle of an attack. – Shritam Bhowmick Nov 03 '16 at 03:36
  • Shritam - that is a very unlikely scenario, but feel free to add a new answer rather than commenting on others. – Rory Alsop Nov 03 '16 at 07:33
  • @RoryAlsop Correct me if I am wrong, people use password managers so they do not have to remember passwords, right? So why would a website want us to remember our password? – Umair Afzal Nov 03 '16 at 10:34
  • Umair - I cannot understand what you are asking – Rory Alsop Nov 03 '16 at 10:41
  • For number 2, I literally remember just one password: the password I encrypt my password file with. Each website gets a different password I copy from that encrypted file. I never use my local password online. It's far more secure. I know most people won't be doing this, but what makes you think someone that will be copy-pasting a password won't have their password stored if one stupid site disables pasting? – B T Dec 06 '18 at 21:40
I personally don't think there are any real benefits. I'm agreeing with the idea that you'll probably just annoy your users into picking something that isn't helpful.

That said, I believe the rationales used are either to

  • avoid the password being saved somewhere where it might be stolen,
  • or because they believe passwords must be typed by the user for irrational reasons.

While it might be rational that it could defend against Little Johnny emptying his mother's bank account, I don't see much else in practicality. I figure if you can snag the password file, you can probably snoop on the keyboard input.

IBam
Jeff Ferland
  • On the contrary, the clipboard area consumes memory in DRAM which can be leaked otherwise. It might just happen when you save data to memory, during an attack - there could be leaks? – Shritam Bhowmick Nov 03 '16 at 03:37
One example of this behaviour is Paypal - they prevent pasting in the password boxes when changing your password (but not when entering your password to log in, work that one out!!). Their rationale is:

The feature of using control-V is not available in resetting the password as this is one of our ways to insure (sic) that it is indeed the account holder who is accessing the account.

In this example, and in others I have come across, you can disable javascript in order to enable pasting. Chrome, for example, allows you to do this on a site-by-site basis, so you can just prevent Paypal from using javascript, and put up with the reduced functionality.

Ebay have also been infected by Paypal's pseudo-security virus. They've disabled pasting into the Credit/debit card field when you go to update your automatic payment method.

Anyway, frankly I don't buy their rationale. A tech-savvy user (or hacker) can disable javascript in order to bypass this feature, so all it does is force novice users to use weak passwords (i.e. those they can be bothered to type). I reported this to them, but was predictably fobbed off - for some reason customer service people never appreciate talking about tech / security issues...

The UK government officially think Paypal / Ebay are stupid for doing this - see the National Cyber Security Centre's Website.

schroeder
IBam
  • I can copy to PayPal's login textboxes. Without disabling JS or anything... – Tokk Feb 03 '15 at 12:36
  • @Tokk - my mistake, I thought I'd written that it only happens when changing your password. Updated the answer! – IBam Feb 03 '15 at 14:08
  • Actually the whole notion that passwords must always be remembered and never written down or recorded was utter foolishness from the start. I much rather prefer that users generate longer, better, and different passphrases per important site that they use only weekly or less often, and either use a password manager, or even write them down on paper, and lock that paper in a home safe or even a locking desk drawer. The mandate that *all* passwords (regardless of use and value) must only be remembered has no place in the realities of today's cyber-world. – cybermike Apr 03 '15 at 15:13
  • Well disabling copy-paste on the "new password" form actually makes some sort of sense, because the whole point of entering the password twice there is to avoid typos making it so you don't know your password after all. If you can just copy-paste the typo, it defeats the purpose. Still annoying, for those of us using password managers. – Ben Apr 07 '16 at 20:08
  • @Ben - this isn't about copying from the first new password box to the second (which you are correct in saying would be bonkers), it's about copying from an authoritative source and pasting the same thing twice. – IBam Apr 08 '16 at 08:06
Clearly down to misguided security policies at the company. Bet365 is another guilty party in this. Note that enforcing typing of passwords is not the same as blocking autocomplete.

Enforcing manual typing of passwords has the following security implications. It encourages weak passwords that can be remembered. It encourages passwords that are used across multiple websites (as, after all, they are easier to remember). It encourages weak passwords because, "well", they're easier to type. A keylogger on the machine can intercept typed-in passwords. Stored complex passwords probably have to be pasted into Notepad or something first, so they can be typed in, and are then vulnerable to things like screen grabbers.

The risk of allowing a paste is only one really, in that it may be stored in a clear text file somewhere, but that may still be the case anyway when typing it in.

ChrisC79
This is an old post, a really old one, but I know why these sites block password pasting, and it's not because of security reasons that actually matter. So when I got my second job, at a relatively large-scale software services firm (read: technology sweatshop), they had us go through 3 months of paid training (read: vacation). The people who were working there started out with coding in HTML/JavaScript first to design the user interface (read: badly designed spaghetti code).

So they built the validations in JavaScript for checking empty fields, regex etc., and of course they had to validate on keypress. The problem was that it didn't work if the user pasted in the input, so they blocked copying/pasting to prevent users from inputting unsafe data. Of course server-side validations would completely solve the problem, but no one had any tech skills there. These people then went on to build/work on enterprise software, and many banks and enterprise solutions thus have this restriction.

That is the real reason we have these "validations": because people couldn't figure out how to validate pasted data and had no idea how to validate stuff on the server side.

One of the "instructors" there actually suggested validating on client side reduces load on the server.

SoWhat
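The answer above describes client-side checks bound to keypress, which never see pasted text, so paste got blocked instead of the check being fixed. The following is an added example, not code from the original post or from any site it names: it shows the keypress-only filter letting pasted content through unchecked, the same check bound to the "input" event (which browsers fire for typing, pasting, drop and autofill alike) catching it, and the authoritative whole-value check that a server should run regardless. The FakeField class is a constructed stand-in for an input element so the example runs under Node without a DOM; the username rule and the hostile clipboard string are constructed too.

```javascript
// Added example (not from the original post). Demonstrates why validating on
// keypress misses pasted input and how validating the field's whole value on
// the "input" event, plus a server-side re-check, removes any reason to block paste.

// Constructed validation rule: the same regex a server would apply to the
// submitted value, whatever route the characters arrived by.
const USERNAME_RE = /^[A-Za-z0-9_.-]{3,32}$/;

function validateUsername(value) {
  return typeof value === "string" && USERNAME_RE.test(value);
}

// Constructed stand-in for an <input> element. It dispatches the same event
// names a browser would: "keypress" then "input" for typing, "paste" then
// "input" for pasting. Real browsers do NOT fire keypress for pasted text.
class FakeField {
  constructor() {
    this.value = "";
    this.valid = null; // what the client-side check last concluded
    this.listeners = {};
  }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  dispatch(type, event) {
    for (const fn of this.listeners[type] || []) fn(event);
    return !event.prevented; // false when a handler called preventDefault()
  }
  type(ch) {
    const ev = { key: ch, prevented: false, preventDefault() { this.prevented = true; } };
    if (this.dispatch("keypress", ev)) {
      this.value += ch;
      this.dispatch("input", { prevented: false });
    }
  }
  paste(text) {
    const ev = { text, prevented: false, preventDefault() { this.prevented = true; } };
    if (this.dispatch("paste", ev)) {
      this.value += text;
      this.dispatch("input", { prevented: false });
    }
  }
}

// The pattern the answer describes: filter characters one keypress at a time.
// Pasted text bypasses keypress entirely, so it is appended unchecked while the
// filter still believes the field is clean.
function wireKeypressFilter(field) {
  field.addEventListener("keypress", (ev) => {
    if (!/^[A-Za-z0-9_.-]$/.test(ev.key)) ev.preventDefault();
    field.valid = true; // the filter assumes whatever got through is fine
  });
}

// The fix: re-validate the complete value every time it changes, by any route.
// No paste handler is needed, so paste can stay enabled.
function wireInputValidator(field) {
  field.addEventListener("input", () => {
    field.valid = validateUsername(field.value);
  });
}

// Runs both approaches on the same interaction: type "bob", then paste a
// constructed hostile string. Returns what each side concluded.
function compareApproaches() {
  const filtered = new FakeField();
  wireKeypressFilter(filtered);
  for (const ch of "bob") filtered.type(ch);
  filtered.paste("<script>"); // constructed clipboard content

  const validated = new FakeField();
  wireInputValidator(validated);
  for (const ch of "bob") validated.type(ch);
  validated.paste("<script>");

  return {
    keypressOnly: { value: filtered.value, clientSaidValid: filtered.valid },
    inputEvent: { value: validated.value, clientSaidValid: validated.valid },
    // The server must not trust either client verdict; it checks the value itself.
    serverCheck: validateUsername(filtered.value),
  };
}

console.log(JSON.stringify(compareApproaches(), null, 2));
```

The keypress-only field ends up holding `bob<script>` while still reporting itself valid; the input-event field holds the same text but reports it invalid, and the server-side check rejects it either way. The client-side check is only there for prompt feedback; the server check is the one that protects the application.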