It’s 2023, why are websites actively preventing pasting into fields like passwords and credit card number boxes? I use a password manager for security, it’s recommended by my employer to use one, and it even avoids human error like accidentally fat-fingering keys, and best of all with the credit card number I don’t have to memorize anything or know a single digit/character!
I have to use the Don’t Fuck With Paste addon just to be able to paste my secrets into certain monthly billing websites; why is my electric provider and one of my banks so asinine that pasting cannot be allowed? I can only imagine downsides and zero upsides to this toxic dark-pattern behavior.
There is even a mention about this in NIST SP 800-63B, a standard for identity management that some companies must follow in the USA, which mentions forcefully rotating passwords and denying “password paste-in” as antiquated/bad advice:
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets
Edit: I discovered that for Firefox users there’s a simpler way than exposing your secrets to someone’s third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.
Edit 2: As some have pointed out, that config value interferes with regular functionality on some sites. Probably best to leave it alone unless you know what you’re doing.
Some intentions behind this are mentioned in this WIRED article.
Related well-intentioned albeit misguided and possibly harmful concept is annoying password expiration that is also no longer recommended.
Everyone tangentially related to cybersecurity knows by now that frequent password expirations encourage users to set insecure passwords for a net negative to security, so why the hell do cybersecurity insurance providers still require expirations? We have this for my org even though we have SSO backed up with MFA for all accounts. So frustrating!
Password1, 90 days later “Password2”, 90 days later…
Real top tier security.
On a similar note, copying the password to the clipboard is the weakest link in the usage of password managers today. Everything that is running on your system has access to your clipboard content and even get notified when you copy something to it.
Your tool of choice should have an option to generate easy to read/write passphrases and you should prefer those whenever possible (without weakening the password itself), so that you can avoid moving your passwords to the clipboard whenever possible.
Yes however, they also have access to your keyboard in realtime with getAsyncKeyState or event hooks in windows at least, so I’m not sure that’s a strong argument.
This is exactly what I was going to say. Copying and pasting passwords is definetely a no-no for me.