
Why Are Sites Making It Difficult for Password Managers?

Question:

Following your advice, I use a password manager so I can use long, secure passwords and simply copy-paste into websites. Recently, however, it seems more sites use a technology that prevents this. The temptation now is to use shorter passwords, making them less secure so copying and typing them is easier. Why are sites doing this?

I haven’t seen a site that actually prevents pasting a password in the Password field, but I definitely have seen sites that either intentionally or unintentionally make password managers more difficult to use.

It’s backwards thinking, if you ask me.


Why do sites do this?

I honestly don’t believe that most sites do this on purpose. It’s a side effect of whatever new technology they happen to be using to ask for passwords – and often that newer technology just isn’t something that your specific password vault software knows how to handle.

There are some sites that actually do this on purpose. That raises the level to something more than just annoying.

Basically, they don’t want you to save your password anywhere but in your head. They see saving your password in any way as a security risk. The problem is that it leads to shorter and less secure passwords … as you’ve pointed out.

Extracting a Password

Whichever it is, I use LastPass and I do the following:

  • Open the information that I have on that site in LastPass’s vault.
  • Make the password visible.
  • Select and copy it to the clipboard.
  • Return to that site and paste it in.

I personally haven’t run into a site that doesn’t allow me to paste in the password. It’s a bit of a pain, but once again, it’s much less of one than having your account stolen.

Often, password managers will update their technologies to be able to handle the latest and greatest things that sites happen to be using. So do make sure that you are up-to-date.

If you’re encountering a site that actually prevents you from pasting something in the Password field, complain to them. Explain your logic. Tell them what it is you are doing and why what they are doing is actually leading to people using less secure passwords.

Please DO resist that temptation to make shorter, less secure passwords.


23 comments on “Why Are Sites Making It Difficult for Password Managers?”

  1. Internet Explorer 11 in Windows 8.1 won’t let me use Lastpass yet. I hope it will be resolved eventually. There is a red Lastpass link on the links bar but it isn’t functional. I could do what you do as a temporary work around but it’s a little bit of a hassle.
    Spybot Search and Destroy wouldn’t work with Windows 8.1 either until I updated it to the new version. Last week when I used it with Windows 8 it worked fine. This week I had to update it to get it to work. Maybe the same fix will occur with Lastpass.

    Reply
      • Yes, my Chrome Browser works with 8.1 too, but I just had to try the Tile World Internet Explorer to see if it was everything I’d been told. I only got as far as the first web site that I couldn’t remember the password for before I gave it up.

        Reply
  2. One site (app) that won’t allow pasting a plain text password is the Android version of the Amazon Appstore. It simply will not allow pasting into the password field. A very annoying regression from how it worked a year ago. I haven’t complained to Amazon about this because they have trained me in past interactions not to bother.

    BTW, I use Password Safe on all my computers, Windows, Linux and Android and save the encrypted password file on DropBox. It does interface directly with a few programs, but the password copying functionality is so simple that I just use that. (Right click on the item, long press in mobile, and select Copy Password… no need to show the password.) It then “forgets” the clipboard contents after a timeout so it isn’t left lying around.

    Reply
  3. Hi Leo – You said you haven’t run into a site that doesn’t let you paste passwords or userids. Allow me to show you one:
    https://www.gogecapital.com/en/consumer-credit-financing/index.html
    I have used eWallet for years and it works on all the platforms I need it on. Normally it will “paste” the userid and password automatically, similar to LastPass. A few sites like GECapital don’t accept this action. In fact, GECapital doesn’t allow any form of paste. Some sites force the user to copy/paste passwords by splitting the userid and password entry into two pages (i.e., enter userid, press enter, get new page, enter password, press enter to go to get into the site). Let me know if you want an example.
    While I don’t like the inconvenience (like other commenters, I use generated passwords for everything and they can be cumbersome to type in), I get why some firms are not allowing any pasting or are splitting the userid and password input. They don’t want to be hacked or have their users accounts hacked and the “you must type it” is the method their security people are telling them to use. However, in this day and age, typing such information may be even more risky than pasting it.
    What do experts like yourself propose as a solution that protects firms and customers alike without creating a maze for the user?
    Thanks for your very informative Newsletters!!
    Jon J.

    Reply
    • Well, to be clear, my bank does use the two-page approach, which I think is fine. It’s two lastpass entries for the data that needs to get pasted is all. Companies that disable pasting of any sort, as I point out, are just getting it wronger than wrong.

      Current best practice (IMO): passwords of at least 12 characters, completely random, using a password safe like LastPass. Add two factor authentication if you can do it.

      There’s talk that the use of passwords is broken in general, and it’s hard to disagree, but I currently see no viable alternative for the masses in the short term.

      Reply
  4. Thunderbird has a password quirk. You can download and read all of the IMAP e-mails you want, but every time you send an e-mail it asks for a password even though you’ve given them that password to set up the account. So you have to open a browser to access the password vault, search for the site, copy the password and paste it into Thunderbird. That’s your recommendation above. Inconvenient. Windows Live is the same way sending, and won’t even set up IMAP or POP incoming with the free Yahoo web mail.

    Reply
    • The next time you enter the password make sure to check the box that says to have TB remember the PW. It was probably checked when you read your mail the first time and saved for the download of mail but not saved for the sending of mail. To see what’s saved click the Menu icon (3 horizontal bars), Options, Passwords, Saved Passwords, Show Passwords.

      Reply
      • The risk with having your browser remember passwords is that, as you’ve shown, anyone can walk up to your machine and see your passwords. Browser password caches are often easy(ish) to crack into.

        Reply
  5. Two financial institutions that I use will NOT allow the password even to be typed in, let alone pasted in. I have been using and comparing RoboForm, LastPass and now Dashlane as password managers (all very good), but none of them can handle these two sites. In both cases, a keyboard is displayed on the login screen and you have to click the keys spelling the password one at a time to build up the password. One of them displays an alphanumeric keyboard (numbers and letters) which is always the same; the other displays a numeric-only keypad, but the order of the “keys” changes each time you log in – presumably to thwart keyloggers. (Reload the page to see the key order change.)

    In both cases, it is extremely annoying when trying to log in. I have been forced to memorize both passwords which of necessity are not as long or as secure as I would normally employ.

    The respective login screens are:
    https://www.ingdirect.com.au/client/index.aspx
    https://online.westpac.com.au/esis/Login/SrvPage?referrer=http%3A%2F%2Fwww.westpac.com.au%2FHomepageAlternative%2F

    Reply
  6. I’ve been using RoboForm for months. I open RoboForm, and I just click on the website. I’m taken there, and the password is filled in for me. Quick and easy.

    Reply
  7. I use KeePassX myself, and I never ran into any problems with copying-and-pasting into login fields. It’s also cross-platform, so I can use the software on every major platform, including my Android phone.

    Reply
  8. The person who asked the question in the article: I was wondering if he couldn’t paste the password using the mouse (right-click and selecting “Paste”). Because I’ve run into that as well. However, I have always been able to paste the password with CTRL + V. Perhaps that might be the trouble…

    Reply
    • I’ve actually seen a few sites that don’t let me paste anything into the password field. They have pasting blocked. I guess the only thing we can do in a case like that is contact their web developers and ask them to subscribe to the Ask Leo newsletter!

      Reply
  9. One of my banks will not allow pasting of the required secret code they send me each time I try to log in. Further, this super secret code is emailed to me *in the clear*. Sheesh!

    Another way companies make it difficult for password managers (I’ve used RoboForm for years) is the seemingly constant changes to their web pages. For example, where they used to have one security question, they now have two, requiring me to make additional entries in RoboForm.
    Or they add buttons to the page or rearrange the buttons, which sometimes causes RoboForm to “press” the wrong one, requiring me to re-teach RoboForm which button to press.

    By the way, a big THANK YOU to all veterans of our Armed Forces.

    Reply
  10. I have bought a Windows Phone 8, Microsoft Lumia. How do I enable paste in sites that restrict it? And which browser do I use? I use Firefox and Chrome on my desktop; they work just fine and allow me to paste in restricted sites also, but not on Windows Phone. If you can help, send me a reply. Thx.

    Reply
  11. I just found that Dishnetwork will not accept any pasting of passwords at all. I complained heatedly about it to the rep but I think it will take a direct letter to management to get their attention to Leo’s common sense ideas.

    Reply
  12. Hi, Leo!
    You KNOW I have the utmost respect for you and the work you do, but if you haven’t run into a site that PREVENTS copying and pasting of your password into the log-in screen…..you aren’t getting out enough!! LOL There are lots of them out there.

    New subject, new gripe. I’m Canadian, YOU’RE Canadian: so, how about one of our big five banks (who shall remain nameless, but their initials are CIBC) not allowing special characters or passwords longer than 12 characters? By those two “rules” alone, they multiply the chances of your account being hacked by a factor of MILLIONS!

    You’ve heard the old expression: you can’t fix stupid, well apparently you can’t fix cheap, greedy banks, either, because there’s no other reason for having such lackluster security measures at a major financial institution. They simply don’t wanna cough up the required funds to improve their system. Ridiculous.

    Reply
  13. Hi Leo,
    There are two websites that prevent pasting of a password. My contact to one site requesting they change this was ignored and the contact to the other site merely resulted in a response telling me how to enter a password. Here are the URLs:
    {URLs removed}

    Reply
