A case of misguided security.

I encounter this from time to time, and it’s frustrating.
It’s a design decision made by that website in the name of improving security. The problem? It makes security worse.
If I were a more grumpy person, I’d say someone should be fired over it, because they really don’t understand security and shouldn’t be in charge of it.

Password-pasting problems
You copy your password from your password manager, try to paste it, and… nothing. It’s incredibly frustrating and completely backwards from a security standpoint. Before you give up, try a few alternative paste tricks. If it keeps happening, a browser extension might be able to fix it.
Can’t paste
To fill in your credentials, password managers like 1Password or others rely on the ability to paste into password fields. In addition, they sometimes can’t determine that there is a password field, and you have to do the copy/paste yourself. And of course, if you keep your passwords elsewhere, such as a spreadsheet you maintain yourself, the ability to copy/paste is essential.
And on some websites, for some reason, nothing works. You can copy all you want, but you can’t paste into the password field. The web developer has blocked the paste function from working in that field.
The one I find doubly frustrating is the form that requires you to enter the password twice, and paste works in only one of the two password fields. Why?
Misguided security
So why on earth would a website do this? The claims vary.
They say it prevents brute-force attacks. Not only are there better ways to prevent brute-force attacks (rate limiting), but the reality is that brute-force attempts probably bypass the sign-in form entirely.
They say hackers paste, not real users. False. Real people paste, as our questioner — and dozens of password management tools — prove.
They say the clipboard is a security risk. Technically true. But if malware on your computer is monitoring your clipboard, you’ve got bigger issues. For example, that same malware could be logging the keystrokes you’ve been forced to use to enter your password.
They say it prevents typos on confirmation fields. Again, technically true: it prevents you from pasting the same typo twice. But this is a minor issue, because the source you copied from is likely correct to begin with, since you saved it when you created the password. There is no typo, except now possibly in the second field where you’re forced to type.
It’s a stupid way to enforce password length limits. If a field takes only 20 characters for a password and you paste in a 50-character password, your password may be silently truncated. Typing forces you to realize there’s a limit. The problem, of course, is that 99 times out of 100, you’re pasting in the working password that you saved when you created it, not some random over-length string.
Security theatre. It’s a way to make a site seem more secure when it’s not. This is sometimes (often?) promoted by inexperienced developers or those responding to middle/upper management who don’t know any better.
How this makes security worse
Say you regularly visit a site that doesn’t allow you to paste a password. How do you deal with it? Aside from grumping that someone should be fired as you type in your password, that is.
Easy: you choose a password that’s easy to type.
Rather than a nice, long, random password (like “VnPYJbALeuEJ4xJ2xuWh”), you choose a short(er), more memorable one. In other words, you choose a less secure password.
Preventing you from pasting into the password field has just made it more likely that your password will be cracked and your account compromised.[1]
Ugh.
Now let’s look at how we can work with this dilemma.
All the flavors of paste
Before you give up, it’s worth trying the many ways you can paste into a password field.
Right-clicking to paste is likely the most common thing to try, and perhaps among the first techniques to be disabled.

The other approach is to click in the field and type a paste keystroke. There are several.
- CTRL+V
- CTRL+SHIFT+V (technically CTRL+V without formatting, but sometimes form designers overlook it)
- SHIFT+Insert
- Windows key + V (technically opens the Clipboard history, but can sometimes bypass paste restrictions)
Which of those might work depends on the technique used by the web developer to block pasting. Sadly, the most common techniques block all of them, but it’s worth a shot.[2]
If none of those work, it’s time to either give up or look for help.
Browser extensions
I haven’t used either of these extensions, but they do appear popular.
- Don’t F*** With Paste – Yes, that’s its real name. It tells the browser to accept all paste events. It’s in the Chrome Web Store, and I’m told there’s a version available for Firefox. It allows per-site configuration so as not to interfere with other sites.
- Enable Copy Paste E.C.P. – Includes an “aggressive mode” when the standard approach it uses doesn’t work.
These extensions should enable paste for the majority of websites, though not all.
I haven’t installed either because I don’t encounter the problem often enough to add yet another extension. Your situation may be different, of course.
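How a site typically disables paste on one field, and how a capture-phase listener undoes it, as an added example (not from the original article and not the code of either extension). `FakeNode` and `dispatch` are a constructed stand-in for the browser's event dispatch so the logic runs outside a page, and the extension-style mechanism in `allowPaste` is an assumption.

```javascript
// Constructed stand-in for DOM dispatch: capture phase, target, then bubble.
class FakeNode {
  constructor(parent = null) { this.parent = parent; this.listeners = []; }
  addEventListener(type, handler, useCapture = false) {
    this.listeners.push({ type, handler, useCapture });
  }
}

// Returns true when the default action (the paste) would still happen.
function dispatch(target, type) {
  const event = {
    type, defaultPrevented: false, stopped: false,
    preventDefault() { this.defaultPrevented = true; },
    stopImmediatePropagation() { this.stopped = true; },
  };
  const ancestors = [];                               // document ... parent
  for (let n = target.parent; n; n = n.parent) ancestors.unshift(n);
  const run = (node, wanted) => {
    for (const l of node.listeners) {
      if (event.stopped) return;
      if (l.type === type && (wanted === null || l.useCapture === wanted)) l.handler(event);
    }
  };
  ancestors.forEach((n) => run(n, true));             // capture: document -> parent
  run(target, null);                                  // at target: every listener
  ancestors.reverse().forEach((n) => run(n, false));  // bubble: parent -> document
  return !event.defaultPrevented;
}

// The site's anti-pattern: cancel the paste on one field.
function siteBlocksPaste(field) {
  field.addEventListener('paste', (e) => e.preventDefault());
}

// Assumed extension-style fix: stop the event in the capture phase, at the
// document, so the field's handler never runs and the default paste proceeds.
function allowPaste(doc) {
  doc.addEventListener('paste', (e) => e.stopImmediatePropagation(), true);
}

function demo() {
  const doc = new FakeNode();
  const form = new FakeNode(doc);
  const password = new FakeNode(form);
  const confirmField = new FakeNode(form);
  siteBlocksPaste(confirmField);                      // only the second field is blocked
  const before = [dispatch(password, 'paste'), dispatch(confirmField, 'paste')];
  allowPaste(doc);
  const after = [dispatch(password, 'paste'), dispatch(confirmField, 'paste')];
  return { before, after };
}
```

A site that rejects pasted input some other way is untouched by a listener like this, which fits with the extensions working on most sites but not all.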
You should be able to paste
A properly designed website allows you to paste your password.
NIST (the U.S. National Institute of Standards and Technology), in its identity guidelines, explicitly states that sites should allow users to paste passwords.
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.
Password managers allow you to make better choices.
The paste function allows password managers to work.
Seems like simple math to me.
Do this
If you’re faced with this rarely — which I certainly hope is the case — after trying the alternative approaches and keystrokes to paste, I’d just suck it up and type the password.
On the other hand, if this is something you run into frequently, a) I’m sorry, and b) consider one of the browser extensions. I’m on the fence about complaining to the site owner, but if you do, perhaps include the NIST quote above and the Troy Hunt article listed in the references below.
Footnotes & References
1: I’m not saying it WILL be compromised; just that a shorter, memorable password makes it more likely.
2: Especially since we’ve already determined that the web developer isn’t necessarily the sharpest.
References
The “Cobra Effect” that is disabling paste on password fields – Troy Hunt


I’ve run into a slight variation of this on one website. I use a password manager and this particular website periodically requires that passwords get changed. When I use the password manager to generate a new password, the website won’t allow the new password to be pasted into the password field. I have to write down the new password that has been generated and then type it into the password fields twice to change it.
The kicker is that when I go to the website and log in, the user name and password fields can be filled using the password manager. Out of over a hundred log in cards in the password manager, this is the only site that behaves this way so I just shake my head and move on.
Just finished reading “The Cobra Effect”. Mr. Hunt mentioned this issue, as well as others. I recommend that others click on the link. Always did find Aussie humor entertaining, especially when making valid arguments.