Don't Stop Me From Pasting Passwords
Heya,
Whether you are copying a password from a password manager or copying a presentation to tweak, the copy/paste concept is so foundational to modern user interfaces that it’s shockingly frustrating when it doesn’t work.
I recently was logging into Zwift, a consumer application I use to ride my bike indoors. I was first surprised, then frustrated when I tried to copy my password from my password manager into the application.
I ended up having to copy my password into a terminal window, then type it in manually. I had to do it 3-4 times because I mistyped it, and even did a password reset.
Now, I use a password manager so I can have long, unique, complex passwords tied to each application I use that I don’t need to remember. These application specific passwords are all protected by the password manager and one memorized complex password (which is also backed up physically and stored securely, “just in case”).
With a password manager, if one application's password database is compromised, none of my other accounts are affected, because no password is shared between them.
The lack of copy/paste support was frustrating enough that I posted about it on bluesky, meme included.
Here are the reasons why blocking paste in a password field is a bad idea:
a user can’t easily use a password manager, which means your users who do use one get a degraded experience
this encourages weaker passwords; if I have to type it in, I’m going to use a shorter password and might re-use one
it frustrates your users at exactly the wrong moment: when they are trying to get into your application
security is not actually improved; if an attacker has already compromised a user's clipboard, it's game over anyway (bonus: you can configure most password managers to clear the clipboard)
Why might you want to block pasting anyway? I can only think of two reasons:
your compliance auditor or the specifications they reference haven’t caught up with the times (probably why someone guessed it was a bank)
you don’t trust password managers and want to discourage their use
If you are in the first bucket, I’m sorry. Please mention it to your auditor as a frustrating user experience. If you can, track paste attempts to have some data on how your users are being frustrated.
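As an added example (not code from the original post or from Zwift), here is what a web password field that follows the advice above looks like: paste is never cancelled, the field carries the autocomplete hint password managers rely on, and paste attempts are counted so you have the data mentioned above. sendTelemetry and the fake input object are assumed placeholders.

```javascript
// Added example, not code from the original post or from Zwift: a password
// field that never blocks paste, carries the autocomplete hint password managers
// rely on, and counts paste attempts. sendTelemetry is a hypothetical placeholder.

// The anti-pattern the post argues against: cancelling the paste event so
// the user must type the password by hand. Shown only for contrast.
function blockPasteHandler(event) {
  event.preventDefault();
}

// Recommended handler: record that a paste happened and let it through.
// Nothing about the clipboard contents is read or logged.
function makePasteCounter(sendTelemetry) {
  let pasteCount = 0;
  return {
    handler() {
      pasteCount += 1;
      sendTelemetry({ field: 'password', event: 'paste', count: pasteCount });
      // no preventDefault(): the browser inserts the clipboard text as usual
    },
    count: () => pasteCount,
  };
}

// Wire a password input so managers and autofill work (NIST SP 800-63B:
// verifiers SHALL allow password managers and autofill functionality).
function configurePasswordInput(input, sendTelemetry) {
  input.setAttribute('type', 'password');
  input.setAttribute('autocomplete', 'current-password');
  const counter = makePasteCounter(sendTelemetry);
  input.addEventListener('paste', counter.handler);
  return counter;
}

// Minimal stand-in for a DOM <input>, constructed so this runs outside a
// browser; in a real page use document.querySelector('#password') instead.
function fakeInput() {
  const attrs = {};
  const listeners = {};
  return {
    setAttribute: (name, value) => { attrs[name] = value; },
    getAttribute: (name) => attrs[name],
    addEventListener: (type, fn) => { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type) {
      const event = { type, defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
      (listeners[type] || []).forEach((fn) => fn(event));
      return event;
    },
  };
}
```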
If you are in the second bucket, here’s data that might change your mind. This is well-established research and newer studies still rely on decades-old findings:
From a 2014 paper, cited by a 2019 paper: “Users have too many passwords, and users have difficulty matching their passwords to accounts. These problems lead users to insecure coping mechanisms such as picking passwords that are memorable but easy for attackers to guess, reusing passwords across multiple accounts, and writing passwords down.”
From a 2012 paper, cited by a 2022 paper: “… passwords are often easy for attackers to compromise.”
From a 2024 report: “Users with password managers were less likely to experience identity theft or credential theft in the past year compared to those without (17 percent vs. 32 percent).”
Of course, password managers occasionally have issues, but you don't stop sending email because some people phish. Instead, you do your due diligence before replying. Users should do the same when choosing a password manager.
Finally, disallowing paste is discouraged by the NIST guidelines:
Verifiers SHALL allow the use of password managers and autofill functionality. Verifiers SHOULD permit claimants to use the “paste” function when entering a password to facilitate password manager use when password autofill APIs are unavailable. Password managers have been shown to increase the likelihood that subscribers will choose stronger passwords, particularly if the password managers include password generators.
If you don’t speak NIST-ese:
verifiers are entities authenticating users
SHALL means allowing password managers is required for spec compliance
SHOULD indicates a strong recommendation
Please, stop blocking copy/paste of passwords.
Cheers,
Dan
