The “Cobra Effect” that is disabling paste on password fields

911 points, by TheAuditor, almost 9 years ago

55 comments

eloisius, almost 9 years ago
TradeKing went full idiot and disabled entering your password by keyboard completely. They implemented an on-screen keyboard and there's no way to opt out.

Their support forum is full of angry customers, people who can't use their screen readers anymore, etc. They argue [1] it's to protect their customers from key loggers.

[1]: https://community.tradeking.com/forum/categories/suggestions/topics/664-new-tradeking-login-password-on-screen-keyboard-why/forum_posts
morgante, almost 9 years ago
The worst is websites which not only disable pasting but don't even let you type your password in. Instead you have to use their janky on-screen keyboard to fumble your way through login.

I got so fed up with TradeKing (which has horrible security practices in general) that I closed my account.
MRSallee, almost 9 years ago
I doubt that the motivation for preventing paste in a "confirm password" context is to prevent workarounds to character limits.

Why does the "confirm password" field exist anyway? It exists to remove the risk of input error. They want to avoid you locking into a mistyped password and not being able to recover. To this end, it makes some sense to prevent copy/paste, as a user may simply copy their mistyped password and paste it into the confirmation field. Especially risky if the input fields are obfuscated with placeholder characters (****).

Not to argue that it's the right answer, it certainly makes more sense than a heavy-handed enforcement of character limits.
tyfon, almost 9 years ago
Here in Norway, almost all financial and government institutions allow a form of authentication called BankID (https://www.bankid.no/en/company/). I use the mobile variant and it works for all government related stuff like taxes, health, relocation notices and also with all banks both when logging in and paying bills, signing contracts etc. It is a legally binding identification akin to signing a paper.

The procedure for the mobile version is to input your phone number and birthday on the login and you get a popup on the phone (via the GSM network and SIM toolkit, not IP) to input your password along with a short phrase like "pink bridge" so you can verify that it was the web page that sent it. This also works with a lot of credit cards for paying online via 3dsecure.

It's become so common that a large majority of our customers (I work in a bank) are using this as the sole mechanism of identification.

(And yes, for the non-mobile version of BankID you can paste the password!)
level3, almost 9 years ago
I always assumed it was for the same reason sites make you enter your email address twice without pasting: to reduce the chance of mistyping. If you only have to enter something once, then you could easily mistype it and then you end up with an account you can't log in to or even recover. But if you have to type it twice, then the chance is greatly reduced, since you'd have to make the exact same typo twice in a row.

Edit: This is regarding account creation/changes like the PayPal example. I have no idea why login forms would disallow pasting.
markcerqueira, almost 9 years ago
Fortunately, it's not hard to get around this on desktop (for Mac at least) with an applet like Paste Typer. But when I see this on iOS it infuriates me. I use 1Password to generate strong (long) passwords and having to type them out manually is a huge PIA.
nothrowaway, almost 9 years ago
If it helps anyone, this Chrome extension has worked every time I've tried it:

https://github.com/jswanner/DontFuckWithPaste

(I usually keep it disabled, but enable it when I'm about to use a site that has paste disabled on any fields.)
foz, almost 9 years ago
I believe that copy and paste is needed in login forms, as a UX expectation. Typing a secure random password is really painfully hard, especially on mobile.

Sometimes password managers don't recognize the target form fields correctly, so copy/paste is the next step. The act is even encouraged through the use of convenient helper buttons in the password managers.

However. In macOS Sierra, Apple will introduce the Universal Clipboard feature. This means when someone copies a password on desktop, it would be available on their phone. Which is just one step away from being pasted, by mistake, into an IM chat or worse.

I'm uncomfortable with the idea that when I copy something it's being sent around to different devices, and available to everything running.

I've actually made the terrible mistake of doing that: pasting a password into a group chat by accident, because I didn't copy text correctly, and my last paste buffer was still around. Or messing up when using pbcopy/pbpaste in a shell script.

1Password for instance can actually reset the copy/paste buffer after some time, but the settings need to be enabled. I wonder if Apple has any kind of security around this planned. Maybe applications and scripts should not be able to access the paste buffer until the user explicitly allows it (via the act of using it)?
ejcx, almost 9 years ago
I always assumed this anti-pasting was a requirement of some braindead auditor who insisted that this was a necessary security mechanism.

If they aren't, there's a lot of "debt" in the passwords space, like Troy mentions. This is just something that will get better as websites get better. Webapps are much more complicated today than 5 years ago, on average, and as complexity increases things like user auth will get better and more homogeneous. This is especially true if Google and Apple have their way with the Credential Management RFC and get people to have a reason to save their passwords with Chrome.

"Passwords" are getting better but we need another 5 years to get us there.
jegoodwin3, almost 9 years ago
Perhaps the companies involved have been told by their lawyers that choosing a password is a legal action, like an electronic signature, that must be performed by a human, letter by letter, to have certain legal ramifications.

It is only stupidity if you assume the only purpose of a password (or a physical key) is security, and not also authorized entry. It may still be a poor engineering solution to the requirement (because engineers were told the solution, rather than asked to meet the requirement). But it is wrong to assume there is no reason for the requirement.

You can't paste your legally binding electronic signature either, I'll warrant. I've had to type out my name plenty of times, in digital contracts, even though my browser is quite capable of auto-filling.
dwg, almost 9 years ago
Until better minds prevail... disable JavaScript, paste password, enable JavaScript, log in. A pain, but usually effective.
ars, almost 9 years ago
Luckily, middle-click paste on Unix seems to bypass everything.

It doesn't trigger copy events (so the website can't mess with the text), nor paste events. Just the way it should be.
mattmaroon, almost 9 years ago
I always assumed that the reason paste is disabled on change password forms is to prevent you from changing it to something you don't know. The whole point of making you type it twice is so that you get it right. If you type the password once and paste it twice, that is moot.

Not that I necessarily agree with that notion (just make it easy for me to change it again) but that's the idea. I thought.
happyslobro, almost 9 years ago
I have a crazy idea: what if we held people responsible for their own mistakes, instead of turning the world into a padded room? You messed up your password? Reset it. You have a virus / XSS that is slurping the clipboard? It's probably logging keystrokes too, and that's not the devs' problem (well, XSS is, but blocking paste isn't the solution).
0xCMP, almost 9 years ago
On OS X, using Hammerspoon to type from the clipboard into whatever for you has been a life-saver for me.

Especially ever since Apple disabled pasting for decrypting external drives.
matt_morgan, almost 9 years ago
Is there a way to disable just pieces of JS, so I can turn off "onpaste"?

Note: sorry, accidentally deleted earlier version of this comment.
lstamour, almost 9 years ago
Great article. The only point missed is that password length limits AND re-type fields AND disabling copy and paste are all measures that, when implemented correctly, are supposed to help you remember your password and prevent easy access to reset mechanisms by forcing you to type it twice and not accidentally copy and paste it twice.

Of course, in an era where weak password re-use and leaked hashes are one of the biggest problems facing normal internet users, we really should re-evaluate all the above assumptions.

Or if it's too hard, let email providers handle the login security requirements... Since most places allow email-based password resets anyway.
jrockway, almost 9 years ago
I encountered this once. "xdotool type password". If they're checking for a delay, xdotool can introduce that for you (defaults to 12ms though).

That said, we should never have let websites have this kind of control over the user agent. For the one time disabling right click was helpful (context menus in Google Docs), 99% of the time it's something dumb ("don't steal our images!").

Finally, I loved the comment about losing their security certificate. I'm sure the average CA will give you a cert for google.com if you ask nicely enough.
thaumasiotes, almost 9 years ago
There is a piece of terrible, unwarranted analysis in this article:

> But there's one angle to this that helps explain the madness and it goes back to that earlier PayPal screen grab. This was of the change password page, not the login page. You can easily paste into the login page and in fact you can even paste into the original password field on the change password page, just not the new password field or the other field that confirms it.

> The reason lies in the earlier message I showed from PayPal, in particular this part of the password criteria:

> Use[] 8-20 characters

> Ah, so because you've gone and put an arbitrary limit on the length of my password and taken away my ability to create a nice 50 character random string, you've had to kill the paste function because otherwise I'd go around thinking I've got a 50 char password but it was actually truncated to 20 due to the maxlength attribute of the password field. Nice one guys, good work there

Having spoken to no one about this, I'm still confident that Troy Hunt is full of crap. The reason to disallow copy-and-pasting into the new password field(s) is obviously the same as the reason you have a confirmation field in the first place: you want to make sure the user hasn't entered the password wrong, inadvertently locking themselves out of their own account. Allowing them to enter their password once and then paste it, typos and all, into the "confirm password" field completely defeats the purpose of having the confirm password field at all.
Khaine, almost 9 years ago
Any web developer who does this should be shot. Same with silently dropping characters from passwords when signing up and poor validation of email addresses.
CarolineW, almost 9 years ago
Although relevant, this dates from 2014. It's been submitted a few times, although the only time it got any discussion was here:

https://news.ycombinator.com/item?id=7832938

There were 33 comments on that submission, so that discussion might be relevant. I wonder if this discussion repeats any of the points made there...
greedo, almost 9 years ago
Backblaze is another company that does this, which is infuriating when you're entering your long private key into their client. CTRL-V doesn't work, but surprisingly, right-clicking and selecting paste does. I didn't realize this until the second time I had to enter the key.
dandelany, almost 9 years ago
Not that I think it's a good reason, but I think the rationale behind disabling paste is to prevent users from implementing their own "password managers" via a .txt file full of passwords on their Desktop (more common than you'd think).
anexprogrammer, almost 9 years ago
This is from 2014. I'd forgotten the Cobra Effect but remembered the BG tweet. :)
saynsedit, almost 9 years ago
For a mathematically rigorous password strength meter library, check out zxcvbn: http://github.com/dropbox/zxcvbn
ozim, almost 9 years ago
I am starting to be an even bigger fan of 2FA. I once had a bank account that prevented me from pasting the password; first I made a Greasemonkey script to remove this blocking, then I removed my bank account from that bank.
MichaelGG, almost 9 years ago
Why do browsers allow them to do this? Surely there should be some way to determine it's just a textbox and prevent the site from screwing up the user's actions? Same for autocomplete.
Twisell, almost 9 years ago
Every time I see an apparently stupid security restriction I feel obligated to check if "Password1" is a valid entry...

You won't ever believe how often this works, while gibberish keychain-generated passwords get rejected because they contain a "-" character...

Wake up, IT departments, it can't always be the users' fault. People born with Windows 95 are starting to work; they won't take your shady security reasons for granted as did people born in the '60s! They will just think that you are incompetent...
oakwhiz, almost 9 years ago
Disabling pasting on forms is like... security through cargo cultism. If we make things seem secure, maybe the bad guys will just leave us alone!
rizwan, almost 9 years ago
I get the meaning of the "Cobra Effect", but I'm not understanding it here w.r.t. disabling paste on password fields.
r0m4n0, almost 9 years ago
I find it slightly annoying there were repeated hypotheticals that blamed the developer for designing these password pages. It's highly unlikely it was a rogue developer... Most of these companies probably use contract work and likely provide these stupid password requirements and use cases arbitrarily and they weren't properly challenged...
ProfChronos, almost 9 years ago
I recently read that Slack has combined salting and hashing with 2FA after their data breach in March 2015. But if I remember well, whenever you want to connect, you can get a "magic link" with an automatically generated password right in your mailbox and then copy-paste it in the app. Has someone tested if it's bullet proof?
darkhorn, almost 9 years ago
In Turkey there must be a law which says that mobile carriers must cooperate with banks, because when I enter my ID and my first password on the web page of the bank it says "oups! it appears that you have changed your SIM card, please re-validate yourself before we SMS you a 2fa password".

And in Bulgaria I saw use of client-side certificates.
TazeTSchnitzel, almost 9 years ago
Disabling paste on changing password strikes me as a good idea. If you're not pasting from a password manager, it's easy to accidentally select additional whitespace or miss the first or last character. If you then paste it, you end up with a different password than you thought.

But for login, I see no reason to prevent it.
MichaelBurge, almost 9 years ago
I could see it having at least some benefit if you not only disabled paste, but tracked the individual letters as they were typed in. It'd give you a little statistical information, like how Google watches how you click a checkbox for a captcha.

But it seems like an actual captcha would be better, then.
mjevans, almost 9 years ago
The final inanity: what stops a compromised user device from simply submitting its own copy of the form that it populated, or even transparently proxying the client and MitM-ing on the compromised machine itself so that it can change the submitted values?
Mrgir, almost 9 years ago
Hopefully we'll all start using login methods like SQRL and alike and all this nonsense will be a thing of the past.

Link for the interested: https://www.grc.com/sqrl/sqrl.htm
Spydar007, almost 9 years ago
Windows doesn't let you paste when changing your password either. It's annoying.
a_c, almost 9 years ago
One of the local banks in my city not only disables pasting, it disables typing altogether! It pops up a virtual keyboard and lets clients click on those virtual buttons. Since noticing that, not one single service from that bank has been used anymore.
laurencei, almost 9 years ago
I've recently seen this on credit card pages as well.

I store my credit card data in 1Password, so I don't have to pull out my card each/every time I want to buy something online.

Not being able to paste my credit card number into the field is a PITA.
pistle, almost 9 years ago
Can someone school me in why we don&#x27;t just throttle login attempts (each fail extends time to next attempt exponentially) and put an attempt cap that requires password reset?
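The throttle pistle describes, written out as an added example that is not code from the thread or from any product it mentions: a per-account back-off that doubles after each failure, plus a hard attempt cap after which only a password reset unlocks the account. The delay constants, the in-memory Map, and the `verify` callback are assumptions made for the example.

```javascript
// Added example (not from the thread): exponential login throttle with a hard
// attempt cap. State lives in an in-memory Map here; a real deployment would
// keep it in shared storage such as Redis (an assumption, not from the thread).
const BASE_DELAY_MS = 1000;            // wait after the first failure (assumed)
const MAX_DELAY_MS = 15 * 60 * 1000;   // cap on the per-attempt wait (assumed)
const MAX_ATTEMPTS = 10;               // failures before a reset is required (assumed)

class LoginThrottle {
  // `now` is injectable so the behaviour can be tested without sleeping.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // account -> { failures, notBefore, locked }
  }

  // May this account attempt a login right now?
  check(account) {
    const s = this.state.get(account);
    if (!s) return { allowed: true, retryAfterMs: 0, locked: false };
    if (s.locked) return { allowed: false, retryAfterMs: null, locked: true };
    const wait = s.notBefore - this.now();
    if (wait > 0) return { allowed: false, retryAfterMs: wait, locked: false };
    return { allowed: true, retryAfterMs: 0, locked: false };
  }

  // Each failure doubles the wait (1s, 2s, 4s, ...) up to MAX_DELAY_MS; the
  // MAX_ATTEMPTS-th failure locks the account until a password reset.
  recordFailure(account) {
    const s = this.state.get(account) || { failures: 0, notBefore: 0, locked: false };
    s.failures += 1;
    if (s.failures >= MAX_ATTEMPTS) {
      s.locked = true;
    } else {
      const delay = Math.min(BASE_DELAY_MS * 2 ** (s.failures - 1), MAX_DELAY_MS);
      s.notBefore = this.now() + delay;
    }
    this.state.set(account, s);
    return s;
  }

  recordSuccess(account) { this.state.delete(account); }

  // Called only after an out-of-band password reset has been verified.
  reset(account) { this.state.delete(account); }
}

// Attempts inside the wait window are refused before the password is checked,
// so they neither spend CPU on hashing nor count as further failures.
// Caveat: a per-account lock lets anyone who knows a username lock its owner
// out, so pair it with per-source-IP limits and a self-service reset path.
function attemptLogin(throttle, account, password, verify) {
  const gate = throttle.check(account);
  if (!gate.allowed) {
    return { ok: false, reason: gate.locked ? 'locked' : 'throttled', retryAfterMs: gate.retryAfterMs };
  }
  if (verify(account, password)) {
    throttle.recordSuccess(account);
    return { ok: true, reason: 'ok', retryAfterMs: 0 };
  }
  const s = throttle.recordFailure(account);
  if (s.locked) return { ok: false, reason: 'locked', retryAfterMs: null };
  return { ok: false, reason: 'bad_credentials', retryAfterMs: s.notBefore - throttle.now() };
}
```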
vetrom, almost 9 years ago
So what banks out there actually have password systems that let you use secure passwords, or maybe even real 2FA, that aren't German banks with their TIN systems?
Patrick_Devine, almost 9 years ago
I just ran into this using Google Drive for Mac yesterday. I assumed it was a bug and sent them feedback to fix it. I had no idea this was a thing.
chrisweekly, almost 9 years ago
Obligatory XKCD: https://xkcd.com/936/
jonathankoren, almost 9 years ago
Thank god I use "babababa" for all my passwords. No copy paste for me! I also defeat microphones with tape!
Sami_Lehtinen, almost 9 years ago
In Finland there are several banks which restrict passwords to 6-8 digits. Is that worse than disabling paste?
nikolay, almost 9 years ago
Well, I go around these using the Dev Tools - even taught my kids how to go around such idiotisms!
takeda, almost 9 years ago
Are there add-ons (particularly for Firefox) that disable these checks? This is quite annoying.
ivanche, almost 9 years ago
I have a feeling that while Ctrl+V is prohibited, maybe Shift+Insert isn't...
foyk, almost 9 years ago
And at this point, who isn't using a mobile device to enter passwords where potential shoulder surfers (human and camera) lurk? Without copy and paste, you have to what? Go into a bunker to type in passwords safely?
Fej, almost 9 years ago
...whatever. Use NoScript. Problem solved.
simbalion, almost 9 years ago
It always amazes me that someone is hired to implement strong security and they come up with things like paste-blocking. Or "security questions." Security questions are a social engineer's best friend. Unless you're savvy and your answers are all strong passwords themselves, and if they are you're probably using KeePass or something like it with 400+ bit passwords and you hate wasting time on security questions too.
khattam, almost 9 years ago
> Sometimes you want to use the same credentials on multiple domains of the same service and auto-fill only works against the domain the pattern was recorded on.

That's why you should use LastPass.
fit2rule, almost 9 years ago
One reason to dissuade users from using the clipboard to paste passwords is this: the password stays in the clipboard.

Not all users realize this, and so... don't 'clear' the clipboard after logging in... which means their password is still available to anyone else who might use that computer.
draw_down, almost 9 years ago
Disagree that it's a conscious decision on the developers' part. Developers get told to do this, so they do.