Ever tried to paste a password into a log-in field, only to be told to type it in manually?
I really hate it when websites do this.
Some websites still don’t accept pasted passwords, even though the reasoning behind such a policy is pretty weak. In fact, because it stops password management tools from working properly, a restriction on password pasting can actually make users less secure.
This annoyance bit me recently, which prompted me to write this article. I had to open a business account with a European bank. When asked to create a password I generated a random 45-character password, one with symbols, numbers, upper and lowercase characters etc. The usual to make brute-forcing it hard. Of course I come to log in on the website and the app and try to paste the password from my password manager. NO. Not allowed, the site and the app have disabled pasting!! Which means I have to type in my 45-character random password every time I log in!!!! OR find a way around it.
Here’s a closer look at the issue, and how you can get around it.
Why do companies have a stop password pasting (SPP) restriction?
Occasionally, you’ll still come across websites that stop you from pasting passwords into the log-in box. Usually when this restriction exists, it’s there by design: i.e. the HTML code used on the website specifically prevents a pasted fragment from being entered into the field.
So why do companies deliberately include this block? It’s not exactly clear. As the UK’s National Cyber Security Centre (NCSC) points out, there’s no rule, technical standard or best practice point that recommends it.
There are a number of possible justifications for it, although once these reasons are scrutinised, they don’t really stand up:
- It prevents brute-force attacks. The argument is that it stops malicious software from repeatedly pasting password guesses into the box to crack it. But this ignores the fact that the website should, in any event, have controls in place to identify and block a high number of log-in attempts relating to a single account.
- Avoiding sensitive data in the clipboard. The idea is that you shouldn’t have sensitive information such as passwords hanging around on your clipboard. This is because malware apps have the ability to scrape your clipboard. The trouble is, the majority of malware apps with clipboard-scraping capabilities are able to read your keystrokes, too. So being required to type in your password does nothing for malware protection.
- Pasting prevents you from remembering. In theory, the ability to paste your password provides less of an incentive to remember it. But in reality, the average person has 70-80 active passwords. Even if you wanted to, you are never going to memorize all of them.
Password manager tools and pasting
- As this year’s Verizon Data Breach Investigations Report revealed, the majority of hacking-related breaches involve the use of lost or stolen credentials.
- Poor password hygiene is behind a lot of these breaches. People still reuse passwords, often across both personal and work accounts, even though they know they shouldn’t.
- Best practice says you need a unique password for each account. Ideally, these passwords should be unique, long, and consist of a combination of letters, numbers and symbols.
- It’s a practical impossibility to memorise a string of such passwords. That’s why a password manager tool can be so useful.
- Your password manager can generate a secure, random password for each account. Later, when you need to log into a site, you type your master password into the password manager. The tool will then automatically paste the login information into the website.
- But if the website doesn’t allow pasting, it interrupts this process. For the user, it means having to manually input a long, randomly generated and unfamiliar password. It’s a needless hassle. In fact, for some users, it’s going to cause them to revert to using a weak, easily-remembered password.
We’ve seen a couple of fixes that allow you to bypass the ‘no password pasting’ restriction: one for Chrome and one for Firefox. Here they are…
For Chrome, get the Don’t F*ck with Paste extension. Created by developer Vivek Gite, the extension instructs your browser to bypass any paste restrictions on the page.
For Firefox, you can fix the problem by changing the browser’s behaviour in the settings.
Go to about:config in Firefox. Click the “I’ll be careful, I promise!” disclaimer to carry on.
Now, in the search box, search for dom.event.clipboardevents. A single entry should come up in the list of preferences.
Double-click on the setting. This should change the value from “true” to “false”. Now, you should be able to copy and paste without any website-specific restrictions stopping you.
There is a downside to doing this that I found. It stopped me being able to paste into Google Sheets and Docs. So I use Chrome and Firefox interchangeably as needed.
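The model below is an added example, not code from the extension or from this article. It shows why a paste block works, why both fixes defeat it, and why turning clipboard events off also stops paste in editors that handle it in script. It assumes Node's built-in EventTarget as a stand-in for the DOM (listener registration order replaces capture-phase ordering), that an extension of this kind intercepts the event before the site's handler, and that the editor surface has no native paste; all names are hypothetical.

```javascript
// Added example; all names are hypothetical. Node's EventTarget has no DOM tree,
// so listener registration order stands in for capture-phase ordering.

// A field whose paste listeners run in order. `native` = the browser inserts
// pasted text itself (a normal <input>); false models a script-driven editor.
function makeField(listeners, native = true) {
  const field = { target: new EventTarget(), value: '', native };
  for (const l of listeners) {
    field.target.addEventListener('paste', (e) => l(e, field));
  }
  return field;
}

// What the browser does on Ctrl+V: dispatch a cancelable paste event, then run
// the default action (insert the text) unless a listener cancelled it.
// eventsEnabled = false models dom.event.clipboardevents set to false.
function paste(field, text, eventsEnabled = true) {
  if (eventsEnabled) {
    const ev = Object.assign(new Event('paste', { cancelable: true }), { text });
    if (!field.target.dispatchEvent(ev)) return field.value; // cancelled
  }
  if (field.native) field.value += text;
  return field.value;
}

// The restriction: the site cancels every paste on its password field.
const blockPaste = (e) => e.preventDefault();
// Extension-style fix: runs first and hides the event from later listeners.
const shield = (e) => e.stopImmediatePropagation();
// An editor that implements paste in script: it needs the event to get the text.
const editorPaste = (e, field) => { e.preventDefault(); field.value += e.text; };

const PW = 'constructed-sample-password'; // constructed sample value
function scenarios() {
  return {
    blocked: paste(makeField([blockPaste]), PW),
    shielded: paste(makeField([shield, blockPaste]), PW),
    eventsOff: paste(makeField([blockPaste]), PW, false),
    editorEventsOn: paste(makeField([editorPaste], false), 'cell text'),
    editorEventsOff: paste(makeField([editorPaste], false), 'cell text', false),
  };
}

console.log(scenarios());
```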