It’s 2023, why are websites actively preventing pasting into fields like passwords and credit card number boxes? I use a password manager for security, it’s recommended by my employer to use one, and it even avoids human error like accidentally fat-fingering keys, and best of all with the credit card number I don’t have to memorize anything or know a single digit/character!

I have to use the Don’t Fuck With Paste addon just to be able to paste my secrets into certain monthly billing websites; why is my electric provider and one of my banks so asinine that pasting cannot be allowed? I can only imagine downsides and zero upsides to this toxic dark-pattern behavior.

There is even a mention about this in NIST SP 800-63B, a standard for identity management that some companies must follow in the USA, which mentions forcefully rotating passwords and denying “password paste-in” as antiquated/bad advice:

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets

Edit: I discovered that for Firefox users there’s a simpler way than exposing your secrets to someone’s third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.

Edit 2: As some have pointed out, that config value interferes with regular functionality on some sites. Probably best to leave it alone unless you know what you’re doing.

  • eth0p@iusearchlinux.fyiEnglish
    7·
    1 year ago

    A couple years back, I had some fun proof-of-concepting the terrible UX of preventing password managers or pasting passwords.

    It can get so much worse than just an alert() when right-clicking.

    The codepen.

    A small note: It doesn’t work with mobile virtual keyboards, since they don’t send keystrokes. Maybe that’s a bug, or maybe it’s a security feature ;)

    But yeah, best tried with a laptop or desktop computer.

    How it detects password managers:

    • Unexpected CSS or DOM changes to the input element, such as an icon overlay for LastPass.

    • Paste event listening.

    • Right clicking.

    • Detecting if more than one character is inserted or deleted at a time.

    In hindsight, it could be even worse by using Object.defineProperty to check if the value property is manipulated or if setAttribute is called with the value attribute.