Let Me Paste My Password

May 2018 · 3 minute read

An unfortunately common tactic taken by websites, in a misguided attempt at security, is to block pasting into the password field. NIST explicitly recommends against this in SP 800-63B (Digital Identity Guidelines):

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

I ran into this personally a few days ago. An organization I belong to forced a password change. Upon generating my random password, I was unable to paste it into the field. I decided to reach out to the organization, pointing out that this actually encourages worse passwords, not better ones.

Their initial response:

Thanks for reaching out. [Our] decision on updating the password requirements comes from an increase in security requirements. The extended minimum length, mandatory special, upper, lower and number characters, and one-year life span increase the complexity and lower the chance of any breach attempt. We do not allow copying and pasting for security reasons. Viruses, malware, and other intrusive programs can copy all data saved to the clipboard for later use. Furthermore, users may accidentally paste their password into their username field and save it as autofill, thus viewable to other programs.

This is always the response. “Security reasons.” Of course, neither of the examples they gave me makes any sense. Malware that can read the clipboard is already running on the machine and can just as easily log keystrokes, so blocking paste protects nothing; it only makes a password manager harder to use.

I raised these objections. The response back:

Thanks for getting back to us. We do not allow copying and pasting passwords upon creation, so as to mitigate possible typos and for security. Yes, as key loggers would most likely be in use on a compromised computer, we still want to mitigate any other possible problems. After creation, users who use complex passwords are more than welcome to copy and paste their password on the login page, though.

So in order to prevent typos, they require you to type. Um? You know how to guarantee you aren’t making a typo? Copy and Paste!!!

I gave up on the communication at this point. I ended up manually typing my extremely long and complex password into the form. But how many users will do this versus just give up and type out P@ssw0rd1 instead? After all, it meets all of the requirements, and it sure is easy.
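To make the point concrete, here is an added example (my own code, not from the original post and not from the organization) that puts the two policies side by side in Python. The first validator is the composition rule quoted above: minimum length plus mandatory upper, lower, digit and special characters. The second follows the SP 800-63B approach: a length minimum and maximum, a check against a list of known-bad passwords, and no composition rules. The blocklist is a small constructed stand-in for a real breached-password corpus, and the generator stands in for what a password manager produces and the user would paste.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a breached/common-password corpus. A real deployment
# would check against a list derived from public breach dumps.
COMMON_PASSWORDS = {
    "password", "p@ssw0rd", "p@ssw0rd1", "welcome1", "qwerty123!", "summer2018!",
}

# The full printable alphabet a password manager typically draws from (94 symbols).
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_composition_policy(pw: str, min_length: int = 8) -> bool:
    """The organization's rule: minimum length plus one of each character class."""
    return (
        len(pw) >= min_length
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def meets_nist_policy(pw: str, min_length: int = 8, max_length: int = 64) -> bool:
    """Simplified SP 800-63B style: length bounds and a blocklist, nothing else.

    Composition rules are deliberately absent; case is folded before the lookup
    so trivial capitalisation does not dodge the blocklist.
    """
    if not (min_length <= len(pw) <= max_length):
        return False
    return pw.lower() not in COMMON_PASSWORDS


def generate_password(length: int = 20, alphabet: str = MANAGER_ALPHABET) -> str:
    """What a password manager hands you: uniformly random symbols from a large alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Size of the space an attacker must search for a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def evaluate(pw: str) -> dict:
    """Run one password through both policies so the difference is visible at a glance."""
    return {
        "composition_rule": meets_composition_policy(pw),
        "nist_style": meets_nist_policy(pw),
    }


if __name__ == "__main__":
    # The easy-to-type password from the post satisfies every composition rule
    # but is exactly what a blocklist is there to reject.
    print("P@ssw0rd1", evaluate("P@ssw0rd1"))

    # A long passphrase fails the composition rule (no digit, no upper case)
    # even though it is far harder to guess than P@ssw0rd1.
    print("passphrase", evaluate("correct horse battery staple"))

    # A generated password, the kind the user would paste, passes the NIST check
    # and gives an attacker roughly 131 bits of space to search at 20 characters.
    pw = generate_password()
    print("generated", pw, evaluate(pw), round(search_space_bits(20, len(MANAGER_ALPHABET)), 1))
```

Note that the generated password can occasionally fail the composition rule too (a uniformly random 20-character string has no guarantee of containing a digit), which is the other way such rules get in the way of people who are doing the right thing.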

If you run a website or service that uses passwords, I beg of you: read the NIST guidelines (SP 800-63B, section 5.1.1.2 covers memorized secrets). Please help those of us who are trying to teach users good security habits.