Is It Safe to Copy and Paste Passwords on Websites?

Designing an online service is not easy, and doing it properly is even harder. You have many things to think about, including the look of the product, the usability, the performance, and, of course, the users' security. There are many dos and don'ts when it comes to keeping people's data safe, and diligent developers usually do their homework, figuring out what they need to do well before launching the product. Not all of them do that, unfortunately. Some even try to reinvent the wheel, and judging by the results, they do it after they've had a significant number of beers. Worse still, others then proceed to copy the said wheel, and it all goes wrong pretty quickly.

We can only assume that this is what happened when someone, somewhere decided that they're going to deny users the ability to paste passwords. This practice appeared a while ago, and it's been condemned by everyone from security experts to government agencies. Despite this, many websites continue to implement the no-pasting rule to this day. This is not just a nuisance for the people who are too lazy to type. It's a security problem.

The security implications of disallowing pasting

Disabling the paste function does nothing more than stop you from using a password manager. Good password management applications like Cyclonis Password Manager come with built-in password generators that let you automatically create complex, unique passwords for all your accounts. These passwords are not exactly easy to type which is why password managers also implement auto-fill functionality that puts the right password in the right field. The trouble is, it relies on the ability to paste passwords.

A no-paste policy is a big problem for one simple reason – when users can't rely on their password manager to automatically fill in the information for them, they just pick a simple password and try to remember it. And simple passwords that can be remembered leave users vulnerable to attacks.

What were they thinking?

Despite the fact that the no-paste rule leads to some serious risks, the developers who follow this policy say that they've implemented it for security reasons. They have put forward quite a few arguments, and today, we'll dissect the most popular ones to see just how invalid they are.

• A no-paste rule prevents brute-force and dictionary attacks.
  In theory, you can perform a brute-force attack by navigating to the targeted login page and trying out a large number of different passwords until you guess the right one. In the real world, however, this doesn't happen very often.While you can program automatic tools to fill all the different passwords in the field, hackers rarely do that because responsible developers won't let you make an infinite number of login attempts from the same IP. And in any case, criminals have a number of other methods of cracking open a password, and more often than not, they don't involve the login form at all.
• Sensitive data should not stay in the clipboard.
  As you probably know, when you copy something, be it a password or a file, the data is put in the device's clipboard where it stays until it's either overwritten by other information or cleared. You might also have heard that there are malware applications that can scrape the clipboard. That's why, some website operators will tell you that if your password is in the clipboard, it could fall into the wrong hands, which, they say, is a good enough reason to implement the no-pasting rule.The trouble is, if your device is infected by malware, the said rule will likely do nothing at all to stop the crooks from getting your password because virtually all malicious applications that can scrape the clipboard can also record all your keystrokes. Some of them can also take screenshots which means that even the on-screen keyboard won't help you. Furthermore, you usually don't understand that pasting is disabled until you've already copied your password which means that it's now in the clipboard and the malicious apps can steal it.If physical access is involved, the clipboard argument might just hold a bit more water. There are quite a few prerequisites, though. First of all, you have to be doing something you shouldn't really do: store your passwords in a plain text file from where you copy and paste them. As we mentioned already, when you copy a piece of information, it stays in the clipboard even after you've pasted it which means that if you leave your computer unattended (another thing you shouldn't be doing), someone might open Notepad, press ctrl+v and get the password you last copied.If you use a password manager, this is not something you should be worrying about. Good password management applications clear the clipboard shortly after they've pasted the required information, and some, like Cyclonis Password Manager, can automatically log you out of your account after a period of inactivity to protect you from people with physical access to your PC.
• Security certificates.
  We see this one every now and again. A security specialist spots a vendor that doesn't allow password pasting and calls them out on Twitter. The vendor's social media team responds by saying that if they allow pasting, they will lose the security certificate they've invested so much into getting, and the whole communication is wrapped up by a "sorry for the inconvenience" message.We've already seen that there is no viable reason for disabling the paste functionality, and we've also seen that it actually worsens the user's security instead of improving it. It's fair to say that if you need to disable the pasting of passwords in order to get a security certificate, you're better off without that certificate.

Developers (and the people who hire them) often struggle to understand the cybersecurity problems we're faced with in this day and age. They want to keep their users safe, but sometimes, their lack of knowledge leads to horrific results. The no-pasting rule is a good example of this.