Don’t Disable Copying / Pasting Passwords

4 min readJul 18, 2017

We’ve seen countless websites who disable the ability to copy/paste passwords for “security”…

When you inquire how allowing users to copy and paste passwords hurts security you get a gambit of responses, let’s review some of the more common ones, and see how well the hold up in the real world…

Our Security Certification Requires Us to Prevent Pasting Passwords

Okay, if true that could be a major concern! One, you don’t want to lose your important certifications which could perhaps have significant legal and financial implications! Two, apparently some horribly misguided security certification thinks disabling copying and pasting will do anything beyond annoying users.

In order to proceed I decided to look into security certifications that might have such a measure to publically shame them, I mean write a nicely worded email about why it’s a bad idea… Except after reviewing 28 separate security certifications ranging from a variety of industry specific certifications, to government related certifications, from the United States to Australia I came up with exactly zero certifications that had anything related to the copy and pasting of passwords… (and believe me the reading was riveting, not to spoil it, but give the HIPAA evaluation standard § 164.308(a)(8) a gander. “Requiring periodic technical and nontechnical evaluation…” Edge of my seat!)

If anyone finds a certification that has a measure disallowing the copy/pasting of passwords please point me to it!

Conclusion: Invalid Reason, you’re not going to lose your certification by allowing the copy/pasting of passwords.

To Prevent Hackers From Brute Forcing Our Website

Interesting… the idea would imply they believe hackers will use a program to open their website, paste in a user name and password, click login, and repeat until they gain access…

Let’s dig in! First, hackers aren’t going to setup some bot to pull up the website and hammer away, that’s really inefficient and honestly way more complicated then just dealing directly with your server. Instead they’ll look at what their computer sends your server when they attempt to login, then write a bot that just changes the username and password in that and blasts requests at your server until they get in or you lock them out.

With that said the blocking pasting prevents exactly none of that… Even further blocking me from pasting a password will be done client side via Javascript, which means I can circumvent it easily. Making it a trivial annoyance at best…

Also if you believe people can reasonably brute force your login, it means you’re allowing them to just go nuts. This is a huge no-no, instead you should setup rate limits. If an IP address hammers away at your login page, once they exceed a reasonable number you block the IP. It’s not fool proof, but it is way more effective than preventing users from pasting passwords.

Conclusion: Invalid Reason, seriously a hacker is not going to use your UI to brute force, and if they did bypassing your disabling of pasting would be among the easiest steps in that process. This being a concern is also an indicator of far more serious security concerns.

To Prevent Malware From Stealing Our Users Passwords

We really don’t want people stealing our users passwords! I mean that happens a lot when a user is tricked into entering their information into a clever phishing websites, or when a database is compromised containing the user’s login information!

Let’s have a look though if disabling copy / paste will accomplish anything meaningful in preventing malware from stealing a user’s password.

Okay, so malware is involved this means already the user’s computer is compromised. In such a case it’s more common for malware to contain a key logger than something to scan what’s in your clip board (what the user copied). That means by making me type in my password you’re making it MORE likely my password will get stolen. (because when I type in “SecureWebsite.com” you know the next thing I’m typing in is going to be my credentials, easy pickings.)

Beyond that, once a computer is compromised you should assume everything and anything done on that computer is compromised.

Conclusion: Invalid Reason, if anything this will increase the odds users passwords get stolen. Honestly though if the user’s computer is compromised there’s little you can do to help them on your end.

Users Need to Know Their Passwords

I can’t actually agree with this… The easier a password is to remember for you, the easier it’ll be for someone else to figure out and remember.

Let’s dig into some password theory.

Generally speaking the longer and more complex a password is the harder it is for someone to figure out, and the better it holds up against computers cracking it. Longer tends to be more valuable than complexity.

The most secure passwords tend to be utter gibberish for example `J!r%whtmfggTswU^&xAiO573`the downside is your human brain will never be able to remember that, on the plus side neither will anyone else's.

Of coarse that means it’s totally impractical to use that… except… there are these clever programs called password managers like LastPass and 1Password designed to accommodate this specific problem. They can handle safely generating, storing, and autofilling these passwords as needed! That is… unless you’ve disabled allowing your users to copy and paste passwords…

Since they can’t use these handy password managers, instead of a near uncrackable password, they use something like “Password1” or “Starwars” something that is super easy to defeat. Or they just forget their password every third visit, which is borderline infuriating.

Conclusion: Invalid Reason, even worse than invalid, this actually will make users use WORSE passwords which means your site is LESS secure as a result.

Final Summary:

All of the common reasons given for disallowing the copy and pasting of password are ill-informed at best. In reality doing this is likely to make your website and users LESS secure. So please, stop disabling the copy and pasting of passwords.

If you want to really improve your security, consider instead allowing your users to use an Identity Provider like Google, Facebook, Microsoft, etc (let them choose whichever they prefer!) and add 2 Factor Authentication, that way even if their password is compromised their account is not!