Allowing passwords to be pasted lets web forms work well with password managers: software (or services) that let you choose, save and then enter passwords into online forms at your request.
Password managers can be very useful in that they:
- Make it easier to have different passwords for each website you use;
- Improve productivity and reduce frustration by preventing typing errors during authentication;
- Make it easier to use long and complex passwords.
However, it should be remembered that while they may offer better protection and prove more convenient than keeping your passwords in a standard, unprotected document on your computer, they are not necessarily the ideal solution to an enterprise’s password problems.
Indeed, some of these services may suffer security breaches. This was the case with LastPass, which recently had to patch a flaw related to its two-factor authentication system.
It is important to note that this type of service/application may encourage users to:
- Use different passwords on different sites;
- Avoid choosing passwords simply because they are easy to remember;
- Avoid writing passwords on a sheet of paper that is then stuck to the computer screen.
In addition, many services offer you access to your passwords from any platform. Simply update your list of IDs and PINs on your computer, and you can access it almost instantly on your tablet or phone.
Why do developers forbid pasting passwords?
There are also reasons that may explain why developers want to stop users from pasting passwords.
First, one of the reasons mentioned is that pasting passwords enables brute-force attacks. If pasting is allowed, the argument goes, malicious software or web pages can repeatedly paste passwords into the password box until they guess yours.
This is true, but it is also true that there are other ways of making guesses (e.g. via an API) that are just as easy for attackers to set up and that are much faster. Also, according to the National Cyber Security Centre (NCSC), the risk of brute-force attacks using the copy/paste function is very low.
Another reason is that pasting passwords makes them easier to forget, since users no longer have to type them. In principle, it is true that the more often you recall something, the less likely you are to forget it.
However, users may have accounts on services that they use only occasionally. This means they do not have enough opportunities to type the password and therefore have little chance of remembering it.
For the NCSC, this reason is valid only if you assume, to begin with, that users should always try to remember their passwords, and this is not always true.
Another reason is that passwords will linger in the clipboard. When someone copies and pastes, the copied content is kept in a “clipboard” from which they can paste it as many times as they wish. Any software installed on the computer (or anyone who uses it) has access to the clipboard and can see what is there. Copying anything else usually overwrites what was already in the clipboard and destroys it.
Many password managers copy your password to the clipboard so that they can paste it into the password box on websites. The possible risk is that an attacker (or malicious software) steals your password before it is erased from the clipboard.
Passwords that remain on the clipboard may be a problem if you manually copy and paste your passwords from a document that you keep on your computer, as you may forget to clear the clipboard.
Most password managers clear the clipboard as soon as they have pasted your password into the site, and some avoid the clipboard entirely by typing the password into the box with a “virtual keyboard”.
Viruses installed on your computer can copy the contents of the clipboard and grab your pasted passwords. This is still not a good reason to prevent password pasting. When your computer is infected, you simply should not trust it at all.
Viruses and other malicious software that copy the clipboard almost always also copy all the letters, numbers, and symbols typed on your computer, including your passwords. They will, therefore, steal your password whether or not it is in the clipboard, so you do not gain much by preventing password pasting.
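For a site owner who wants to check whether their own forms still block pasting, the following added example (not part of the original article) statically audits HTML for password fields whose inline `onpaste` or `ondrop` handler cancels the event, either on the field itself or on the enclosing form. The sample markup, the function names and the cancel heuristic are assumptions made for illustration; handlers attached from scripts are not detected.

```python
from html.parser import HTMLParser

PASTE_EVENTS = ("onpaste", "ondrop")  # inline handlers that can cancel a paste or drop
CANCEL_MARKERS = ("returnfalse", "preventdefault")  # heuristic, assumed for this example

def cancels(handler):
    """Heuristic: does this inline handler body cancel the event?"""
    compact = "".join((handler or "").lower().split())
    return any(marker in compact for marker in CANCEL_MARKERS)

class PasteBlockAudit(HTMLParser):
    """Record password inputs whose paste is cancelled by an inline handler."""
    def __init__(self):
        super().__init__()
        self.findings = []    # (field name, event attribute, element carrying it)
        self._forms = []      # cancelling attributes of each currently open <form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        blocking = [a for a in PASTE_EVENTS if cancels(attrs.get(a))]
        if tag == "form":
            self._forms.append(blocking)
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            name = attrs.get("name") or attrs.get("id") or "?"
            # Paste events bubble, so a cancelling handler on the form blocks too.
            for events in self._forms:
                self.findings += [(name, a, "form") for a in events]
            self.findings += [(name, a, "input") for a in blocking]

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            self._forms.pop()

def audit(html):
    parser = PasteBlockAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """<form action="/login" onpaste="event.preventDefault()">
  <input type="text" name="user"> <input type="password" name="pw">
</form>
<form action="/reset">
  <input type="password" name="new_pw" onpaste="return false;">
  <input type="password" name="confirm_pw">
</form>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```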