Asklemmy

43399 readers

645 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
!lemmy411@lemmy.ca: a community for finding communities

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago

MODERATORS

742

Why do sites disable pasting in password fields? (lemmy.ml)

submitted 1 year ago* (last edited 1 year ago) by Caaaaarrrrlll@lemmy.ml to c/asklemmy@lemmy.ml

191 comments fedilink hide all child comments

It's 2023, why are websites actively preventing pasting into fields like passwords and credit card number boxes? I use a password manager for security, it's recommended by my employer to use one, and it even avoids human error like accidentally fat-fingering keys, and best of all with the credit card number I don't have to memorize anything or know a single digit/character!

I have to use the Don't Fuck With Paste addon just to be able to paste my secrets into certain monthly billing websites; why is my electric provider and one of my banks so asinine that pasting cannot be allowed? I can only imagine downsides and zero upsides to this toxic dark-pattern behavior.

There is even a mention about this in NIST SP 800-63B, a standard for identity management that some companies must follow in the USA, which mentions forcefully rotating passwords and denying "password paste-in" as antiquated/bad advice:

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets

Edit: I discovered that for Firefox users there's a simpler way than exposing your secrets to someone's third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.

Edit 2: As some have pointed out, that config value interferes with regular functionality on some sites. Probably best to leave it alone unless you know what you're doing.

you are viewing a single comment's thread
view the rest of the comments

[–] HurlingDurling@lemm.ee 6 points 1 year ago (2 children)

I remember working at a company where this is the norm and their reasoning is that they don't want someone logging into their account at a public library and saving their ID and password on the browser (people do that) and then the next user can just log into this other person's account.

[–] sockenklaus@lemmy.world 23 points 1 year ago (1 children)

... but the scenario you describe is not related to pasting passwords, it is more related to staying logged in, isn't it?

[–] HurlingDurling@lemm.ee -2 points 1 year ago (1 children)

Not really, it's more of saving your credentials on the public computer so even if you are not logged in anyone has access

[–] brianorca@lemmy.world 8 points 1 year ago

Which is still not copy and paste.

[–] nomadjoanne@lemmy.world 7 points 1 year ago (1 children)

I hate it when we all must suffer to protect the retarded... 🙄

[–] Rodeo@lemmy.ca 4 points 1 year ago

Even worse, in this case the "protection" (not pasting in a password field) doesn't even address the presented problem (users not logging out).

I hate when we all must suffer to support retards who think they're protecting us from retards but are actually inconveniencing us for no good reason.