Counterproductive security: disable password paste

I saw it again today – a site where they had made the effort to disable pasting your password into the login form. The motive surely must be to increase security, but this may be the stupidest, most counterproductive security measure I know of. Let me explain why.

Basic password principles

The two most basic principles when it comes to online passwords are:

  1. Use strong passwords
  2. Do not use the same password on multiple sites

One reason for using a strong password is obvious – it should not be easy to guess your password (i.e. pet’s name etc). The less obvious reason is that long and complex passwords are harder for hackers to reveal using simple techniques like dictionary attacks. If you want to know more about creating strong passwords, just google it. But I have another suggestion below.

The reason not to use the same password on multiple sites, is that in the unfortunate – although not that uncommon – event that a site gets hacked, and that they stored the passwords in clear text or weakly hashed without salt (don’t be that guy), so hackers get hold of your login info, they should not be able log into all your other accounts. Just imagine some low profile (low security?) forum you may have posted in once or twice gets hacked, and suddenly someone can control both your Google/Apple, Facebook and LinkedIn account. Not a pleasant thought, huh? (Tip: Enable two-factor authentication!)

Password managers to the rescue

The easiest way to use strong, unique passwords for all your online accounts is to use a password manager and have it generate different, strong, random password for each site. Thanks to the password manager, you can have good passwords like ltAaxjykylfcq3yU1K9M for Site A and 8KtVtz2iKa0kEhJ6honf to Site B, without having to remember any of them. (But you will of course need to remember the – preferably – strong password to your password manager. This is where the tips for manually creating strong passwords come in handy!)

I personally use and highly recommend KeePass which is free and available on multiple platforms (so you can access your passwords on both your PC and your smartphone). In my KeePass file I have 400+ passwords, most of them with a complexity like the examples above. Even though my memory often serves me well, there is just no way I could ever remember 400+ passwords as strong as ltAaxjykylfcq3yU1K9M.

Counter productive paste disablement

Back to the problem with disabling pasting of passwords into the login form. The most straighforward way to use KeePass, is to open your safe file and then just copy/paste your password into the login form. You won’t even see the password, as KeePass will by default mask it. The problem with sites that have disabled pasting into the password field, is that they discourage the use of password managers. Admittedly there are other ways to use password managers, such as browser integration and drag-and-drop, but the average user probably won’t bother to set that up. So, if I can’t copy/paste ltAaxjykylfcq3yU1K9M from KeePass (and don’t know there are other options), which do you think is the most likely scenario: that I unmask the password in KeePass (which by the way could allow someone reading it over your shoulder) and type it in manually – or that I choose a password that is easier to remember and type, say maybe one of the most popular passwords in the world…? And do you think that it is more or less likely that the user will reuse the same password on multiple “paste disabled sites”, than “paste enable sites”? So by discouraging the use of password managers, do you agree these sites implicitly discourage the two basic principles for online passwords – strength and uniqueness?

If you are a developer, please don’t disable paste in your login form.

By all means, read Troy Hunt on the same subject.