Anti-Patterns in Security #1: Disabling Paste for Passwords

A recent security anti-pattern I’ve found is websites containing code to disable pasting into password fields. As far as I can make out, this is one of the most brutally effective ways of encouraging users to create insecure passwords.

With many backfiring policies, I can see some benefits; this one is rare in that I see zero benefits to the approach.

You’ll have some jQuery that looks like this:

$("#newPassword").bind('cut copy paste', function(event) {
  event.preventDefault();
});

So you’ll come to generate your long, secure password using 1Password or whatever, then come to paste it in and – bam! – nothing happens. Instead, you’re forced to transcribe it one character at a time. It’s enough to make you resort to pAssword1.

As far as I can see, this policy:

  • Encourages word-based passwords which are easy to type.
  • Encourages short passwords which are easy to remember.
  • Discourages random passwords.

I can’t see a way in which this doesn’t encourage the short, easy to remember, easy to type and trivially breakable MyPuppy12. Using a secure password like pKfwXwZDX4PGtbsQrZefu7ZtBVjFMV is incredibly cumbersome in comparison. But ho-hum, whatever, it’s only my power company/pension/bank/insurance firm so puppies and lost account data it is, I guess.

It’s easy to disable the events with some quick Javascript work in the browser’s console. However, this just got me one step further: I could paste my passwords and submit the form, but my passwords failed to pass muster even though they passed the stated rules.

Perhaps 30 characters is just too long for the bank’s puppy-password brigade.

(It wouldn’t be so annoying if Anti-Pattern #2 wasn’t involved: the expiring password of doom.)

Update: Turns out people haven’t worked out how to stop you dragging-and-dropping text into forms in browsers. And 30 characters was too long; thanks for not mentioning it Mr Website.

.:.