Is It Better or Not to Allow Users to Paste Their Passwords

//Is It Better or Not to Allow Users to Paste Their Passwords

Allowing passwords to paste allows web forms to work well with password managers, software (or services) that enable you to choose, save and then enter passwords into forms online at your request.

Password handlers can be very useful in that they:

  • Make it easier to have different passwords for each website you use;
  • Improve productivity and reduce frustration by preventing typing errors during authentication;
  • Make it easier to use long and complex passwords.

However, it should be remembered that while they may offer better protection and prove more convenient than keeping your passwords in a standard, unprotected document on your computer, they are not necessarily the ideal solution to solve an enterprise’s password problems.

Indeed, some of these services may face security breaches. This is the case, LastPass, which recently had to plug a flaw related to its two-factor authentication system.

It is important to note that this type of service/application may encourage:

  • Have multiple passwords on different sites;
  • Do not choose passwords easy to remember;
  • Do not record passwords on a sheet of paper that will be placed on the screen of a computer.

In addition, many services offer you access to your passwords from any platform. Simply update your ID/PIN list on your computer, and you can almost instantly access it on your tablet or phone.

What are the reasons that developers forbid them?

There are also reasons that may justify the fact that developers want to put an end to the possibility for users to paste passwords.

First, one of the reasons mentioned is that pasting passwords allows brute force attacks. If pasting passwords are allowed, this is a vulnerability in which malicious software or Web pages can repeatedly paste passwords into the password box until they can guess your password.

This is true, but it is also true that there are other ways of making assumptions (e.g. via an API) that are just as easy to set up for attackers, and that is much faster. Also, according to the National Cyber Security Center (NCSC), the risk of raw force attacks using the copy/paste function is very low.

Another reason is that pasting passwords makes them easier to forget since users will no longer have to type them. In principle, It is true that the more you appeal to your memories, the less likely you are to forget them.

However, users may have accounts on services that they use on an occasional basis. It means that they do not have enough opportunities to write it and therefore have little chance of remembering it.

For the NCSC, this reason is valid only if you assume, for starters, that users should always try to remember their passwords and this is not always true.

Another reason is that passwords will drag on to the clipboard. When someone copies and pastes, the copied content is kept in a “clipboard” from which it can paste it as many times as it wishes. Any software installed on the computer (or anyone who uses it) has access to the clipboard and can see what is there. Copying anything else usually overloads what was already in the clipboard and destroys it.

Many password managers copy your password to the clipboard so that they can paste it into the password box on the websites. The possible risk is that an attacker (or malicious software) steals your password before it is erased from the clipboard.

Passwords that remain on the clipboard may be a problem if you manually copy and paste your passwords from a document that you have on your computer as you may forget to clear the clipboard.

Most password managers delete the clipboard as soon as they pasted your password on the site, and some even completely avoid the clipboard by typing the password with a “virtual keyboard” at the square.

Viruses installed on your computer can embed clipboard copies on them and grab your pasted passwords. This is still not a good reason to prevent password hack. When your computer is infected, you should simply not trust it at all.

Viruses and other malicious software that copy the clipboard almost always copy all the letters, numbers, and symbols on your computer, including your passwords. They will, therefore, steal your password, whether or not the clipboard, so you do not gain much to prevent pasting passwords.

Hits: 605

By |2017-06-24T15:20:03+00:00June 24th, 2017|Tips & Tactics|6 Comments

6 Comments

  1. Md Yakub September 10, 2017 at 3:47 pm - Reply

    Your post is so nice and useful. I think we should remember our username and password instead of managed by password manager. Now a days all of the modern browser have built in support for manage password. But it is a bad habit to not remember password and only manage by browsers or password managers. As a result we forget our usernames and passwords. On digital technology it it not safe to store password on any local storage, they are easily accessible to others. It is considerable if you have many usernames and passwords, but keep it mind to manage your personal and business accounts.

  2. Vange September 19, 2017 at 1:44 am - Reply

    Good to know! I encouraged my parents to save their passwords in their mobile phones and taught them to just copy and paste it onto their accounts since they forget them every time. Users their age (or of their generation), as I have observed, do not have a knack on remembering passwords amidst the unending advancement of digital technology. I, too, wanted to have the same password on all of my accounts for the sake of uniformity and convenience. I didn’t know this could bring such risk on our accounts and privacy as well. I think it’s about time to pass this learning to my parents and have them start remembering their passwords for a change.

  3. Daniel Omwancha September 19, 2017 at 10:47 am - Reply

    A great article and a great read for me. Digital technology is growing exponentially, many if not all of us are connected to some digital device and as we know, they are many devices we use in a single day, all of which require us to log in first with a password. Now, current security best practices absolutely endorse having the ability to paste passwords; in fact, this is a core requirement for the use of password managers. Using password managers is also considered to be a best practice because they encourage better user password hygiene. They typically allow users to generate long, complex passwords and make it much easier for users to change their passwords on a regular basis. Most importantly, password managers help mitigate the extremely common problem of password reuse. By encouraging and enabling users to use strong, unique passwords for every site, there is less possibility that a password compromised by a website breach could be used to gain access to your information on another site. However, security is a constantly evolving target, and while these issues may have been relevant once, the landscape has changed greatly over the past several years. Ultimately, holding on to outdated security ideas provides very little benefit to users and can negatively impact both user security and site security. For me, allowing users to paste passwords is a great lifestyle tip for this digitally enabled age.

  4. Anthony October 9, 2017 at 7:36 am - Reply

    In my opinion on this article, I think it’s a bad idea to paste passwords we must have noticed that many websites just don’t allow the paste of password in the password field. Looking at how the paste of password works, When you copy any content, it gets stored in a part of your RAM, called the clipboard. The instant you give a paste command, the content is retrieved and put down at the location. It still exists in your RAM. Now you need to understand that the RAM is plugged upon your Motherboard, hence it is vulnerable to hacks. You can be cautious of keyloggers, and there is pretty much no other way that a password typed is detected. For the others, we have virtual keyboards without alerts. Makes it safe. Having another copy of the password on your RAM means compromising with your safety and the digital technology has gone wild which means you might be vulnerable to hacking.

  5. Jonney October 10, 2017 at 5:38 pm - Reply

    Honestly, if your excuse for not being able to paste passwords on your website is “we are concerned about malicious flash plugins stealing your credentials”, then I really wonder why you allow malicious flash plugins on your website in the first place. there are 2 ways any website could have this happen: through malvertising and through site compromise, and those usually do much worse stuff than steal one (usually unique) credential for one site.

  6. George Mburu December 26, 2017 at 4:27 pm - Reply

    Thanks God I came across this educative article. It seems I keep on learning new things every time I visit this website. I have noted and grabbed some useful cyber security information that I didn’t use to give a thought about. I have now known better on how to store my passwords. In fact, I have been using the same passwords for every account I opened online. I din’t think it was any kind of bad idea at all but after going through this article I learnt that to avoid being prone to cyber security crimes one should use different passwords for different accounts. There is no need to run away from saving passwords but a need to come up with ways through personal Development Skills to provide online security as a big amount of data is kept here thus a great need of digital empowerment for users

Leave A Comment