Blog post

Let them paste passwords

Created:  12 Jan 2017
Updated:  12 Jan 2017
Author:  Sacha B

One of the things people often tweet to us at @ncsc is examples of websites that prevent you pasting in a password. Why do websites do this? The debate has raged, with most commentators fuming about how annoying it is.

So why do organisations do this? Often no reason is given, but when one is, that reason is 'security'. The NCSC doesn't think the reasons add up. We think that stopping password pasting (SPP, as we'll call it here) is a bad thing that reduces security. We think customers should be allowed to paste their passwords into forms, and that allowing it improves security.

 

No one knows where it came from

It is a mystery where SPP came from. No one has pointed to a paper, a rule, an RFC (a technical standards document setting out how the Internet should work) or anything else that started it off. If you know of one, let us know using the comments form below. We believe it's one of those 'best practice' ideas with a common-sense, instant appeal, and that may have made sense once. Considering the bigger picture today, it really doesn't make sense.

 

So why is password pasting a good thing?

The main reason why password pasting improves security is because it helps to reduce password overload, something that we cover in our Password Guidance. Allowing the pasting of passwords makes web forms work well with password managers. Password managers are software (or services) that choose, store and enter passwords into online forms for you. Password managers are very useful because they:

  • make it much easier to have different passwords for each website you use
  • improve your productivity and reduce frustration by preventing typing errors during logins
  • make it simple to use long, complex passwords

Disclaimer: although password managers can offer better protection than - for example - keeping your passwords in a normal (and so unprotected) document on your computer, they are not a silver bullet to solve all of an organisation's password problems. We'll write more in a future blogpost about things to consider when picking a password manager.

Imagine if you didn't have a password manager, or even that unprotected document on your computer with your passwords in it. Without password managers, it would be pretty much impossible to remember all your passwords. To cope without them you'd have to do some of these bad things:

  • re-use the same passwords on different websites
  • choose very simple (and so easy to guess) passwords
  • write passwords down in places that are easy to find (like post-it notes next to the screen)

This is why we think SPP is bad, and allowing password pasting is good. The pros outweigh the cons, and by a lot.

 

Why stopping password pasting (SPP) is wrong

There are other reasons that are used to justify SPP. The small and misleading grain of truth in these reasons can sound very persuasive. Here's why they're wrong.

 

Justification 1: 'Password pasting allows brute force attacks'

The claim is that if password pasting is allowed, malicious software or web pages could repeatedly paste password guesses into the password box until they hit the right one.

This is true, but it's also true that there are other ways to make guesses (for example by submitting the login request or calling an API directly, without ever touching the web page) that are just as easy for attackers to set up and are much faster. The risk of brute force attacks through copy and paste is very small, and blocking paste in the browser does nothing to stop the real ones: a guessing attack is stopped on the server, by limiting and slowing down failed attempts, not in the password box.
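As an added illustration (this is not code from the NCSC post or from any named product), the JavaScript below puts the brute force control where it belongs: a server-side, per-account throttle with an escalating delay. It then runs a simulated wordlist attacker against it, once with the throttle and once without, to show how few guesses an hour the throttle allows. The thresholds, the `LoginThrottle` name, the `verify` function and the constructed wordlist are all assumptions chosen for the demonstration.

```javascript
// Added example, not code from the NCSC post. A client-side paste block
// never reaches an attacker who POSTs guesses straight to the login
// endpoint, so the brute-force control belongs here, server side.
// Thresholds, names and the simulated attacker are illustrative assumptions.

class LoginThrottle {
  // verify: (username, password) => boolean, the real credential check.
  constructor(verify, { freeAttempts = 3, baseDelayMs = 1000, maxDelayMs = 15 * 60 * 1000 } = {}) {
    this.verify = verify;
    this.freeAttempts = freeAttempts;
    this.baseDelayMs = baseDelayMs;
    this.maxDelayMs = maxDelayMs;
    this.state = new Map(); // username -> { failures, lockedUntil }
  }

  // Delay imposed after the given number of consecutive failures:
  // nothing for the first few, then doubling, capped at maxDelayMs.
  delayFor(failures) {
    if (failures <= this.freeAttempts) return 0;
    const exponent = Math.min(failures - this.freeAttempts - 1, 30);
    return Math.min(this.baseDelayMs * 2 ** exponent, this.maxDelayMs);
  }

  // One login attempt at time `now` (ms). Returns why it was allowed or refused.
  attempt(username, password, now = Date.now()) {
    const s = this.state.get(username) || { failures: 0, lockedUntil: 0 };
    if (now < s.lockedUntil) {
      return { ok: false, reason: 'throttled', retryAfterMs: s.lockedUntil - now };
    }
    if (this.verify(username, password)) {
      this.state.delete(username); // success clears the failure history
      return { ok: true, reason: 'authenticated', retryAfterMs: 0 };
    }
    s.failures += 1;
    s.lockedUntil = now + this.delayFor(s.failures);
    this.state.set(username, s);
    return { ok: false, reason: 'bad-credentials', retryAfterMs: s.lockedUntil - now };
  }
}

// A patient attacker who always waits exactly as long as told, then tries
// the next guess, until the window of simulated time runs out.
function simulateGuessing(throttle, username, guesses, windowMs) {
  let now = 0;
  let tried = 0;
  for (const guess of guesses) {
    const result = throttle.attempt(username, guess, now);
    tried += 1;
    if (result.ok) return { tried, found: guess };
    now += result.retryAfterMs;
    if (now >= windowMs) break;
  }
  return { tried, found: null };
}

const correct = 'correct horse battery staple';
const verify = (_user, password) => password === correct;
const wordlist = Array.from({ length: 1000 }, (_, i) => `guess${i}`); // constructed sample
const ONE_HOUR = 60 * 60 * 1000;

// Guesses the attacker gets to make in an hour with the default throttle.
function guessesAllowedInAnHour() {
  return simulateGuessing(new LoginThrottle(verify), 'alice', wordlist, ONE_HOUR).tried;
}

// The same attacker against an endpoint with no throttle at all.
function guessesWithoutThrottle() {
  const unthrottled = new LoginThrottle(verify, { freeAttempts: Infinity });
  return simulateGuessing(unthrottled, 'alice', wordlist, ONE_HOUR).tried;
}

console.log(`throttled: ${guessesAllowedInAnHour()} guesses/hour, unthrottled: ${guessesWithoutThrottle()}`);
```

Note the design trade-off: a lockout keyed only on the account refuses the correct password too while the delay is running, so an attacker who knows a username can make a nuisance of themselves by keeping that account throttled. In practice the counter is often keyed on account and source address together, and the delay capped, so that legitimate users are slowed rather than locked out. None of that is touched by whether the browser allows paste.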

 

Justification 2: 'Pasting passwords makes them easier to forget, because you have fewer chances to practise them'.

It's true, in principle, that the more times you recall something, the easier it is next time.

In the real world though, people are made to have passwords for things that they hardly ever use. This means there isn't enough time to practise, and therefore little chance of remembering. This whole justification only works if you assume, to begin with, that users should always have to try and remember their passwords - and that's not always true.

People are also made to have passwords for things they use so often they couldn't forget the password even if they wanted to (which is quite inconvenient if you're forced to change the password regularly), and typing in the rotten thing again and again eats into their day. Password managers are a stick these people lean on, and SPP kicks it away.

 

Justification 3: 'Passwords would hang around in the clipboard'

When anyone copies and pastes, the copied content is kept in a 'clipboard' where it can be pasted as many times as they want. Any software installed on the computer (or any person operating it) has access to the clipboard, and can see what's in there. Copying anything usually writes over what was already in the clipboard and destroys it.

Many password managers copy your password to the clipboard so they can paste it into the password box on websites. The possible risk is that an attacker (or malware) will steal your password before it's erased from the clipboard.

Passwords remaining in the clipboard might be more of an issue if you're manually copying and pasting your passwords from a document you have on your computer. You might forget to clear the clipboard. However it's not much of a risk because:

  • Most password managers erase the clipboard as soon as they have pasted your password into the website, and some avoid the clipboard completely by typing in the password with a 'virtual keyboard' instead.
  • The web browser 'Internet Explorer 6' allows evil web pages to copy the clipboard; but very few people in the UK still use IE6 to browse the web.
  • Malware installed on your computer can include a clipboard grabber that steals your pasted passwords. That's still not a good reason for SPP though; once your computer is infected you can't trust it at all. Malware that reads the clipboard nearly always also records every letter, number and symbol typed on your computer, including your passwords. It would steal your password whether or not it was in the clipboard, so you're not really gaining much by SPP.

Rather than stopping password pasting, help your computers to avoid catching viruses in the first place by following our guidance on securing enterprise IT. And install software updates - the IT version of eating your fruit and veg. It's one of the very best ways of securing your computer.
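The first bullet above describes password managers that wipe the clipboard once the password has been pasted, or after a short time. As an added example (not code from the NCSC post or from any particular password manager), the JavaScript below sketches that behaviour: copy a secret, wipe it as soon as it has been pasted or when a time-to-live expires, and never overwrite the clipboard if the user has since copied something else. The clipboard is injected so the logic runs against an in-memory stand-in; wrapping the real operating system clipboard is left as an assumption.

```javascript
// Added example, not code from the NCSC post or from any password manager.
// ClipboardGuard copies a secret and wipes it either when told the paste
// has happened or when its time-to-live expires. The clipboard object is
// injected; MemoryClipboard is a constructed stand-in for the OS clipboard.

class MemoryClipboard {
  constructor() { this.content = ''; }
  read() { return this.content; }
  write(text) { this.content = text; }
}

class ClipboardGuard {
  constructor(clipboard, ttlMs = 10000) {
    this.clipboard = clipboard;
    this.ttlMs = ttlMs;
    this.pending = null; // { secret, expiresAt } while a wipe is scheduled
  }

  // Put the secret on the clipboard and remember when it must be wiped.
  copySecret(secret, now) {
    this.clipboard.write(secret);
    this.pending = { secret, expiresAt: now + this.ttlMs };
  }

  // The manager has pasted the secret into the form: wipe straight away,
  // the "erase as soon as pasted" behaviour the post mentions.
  markPasted() {
    return this.wipe();
  }

  // Called from a timer; wipes only once the time-to-live has passed.
  tick(now) {
    if (!this.pending || now < this.pending.expiresAt) return false;
    return this.wipe();
  }

  // Overwrite the clipboard only if it still holds our secret. If the user
  // has copied something else since, the secret is already gone and wiping
  // would destroy their data instead. Returns whether a wipe happened.
  wipe() {
    if (!this.pending) return false;
    const stillOurs = this.clipboard.read() === this.pending.secret;
    if (stillOurs) this.clipboard.write('');
    this.pending = null;
    return stillOurs;
  }
}

// Walk through a copy, an early timer check, and the expiry wipe.
function demo() {
  const clipboard = new MemoryClipboard();
  const guard = new ClipboardGuard(clipboard, 10000);
  guard.copySecret('hunter2', 0);            // constructed sample secret
  const early = guard.tick(5000);            // too soon: still on clipboard
  const expired = guard.tick(10000);         // TTL passed: wiped
  return { early, expired, after: clipboard.read() };
}

console.log(demo());
```

The check in `wipe` is the part worth copying: a timer that blindly writes an empty string ten seconds after every copy will at some point destroy something the user copied in the meantime, which trains them to turn the feature off.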

 

Don't just take our word for it

You don't have to take our word for it that stopping password pasting is bad. See Troy Hunt's blog (with a history lesson for us all), or this article in Wired.

Improve your security by supporting your users.  Let them paste passwords.

 

Sacha B

Sociotechnical Security Researcher

48 comments

Steven Murdoch - 12 Jan 2017
Agreed. This is closely related to the other common practice of setting autocomplete="off" for password fields to disable the browser’s in-built password manager. For similar reasons to those outlined in this post I argued this was a bad idea: www.lightbluetouchpaper.org/2006/04/18/browser-storage-of-passwords-a-risk-or-opportunity/

I think some modern browsers now ignore the autocomplete setting, and instead respect the user’s preference, but it still causes problems with misguided websites.

In fact, as I argue, disabling autocomplete (and copy-and-paste) makes phishing easier because smart password managers bind passwords to web addresses and so creates an obstacle to typing a password for one site into another.
Sacha B - 18 Jan 2017
Dr. M

Hello! Thanks very much for commenting.

We like your idea about autocomplete. Passwords and password management are contentious, sometimes high passion topics. It's great to have such thoughtful contributions as this. Even when we agree with them! ;)
Simon - 16 Jan 2017
The password manager we use allows you to clear the clipboard after a given period if you used the clipboard, a feature that we use, since people accidentally paste passwords (even if IE6 is no longer a worry).

Re: Justification 2 - if people don't know their passwords, and it always auto-fills from the password manager, there is a sporting chance they'll spot phishing attacks (because they won't autofill).
Andrew Parsons - 15 Jun 2017
I agree completely with the comment about spotting phishing attacks. Very few people 'hover' to check that a URL is as it should be. If the URL is wrong, a password manager simply won't respond. So appropriate password managers (with pasting!) are the way ahead.
Phil Sheehan - 16 Jan 2017
It is refreshing when you see an organisation setting out to do the right things with the aim to make life easier for people. You do not normally associate a security organisation with the previous statement but I do like the guidance given by NCSC and they have some excellent articles on their site. This blog article and the NCSC past advice on password change frequency (or rather infrequency) is spot on and is an acceptance of the reality of today’s burden on users.
I would like to congratulate the NCSC on their service and on their site generally and specifically for applying some common sense and pragmatism to established practices that fall into the category “Oh, but we have always done it that way”. Well done and thank you and perhaps we can get some support for the thought that Security and convenience is not an oxymoron!
BEN - 18 Jan 2017
The reason SPP came about is because it promoted the writing down and storing of passwords which at the time usually meant in unprotected documents with names like 'passwords.doc'.
The use of a password manager is what your whole article hinges on, hell it's so intrinsic to your argument you've even had to add a disclaimer in your 'for' removal of SPP that password managers are 'not a silver bullet to solve all of an organisation's password problems'.
Forget brute force, not remembering passwords and even the clipboard; the security risk of removing SPP will be a perception that writing down passwords is acceptable and an increase in the number of the general public storing them in unprotected files.
While titles like ‘Let them paste passwords’ are eye catching this has to be backed up with serious promotion of the general use of secure credential storage solutions.
Sacha B - 23 Jan 2017
BEN, Hi and thanks! You've hit the nail on the head about storage. We absolutely definitely approve of and encourage storage to be matched to the importance of the passwords you're storing: the more sensitive the passwords, the stronger their protections should be. Helping users to store their passwords is one of our top seven password tips for organisations. See it in our Password Guidance (link is in the blog post or at https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach).
Christopher - 18 May 2017
If you think that they are not storing passwords in an insecure file whether you let them paste or not, you are not living in reality. At least in a file, the file should be on an encrypted disk behind a session login. If they can paste the password, they have an incentive to store it electronically. Without the ability to paste, they are just as likely to write it on a sticky note.
Max Vasilyev - 21 Jan 2017
Well, this is just talk. How about starting to fix *.gov.uk services so they accept passwords from a password manager? Let's start with the passport application one: passportapplication.service.gov.uk ips-olc gs10_01.form
Jeff Sergeant - 14 Feb 2017
Check out the OWASP Application Security Verification Standard 2.7 "Verify password entry fields allow, or encourage, the use of passphrases, and do not prevent password managers, long passphrases or highly complex passwords being entered."

Maybe we should explicitly say "don't stop people pasting passwords" . A reference to a recognised comprehensive standard would be helpful!
Toby Newbatt - 15 Feb 2017
Great advice and an interesting topic! Also consider using 2FA as an additional step to protect the key single password in password managers and critical systems.
Tariq Rashid - 16 Feb 2017
I think the practice came from new account setup when pasting your pass into the verify field risked locking yourself out if you pasted the wrong pass.

Account setup is different to account login.
Frederik Vanhoutte - 17 Feb 2017
I wonder if this practice didn't start with a practical concern during registration or signup. I create an account, hidden type my password of choice and copy-paste it in the password confirmation window.
However, I made a(n invisible) typo and effectively created an account with a password unknown to me. "Recover password", etc...
Solution, disable copy-paste and force typing it twice.
Paul Moore - 18 Feb 2017
Hi Sacha

I know we're supposed to be debating this later, but until such time, here's my 2c.
paul.reviews/dont-let-them-paste-passwords/

TL;DR - There are perfectly legitimate reasons to disable paste, including increasing security.

Thanks,

Paul
DESMOND BOKSAN-CULLEN - 24 Feb 2017
One aspect many forget is that disabled users are often dependent on password manager software, especially the visually impaired, dyslexic (such as myself) and those using eye flicker etc. to control their computer. Using password managers with copy paste allows users to have random and very long passwords like 20 digits or more; trying to remember such long passwords would be very difficult.
glenn tripp - 26 Feb 2017
Short story - notify someone pasting is blocked / prevented. If the site needs super security do that.
Jim Holmes - 27 Feb 2017
Tell TFL about this! On their password change page, they allow a password manager to paste into the first field but not into the confirmation field. I discovered this because they were affected by Cloudbleed so I smugly set about using Dashlane to change passwords quickly, only to be thwarted by this one. Oh, and their validation regexp doesn't allow some perfectly legit special chars, e.g., brace brackets.
Desmond Boksan-Cullen - 01 Mar 2017
My final previous point about using very long password being greatly aided by using a paste from password management software is that long passwords makes hackers' work harder. My windows password is 26 digits and my banking one is over that. Why forms etc on the Web talk about security but accept six digit passwords is beyond me.
Matthew Atkinson - 21 Mar 2017
Came here to mention TFL (part of the same Government as NCSC) but Jim Holmes has beaten me to it.

Exactly as Jim said, I went to account.tfl.gov.uk and had to manually type my 32 character strong password into the second box. I got it right luckily, but I could easily have just given up and put in a simple password.

Please bring them up to date and stop this restrictive practice.
Igor - 18 May 2017
Ha, I was signing up to home security software today and they didn't let me paste a password, so instead of the very long, randomly generated password, I chose the weak one that I can easily type. I agree this reduces security.
John Woodward - 18 May 2017
Great Article. Preventing password pasting drives me crazy. If you are on a Mac, I have 2 apps that work around this. PW Master is a password manager that allows for typing passwords. Paste Master is a clipboard manager that allows for typing text clipboards.
BihtSift - 18 May 2017
Development tools always enable me to get around these form fields anyway by allowing me to paste in my password directly into the html.

Unrelated but related, dev tools are great to get rid of walled garden prompts or annoying ads (assuming the main content has already been downloaded)
Darryl Leckenby - 18 May 2017
Preventing copy and paste guarantees that a keylogger would reveal your password. Just a thought on where copy and paste has a useful application in the login form scenario.
Steve Slade - 18 May 2017
I think it is a wrong assumption to make about "remembering different passwords" being too difficult.

If we educate people into using a password pattern and "seed" approach, you can have unique and memorable passwords for every site.

For example, your seed password might be
"TortoiSe" note the cap letter.

Your pattern might then be. Take the 1st and 3rd letter of the site name. Add it to the start and end. Also the number 65 (best to choose a memorable number for personal reasons)

Your password for Facebook would then be:
ftortoiSec65

For Gmail it would be
GtortoiSea65

This is a pretty simplified example, you might opt to add in a few non alphanumerics for added complexity.

You don't need to remember the passwords, just your pattern and seed. Once you have used it a few times, it becomes second nature.

It is also important to educate people at an early age to get them used to thinking about security and how to think about passwords.
Sacha B - 25 May 2017
Two contrasting approaches are to try to make people fit in with the 'system' better, or to try to make the 'system' fit in with people better. Your scheme could help some people. However, we believe that the greatest gains in useful security are possible if we do more of adapting the system and less of adapting the people.
Kevin Mills - 24 Mar 2018
Deterministic password algorithms like that are fatally flawed.

Two words: password resets. You're using a seed and public info (e.g. site name) to generate the password. So you can remember it, you always use the same seed. Problem - you have to use a different seed to change the password for a particular site, which you'd want to do if, say, the site got hacked.

Your only option is really to pick a different seed and update every password for every service you have whenever you think there's a chance even one of those passwords has been compromised.

You might be tempted to pick a different seed and only use it for that site, but that leads you down a dark road. Over time, more sites will need password resets and get moved to the second seed. And it's only a matter of time before one of those sites needs a second password reset, and you need to throw a third seed in the mix. Remembering three seeds isn't the issue; remembering which sites use which seeds is.

And all of this is ignoring the elephant in the room. Is it even possible to devise an algorithm that could be used for this purpose? No - different sites have different rules for what kinds of passwords they allow. Short of memorizing which specific combination of rules every site has and having that as an input to your algorithm so that it outputs a valid one, it isn't possible.

And honestly, memorizing which specific set of password restrictions every site uses doesn't sound much easier than memorizing passwords; I certainly wouldn't bet on us being able to memorize unique password restriction rules.

Just use a password manager. Even if your incredibly simplistic algorithm didn't have the problems I just mentioned (no good way to do password resets, won't work on sites with different password rules), there's no way it would be easier than a cloud password manager browser extension.
Grom moss - 18 May 2017
One additional point is that copy/paste stops keyloggers from capturing your password
Linus - 18 May 2017
I strongly disagree with your reasoning around justification 3; it's much easier for anti-malware to detect malicious keyboard hooks than to detect malicious clipboard reading. One tends to not handle passwords in regular old character pointers for a reason and all that work goes out the Windows when you store it in the clipboard instead.

While I can buy with your overall point that disallowing pasting of passwords is on average worse for usability than allowing it is for security I feel your reasoning is questionable.
Cb - 18 May 2017
When using a password with auto-type, you can sometimes change the autotype sequence to type your new password (or even twice with TAB inbetween) and not worry about the pasting thing. Works well in keepass for example.
Fernando - 18 May 2017
Congratulations on your post.
It's really interesting.
Wade Mealing - 19 May 2017
Reason #1 is absolutely incorrect; brute forcing passwords wouldn't resort to pasting, that is far too slow. Direct form submission for brute force is only the -first step- to feasible brute forcing in most cases. No sane attacker uses pasted brute force passwords.
Pattiyahoo - 19 May 2017
Should I change my password pattigibson
Sacha B - 25 May 2017
If your password is "pattigibson" then yes, probably!
Andrew - 19 May 2017
Security works in layers - like a castle with a moat, open field, etc. A key 'real world' aspect of security is the presence of the authorized person. An added layer is independent validation - a government issued id card. A different layer is a witness.
Similarly multi factor authentication - what you know, what you have, what you are - works in layers. A password is linked to an identifier and is intended to show what you know.
Stopping pasting is intended to increase the probability that a person who knows the password is present at the time it is entered.
Sacha B - 25 May 2017
Multi-factor authentication is very important, but also very difficult to do well. We're thinking hard about it. Watch this space!
Kevin Mills - 24 Mar 2018
Regardless of what the intentions happen to be, what stopping password pasting actually does in practice is ensures that people use short, easy to type, easy to guess passwords.

If someone said "We store passwords in plain text" and, after seeing your looks of horror, they said that "Storing passwords in plain text helps to cure cancer", the fact that they have ultimately noble intentions for compromising their security doesn't change anything. Their actions are not having the desired effect.
Adam - 19 May 2017
Awesome. While fixing this how about fixing the obfuscated password field? When was the last time you had somebody lurking over your shoulder while you typed your password or logged into anything sensitive for that matter?

All of these practices encourage people to have weak passwords.
Sacha B - 25 May 2017
We're always interested to hear about security and usability issues. Please keep them coming in!
LMH - 19 May 2017
Allowing a website to disable a user's ability to control their own software is frankly something that no browser should permit in the first place. Thankfully tools like greasemonkey can wrest back control and make clipboard restrictions completely ineffective, but I'm hopeful that someday browsers will just automatically ignore these inane limitations just like lovely <blink> tags.
m-p{3} - 19 May 2017
Thankfully I can use the auto-type feature to counter those paste-less fields.
Sensitive data pasted from my clipboard - 19 May 2017
When you sign up for an account, making the user type their new password twice helps them remember it. Allowing them to paste will increase the number of forgotten passwords. However, having a checkbox which will allow the user to reveal their new password is more effective. This is only relevant to the signing up form and disabling paste on a login form has no logical purpose.
ana - 30 Jun 2017
It depends on the greatest perceived threat vector/s:
. physical/domestic/local/line-of-sight => keep passwords locked-down in a locked-down account
. remote/drive-by credential collection/exfiltrate-and-run => physical-world record and all entry by hand
. long-term local digital security breach => oops!
. phishing => automated warnings should sound (& email clients should not allow click-through when a link doesn't pass a live security certificate check of authenticity)

also, perhaps consider the signature analogue - it's the way that it's written, not what is written, that counts: identical content is usual, but absolutely identical is a forgery; is password typing rhythm a clue? Perhaps a <website> should give the user the password, and the way that it's entered should be the key? just thinking out-loud...

anyway, interesting, tl;dr = it depends...
Jobst - 28 Jul 2017
Part of my job is to look after a questionnaire/assessment website. The questionnaires/assessments are filled out by people of all ages, jobs and education ... there are many, many people who (yes even these days!) are not capable users of computers.
I learned very early (as in many, many years back) that I have to make it easy for users entering their usernames and passwords, otherwise we would be on the phone for half a day to help these people.
Also, copying and pasting username/passwords clearly helps "typing" them in correctly reducing the calls of "I am 100% sure I typed my password correctly" although you could see in the logging mechanisms they did not.
I see it this way: While we need to educate people to have good security developers need to adapt to users, we need to meet half way. If I cannot tell a person to use a password manager I can tell them to use something similar to @Steve Slade's approach - which I have done for many years. Most people I explain that approach you can see their eyes lighting up "what a great idea, thank you".
Don't try to bash something into them (aka no pasting, 100character passwords) but rather help them to develop and learn.
Mark Scott - 10 Aug 2017
I'm having a discussion with Plusnet about this. Their mobile phone signup process misguidedly mandates the allowable password character set and disables pasting.
Passwords are supposed to be a shared secret, not a test of the user's memory or keyboard skills.
Rachel - 05 Oct 2017
If you allow copy and paste, why bother requesting double entry of the password at all?
Alexa Tilbrook - 13 Apr 2018
This isn't just in the UK, folks, either. Comcast (the USA's biggest cable television provider) prohibits this on their login page, effectively rendering password managers (like KeePass) useless. There is much lamenting on the Xfinity (Comcast's "rebranding") forums about this and their response is the same: "durrr, brute force attack." I don't like JavaScript to be abused like this in the name of security. Right click disable is also another egregious abuse of JavaScript. In that, it claims to prevent "stealing", but many assistive technology relies on the right click to copy and paste for screen readers. Some sites do both (prevent pasting password and disabling right click to get to the "Paste" command) to prevent pasting password. (Comcast does that.)

It's ridiculous.

Also, ridiculous password restrictions need to go, too. No website should tell me that [!|@|#|$|%|^|&|*|(|)|whatever] are "invalid." Maximum password lengths need to go, also. It's a problem that webmasters trained in the MS way, which you can blame the old WinNT [4.0-era] winlogin.exe for that... which used such draconian policy which most sites today still employ. (It was a holdover from VMS that made it that way.)

Thanks for this insightful post from the USA!
Erik - 05 May 2018
What about them Microsoft? Among other sites, Microsoft now displays account email field on one page and the password on another page. Very unfriendly for those of us who use password managers!
Andrew - 26 Jun 2018
Great article, great conversation. Anyway I’ll summarise it:
- if a malicious bit of code or actor is in memory, it’s game over, concerns elsewhere. Change all your passwords, consider any system, session, information or data, cached or used credentials compromised. That’s the reality.
- if the transport is unencrypted and you’re entering creds into a form, you’re probably using the wrong service or app and should re-evaluate what you are about to do, regardless of method
- whether you paste or type it in is irrelevant really. Scenario, your input is hacked through physical or logical means, typing it offers more risk because you’re competing with the physical vector and trusting peripherals, cables and the hardware inside your machine. If it’s stored encrypted at rest and only ever seen in memory before being transmitted/submitted (maybe written to disk if cached or user opts to save the creds), then the physical keyboard/peripheral jacking techniques aren’t of that much concern for the form scenario.They probably got your logon password and living in memory at that point any way, so your logon account is probably more valuable than a single credential used in a specific form). Time to ask ourselves the stats on how many ppl use the same password for logon as to password safe not to mention the different password stores that have their own vulnerabilities that may also be exploitable.
- if we are worried so much about passwords getting compromised, make it mandatory to use MFA, lower password complexity settings to make it easier for the users, reduce the frequency of password resets (but don’t remove it completely), and audit and alert on abuse use cases for the forms in question.
- use recaptcha and other technologies if bots are of concern and also ensure that you rate limit logon attempts, progressively compounding the retry interval to eventually make it unfeasible to continue to attack.
- last but not least, educate the users, empower them.
