Blog post

Let them paste passwords

Created:  12 Jan 2017
Updated:  12 Jan 2017
Author:  Sacha B
Copy paste wall code

One of the things people often tweet to us @ncsc are examples of websites which prevent you pasting in a password. Why do websites do this? The debate has raged - with most commentators raging how annoying it is.

So why do organisations do this? Often no reason is given, but when one is, that reason is 'security'. The NCSC don't think the reasons add up. We think that stopping password pasting (or SPP) is a bad thing that reduces security. We think customers should be allowed to paste their passwords into forms, and that it improves security.

 

No one knows where it came from

It is a mystery where SPP came from. No one has pointed to a paper, a rule, an RFC (a technical standards document to plan how the Internet should work) or anything else that started it off. If you know of one, let us know using the comments form below. We believe it's one of those 'best practice' ideas that has a common sense instant appeal that may have made sense once. Considering the bigger picture today, it really doesn't make sense. 

 

So why is password pasting a good thing?

The main reason why password pasting improves security is because it helps to reduce password overload, something that we cover in our Password Guidance. Allowing the pasting of passwords makes web forms work well with password managers. Password managers are software (or services) that choose, store and enter passwords into online forms for you. Password managers are very useful because they:

  • make it much easier to have different passwords for each website site you use
  • improve your productivity and reduce frustration by preventing typing errors during logins
  • make it simple to use long, complex passwords

Disclaimer: although password managers can offer better protection than - for example - keeping your passwords in a normal (and so unprotected) document on your computer, they are not a silver bullet to solve all of an organisation's password problems. We'll write more in a future blogpost about things to consider when picking a password manager.

Imagine if you didn't have a password manager, or even that unprotected document on your computer with your passwords in it. Without password managers, it would be pretty much impossible to remember all your passwords. To cope without them you'd have to do some of these bad things:

  • re-use the same passwords on different websites
  • choose very simple (and so easy to guess) passwords
  • write passwords down in places that are easy to find (like post-it notes next to the screen)

This is why we think SPP is bad, and allowing password pasting is good. The pros outweigh the cons, and by a lot.

 

Why stopping password pasting (SPP) is wrong

There are other reasons that are used to justify SPP. The small and misleading grain of truth in these reasons can sound very persuasive. Here's why they're wrong.

 

Justification 1: 'Password pasting allows brute force attacks'

If password pasting is allowed, that represents a vulnerability where malicious software or web pages could repeatedly paste password guesses into the password box until they break your password.

This is true, but it's also true that there are other ways to make guesses (for example through an API) that are just as easy for attackers to set up, but are much faster at guessing. The risk of brute force attacks using copy and paste is very small. 

 

Justification 2: 'Pasting passwords makes them easier to forget, because you have fewer chances to practise them'.

It's true  - in principle - that the more times you recall something, the easier it is next time.

In the real world though, people are made to have passwords for things that they hardly ever use. This means there isn't enough time to practise, and therefore little chance of remembering. This whole justification only works if you assume, to begin with, that users should always have to try and remember their passwords - and that's not always true.

People are also made to have passwords for things they use so often they couldn't forget the password even if they wanted to (which is quite inconvenient if you're forced to change the password regularly), and typing in the rotten thing again and again eats into their day. Password managers are a stick these people lean on, and SPP kicks it away.

 

Justification 3: 'Passwords would hang around in the clipboard'

When anyone copies and pastes, the copied content is kept in a 'clipboard' where it can be pasted as many times as they want. Any software installed on the computer (or any person operating it) has access to the clipboard, and can see what's in there.  Copying anything usually writes over what was already in the clipboard and destroys it. 

Many password managers copy your password to the clipboard so they can paste it into the password box on websites. The possible risk is that an attacker (or malware) will steal your password before it's erased from the clipboard.

Passwords remaining in the clipboard might be more of an issue if you're manually copying and pasting your passwords from a document you have on your computer. You might forget to clear the clipboard. However it's not much of a risk because:

  • Most password managers erase the clipboard as soon as they have pasted your password into the website, and some avoid the clipboard completely by typing in the password with a 'virtual keyboard' instead.
  • The web browser 'Internet Explorer 6' allows evil web pages to copy the clipboard; but very few people in the UK still use IE6 to browse the web.
  • Viruses installed on your computer can have clipboard copiers on them, and grab your pasted passwords. That's still not a good reason for SPP though; when your computer gets infected you can't trust it at all. Viruses and other malware that copy the clipboard nearly always also copy every letter, number and symbol typed on your computer, including your passwords. They would steal your password whether or not it was in the clipboard, so you're not really gaining much by SPP.

Rather than stopping password pasting, help your computers to avoid catching viruses in the first place by following our guidance on securing enterprise IT. And install software updates - the IT version of eating your fruit and veg. It's one of the very best ways of securing your computer.

 

Don't just take our word for it

You don't have to take our word for it that stopping password pasting is bad.  See Troy Hunt's blog (with a History lesson for us all), or this article in Wired

Improve your security by supporting your users.  Let them paste passwords.

 

Sacha B

Sociotechnical Security Researcher

43 comments

Steven Murdoch - 12 Jan 2017
Agreed. This is closely related to the other common practice of setting autocomplete="off" for password fields to disable the browser’s in-built password manager. For similar reasons to those outlined in this post I argued this was a bad idea: www.lightbluetouchpaper.org/2006/04/18/browser-storage-of-passwords-a-risk-or-opportunity/

I think some modern browsers now ignore the autocomplete setting, and instead respect the user’s preference, but it still causes problems with misguided websites.

In fact, as I argue, disabling autocomplete (and copy-and-paste) makes phishing easier because smart password managers bind passwords to web addresses and so creates an obstacle to typing a password for one site into another.
Sacha B - 18 Jan 2017
Dr. M

Hello! Thanks very much for commenting.

We like your idea about autocomplete. Passwords and password management are contentious, sometimes high passion topics. It's great to have such thoughtful contributions as this. Even when we agree with them! ;)
Simon - 16 Jan 2017
The password manager we use allows you to clear the clipboard after a given period if you used the clipboard, a feature that we use, since people accidentally paste passwords (even if IE6 is no longer a worry).

Re: Justification 2 - if people don't know their passwords, and it always auto-fills from the password manager, there is a sporting chance they'll spot phishing attacks (because they won't autofill).
Andrew Parsons - 15 Jun 2017
I agree completely with the comment about spotting phishing attacks. Very few people 'hover' to check that a URL is as it should be. If the URL is wrong, a password manager simply won't respond. So appropriate password managers (with pasting!) are the way ahead.
Phil Sheehan - 16 Jan 2017
It is refreshing when you see an organisation setting out to do the right things with the aim to make life easier for people. You do not normally associate a security organisation with the previous statement but I do like the guidance given by NCSC and they have some excellent articles on their site. This blog article and the NCSC past advice on password change frequency (or rather infrequency) is spot on and is an acceptance of the reality of today’s burden on users.
I would like to congratulate the NCSC on their service and on their site generally and specifically for applying some common sense and pragmatism to established practices that fall into the category “Oh, but we have always done it that way”. Well done and thank you and perhaps we can get some support for the thought that Security and convenience is not an oxymoron!
BEN - 18 Jan 2017
The reason SPP came about is because it promoted the writing down and storing of passwords which at the time usually meant in unprotected documents with names like ‘passwords.doc’.
The use of a password manager is what your whole article hinges on, hell it’s so intrinsic to your argument you’ve even had to add a disclaimer in your ‘for’ removal of SPP that password managers are ‘not a silver bullet to solve all of an organisation's password problems’.
Forget brute force, not remembering passwords and even the clipboard the security risk of removing SPP will be a perception that wiring down passwords is acceptable and an increase in the number of the general public storing them in unprotected files.
While titles like ‘Let them paste passwords’ are eye catching this has to be backed up with serious promotion of the general use of secure credential storage solutions.
Sacha B - 23 Jan 2017
BEN, Hi and thanks! You've hit the nail on the head about storage. We absolutely definitely approve of and encourage storage to be matched to the importance of the passwords you're storing: the more sensitive the passwords, the stronger their protections should be Helping users to store their passwords is on of our top seven passwords tips for organisations. See it in our Password Guidance (link is in the blog post or at https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach).
Christopher - 18 May 2017
If you think that they are not storing passwords in an insecure file whether you let them paste or not, you are not living in reality. At least in a file, the file should be on an encrypted disk behind a session login. If they can paste the password, they have an incentive to store it electronically. Without the ability to paste, they are just as likely to write it on a sticky note.
Max Vasilyev - 21 Jan 2017
Well, this is just talk. How about start fixing *.gov.uk services so they accept password from password manager? Let's start from passport application one: passportapplication.service.gov.uk ips-olc gs10_01.form
Jeff Sergeant - 14 Feb 2017
Check out the OWASP Application Security Verification Standard 2.7 "Verify password entry fields allow, or encourage, the use of passphrases, and do not prevent password managers, long passphrases or highly complex passwords being entered."

Maybe we should explicitly say "don't stop people pasting passwords" . A reference to a recognised comprehensive standard would be helpful!
Toby Newbatt - 15 Feb 2017
Great advice and an interesting topic! Also consider using 2FA as an additional step to protect the key single password in password managers and critical systems.
Tariq Rashid - 16 Feb 2017
I think the practice came from new account setup when pasting your pass into the verify field risked locking yourself out if you pasted the wrong pass.

Account setup is different to account login.
Frederik Vanhoutte - 17 Feb 2017
I wonder if this practice didn't start with a practical concern during registration or signup. I create an account, hidden type my password of choice and copy-paste it in the password confirmation window.
However, I made a(n invisible) typo and effectively created an account with a password unknown to me. "Recover password", etc...
Solution, disable copy-paste and force typing it twice.
Paul Moore - 18 Feb 2017
Hi Sacha

I know we're supposed to be debating this later, but until such time, here's my 2c.
paul.reviews/dont-let-them-paste-passwords/

TL;DR - There are perfectly legitimate reasons to disable paste, including increasing security.

Thanks,

Paul
DESMOND BOKSAN-CULLEN - 24 Feb 2017
One aspect many forget is that disabled users are often dependent on password manager software especially visually impaired,dyslexic (such as mysel) and those using eye flicker etc to control their computer. Using password managers with copy paste allows usders to have random and very long passwords like 20 digits or more, try to remember such long passwords would be very difficult
glenn tripp - 26 Feb 2017
Short story - notify someone pasting is blocked / prevented. If the site needs super security do that.
Jim Holmes - 27 Feb 2017
Tell TFL about this! On their password change page, they allow a password manager to paste into the first field but not into the confirmation field. I discovered this because they were affected by Cloudbleed so I smugly set about using Dashlane to change passwords quickly, only to be thwarted by this one. Oh, and their validation regexp doesn't allow some perfectly legit special chars, e.g., brace brackets.
Desmond Boksan-Cullen - 01 Mar 2017
My final previous point about using very long password being greatly aided by using a paste from password management software is that long passwords makes hackers' work harder. My windows password is 26 digits and my banking one is over that. Why forms etc on the Web talk about security but accept six digit passwords is beyond me.
Matthew Atkinson - 21 Mar 2017
Came here to mention TFL (part of the same Government as NCSC) but Jim Holmes has beaten me to it.

Exactly as Jim said, I went to account.tfl.gov.uk and had to manually type my 32 character strong password into the second box. I got it right luckily, but I could easily have just given up and put in a simple password.

Please bring them up to date and stop this restrictive practice.
Igor - 18 May 2017
Ha, I was signing up into home security software today and they didn't let me to paste password, so instead of the very long, random generated password, I choose to opt in with the weak one that I can easily type. I agree this reduces security.
John Woodward - 18 May 2017
Great Article. Preventing password pasting drives me crazy. If you are on a Mac, I have 2 apps that work around this. PW Master is a password manager that allows for typing passwords. Paste Master is a clipboard manager that allows for typing text clipboards.
BihtSift - 18 May 2017
Development tools always enable me to get around these form fields anyway by allowing me to paste in my password directly into the html.

Unrelated but related, dev tools are great to get rid of walled garden prompts or annoying ads (assuming the main content has already been downloaded)
Darryl Leckenby - 18 May 2017
Preventing copy and paste guarantees that a keylogger would reveal your password. Just a thought on where copy and paste has a useful application in the login form scenario.
Steve Slade - 18 May 2017
I think it is a wrong assumption to make about "remembering different passwords" being too difficult.

If we educate people into using a password pattern and "seed" approach, you can have unique and memorable passwords for every site.

For example. Your seed password might be
"TortoiSe" note the cap letter.

Your pattern might then be. Take the 1st and 3rd letter of the site name. Add it to the start and end. Also the number 65 (best to choose a memorable number for personal reasons)

Your password for Facebook would then be:
ftortoiSec65

For Gmail it would be
GtortoiSea65

This is a pretty simplified example, you might opt to add in a few non alphanumerics for added complexity.

You don't need to remember the passwords, just your pattern and seed. Once you have used it a few times, it becomes second nature.

It is also important to educate people at an early age to get them used to thinking about security and how to think about passwords.
Sacha B - 25 May 2017
Two contrasting approaches are to try to make people fit in with the 'system' better, or to try to make the 'system' fit in with people better. Your scheme could help some people. However, we believe that the greatest gains in useful security are possible if we do more of adapting the system and less of adapting the people.
Grom moss - 18 May 2017
One additional point is that copy/paste stops keyloggers from capturing your password
Linus - 18 May 2017
I strongly disagree with your reasoning around justification 3; it's much easier for anti-malware to detect malicious keyboard hooks than to detect malicious clipboard reading. One tends to not handle passwords in regular old character pointers for a reason and all that work goes out the Windows when you store it in the clipboard instead.

While I can buy with your overall point that disallowing pasting of passwords is on average worse for usability than allowing it is for security I feel your reasoning is questionable.
Cb - 18 May 2017
When using a password with auto-type, you can sometimes change the autotype sequence to type your new password (or even twice with TAB inbetween) and not worry about the pasting thing. Works well in keepass for example.
Fernando - 18 May 2017
Congratulatios by your post.
Its really interesting
Wade Mealing - 19 May 2017
Reason #1 is absolutely incorrect, brute force passwords wouldn't result to pasting, that is far too slow, direct form submission for bruteforce is only the -first step- to feasible brute forcing in most cases. No sane attacker uses pasted brute force passwords.
Pattiyahoo - 19 May 2017
Should I change my passwordpattigibson
Sacha B - 25 May 2017
If your password is "pattigibson" then yes, probably!
Andrew - 19 May 2017
Security works in layers - like a castle with a moat, open field, etc. A key 'real world' aspect of security is the presence of the authorized person. An added layer is independent validation - a government issued id card. A different layer is a witness.
Similarly multi factor authentication - what you know, what you have, what you are - works in layers. A password is linked to an identifier and is intended to show what you know.
Stopping pasting is intended to increase the probability that a person who knows the password is present at the time it is entered.
Sacha B - 25 May 2017
Multi-factor authentication is very important, but also very difficult to do well. We're thinking hard about it. Watch this space!
Adam - 19 May 2017
Awesome. While fixing this how about fixing the obfuscated password field? When was the last time you had somebody lurking over your shoulder while you typed your password or logged into anything sensitive for that matter?

All of these practices encourage people to have weak passwords.
Sacha B - 25 May 2017
We're always interested to hear about security and usability issues. Please keep them coming in!
LMH - 19 May 2017
Allowing a website to disable a user's ability to control their own software is frankly something that no browser should permit in the first place. Thankfully tools like greasemonkey can wrest back control and make clipboard restrictions completely ineffective, but I'm hopeful that someday browsers will just automatically ignore these inane limitations just like lovely <blink> tags.
m-p{3} - 19 May 2017
Thankfully I can use the auto-type feature to counter-those paste-less fields.
Sensitive data pasted from my clipboard - 19 May 2017
When you sign up for an account, making the user type their new password twice helps them remember it. Allowing them to paste will increase the number of forgotten passwords. However, having a checkbox which will allow the user to reveal their new password is more effective. This is only relevant to the signing up form and disabling paste on a login form has no logical purpose.
ana - 30 Jun 2017
It depends on the greatest perceived threat vetor/s:
. physical/domestic/local/line-of-sight => keep passwords locked-down in a locked-down account
. remote/drive-by credential collection/exfiltrate-and-run => physical-world record and all entry by hand
. long-term local digital security breach => oops!
. physhing => automated warnings should sound (& email clients should not allow click-through when a link doesn't pass a live security certificate check of authenticity)

also, perhaps consider the signature analogue - it's the way that it's written, not what is written, that counts: identical content is usual, but absolutely identical is a forgery; is password typing rhythm a clue? Perhaps a <website> should give the user the password, and the way that it's entered should be the key? just thinking out-loud...

anyway, interesting, tl;dr = it depends...
Jobst - 28 Jul 2017
Part of my job is to look after a questionnaire/assessment website. The questionnaires/assessments are filled out by people of all ages, jobs and education ... there are many, many people who (yes even these days!) are not capable users of computers.
I learned very early (as in many, many years back) that I have to make it easy for users entering their usernames and passwords, otherwise we would be on the phone for half a day to help these people.
Also, copying and pasting username/passwords clearly helps "typing" them in correctly reducing the calls of "I am 100% sure I typed my password correctly" although you could see in the logging mechanisms they did not.
I see it this way: While we need to educate people to have good security developers need to adapt to users, we need to meet half way. If I cannot tell a person to use a password manager I can tell them to use something similar to @Steve Slade's approach - which I have done for many years. Most people I explain that approach you can see their eyes lighting up "what a great idea, thank you".
Don't try to bash something into them (aka no pasting, 100character passwords) but rather help them to develop and learn.
Mark Scott - 10 Aug 2017
I'm having a discussion with Plusnet about this. Their mobile phone signup process misguidedly mandates the allowable password character set and disables pasting.
Passwords are supposed to be a shared secret, not a test of the user's memory or keyboard skills.
Rachel - 05 Oct 2017
If you allow copy and paste, why bother requesting double entry of the password at all?

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No