Blog post

Let them paste passwords

Created:  12 Jan 2017
Updated:  12 Jan 2017
Author:  Sacha B
Copy paste wall code

One of the things people often tweet to us @ncsc are examples of websites which prevent you pasting in a password. Why do websites do this? The debate has raged - with most commentators raging how annoying it is.

So why do organisations do this? Often no reason is given, but when one is, that reason is 'security'. The NCSC don't think the reasons add up. We think that stopping password pasting (or SPP) is a bad thing that reduces security. We think customers should be allowed to paste their passwords into forms, and that it improves security.


No one knows where it came from

It is a mystery where SPP came from. No one has pointed to a paper, a rule, an RFC (a technical standards document to plan how the Internet should work) or anything else that started it off. If you know of one, let us know using the comments form below. We believe it's one of those 'best practice' ideas that has a common sense instant appeal that may have made sense once. Considering the bigger picture today, it really doesn't make sense. 


So why is password pasting a good thing?

The main reason why password pasting improves security is because it helps to reduce password overload, something that we cover in our Password Guidance. Allowing the pasting of passwords makes web forms work well with password managers. Password managers are software (or services) that choose, store and enter passwords into online forms for you. Password managers are very useful because they:

  • make it much easier to have different passwords for each website site you use
  • improve your productivity and reduce frustration by preventing typing errors during logins
  • make it simple to use long, complex passwords

Disclaimer: although password managers can offer better protection than - for example - keeping your passwords in a normal (and so unprotected) document on your computer, they are not a silver bullet to solve all of an organisation's password problems. We'll write more in a future blogpost about things to consider when picking a password manager.

Imagine if you didn't have a password manager, or even that unprotected document on your computer with your passwords in it. Without password managers, it would be pretty much impossible to remember all your passwords. To cope without them you'd have to do some of these bad things:

  • re-use the same passwords on different websites
  • choose very simple (and so easy to guess) passwords
  • write passwords down in places that are easy to find (like post-it notes next to the screen)

This is why we think SPP is bad, and allowing password pasting is good. The pros outweigh the cons, and by a lot.


Why stopping password pasting (SPP) is wrong

There are other reasons that are used to justify SPP. The small and misleading grain of truth in these reasons can sound very persuasive. Here's why they're wrong.


Justification 1: 'Password pasting allows brute force attacks'

If password pasting is allowed, that represents a vulnerability where malicious software or web pages could repeatedly paste password guesses into the password box until they break your password.

This is true, but it's also true that there are other ways to make guesses (for example through an API) that are just as easy for attackers to set up, but are much faster at guessing. The risk of brute force attacks using copy and paste is very small. 


Justification 2: 'Pasting passwords makes them easier to forget, because you have fewer chances to practise them'.

It's true  - in principle - that the more times you recall something, the easier it is next time.

In the real world though, people are made to have passwords for things that they hardly ever use. This means there isn't enough time to practise, and therefore little chance of remembering. This whole justification only works if you assume, to begin with, that users should always have to try and remember their passwords - and that's not always true.

People are also made to have passwords for things they use so often they couldn't forget the password even if they wanted to (which is quite inconvenient if you're forced to change the password regularly), and typing in the rotten thing again and again eats into their day. Password managers are a stick these people lean on, and SPP kicks it away.


Justification 3: 'Passwords would hang around in the clipboard'

When anyone copies and pastes, the copied content is kept in a 'clipboard' where it can be pasted as many times as they want. Any software installed on the computer (or any person operating it) has access to the clipboard, and can see what's in there.  Copying anything usually writes over what was already in the clipboard and destroys it. 

Many password managers copy your password to the clipboard so they can paste it into the password box on websites. The possible risk is that an attacker (or malware) will steal your password before it's erased from the clipboard.

Passwords remaining in the clipboard might be more of an issue if you're manually copying and pasting your passwords from a document you have on your computer. You might forget to clear the clipboard. However it's not much of a risk because:

  • Most password managers erase the clipboard as soon as they have pasted your password into the website, and some avoid the clipboard completely by typing in the password with a 'virtual keyboard' instead.
  • The web browser 'Internet Explorer 6' allows evil web pages to copy the clipboard; but very few people in the UK still use IE6 to browse the web.
  • Viruses installed on your computer can have clipboard copiers on them, and grab your pasted passwords. That's still not a good reason for SPP though; when your computer gets infected you can't trust it at all. Viruses and other malware that copy the clipboard nearly always also copy every letter, number and symbol typed on your computer, including your passwords. They would steal your password whether or not it was in the clipboard, so you're not really gaining much by SPP.

Rather than stopping password pasting, help your computers to avoid catching viruses in the first place by following our guidance on securing enterprise IT. And install software updates - the IT version of eating your fruit and veg. It's one of the very best ways of securing your computer.


Don't just take our word for it

You don't have to take our word for it that stopping password pasting is bad.  See Troy Hunt's blog (with a History lesson for us all), or this article in Wired

Improve your security by supporting your users.  Let them paste passwords.


Sacha B

Sociotechnical Security Researcher


Steven Murdoch - 12 Jan 2017
Agreed. This is closely related to the other common practice of setting autocomplete="off" for password fields to disable the browser’s in-built password manager. For similar reasons to those outlined in this post I argued this was a bad idea: I think some modern browsers now ignore the autocomplete setting, and instead respect the user’s preference, but it still causes problems with misguided websites. In fact, as I argue, disabling autocomplete (and copy-and-paste) makes phishing easier because smart password managers bind passwords to web addresses and so creates an obstacle to typing a password for one site into another.
Sacha B - 18 Jan 2017
Dr. M Hello! Thanks very much for commenting. We like your idea about autocomplete. Passwords and password management are contentious, sometimes high passion topics. It's great to have such thoughtful contributions as this. Even when we agree with them! ;)
Simon - 16 Jan 2017
The password manager we use allows you to clear the clipboard after a given period if you used the clipboard, a feature that we use, since people accidentally paste passwords (even if IE6 is no longer a worry). Re: Justification 2 - if people don't know their passwords, and it always auto-fills from the password manager, there is a sporting chance they'll spot phishing attacks (because they won't autofill).
Phil Sheehan - 16 Jan 2017
It is refreshing when you see an organisation setting out to do the right things with the aim to make life easier for people. You do not normally associate a security organisation with the previous statement but I do like the guidance given by NCSC and they have some excellent articles on their site. This blog article and the NCSC past advice on password change frequency (or rather infrequency) is spot on and is an acceptance of the reality of today’s burden on users. I would like to congratulate the NCSC on their service and on their site generally and specifically for applying some common sense and pragmatism to established practices that fall into the category “Oh, but we have always done it that way”. Well done and thank you and perhaps we can get some support for the thought that Security and convenience is not an oxymoron!
BEN - 18 Jan 2017
The reason SPP came about is because it promoted the writing down and storing of passwords which at the time usually meant in unprotected documents with names like ‘passwords.doc’. The use of a password manager is what your whole article hinges on, hell it’s so intrinsic to your argument you’ve even had to add a disclaimer in your ‘for’ removal of SPP that password managers are ‘not a silver bullet to solve all of an organisation's password problems’. Forget brute force, not remembering passwords and even the clipboard the security risk of removing SPP will be a perception that wiring down passwords is acceptable and an increase in the number of the general public storing them in unprotected files. While titles like ‘Let them paste passwords’ are eye catching this has to be backed up with serious promotion of the general use of secure credential storage solutions.
Sacha B - 23 Jan 2017
BEN, Hi and thanks! You've hit the nail on the head about storage. We absolutely definitely approve of and encourage storage to be matched to the importance of the passwords you're storing: the more sensitive the passwords, the stronger their protections should be Helping users to store their passwords is on of our top seven passwords tips for organisations. See it in our Password Guidance (link is in the blog post or at
Max Vasilyev - 21 Jan 2017
Well, this is just talk. How about start fixing * services so they accept password from password manager? Let's start from passport application one: ips-olc gs10_01.form
Jeff Sergeant - 14 Feb 2017
Check out the OWASP Application Security Verification Standard 2.7 "Verify password entry fields allow, or encourage, the use of passphrases, and do not prevent password managers, long passphrases or highly complex passwords being entered." Maybe we should explicitly say "don't stop people pasting passwords" . A reference to a recognised comprehensive standard would be helpful!
Toby Newbatt - 15 Feb 2017
Great advice and an interesting topic! Also consider using 2FA as an additional step to protect the key single password in password managers and critical systems.
Tariq Rashid - 16 Feb 2017
I think the practice came from new account setup when pasting your pass into the verify field risked locking yourself out if you pasted the wrong pass. Account setup is different to account login.
Frederik Vanhoutte - 17 Feb 2017
I wonder if this practice didn't start with a practical concern during registration or signup. I create an account, hidden type my password of choice and copy-paste it in the password confirmation window. However, I made a(n invisible) typo and effectively created an account with a password unknown to me. "Recover password", etc... Solution, disable copy-paste and force typing it twice.
Paul Moore - 18 Feb 2017
Hi Sacha I know we're supposed to be debating this later, but until such time, here's my 2c. TL;DR - There are perfectly legitimate reasons to disable paste, including increasing security. Thanks, Paul
One aspect many forget is that disabled users are often dependent on password manager software especially visually impaired,dyslexic (such as mysel) and those using eye flicker etc to control their computer. Using password managers with copy paste allows usders to have random and very long passwords like 20 digits or more, try to remember such long passwords would be very difficult
glenn tripp - 26 Feb 2017
Short story - notify someone pasting is blocked / prevented. If the site needs super security do that.
Jim Holmes - 27 Feb 2017
Tell TFL about this! On their password change page, they allow a password manager to paste into the first field but not into the confirmation field. I discovered this because they were affected by Cloudbleed so I smugly set about using Dashlane to change passwords quickly, only to be thwarted by this one. Oh, and their validation regexp doesn't allow some perfectly legit special chars, e.g., brace brackets.
Desmond Boksan-Cullen - 01 Mar 2017
My final previous point about using very long password being greatly aided by using a paste from password management software is that long passwords makes hackers' work harder. My windows password is 26 digits and my banking one is over that. Why forms etc on the Web talk about security but accept six digit passwords is beyond me.
Matthew Atkinson - 21 Mar 2017
Came here to mention TFL (part of the same Government as NCSC) but Jim Holmes has beaten me to it. Exactly as Jim said, I went to and had to manually type my 32 character strong password into the second box. I got it right luckily, but I could easily have just given up and put in a simple password. Please bring them up to date and stop this restrictive practice.

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No