Dear people who make websites,

Do you ever block your users from being able to paste into a text field?

Why?

Do you need this ability for a good reason? What’s that reason?

Or, as a user, would you like to see it go away? Perhaps you encounter sites that prevent you from pasting your super complex password from your password manager into a password field, and wonder why they can do so?

What might be the downside of removing support for disallowing pasting from the web?

@jensimmons
The only time it has saved me is when a site asked for my password twice. I usually copy and paste it from the first. But this time I'd made a typo. Retyping it helped me validate I'd got it right.

But that's about the only time it has ever been useful for me.

@Edent @jensimmons but if the password manager is generating them for you, you should never need to type them and make a typo...

@ben @Edent @jensimmons
There's a good argument that copy-pasting the password is insecure, as many OSes let all running apps read the clipboard, and some even keep a clipboard contents history.

@Br3nda @ben @Edent @jensimmons

This is only true, aiui, for Windows.

In *nix OSes, everything runs as a specific user. While I am logged in, apps I start up run as me, and only apps running as me have a chance to see my clipboard.

On Linux OSes using Wayland, there is a further wrinkle: the compositor is the only thing which can read from my clipboard.

So for something malicious to happen it has to

a. already be in the OS,
b. be running as me,
c. and be recognized by the compositor.

1/

@amgine @Br3nda @ben @Edent @jensimmons also password managers can use the MIME type x-kde-passwordManagerHint to make clipboard managers that respect it not save the password to history