[LINK] Disable clipboard for password input

Paul Bolger pbolger at gmail.com
Mon Jun 30 08:48:12 AEST 2014


My mobile phone company recently redid their website. When I tried to
log in to the new site - using my normal method, copy and paste the
password out of KeepassX - I discovered that they have disabled
clipboard access to the password input field via javascript.

I rang them up and the person on the other end told me that this was
intentional and had been done for security reasons. I asked if he was
aware of anyone else who had taken this step as I had never
encountered it before (actually, I think I may have, but that was back
in the 90s). He named some obscure gaming site.

It seems to be that disabling the pasting of passwords could only
really have a bad effect on security. I can see no mechanical benefit,
a keylogger is going to be just as good at recording a manually keyed
password as a pasted one, and forcing users to key in their password
just about guarantees worse passwords.

Can any linkers think of a reason why doing this would be a good idea?



More information about the Link mailing list