In an ideal world, hopefully sometime in the near future, we will never need to create or remember passwords.
Until then, we need to be aware of the fact that weak passwords can be easier to hack.
Paste Password, Let them
When you stumble on websites, especially the "security-conscious" ones, that stop you from pasting passwords, you know they are irritating and idiotic.
Making password entry difficult is like attempting weight loss by eating bland food. It's not the flavour that makes you fat. There is this perception that something delicious can't be good for a diet. People have this notion that to lose weight, there must be penance. An element of punishing oneself for past transgressions seems essential.
Security people have the same mindset. Security must be a hassle. It must be in your face. It has to be onerous. A challenge. A hurdle to get past.
Often the slickest, most hassle-free approach is the most secure.
Allow your website to accept pasted passwords - it makes your site more secure, not less.
The main reason password pasting improves security is that it helps reduce password overload. Allowing passwords to be pasted makes web forms work well with password managers. Password managers are software (or services) that choose, store and enter passwords into online forms for you.
The idea of a website that does not allow you to paste passwords feels largely unmotivated, and dangerous. Somebody decides that disallowing paste is a good idea so that people have to type a password twice and therefore can't make typos. But this prevents the use of password managers, which are a good idea. Blocking paste is a very old practice that some people thought sensible in the past, but I don't think it has been considered good practice since... 2005?
Password managers are very useful because they:
- make it much easier to have a different password for each website you use
- improve your productivity and reduce frustration by preventing typing errors during logins
- make it simple to use long, complex passwords
Here is a very good article by the security expert Troy Hunt, The “Cobra Effect” that is disabling paste on password fields, which explains in detail why websites should stop disabling password pasting.
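As an added example (not from the original post or from Troy Hunt's article), here is a small audit that scans form markup for password fields that block pasting with inline handlers or that carry no password-manager hint. The sample markup is constructed; the function only inspects markup, so handlers attached from scripts are out of its reach.

```javascript
// Added example: flag password <input> markup that fights password managers.
// SAMPLE_HTML is constructed for this example, not taken from any real site.
const SAMPLE_HTML = `
<form>
  <input type="password" name="pw" onpaste="return false" autocomplete="off">
  <input type="password" name="confirm" autocomplete="new-password">
  <input type="text" name="user" autocomplete="username">
</form>`;

// Inline handlers that swallow paste/drop events; the classic anti-pattern.
const PASTE_BLOCKERS = [
  /\bonpaste\s*=\s*["']?\s*return\s+false/i,
  /\bondrop\s*=\s*["']?\s*return\s+false/i,
];

// Returns one finding per password input: { name, issues[] }.
// An empty issues array means the field is paste- and manager-friendly,
// like <input type="password" autocomplete="current-password">.
function auditPasswordInputs(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if (!/\btype\s*=\s*["']?password\b/i.test(tag)) continue;
    const name = (tag.match(/\bname\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || '(unnamed)';
    const issues = [];
    if (PASTE_BLOCKERS.some((re) => re.test(tag))) {
      issues.push('paste blocked via inline handler');
    }
    const ac = (tag.match(/\bautocomplete\s*=\s*["']?([^"'\s>]+)/i) || [])[1];
    if (!ac || ac.toLowerCase() === 'off') {
      issues.push('no autocomplete hint (use current-password or new-password)');
    }
    findings.push({ name, issues });
  }
  return findings;
}

for (const f of auditPasswordInputs(SAMPLE_HTML)) {
  console.log(f.name, f.issues.length ? f.issues.join('; ') : 'ok');
}
```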
Forced periodic password rotation is another very old idea that was once recommended, because a leak of password hashes was considered likely, passwords were stored in plaintext or with weak hashes, and reuse was frequent.
Nowadays it is no longer recommended: unless there has been a known leak, if the password is properly salted and hashed, has reasonable complexity, and hasn't been reused, there is no need for rotation.
Let’s hope that the new world of passwordless login makes real progress in the next few years. Passkeys from the FIDO Alliance, backed by the likes of Google, Microsoft and Apple, are the way forward.
- Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements (pdf)
- NIST Password Guidelines describes a password that meets the requirements set out in the National Institute of Standards and Technology’s Digital Identity Guidelines.
- Dumb Password Rules has a list of websites with, well, dumb password rules.
- Apple WWDC 2022 Developer Focused Talk on Passkeys.
A passkey is a digital credential used as an authentication method for a website or application. The passkeys standard is a type of passwordless authentication, promoted by the World Wide Web Consortium and the FIDO Alliance. Passkeys are often stored by the operating system or web browser and synchronized between devices from the same ecosystem using the cloud; however, they can also be confined to a single device such as a physical security key.