Email or username:

Password:

Forgot your password?
Jen Simmons

Dear people who make websites,

Do you ever block your users from being able to paste into a text field?

Why?

Do you need this ability for a good reason? What’s that reason?

Or, as a user, would you like to see it go away? Perhaps you encounter sites that prevent you from pasting your super complex password from your password manager into a password field, and wonder why they can do so?

What might be the downside of removing support of disallowing pasting from the web?

38 comments
bunnyhero+

@jensimmons as a user i hate when sites disable paste

RustyBertrand

@bunnyhero @jensimmons
So many now have disabled copy. Twitter can disable screenshots.

Like when you physically push the vol and off button. It knows.

Terence Eden

@jensimmons
The only time it has saved me is when a site asked for my password twice. I usually copy and paste it from the first. But this time I'd made a typo. Retyping it helped me validate I'd got it right.

But that's about the only time it has ever been useful for me.

Ben Hardill

@Edent @jensimmons but if the password manager is generating them for you, you should never need to type them and make a typo...

Jonathan Wight

@jensimmons please please save us from this nightmare.

Dan Dean

@jensimmons This hit me last week, turning a simple password entry task into spending about 10 minutes typing and re-typing a very complex password. I would LOVE to see the ability to block paste disabled at the platform level.

Philip Mallegol-Hansen

@jensimmons I've seen it a few times as a user (Not recently, but 5 - 10 years ago) on high value sites (I.e., banking).

I've never actually heard from anyone who implements this, why they do so. I assume it's a misguided notion of protecting the end user.

Absolutely not a fan.

sam henri gold

@jensimmons My old school's SSO page blocked pasting in password fields, which is a big reason why I started using 1Password since it mimics typing. It didn't make anyone more secure, it just punished strong passwords.

I am now out of school but I will die holding this grudge for making me type a 20 character random string every time I wanted to check my email.

BeerIsGood

@jensimmons
One of the most annoying restrictions. Closely followed by incorrectly set fields so that Safari does not offer autofill.

mark dorison

@jensimmons Please help make this go away. The blocking of pasting in a password field drives me nuts.

Jeremy Elbourn

@jensimmons I've seen people do this on confirmation fields. E.g., enter your account number a second time to make sure you didn't mistype it the first time. They want to prevent paste to prevent anyone from propagating a typo in the first field.

I suspect that, in reality, a user that's sophisticated enough to copy-and-paste is sophisticated enough to be pasting the value from the source of truth anyway.

Ste Grainer

@jensimmons it’s almost always the username and/or password field on login screens, and the whole argument that it’s for better security is bosh. It prevents users from effectively using password managers.

Aaron Gustafson

@jensimmons As a user, I find this UX incredibly hostile. As someone who uses a password management tool, I create & maintain my passwords elsewhere and when I need to manually type a random 20+ character password rather than pasting it in, it's incredibly frustrating, especially on mobile where special symbols are harder to find. And of course the fields are masked as well, so double frustrating.

cayleyh

@jensimmons the only case I’ve found that I don’t hate is a delete confirmation where you type something to prove you’re paying attention, and only then when it’s something short like “DELETE”

cayleyh

@jensimmons and even for this use case there are better UI alternatives (though they take more time and care to build)

Jonas Wisser

@jensimmons As a user, I would LOVE to see that "feature" go away.

Gemini6Ice

@jensimmons the only use I can think of is something entered twice to ensure accuracy. Without paste-blocking, people will copy from the first girls (possibly with typos) into the second field, and the typo will be considered a match.

Entering the information manually (twice) reduces the risk of typoed data not getting caught.

There are few fields where this would be important, imo

Fedor Indutny

@jensimmons I would love to see it go away as a user.

Sindarina, Edge Case Detective

@jensimmons Oh, please, I would absolutely LOVE it if that got removed. And while you're at it, please also remove the ability to meddle with copying selected text.

The user locally selects text, and the developer should not be allowed to change what ends up on the clipboard without the user's consent.

Paul Shryock

@jensimmons disabling copy/paste in a data entry form is the actual worst.

Dayton Lowell

@jensimmons As a web developer, no I don't ever do that. As a users it's very frustrating when you can't paste in a password field.

Ryan

@jensimmons Absolutely cannot stand this behaviour. Thankfully extensions can prevent it.

ppk 🇪🇺

@jensimmons To broaden this discussion and give you feedback you didn't ask for ...

I sometimes wonder if we should have a 'Turn off JavaScript' option in the context menu - possibly even suppressing event handlers on a per-element basis.

That would be very useful in a lot of circumstances, including this one.

mark

@ppk @jensimmons

That used to be a feature on the developer menus of several browsers. Although safari's used to switch it of for every window which occasionally had side effects.
I'm not sure why but it went away a few years ago.
Now you have to get plugins to do the same.

nrk

@jensimmons I've encountered websites that prevent selecting and copying text 😮‍💨

jmorahan

@jensimmons I'd love it if sites would stop doing this, but I don't see how the web as a platform could prevent it, short of removing the possibility to have *any* custom behaviour on paste? which might be a bit more controversial possibly

Ricard Torres

@jensimmons It used to be somewhat useful before password managers to prevent typos. For years now it doesn't seem to make sense disabling pasting though, I never type passwords by hand anymore.

Michael Kranz

@jensimmons I don't ever do that and neither does my team, but I have understood the use case to be when you want someone to confirm their email or password or whatever (whereas they could just copy and paste one with a typo). I think it's mad annoying, tho, which is why I never build forms with that "feature" in them

Keith J Grant

@jensimmons I hate it when paste is disabled. I also hate it when I have to type username, hit enter, then password on a second screen (very rarely doable with a PW manager)

David O'Brien

All I can think of is bots using harvested credentials.

But that wouldn't be a real user agent.

In general, for human users, disallowing paste/password managers is an anti-pattern, and #WCAG 2.2 gives you a very credible #a11y post to nail this to.

@jensimmons

Chuck Munson

@jensimmons I have been a web developer for nearly 30 years and this kind of nonsense has been a plague on usability. Also websites that add code to prevent you from copying and pasting text on the website. I'm simply trying to send people TO your website.

Hidde

@jensimmons maaybe a valid use case of disallowing paste could be in educational tech, eg to prevent cheating in certain cases? (cc @jpzwarte might know?)

Jeroen Zwartepoorte

@hdv @jensimmons I have no personal experience with this, but i know that some educational test applications explicitly want students to enter values themselves by typing, not pasting. Pasting in such scenarios is usually associated with cheating.

Chris Silverman 🌻

@jensimmons I have never, at any point, encountered a scenario where disabling pasting helped me in any way. I always resent it.

I'd go so far as to say that I don't think JavaScript should be allowed to influence the clipboard at all if it weren't for the fact that some code-generating sites have a "copy source" button that's convenient. Like 90% of the times that a site I use does anything with copying/pasting, it's abused.

MickNotMike 🇺🇦🇬🇧🇪🇺🏳️‍🌈🏁

@jensimmons I always presumed this was to prevent a brute force attack, preventing the automation of trying multiple passwords…?

Neil Ross

@jensimmons I have previously shipped a paste block in the "confirm email" field in en effort to prevent email bounces, we had data that showed people pasting and it worked to reduce our missed bookings due to email bounces

Jeff Watkins

@jensimmons @jackbrewster I’ve encountered this a few times and AFTER I’ve stopped swearing creatively at the imagined Web site creator and product manager, I calmly close the tab and go away. They don’t need my business any way.

But I’d love it were Safari to implement a super secret close this tab in flames option.

Go Up