views: 257

answers: 6

What do you web developers think? Should we disable pasting in masked password boxes in our web applications or not? Could this be a security hole or cause confusion or unwanted results? This is probably a question about user experience and not so much about programming.

+11  A: 

Pasting is OK, IMHO, and is expected. Copying, however, is usually forbidden, with good reason. That is expected now, too. You really just want to go with what most users are familiar with unless you have a really good reason not to.

Lucas Jones
Yikes, my grammar is bad today!
Lucas Jones
+1  A: 

No, don't disable pasting.

Some secure password management applications include support for putting their stored passwords directly into the C&P buffer without ever showing it on screen, and disabling paste would make those applications less useful.

Alnitak
A: 

No, I would not. I frequently paste passwords such as randomly generated ones for resets. I do not think it would be a security risk for the Web application, only that the risk would be inherited by the user.

Daniel A. White
+11  A: 

Pasting is perfectly OK; actually, disabling it can sometimes cause bigger issues. Most users use KeePass or similar applications to store strong passwords.

If you force people to type every time, this can force them to choose weaker passwords.

dr. evil
As an anecdote, sometimes I find sites limiting password length ("Only 6 chars or less") and even the kind of characters ("Only alphanumeric chars"). In general, they are the same...
PhiLho
Oh yeah, I hate that as well; that's so much worse than this, though.
dr. evil
+1  A: 

Allow pasting, but make sure the user notices that whatever he pasted did not fit the max length. I am using KeePass, which autogenerates 10-character passwords for me; it's a mess when my password won't work because the registration only used the first 8 chars, or similar.

Also make sure that the login password boxes have the same max length as the registration password boxes.

Simon Svensson
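An added example, not code from any of the answers above: the usual "disable paste" handler that this thread argues against, next to the approach Simon Svensson describes, which keeps paste enabled but tells the user when the pasted value will be cut to the field's maxlength, and a check that registration and login fields enforce the same limit. The constant, function names and the DOM selector are my own assumptions; the browser wiring at the bottom is skipped when the script runs outside a page.

```javascript
// Assumed site-wide limit; registration and login must agree on it.
const MAX_PASSWORD_LENGTH = 64;

// Anti-pattern from the question: swallow every paste event.
// A password manager that puts the secret on the clipboard without ever
// showing it on screen is useless against a field wired like this.
function blockPaste(event) {
  event.preventDefault();
  return false;
}

// Pure check: would `pasted` be silently truncated by a field with `maxLength`?
// Returns enough detail for the caller to warn the user instead of letting
// the registration store only a prefix of the generated password.
function checkPastedPassword(pasted, maxLength) {
  const truncated = pasted.length > maxLength;
  return {
    truncated,
    accepted: truncated ? pasted.slice(0, maxLength) : pasted,
    droppedChars: truncated ? pasted.length - maxLength : 0,
  };
}

// Second point of the answer: a login field with a shorter maxlength than the
// registration field means long registered passwords can never be entered.
function maxLengthsMatch(registrationMax, loginMax) {
  return registrationMax === loginMax;
}

// Browser wiring (hypothetical selector); not executed under Node.
if (typeof document !== 'undefined') {
  const field = document.querySelector('input[type="password"]');
  if (field) {
    field.maxLength = MAX_PASSWORD_LENGTH;
    // Paste is allowed; we only add a visible warning when it would be cut.
    field.addEventListener('paste', (event) => {
      const pasted = (event.clipboardData || window.clipboardData).getData('text');
      const result = checkPastedPassword(pasted, field.maxLength);
      if (result.truncated) {
        field.setCustomValidity(
          `Pasted password is ${result.droppedChars} characters over the ` +
          `${field.maxLength}-character limit and would be cut.`
        );
        field.reportValidity();
      } else {
        field.setCustomValidity('');
      }
    });
  }
}
```

The warning goes through the field's own validity message rather than an alert, so the browser shows it inline and the paste itself is never blocked; `blockPaste` is included only to show what the thread recommends against.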
A: 

Pasting can only be bad if it causes your database query to fail. Outside of that, everyone else has sane reasons for allowing it. Remote Desktop pisses me off when I can't paste a password because I use KeePass to manage complex passwords. What I'm left doing is leaving the password in plain text on the screen while I type it.

Nazadus