[MRSallee]

I doubt that the motivation for preventing paste in a "confirm password" context is to prevent workarounds to character limits.

Why does the "confirm password" field exist anyway? It exists to remove the risk of input error. They want to avoid you locking into a mistyped password and not being able to recover. To this end, it makes some sense to prevent copy/paste, as a user may simply copy their mistyped password and paste it into the confirmation field. Especially risky if the input fields are obfuscated with placeholder characters (*).

Not to argue that it's the right answer, it certainly makes more sense than a heavy-handed enforcement of character limits.

[DavidSJ]

I often use copy/paste to prevent typing errors. I save the password in some keychain software, then I copy/paste the password from that software into one of the password fields, and type it myself into the other.

[mankyd]

Yes, I am the same, but there's [at least] two different types of users here. I use a password generator + manager. I never type a password, so I never mis-type a password.

My father, on the other hand, hunts and pecks and I can't get him to use a manager despite my best protestations. Having to retype his password certainly avoids mis-types on his part, even if it encourages other bad behaviors in the process.

[okletsgoyayok]

> despite my best protestations

Is it Dickens that you're currently reading?

[foxylad]

This raises the interesting question of why we obscure the input when changing passwords. Showing the new password would allow people to check and correct it, so you'd only need one input.

Given that the contents of a password input can easily be revealed, the only security obscuring the input provides is from an attacker who can see the screen but not the keyboard, and has no physical access to the device - a pretty limited threat pool.

I guess the answer is that users expect passwords to be hidden. So we make their lives more difficult purely to keep them happy.

[Frank2312]

IE/Edge have at least one thing good about them : you can click on a little eye icon to the right of the obfuscated field to reveal the text in the field until you release the mouse button.

[a13xb]

I think the original intent of obscuring input password is to counter shoulder surfing.

[kevincox]

Showing the password can be nice in situations but I doubt I would catch most typos but re-reading my password. My eyes often see what my brain expects to see.

[GigabyteCoin]

>Why does the "confirm password" field exist anyway? It exists to remove the risk of input error. They want to avoid you locking into a mistyped password and not being able to recover.

It seems silly to force everybody to doubly enter their password, when I'd guess at most ~10% of people might enter an incorrect password on their first try at which point those unfortunate ones are only a few minutes away from a password reset... where they would be sure to get the password right that second time.

[derekdahmer]

I don't think thats right because browsers have always prevented password fields from being copied.

[davidwhodge]

Requiring input twice as input validation has a fair amount of use already, like with email addresses, so it doesn't seem super unreasonable to think that's a motivation for this limitation.

Also, while it sounds silly, disabling copy doesn't mean a user can't type the PW somewhere else and paste it in. I've totally done that before and suspect it's not super uncommon.