Requiring input twice as input validation has a fair amount of use already, like with email addresses, so it doesn't seem super unreasonable to think that's a motivation for this limitation.
Also, while it sounds silly, disabling copy doesn't mean a user can't type the PW somewhere else and paste it in. I've totally done that before and suspect it's not super uncommon.
Also, while it sounds silly, disabling copy doesn't mean a user can't type the PW somewhere else and paste it in. I've totally done that before and suspect it's not super uncommon.