[alvarosevilla95]

Please correct me if I'm wrong, as this is all conjecture.

I feel passwords used to be thought of as a combination of characters that you keep in your head, and should only leave your head when being entered in a password field. Preventing paste discourages storing your password in a file called passwords.txt, and accidentally pasting it somewhere else as well.

Of course, we now understand passwords should have some qualities (larger alphabet, avoid common words/phrases as your passwords) which go against ease of remembering, so we now use passwords managers and other tools.

So this behaviour is probably and old common practice that most people used without knowing why and that's why we still see it even if its outdated and harms security in the end

[lilei]

You are largely correct.

Passwords operate under the principle "something you know". (Unfortunately operating under this principle on the Internet is quite hard, but that's a different story). When you save passwords somewhere it's no longer with the assumption of being just "something you know", but more "something you have". Of course passwords are even less apt as "something you have", because they are hard to secure, both in storage and in use.

Nothing has fundamentally changed. That people can't imagine why someone would want to keep passwords "something you know" is because they don't understand they theory behind passwords. A password manager might seem like a solution, but in reality what you're getting is the worst of both worlds. You don't get the security of "something you have", like a key that can be stored in hardware and verified with disclosing it to the host. Nor do you get the flexibility, at least not as a user, of "something you know".

I actually think it would be a great idea to block password managers and offer an alternative protocol for authentication. That way if they want to keep their users they would have to implement that protocol. Suddenly you would have quite a lot of users using something more secure.

(just a random text on the subject: https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeopl...)

[Santosh83]

Could be, but it's flawed reasoning anyway. Preventing copy/paste won't prevent people from storing their passwords in passwords.txt.

Nobody other than those who use very simple, high risk passwords can remember them all. It has to be stored somewhere. Preventing copy/paste seems like a completely useless step (security wise) that only causes unnecessary bother.

[WorldMaker]

Also, depending on threat model, a passwords.txt clear text file can be perfectly cromulent security that is better than many alternatives (password reuse, weak passwords). It's not going to stop people with physical access to your machine or attackers specifically targeting you looking for weaknesses in your documents. But vulnerability to some threat models is not vulnerability to all of them and it's okay to take a security stance with known vulnerabilities.

Similarly with Post-It Notes and physical written Notebooks of passwords. If your threat model isn't concerned about people with physical access to those notes, and you are comfortable with the physical security of those notes, that can be perfectly acceptable for you, and an overall better security stance from bad passwords.

"Don't write down your passwords", has always been bad advice, from that perspective. "If you write down your passwords, keep them safe" is slightly more accurate.

[raesene6]

The idea of passwords being something you remembered, died out when we started to see a proliferation of systems needing passwords for authentication.

Humans (in general there are some exceptions) aren't very good at remembering large numbers of arbitrary long random strings.

So using a password safe and then copy/pasting into the relevant dialog is likely to be a better option than relying on human memory (which inevitably means for most people using the same password in many places)