by MichaelGG 5056 days ago
Apparently to prevent paste. Their CheckEnter.js file has:

  function keyDown(a) {
      if (a.keyCode == 86) {
          a.preventDefault()
      }
  }
And that's assigned to onkeydown...

Funny enough, elsewhere in their code, they do explicitly check for Ctrl & V/C.

4 comments
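An added example (not part of the original post or the site's code): the quoted handler run against constructed key events, to show which inputs it actually stops. `fakeKeyEvent`, `SAMPLES`, `evaluate` and `summarize` are hypothetical names, and the event objects are minimal stand-ins for DOM `KeyboardEvent`s.

```javascript
// The handler as quoted in the post (from CheckEnter.js).
function keyDown(a) {
    if (a.keyCode == 86) {
        a.preventDefault();
    }
}

// Constructed stand-in for a DOM keydown event (assumption: only the
// fields the handler could look at are modelled).
function fakeKeyEvent(keyCode, mods = {}) {
    return {
        keyCode,
        ctrlKey: Boolean(mods.ctrl),
        shiftKey: Boolean(mods.shift),
        defaultPrevented: false,
        preventDefault() { this.defaultPrevented = true; },
    };
}

// Constructed sample input: [label, keyCode, modifiers, is it a paste?]
// keyCode 86 is the V key, 45 is Insert, 65 is A.
// Pasting from a menu or by mouse fires no keydown at all, so the
// handler never runs for those and they are not listed here.
const SAMPLES = [
    ["type 'v'",     86, {},              false],
    ["type 'V'",     86, { shift: true }, false],
    ["Ctrl+V",       86, { ctrl: true },  true],
    ["Shift+Insert", 45, { shift: true }, true],
    ["type 'a'",     65, {},              false],
];

// Feed every sample through a handler and record whether it was blocked.
function evaluate(handler) {
    return SAMPLES.map(([label, keyCode, mods, isPaste]) => {
        const ev = fakeKeyEvent(keyCode, mods);
        handler(ev);
        return { label, isPaste, blocked: ev.defaultPrevented };
    });
}

// Split the outcome into the two failure classes of the handler.
function summarize(results) {
    return {
        typingBroken: results.filter(r => !r.isPaste && r.blocked).map(r => r.label),
        pasteNotBlocked: results.filter(r => r.isPaste && !r.blocked).map(r => r.label),
    };
}

console.log(summarize(evaluate(keyDown)));
```

Because the handler never looks at `ctrlKey`, any password containing the letter v cannot be typed into the field, while keyboard paste via Shift+Insert passes straight through.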

And why prevent paste? Just ran into this recently on PayPal when I wanted to change my password. I generated one in Passpack and tried to paste it in, no can do. Ridiculous.
Apple does this, too. Not just on password change forms, but on login forms. Drives me nuts, as I use a password manager and my passwords are 24 characters of garbage.

Edit: Apparently I can't reply to the next comment, but KeePassX also has the feature that passwords are cleared from the clipboard after 30 seconds.

Clearly, having your password on the clipboard is a security issue. Storing your password in plain text, however, isn't.

Gotta love half-assed security measures. :)

I ran into this same problem. Had to use the Chrome Web Inspector to get around it. I believe it's a part of PCI compliance, but plenty of sites accept credit cards without that nonsense so I'm not sure. GetGamesGo.com does the same thing.
Please, in the future, whenever talking about PCI compliance, cite chapter and verse. There's more than enough wild speculation running around about it, all sorts of myths are repeated and propagated.
I asked a GetGamesGo employee about the pasting issue and that is what he told me. Let me get the full quote:

  "Cut/paste passwords – that’s a stipulation of PCI compliance. We could scrap it, but they ask for it. We have to be PCI compliant on card processing."
I provided as much information as I had available, I do not know the chapter/verse. Apologies if I spread any misinformation, I took this rep at his word.
I have spent a fair bit of time reading the PCI standards and I have never seen such a requirement. I suppose it is possible that some sort of independent auditor is making that call but it isn't in the standard anywhere I can see. (Auditors seem to have a huge amount of discretion here.)
In situations where you have a textfield "enter password" and another textfield "re-enter password", it would probably make sense to prevent pasting into the second field iff you didn't paste into the first field.

Better yet, if you pasted it into the first field, the second field should become disabled.

This is because usually password fields are not in clear-text but display stars for letters, so you don't know if you accidentally mistyped the password. But if you pasted it in in the first field already, there's no reason you should have to paste it a second time.

I've changed password on one of my emails, typed it wrong in one input line, so I've ctrl+C and ctrl+V it from one input to the other. Still didn't work, so I copied it the other way (I wasn't really thinking, then :)).

It worked, but I couldn't log in to that email for a few days, until I understood, that I've changed my password to

I guess this is software's version of security theater. Make the users feel like the website is secure because there is a javascript running on the login screen to prevent you from pasting, never mind that you can probably not use pass phrases or spaces because the backend was built in 1995. :)
I keep hearing about a shortage of programmers. Perhaps if we didn't write pointless code, there would be enough.
I wonder if Shift+Insert works... (is that only a Linux thing?)

Or Rt-Click -> Paste.

To say nothing about right click - paste... unless they're doing the 1999 thing and blocking right click too (and if they are, hopefully it's with a 1999-tastic alert("Right click not allowed!");).
Sorry, I edited my post to add the right-click thing as you were creating yours...
Or click field. Go to the menu option Edit -> Paste. Let's see how they are going to dodge that with Javascript?
"You entered too many characters too quickly."
In Linux selecting text and middle-click has saved me countless times
I would like to write some company that does this and say "control V doesn't work but I can paste the password in using the following methods.... this is a problem because it keeps me from using proper security for passwords on my clipboard. Can you please fix? PS Can I follow up with your PCI auditor directly?"
Shift-insert has worked on Windows as far as I go back (3.1).
That's... hilariously bad. Doesn't tell good things about their code review processes (as in: wtf is a code riiviiu???111!!).