by ams6110 5056 days ago
And why prevent paste? Just ran into this recently on PayPal when I wanted to change my password. I generated one in passpack and tried to paste it in, no can do. Ridiculous.
4 comments

Apple does this, too. Not just on password change forms, but on login forms. Drives me nuts, as I use a password manager and my passwords are 24 characters of garbage.

Edit: Apparently I can't reply to the next comment, but keepassx also has the feature that passwords are cleared from the clipboard after 30 seconds.

Clearly, having your password on the clipboard is a security issue. Storing your password in plain text, however, isn't.

Gotta love half-assed security measures. :)

I ran into this same problem. Had to use the Chrome Web Inspector to get around it. I believe it's a part of PCI compliance, but plenty of sites accept credit cards without that nonsense so I'm not sure. GetGamesGo.com does the same thing.
Please, in the future, whenever talking about PCI compliance, cite chapter and verse. There's more than enough wild speculation running around about it, all sorts of myths are repeated and propagated.
I asked a GetGamesGo employee about the pasting issue and that is what he told me. Let me get the full quote:

  "Cut/paste passwords – that’s a stipulation of PCI compliance. We could scrap it, but they ask for it. We have to be PCI compliant on card processing."
I provided as much information as I had available, I do not know the chapter/verse. Apologies if I spread any misinformation, I took this rep at his word.
I have spent a fair bit of time reading the PCI standards and I have never seen such a requirement. I suppose it is possible that some sort of independent auditor is making that call but it isn't in the standard anywhere I can see. (Auditors seem to have a huge amount of discretion here.)
In situations where you have a textfield "enter password" and another textfield "re-enter password", it would probably make sense to prevent pasting into the second field iff you didn't paste into the first field.

Better yet, if you pasted it into the first field, the second field should become disabled.

This is because usually password fields are not in clear-text but display stars for letters, so you don't know if you accidentally mistyped the password. But if you pasted it in in the first field already, there's no reason you should have to paste it a second time.
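The two-field behaviour proposed in the comment above, sketched as an added example that is not part of the thread. The names `wirePasswordConfirm` and `passwordsAcceptable` are hypothetical, and the fields are assumed to be standard password inputs exposing `value`, `disabled`, `selectionStart` and `selectionEnd`.

```javascript
// Added illustration of the comment's proposal; not code from any site discussed here.
// wirePasswordConfirm / passwordsAcceptable are hypothetical names.
function wirePasswordConfirm(first, confirm) {
  const state = { pasted: false };

  const sync = () => {
    confirm.disabled = state.pasted;
    if (state.pasted) confirm.value = ''; // leave nothing stale in a disabled field
  };

  // 'paste' fires before the value changes. Count it as a pasted password only
  // when it replaces the whole field (empty field, or everything selected).
  first.addEventListener('paste', () => {
    state.pasted = first.selectionStart === 0 &&
                   first.selectionEnd === first.value.length;
    sync();
  });

  // 'input' fires after every change. Anything other than the paste itself
  // (typing, deleting) means the value is hand-edited and needs confirming.
  first.addEventListener('input', (ev) => {
    if (ev.inputType !== 'insertFromPaste') {
      state.pasted = false;
      sync();
    }
  });

  // The confirmation field is only enabled after typing, and then it must be
  // retyped: copying a typo across would defeat the check.
  confirm.addEventListener('paste', (ev) => {
    if (!state.pasted) ev.preventDefault();
  });

  return state;
}

// Check to run on submit: a pasted password needs no second entry,
// a typed one must match the confirmation field.
function passwordsAcceptable(first, confirm, state) {
  if (first.value.length === 0) return false;
  return state.pasted || first.value === confirm.value;
}
```

Pasting into the first field is never blocked here, so a password manager keeps working; only the retype field refuses a paste, and only when the first value was typed by hand.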

I've changed password on one of my emails, typed it wrong in one input line, so I've ctrl+C and ctrl+V it from one input to the other. Still didn't work, so I copied it the other way (I wasn't really thinking, then :)).

It worked, but I couldn't log in to that email for a few days, until I understood, that I've changed my password to

I guess this is software's version of security theater. Make the users feel like the website is secure because there is a javascript running on the login screen to prevent you from pasting, never mind that you can probably not use pass phrases or spaces because the backend was built in 1995. :)