Is there any reason to disable paste password on login?

There is no substantial security benefit to disallowing pasted passwords; on the contrary, it is likely to weaken security by discouraging the use of password managers to generate and autofill randomized passwords. While some password managers are capable of overriding pasting restrictions, the point still stands that users should not be forced to type their password by hand.

Excerpt from a relevant WIRED article:

Websites, Please Stop Blocking Password Managers. It’s 2015

But what’s crazy is that, in 2015, some websites are intentionally disabling a feature that would allow you to use stronger passwords more easily—and many are doing so because they wrongly argue it makes you safer.

Here’s the problem: Some sites won’t let you paste passwords into login screens, forcing you, instead, to type the passwords out. This makes it impossible to use certain kinds of password managers that are one of the best lines of defense for keeping accounts locked down.


Disabling pasting into a password field introduces a "Cobra effect". A Cobra effect "occurs when an attempted solution to a problem actually makes the problem worse."

Troy Hunt recently wrote an article where he explains it in more detail. It's essentially a security theater, like what happens at airports to "make us safer". Troy Hunt calls it a Cobra effect because it disables the use of secure, 50-character passwords that would be pasted from a password manager. At best, it forces people to create passwords that are easy to remember and thus more hackable.

Some might say that it makes you safer because it prevents your clipboard from being copied by malware, but they ignore the fact that if malware can already do that, it can also copy all kinds of keypresses, not just Ctrl+V. It's pointless.

From a UX perspective, it's just annoying, like you say. So it's annoying from a UX perspective, and it doesn't make us safer. There's no point to this "feature".


No, there is no sensible reason for doing this. It is bad UX, plain and simple. Disabling pasting into a password field is actually encouraging bad passwords. Password managers automatically clear out the clipboard after pasting, so that argument is no longer valid.
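
For teams that want to find this anti-pattern in their own login pages, here is an added example (not part of any answer above) that lints HTML templates for password inputs whose inline `onpaste` handler cancels the event. The function names and the sample markup are constructed for illustration, and the scan assumes the block is done with an inline attribute; listeners attached from script files are out of its scope.

```javascript
// Added example: lint HTML for password inputs that block paste.
// Regex-based scan of inline attributes only. Assumes attribute values
// contain no '>' character; handlers attached via addEventListener in
// separate scripts are not detected and need a browser-side check.

const INPUT_TAG = /<input\b[^>]*>/gi;
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Handler bodies that cancel the paste event.
const CANCELS = /\breturn\s+false\b|\bpreventDefault\s*\(/i;

// Parse the attributes of a single <input ...> tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  for (const m of body.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per password input whose onpaste handler cancels paste.
function findPasteBlockers(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_TAG)) {
    const attrs = parseAttrs(m[0]);
    if ((attrs.type || "").toLowerCase() !== "password") continue;
    if (!("onpaste" in attrs) || !CANCELS.test(attrs.onpaste)) continue;
    const line = html.slice(0, m.index).split("\n").length;
    findings.push({ line, field: attrs.name || attrs.id || "(unnamed)" });
  }
  return findings;
}

// Constructed sample markup: pw1 and pw2 block paste, the rest do not.
const SAMPLE = `<form action="/login" method="post">
  <input type="text" name="user" onpaste="return false">
  <input type="password" name="pw1" onpaste="return false;">
  <input type='password' id=pw2 onPaste='event.preventDefault()'>
  <input type="password" name="pw3" onpaste="logPaste(event)">
  <input type="password" name="pw4">
</form>`;

for (const f of findPasteBlockers(SAMPLE)) {
  console.log(`line ${f.line}: password field "${f.field}" blocks paste`);
}
```
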