It’s 2023, why are websites actively preventing pasting into fields like passwords and credit card number boxes? I use a password manager for security, it’s recommended by my employer to use one, and it even avoids human error like accidentally fat-fingering keys, and best of all with the credit card number I don’t have to memorize anything or know a single digit/character!
I have to use the Don’t Fuck With Paste addon just to be able to paste my secrets into certain monthly billing websites; why is my electric provider and one of my banks so asinine that pasting cannot be allowed? I can only imagine downsides and zero upsides to this toxic dark-pattern behavior.
There is even a mention about this in NIST SP 800-63B, a standard for identity management that some companies must follow in the USA, which mentions forcefully rotating passwords and denying “password paste-in” as antiquated/bad advice:
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets
Edit: I discovered that for Firefox users there’s a simpler way than exposing your secrets to someone’s third-party addon. Simply open about:config, search for dom.event.clipboardevents.enabled, and change it from true to false.
Apps like tic-toc can see the text that you are holding in your “copy” cache. If you are copying passwords to log in to your bank or other sensitive site and then later open tic-toc, you just inadvertently gave them your password.
It is generally bad practice to ever “copy” your passwords, even if it is easier.
People frustrated by this will just pick weaker passwords. Of course, the main solution is to allow password managers to insert passwords directly, but I’ve noticed a few sites don’t seem to work with those, either…
That’s why most password managers only put it in the clipboard for 5-10 seconds and then empties it.
Modern Android also disallow pasting without interaction and it pops up a toast when an app pastes the content of your clipboard. TikTok stopped doing it as a result as it’s obvious when they do.
Most don’t even copy it to clipboard, they’ll inject it to the dom directly
I have some cameras with a web UI which actively blocks even that 😤
It seems like being able to view your copy cache or clipboard is an ability which should be blocked on all operating systems unless the user is literally initiating a paste.
Phones like Samsung, windows clipboard history, Linux depending on distro and what you install save clipboard history, so it is kinda unsafe
I specifically disabled clipboard history on my phone and the only device I have Windows on. It’s not 100% safe, but it’s better than the default.
I don’t have a TikTok account nor do I have the app installed on any device.
Funnily enough actually, when I went to register early on a few years back, my email had already been registered by some bot and TikTok had banned my email, their tech support has never replied to anything I’ve asked them regarding it and I never had any correspondence about it in my email messages prior. So, I never opened an account. Sure, I could have used another email or given it a throwaway, but by that time I was already aware of the invasive nature of TikTok and I just didn’t care for it after that. I only wanted to register my account to stake my presence there before others with my name, and I didn’t succeed, so I gave up pretty quickly. It’s a dead site to me. I’m also not a fan of all of the cheap imitations like YouTube Shorts, or the re-posts that happened(still happen?) on Reddit.