Is It a Best/Recommended Practice to Not Allow Desktop Clipboard Pastes for Password Fields on a Website?

Problem scenario
You think a website's password field should allow a password to be pasted in. Blocking pasting, on the other hand, could discourage users from copying the password to the clipboard at all, and some attackers read secrets out of memory/RAM. Should you avoid allowing a password to be pasted in?

Solution
Traditionally, password confirmation fields did not allow pasting (with Ctrl-V) from the clipboard. NIST now says pasting can be allowed: https://pages.nist.gov/800-63-FAQ/

Some people think it is not ideal to have sensitive information sitting in RAM (which is where clipboard contents live). The evidence for that concern is not clear. If you make the field impossible to paste into, and state that on the page, the user may not copy the password at all. But blocking pasting would violate modern NIST guidance.
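As an added example (not part of the original post), the following script audits an HTML fragment for password fields that still carry the old inline paste-blocking handler, which is the pattern the NIST guidance above says to avoid. It assumes handlers are written inline in the markup; listeners attached by JavaScript frameworks are not visible this way.

```javascript
// Added example: flag password inputs whose inline onpaste handler cancels the paste.
// Assumption: paste blocking is done with inline attributes such as onpaste="return false".

// Handler bodies that cancel the paste event.
const PASTE_BLOCK_PATTERNS = [/return\s+false/i, /preventDefault\s*\(/i];

// Extract every <input ...> tag as a map of lower-cased attribute names to values.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || '');
      attrs[a[1].toLowerCase()] = value;
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Return the names (or ids) of password fields that block clipboard pasting.
function findPasteBlockedPasswordFields(html) {
  return parseInputs(html)
    .filter((attrs) => (attrs.type || '').toLowerCase() === 'password')
    .filter((attrs) => PASTE_BLOCK_PATTERNS.some((re) => re.test(attrs.onpaste || '')))
    .map((attrs) => attrs.name || attrs.id || '(unnamed)');
}

// Constructed sample form: the 'confirm' field follows the old practice of blocking
// pasting, the 'password' field allows it, and 'username' is not a password field.
const SAMPLE_FORM = `
<form>
  <input type="password" name="password" autocomplete="new-password">
  <input type="password" name="confirm" onpaste="return false;">
  <input type="text" name="username" onpaste="return false;">
</form>`;

console.log(findPasteBlockedPasswordFields(SAMPLE_FORM)); // [ 'confirm' ]
```

Run it against your own registration and password-reset markup; any field it reports is one where users are being pushed away from password managers.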

You may want to read this too: https://www.auditboard.com/blog/nist-password-guidelines/
