2022-04-10

Unblocking paste in web pages

Have you ever tried to do the usual password manager thing on a web page and had it fail?  It could be because the web page blocks pasting into one or more of its password text fields.  This post will tell you how to get around this.

Some web sites block pasting into password fields -- typically on a login page and/or a password change page -- because they think that by blocking use of a password manager they are somehow making themselves or their users more secure.  That's plain dumb!

This blocking used to be a lot more prevalent than it is today, but a few days ago I found that one of my important service accounts would not let me paste into the password change page.  This prevented me from using my password manager's password generator tool to generate a very long random new password, something I do for all new and changed passwords.

I refused to change the password to something short and simple that I could type, as the website clearly intended me to.  So I did some research and found an extension that is able to fix this, Allow Right-Click:

I suggest configuring the extension so that it appears in your list of extension icons in the top right of your browser.  Later, when you run into a page that blocks pasting, do this:

  1. click on that extension icon to enable it (the icon will darken)
  2. do your pasting, or have your password manager do the pasting
  3. click on the extension icon again to disable it (the icon will change back).

Note that I'm suggesting #3 only because keeping unnecessary extensions disabled when not needed is good for security.

N.B. Be aware that any pasting of passwords into web pages comes with the risk that you could get phished.  By pasting a password -- instead of using your password manager's autofill -- you are bypassing a key protection that the password manager provides you: verification of the login page domain name against the expected domain name prior to pasting.  

Many users forget to check the domain name before they blindly start typing their userid and password, which is a nice way to get phished.  Your password manager, though, is smarter than that and will always verify the domain name.  So always use the password manager's autofill feature instead of manually copying the password from the password manager and pasting it into the login page.

If the autofill doesn't work for some reason -- this will happen occasionally -- and you need to manually paste, be darned sure you're pasting into a valid login page, not a phishing page.  Check this by carefully examining the domain name.

The above applies to password change pages too, as a phishing page could just as easily be a password change page as a login page.
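
To make the domain check concrete, here is an added example (not part of the original post and not any password manager's actual code) of the comparison that autofill does for you and that you have to do by eye when you paste manually.  The matching rule (HTTPS only, exact host or a subdomain of the saved host), the function name, and the example.com / phish.test URLs are all assumptions made up for illustration.

```javascript
// Added example: a simplified version of the check autofill performs before
// filling a password. The matching rule is an assumption, not vendor code.

// Decide whether a credential saved for `savedUrl` may be filled on `pageUrl`.
function mayAutofill(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  // Never hand a password to a page that was not loaded over HTTPS.
  if (page.protocol !== "https:") {
    return { ok: false, reason: "page is not HTTPS" };
  }
  // URL.hostname is lower-cased and punycode-encoded, and it ignores any
  // "user@" prefix, so only the real host takes part in the comparison.
  const savedHost = saved.hostname.replace(/\.$/, "");
  const pageHost = page.hostname.replace(/\.$/, "");
  // Exact match, or a subdomain on a label boundary. The leading "." keeps
  // "notexample.com" from matching "example.com".
  if (pageHost === savedHost || pageHost.endsWith("." + savedHost)) {
    return { ok: true, reason: "host matches saved entry" };
  }
  return { ok: false, reason: `host ${pageHost} does not match ${savedHost}` };
}

// Constructed sample pages, checked against one saved entry.
const SAVED_ENTRY = "https://example.com/login";
const CONSTRUCTED_PAGES = [
  "https://example.com/account/password", // real password change page
  "https://accounts.example.com/signin",  // real subdomain
  "https://example.com.phish.test/login", // saved name is only a prefix
  "https://notexample.com/login",         // saved name is only a suffix
  "https://example.com@phish.test/login", // saved name is only userinfo
  "http://example.com/login",             // right host, no TLS
];

for (const pageUrl of CONSTRUCTED_PAGES) {
  const verdict = mayAutofill(SAVED_ENTRY, pageUrl);
  console.log(`${verdict.ok ? "FILL " : "BLOCK"} ${pageUrl} (${verdict.reason})`);
}
```

Only the first two pages pass; the other four are the kind of address that looks right at a glance and is the reason to read the domain name carefully before pasting.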