The Basics of Password Strength
Before getting into the reasons why disallowing copying and pasting into a password field is bad practice, it should be mentioned that the general public has been misguided when it comes to password security. Password complexity is not the best means by which to increase security and hamper or thwart cracking/guessing attempts[^1]; password length is. Yes, increasing the complexity of a password does, in fact, increase the effort needed to crack the password (or the time needed to guess it); however, simply adding a few more characters is far more effective. Further, a password that is not complex, but is long, can be easier to remember[^2].
A password that uses the English alphabet (uppercase and lowercase) has a relatively low complexity (i.e., fifty-two possible characters).
To brute force a one-character password created from this set would take a maximum of fifty-two attempts. Not very difficult for a person at a keyboard, let alone for a computer.
Adding the numerals 0 through 9 to the character space would result in an increase to sixty-two possible characters.
To brute force a one-character password created from this set would take a maximum of sixty-two attempts. Again, easily cracked even manually by someone sitting at a keyboard.
Now, let’s change this to a two-character password.
To brute force a two-character password created from this set (i.e., our sixty-two characters) would take a maximum of 3844 attempts. This could take a long time for a person at a keyboard, but would take seconds (or less) for a computer.
Now let’s skip a bit and make it a five-character password.
To brute force a five-character password created from our sixty-two-character character space would take a maximum of 916,132,832 attempts. This is pretty much not going to be possible for a human being at a keyboard (i.e., it would take years or luck). However, for a computer, this is still a relatively easy task.
Let’s skip a bit more and make a twenty-character password.
To brute force a twenty-character password created from our sixty-two-character character space would take a maximum of 704,423,425,546,998,022,968,330,264,616,370,176 attempts. This is literally uncrackable/unguessable by a desktop computer (and even most specialized hardware) without considerable luck.
So, does adding more characters to the character space make it more difficult for unsavory individuals to get your information by cracking or guessing your password? Of course it does. Is it the best method? Clearly not. Adding just a few more characters to your passwords will greatly improve your security.
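The length-versus-complexity comparison above, as an added example that is not part of the original article: it computes the maximum number of guesses for a character set and length, and how many extra characters a sixty-two-character-set password needs to match one drawn from a larger set. The ninety-five-symbol set (printable ASCII) and the guess rate are assumptions chosen for illustration.

```python
ALNUM = 62          # the article's set: A-Z, a-z, 0-9
PRINTABLE = 95      # assumption: printable ASCII, standing in for "more complexity"
GUESSES_PER_SECOND = 10**10   # assumption: constructed attacker speed, not a measurement
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size, length):
    """Maximum guesses needed to try every password of exactly this length."""
    return charset_size ** length


def years_to_exhaust(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time, in years, to try the whole keyspace at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def min_length(charset_size, target):
    """Shortest length whose keyspace is at least `target` guesses."""
    length = 1
    while keyspace(charset_size, length) < target:
        length += 1
    return length


def extra_chars_to_match(small_set, big_set, length):
    """Characters to add to a small_set password of `length` so that it is
    at least as hard to exhaust as a big_set password of the same length."""
    return min_length(small_set, keyspace(big_set, length)) - length


if __name__ == "__main__":
    for length in (1, 2, 5, 8, 12, 20):
        print(f"{length:>2} chars: {keyspace(ALNUM, length):,} guesses, "
              f"{years_to_exhaust(ALNUM, length):.3g} years worst case")
    for length in (8, 20):
        extra = extra_chars_to_match(ALNUM, PRINTABLE, length)
        print(f"{length}-char password from {PRINTABLE} symbols is matched by a "
              f"{length + extra}-char password from {ALNUM}")
```

Under these assumptions, one extra character at length eight and three at length twenty outweigh adding thirty-three symbols to the character set.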
Copy and Paste is Good
There are secure[^3] passwords which are not random assortments of characters (e.g., a sentence from a favorite poem could be used as a password and, if sufficiently long, would likely be secure), but with an ever-increasing number of logins, passwords, and codes to remember, sometimes it helps to have the ability to generate a password and just copy and paste it. If a trend toward doing this were to develop, it would be a good thing for personal and information security. Why? If the end user does not have to remember the password, the password can be arbitrarily complex or long. Personally, I use many passwords in excess of fifty characters (and some in excess of a hundred characters). Do I know them by memory? Of course not. I have software which stores them securely and fills them in for me.
Disallowing copy and paste simply makes it more difficult (for those who are tech savvy, at least slightly more difficult the first time) to enter long, complex passwords. What purpose does this serve? Those who would attempt to brute force passwords or otherwise gain illegal access to information are not going to care that they cannot copy and paste; they aren’t using it anyway. The hacking and cracking tools used for these tasks are sophisticated enough to mimic human interaction with the sites and systems they visit and attempt to exploit, so disallowing copy and paste does not even delay these individuals and organizations. If the security threat at which disallowing copy and paste is directed isn’t hampered by it, who is? Well, end users.
When an end user isn’t able to copy and paste a password into a site, he’s more likely to make up his own password and the odds are that the password he makes up will be simple. This leaves him less secure. Who benefits from this? The hackers and crackers the site was attempting to thwart. A short, simple password is easily guessed or brute forced. Allowing copy and paste allows end users to visit sites or use tools that generate secure passwords (e.g., https://www.grc.com/passwords.htm) without having to go through the incredibly tedious process of typing out fifty or sixty characters, likely twice. It is a simple matter to store these passwords in a secure location or via password-management software (e.g., 1Password, available for macOS, iOS, Windows, and Android). Thus, allowing copy and paste increases both security and convenience for the end user.
The bottom line is this: If sites want their users to be more secure, they should offer password generation tools as part of their signup forms (and disallow passwords below a certain length), they should not block copy and paste, and they should discontinue ridiculous limits on password length (personally, I have seen sites as low as eight, which is laughable). These are true measures targeted at actually increasing the security of end users and their information. Disallowing copy and paste, on the other hand, is just a misguided attempt with rather unfortunate unintended consequences.
The Math Behind This
For a given character set (n) and a given password length (r):
If the order matters and the characters can repeat (most passwords):
If the order matters and the characters cannot repeat:
These next two are unlikely with passwords, but, for completeness:
If the order doesn’t matter and the characters can repeat:
If the order doesn’t matter and the characters cannot repeat:
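The four cases listed above, as an added example that is not part of the original article: `count` applies the standard counting formula for each case, and `cross_check` confirms each one by generating every selection from a small alphabet. The function names and the four-character alphabet are constructed for illustration.

```python
import math
from itertools import (combinations, combinations_with_replacement,
                       permutations, product)


def count(n, r, ordered=True, repeat=True):
    """Closed-form number of length-r selections from n characters."""
    if ordered and repeat:
        return n ** r                      # typical password
    if ordered:
        return math.perm(n, r)             # n! / (n - r)!
    if repeat:
        return math.comb(n + r - 1, r)     # (n + r - 1)! / (r! (n - 1)!)
    return math.comb(n, r)                 # n! / (r! (n - r)!)


def enumerate_count(alphabet, r, ordered=True, repeat=True):
    """Count the same selections by generating every one of them.
    The alphabet must contain distinct characters."""
    if ordered and repeat:
        items = product(alphabet, repeat=r)
    elif ordered:
        items = permutations(alphabet, r)
    elif repeat:
        items = combinations_with_replacement(alphabet, r)
    else:
        items = combinations(alphabet, r)
    return sum(1 for _ in items)


def cross_check(alphabet, r):
    """Return {(ordered, repeat): count}; raise if formula and enumeration differ."""
    results = {}
    for ordered in (True, False):
        for repeat in (True, False):
            formula = count(len(alphabet), r, ordered, repeat)
            if formula != enumerate_count(alphabet, r, ordered, repeat):
                raise ValueError(f"mismatch for ordered={ordered}, repeat={repeat}")
            results[(ordered, repeat)] = formula
    return results


if __name__ == "__main__":
    print(cross_check("abcd", 3))       # constructed four-character alphabet
    print(count(62, 5), count(62, 5, repeat=False))
```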
[^1]: There is an obvious caveat here: a minimum level of complexity is necessary before a password can even conceivably be secure. For example, a password containing only uppercase A’s would be rather insecure. In essence, this article assumes that your passwords use, at a minimum, the basic sixty-two-character dictionary composed of the twenty-six uppercase letters of the Latin alphabet, the twenty-six lowercase letters of the Latin alphabet, and the numerals zero through nine.
[^2]: A truly random password is indisputably superior to an easy-to-remember non-random password; this holds true even in some cases where the non-random password is significantly longer. In short, use a password generator and a password manager.
[^3]: Again, random passwords are superior and non-random passwords should be used only where a random password would, for some reason, be infeasible.