Stop disabling copy/paste

Hey developers, please stop disabling copy/paste in form fields! 🚨

  • It’s awful UX.
  • It’s confusing.
  • It doesn’t improve security.
  • It breaks password managers.
  • It risks typos on critical info.

If asked to do so, push back. Please don’t break the web.

Who is asking for this? Have you been asked to do so? I suspect this is on a checklist at some overzealous security consultancy.

If you are asked to disable copy/paste, show your product owner this.

Many developers just “do what they’re told”. Sure, developers aren’t the final decision makers. But I believe it’s *everyone’s* responsibility to push back on decisions that negatively impact the user’s experience.

Update: @manicode added this line to the OWASP Auth Verification Requirements: Verify that “paste” functionality, browser password helpers, and external password managers are permitted. 👍 🥳

If any security people try to push this on you, show them requirement 2.1.11 from the ASVS standard!
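
One way to check a page against that requirement, as an added example that is not from the original post or from OWASP: fire cancelable synthetic clipboard events at each field and report which ones get cancelled. The names `isBlocked`, `auditFields` and `constructedSample` are hypothetical, and the sample form is constructed so the check also runs outside a browser.

```javascript
// Added example: runtime check that form fields do not cancel clipboard events.
// Names (CLIPBOARD_EVENTS, isBlocked, auditFields, constructedSample) are hypothetical.
const CLIPBOARD_EVENTS = ['paste', 'copy', 'cut', 'drop'];

// Fire a cancelable synthetic event at the field. dispatchEvent() returns
// false when a listener (or an inline handler returning false) cancelled it.
function isBlocked(target, type) {
  const ev = new Event(type, { bubbles: true, cancelable: true });
  return !target.dispatchEvent(ev);
}

// fields: [{ name, target }] where target is any EventTarget (a DOM element
// in the browser). Returns one finding per field that cancels an event.
function auditFields(fields) {
  const findings = [];
  for (const { name, target } of fields) {
    const blocked = CLIPBOARD_EVENTS.filter((type) => isBlocked(target, type));
    if (blocked.length > 0) findings.push({ name, blocked });
  }
  return findings;
}

// Constructed sample standing in for a signup form, so this runs in Node too.
function constructedSample() {
  const email = new EventTarget();
  const confirmEmail = new EventTarget();
  confirmEmail.addEventListener('paste', (e) => e.preventDefault());
  const password = new EventTarget();
  for (const type of ['copy', 'cut', 'paste']) {
    password.addEventListener(type, (e) => e.preventDefault());
  }
  return [
    { name: 'email', target: email },
    { name: 'confirm_email', target: confirmEmail },
    { name: 'password', target: password },
  ];
}

console.log(JSON.stringify(auditFields(constructedSample())));

// In a browser console, audit the live page instead:
// auditFields([...document.querySelectorAll('input, textarea')]
//   .map((el) => ({ name: el.name || el.id, target: el })));
```

Synthetic events are untrusted and carry no clipboard data, so a handler that checks `isTrusted` or wipes the field on a later `input` event will not be flagged. A manual paste and a password-manager autofill test still belong in the verification.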
