Troy Hunt comments on that incredibly silly tweet by British Gas explaining why they disable pasting into the password field on their site. I wrote about that here. Sadly, it turns out that this practice is more widespread than I thought.
Hunt explains how this is a fine example of the cobra effect. These sites aren’t, of course, doing this just to annoy their customers. They believe that they’re improving the security of their site. They aren’t; just the opposite. And that’s why it’s an example of the cobra effect: the supposed solution actually makes the problem worse.
Here’s what happens. Disallowing pasting into the password field essentially makes password managers useless[1]. No one is going to type a 20-character random string into a password field every time they want to log in. Therefore, they pick a short password and, because they have to be able to remember it, they make it a real word, maybe trying to obscure it a bit with ‘leet speak. This guarantees that their password will be compromised as soon as someone gets hold of the hash database. So rather than making the site more secure, they actually make it less secure: a perfect example of the cobra effect.
Take a look at Hunt’s post to see some of the other clueless sites that do this. He even gives a reason for doing it that makes a bit (but only a bit) more sense than the one British Gas offered.
Footnotes:
[1] Some password managers use autofill instead of pasting the password into the field. If the site is just using a JavaScript onpaste handler on the input element to disable the pasting, these password managers may still be able to fill the field.
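
A quick way to check your own login pages for the onpaste pattern the footnote describes. This is an added example, not code from the original post or from Hunt's. The function names and sample markup are constructed, and the regex scan is a heuristic that only sees inline onpaste attributes, not handlers attached from script.

```javascript
// Added example: heuristic audit for password fields that block pasting.
// SAMPLE_HTML is constructed markup for illustration, not taken from any real site.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user" onpaste="track(event)">
  <input type="password" name="pw1" onpaste="return false">
  <input name="pw2" type='password' onPaste="event.preventDefault()">
  <input type="password" name="pw3" autocomplete="current-password">
</form>`;

// Parse the attributes of a single <input ...> tag into a map with lower-cased keys.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return every password input whose inline onpaste handler cancels the paste,
// either by returning false or by calling preventDefault().
function findPasteBlockingPasswordFields(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    if ((attrs.type || '').toLowerCase() !== 'password') continue;
    if (!('onpaste' in attrs)) continue;
    if (/return\s+false|preventDefault\s*\(/i.test(attrs.onpaste)) {
      findings.push({ name: attrs.name || '(unnamed)', handler: attrs.onpaste });
    }
  }
  return findings;
}

// Stand-alone run: report the offending fields in the sample markup.
for (const f of findPasteBlockingPasswordFields(SAMPLE_HTML)) {
  console.log(`password field "${f.name}" blocks paste: onpaste="${f.handler}"`);
}
```

Any field it reports is one where a user of a paste-based password manager is pushed back toward a short, memorable password.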