Another psycho HTML feature and how to work around it...

Tonight, I needed to create a new account on a website. It has a typical registration form, with two <input> tags for the password, where the second has to match the first. No problem: I compose my passwords offline (using pwgen and additional punctuation), and paste them into both fields. I was able to do so with the first field, but not the second. WTH?

So, I open DevTools on the site, and navigate to the <input> tag in question. Immediately I saw the problem. Attributes called oncut and onpaste were set to return false;

I simply deleted those attributes, and was able to proceed normally. I refused to type the password, because:

  • I always copy my passwords from my offline password stash anyway. Password managers don't have a way to record all the things you need to know about your passwords. Things like which service did you use to login with anyway (FB, Github, Google+), which shitty giant tech company bought the cool site you are trying to use, and exactly how they did screw up their user migration at the time of merger anyway (nobody ever seems to get it right... Looking at you, Atlassian!) Not to mention recovery codes, answers to your security questions, etc.

  • I always generate them using CLI tools, ensuring they are much longer and more complex than any site requires, meaning they are painful to type.

  • It was late, my brain and eyes were tired, and I didn't think I could do it the first time anyway.
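
The DevTools edit described above (deleting the oncut and onpaste attributes), written as a snippet that first reports which fields block the clipboard and then removes the attributes. This is an added example, not code from the site or the original post; the function names and the fake-element helpers are hypothetical, and the "cancels the event" check is a simple heuristic.

```javascript
// Inline handler attributes the post found on the confirmation field.
const BLOCKING_ATTRS = ["oncut", "onpaste"];

// Heuristic: true when an inline handler body cancels the event,
// e.g. "return false;" or a call to preventDefault().
function cancelsEvent(handlerSource) {
  return /\breturn\s+false\b|\bpreventDefault\s*\(/.test(handlerSource || "");
}

// List every <input> under `root` whose inline clipboard handler cancels the
// event. `root` is anything with querySelectorAll (`document` in a browser).
function findPasteBlockers(root) {
  const hits = [];
  for (const input of root.querySelectorAll("input")) {
    for (const attr of BLOCKING_ATTRS) {
      if (input.hasAttribute(attr) && cancelsEvent(input.getAttribute(attr))) {
        hits.push({ input, attr });
      }
    }
  }
  return hits;
}

// Remove the blocking attributes, which is the DevTools edit done by hand in
// the post. Returns how many attributes were removed. Listeners attached with
// addEventListener do not show up as attributes and are not touched.
function removePasteBlockers(root) {
  const hits = findPasteBlockers(root);
  for (const { input, attr } of hits) input.removeAttribute(attr);
  return hits.length;
}

// Constructed stand-ins for DOM nodes so the functions can be exercised
// outside a browser; in the DevTools console, pass `document` instead.
function fakeInput(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    hasAttribute: (name) => map.has(name),
    getAttribute: (name) => (map.has(name) ? map.get(name) : null),
    removeAttribute: (name) => { map.delete(name); },
  };
}
function fakeForm(inputs) {
  return { querySelectorAll: (sel) => (sel === "input" ? inputs : []) };
}
```

In the DevTools console, `removePasteBlockers(document)` performs the same attribute deletion on the live page.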


I have no way of knowing what particular kind of moron mandated this. It could have been a UX designer, security consultant, or overeager junior HTML coder.

This is how certain classes of tiny Chrome extensions are born. You know the kinds. The ones that remove the "nofullscreen" word from the controls attribute on the <video> tag. Or the ones that make sure the doesn't receive counter-productive windowOptions options in the third parameter.

Just let the browser do its job, devs!