Everyone has encountered, at least once, a form that asks you to confirm your password or email address to check that you didn't make a mistake when typing it.
But it's not rare at all for those websites to override the JavaScript paste event, to prevent you from copying the first password and pasting it, which would copy your mistake too and make the second check useless.
So it's safer, right?
It's a good idea (or at least a good intention) IF you're typing your password manually.
But a more secure approach is to use a password manager, even better an offline password manager (not cloud-based and without browser integration) like KeePassXC, and to pick a very long and strong password with all those special characters.
But wait a minute! You can't paste anything, and your password is so long and complex that there is a 100% chance you'll make a mistake when typing it manually.
That sucks, right? This paste event block prevents users from using a password manager, which is the more secure approach.
Note to web devs: please stop overriding the paste event on the 2nd field; instead, you can still prevent the copy event on the 1st field. It's already a little better.
But we're stuck, right? We neither want to type the 50-character password manually nor stop using our password manager and go back to reusing weak rockyou passwords.
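The note to web devs above, as an added example that is not code from the original post: the paste-blocking anti-pattern next to the copy-blocking alternative, plus a small audit that reports which clipboard events a field cancels. All function names are hypothetical, and the fields are constructed `EventTarget` stand-ins for password inputs so the block also runs in Node.

```javascript
// Added example (not from the original post). Fields only need the
// EventTarget interface, so this runs in a browser console and in Node >= 15.
const CLIPBOARD_EVENTS = ["copy", "cut", "paste"];

// Anti-pattern described above: the confirmation field cancels paste,
// which locks out password-manager users.
function blockPasteOnConfirm(confirmField) {
  confirmField.addEventListener("paste", (e) => e.preventDefault());
}

// Alternative suggested in the post: leave paste alone everywhere and only
// stop copy/cut on the FIRST field, so a typo cannot be duplicated into the
// second field while pasting from a password manager still works in both.
function blockCopyOnFirstField(passwordField) {
  for (const type of ["copy", "cut"]) {
    passwordField.addEventListener(type, (e) => e.preventDefault());
  }
}

// Audit helper: fire a synthetic cancelable event of each clipboard type
// and record which ones a page handler cancelled.
function auditClipboard(field) {
  const blocked = {};
  for (const type of CLIPBOARD_EVENTS) {
    const ev = new Event(type, { bubbles: true, cancelable: true });
    field.dispatchEvent(ev);
    blocked[type] = ev.defaultPrevented;
  }
  return blocked;
}

// Constructed stand-ins for two <input type="password"> pairs.
function demo() {
  const bad = { password: new EventTarget(), confirm: new EventTarget() };
  blockPasteOnConfirm(bad.confirm);

  const good = { password: new EventTarget(), confirm: new EventTarget() };
  blockCopyOnFirstField(good.password);

  return {
    badConfirm: auditClipboard(bad.confirm),
    goodPassword: auditClipboard(good.password),
    goodConfirm: auditClipboard(good.confirm),
  };
}

console.log(demo());
```

The audit only sees handlers attached to the clipboard events themselves; a page that blocks pasting some other way, for example by cancelling the keyboard shortcut, is not reported.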
If you are a Firefox user, there is a quick workaround (but we'll see a better solution later, using the luminous plugin, that works for all browsers). To disable the clipboard event override:
- Go to `about:config`
- Search for `dom.event.clipboardevents.enabled`
- Double-click the value to change it from `true` to `false`
Now websites can't override any clipboard events!
If you wonder whether this trick can break some behavior, I think not, because most of the time clipboard events are used to:
- block copy/paste, that's what we want to avoid
- infect you (e.g. a pastejacking attack)
So either way we don't want it. Instead, it will even harden your browser a little bit.
luminous plugin
Identify, analyze and block code execution and event collection through JavaScript in your browser with code interception.
The Luminous web-browser plugin helps you see which JavaScript events are executed on the current webpage and lets you allow or block them.
It's available for Mozilla Firefox, Chromium and Opera.
Disabling `dom.event.clipboardevents` in Firefox was a radical option and breaks some website behavior, like on Twitter or Google Docs.
So rather than doing that, installing luminous allows you to block the paste event only for some websites, or to block it everywhere and whitelist some legit usages.