1Password should by default just always capitalize one word, and add “1” at the end of the memorable password. Since the words are separated by “-” or “.”, you already hit the “at least one symbol” rule.
I pity the folks who don’t know how to use dev tools.
Banks seem to really like to not allow you to paste direct deposit information, which is insane. I get that they likely are thinking, well, we don't want you to type it into the first field and copy it into the second.
But I am copying it right from my bank's website, being forced to type it twice is just going to make it more likely I enter an error and I can guarantee you I am looking at that first field when I am typing the verification one.
The way it works is you have a hundred government regulators around the world, full of underpaid bureaucrats straight out of school, who introduce vague, poorly thought out requirements. The consequences of non-compliance often being existential for the business: you can lose your license, your clients, and in some cases, your freedom.
Next a bunch of lawyer/compliance-y types take those requirements from around the world and try to distil them down to a specific (but onerous) set of controls by interpreting the guidelines cautiously. Obviously all they care about is making sure that if you do get popped, you can claim you did everything in compliance with the regulations and you get to continue trading.
Often these rules are transitive too, so you need to have some level of certainty that the other parties in your supply chain are also compliant, so independent auditors spring up to provide some third party accreditation. Your CFO sees this purely as a cost and doesn't want to pay much for it, so the pressure is to make this auditing as simple as possible, so their checklists become oriented around things they can easily check to demonstrate compliance with a particular control.
So some original requirement like "it should not be possible to share passwords between multiple users" ends up being bastardised down the chain until the item on the checklist is "don't allow pasting into the password field". Obviously by this point, everyone's actually forgotten why that checklist item was created, so even if the original requirement disappears, the checklist item lives on, often, forever.
It's only in rare, high-profile circumstances where a previous requirement is explicitly and noisily repudiated that old items tend to disappear. Even then it can take years. I'm still having to fight back auditors asking for mandatory monthly password changes, for example, in a system that uses passkeys...
One click and I can paste anyway. Nyah nyah nyah nyah nyah nyah.
The web developer should not be able to disable pasting. Just like they should not be able to disable autofill, and other features that the user wants and has enabled.
So many things web sites do that are counter to the user's expectation, where I think to myself: Why even have that lever?
The purpose, which is to make sure the user knows what they're deleting permanently, is defeated if they can copy the end of the URL string and paste it straight in. Adding a bit of friction there is helpful.
The actual answer to your question is more like "someone thought it was a good idea and now we're stuck with it", though. More browsers should offer a force paste in the context menu, because when all is said and done, it's my browser, and if I want to do something, I should be able to do it.
While I like the dialogue, it’s only a step up over a confirmation dialog (forcing you to switch from clicking to typing). So disabling paste doesn’t add anything to that. I’d rather they have a trash section so I can undelete or force remove the project.
- keyloggers (safer to click instead of type -> on-screen keyboard then)
- but then it turned out Internet Explorer had a bug which allowed attackers to read the mouse click events' X/Y coordinates in other windows which then could be mapped to the on-screen keyboard digits if the layout is predictable
And it also makes my laptop's fan spin up for about 5 seconds on the page load or reload. No idea WTF they're doing - cryptomining?
https://www.ing.com.au/securebanking/
My password manager appears to type the access code successfully but you can't click on login until you click on the stupid keypad.