How To Get Around Websites That Block Pasting For Password Fields On macOS

For reasons that are still a mystery to me, some websites seem to think it's more secure to force you to manually type passwords or verification codes. For those of us who use password managers and strong randomly generated passwords, this is a major hassle. I have also seen financial institutions disable pasting account numbers. Initially, I was thinking of writing an article about why doing this is a UX and security anti-pattern that weakens security and causes unnecessary inconvenience for users, but I found Troy Hunt's great article on the subject, titled "The Cobra Effect That Is Disabling Paste On Password Fields". Instead of duplicating similar arguments, I decided to share my personal workaround in a short article.

Existing solutions that I could find all involved JavaScript or Chrome Developer Tools hacks or required Chrome extensions that would need intrusive access to website content. I wanted to have a simple workaround that was easily reusable for any website or field without having to mess around with the code each time and that did not require a Chrome extension to be installed.

To achieve this, instead of trying to solve the problem at the browser level, I decided to get around the browser and the website's JavaScript by making sure the browser cannot tell a paste event is even happening. Instead, I make the browser think individual keys are being pressed. To do this, we need the operating system to simulate key presses. Fortunately, on macOS this is easy to do using osascript. For example, to simulate a key press of a capital A you can simply run the following in the Terminal:

echo 'tell application "System Events" to keystroke "A"' | osascript

Try this in a terminal right now to see how it works. Combine this trick with the fact that pbpaste outputs the content of the clipboard to stdout and we can write a simple shell script to sleep for a couple of seconds to give you enough time to switch from the terminal window to the browser, then simulate key presses based on the content of the clipboard:

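#!/usr/bin/env bash

sleep 2                # time to switch from the terminal to the browser field
CB=$(pbpaste)          # read the clipboard contents
CB=${CB//\\/\\\\}      # escape backslashes for the AppleScript string literal
CB=${CB//\"/\\\"}      # escape double quotes so they cannot end the string
echo "tell application \"System Events\" to keystroke \"${CB}\"" | osascript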

Save this code in a file, ideally somewhere in your $PATH, make it executable (chmod +x), and you are good to go. Next time you try pasting in a field and notice it's disabled, open a Terminal window, run your script and switch back to the browser within two seconds and watch paste work like a charm! Of course, while the title mentions websites, this trick should work for any application running on your machine as far as I know.
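
A hardened variant of the script above, as an added example that is not the author's code: because the keystrokes go to whatever has focus when the delay ends, it types only if the expected application is frontmost, refuses clipboard text containing a line break, and escapes the text before embedding it in AppleScript. The function names and the application-name argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (macOS): type the clipboard only into the expected app.
# Function names and the app-name argument are assumptions of this example.

# Escape backslashes and double quotes for an AppleScript string literal.
as_quote() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Print an AppleScript that types text $1 only while app $2 is frontmost.
build_script() {
  # A line break in the text could be sent as a key press that submits early.
  if [ "$(printf '%s' "$1" | tr -d '\r\n')" != "$1" ]; then
    echo "refusing: clipboard text contains a line break" >&2
    return 1
  fi
  cat <<EOF
tell application "System Events"
  set frontApp to name of first application process whose frontmost is true
  if frontApp is not "$(as_quote "$2")" then error "focus is on " & frontApp
  keystroke "$(as_quote "$1")"
end tell
EOF
}

# type_clipboard APP [DELAY]: wait, then type the clipboard into APP.
type_clipboard() {
  script=$(build_script "$(pbpaste)" "$1") || return 1
  sleep "${2:-2}"
  # Piped on stdin (not -e), so the text stays out of osascript's arguments.
  printf '%s\n' "$script" | osascript
}

# Run only when given an app name on a system that has osascript.
if [ $# -ge 1 ] && command -v osascript >/dev/null 2>&1; then
  type_clipboard "$@"
fi
```

The first argument is the process name that System Events reports for the target application, for example Safari; an optional second argument overrides the two-second delay.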

Windows users, is there a similar hack that works for Windows? Comment below!