freitasm:

 

The New World Clubcard website doesn't allow paste into the password field and doesn't allow auto-fill from password managers.

 

A couple of friends didn't quite believe me on this. I took a screen recording showing the behaviour and they saw it. Im using Bitwarden, so one of them tried with Google Password Manager, which worked.

I then opened a Widows Sandbox instance, meaning clean browser with defaults. Added the Bitwarden extension only to make sure it's not anything else.

Still the same behaviour. 

So instead of the website itself, it could be the extension.

So I decided to test it.

I ran Windows Sandbox and using the browser with no extensions added... Copy and paste didn't work.

Remember, it's a long and random password, I can't just type it.

Next I install the Bitwarden extension. There's nothing else on that browser. 

It fills the field as expected. The password clears when I click the LOGIN button. I still get a "Wrong password" message. 

I suspect something is going on with the page, so I refresh the page, enter the email address, click CONTINUE and instead of the password I type just one character, any character. 

I then press backspace and use Bitwarden to fill the password.

I click LOGIN.

And it works.

I suspect the developers put some logic there to allow only passwords that are typed in. Paste a password there is not a character typed in. Neither is the Bitwarden auto-fill. But when I type a character it's now ready to accept the field as "manual entry", even if I delete that character.

Now it's ready to accept the input from the password manager.

Basically, whoever developed that webpage is not really helping people use secure passwords and not making the whole site more secure either.

What a weird thing to waste time implementing.