While only scratching the surface of this topic, I've noted that Chrome's password manager does save the pw on the Mobile My Account login screen, and does permit copy/ paste in the pw field. This may not be relevant to creating the pw, or for other browsers, of course.

@MarcJohnson that's right. That bits fine, it's just the generation bit that I was having a problem with

@Anonymous that's another red herring too usually. If passwords are being hashed for storing (which they should be) then the size of the input is irrelevant (as is the character set used)

You mean so a supplier can't ask for the (say) 1st and 3rd characters of you password to confirm they are talking to the account holder?

Now who do we know that does that...?

jelv (a.k.a Spoon Whittler)    Why I have left Plusnet (warning: long post!)    Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month)

As for the password copy/paste js.. I have done a bit of searching around and it seems to be a universally hated 'security standard' and there doesn't seem to be any kind of guidance on where it started and who first implemented it. Out of everything I read, this is one of the more reasonable arguments for using it that I found:

I fully disagree with you. The UK government has just launched the NCSC which as part of the GCHQ is responible for "National Cyber Security". 

Whilst I'm not saying that our government is the most technologically knowledgeable in the world, the GCHQ and therefore the NCSC are very capable in their job.

They posted a guidance about a month ago with the title "Let them paste passwords" https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords

Certainly worth a read and VERY good advice in that article.

Thank you for that link, it is a very interesting read (as well as the others that were provided). I did not know that this was such a hot topic as I had not personally come up against this issue in my own code or the code I am working on. At least in this article it confirms my suspicions that noone really knows where this originated from in the first place. This is all very interesting and something definately needs to be done.

I am gathering all of this evidence and we will raise this with the right people to get this properly looked at.

I've hit just this problem and found this thread.  jaread83, I appreciate your enthusiasm, but 6 months later, the "new password" page neither allows pasting, nor does it even say you can't use '&' as a special character.  (In fact, I'm baffled as to why you limit the range of special characters at all.)

Up until recently the PN mobile site was the only one I'd come across that didn't allow pasting of passwords.

I've just discovered that the government workplace pension site, NEST, doesn't allow pasting EITHER password OR username!.

Obviously the government don't listen to their own National Cyber Security Centre