I consider it a reduction in security because it makes entering proper random passwords more difficult - either I have to paste it somewhere else first (and leave it in plaintext on my screen) OR I have to use a more memorable/shorter password. When I can paste passwords, they can be as long as possible and never are actually visible in any way.
Completely agree. There was a particular US government-run website that I had to use that disabled pasting, and required obscenely long passwords (like 15 character minimum, at least two letters/numbers/symbols/capitals/etc), and forced rotation every 60 days, and aggressively blocked "keyboard patterns" and once a password had been used, it couldn't be used again forever. Given I only had to log in about once every 90 days, I literally had to change my password every time. I've never been more enraged at a product in my life. My passwords for that site may have looked good out of context, but in reality I just figured out "keyboard patterns" that it wouldn't detect and used those, and kept the password in plaintext where I could read and type it. It was the biggest security anti-pattern that I could possibly think of.
They finally fixed it after years of griping (I assume because the skyrocketing interest rates meant a large number of people suddenly began using it), but for a long time the official website for buying US government bonds wouldn't let you use your keyboard at all to enter your password, you had to click on an on-screen keyboard Java applet. For "security". Fortunately most password manager tools could break through it and paste into the password field anyway, but what a fuckup that was.
(And the site still sucks- you can't use the back button at all, for example-- but it sucks infinitesimally less now)
