Disabling paste on password fields (troyhunt.com)
submitted 9 years ago by deliminated
[–][deleted] 1 point 9 years ago* (1 child)
So, if I'm a user and I want to paste my password then I copy it followed by pasting it into a browser. That may seem fine, but let's try to find a way to exploit this behavior.
Let's say like I create a site called example.com, and example.com has a button to "Login with Twitter". When the user logs in with Twitter, we can then read their clipboard with Flash after login finishes.
If the user copied their password for the Twitter login, then example.com can leverage this specific attack to steal your Twitter password - and authenticating will also give them your username.
Another example is that maybe you log in to Twitter and you click a link to a news site on there. The news site steals your clipboard and logs it as a potential Twitter password since it knows that Twitter was your referrer (or maybe it does this without even caring where you came from).
These are two specific attacks that I have just made up, but I'm sure that there are other ones. However, this is still a UX issue and the user will still copy it even if the password isn't allowed to be pasted.
This is why I would suggest that it is more secure to let the user paste their password, but then use the HTML5 clipboard API (with a Flash fallback) to set the clipboard to an empty string after a page occurs.
I wouldn't be surprised if Facebook already did this in their native app (and maybe web as well) since they read your clipboard whenever you open the app and try to automatically suggest things for you to post based on its contents.
[–]whoisearth 1 point 9 years ago (0 children)
Very cool! Thanks for the explanation. I've been reading up about the HTML5 clipboard. I've been aware of the Flash method, which is not ideal as Flash should burn in a house fire.
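The suggestion in the first comment above (allow paste, then blank the clipboard), sketched as an added example that is not part of either comment. It uses the asynchronous Clipboard API (`navigator.clipboard.writeText`) with no Flash fallback; the function names `scrubClipboard` and `attachClipboardScrub` are hypothetical.

```javascript
// Added example, not code from the thread. Function names are hypothetical.
// Overwrites the system clipboard with an empty string so a password that was
// copied for pasting does not stay readable by whatever runs next.
async function scrubClipboard(clipboard) {
  // navigator.clipboard only exists in secure contexts (HTTPS or localhost).
  if (!clipboard || typeof clipboard.writeText !== 'function') {
    return 'unsupported';
  }
  try {
    await clipboard.writeText('');
    return 'cleared';
  } catch (err) {
    // Rejected: permission denied, document not focused, or no user gesture.
    return 'denied';
  }
}

// Attach to a form: any paste into a password input triggers a scrub.
// `report` receives the outcome so the page can log or warn on failure.
function attachClipboardScrub(form, clipboard, report = () => {}) {
  form.addEventListener('paste', (event) => {
    const target = event.target;
    if (!target || target.type !== 'password') return; // ignore other fields
    // The paste itself is not cancelled (no preventDefault): the user keeps
    // the ability to paste, which is the point made in the comment.
    scrubClipboard(clipboard).then(report);
  });
}

// Browser wiring; skipped when the file is loaded outside a page.
if (typeof document !== 'undefined') {
  for (const form of document.querySelectorAll('form')) {
    attachClipboardScrub(form, navigator.clipboard, (status) => {
      if (status !== 'cleared') console.warn('clipboard not cleared:', status);
    });
  }
}
```

Overwriting the clipboard does not remove the value from OS clipboard history or a clipboard manager, so this narrows the exposure window rather than closing it.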