Security Theater at the Download Page

(See CS summary at the end.)

I needed to download VMware Workstation Pro for a new test environment. That now requires a Broadcom account. Registering that account did something that, in practice, pushes users toward weaker security – and it is also counter-productive for a “free download” funnel.

A laptop screen showing a password field where pasting is blocked. A broken padlock icon signifies this leads to weaker security.
Symbolic image: Blocking paste in password fields counterintuitively leads to weaker security. (Image: Rainer Gerhards via AI)

The problem: the password field blocked paste

During my registration (Dec 2, 2025), the password field blocked the paste function. IMHO, that is a fairly outdated “defensive” UI rule that collides head-on with how secure passwords are created and used today: password managers.

The form blocked pasting into the password field, making password-manager use harder instead of easier.

Why this reduces security

If you want strong passwords at scale, you want long, random secrets and you want password managers to generate and fill them. When pasting is blocked (and in my case there was also no “show password” option), users get nudged into bad choices:

  1. Manually type a long random password twice and hope you do not make a mistake.
  2. Pick something short and memorable so you can type it reliably.

The second option is exactly what attackers want. The UI rule is not “more secure”. It is friction that changes user behavior in the wrong direction. I have seen this more than once, and it is typically what happens to me as well when I am faced with such services (especially non-essential ones).

Security theater in one table

| UI restriction | Purported goal | Actual outcome |
|---|---|---|
| Block paste | Reduce risk from clipboard abuse | Discourages password managers and long random passwords |
| No “show password” | Reduce shoulder-surfing risk | Makes long manual entry error-prone, nudges users toward shorter passwords |
| Force re-typing | Confirm user input | Adds friction and increases mistakes for strong passwords |

And it is counter-productive for “free download”

This part is a bit on different territory, but I think it matters: if something is offered as a free download, the registration flow should be as low-friction and low-risk as reasonably possible. Making account creation painful does not just annoy people; it actively creates a moment where they reconsider whether this tool is worth the effort.

I say this as a CEO: good software tends to sell itself once it is in the user’s hands. A bad download and registration experience does the opposite. It seeds doubt and increases the chance that someone takes five minutes to search for alternatives instead of continuing.

This also lands in an unfortunate context. Broadcom has already increased friction for many customers in other ways (again: my personal impression), and the widely discussed high-end pricing and licensing changes have left a lot of people more sensitive to “vendor control” moments. A hostile registration UI fits that narrative even if nobody intended it.

A note for engineers

Client-side “anti-paste” is not a meaningful control. Anyone moderately technical can bypass it (for example by removing event handlers in dev tools) or avoid paste entirely via password-manager autofill. The only consistent effect is that normal users get punished for doing the right thing.

This is something we always need to keep in mind: security has to be engineered so that it is not only secure but also manageable for the task at hand. A simple download registration obviously has a different security profile than securing syslog transport via mTLS. Use measures and user interfaces that fit the actual risk.

What to do instead

  • Allow paste and allow password-manager autofill (do not fight the browser).
  • Add a “show password” toggle (with sane defaults).
  • Prefer modern auth options where possible: passkeys (WebAuthn) and MFA.
  • If you enforce complexity, make it easy to comply securely.
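To make the note for engineers and the list above concrete, here is a constructed page (added example markup, not code from the original post and not a copy of the Broadcom form) that puts the anti-pattern next to a corrected form. The first form blocks paste and drop and offers no way to reveal the typed value; the second lets the password manager fill the field, reveals on request, and drops the redundant confirmation field. The commented console snippet shows why the block is not a control: the same script that installs it removes it. Element ids, the `weak`/`good` form names and the 12-character minimum are assumptions.

```html
<!doctype html>
<meta charset="utf-8">
<title>Password field: anti-pattern vs. corrected form (constructed example)</title>

<!-- Anti-pattern: the "defensive" rule the post describes. Paste and drop are
     blocked, autofill is discouraged via autocomplete="off", and there is no
     reveal, so a long random secret must be typed blind, twice. -->
<form id="weak" autocomplete="off">
  <label>Password
    <input type="password" name="pw" onpaste="return false" ondrop="return false">
  </label>
  <label>Repeat password
    <input type="password" name="pw2" onpaste="return false" ondrop="return false">
  </label>
  <button>Register</button>
</form>

<!-- Corrected form: let the browser and the password manager do their job. -->
<form id="good">
  <label for="new-pw">Password (at least 12 characters)</label>
  <!-- autocomplete="new-password" asks password managers to offer a generated
       secret. minlength is a UI hint only; the server must enforce it as well. -->
  <input id="new-pw" type="password" name="password"
         autocomplete="new-password" minlength="12" required
         spellcheck="false" autocapitalize="off">
  <button type="button" id="toggle" aria-pressed="false" aria-controls="new-pw">
    Show password
  </button>
  <!-- No "repeat password" field: once the value can be pasted and revealed,
       a confirmation field only adds friction. -->
  <button>Register</button>
</form>

<script>
  // Show/hide toggle for the corrected form. Hidden by default; the user opts in
  // to reveal, which covers shoulder-surfing without forcing blind typing.
  const field = document.getElementById('new-pw');
  const toggle = document.getElementById('toggle');
  toggle.addEventListener('click', () => {
    const reveal = field.type === 'password';
    field.type = reveal ? 'text' : 'password';
    toggle.textContent = reveal ? 'Hide password' : 'Show password';
    toggle.setAttribute('aria-pressed', String(reveal));
  });

  // Why the anti-pattern is not a control: paste it into the DevTools console
  // on this page (or uncomment it) and the "weak" form accepts paste again.
  //
  //   for (const el of document.querySelectorAll('#weak input[type=password]')) {
  //     el.removeAttribute('onpaste');          // drops inline handlers
  //     el.removeAttribute('ondrop');
  //     el.replaceWith(el.cloneNode(true));     // cloneNode() copies attributes
  //   }                                         // but not addEventListener handlers
  //
  // Password-manager autofill sets the field value directly and dispatches
  // input/change events, not a paste event, so the block never touched it.
  // The only people it stops are those pasting by hand.
</script>
```

Two design points: `autocomplete="new-password"` is the signal most password managers key on to offer a generated credential on a registration form, whereas `autocomplete="off"` (as in the weak form) is what makes them hesitate; and `minlength` is convenience only, so the same rule has to be checked server-side where the real control lives.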

CS summary

  • HCI constraint -> security regression: blocking paste (and no “show password”) reduces password-manager use, increases errors, and nudges users toward shorter, memorable passwords.
  • Population effect: added friction systematically lowers effective password entropy and increases password reuse, regardless of nominal “complexity” rules.
  • Control quality: JavaScript-only anti-paste is bypassable and misaligned with primary credential threats; prefer enabling managers + MFA/passkeys.