I always assumed this anti-pasting was a requirement of some braindead auditor who insisted that this was a necessary security mechanism.
If they aren't, there's a lot of "debt" in the passwords space, like Troy mentions. This is just something that will get better as websites get better. Webapps are much more complicated today than 5 years ago, on average, and as complexity increases things like user auth will get better and more homogeneous. This is especially true if Google and Apple have their way with the Credential Management RFC and get people to have a reason to save their passwords with chrome.
"Passwords" are getting better but we need another 5 years to get us there.
I had a quick look through PCIDSS which is the usual source of this kind of nonsense, but couldn't see anything. However when the first site in the posting talked about losing their "security certificate" they were almost certainly talking about PCI or some related standard.
If they aren't, there's a lot of "debt" in the passwords space, like Troy mentions. This is just something that will get better as websites get better. Webapps are much more complicated today than 5 years ago, on average, and as complexity increases things like user auth will get better and more homogeneous. This is especially true if Google and Apple have their way with the Credential Management RFC and get people to have a reason to save their passwords with chrome.
"Passwords" are getting better but we need another 5 years to get us there.