Chapter #36. Always Allow the User to Paste into Password Fields
It's difficult to fathom where this pattern of disabling paste came from or what possible security issue it's supposed to address. Using some JavaScript on the page to prevent users from pasting into a password field is insane and potentially harmful for security.
A user with a password manager app will have a long, impossible-to-remember password that has to be pasted into the field (especially on mobile, where it's more tricky to autofill the field).
It's a good general rule across the board to not interfere with standard system behaviors (copy, paste, find, zoom, right-click, and so on), as they are all basic interactions that the user will have grown accustomed to over years of working with various devices. To deliberately disable these behaviors on your product is nonsensical, yet it still happens. Designers think that they can improve security, reduce plagiarism, or other factors that aren't user-centric.
Back in the 1990s...