Prohibiting paste on the second password field at first seems like an attempt to prevent users from accidentally mistyping the wrong password, then copying it. But would only work if copying a password field worked. I suspect somebody thought it would solve a problem without attempting to reproduce the problem.
But there’s one angle to this that helps explain the madness and it goes back to that earlier PayPal screen grab. This was of the change password page, not the login page. You can easily paste into the login page and in fact you can even paste into the original password field on the change password page, just not the new password field or the other field that confirms it.
I don’t think the post is talking about your flow. It seems to differentiate between the current password field and new password field. You’re differentiating between the new password field and the verify new password field.
I loved the cobra story :)
Is there a Chrome extension that fixes this? That seems like it might be trivial (but risky, too).
It seems there is: https://github.com/jswanner/DontFuckWithPaste