[Update: TreasuryDirect upgraded its website. The new site doesn’t use the virtual keyboard anymore.]
You have to log in separately using each assigned TreasuryDirect account number, not a user ID you register for yourself. It’s difficult to remember the TreasuryDirect account numbers. You’d have to save them somewhere, ideally in a password manager such as KeePass, Bitwarden, or LastPass.
You copy the account number from the password manager and paste it on the login page. You’ll receive a one-time passcode at your registered e-mail address. The one-time passcode is case sensitive. You copy and paste it on the next page. So far so good.
Now comes the password part. You can’t copy and paste directly into the password field in your web browser. The TreasuryDirect website uses this virtual keyboard:
You click on the buttons with your mouse or finger to enter your password. If you follow the recommended security practice and use a long password with a mix of letters, numbers, and symbols, it’s painful to enter your long password.
Some password managers can fill in the password automatically. 1Password and Keychain on Mac work out of the box. If your password manager doesn’t, you may be tempted to reset your password to a simpler one just to avoid this pain. Don’t. There’s a workaround.
Remove HTML Attribute
The reason you can’t paste into the password field is that the TreasuryDirect web page instructs your browser to set that field to read-only. When you’re on your laptop, if you right-click on the password field and choose “Inspect” in the context menu (it works at least in Chrome and Firefox), you will see this:
<input type="password" autocomplete="off" readonly="readonly" name="password" size="20" maxlength="16" class="pwordinput" value="" data-cip-id="blah blah">
When you double-click in that area and simply remove the part in red, the password field won’t be read-only anymore. Now you can copy and paste your password!
Whether the password field is read-only or not only affects the behavior of your browser. Whether you click on the virtual keyboard or copy and paste your password, the password will be transmitted to TreasuryDirect securely via SSL in the same way.
This works in a desktop browser. It’s difficult or impossible on a mobile device.
If you’d like to eliminate the extra steps to right-click and remove the HTML attribute every time you log in, you can use a browser bookmark to automate the task. Create a bookmark in your browser and use this as the URL:
Even if you don’t know anything about coding, you can see this looks for the password field (“pwordinput”) and removes the read-only attribute.
Next time you’re on the password page in TreasuryDirect, click on that bookmark. Nothing visible happens but it removes the read-only attribute from the password field. You can copy and paste your password from the password manager now.
It works the same way as manually removing the HTML attribute. It just happens in one click instead of multiple steps.
If you’re more technical and you already use a browser extension or add-on such as Greasemonkey for Firefox or Tampermonkey for Chrome, you can put a script in the browser extension and eliminate that one click of a bookmark.
Using a browser extension is beyond the scope of this post. Here’s a solution I found on the Internet:
I didn’t test either script. It may not be the only solution or the best one. Please inspect and use it at your own risk. Because I don’t log into the TreasuryDirect system frequently, clicking on a bookmark once per session is easy enough for me.
Say No To Management Fees
If you are paying an advisor a percentage of your assets, you are paying 5-10x too much. Learn how to find an independent advisor, pay for advice, and only the advice.