Hacker News
by probably_wrong 2844 days ago
A couple (bad) examples I can think of:

* you leave the password in the clipboard, and another website copies it (used to be a thing, I think it's patched now)

* same case, but now a coworker comes to your unattended PC and retrieves the password by pasting it somewhere

* allowing pasting would undermine the idea that you should never write your password down, and lead to a proliferation of files called "passwords.txt" on everybody's desktops

None of these arguments is really good, but I can believe that they would be the result of a world without widespread password managers (also known as "the 90s") and tradition.

4 comments

> * allowing pasting would undermine the idea that you should never write your password down, and lead to a proliferation of files called "passwords.txt" on everybody's desktops

"Never write a password down" has always been a bad idea. A file named "passwd.txt" on my desktop still is better than using a trivial password or the same password on all sites. It still requires compromise of my machine and prevents the password from being recovered from a dump of the pw-hashes.

And if your PC has full disk encryption and you lock your PC when afk, then it's pretty close to a password manager.
No, there's a reason password managers should be preferred. For example, sometimes (browser) sandbox escapes grant reading of arbitrary files. Take for example the recently discussed malware scanner that sent the browsing history; it could read such a file and transfer it back.
If you have malware on your device you lose already. It can just read memory out of your browser process and steal your passwords.
"Just".

Modern browsers and OS kernels have extensive mitigations against this. Reliably extracting a password from a browser process's heap would be newsworthy today.

I think “just” is apt. If you have a web request to send the password, you will have a url or username string very close by in memory that can be searched for.
I specifically picked an example of a malware that was capable of reading arbitrary files, but not arbitrary memory because the authors found a simple way to trick users into granting them this permission set, but not another.

A sandbox escape that allows the attacker to trick the browser into sending arbitrary files back is also substantially different to having malware on your system that can read arbitrary memory.

Windows doesn't encrypt files on lock. You can tell this because your applications keep running...
But that's not the point. The point is they have to break past your login screen, or, failing that, pull data from your storage while it's "offline" (i.e. not booted). If it's encrypted, they can't pull data off your drive externally, and as long as they can't log in you're fine. Plus all the data is stored still encrypted. It's not like it decrypts the drive when you boot, it just enables a decryption algorithm that decrypts data on the fly (AFAIK).
The data is encrypted, but as long as the encryption keys are in memory, they could be retrieved via either an attack against peripheral ports that can read memory (Thunderbolt has proven vulnerable and USB too, iirc) or via a cold boot attack, possibly using freeze sprays. Such attacks against FDE have been demonstrated. A good password manager purges the keys after a bit or on lock. pass ties into the gpg ecosystem and thus allows having the keys on a smartcard, a capability I’d like to see in other PW-managers.

macOS has the option to purge decryption keys from memory on lock, but that effectively puts the computer to sleep on lock. It’s more secure, but annoying as hell since all network connections die (VPN, ssh, ...)

True, there were a couple teams recently with proof of concept for a cold boot attack on BitLocker, so I guess it's still not so secure. But unless you've got some crazy blackhat or a three letter agency after you, I'd argue you're probably not at risk ;)
If you have a fancy "USB" port which allows connexion of graphics cards (so basically a PCIe port, although it also accepts USB), chances are that you can do whatever you want with unrestricted DMA through this port. It seems that letting Windows use the IOMMU is only allowed on the Enterprise edition, which is basically unavailable for the general public. So facing determined and/or well financed actors, it is as if the Windows login does not exist anymore for tons of Windows users.
Using the clipboard at all for security related things like temporarily storing a password is a bad idea. The clipboard is a big public billboard visible to anything running on your computer.

The fact that password managers use it at all is simply because it is the only hack that works to reliably get data into password boxes. Yes, it's a hack. The HTML5 spec should have exposed a mechanism to securely insert data into an element tagged for such a purpose. A one way mechanism.

> Using the clipboard at all for security related things like temporarily storing a password is a bad idea.

(Emphasis mine.)

Well. The moment you have evil code running on your box, as you, then I'll naively assume you have a bigger problem to deal with anyway.

> The clipboard is a big public billboard visible to anything running on your computer.

And everything from client work to love letters in my home folder is available to anything that runs as me, unless I've gone out of my way to secure it - and succeeded.

Not saying the clipboard isn't a problem.

Not saying browsers shouldn't expose a carefully thought out API.

But the way I read your post it might scare people away from password managers and back to a single password or passwords written on papers stored within reach from the workplace.

> But the way I read your post it might scare people away from password managers and back to a single password or passwords written on papers stored within reach from the workplace.

Browser extension password managers are very much a step in the right direction. For most people, they strike the right balance between convenience and security. I guess I'm just a very paranoid developer who does not value that convenience as much as most.
> The clipboard is a big public billboard visible to anything running on your computer

So is your keyboard buffer. If someone's already in your computer watching your clipboard they're probably also watching anything you type too

On X11 and Windows (except UWP apps probably?), yes. On Wayland, random apps can't listen to global keyboard events.
A number of people dislike Wayland because applications can't watch the screen, keyboard input, clipboard etc outside of their own window. Really, that's one of its great strengths over X11.
I'm curious, how does an application such as OBS Studio (https://obsproject.com/) work with such limitations in place?
Through some API that checks authorization.

Eventually everyone should be using https://github.com/flatpak/xdg-desktop-portal/blob/master/da... (which is based on https://pipewire.org )

For now, e.g. https://github.com/fzwoch/obs-gnome-screencast uses org.gnome.Shell.Screencast

KeePass tries to mitigate this, as well as keyloggers, by splitting autoinsertion into parts using both. An even better solution is probably one-time passwords with 2FA.
Thanks, that's good to know!
Does any password manager use a virtual keyboard to type the passwords in? That would avoid using the clipboard, but wouldn't work with one of my banks which doesn't even have an input box. They show a keyboard on screen and you have to click on the letter to type your password.
You have to type in your password WITH YOUR MOUSE??? Wow. Sounds like a great way to make sure everyone uses the minimum allowed length for their passwords...
One of mine has this mouse-to-type feature coupled with numbers only and max length of 6...
KeePass can "auto-type" the password by emulating keyboard events.
passmenu --type
> you leave the password in the clipboard, and another website copies it (used to be a thing, I think it's patched now)

Even if it were not patched, how does a site disabling "paste from clipboard" remove my password that I have already copied to the clipboard?

Note that I would copy the password first and then I would realise that the site is not allowing me to paste it.

You only realize that the field doesn’t support pasting once and don’t attempt it ever again. If it allows pasting, the password will be in the clipboard every time you log in, which arguably could be more times than one.
No, the next time I try again and after it fails again then remember they didn't allow it and curse them for not fixing it already. Then repeat the process.
If the issue is that it stays in the clipboard, the site could just remove it once pasted or when sending the form.
I am not familiar with JavaScript. Could someone share some sample JavaScript code that shows how it allows the browser to modify my system clipboard?
Check out clipboard.js.
1Password clears your clipboard after a short period of time, and you can customize it. Is this not a standard feature of all password managers?
So does pass and KeePassX.
And pwSafe (based on some of Bruce Schneier's work), FWIW.
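
The timed clipboard clearing mentioned in the last few comments, sketched as an added example; it is not part of the thread and not the code of 1Password, pass, KeePassX or pwSafe. `copyWithAutoClear` and `memoryClipboard` are hypothetical names, the 30-second default is an assumption, and the only real API assumed is the `readText()`/`writeText()` shape of the browser's `navigator.clipboard`.

```javascript
// Added example. memoryClipboard() is a constructed stand-in exposing the
// same async readText()/writeText() shape as the browser's navigator.clipboard.
function memoryClipboard(initial = "") {
  let value = initial;
  return {
    readText: async () => value,
    writeText: async (text) => { value = text; },
  };
}

// Copy `secret`, then wipe it after `ttlMs` (30 s default is an assumption).
// Resolves once the timer has fired with one of:
//   "cleared"    - the secret was still there and has been overwritten
//   "left-alone" - the user copied something else; their data is untouched
//   "no-access"  - the clipboard could not be read or written at that time
async function copyWithAutoClear(clipboard, secret, ttlMs = 30000) {
  await clipboard.writeText(secret);
  return new Promise((resolve) => {
    setTimeout(async () => {
      try {
        // Compare before wiping: blindly clearing would destroy whatever
        // the user has copied since the password was placed there.
        const current = await clipboard.readText();
        if (current !== secret) {
          resolve("left-alone");
          return;
        }
        await clipboard.writeText("");
        resolve("cleared");
      } catch (err) {
        // Browsers reject clipboard access without focus or permission.
        resolve("no-access");
      }
    }, ttlMs);
  });
}
```

In a page, pass `navigator.clipboard` as the first argument; reading it back requires a focused document and the user's permission, which is why the "no-access" outcome exists.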