by davidhyde 2843 days ago
Using the clipboard at all for security related things like temporarily storing a password is a bad idea. The clipboard is a big public billboard visible to anything running on your computer.

The fact that password managers use it at all is simply because it is the only hack that works to reliably get data into password boxes. Yes, it's a hack. The HTML5 spec should have exposed a mechanism to securely insert data into an element tagged for such a purpose. A one-way mechanism.

4 comments

> Using the clipboard at all for security related things like temporarily storing a password is a bad idea.

(Emphasis mine.)

Well. The moment you have evil code running on your box, as you, then I'll naively assume you have a bigger problem to deal with anyway.

> The clipboard is a big public billboard visible to anything running on your computer.

And everything from client work to love letters in my home folder is available to anything that runs as me, unless I've gone out of my way to secure it - and succeeded.

Not saying the clipboard isn't a problem.

Not saying browsers shouldn't expose a carefully thought out API.

But the way I read your post it might scare people away from password managers and back to a single password or passwords written on papers stored within reach from the workplace.

> But the way I read your post it might scare people away from password managers and back to a single password or passwords written on papers stored within reach from the workplace.

Browser extension password managers are very much a step in the right direction. For most people, they strike the right balance between convenience and security. I guess I'm just a very paranoid developer who does not value that convenience as much as most.

> The clipboard is a big public billboard visible to anything running on your computer

So is your keyboard buffer. If someone's already in your computer watching your clipboard, they're probably also watching anything you type too.

On X11 and Windows (except UWP apps probably?), yes. On Wayland, random apps can't listen to global keyboard events.
A number of people dislike Wayland because applications can't watch the screen, keyboard input, clipboard etc outside of their own window. Really, that's one of its great strengths over X11.
I'm curious, how does an application such as OBS Studio (https://obsproject.com/) work with such limitations in place?
Through some API that checks authorization.

Eventually everyone should be using https://github.com/flatpak/xdg-desktop-portal/blob/master/da... (which is based on https://pipewire.org )

For now, e.g. https://github.com/fzwoch/obs-gnome-screencast uses org.gnome.Shell.Screencast

Keepass tries to mitigate this, as well as keyloggers, by splitting autoinsertion into parts using both. An even better solution is probably one-time passwords with 2FA.
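The splitting idea in the comment above, as an added illustration that is not KeePass's own code: this is a simplified model of two-channel auto-type obfuscation, not KeePass's actual algorithm. The secret is cut into chunks, even-numbered chunks are delivered as simulated keystrokes and odd-numbered ones via a simulated clipboard paste, the chunks are emitted in shuffled order, and cursor moves put each one in the right place. The names `plan_actions`, `execute`, `SimField` and the sample secret are assumptions made for the example. The point it shows is that the target field ends up with the full secret while neither channel on its own carries it.

```python
"""Simulated two-channel auto-type obfuscation (constructed example, not KeePass code)."""
import random
from dataclasses import dataclass, field


@dataclass
class SimField:
    """Stand-in for a text input: a character list plus a cursor position."""
    text: list = field(default_factory=list)
    cursor: int = 0

    def insert(self, s):
        """Insert s at the cursor, as typing or pasting would."""
        for ch in s:
            self.text.insert(self.cursor, ch)
            self.cursor += 1

    def move_left(self, n):
        self.cursor = max(0, self.cursor - n)

    def move_right(self, n):
        self.cursor = min(len(self.text), self.cursor + n)


def plan_actions(secret, chunk_len=3, seed=0):
    """Build a list of actions: ('type', s), ('paste', s), ('left', n), ('right', n).

    Chunks are emitted in a shuffled order; cursor moves keep the final text
    in the right order.  Even-indexed chunks go via keystrokes, odd-indexed
    ones via the clipboard, so each channel sees roughly half the secret.
    """
    rng = random.Random(seed)
    chunks = [secret[i:i + chunk_len] for i in range(0, len(secret), chunk_len)]
    order = list(range(len(chunks)))
    rng.shuffle(order)

    actions = []
    inserted = []   # chunk indices already placed in the field
    cursor = 0      # planner's model of the cursor position
    for idx in order:
        # The field always holds the inserted chunks in index order, so the
        # slot for chunk idx sits after every inserted chunk with a lower index.
        target = sum(len(chunks[j]) for j in inserted if j < idx)
        if target < cursor:
            actions.append(("left", cursor - target))
        elif target > cursor:
            actions.append(("right", target - cursor))
        channel = "type" if idx % 2 == 0 else "paste"
        actions.append((channel, chunks[idx]))
        cursor = target + len(chunks[idx])
        inserted.append(idx)
    return actions


def execute(actions):
    """Replay the plan into a SimField and record what each channel observed.

    Returns (final_text, keystroke_log, clipboard_log).
    """
    fld = SimField()
    keystrokes, clipboard = [], []
    for kind, arg in actions:
        if kind == "left":
            fld.move_left(arg)
        elif kind == "right":
            fld.move_right(arg)
        elif kind == "type":
            keystrokes.append(arg)   # visible to a keystroke observer
            fld.insert(arg)
        elif kind == "paste":
            clipboard.append(arg)    # visible to a clipboard observer
            fld.insert(arg)
    return "".join(fld.text), keystrokes, clipboard


def demo(secret="correct-horse-battery", seed=0):
    """Plan, execute and return (final_text, keystroke_log, clipboard_log)."""
    return execute(plan_actions(secret, seed=seed))


if __name__ == "__main__":
    final, keys, clip = demo()
    print("field contents :", final)
    print("keystroke view :", "".join(keys))
    print("clipboard view :", "".join(clip))
```

Running it shows the field holding the whole secret while the keystroke log and the clipboard log each contain only a subset of the chunks, which is the property the comment describes; a single-channel observer still learns something, which is why the comment's further suggestion of one-time codes is the stronger mitigation.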
Thanks, that's good to know!
Does any password manager use a virtual keyboard to type the passwords in? That would avoid using the clipboard, but wouldn't work with one of my banks, which doesn't even have an input box. They show a keyboard on screen and you have to click on the letters to type your password.
You have to type in your password WITH YOUR MOUSE??? Wow. Sounds like a great way to make sure everyone uses the minimum allowed length for their passwords...
One of mine has this mouse-to-type feature coupled with numbers only and max length of 6...
Keepass can "auto-type" the password by emulating keyboard events.
passmenu --type