by mikece 2124 days ago
A habit I carried over from using KeePassXC is that I don't use a browser extension. Call it paranoia but I don't want the browser process to have the ability to reach into my password manager. What I do is pin the Bitwarden tab open and just copy & paste where needed. For the desktop app it would be awesome if it had an auto-type feature like KeePassXC (something that mystifies coworkers who see that in action for the first time, even remotely). Even though my employer has a corporate LastPass account for shared production passwords I insist on using KeePassXC for non-shared credentials. I've told those who need to be notified and there is general indifference what password manager I use for non-shared credentials (AWS login, GitLab credentials, storing SSH keys, etc) as long as it's secure.

You're losing out on certain types of phishing protections by doing this.

You're also potentially opening yourself up to any apps/tools that are keeping an eye on your clipboard if you're copying and pasting. Auto-type might help with that, but I also wouldn't hold my breath for such a feature coming.

And at the same time you win by not falling victim to "oops, there is a bug in our browser add-on that accidentally leaks arbitrary login data to websites", as has happened in the past. Leaking all my credentials certainly sounds more concerning to me than leaking the credentials to a single page.
KeePassXC asks for permission to share each credential with the browser, with a "Remember" checkbox. You can have convenience for your unimportant logins while keeping your sensitive credentials fully secure.
Eh... I'm going to go a different route.

Compromising everything is easier, it means you have to change the password for everything and know it was compromised.

If only SOME stuff is compromised then you don't know what was compromised so you end up having to change everything anyway.

I mean, that's at least my approach. I'd rather know I needed to keep an eye on everything rather than some things. At least then I know I can take appropriate precautions.

If you are infected with a clipboard logger chances are it is also a keyboard logger. Frankly, at that point you're unlikely to be saved by a browser extension anyway.
I'm not sure I follow. Browser extensions aren't simulating keyboard strokes, so they absolutely would save you in that case.
You assume that any malware that is in a position to log keyboard and clipboard events is somehow not in a position to do things like install its own trusted certificate, perform dll injection, or otherwise intercept the password anyway. Not to mention that with all the other things it has access to it might not need said password to fuck up your life.

It's a poor argument for choosing browser extensions over cut & paste because the circumstances where it has an advantage are incredibly specific.

> It's a poor argument for choosing browser extensions over cut & paste because the circumstances where it has an advantage are incredibly specific.

I agree that malware that has that power could do something else, but the parent post incorrectly asserted that the specific attack of keylogging would work, which it doesn't. I wasn't arguing that as the reason to use them over copy/paste.

The main thing extensions save you from is phishing attacks because they verify the origin of the page is correct for the entry, which is a really common attack and a hard thing for humans to verify consistently, and doesn't require any malware on your machine.
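The origin check this comment (and others further down) describes, as an added, constructed example that is not code from any poster, nor from Bitwarden or KeePassXC: an entry is released only when the page's normalised origin equals the origin it was saved for. The vault contents and hostnames are made up.

```python
from urllib.parse import urlsplit

# Constructed sample vault: entries keyed by the exact origin they were saved for.
VAULT = {
    "https://accounts.example.com": {"user": "alice", "secret": "<placeholder>"},
    "https://gitlab.example.com": {"user": "alice", "secret": "<placeholder>"},
}


def origin_of(url):
    """Return scheme://host[:port] for a URL, or None if it has no usable host.

    The host is lower-cased and a trailing dot dropped; the scheme's default
    port is omitted so https://h:443/ and https://h/ compare equal.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    default_port = 443 if parts.scheme == "https" else 80
    try:
        port = parts.port
    except ValueError:  # malformed port: treat as no usable origin
        return None
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def credential_for(page_url, vault=VAULT):
    """Autofill decision an extension can make but a human copy-pasting cannot
    reliably: fill only on an exact origin match. A lookalike domain, the real
    host embedded as a subdomain of another host, or an http downgrade of an
    https entry all yield None, so nothing is ever typed into the wrong page.
    """
    origin = origin_of(page_url)
    if origin is None:
        return None
    return vault.get(origin)
```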

Of course, but in the case that the app is not actually "attacking" you, and is instead just poorly written and/or poorly thought out you're reducing your risk.

A lot of time you can attribute compromises to ignorance rather than malice.

So an app that is stupidly logging the clipboard and doing dumb things with that data, rather than being a malicious app.

Not much can help you if an app on your machine is in a position of power.

That depends on how many horrible ideas make their way from phone to desktop.
That is the one thing that worries me about iOS (okay: the BIGGEST concern, not the ONLY concern) now that it has been shown that TikTok and LinkedIn (apps not on my phone) are copying the contents of the clipboard. I had not thought of using a browser plugin to avoid clipboard scavengers on non-mobile OSes: I'll have to give that some thought now.
iOS has a standard API for password managers. There's no reason not to use it.
Really hoping Apple makes this feature available in macOS so that password managers can hook into it in an official way. Every year I keep crossing my fingers but it never happens.
And you are gaining that many passwords are not shared with the browser. I rely on in-browser password storage (which you can also encrypt, e.g. in Chrome) for frequently accessed sites.

I think the separation of concerns outweighs the KeePassXC<->Browser integration part.

If your computer is compromised (meaning occasional copy&paste is not secure) you have WAY more problems than only Keepass and phishing.

Auto-type is much worse; never use an auto-type feature, it can easily fall prey to insertion into hidden input fields.
KeePassXC has a thing where it asks you before it will give the browser the password the first time for a given URL. I don't know if you can force it to always prompt you, but that would seem a better solution—as others have pointed out, copy/paste and even auto-type opens you up to more attacks.
Browser extensions have the benefit of being more resilient against phishing (since they can perform origin checks), which I would definitely recommend for most users.
I'm doing a similar thing with KeePass. While there are browser extensions to work with KeePass, I decided not to use those. I'm using Ctrl+B, Ctrl+V for the user name and I'm using Ctrl+V, which sends keystrokes into the browser, to fill the password. Actually most websites remember my login information for a long time, so this is not a problem at all. And I like to keep some sense of control over my private data.
As pointed out elsewhere in this thread, there is a danger here in that you have to manually verify the origin of the page you are on, which makes you far more vulnerable to phishing attacks, which are common and can be very sophisticated (things like pages that look like normal content but change to a fake Google login page when you minimise the page, so when you come back, it is there waiting).