Hacker News
by selykg 2128 days ago
You're losing out on certain types of phishing protections by doing this.

You're also potentially opening yourself up to any apps/tools that are keeping an eye on your clipboard if you're copying and pasting. Auto-type might help with that, but I also wouldn't hold my breath for such a feature coming.

5 comments

And at the same time you win by not falling victim to "oops, there is a bug in our browser add-on that accidentally leaks arbitrary login data to websites", as has happened in the past. Leaking all my credentials certainly sounds more concerning to me than leaking the credentials to a single page.

KeePassXC asks for permission to share each credential with the browser, with a "Remember" checkbox. You can have convenience for your unimportant logins while keeping your sensitive credentials fully secure.

Eh.. I'm going to go a different route.

Compromising everything is easier, it means you have to change the password for everything and know it was compromised.

If only SOME stuff is compromised then you don't know what was compromised so you end up having to change everything anyway.

I mean, that's at least my approach. I'd rather know I needed to keep an eye on everything rather than some things. At least then I know I can take appropriate precautions.

If you are infected with a clipboard logger, chances are it is also a keyboard logger. Frankly, at that point you're unlikely to be saved by a browser extension anyway.

I'm not sure I follow. Browser extensions aren't simulating keyboard strokes, so they absolutely would save you in that case.

You assume that any malware that is in a position to log keyboard and clipboard events is somehow not in a position to do things like install its own trusted certificate, perform dll injection, or otherwise intercept the password anyway. Not to mention that with all the other things it has access to it might not need said password to fuck up your life.

It's a poor argument for choosing browser extensions over cut & paste because the circumstances where it has an advantage are incredibly specific.

> It's a poor argument for choosing browser extensions over cut & paste because the circumstances where it has an advantage are incredibly specific.

I agree that malware that has that power could do something else, but the parent post incorrectly asserted that the specific attack of keylogging would work, which it doesn't. I wasn't arguing that as the reason to use them over copy/paste.

The main thing extensions save you from is phishing attacks because they verify the origin of the page is correct for the entry, which is a really common attack and a hard thing for humans to verify consistently, and doesn't require any malware on your machine.

Of course, but in the case that the app is not actually "attacking" you, and is instead just poorly written and/or poorly thought out you're reducing your risk.

A lot of the time you can attribute compromises to ignorance rather than malice.

So an app that is stupidly logging the clipboard and doing dumb things with that data, rather than being a malicious app.

Not much can help you if an app on your machine is in a position of power.

That depends on how many horrible ideas make their way from phone to desktop.

That is the one thing that worries me about iOS (okay: the BIGGEST concern, not the ONLY concern) now that it has been shown that TikTok and LinkedIn (apps not on my phone) have been copying the contents of the clipboard. I had not thought of using a browser plugin to avoid clipboard scavengers on non-mobile OSes: I'll have to give that some thought now.

iOS has a standard API for password managers. There's no reason not to use it.

Really hoping Apple makes this feature available in macOS so that password managers can hook into it in an official way. Every year I keep crossing my fingers but it never happens.

And you are gaining that many passwords are not shared with the browser. I rely on in-browser password storage (which you can also encrypt e.g. in Chrome) for frequently accessed sites.

I think the separation of concerns outweighs the KeePassXC<->Browser integration part.

If your computer is compromised (meaning occasional copy&paste is not secure) you have WAY more problems than only KeePass and phishing.

Auto-type is much worse. Never use an auto-type feature; it can easily fall prey to insertion in hidden input fields.
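
The origin check that the thread credits browser extensions with, shown as an added example (not code from any commenter, from KeePassXC, or from any real extension): a credential is offered only when the page's scheme, host and port exactly equal the saved entry's origin. The vault format, the function names and all sample entries and URLs are hypothetical and constructed for illustration.

```javascript
// Constructed sample vault: each entry is bound to one exact origin.
const SAMPLE_VAULT = [
  { origin: "https://accounts.example.com", username: "alice", password: "constructed-secret-1" },
  { origin: "https://bank.example:8443", username: "alice", password: "constructed-secret-2" },
];

// Reduce a page URL to its origin (scheme://host[:port]).
// Returns null for unparseable URLs and for anything that is not https.
function pageOrigin(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // lowercases the host, converts IDN hosts to punycode
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null; // never fill on plaintext pages
  return u.origin; // path, query, fragment and userinfo are not part of it
}

// Entries whose saved origin exactly equals the page's origin.
// Exact equality (not substring or suffix matching) is what defeats lookalikes.
function credentialsFor(rawUrl, entries) {
  const origin = pageOrigin(rawUrl);
  if (origin === null) return [];
  return entries.filter((e) => e.origin === origin);
}

// Constructed test URLs: the genuine page plus common lookalike shapes.
function demo() {
  const urls = [
    "https://accounts.example.com/login?next=/",    // genuine
    "https://ACCOUNTS.example.com:443/login",       // same origin after normalisation
    "https://accounts.example.com.evil.test/login", // real name used as a subdomain
    "https://accounts.example.com@evil.test/login", // real name in userinfo
    "https://accounts.examp1e.com/login",           // typo-squat
    "http://accounts.example.com/login",            // downgraded scheme
    "https://bank.example/login",                   // wrong port
  ];
  return urls.map((url) => ({ url, offered: credentialsFor(url, SAMPLE_VAULT).length }));
}

console.log(demo());
```

Only the first two URLs are offered a credential; a person pasting from the clipboard has to make the same distinction by eye.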