by blockarchitech 1789 days ago
I like password managers. They keep people from writing passwords down on their desk or in a notepad, so I'm all for them. I hate autofill. Any form of autofill, automated, user-requested, any of it. I would like people to just use a small button to open a 'mini instance' of the password manager, like an instant app (or App Clips for iPhones), and copy their password that way. Autofill is also a huge security risk, excluding if they use biometric authentication. If they use a PIN code, forget it. If an attacker is on your device in the first place, chances are they have your PIN code. Autofill needs to be deprecated.

I agree with much of what you said, but I think there is another advantage of autofill which I think copy and paste misses out on. If autofill usually works perfectly day after day, and then one day it fails, for example because the password manager fails to match the URL on a phishing site, it's an extra clue that it's not the correct site. Of course this also works with non-automatic autofill, and the importance of the autofill failing could easily be overlooked anyway.
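As an added illustration of the point above (example code, not from the commenter or from any password manager), a strict-origin autofill check: `autofillMatches` and `credentialForPage` are assumed names, and the saved credential is a constructed sample.

```javascript
// Added example: strict origin matching for a password-manager autofill
// decision. Helper names are assumed; nothing here is a product's code.

// A saved credential records the exact origin it was captured on.
const savedCredentials = [
  { origin: "https://accounts.example.com", username: "alice" }, // constructed sample
];

// Returns true only when the page's origin matches the saved origin exactly:
// same scheme, same host (after URL normalisation), same port.
// Matching on the parsed origin rather than on a substring of the URL is
// what makes autofill refuse look-alike and nested-hostname phishing pages.
function autofillMatches(savedOrigin, pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return false; // unparsable URL: never fill
  }
  // Only fill on https, so a downgraded http copy of the site never gets the password.
  if (page.protocol !== "https:") return false;
  // URL.origin already normalises host case and drops userinfo, path and query,
  // so "https://accounts.example.com@evil.test/" resolves to the origin of evil.test.
  return page.origin === new URL(savedOrigin).origin;
}

// Picks the username to offer for a page, or null when nothing matches.
// A null result here is the "autofill fails" signal the comment describes.
function credentialForPage(pageUrl, store = savedCredentials) {
  const hit = store.find((c) => autofillMatches(c.origin, pageUrl));
  return hit ? hit.username : null;
}
```
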
If an attacker is on your device, they very likely have access to your clipboard, so how is that more secure? I cringe whenever my password manager's autofill fails and I have to fall back to copy/pasting, because I know that I'm now storing my password in system memory in plaintext. Most password managers clear the clipboard after some timeout, but that's hardly helpful against an on-device threat.
If the attacker has access to your device, you're going to be severely compromised no matter what you do. Why pretend otherwise?
True, if an attacker has control of your device you are probably screwed anyway, but there are still different degrees of screwed. There are more and less privileged portions of your system, and keeping sensitive data to less secure areas is still not a great idea. With browsers offering clipboard access as a JavaScript API, it is definitely an area I would consider less well secured than, say, read protected memory or a process-isolated browser extension sandbox.
Fair point, but I don't think you can _read_ the contents of the system clipboard, can you? I thought you could set it but had to wait for a paste event to read it.
It requires a permission request, but yes there's a browser API to read the clipboard contents https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/r...
On iOS and Mac the clipboard is readable to all apps without interaction. (E.g. Slack allows login on Mac desktop by copy/pasting text from the browser. Chrome on iOS will auto-paste from the clipboard to show a target URL.)
Both of your statements are valid. If an attacker has access to your device you are *severely* compromised and you can't do much. I am going off the idea that your password manager clears your clipboard history, however, but this is a valid and true statement. The thing is: nothing will be 100% secure. Ever. But if we evolve our security at the same rate loopholes, etc. are being found, we can prevent data breaches, identity theft, etc., before it even happens.
I guess my feeling is that doing something like this when your machine is already compromised is a little like putting your key under the welcome mat instead of leaving it plainly visible. Perhaps for the very incurious attacker they won't get around it but it's not much effort to find.
Yeah, on a Win10 device hold the Windows key and tap V.

There is your copy/paste history in plain text.

I like how gopass and gopass-bridge work on desktop in the browser, avoid the clipboard and are still easy to use once set up; I just wish it was easier to set up. I use passwdsafe on Android and like that it replaces the keyboard for entering credentials, but dislike the number of clicks it takes to work. Unfortunately neither seems to be that popular, so they will never grow to the point that usability gets much better and others will also benefit.
Really comes at the cost of convenience; I just don't care thatttt much. For accounts that my real monies are in, I just don't keep them in account managers.