[behindsight]

> I always have to manually copy/paste the credentials.

I really hope you clear your clipboard history entirely after doing your copy/paste method because your credentials would otherwise persist for any other application with clipboard perms to just exfiltrate (which has already been exploited in the wild before)

[mtlynch]

>I really hope you clear your clipboard history entirely after doing your copy/paste method because your credentials would otherwise persist for any other application with clipboard perms to just exfiltrate (which has already been exploited in the wild before)

How does that work?

If a malicious website reads the clipboard, what good is knowing an arbitrary password with no other information? If the user is using a password manager, presumably they don't reuse passwords, so the malicious website would have to guess the matching username + URL where the password applies.

If you're talking about a malicious desktop app running on the same system, it's game over anyway because it can read process memory, read keystrokes, etc.

Sidenote: Most password managers I've used automatically clear the clipboard 10-15s after you copy a credential.

[behindsight]

Interesting questions, I can later provide more links to more indepth security resources that go over similar points if you would be interested but currently on my phone so I will just jot down some quick surface level points.

> If a malicious website reads the clipboard, what good is knowing an arbitrary password with no other information?

Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.

> If you're talking about a malicious desktop app running on the same system, it's game over anyway because it can read process memory, read keystrokes, etc.

The app does not have to be overtly malicious, AccuWeather (among others) was caught exfiltrating users' clipboard data for over 4 years to an analytics company who may or may not have gotten compromised. Even if the direct application you are using is non-malicious, you are left hoping wherever your data ends up isn't a giant treasure trove/honeypot waiting to be compromised by attackers.

The same reasoning can be used for pretty much anything really, why protect anything locally since they could just keylog you or intercept requests you make.

In that case it would be safer for everyone to run Qubes OS and stringently check any application added to their system.

In the end it's a balancing act between convenience and security with which striving for absolute perfection ends up being an enemy of good.

> Sidenote: Most password managers I've used automatically clear the clipboard 10-15s after you copy a credential.

That is true, good password managers took these steps precisely to reduce the clipboard attack surface.

Firefox also took steps in 2021 to also limit leaking secrets via the clipboard.

[mtlynch]

>Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.

Webpages can't read clipboard history, so this wouldn't apply.

I was responding to your guidance to clear your clipboard history after copying a password.

>The app does not have to be overtly malicious, AccuWeather (among others) was caught exfiltrating users' clipboard data for over 4 years to an analytics company who may or may not have gotten compromised.

But clearing your clipboard after pasting passwords wouldn't protect you from this attack. That was the recommendation I disagreed with.

The same reasoning can be used for pretty much anything really, why protect anything locally since they could just keylog you or intercept requests you make.

Yes, I agree. But that's why I think people should focus their energy on defending along trust boundaries.[0] There's no trust boundaries between applications running in the same user context on the same system. There is a trust boundary between a web app and local apps, so I think it makes sense to consider what a malicious web app can do (e.g., read the most recent clipboard contents), but we shouldn't lump web apps in with local desktop apps.

[0] https://en.wikipedia.org/wiki/Trust_boundary

[zahlman]

> Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.

I always manually type the emails and usernames for this reason.

(A keylogger is already game over, so.)