Web lists-archives.com

Re: Chaniging focus: security ouitside a password manager




rhkramer@xxxxxxxxx writes:

>    * during copy and paste operations, the plaintext password could
> remain on the C&P "stack". thus making it vulnurable: Some notes:
>
>       (1) I've read about at least one password manager that, somehow,
> deletes the plaintext password from the copy and paste "stack" after a
> time delay--I didn't make a note of which one that was.

Yes, the Password Store tools do this (actively delete the content from
the clipboard, after a configurable timeout).

>       (2) another approach could be that a password manager provides a
> facility to write the password to a designated textbox […]

Another common approach, similar to that, is to have a web browser
plug-in which reads the same database.

Thanks to WebExt support in both Chromium and Firefox, we have the
Browserpass <URL:https://dannyvankooten.com/chrome-extension-for-pass/>
extension that allows using credentials directly from a Password Store
database.

> Maybe my concern about these situations is unrealistic, but I want to
> consider it, so all comments are welcome.

I think you should move to the above model (tools like Password Store
that actively work to get the credentials out of the clipboard quickly)
as an immediate improvement first, and see how well that satisfies.

-- 
 \     “Don't be afraid of missing opportunities. Behind every failure |
  `\         is an opportunity somebody wishes they had missed.” —Jane |
_o__)                                          Wagner, via Lily Tomlin |
Ben Finney