Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
stanac 5 days ago

My password manager is a separate app, I always have to manually copy/paste the credentials. That's because I believed that approach to be more secure, now I see it's replacing one attack vector for another.

behindsight 4 days ago | parent | next [-]

> I always have to manually copy/paste the credentials.

I really hope you clear your clipboard history entirely after doing your copy/paste method because your credentials would otherwise persist for any other application with clipboard perms to just exfiltrate (which has already been exploited in the wild before)

mtlynch 4 days ago | parent [-]

>I really hope you clear your clipboard history entirely after doing your copy/paste method because your credentials would otherwise persist for any other application with clipboard perms to just exfiltrate (which has already been exploited in the wild before)

How does that work?

If a malicious website reads the clipboard, what good is knowing an arbitrary password with no other information? If the user is using a password manager, presumably they don't reuse passwords, so the malicious website would have to guess the matching username + URL where the password applies.

If you're talking about a malicious desktop app running on the same system, it's game over anyway because it can read process memory, read keystrokes, etc.

Sidenote: Most password managers I've used automatically clear the clipboard 10-15s after you copy a credential.

behindsight 4 days ago | parent [-]

Interesting questions, I can later provide more links to more indepth security resources that go over similar points if you would be interested but currently on my phone so I will just jot down some quick surface level points.

> If a malicious website reads the clipboard, what good is knowing an arbitrary password with no other information?

Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.

> If you're talking about a malicious desktop app running on the same system, it's game over anyway because it can read process memory, read keystrokes, etc.

The app does not have to be overtly malicious, AccuWeather (among others) was caught exfiltrating users' clipboard data for over 4 years to an analytics company who may or may not have gotten compromised. Even if the direct application you are using is non-malicious, you are left hoping wherever your data ends up isn't a giant treasure trove/honeypot waiting to be compromised by attackers.

The same reasoning can be used for pretty much anything really, why protect anything locally since they could just keylog you or intercept requests you make.

In that case it would be safer for everyone to run Qubes OS and stringently check any application added to their system.

In the end it's a balancing act between convenience and security with which striving for absolute perfection ends up being an enemy of good.

> Sidenote: Most password managers I've used automatically clear the clipboard 10-15s after you copy a credential.

That is true, good password managers took these steps precisely to reduce the clipboard attack surface.

Firefox also took steps in 2021 to also limit leaking secrets via the clipboard.

mtlynch 4 days ago | parent | next [-]

>Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.

Webpages can't read clipboard history, so this wouldn't apply.

I was responding to your guidance to clear your clipboard history after copying a password.

>The app does not have to be overtly malicious, AccuWeather (among others) was caught exfiltrating users' clipboard data for over 4 years to an analytics company who may or may not have gotten compromised.

But clearing your clipboard after pasting passwords wouldn't protect you from this attack. That was the recommendation I disagreed with.

The same reasoning can be used for pretty much anything really, why protect anything locally since they could just keylog you or intercept requests you make.

Yes, I agree. But that's why I think people should focus their energy on defending along trust boundaries.[0] There's no trust boundaries between applications running in the same user context on the same system. There is a trust boundary between a web app and local apps, so I think it makes sense to consider what a malicious web app can do (e.g., read the most recent clipboard contents), but we shouldn't lump web apps in with local desktop apps.

[0] https://en.wikipedia.org/wiki/Trust_boundary

zahlman 4 days ago | parent | prev [-]

> Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.

I always manually type the emails and usernames for this reason.

(A keylogger is already game over, so.)

eviks 5 days ago | parent | prev | next [-]

What's the most common example of an alternative attack with autofill?

kaoD 5 days ago | parent | next [-]

The password manager's autofill browser extension gets compromised.

eviks 4 days ago | parent | next [-]

Common? Which of the good pw managers' extensions have been compromised in the last year?

EE84M3i 4 days ago | parent | prev [-]

This used to happen with some frequency but I haven't heard of it happening in some time now.

karel-3d 4 days ago | parent | prev | next [-]

just recently there was a clickjacking attack that affected most popular password manager extensions. It tricked the managers into filling passwords to random pages, worked on almost all extensions and all pages.

eviks 4 days ago | parent [-]

Are you refering to this one https://marektoth.com/blog/dom-based-extension-clickjacking?

This doesn't seem to be "passwords on random pages", only "Personal Data + Credit Card,", passwords are domain-specific unless the website is hacked itself.

> The attacker can only steal credentials for the vulnerable domain.

karel-3d 4 days ago | parent [-]

ok that's nice

5 days ago | parent | prev [-]
[deleted]
SAI_Peregrinus 5 days ago | parent | prev | next [-]

The one I use (KeePassXC) is also a separate app, but there are browser extensions for the major browsers to support autofill. Of course plenty of sites don't actually work with autofill, even the browser builtin autofill, because they don't mark the form fields properly. So autofill not working is common enough that it's not a reliable red flag. Separate password managers have the advantage that they can store passwords for things other than websites, and secret data other than passwords (arbitrary files). KeePassXC's auto-type can work with any application, not just a browser.

eviks 4 days ago | parent [-]

> Of course plenty of sites don't actually work with autofill, even the browser builtin autofill, because they don't mark the form fields properly.

Can't KeePass use the autotype functionality, but still filter it by website domain/host that it gets from the extension? So basically you'll still never have to copy&paste, and any site requiring this would be a reliable red flag?

SAI_Peregrinus 4 days ago | parent [-]

Yes, that should generally work. I'm sure someone will decide to make a page requiring a CAPTCHA in between entering the username & the password to create an exception to this case though. It's the sort of insecure-by-design nonsense banks love.

welder 5 days ago | parent | prev [-]

Please change that now! It's the muscle memory of never typing a password that prevents you from being victim to phishing.