3

Sometimes, if I'm having trouble typing a long password, I'll open up Notepad, type it in there (so I can make sure what I'm typing is correct), and then copy+paste it into the form, and then close the Notepad file without saving anything.

Assuming I don't have somebody looking over my shoulder, and I don't have a keylogger on my computer, would this leave any recoverable trace?

I'm primarily a Windows user, but I'd be interested to know if different OS's would handle this differently.

Anders
TMH
    Related: [copy-paste isn't exactly secure](http://security.stackexchange.com/questions/33428/is-a-password-in-the-clipboard-vulnerable-to-attacks) – Jedi Jul 14 '16 at 11:09
  • See link from @Jedi (+1) - was going to post something similar. In short: Password managers will clear the clipboard after a specified amount of time; anything you copy out of notepad will remain in clipboard and available to all applications with no privileged access required. –  Jul 14 '16 at 11:15
  • An unlikely scenario based on what you're describing, but if you leave a file lying around for some time, it could have been paged out and perhaps you can [recover it from the pagefile](http://security.stackexchange.com/questions/67686/can-windows-passwords-be-recovered-from-the-windows-pagefile) – Jedi Jul 14 '16 at 11:19
  • @TomHart Sorry if I slapped the [windows] tag on your question too quickly. I just assumed it was MS Notepad and figured it was appropriate. – Anders Jul 14 '16 at 11:29
  • 2
    @Anders it's cool :) Windows is my OS, but I'm still interested if other OS's do things differently – TMH Jul 14 '16 at 12:25
  • One thing you should also be sure, is that you are not connected with a remote control tool like TeamViewer. In some companies those tools get used often and if you type your password in the clear while someone is connected to your pc, he possibly could see what you are typing. – hamena314 Jul 14 '16 at 12:33

2 Answers

5

Microsoft Notepad will not save anything to disk unless you explicitly tell it to do so (by using "Save As"). This is in contrast to more complex programs like Word or Notepad++ that have autorecovery features and might save safety copies of files. I do not know, but suspect, that simple, basic text editors on other OS's work the same way.

If it would be saved to disk, it would persist and possibly be recoverable even after it would supposedly have been deleted. So that would be a bad practice.

Malware could of course read it from the clipboard, or extract it from RAM (where it must be stored sometime anyway, even if you just type it into the password box). But if you have malware on your system all your passwords are lost anyway, so how you type them isn't really an issue.

I would say the major security issue with your scheme is that the password will remain in the clipboard (unless you always remember to copy something else directly afterwards) so that someone who uses the computer after you could stumble upon the password just by pasting.

Also, there are legitimate programs that read the clipboard and save it so you can get a clipboard history. Obviously, if you have one of those installed, you are in trouble.

I would recommend that you just use a password manager.

Anders
  • 2
    even if the clipboard is cleared immediately a malicious agent on the same machine could have [already captured](http://www.nonags.com/nonags/clipb.html) the credentials from the shared clipboard. – Jedi Jul 14 '16 at 11:24
  • 1
    Absolutely. I would say that "a malicious agent on the same machine" would fall under malware. In my opinion, if you have malware it is gameover. Attempts to type passwords in a malware safe way are just bogus. They will get to them anyway. So if you put it in the clipboard or not does not matter, you have malware you are owned anyway. – Anders Jul 14 '16 at 11:27
  • @Anders Completely lost when you got malware? For a big part, yeah you're pretty screwed. However what about Avast Safezone browser? Protect against keylogging, screen-capturing, form-logging,... It's a complete sandbox. So even with some kinds of malware you can type in your password 'secure'.. I'm not saying you're 100% secure with Safezone, and you shouldn't prevent malware in any way (because you should). But Safezone can protect against e.g basic keyloggers. – O'Niel Jul 14 '16 at 11:34
  • @Anders, yep malware ~= gameover. But the clipboard is legitimately shared across processes, so technically can be read by non-malware. – Jedi Jul 14 '16 at 11:35
  • @Jedi Yeah, it would be slightly easier for malware to steal it from the clipboard than say the browser. I added a paragraph on legitimate non-malware programs that might steal the password "by mistake". Thanks for the feedback. – Anders Jul 14 '16 at 11:46
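
The timed clipboard clearing that the comments attribute to password managers, applied to the Notepad copy+paste habit, as an added example that is not part of the original thread. The function names `Get-TextHash` and `Clear-ClipboardAfter` are hypothetical; `Get-Clipboard` and `Set-Clipboard` are the built-in PowerShell cmdlets.

```powershell
# Added example (not from the thread): after copying a password out of
# Notepad, run Clear-ClipboardAfter so the value does not stay on the
# clipboard for the next person who presses Ctrl+V.
# Limits, as the thread points out: any process that read the clipboard
# during the delay already has the value, and a clipboard-history tool
# may have stored its own copy. This only shortens the exposure window.

function Get-TextHash {
    param([string]$Text)
    # Fingerprint the text so the script does not keep the password itself
    # in a long-lived variable while it waits.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return [System.BitConverter]::ToString($sha.ComputeHash($bytes))
    } finally {
        $sha.Dispose()
    }
}

function Clear-ClipboardAfter {
    param([int]$Seconds = 15)

    $current = Get-Clipboard -Raw
    if ([string]::IsNullOrEmpty($current)) {
        Write-Warning 'Clipboard holds no text; nothing to clear.'
        return $false
    }
    $fingerprint = Get-TextHash -Text $current
    $current = $null   # drop our reference; this does not wipe RAM

    Start-Sleep -Seconds $Seconds

    # Clear only if the clipboard still holds the same text, so something
    # the user copied in the meantime is not destroyed.
    $now = Get-Clipboard -Raw
    if (-not [string]::IsNullOrEmpty($now) -and
        (Get-TextHash -Text $now) -eq $fingerprint) {
        Set-Clipboard -Value $null
        return $true
    }
    return $false
}

# Usage: copy the password in Notepad, paste it into the form, then run:
# Clear-ClipboardAfter -Seconds 15
```
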
2

Yes, temporarily in your RAM. Notepad is a program like no-other and uses variables. What you type also is a variable. The values of variables get stored in your RAM. Whenever you close your laptop your RAM is 'cleared' (look up volatile memory).

However:

  • When you freeze RAM chemically, its content doesn't get flushed,
  • It takes a few minutes after power-loss before all content is gone,
  • There are special attacks (like e.g. Cold-boot attack),
  • Memory forensics is a thing;

So, when someone takes your RAM out and freezes it - even after you just powered-off your laptop - he can recover a big portion of the content.

Also, when you copy-paste, you put your password into a 'clipboard', and for some malware it is very easy to recover it from your clipboard. Even more easily than RAM forensics. And as Ian mentioned, this can also be done from remote-distance, whereas with RAM forensics you'd rather need physical access.

tl;dr: Yes, it's saved in your RAM and can be recovered in some cases.

O'Niel
  • 1
    Yes, but it is also saved in your RAM if you type it into the password box, so what difference does it make? – Anders Jul 14 '16 at 11:10
  • @Anders He asked if it's saved. I answered YES it's saved and explained why. Why is that wrong? I didn't say it's ONLY saved in Notepad. He asked something, and I answered it with explanation. What can I do more? My answer ain't wrong. – O'Niel Jul 14 '16 at 11:12
  • 1
    Would argue clipboard vuln is more important and exploitable rather than RAM, as it's a remote attack vector. –  Jul 14 '16 at 11:18
  • @Downvoter please explain what's wrong with my answer. User asked something about NOTEPAD and I answered his question with explanation. Where am I sharing wrong info? – O'Niel Jul 14 '16 at 11:25
  • 2
    Didn't downvote, but I think while you are technically correct in a narrow sense, your answer isn't very helpful if you look at the context. The question implied (but not written) is "Should I stop doing this?" and your answer could be taken to imply "Yes, because cold boot attacks". – Anders Jul 14 '16 at 11:32
  • 1
    "and then close the Notepad file without saving anything." That is the moment, when the memory associated with the process is cleared. Even if all you said is true, this isn't really an answer to OP's question. Regards, – bayo Jul 14 '16 at 12:06