7

The "clipboard" buffer might contain sensitive information (like passwords, or private messages sent to or received from other people) cut/copied previously, that, wenn accidentally pasted into a wrong window, can leak this sensitive information.

This can very well happen by accident when a users attempts to cut/copy something, and believes that the cut/copy operation succeeded, when it in fact didn't. When pasting the buffer content, it would unintentionally be content from a previous cut/copy operation.

Password managers like KeePass provide a functionality where the clipboard buffer is cleared automatically after a predefined timout, so that passwords cannot be pasted by accident.

Do common desktop operating systems (Windows, Mac OS and Linux) provide a way of configuring such a clipboard timeout globally?

Alternatively, which third party tool provides this functionality?

Anders
  • 64,406
  • 24
  • 178
  • 215
tmh
  • 1,139
  • 1
  • 9
  • 10

4 Answers4

3

Sadly as far as know there is no such feature as "clipboard timeout". I miss this too :(.

Actually, the current evolution of end-users desktop environment seems to go the opposite way, with so-called "clipboard managers" enabled by default which store the history of the nth latest clipboard values, thus heavily reducing effectiveness of password managers' clipboard clearing feature (clipboard current value will be cleared, but the password will remain accessible and readable in clear form in the clipboard manager history...).

The only technical workaround I know is to run a system-specific command at regular interval which will clear the current value of the clipboard (command which may not be even available by default, at least on Linux, and therefore require a specific installation). As ugly as it can be, but I did not found anything better.

Otherwise, you have no other choice than train yourself to consider the copy/paste operation as a potentially risky operation and double check what you are doing (and of course get rid of these awful clipboard manager software!).

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
  • "The only technical workaround I know is to run a system-specific command at regular interval which will clear the current value of the clipboard" -- I guess it would be more convenient if the clipboard was cleared *x* minutes after last usage, not in regular intervals. Otherwise we'd risk losing clipboard content right after a cut/copy operation. – tmh Oct 05 '16 at 18:17
  • The real solution would be that the password manager and the clipboard manager spoke a common language so that the password manager could ask it to 'forget' the last entry. – Ángel Oct 04 '19 at 23:00
2

That's why a good password manager like KeyPass is far better than a copy/paste solution from an encrypted text file. At least on Windows, it can avoid to use the clipboard and directly simulate key stroke inputs in the application window. So you can instruct it to send the following sequence (its default one)

c h a r a c t e r s _ o f _ l o g i n Tab p a s s w o r d Return

after positioning the cursor in the proper field. That way nothing ever went in the clipboard.

If you must use the clipboard, and have no clipboard manager installed, each new copied value replaces the previous one, so you should consistently copy a dummy text after a copy/paste of sensitive information.

If you have a smart clipboard manager that remembers many values, you should just not use the clipboard for sensitive information...

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
  • "copy a dummy text after a copy/paste" -- that's actually what I'm doing after almost every copy/paste. This lead me to asking the question in the first place: Did anyone think of automating that "clipboard reset"? – tmh Oct 05 '16 at 18:15
  • 1
    You'd also need to make sure the dummy text is at least as large as the sensitive content you are clearing, to protect against cold-boot attacks. – John Blatz Oct 05 '16 at 21:45
  • KeePass certainly implements a clipboard timeout (default 12s), and clears the clipboard on exit as well. I prefer to use copy/paste rather auto-type (it's too easy auto-type in the wrong place with a misclick) or use the browser integration (large popups every time I visit a site that supports logins, unless I leave the database unlocked, which defeats the purpose of a password manager). But this is on linux without fancy clipboard managers. On Android KeePassDroid also has a clipboard timeout (default/minimum 30s) but I haven't thoroughly tested it – Chris H Sep 14 '21 at 15:01
  • @ChrisH The problem with copy-paste, is that a site can prevent pasting into a input field through JavaScript. That is useless because there are tons of tools able to simulate keyboard actions, but many site developpers are not very proficient in security and think that preventing pasting is a protective measure... – Serge Ballesta Sep 14 '21 at 15:19
  • @SergeBallesta luckily I don't use any sites that do that for logon. The only place I come across it is "confirm email address"/"confirm password" on signup, where it seems to be becoming less common for passwords. I don't currently use a greasemonkey script to fix that though i used to have one; typing into the "confirm" box, and copy-pasting into the upper box is often a workaround, and I don't sign up for much new stuff. Auto-type is harder on mobile anyway., perhaps an incentive to allow pasting for those in the know – Chris H Sep 14 '21 at 15:23
1

For Mac OS, this discussion offers some script-based approaches: https://apple.stackexchange.com/questions/55146/is-there-an-easy-way-to-clear-empty-the-clipboard

For Windows, ClipTTL is a simple freeware utility that clears the clipboard after a given time: https://www.wilderssecurity.com/threads/clipwipe-a-tiny-system-wide-clipboard-wiper.389092/

John Blatz
  • 991
  • 10
  • 16
0

Google's Gboard keyboard for Android provides a clipboard feature. It records snippets of recently copied/cut text for future use, which disappear after a timeout of one hour.

tmh
  • 1,139
  • 1
  • 9
  • 10