50

I see situations where you may have to input the same password more than once. You may type it in a text editor and copy it to clipboard, to paste it two or more times.

In what scenarios could this be a bad idea?

unor
Strapakowsky

3 Answers

51

The Windows clipboard is not secure.

This is a quote from an MSDN article.

The Clipboard can be used to store data, such as text and images. Because the Clipboard is shared by all active processes, it can be used to transfer data between them.

This should probably apply to Linux machines as well.

Is this a concern? No. For someone to exploit this, he would have to have malware on your machine capable of reading data from the clipboard. If he has the capability of getting malware on your machine, you have much bigger things to worry about, as there is plenty of other stuff he can do, including keyloggers and the like.

  • 3
    Note that several (all?) password managers use the clipboard for password entry. While one has to be careful with arguments to popularity or to absence of harmful effects, we aren't seeing floods of compromises that are specific to password managers and clipboard usage. – Jonathan Garber Mar 30 '13 at 02:39
  • 6
    @JonathanGarber From the KeePass site - `Timed clipboard clearing: KeePass can clear the clipboard automatically some time after you've copied one of your passwords into it.` Like I said though, if you can't trust your computer, you are basically screwed. –  Mar 30 '13 at 02:44
  • 17
    Keyloggers usually would require admin privilege, but you don't usually need any special privileges to read the clipboard. – Lie Ryan Aug 20 '14 at 14:42
  • 2
    As a general recommendation, once you paste a password, copy something else immediately to reset it. Leaving your password in memory for a long time increases the chances of being compromised. For example: You could accidentally paste your password into an input field in a website (like search). Once pasted, sites could easily have access to it intentionally or unintentionally, posing a security risk. – lepe Aug 31 '15 at 07:10
  • 2
    @Jonathan Garber: Not all - some of them emulate keystrokes, and in this mode the password does not touch the clipboard at all. – Piskvor left the building Aug 31 '15 at 09:24
  • 1
    Many applications also maintain a clipboard history for editing convenience, passwords copied to the clipboard naturally end up there... Office is one such application, but there are many other popular ones. – Eric Grange Mar 13 '17 at 07:57
  • Coming rather late to the party, but what about reading the clipboard with JavaScript? If you copy a password to your clipboard, every web page is then able to gain the password using JavaScript. Or are there some mechanisms fighting against that? – ProXicT Jun 11 '19 at 08:54
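
The timed clipboard clearing mentioned in the comments above, sketched as an added example (not code from KeePass or from any poster here). `MemoryClipboard`, `copy_with_timeout` and the 10-second default are hypothetical; the point is that the clear step only wipes the clipboard if it still holds the password, so a later copy by the user is not destroyed. Clearing does not remove entries already captured by a clipboard history, and any process in the same session can still read the value during the window.

```python
import time


class MemoryClipboard:
    """Constructed in-memory stand-in for the OS clipboard. A real backend
    (hypothetical here) would expose the same get()/set() pair."""

    def __init__(self):
        self._data = ""

    def get(self):
        return self._data

    def set(self, text):
        self._data = text


def copy_with_timeout(clipboard, secret, timeout=10.0, poll=0.25,
                      sleep=time.sleep, clock=time.monotonic):
    """Put `secret` on the clipboard and clear it after `timeout` seconds.

    Returns "cleared" if our secret was still there and was wiped, or
    "replaced" if something else was copied first; in that case the new
    content is left alone instead of being destroyed.
    """
    clipboard.set(secret)
    deadline = clock() + timeout
    while clock() < deadline:
        sleep(poll)
        if clipboard.get() != secret:
            return "replaced"      # user moved on; nothing of ours to wipe
    if clipboard.get() == secret:  # re-check right before overwriting
        clipboard.set("")
        return "cleared"
    return "replaced"


if __name__ == "__main__":
    cb = MemoryClipboard()
    # Constructed sample value, short timeout so the demo finishes quickly.
    print(copy_with_timeout(cb, "constructed-sample-password", timeout=1.0))
```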
8

Aside from the clipboard contents being available for snooping, there have been exploits where web pages can grab your clipboard data, and one where web ads written in Flash (this was before version 10) could stuff malware URLs onto your clipboard, in hopes that unsuspecting users would paste them into e-mail, blogs, etc., without noticing what they contained. Since my clipboard extender (ClipMate) acted as an early-warning to the malicious activity, my blog post was cited quite a bit.
http://www.clipboardextender.com/defective-apps/clipboard-virus-not-exactly-but-still-dangerous

Chris Thornton
4

This is insecure; as the MSDN article notes, the data can be read by other users (and by unprivileged users). Someone who could not necessarily install other malware could still read the clipboard data.

When it would be a "bad idea" depends on what might be running on the system, how sensitive the password is, etc.

Nick
  • 1
    No, other unprivileged users can't get the content of the clipboard: the clipboard is specific to a session. It doesn't make it secure from applications running in the same user context, though. – Stephane Feb 10 '15 at 09:02
  • @Stephane true, but I think what they mean is: in a current session, any program, even a website, has easy access to the user clipboard, making it an unsafe place for password transfer. One alternative is to translate a file line directly into keyboard input, but I don't know if that's safe either. Both approaches, however, while theoretically unsafe, may be safe in practice. – JDG Nov 03 '21 at 02:12