How secure is the Windows clipboard?

49

7

I've been using the Windows clipboard as a method of getting passwords from Lastpass into desktop applications.

I've been wondering exactly how secure is this? Can't any program access the clipboard at any time?

kiri

Posted 2015-07-06T04:29:39.467

Reputation: 847

1

I remember that clipboard access was enabled by default in some (old) versions of IE (probably IE6). I have found this link where MS put a warning window each time a website tried to access your clipboard, but it looks like it wasn't there earlier. So if you use IE <=6 (you don't, right?) you may be at extra risk.

– Carlos Campderrós – 2015-07-06T15:55:28.507

3 Running the clipboard on an old shared VMWare Player in an office setting reveals many interesting things about your coworkers. I always had to be careful when responding to people at my old job because there was a good chance if I cut and pasted it would wind up in the boss's clipboard. – Peter Turner – 2015-07-06T19:21:37.533

1 @CarlosCampderrós I think Flash still allows that. – CodesInChaos – 2015-07-07T06:52:41.047

2 KeePass has an option in "Memory" settings: "Clipboard behaviour: Enhanced: allow pasting once and protect against clipboard spies" – DBedrenko – 2015-07-07T09:12:01.010

Answers

60

It is not secure.

See this question & answer on Security.stackexchange.com, quoted below:

The Windows clipboard is not secure.

This is a quote from a MSDN article.

The Clipboard can be used to store data, such as text and images. Because the Clipboard is shared by all active processes, it can be used to transfer data between them.

This should probably apply to Linux machines as well.

Is this a concern? No. For someone to exploit this, he would have to have malware on your machine capable of reading data from the clipboard. If he has the capability of getting malware on your machine, you have much bigger things to worry about as there are plenty of other stuff he can do, including keyloggers and the like.

Keltari

Posted 2015-07-06T04:29:39.467

Reputation: 57 019

4 While it is trivial to read the data in the clipboard, as Keltari explains, the fact you have malicious software reading your clipboard in the first place is your larger concern. This is the reason copying and pasting your password into a password field has no effect on keeping your password secure; the ability to do so is the convenience of not typing a 20-30 character secure random password. – Ramhound – 2015-07-06T10:40:12.300

2 Of course the threshold is much lower for malware that reads the clipboard (an entirely "legal" piece of javascript embedded in a web page will do) versus malware that exploits the browser process or reads another process' memory, or installs a hook to capture keypresses, etc. – Damon – 2015-07-06T13:44:05.140

24 @Damon From what I understand, JS doesn't have random access to the clipboard for precisely this reason. – Colonel Thirty Two – 2015-07-06T14:04:02.323

@ColonelThirtyTwo: You mean that e.g. having an invisible input field and doing document.execCommand('paste') won't work? I haven't tried (not being a malware author, nor really being interested in someone else's passwords), but I guess it should work.

– Damon – 2015-07-06T14:10:43.277

3

@Damon According to MDN, the app needs to have permission to use the paste command, so random pages can't sniff your clipboard using that.

– Colonel Thirty Two – 2015-07-06T14:14:40.500

@Damon, some JS commands aren't granted permission to execute until the user has triggered an action that would allow such an action to occur. Functions like execCommand and open are generally blocked by browsers unless triggered during a key or mouse event. – zzzzBov – 2015-07-06T15:50:35.167

2 @zzzzBov - And what would stop someone from adding a button in Javascript titled "Free Money - Click Here!", but the button actually copies your clipboard instead of giving you money for free? – Yay295 – 2015-07-07T03:27:14.243

@Yay295, usually the clipboard access granted is for allowing developers to copy contents into the clipboard. I don't recall all the details for accessing the current clipboard contents. Consider this: how valuable is the clipboard data actually without context? Sure, you might have someone's password, but then how do you find their username? And which service does it belong to? – zzzzBov – 2015-07-07T04:23:52.043

I down vote this answer. Please at least advise user to clear clipboard after using it for password, instead of "you have bigger things to worry about". – Chris.C – 2015-07-07T18:52:05.493

6

Just bear in mind that it's not only the applications that may have access to the clipboard and it's not only malware that actually might want to get it.

There are also users that may accidentally or on purpose reveal the content of the clipboard after getting physical access to the computer. Of course, then they can do a lot of harm anyway, but getting the actual password (and not just access to websites/programs) is hard (unless you have it in the clipboard...)

So either make sure the clipboard is cleaned (and this is not 100% reliable, as some applications allow retrieving old clipboard values) or use some kind of encryption (this is not trivial, but even an easy one will protect from an accidental password leak).

mikus

Posted 2015-07-06T04:29:39.467

Reputation: 171

1 Encryption isn't going to help for this. The attack isn't against the memory the clipboard (or clipboard history) is stored in. The attack is retrieving the clipboard contents using the standard clipboard API (either a running program reading it, or another user gaining temporary access and initiating a paste). – Peter Cordes – 2015-07-07T02:47:41.173

1 Not exactly, Peter. We do not know the architecture of the original solution, but if your application first puts the content in the clipboard and then retrieves it, it can modify the data in a way that is only understandable to itself. So when someone, or even you with someone looking, accidentally reveals the content, it is not yet obvious what was inside and how to use it. Anyway, revealing a plain-text password is, to my mind, the highest security breach possible. I'd honestly never consider copying it to the clipboard or a text file, etc. There are better ways of communication between apps :) – mikus – 2015-07-07T07:53:28.117

3 @mikus while true, this is not usually the way the clipboard works. The clipboard is really only useful to share content from one app to another. A single app may as well just store the encrypted contents in memory for later retrieval and avoid the clipboard altogether. – trlkly – 2015-07-07T08:39:10.770

Indeed, I have never said otherwise, but as long as I don't think any commercial application like LastPass leaves anything in the clipboard, I guess the author has control over both of the applications. Then he can choose whatever encoding or encryption he wants, right? And other communication methods as well :) If it's LastPass saving plaintext passwords in the clipboard, then it's just not the right application to use IMO. – mikus – 2015-07-08T08:48:29.587

2

As everyone agrees, the clipboard is generally insecure. Thus, the followup question is obvious: how to get complex passwords/passphrases from a password manager into where they're needed, without exposing them along the way.

Look for a password manager that has an option to "type your password into the next window you click on" or similar. I don't know of any examples, because I'm not that paranoid about most passwords. (And I actually memorize the very few high-security passwords I use, like my GPG private key.)

Community wiki: edit in names of programs that have this feature:

  • KeePassX

My version of KeePassX, 0.4.3, offers clearing the clipboard after X seconds (defaults to 20 but 8 is fine).

Peter Cordes

Posted 2015-07-06T04:29:39.467

Reputation: 3 141
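
The timed clearing mentioned in the KeePassX note above can be reproduced by hand in PowerShell. This is an added example, not code from KeePassX, LastPass or any answer on this page; the function name Copy-SecretWithTimeout is hypothetical, and it assumes Windows with the built-in Set-Clipboard and Get-Clipboard cmdlets (Windows PowerShell 5.1 or PowerShell 7).

```powershell
# Added example: hypothetical helper, not taken from any password manager.
function Copy-SecretWithTimeout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Secret,

        # 20 seconds mirrors the KeePassX default quoted above.
        [ValidateRange(1, 300)]
        [int]$Seconds = 20
    )

    $cleared = $false
    Set-Clipboard -Value $Secret
    try {
        # While we wait, every process in the session can still read the
        # value through the standard clipboard API. The timeout only
        # shortens that window; it does not close it.
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # The finally block also runs when the wait is interrupted with Ctrl+C.
        # Clear only if the clipboard still holds our value, so anything the
        # user copied in the meantime is left untouched.
        $current = Get-Clipboard -Raw
        if ($current -ceq $Secret) {
            Set-Clipboard -Value $null
            $cleared = $true
        }
    }

    # Clipboard-history tools may already hold a copy of the value;
    # clearing the live clipboard does not purge their stored entries.
    return $cleared
}

# Usage with a constructed value and the shorter 8-second window:
# Copy-SecretWithTimeout -Secret 'constructed-example-value' -Seconds 8
```

The function blocks the shell for the duration of the timeout and returns $true only when it actually cleared its own value.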