The Clipboard and Password Managers

There are many discussions about to use or not a password manager. However, most experts agree that you must use a strong password in every system/service (+2fa, but we are not going to elaborate about it today).

So to create a strong password, you need:

  1. A decent password length (eg. >14 characters), old articles recommends 8, however, if they are not produced by a random generator, they are vulnerable to some statistical attacks (eg. Markov chains)
  2. Use non dictionary based words (No dates on it, no ending numbers like qwerty99 or qwerty01, no dictionary based words)
  3. Use Alphanumeric and special characters.
  4. Not to use l33t transformations (P4ssw0rd!)
  5. Even is a 100% secure password, please don’t reuse the password between systems/services
  6. And don’t share segments of the password between systems (like: p4s%sW0rdGMAIL, p4s%sW0rdFACEBOOK) or (like: p4s%sW0rd2002, p4s%sW0rd2003) or (like: p4s%sW0rd01, p4s%sW0rd02) or anything like that

I don’t have to mention that reusing a password is extremely dangerous… even if the service is 100% PCI compliant, that does not mean that this is 100% hacker-proof. If you still believe that there is no need to be alarmed, try searching yourself in https://haveibeenpwned.com/

So, the secure alternative is to use different passwords like this in every service: R@mf8909%3ZA2111, D2mH!8u7s95s4, @#$%aei54mk!36644s

The question:

Are people capable of remembering every password for 100 different services?

The answer is, most people can’t. Most people can only remember 1 or 2 secure passwords and usually are MyPuppyName2022!

So, this is usually the reason behind we use password managers (and tokens like yubikey’s or 2fa)….

Are password managers secure?

Well, the problem is widely discussed everywhere, if the password manager fails, everything goes down with it… so If you are capable enough to create secure passwords, remember every password and rotate them every few months, you should not be using this… if not, it’s a decent option.

The other problem about the password manager is the clipboard…

many users usually copy the password from the password manager using the clipboard, and if you are compromised even with an unprivileged application, even in the future, your password may going to be available in the memory and can be recovered by this application.

And if you think that viewing and copying the password from the screen is a good idea: no is not… it may be leaked with an USB physical keylogger, or simply taking a picture from your screen (or maybe some “advanced” tempest screen radiation recovery)

So, password managers like KeePassXC have a very nice option to avoid all of this: “Perform Auto-Type

This option will type the password straight to the program that is requesting the password, it’s not perfect but it’s pretty decent and simulate the keyboard input…

Leave a Reply