Page 1 of 1
Passwords pasted to clipboard?
Posted: Thu Feb 01, 2024 4:25 pm
by LinnitXa
MX23, Desktop pc
If it's true that apps have access to the clipboard, is it not unsafe to use a password manager which pastes the passwords to the clipboard first?
Re: Passwords pasted to clipboard?
Posted: Thu Feb 01, 2024 4:48 pm
by CharlesV
For most people, the automated clearing of the clipboard is enough.
However, any application that pastes to the clipboard can be spied upon, even with the "time out clipboard clear" that many password managers use. It there is something on your system that watches the clipboard and logs it, then there is an issue.
KeepassXC (and keepass ) use a special method when you setup Auto Type which can go around the clipboard and "key press" your password specifically into the window / field your on. This is safer if your worried about the clipboard - but it is not going to stop an application that is watching for key strokes.
https://github.com/keepassxreboot/keepa ... oType.adoc
Re: Passwords pasted to clipboard?
Posted: Thu Feb 01, 2024 5:15 pm
by LinnitXa
CharlesV wrote: Thu Feb 01, 2024 4:48 pm
For most people, the automated clearing of the clipboard is enough.
However, any application that pastes to the clipboard can be spied upon, even with the "time out clipboard clear" that many password managers use. It there is something on your system that watches the clipboard and logs it, then there is an issue.
KeepassXC (and keepass ) use a special method when you setup Auto Type which can go around the clipboard and "key press" your password specifically into the window / field your on. This is safer if your worried about the clipboard - but it is not going to stop an application that is watching for key strokes.
https://github.com/keepassxreboot/keepa ... oType.adoc
Thanks,
I presume you mean it by-passes the clipboard and pastes directly to the site login "box"?
Re: Passwords pasted to clipboard?
Posted: Thu Feb 01, 2024 5:30 pm
by LinnitXa
mmm, just reading that github link you gave, yes it seems to say that. Could be the answer for me.
If there's a key-logger then it's game over I suppose. Are there ways to scan for such loggers?
On another angle - some say using a browser (e. g. Firefox) password manager is not good, but surely with a strong master password on a fde drive should be ok, if no evil maid around?
Re: Passwords pasted to clipboard?
Posted: Thu Feb 01, 2024 5:36 pm
by CharlesV
I personally dont trust any 'online' password manager, preferring to stay with local encrypted versions. My personal rule is my browser can handle any password that I dont really care if someone gets in - Otherwise... nope. (and there arent many that are yes either;-p )
Detection of a keylogger can be as simple as looking for them, or working at various techniques.
two links for you on this on
This is listing ubuntu, but most of the same rules apply
https://askubuntu.com/questions/169887/ ... tem#169971
a more generic look :-)
https://duckduckgo.com/?q=linux+scan+fo ... 9-1&ia=web
Re: Passwords pasted to clipboard?
Posted: Thu Feb 01, 2024 8:12 pm
by davidy
I you are leery of your passwords being stolen with any one particular site the best thing to do is to change them on an irregular basis. I tried running clamav, with clamtk for a gui, on my laptop, but found it to be too topheavy and the autoupdater was sketchy as well. IOW, the actual gui did not perform as I would have liked so I uninstalled it. For a very portable laptop one less resource-heavy process running in the background is a good thing. For a desktop pc with multiple users, I would definitely install it. A good AV that scans on a schedule is the best way to prevent keyloggers.
Re: Passwords pasted to clipboard?
Posted: Thu Feb 01, 2024 8:32 pm
by Charlie Brown
Though this is not what you asked, you can clear the clipboard whenever you like/remember or as soon as you complete the job. Install the tiny
xsel package, then create keyboard shortcut(s) , say, I set Ctrl+Delete to
(For all (primary, secondary, clipboard) it could also be
xsel -psbc )
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 8:58 am
by LinnitXa
Charlie Brown wrote: Thu Feb 01, 2024 8:32 pm
Though this is not what you asked, you can clear the clipboard whenever you like/remember or as soon as you complete the job. Install the tiny
xsel package, then create keyboard shortcut(s) , say, I set Ctrl+Delete to
(For all (primary, secondary, clipboard) it could also be
xsel -psbc )
I installed xsel, then opened terminal and entered sudo xsel -bc. I pressed ctrl+Delete but nothing happened. Or maybe I didn't get what you meant. Seems almost easier to click the paperclip on panel and "clear history".
Also I'm looking to try Keepassxc with Auto-type ......
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 11:34 am
by MXRobo
Self-generating stateless password managers like Spectre, LessPass, or MasterPassword probably don't use the clipboard to copy as they're self-generating; but there can be disadvantages such as if the website's "info" changes (maybe url), and no list of previous passwords or website info, etc.
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 12:07 pm
by Charlie Brown
Charlie Brown wrote: Thu Feb 01, 2024 8:32 pm...
create keyboard shortcut(s) ,
say, I set Ctrl+Delete to ...
LinnitXa wrote: Fri Feb 16, 2024 8:58 am... pressed ctrl+Delete but nothing happened ...
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 1:16 pm
by LinnitXa
I've added that to Keyboard as you've shown, but ctrl+delete still doesnt clear the clipb.
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 1:25 pm
by Charlie Brown
Also try
or
(Which are actually the same, as "primary" is the default one)
in case you're using the primary. (middle button when pasting etc..)
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 1:41 pm
by fehlix
LinnitXa wrote: Thu Feb 01, 2024 4:25 pm
MX23, Desktop pc
If it's true that apps have access to the clipboard, is it not unsafe to use a password manager which pastes the passwords to the clipboard first?
The "Clipboard Manger" Clipman in Xcfe does handle both "buffers" the clipboard copy/paste buffer and the "selection" buffer.
The later is populated every time you select with mouse (or keyboard) text.
When Clipman is running it copies (and remembers) anything what is copied to the clipboard.
Trying to clean/clear the clipboard buffer won't help, b/c it's already copied to Clipman.
The default setting in MX-23.2 Xfce is to ignore the "Mouse" selection buffer and put those not into the history.
So in order to not get sensible text like password copied to Clipman and remembered,
would be not to use copy/paste but highlight/select and insert-"paste" from "selection" buffer using middle mouse.
E.g. in KeePassXC one can click view password and with the shown password select e.g with Ctrl+a or highlight manually.
The next "selection" would replace the selection buffer.
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 2:29 pm
by Charlie Brown
That's it (and my way) :)
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 3:22 pm
by txm0523
As far as clearing contents from the clipboard, I use the KDE app Sweeper. I copied that app to my desktop. Whenever I need to, I just double click on that icon, I then click Clean Up, Click OK and it's cleaned. Simple. You can find the Sweeper app under Utilities in the KDE menu. Also of note, whenever I copy anything and paste it somewhere else, like documents and spreadsheet items, KDE puts an icon in your system tray. You can click on that and clear / delete each thing listed on the clipboard. Hope that helps.
You might check and see if you can install that app through Synaptic Package Manager if you're running XFCE desktop.
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 3:28 pm
by CharlesV
txm0523 wrote: Fri Feb 16, 2024 3:22 pm
As far as clearing contents from the clipboard, I use the KDE app Sweeper. I copied that app to my desktop. Whenever I need to, I just double click on that icon, I then click Clean Up, Click OK and it's cleaned. Simple. You can find the Sweeper app under Utilities in the KDE menu. Also of note, whenever I copy anything and paste it somewhere else, like documents and spreadsheet items, KDE puts an icon in your system tray. You can click on that and clear / delete each thing listed on the clipboard. Hope that helps.
You might check and see if you can install that app through Synaptic Package Manager if you're running XFCE desktop.
You dont need this if your using keepassxc as it clears any entry it makes to the clipboard. And, I would not recommend adding this utility to an xfce install. As I recall it adds a lot of stuff.
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 3:32 pm
by txm0523
@CharlesV Good info to know. Yes, those gosh darn dependencies.
Thanks.
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 10:34 pm
by MXRobo
fehlix wrote: Fri Feb 16, 2024 1:41 pm
LinnitXa wrote: Thu Feb 01, 2024 4:25 pm
MX23, Desktop pc
If it's true that apps have access to the clipboard, is it not unsafe to use a password manager which pastes the passwords to the clipboard first?
The "Clipboard Manger" Clipman in Xcfe does handle both "buffers" the clipboard copy/paste buffer and the "selection" buffer.
The later is populated every time you select with mouse (or keyboard) text.
When Clipman is running it copies (and remembers) anything what is copied to the clipboard.
Trying to clean/clear the clipboard buffer won't help, b/c it's already copied to Clipman.
The default setting in MX-23.2 Xfce is to ignore the "Mouse" selection buffer and put those not into the history.
So in order to not get sensible text like password copied to Clipman and remembered,
would be not to use copy/paste but highlight/select and insert-"paste" from "selection" buffer using middle mouse.
E.g. in KeePassXC one can click view password and with the shown password select e.g with Ctrl+a or highlight manually.
The next "selection" would replace the selection buffer.
Can this be done in MX-21.3 Xfce?
I'm having difficulty doing this as I cannot find an insert - paste selection, but I also do not have a middle mouse button on my touchpad or my mouse.
=======================================================
And I just tried KeePassXC's Auto-type for the first time today - nice.
I may not want the browser extension - I didn't originally anyway.
Cheers!
Re: Passwords pasted to clipboard?
Posted: Fri Feb 16, 2024 10:41 pm
by Charlie Brown
I don't even use a mouse since years , just tick the option to behave as middle mouse when both buttons are pressed, in mouse&t.p. settings.(Or it can already be so by default as I can't see that option now)
Shortly, just highlight something (anything, anywhere) then press both buttons on somewhere (say in the address bar or terminal or in a text file to test).
Re: Passwords pasted to clipboard?
Posted: Sat Feb 17, 2024 12:05 am
by MXRobo
I don't use a mouse either, I pulled this two button plus scroll mouse out of the closet just to test.
I tried everything that you suggested before I posted – highlighting (anything, anywhere - - text, file, web, KeePassXC)
Still not available.
I do not have two physical buttons on the touchpad, maybe two underneath at bottom corners, still not available.
Maybe I have synclient/synaptic running instead of libinput.
In MX-Tweak → Other (MX-21.3 Xfce) I don't have this checked:
Use lipinput driver for touchpad instead of synaptics touchpad driver.
BUT in my home folder, I have a file named:
30-touchpad.conf.202303111107
that contains: Driver "libinput"
So I did try something at one time, maybe unchecked, or Timeshifted?? - if relevant.
I'm getting of the topic of this post and this isn't really important – but I am security conscious.
Thanks – Have a good day/night….
Re: Passwords pasted to clipboard?
Posted: Sat Feb 17, 2024 6:12 am
by fehlix
MXRobo wrote: Fri Feb 16, 2024 10:34 pm
Can this be done in MX-21.3 Xfce?
I'm having difficulty doing this as I cannot find an insert - paste selection, but I also do not have a middle mouse button on my touchpad or my mouse.
Maybe bind this to a kbd shortcut
which gives a mouse button middle click to "paste" the the primary "selection" buffer.
Re: Passwords pasted to clipboard?
Posted: Sat Feb 17, 2024 7:44 am
by Charlie Brown
MXRobo wrote: Sat Feb 17, 2024 12:05 am... Maybe I have synclient/synaptic running instead of libinput. ...
Nope , that's not the case, cause (MX-23.2) I had changed to Synclient here long time ago , it works and libinput on live session (with the official MX-23 iso) , that works, too , so , pressing both buttons together imitates the middle mouse "ootb" with both drivers (at least here) ...
(Same on the other "very old" laptop with MX-19)
P.S. Check the "Tap touchpad to click" in mouse and tp settings, Touchpad sub-tab.
Re: Passwords pasted to clipboard?
Posted: Sun Feb 18, 2024 3:49 am
by Kulmbacher
Charlie Brown wrote: Thu Feb 01, 2024 8:32 pm
...you can clear the clipboard whenever you like/remember or as soon as you complete the job. Install the tiny
xsel package...
Thank you CB, wonderful tiny tool :-)
Re: Passwords pasted to clipboard?
Posted: Sun Feb 18, 2024 10:29 am
by Charlie Brown
@Kulmbacher 
Re: Passwords pasted to clipboard? [Solved]
Posted: Fri Feb 23, 2024 8:03 am
by LinnitXa
Thanks for all the replies, still to digest some of them!
As my main concern was about passwords, if I was going to use a PW manager that pasted to clipboard, I think I have solved it by installing keepassxc with the browser integration.
https://keepassxc.org/docs/KeePassXC_Us ... ntegration
They say there it's secure.
Re: Passwords pasted to clipboard?
Posted: Fri Feb 23, 2024 8:07 am
by LinnitXa
fehlix wrote: Fri Feb 16, 2024 1:41 pm
LinnitXa wrote: Thu Feb 01, 2024 4:25 pm
MX23, Desktop pc
If it's true that apps have access to the clipboard, is it not unsafe to use a password manager which pastes the passwords to the clipboard first?
The "Clipboard Manger" Clipman in Xcfe does handle both "buffers" the clipboard copy/paste buffer and the "selection" buffer.
The later is populated every time you select with mouse (or keyboard) text.
When Clipman is running it copies (and remembers) anything what is copied to the clipboard.
Trying to clean/clear the clipboard buffer won't help, b/c it's already copied to Clipman.
The default setting in MX-23.2 Xfce is to ignore the "Mouse" selection buffer and put those not into the history.
So in order to not get sensible text like password copied to Clipman and remembered,
would be not to use copy/paste but highlight/select and insert-"paste" from "selection" buffer using middle mouse.
E.g. in KeePassXC one can click view password and with the shown password select e.g with Ctrl+a or highlight manually.
The next "selection" would replace the selection buffer.
Thanks, this looks interesting, I'll take a closer look later.
Re: Passwords pasted to clipboard?
Posted: Fri Feb 23, 2024 3:09 pm
by MXRobo
LinnitXa wrote: Fri Feb 23, 2024 8:03 am
Thanks for all the replies, still to digest some of them!
As my main concern was about passwords, if I was going to use a PW manager that pasted to clipboard, I think I have solved it by installing keepassxc with the browser integration.
https://keepassxc.org/docs/KeePassXC_Us ... ntegration
They say there it's secure.
I've played and used some of these post suggestions too, KeePassXC has an AutoType that will also do this, I recently used it about twice, it's nice.
IIRC and understand, the default is to use two fields, e.g. username filled, delay, password filled, which works for most sited, and it can be customized for e.g.
name, address line 1, address line 2, city, state, zip etc.
You enable it in IIRC Tools->Settings, add a keyboard shortcut, then press the shortcut when on your webpage, it then opens a scrollable window to select your KeePassXC entry, it then autofills - nice.
Also: used something like {Time: dd_mm_yyyy_hr-mm-sec) see bottom of page
https://libreddit.oxymagnesium.com/r/Ke ... e_when_it/
https://doc.qt.io/qt-5/qtime.html#toString
Good Luck!
Re: Passwords pasted to clipboard?
Posted: Fri Feb 23, 2024 3:24 pm
by MXRobo
This is in reply to post #'s 21 & 22 from fehlix and CB:
Tap to click was enabled, it'd have to be enabled otherwise the touchpad won't work.
I realized for the first time, that Clipman copies text to the history when simply highlighting text.
xinput indicates: 0: device does not have a physical middle button
==================================================
Probably not relevant, just included as I was trying to figure things out - still am.
ASUS Precision TouchPad Driver Version V16.0.0.11 – 2022/02/08
https://www.asus.com/us/laptops/for-hom ... 5-F512-AMD
But I don't know if linux needs them or if I can install as no windows on this laptop.
==============================================================
I also tried: synclient EmulateMidButtonTime=500 to no avail.
Since most synaptics touchpad models don't have a button that corresponds to the middle button on a mouse, the driver can emulate middle mouse button events. If you press both the left and right mouse buttons at almost the same time (no more than EmulateMidButtonTime milliseconds apart) the driver generates a middle mouse button event.
Code: Select all
Clipman V 1.6.2
$ xfconf-query -c xfce4-panel -lv | grep /plugins/clipman
/plugins/clipman/settings/add-primary-clipboard false
/plugins/clipman/settings/enable-actions false
/plugins/clipman/settings/history-ignore-primary-clipboard false
/plugins/clipman/tweaks/never-confirm-history-clear false
/plugins/clipman/tweaks/paste-on-activate 0
/plugins/clipman/tweaks/popup-at-pointer false
=============================================================
I tried fehlix's "xdotool click 2" but I maybe incorrectly entered it as a Keyboard Shortcut, in fact I tried several Keyboard Shortcuts for it, ("Super+2" being one of them) and now the #2 key (the horizontal ones, not keypad) does not work unless I press "Super+2".
I removed "Super+2" for "xdotool click 2" from Keyboard→ Application Shortcuts, but this still persists.
[Later prepost edit – it's fine now after rebooting.] And I will play with this some more, been busy.
Did fehlix mean to enter it as a Keyboard Shortcut or do some "binding" of which I have no experience.?
And sometimes it pastes whatever is/was highlighted and paste it in different locations, sometimes after the highlighted text, sometimes a few lines below the highlighted text.
Also, I get different symbols next to recently highlighted or copied text, i.e.; arrow right → , lock symbol, and clipboard symbol.
Again - [Later prepost edit – it's fine now after rebooting.] And I will play with this some more, been busy.
I think I could have caused problems using the Super key and "xdotool click 2", anyway it was copying and pasting very oddly, at least it appeared so to me as to have no pattern - probably me and/or the Super key - will retry later.
Ancillary curiosity questions:
Just curious - would xdotool work with devilspie 2 when manipulating windows?
Just curious - would xdotool be the thing to use if one wanted to created "spotify-client" keyboard shortcuts, or would another keyboard layout be better.
I have NO experience with keyboard layout either.
Thanks all - love this distro!