Hot Take Password Managers Auto-filled Credentials on Untrusted sites

[HarborFront]

It does copy passwords and auto-clears the clipboard after a set amount of time (which can be changed in the settings).

There's a discussion a few years back here. Apparently, the PM does NOT totally clear the clipboard history



To ensure the clipboard is totally cleared, go to Windows and disable Clipboard history as below

Enable or Disable Clipboard History in Windows 11 Tutorial

This tutorial will show you how to enable or disable clipboard history for your account or all users in Windows 11. When you copy something on your Windows PC, it’s automatically copied to your clipboard for you to paste. Clipboard History in Windows 10 and Windows 11 lets you save multiple...

www.elevenforum.com

 

[Arequire]

There's a discussion a few years back here. Apparently, the PM does NOT totally clear the clipboard history



To ensure the clipboard is totally cleared, go to Windows and disable Clipboard history as below

Enable or Disable Clipboard History in Windows 11 Tutorial

This tutorial will show you how to enable or disable clipboard history for your account or all users in Windows 11. When you copy something on your Windows PC, it’s automatically copied to your clipboard for you to paste. Clipboard History in Windows 10 and Windows 11 lets you save multiple...

www.elevenforum.com

I was talking about KeePass. Can't comment on Bitwarden as I've never used it.
KeePass has a setting to prevent passwords being written to clipboard history:

Even Keepass is not totally safe, however the creator doesn't agree:

I disagree with the developer. Obviously if a malicious actor has had physical access to someone's system then its security can no longer be assured, but the developer can make something as important as a password database harder to breach by fixing this vulnerability.

Does clipboard have access to auto-type entry feature as well?

No. Auto-type uses simulated keypresses; it doesn't copy anything to the clipboard.

 

[HarborFront]

I was talking about KeePass. Can't comment on Bitwarden as I've never used it.
KeePass has a setting to prevent passwords being written to clipboard history:
View attachment 272511


I disagree with the developer. Obviously if a malicious actor has had physical access to someone's system then its security can no longer be assured, but the developer can make something as important as a password database harder to breach by fixing this vulnerability.


No. Auto-type uses simulated keypresses; it doesn't copy anything to the clipboard.

Regardless, whether auto-type or copy&paste, both are unsafe methods which can be detected by keylogger. The safest way is drag&drop which don't copy anything to the clipboard

 

[n8chavez]

Keepass does auto-type, with a keyboard sequence. You can even enable "Two-Channel Auto-Type Obfuscation," which inserts info in a jumbled order. So, no. It's far more than simply copying and pasting. The clipboard can also be wiped after X amount of time. This could even handle @HarborFront's negative Nancy attitude.

 

[n8chavez]

Even Keepass is not totally safe, however the creator doesn't agree:

NVD - CVE-2023-24055

nvd.nist.gov

Right. But if someone has physical access to your machine I thinking you have more pressing issues on your hands.

 

[Gandalf_The_Grey]

Right. But if someone has physical access to your machine I thinking you have more pressing issues on your hands.

No, I can be done with remote access according to @Andrezj :

this method does not require physical access
by "access" they mean the attacker has gained network access to the system, such as a remote agent running on the system or a local attacker who has gained access remotely while being behind the router on the LAN
now threat actors can programmatically perform the attack, incorporate it into a infostealer that will send the password export file to a remote destination

the "poc" was done by a local hacker but that does not preclude the same poc performed by a remote attacker

the notification is not accurately written, all an attacker needs is write access to the keepass configuration file - that can be any attacker with the required permssions - local or remote

NCSC warns of Vulnerability in Password Manager KeePass

Dutch article translated by DeepL: The Ministry of Justice and Security's National Cyber Security Center (NCSC) is warning of a vulnerability in password manager KeePass that would allow an attacker who already has access to a system to obtain data in the KeePass database, such as passwords...

malwaretips.com

 

[Andrew3000]

Regarding the CVE-2023-24055:

Security Issues - KeePass

keepass.info

 

[Andrezj]

Right. But if someone has physical access to your machine I thinking you have more pressing issues on your hands.

the attack does not require physical access, it only requires that the user has write access permssions to the keepass configuration xml
an infostealer running in an administrative account with required ntfs permssions has write access to that file

the poc was created using a local attacker, but the same attack can be easily accomplished by a remote attacker

 

[TairikuOkami]

Does clipboard have access to auto-type entry feature as well?

You wanted to ask, does the browser have access to clipboard? I have disabled it in Windows/browsers, it is "broken" in UWP apps and I always copy something aftewards to clear it.

 

[Andrezj]

just fyi to people... a webpage that has info fields such as name, address, email and authentication credentials can be desinged to send the infos immediately once entered without the user ever having to activate a "submit" boolean\button

 

[piquiteco]

Correct me if I'm wrong

Yes, you are wrong.

Does KeePass copy&paste passwords?

No, keepass uses Drag & Drop for other windows and form fields and also fills form fields with a hotkey and that uses obfuscated channels if configured.

If yes, then any keylogger can capture what's on the clipboard, right?

No, no keylogger can capture your clipboard password, because keepass uses an area protected by Process Memory Protection.

Does KeePass come with a time setting to clear the clipboard?

yes, by default keepass is set to clear the clipboard for 12 seconds, but you can set the time you want in the keepass settings.

BW autofills using copy&paste passwords and it comes with a time setting to clear the clipboard. The time set to clear the clipboard can be chosen from the extension

BW does not automatically fill your logins, unless you enable the AUTO FILL box in settings, BW does not clean your clipboard after copying and pasting your login, you need to enable it in Settings->Other->Clean Clipboard options will be selected "Never" you select the time you want from 5 seconds to 5 minutes. I hope I clarified your doubts.

 

[piquiteco]

an infostealer running in an administrative account with required ntfs permssions has write access to that file

This is good news, because I don't use an administrative account, I always use an SUA account on all my computers that I have.

 

[Andrezj]

Regardless, whether auto-type or copy&paste, both are unsafe methods which can be detected by keylogger. The safest way is drag&drop which don't copy anything to the clipboard

just fyi, you are being quoted what keepass claims it is supposed to do
there is no reliable pentesting results of keepass by third party labs
microsoft changes the clipboard and other windows features on a rolling basis, so the only way to know for sure if keepass does what it says it does is to test and verify claims for yourself
just note, clipboard and clipboard history are two different processes on windows

also, even anti-keyloggers that claim they protect against auto-type or copy&paste routinely fail tests

more infos:
some protections only work if using the most popular standard (not sub-variants that are customized) browsers - chrome, firefox, edge
the protections only apply to localhost; if the website or backend is hacked, your authentication credentials go to the malefactors no matter what you do on localhost

 

[Andrezj]

This is good news, because I don't use an administrative account, I always use an SUA account on all my computers that I have.

an infostealer that, through an exploit, runs with administrator privileges on a standard user account still has full system write permissions
a standard user account is little protection for any user that downloads and installs software or against exploits
that is just how it is with limited permission account security, downloading and running anything on a system, being connected to a network

is it likely to happen to you personally? probably not, but it can happen despite using standard user account

 

[HarborFront]

Yes, you are wrong.

No, keepass uses Drag & Drop for other windows and form fields and also fills form fields with a hotkey and that uses obfuscated channels if configured.

No, no keylogger can capture your clipboard password, because keepass uses an area protected by Process Memory Protection.

yes, by default keepass is set to clear the clipboard for 12 seconds, but you can set the time you want in the keepass settings.

BW does not automatically fill your logins, unless you enable the AUTO FILL box in settings, BW does not clean your clipboard after copying and pasting your login, you need to enable it in Settings->Other->Clean Clipboard options will be selected "Never" you select the time you want from 5 seconds to 5 minutes. I hope I clarified your doubts.

Yes, darg&drop is the safest method because nothing is copied to the clipboard. Also, setting clipboard history OFF in Windows further prevent capture by keylogger

BTW I'm thinking of using KeePassXC instead. Do you know whether it has the same drag&drop feature as KeePass?

As for BW I think the minimum time is 10s instead of the 5s you mnetioned

Thanks

 

[Andrezj]

Yes, darg&drop is the safest method because nothing is copied to the clipboard. Also, setting clipboard history OFF in Windows further prevent capture by keylogger

BTW I'm thinking of using KeePassXC instead. Do you know whether it has the same drag&drop feature as KeePass?

As for BW I think the minimum time is 10s instead of the 5s you mnetioned

Thanks

very simple and easy test to confirm

1. open winword and notepad
2. copy-pasta some text into winword
3. in windows settings clear clipboard
4. highlight text in winword and drag it into notepad
5. try CTRL + V or right-click > paste (paste is greyed out\not available)

conclusion: drag&drop does not go to the clipboard

@HarborFront if keylogging or capture of various types is a concern to you, then why not use spyshelter? i tested it extensively about 3 years ago and it beat the keyloggers and screen capture software that i tested it against, the results convinced me and i am the really skeptical type

 

[HarborFront]

just fyi, you are being quoted what keepass claims it is supposed to do
there is no reliable pentesting results of keepass by third party labs
microsoft changes the clipboard and other windows features on a rolling basis, so the only way to know for sure if keepass does what it says it does is to test and verify claims for yourself
just note, clipboard and clipboard history are two different processes on windows

also, even anti-keyloggers that claim they protect against auto-type or copy&paste routinely fail tests

more infos:
some protections only work if using the most popular standard (not sub-variants that are customized) browsers - chrome, firefox, edge
the protections only apply to localhost; if the website or backend is hacked, your authentication credentials go to the malefactors no matter what you do on localhost

There are a few things I'm exploring now regarding safe data storage, ease of use and transfer between different platforms like Windows and android.

1) Use BW and self-hosting. Self-hosting is difficult to do. So unlikely using this method
2) Use KeePassXC. Can use KeePass DX for android. Storage is local. Not sure can use cloud syncing for password/vault though since both are different app
3) Cloud storage. Can subject to hacking. Unlikely to use. Need to depend on cloud provider to maintain the infrastructure to keep you safe. This also makes BW not a good choice.
4) Store software encrypted files/folders on USB flash drive. Drive need not be encrypted for easy access. So far can only find Verycrypt (Windows) and EDS Lite (android) combo to do it.
5) Use of pricey hardware-encrypted USB flash drive i.e. those which come with a physical keypad on the drive. OS platform independent. No software required. Cannot format drive without password.

Options 2/4/5 look attractive as everything is done local. May need cloud syncing for password/vault

What do you think?

 

[Razza]

Use BW and self-hosting. Self-hosting is difficult to do. So unlikely using this method

If you got experience self hosting thing and using docker then self hosting bw is quite easy if it just private install just one user better to use the rust port of the backed GitHub - dani-garcia/vaultwarden: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs lower resource usage than official version.

 

[HarborFront]

If you got experience self hosting thing and using docker then self hosting bw is quite easy if it just private install just one user better to use the rust port of the backed GitHub - dani-garcia/vaultwarden: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs lower resource usage than official version.

No experience in self-hosting

BW should just create a plugin and after installation I just need to specify the local location and capacity I want to host. Job done.

 

[Andrezj]

There are a few things I'm exploring now regarding data storage safety, ease of use and transfer between different platforms like Windows and android.

1) Use BW and self-hosting. Self-hosting is difficult to do. So unlikely using this method
2) Use KeePassXC. Can use KeePass DX for android. Storage is local. Not sure can use cloud syncing for password/vault though since both are different app
3) Cloud storage. Can subject to hacking. Unlikely to use. Need to depend on cloud provider to maintain the infrastructure to keep you safe.
4) Store software encrypted files/folders on USB flash drive. Drive need not be encrypted for easy access. So far can only find Verycrypt(Windows) and EDS Lite (android) to do it.
5) Use of pricey hardware-encrypted USB flash drive i.e. those which come with a physical keypad on the drive. OS platform independent.

Options 2/4/5 look attractive as everytbing is done local. May need cloud syncing for password/vault

What do you think?

afaik keepass can be synced between pc and android, check the keepass website for plugins and other 3rd party developed forks intended to accomplish what you desire
just be forewarned that none of those products have been pentested for security issues
let me relate from firsthand experience, when you have a situation it is more than frustrating when you cannot access or otherwise obtain resources you need to resolve that situation using a digital device, especially a phone
the phone device is always the most problematic, i tried the usb flash drivemethod but that requires a dongle and then not forgetting it and the usb, not to mention having to carrry it all the time
the usb method works ok for pc or laptop
for cross-platform ease-of-use, with reasonably high security, bitwarden cloud has performed well enough for me, even though using it on a phone can be clunky - i set a 25+ character dice generated password and set interations to 1,000,000 years ago to ensure sufficient entropy long before the latest drama about password managers
one advantage to cloud is failover and availability across regions - availablility when networks go down in one area or when traveling worldwide

1. can be done, not as difficult as you think, but then you are reliant upon 100% uptime of the hardware
2. sync is possible from what i have read
3. best all-around usability
4. a bit clunky when using a phone
5. same as 4

it is unfortunate, but we all have to make compromises
all i can suggest is for you to make a choice based upon your use-cases and your tolerance for inconvenience or complex usability
i am not advocating that you use cloud bitwarden, i am merely stating what has worked for me based upon my various experiences

lol, i have an aquaintance who wears a ring with a hidden compartment, in that compartment he stores a tiny piece of paper with critical passwords on it, and yes, he does use that when he is in a bind