Hot Take Password Managers Auto-filled Credentials on Untrusted sites

HarborFront

It does copy passwords and auto-clears the clipboard after a set amount of time (which can be changed in the settings).

There's a discussion a few years back here. Apparently, the PM does NOT totally clear the clipboard history



To ensure the clipboard is totally cleared, go to Windows and disable Clipboard history as below
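The Windows setting mentioned above can also be read and changed through the registry. This is an added example, not part of the original post; it assumes the standard per-user value `EnableClipboardHistory` and the Group Policy value `AllowClipboardHistory`, and the function names are made up for illustration:

```powershell
# Added example: report (and optionally turn off) Windows clipboard history.
param([switch]$Disable)

$userKey   = 'HKCU:\Software\Microsoft\Clipboard'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-ClipboardHistoryState {
    $user   = Get-RegValue $userKey   'EnableClipboardHistory'
    $policy = Get-RegValue $policyKey 'AllowClipboardHistory'
    [pscustomobject]@{
        # A missing user value means the feature was never switched on.
        UserSetting    = if ($null -eq $user) { 'not set (off)' }
                         elseif ($user -eq 1) { 'on' } else { 'off' }
        # A policy value of 0 disables history regardless of the user setting.
        BlockedByPolicy = ($policy -eq 0)
        HistoryActive   = ($user -eq 1) -and ($policy -ne 0)
    }
}

if ($Disable) {
    # Per-user switch; create the key first if it does not exist yet.
    if (-not (Test-Path -LiteralPath $userKey)) {
        New-Item -Path $userKey -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $userKey -Name 'EnableClipboardHistory' -Value 0 -Type DWord
}

Get-ClipboardHistoryState
```

Turning history off does not empty the current clipboard item; that is still the password manager's clear timer.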

 

Arequire

There's a discussion a few years back here. Apparently, the PM does NOT totally clear the clipboard history



To ensure the clipboard is totally cleared, go to Windows and disable Clipboard history as below


I was talking about KeePass. Can't comment on Bitwarden as I've never used it.
KeePass has a setting to prevent passwords being written to clipboard history:
Screenshot 2023-01-28 150100.png


Even Keepass is not totally safe, however the creator doesn't agree:
I disagree with the developer. Obviously if a malicious actor has had physical access to someone's system then its security can no longer be assured, but the developer can make something as important as a password database harder to breach by fixing this vulnerability.

Does clipboard have access to auto-type entry feature as well?
No. Auto-type uses simulated keypresses; it doesn't copy anything to the clipboard.
 

HarborFront

I was talking about KeePass. Can't comment on Bitwarden as I've never used it.
KeePass has a setting to prevent passwords being written to clipboard history:
View attachment 272511


I disagree with the developer. Obviously if a malicious actor has had physical access to someone's system then its security can no longer be assured, but the developer can make something as important as a password database harder to breach by fixing this vulnerability.


No. Auto-type uses simulated keypresses; it doesn't copy anything to the clipboard.

Regardless, whether auto-type or copy&paste, both are unsafe methods which can be detected by a keylogger. The safest way is drag&drop, which doesn't copy anything to the clipboard
 

n8chavez

Keepass does auto-type, with a keyboard sequence. You can even enable "Two-Channel Auto-Type Obfuscation," which inserts info in a jumbled order. So, no. It's far more than simply copying and pasting. The clipboard can also be wiped after X amount of time. This could even handle @HarborFront's negative Nancy attitude.
 

Gandalf_The_Grey

Right. But if someone has physical access to your machine I think you have more pressing issues on your hands.
No, it can be done with remote access according to @Andrezj :
this method does not require physical access
by "access" they mean the attacker has gained network access to the system, such as a remote agent running on the system or a local attacker who has gained access remotely while being behind the router on the LAN
now threat actors can programmatically perform the attack, incorporate it into an infostealer that will send the password export file to a remote destination

the "poc" was done by a local hacker but that does not preclude the same poc performed by a remote attacker

the notification is not accurately written, all an attacker needs is write access to the keepass configuration file - that can be any attacker with the required permissions - local or remote
 

Andrezj

Right. But if someone has physical access to your machine I think you have more pressing issues on your hands.
the attack does not require physical access, it only requires that the user has write access permissions to the keepass configuration xml
an infostealer running in an administrative account with required ntfs permissions has write access to that file

the poc was created using a local attacker, but the same attack can be easily accomplished by a remote attacker
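Since the posts above turn on who has write access to the KeePass configuration file, here is one way to audit it. This is an added example, not part of the original posts and not KeePass's own tooling; the default per-user path `%APPDATA%\KeePass\KeePass.config.xml` and the function name `Get-WriteCapableAce` are assumptions.

```powershell
# Added example: list every identity that can modify the KeePass config file
# or the folder that holds it, and record a hash to compare on later runs.
# Assumption: default per-user location; a portable install keeps the file
# next to KeePass.exe, so pass -ConfigPath in that case.
param(
    [string]$ConfigPath = (Join-Path $env:APPDATA 'KeePass\KeePass.config.xml')
)

function Get-WriteCapableAce {
    param([Parameter(Mandatory)][string]$Path)
    # Rights that allow changing content, replacing the file, or re-ACLing it.
    $mask = [int][System.Security.AccessControl.FileSystemRights]`
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = $mask -bor 0x50000000   # GENERIC_WRITE | GENERIC_ALL in raw ACEs

    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $mask) -ne 0
    }
}

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    Write-Warning "Config file not found: $ConfigPath"
    return
}

# Identities normally expected to hold write access to a per-user profile file.
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$expected = @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$report = foreach ($target in $ConfigPath, (Split-Path -Parent $ConfigPath)) {
    Get-WriteCapableAce -Path $target | ForEach-Object {
        [pscustomobject]@{
            Target     = $target
            Identity   = $_.IdentityReference.Value
            Rights     = $_.FileSystemRights
            Inherited  = $_.IsInherited
            Unexpected = $expected -notcontains $_.IdentityReference.Value
        }
    }
}
$report | Format-Table -AutoSize -Wrap

# Baseline: store this value and alert when it changes unexpectedly.
Get-FileHash -LiteralPath $ConfigPath -Algorithm SHA256 | Select-Object Hash, Path
```

The report will always list the current user, which is the point made above: any process running under that account, local or remote, already holds the write access in question.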
 

TairikuOkami

Does clipboard have access to auto-type entry feature as well?
You wanted to ask, does the browser have access to clipboard? I have disabled it in Windows/browsers, it is "broken" in UWP apps and I always copy something afterwards to clear it.
 


Andrezj

just fyi to people... a webpage that has info fields such as name, address, email and authentication credentials can be designed to send the infos immediately once entered without the user ever having to activate a "submit" boolean\button
 

piquiteco

Correct me if I'm wrong
Yes, you are wrong. (n)
Does KeePass copy&paste passwords?
No, keepass uses Drag & Drop for other windows and form fields and also fills form fields with a hotkey and that uses obfuscated channels if configured. (y)
If yes, then any keylogger can capture what's on the clipboard, right?
No, no keylogger can capture your clipboard password, because keepass uses an area protected by Process Memory Protection. (y)
Does KeePass come with a time setting to clear the clipboard?
yes, by default keepass is set to clear the clipboard for 12 seconds, but you can set the time you want in the keepass settings.(y)
BW autofills using copy&paste passwords and it comes with a time setting to clear the clipboard. The time set to clear the clipboard can be chosen from the extension
BW does not automatically fill your logins, unless you enable the AUTO FILL box in settings, BW does not clean your clipboard after copying and pasting your login, you need to enable it in Settings->Other->Clean Clipboard options will be selected "Never" you select the time you want from 5 seconds to 5 minutes. I hope I clarified your doubts. :)
 

Andrezj

Regardless, whether auto-type or copy&paste, both are unsafe methods which can be detected by a keylogger. The safest way is drag&drop, which doesn't copy anything to the clipboard
just fyi, you are being quoted what keepass claims it is supposed to do
there is no reliable pentesting results of keepass by third party labs
microsoft changes the clipboard and other windows features on a rolling basis, so the only way to know for sure if keepass does what it says it does is to test and verify claims for yourself
just note, clipboard and clipboard history are two different processes on windows

also, even anti-keyloggers that claim they protect against auto-type or copy&paste routinely fail tests

more infos:
some protections only work if using the most popular standard (not sub-variants that are customized) browsers - chrome, firefox, edge
the protections only apply to localhost; if the website or backend is hacked, your authentication credentials go to the malefactors no matter what you do on localhost
 

Andrezj

This is good news, because I don't use an administrative account, I always use an SUA account on all my computers that I have.;)
an infostealer that, through an exploit, runs with administrator privileges on a standard user account still has full system write permissions
a standard user account is little protection for any user that downloads and installs software or against exploits
that is just how it is with limited permission account security, downloading and running anything on a system, being connected to a network

is it likely to happen to you personally? probably not, but it can happen despite using standard user account
 

HarborFront

Yes, you are wrong. (n)

No, keepass uses Drag & Drop for other windows and form fields and also fills form fields with a hotkey and that uses obfuscated channels if configured. (y)

No, no keylogger can capture your clipboard password, because keepass uses an area protected by Process Memory Protection. (y)

yes, by default keepass is set to clear the clipboard for 12 seconds, but you can set the time you want in the keepass settings.(y)

BW does not automatically fill your logins, unless you enable the AUTO FILL box in settings, BW does not clean your clipboard after copying and pasting your login, you need to enable it in Settings->Other->Clean Clipboard options will be selected "Never" you select the time you want from 5 seconds to 5 minutes. I hope I clarified your doubts. :)

Yes, drag&drop is the safest method because nothing is copied to the clipboard. Also, setting clipboard history OFF in Windows further prevents capture by a keylogger

BTW I'm thinking of using KeePassXC instead. Do you know whether it has the same drag&drop feature as KeePass?

As for BW I think the minimum time is 10s instead of the 5s you mentioned

Thanks
 

Andrezj

Yes, drag&drop is the safest method because nothing is copied to the clipboard. Also, setting clipboard history OFF in Windows further prevents capture by a keylogger

BTW I'm thinking of using KeePassXC instead. Do you know whether it has the same drag&drop feature as KeePass?

As for BW I think the minimum time is 10s instead of the 5s you mentioned

Thanks
very simple and easy test to confirm

1. open winword and notepad
2. copy-pasta some text into winword
3. in windows settings clear clipboard
4. highlight text in winword and drag it into notepad
5. try CTRL + V or right-click > paste (paste is greyed out\not available)

conclusion: drag&drop does not go to the clipboard

@HarborFront if keylogging or capture of various types is a concern to you, then why not use spyshelter? i tested it extensively about 3 years ago and it beat the keyloggers and screen capture software that i tested it against, the results convinced me and i am the really skeptical type
 

HarborFront

just fyi, you are being quoted what keepass claims it is supposed to do
there is no reliable pentesting results of keepass by third party labs
microsoft changes the clipboard and other windows features on a rolling basis, so the only way to know for sure if keepass does what it says it does is to test and verify claims for yourself
just note, clipboard and clipboard history are two different processes on windows

also, even anti-keyloggers that claim they protect against auto-type or copy&paste routinely fail tests

more infos:
some protections only work if using the most popular standard (not sub-variants that are customized) browsers - chrome, firefox, edge
the protections only apply to localhost; if the website or backend is hacked, your authentication credentials go to the malefactors no matter what you do on localhost
There are a few things I'm exploring now regarding safe data storage, ease of use and transfer between different platforms like Windows and android.

1) Use BW and self-hosting. Self-hosting is difficult to do. So unlikely using this method
2) Use KeePassXC. Can use KeePass DX for android. Storage is local. Not sure can use cloud syncing for password/vault though since both are different app
3) Cloud storage. Can subject to hacking. Unlikely to use. Need to depend on cloud provider to maintain the infrastructure to keep you safe. This also makes BW not a good choice.
4) Store software encrypted files/folders on USB flash drive. Drive need not be encrypted for easy access. So far can only find VeraCrypt (Windows) and EDS Lite (android) combo to do it.
5) Use of pricey hardware-encrypted USB flash drive i.e. those which come with a physical keypad on the drive. OS platform independent. No software required. Cannot format drive without password.

Options 2/4/5 look attractive as everything is done local. May need cloud syncing for password/vault

What do you think?

😁
 

Razza


HarborFront

If you've got experience self-hosting things and using Docker, then self-hosting BW is quite easy. If it's just a private install for one user, it's better to use the Rust port of the backend, GitHub - dani-garcia/vaultwarden: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs, which has lower resource usage than the official version.
No experience in self-hosting

BW should just create a plugin and after installation I just need to specify the local location and capacity I want to host. Job done.

🙄
 

Andrezj

There are a few things I'm exploring now regarding data storage safety, ease of use and transfer between different platforms like Windows and android.

1) Use BW and self-hosting. Self-hosting is difficult to do. So unlikely using this method
2) Use KeePassXC. Can use KeePass DX for android. Storage is local. Not sure can use cloud syncing for password/vault though since both are different app
3) Cloud storage. Can subject to hacking. Unlikely to use. Need to depend on cloud provider to maintain the infrastructure to keep you safe.
4) Store software encrypted files/folders on USB flash drive. Drive need not be encrypted for easy access. So far can only find VeraCrypt (Windows) and EDS Lite (android) to do it.
5) Use of pricey hardware-encrypted USB flash drive i.e. those which come with a physical keypad on the drive. OS platform independent.

Options 2/4/5 look attractive as everything is done local. May need cloud syncing for password/vault

What do you think?

😁
afaik keepass can be synced between pc and android, check the keepass website for plugins and other 3rd party developed forks intended to accomplish what you desire
just be forewarned that none of those products have been pentested for security issues
let me relate from firsthand experience, when you have a situation it is more than frustrating when you cannot access or otherwise obtain resources you need to resolve that situation using a digital device, especially a phone
the phone device is always the most problematic, i tried the usb flash drive method but that requires a dongle and then not forgetting it and the usb, not to mention having to carry it all the time
the usb method works ok for pc or laptop
for cross-platform ease-of-use, with reasonably high security, bitwarden cloud has performed well enough for me, even though using it on a phone can be clunky - i set a 25+ character dice generated password and set iterations to 1,000,000 years ago to ensure sufficient entropy long before the latest drama about password managers
one advantage to cloud is failover and availability across regions - availability when networks go down in one area or when traveling worldwide

1. can be done, not as difficult as you think, but then you are reliant upon 100% uptime of the hardware
2. sync is possible from what i have read
3. best all-around usability
4. a bit clunky when using a phone
5. same as 4

it is unfortunate, but we all have to make compromises
all i can suggest is for you to make a choice based upon your use-cases and your tolerance for inconvenience or complex usability
i am not advocating that you use cloud bitwarden, i am merely stating what has worked for me based upon my various experiences

lol, i have an acquaintance who wears a ring with a hidden compartment, in that compartment he stores a tiny piece of paper with critical passwords on it, and yes, he does use that when he is in a bind
 