How to stop Android 13 from revealing your passwords

Daniel Sims

Posts: 829   +33
TL;DR: One of the features Android 13 introduced when it launched last year can be very useful in many situations, but it can also reveal sensitive information depending on how recently certain apps have been updated. Enabling autofill permissions can mitigate the danger of passwords appearing as plaintext on an Android device's clipboard.

Android 13 lets users see and edit whatever is in the clipboard, but the feature could also reveal sensitive data, like passwords, to whoever else might be looking at a device's screen. If an app doesn't mark that information as private, activating autofill in the settings can circumvent the problem.

Starting with Android 13, whenever Android users copy text, images, or other information, a bubble appears at the bottom of the screen displaying what the user just copied. From there, users have a variety of options with the clipboard's contents: they can edit, share, and use the text or images to perform actions across different apps.

The new clipboard functionality can save users a lot of time for many different tasks, but the mobile apps for password managers also usually work through the clipboard. Copying credentials from a password manager into another app could cause Android 13's clipboard to reveal that information to anyone looking at the screen, especially if the app in question hasn't received an update for Android 13.

Developers working on Android 13 must define whether or not copied text is sensitive so the clipboard knows not to display it publicly. Android 13 will also periodically automatically delete the clipboard's history when users copy sensitive information onto it.

Many password managers have received updates since Android 13's launch last summer, but not all, so some users might not be fully protected. For instance, those still using 1Password 7 must manually upgrade to 1Password 8, which has the latest updates for Android 13.

Activating autofill permissions for managers and other apps that don't mark sensitive text should make them automatically input copied text into fields, bypassing the clipboard. Users can do this by locating the autofill service in the settings screen and selecting their app of choice. The setting's location will vary depending on your Android device. Furthermore, not all devices use the standard version of Android 13.

Users should also take care to change their password manager's clipboard settings on all devices and operating systems to automatically clear copied text after a set amount of time. Some of them, like Bitwarden and Keeper, leave text in the clipboard indefinitely by default.

Permalink to story.



Posts: 117   +140
From my experience its been absolutely fine, when you copy from a password field it automatically swaps any characters for asterisks, and does so until you paste it somewhere, so I don't see the problem unless it's an app that accesses the clipboard in some convoluted way and hasn't been updated well which would then expose the clipboard contents