You should change your password manager's clipboard settings now

Daniel Sims

PSA: Password managers are probably the safest way to establish and manage secure passwords, but they aren't bulletproof. One security setting in particular is perhaps a bit too lax in some managers, which could give attackers a way to grab users' passwords in certain situations.

If you use a password manager, check the setting that controls how quickly it clears copied text from the clipboard: reading secrets out of the clipboard is a common tactic of malware and other malicious actors, because the clipboard is shared with every process on the machine.

Some password managers, including Bitwarden and Keeper, never clear the clipboard with their default settings. That means that once you copy a username or password from either of those managers, it sits in the clipboard indefinitely, readable by any other application on your system. PCWorld notes that cloud clipboard features, which sync clipboard contents across devices, could expose that information to other apps even if you never paste the text.

The setting that makes your password manager clear the clipboard after a set amount of time is found under Settings in Keeper and NordPass and under Settings > Options in Bitwarden. It is a per-client setting, so check it separately in each manager's desktop app, mobile app, and browser extension. NordPass defaults to 30 seconds, and it would be prudent for other password manager developers to change their defaults to something similar.
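The behaviour that setting enables is simple enough to show in code. The following Python script is an added example written for this page, not code from Bitwarden, Keeper, NordPass or any other product: it copies a secret, then wipes the clipboard after a timeout, but only if the clipboard still holds the secret, so that something the user copied in the meantime is not clobbered. The `MemoryClipboard` backend is a constructed stand-in so the script runs offline and can be checked; `SystemClipboard` assumes `pbcopy`/`pbpaste` (macOS) or `xclip` (X11) is installed and is only used when the script is run with `--system`. The sample secret is made up.

```python
"""Copy a secret to the clipboard and wipe it after a timeout.

Added illustration of a password manager's "clear clipboard" setting;
not code from any password manager. MemoryClipboard is a constructed
stand-in for the system clipboard; SystemClipboard assumes pbcopy/pbpaste
or xclip is installed (assumption about the host, only used with --system).
"""
import shutil
import subprocess
import sys
import threading


class MemoryClipboard:
    """In-memory clipboard. Anything holding a reference can read it, which
    mirrors the property that makes the real clipboard risky: it is shared
    with every application on the machine."""

    def __init__(self) -> None:
        self.text = ""

    def read(self) -> str:
        return self.text

    def write(self, text: str) -> None:
        self.text = text


class SystemClipboard:
    """Best-effort system backend via command-line clipboard tools
    (assumed present: pbcopy/pbpaste on macOS, xclip on X11)."""

    def __init__(self) -> None:
        if shutil.which("pbcopy") and shutil.which("pbpaste"):
            self._copy, self._paste = ["pbcopy"], ["pbpaste"]
        elif shutil.which("xclip"):
            self._copy = ["xclip", "-selection", "clipboard", "-in"]
            self._paste = ["xclip", "-selection", "clipboard", "-out"]
        else:
            raise RuntimeError("no supported clipboard tool found")

    def read(self) -> str:
        # check=False: xclip exits non-zero when the selection is empty.
        return subprocess.run(self._paste, capture_output=True, text=True, check=False).stdout

    def write(self, text: str) -> None:
        subprocess.run(self._copy, input=text, text=True, check=True)


def copy_with_timeout(secret: str, clear_after: float, clipboard) -> threading.Timer:
    """Put `secret` on `clipboard` and schedule a wipe `clear_after` seconds later.

    The wipe fires only if the clipboard still holds the secret. If the user
    has copied something else in the meantime, the secret is already gone and
    overwriting the new contents would just be a usability bug."""
    clipboard.write(secret)

    def clear_if_unchanged() -> None:
        if clipboard.read() == secret:
            clipboard.write("")

    timer = threading.Timer(clear_after, clear_if_unchanged)
    timer.daemon = True  # never keep the process alive just to wipe
    timer.start()
    return timer


def demo(clear_after: float = 0.2) -> dict:
    """Exercise both paths against the in-memory clipboard and return booleans."""
    secret = "correct-horse-battery-staple"  # constructed sample, not a real credential
    results = {}

    cb = MemoryClipboard()
    timer = copy_with_timeout(secret, clear_after, cb)
    results["readable_before_timeout"] = cb.read() == secret
    timer.join()
    results["cleared_after_timeout"] = cb.read() == ""

    cb = MemoryClipboard()
    timer = copy_with_timeout(secret, clear_after, cb)
    cb.write("meeting notes")  # user copies something else before the timeout
    timer.join()
    results["user_text_preserved"] = cb.read() == "meeting notes"

    return results


if __name__ == "__main__":
    if "--system" in sys.argv:
        # Real clipboard: paste within 30 s (NordPass's default), then it is gone.
        copy_with_timeout("correct-horse-battery-staple", 30, SystemClipboard()).join()
        print("clipboard wiped")
    else:
        print(demo())
```

Two caveats the timeout does not address: a clipboard history or cloud clipboard feature (the PCWorld point above) keeps its own copy of everything placed on the clipboard, so wiping the live clipboard does not remove what was already synced or logged; and a process that polls the clipboard every few hundred milliseconds will still catch the secret during the window, however short. The timeout limits exposure, it does not eliminate it.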

Two password managers have suffered attacks over the last few months. LastPass was hit in December. The company initially said the incident wasn't cause for alarm among ordinary users, but later that month it revealed that the attackers had obtained customer vault data, including usernames and encrypted passwords. Decrypting a stolen vault means cracking its master password offline; that takes a determined attacker, but it is far from impossible against a weak master password. LastPass users should at least change their passwords and possibly consider another password manager.

Earlier this month, Norton Password Manager withstood a less serious but still concerning attack. Someone used a credential stuffing attack to make mass login attempts with a collection of usernames and passwords stolen in other data breaches. Unlike the LastPass incident, no one breached the internal systems of operator Gen Digital (formerly NortonLifeLock and, before that, Symantec), and anyone who uses two-factor authentication should be safe.

While changing your password manager's clipboard setting, it's also good to take a tour of the other security settings. They let users control things like login methods, how often the manager locks itself, how it handles authenticator keys, and other important features.


 
That means that once you use a password with either of those managers, your username and password sit in the clipboard indefinitely, accessible to any other application on your system.

Not on iPhones with iOS 16.1 or newer. iOS asks you if you want to allow the app to read its content. According to Statcounter, the feature is already present on 44.83% of all iOS devices worldwide.


You see, this is the kind of sentiment I like about iOS. Apple think of themselves, obviously, but they also think of me with safeguards like this. This feature protects me, the user, from app developers. Much like the lack of sideloading, and mandatory Apple Pay, among others. Which safeguards, for some reason, certain users are so keen on dismantling.

I really don't understand though. You have the choice. You want an open system? Fine. Use Android. Leave iOS alone for the rest. I like my iPhone because of the restrictions it imposes on the developers, not despite them. I want developers to be restricted, very much, I don't want any kind of "openness" on my phone, you know, the device that contains all my personal info, authenticator codes, passwords, contacts, credit cards, everything.

The lack of sideloading or payment alternatives doesn't "restrict" me in any way, quite the opposite. It's extremely convenient to use a single solution for everything. And it's also safer at the same time. It's a pure win for me.

It's probably the same reason why people who switch from Android to iOS keep turning on and off GPS, BT, etc. on their phones all the time. Instead of just permanently restricting the apps they don't want to use those (they're restricted by default). They're so used to not being in control on their "open system".
 
I really don't understand though. You have the choice. You want an open system? Fine. Use Android. Leave iOS alone for the rest. I like my iPhone because of the restrictions it imposes on the developers, not despite them. I want developers to be restricted, very much, I don't want any kind of "openness" on my phone, you know, the device that contains all my personal info, authenticator codes, passwords, contacts, credit cards, everything.

The lack of sideloading or payment alternatives doesn't "restrict" me in any way, quite the opposite. It's extremely convenient to use a single solution for everything. And it's also safer at the same time. It's a pure win for me.

It's probably the same reason why people who switch from Android to iOS keep turning on and off GPS, BT, etc. on their phones all the time. Instead of just permanently restricting the apps they don't want to use those (they're restricted by default). They're so used to not being in control on their "open system".
Yeah, I agree with you. I don't want iOS to turn into the malware ridden hellscape that is Android and Windows. Leave iOS alone. If you want openness? Go to Android. See? Choice!
 
In Sticky Password, a manager I rarely see mentioned in articles about these tools, you cannot set clipboard password retention longer than 30 seconds. It is automatically deleted after this delay.
You also have the choice to store your passwords in the cloud, encrypted with the same password as your PC, or not; you can synchronize across multiple computers via Wi-Fi, and even with the mobile Android app. I bought it more than 10 years ago and had to pay for an update only once, and the price is around $20. Give it a try, it's the best paid password manager I've tried. KeePass, a free app, is also worth a look.
 
This is why I don't use password managers. I have my own system of gobbledeegook passwords that I have in my head. They're combinations of letters, numbers and symbols that I recognise and they're not in any specific pattern that couldn't be anticipated by someone else.
 
This is why I don't use password managers. I have my own system of gobbledeegook passwords that I have in my head. They're combinations of letters, numbers and symbols that I recognise and they're not in any specific pattern that couldn't be anticipated by someone else.
I have too many passwords to remember them all. I do like what my buddy suggested, though, that is very long passwords that are somewhat easy to remember. Something like, Thisismypa$$wordandonlyIknowit. The longer the better, but clearly, a pain to type in every time.
 
No offence but if your clipboard is accessed you have more things to be worried about than your passwords. Someone is in your house.
 
Yeah, I agree with you. I don't want iOS to turn into the malware ridden hellscape that is Android and Windows. Leave iOS alone. If you want openness? Go to Android. See? Choice!

It is about personal choice and not being locked into an ecosystem that doesn't allow for alternatives. If the choice is given, IT DOESN'T AFFECT YOU. You can merrily continue the way you have with official Apple app store programs. BUT NOT PROVIDING alternatives DOES affect others who do want freedom of choice. I used both ecosystems, and never had I gotten malware on my Android because I vet the apps I installed. I don't sideload questionable apps on the same device that contains my financial and personal data. I wouldn't even jailbreak an iPhone if it has my banking apps on it even though many banking apps won't work on jailbroken devices. But on devices that I don't leave my personal information on like tablets (iPads) or streamers, I have no problems since hackers wouldn't get a useful thing out of it. Same with Windows. The last time I had gotten a virus was probably in 2002 because I am wiser about the sites I use and what I click on.

The best protection against phishing and malware is education, not the OS you run.
 
I'm not saying clipboard attacks are an invalid attack vector but the amount of hand wringing in this article is just ridiculous. There's a not so subtle implication that having your password indefinitely in your clipboard could lead to the type of attack we saw with LastPass which.. nah. Even the Norton Password Manager attack wasn't anything CLOSE to what you'd need to do a clipboard attack.

These FUD-ish articles only serve to make people anxious about using password managers as oddly enough verified by some of these comments if they're to be believed. The truth is even using LastPass with indefinite clipboard is still safer than not using a password manager. Security articles should focus on realistic mitigation and pushing password managers is WAY better than not using them and knowing what vectors are more likely than others can be a nice guide post rather than a scare tactic.

The only interesting thing about this iOS vs Android discussion is that it shows that some iOS users don't understand why we use Android phones. I don't side load apps. I use Google Pay. But something simple like being able to put a folder of MP3s (audiobook) onto my phone without syncing it to a specially branded computer is super helpful. The point of "choice" is that it puts the power of choice in your hands. You can choose whether you want to be walled into the garden or open the doors and go out. On Android you have that choice. On iOS you're locked in whether you want to be or not. The difference between locked in and secured is almost paper thin and the problem with being locked in is that it doesn't benefit you.. it benefits Apple. They can charge what they want, change what they want and you have no say, no alternative option if you're locked in. On Android you can block apps from permissions. You can download all your apps from a trusted source. There are differences between the OSes and benefits and risks to weigh but you can't embrace the walled garden without acknowledging it means you put Apple in charge of what you know about the outside. And Apple doesn't care about you. They care about Apple and how to make more money.

 
And there I thought that clearing the clipboard was a standard feature, on by default. It doesn't matter how safe your clipboard is in your OS of choice, there is absolutely no point in not clearing it after some time. I use KeePass2 and that will clear it after 12s, and I find that plenty of time to paste it, while still not being overly long in case I then copy something else.
 
Personally I don't care for Apple's lockdowns one bit; and (just like on any other general-purpose computing device) on my Android devices I just don't install anything sketchy and I have not had problems. But I do realize some people will just click on whatever and get infected; some will get confused or indecisive if given too many choices; and some (even if too many choices isn't confusing) just want things to be kept simple for aesthetic and usability reasons. No problem!

I note here, I do think iOS has somewhat tighter app permission handling, but Android DOES deny permissions by default, and (Android didn't use to do this) it also revokes permissions after an app hasn't been used for a while. More recently they also have an option to grant a permission "Only this time."
 