#1117 Dragging Password shouldn't copy to clipboard-security risk


1) During another discussion, discovered when using the drag password or user name icons (in v3.31), it copies the values to clipboard. Only when PWS is minimized, is clipboard cleared - which may be a good while.

2) Regardless, AFAIK, no need for drag / drop to copy values to clipboard.
Copying PW to clipboard - ever - increases security risk. Normally shouldn't be needed to log in & should probably be generally avoided. Seems like copying to clipboard only makes it easier for malware.

3) If dragging a PW straight to a site's login field, why copy to clipboard? Explorer or most apps don't use clipboard if dragging files / objects to another window or another folder. Would lots of users paste the PW - AGAIN - somewhere, when logging into a site?

4) There's already a separate "copy PW to clipboard" icon.

5) If there's an odd reason UN & PW MUST be copied to clipboard, using drag & drop, time it remains there should be limited; possibly adjustable by option.


  • DrK

    DrK - 2013-09-02

    As you yourself said in another item:
    "When dragging the PWS "drag" icons, on some sites (w/ quite large / tall entry fields), the tip of cursor arrow must be positioned w/in VERY SMALL tolerance - almost EXACT vertical center of field."

    Therefore, the dragged item is placed in the clipboard so that the user can paste it in the field should they not get the drag to work.

    BTW - The exact positioning is a function of that site's web page designer and/or the browser not PWS.


  • Brittney Smith

    Brittney Smith - 2013-09-02

    Simples? No, not simple. Not necessary in most cases & security issue. We ARE security conscious, aren't we?

    I wasn't blaming about difficulty of drag / dropping PWS data in login fields - just observation.

    When SMALL % of sites are difficult to drop UN or PW into login fields, THAT'S what "copy PW (& UN) to clipboard" should be for.

    NOT copy them to clipboard every time "drag & drop" icons / feature is used, unnecessarily creating extra security risks.

    I'd guess 95% or > of time drag & drop's used, data copied to clipboard is never used. For few times drag & drop won't work, already TWO easy ways to copy data to clipboard.

    (1) Icons on toolbar &
    (2) R click entry > copy UN / PW.
    [Don't think Help - mini chart (concise) really explains drag & drop, or is clear as could be, but would be useful.]

    After couple of times, users know which sites don't work w/ drag & drop, so then just use copy / paste or autotype. "Simple." :)

    Autotype (correctly) doesn't copy data to clipboard. On a tiny % of sites it doesn't work (& it doesn't), security issues aside, is it much trouble to copy items to clipboard (if needed), OR use drag & drop? When, if must use drag & drop, I'd rather data not be copied to clipboard, for security reasons.

    Help file section on available methods in PWS to enter data could use bit 'o clarification & updating. I'd be happy to submit updated draft.

    Last edit: Brittney Smith 2013-09-02
  • Rony Shapiro

    Rony Shapiro - 2013-09-02
    1. Thanks for offering to clarify and update the help file - now's the perfect time to do this, as we're about to start the release cycle for 3.32. Please contact me directly if you'd like to edit the help file source directly.
    2. As a mitigation for the clipboard issue, note that PasswordSafe will clear the clipboard when it locks if the contents of the clipboard at the time came from PasswordSafe.
  • Brittney Smith

    Brittney Smith - 2013-09-02

    "As a mitigation for the clipboard issue, note that PasswordSafe will clear the clipboard when it locks if the contents of the clipboard at the time came from PasswordSafe."

    I realize that. And it's fine - to a point. The fact that the data get copied to clipbd AT ALL, creates security risk.

    One can't "close PWS" fast enough to keep malware from reading the clipboard. That's like outrunning lightning.

    With all other options available to users to "copy UN / PW", for security reasons, no point that I (or most security experts I've read discussing such) see to copy data to clipboard - every time - if using drag & drop, or other methods - unless absolutely necessary (not necessary, here).

    Using drag & drop, data copied to clipboard is rarely used.

    It creates additional security risks.

    Two other easy methods exist to copy data to clipboard, when needed.

    1000 points of light.
    Stay the course.
    No new taxes.

  • DrK

    DrK - 2013-09-03

    Being in a perverse mood today - if

    "One can't "close PWS" fast enough to keep malware from reading the clipboard. That's like outrunning lightning."

    Then you can't stop your malware keyboard logger from intercepting AutoType either.

    Solution 1: Don't turn on your PC/laptop - use as an expensive paperweight instead.
    Solution 2: Don't connect to the big bad internet. Use snail mail or telephone (assuming no one is listening that is). Sorry - due to Global Warming and air-quality controls, Smoke Signals are no longer allowed.
    Solution 3: Never install untrusted software and use a reputable anti-virus, anti-malware product just in case.
    Solution 4: Don't use any password manager but keep all your IDs and passwords written down in an old Filofax, assuming you can still get the paper inserts. If you can't get the inserts, then I understand Post-It Notes (colour coded for the type of information they protect) stuck on the bottom of keyboards is a good alternative!

  • Brittney Smith

    Brittney Smith - 2013-09-03

    Now you're just being silly. :D You have a really good product.

    Glad you brought up the need for obfuscation. :D

    I assumed (I think correctly) because PWS was modified so:

    • when browsing to URL, nothing is copied to clipboard. Why was that changed?

    • autotype doesn't copy anything to clipboard (it may never have - dunno).

    then there was a reason for the change(s).

    If no reason for that / those change(s) or behavior, why do it? Just copy everything (or nothing?) that's clicked to the clipboard.

    Your tongue in cheek :) suggestions imply, because changes won't make an (any) app 100% safe, it has NO value. Not true. It's always (& only) matter of trying to swing the odds in our favor.

    Can only try to make apps safeER & SOMEwhat harder for malware, but NEVER 100% safe. ALL devs continue changing apps to make safeER.

  • Rony Shapiro

    Rony Shapiro - 2014-07-06

    This was resolved in commit 97cfca9 as follows:

    The default behavior is now the secure one, that is, the specified text is not copied to the clipboard. However, if the Control key is pressed when the left mouse button is clicked on a dragbar icon, then the specified text is copied to the clipboard in addition to being pasted when dropped.

    This allows people who want the "copy to clipboard" behavior to get it, while providing a secure (clipboard free) default.

  • Rony Shapiro

    Rony Shapiro - 2014-07-06
    • status: open --> pending
    • assigned_to: Rony Shapiro
  • Rony Shapiro

    Rony Shapiro - 2014-07-15
    • status: pending --> closed
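
Added example (not Password Safe's own code, and not part of any post above): a small Python model of the two behaviours described in this ticket, the clipboard-free drag default with Ctrl as the opt-in, and the lock-time clearing of clipboard contents that came from the application. The in-memory `Clipboard`, the `DragBar` class and the digest comparison are assumptions made for illustration.

```python
import hashlib
import hmac


class Clipboard:
    """Constructed in-memory stand-in for the OS clipboard (assumption)."""
    def __init__(self):
        self.text = ""


class DragBar:
    """Models the behaviours discussed in the ticket; all names are hypothetical."""

    def __init__(self, clipboard):
        self.clipboard = clipboard
        self._digest = None  # SHA-256 of the last value we put on the clipboard

    def _copy(self, secret):
        self.clipboard.text = secret
        # Keep only a digest, so no second plaintext copy outlives the drag.
        self._digest = hashlib.sha256(secret.encode()).digest()

    def drag(self, secret, ctrl_pressed=False):
        """Return the drop payload; touch the clipboard only on explicit opt-in."""
        if ctrl_pressed:
            self._copy(secret)
        return secret

    def on_lock(self):
        """Clear the clipboard only if it still holds what we put there."""
        if self._digest is None:
            return False
        current = hashlib.sha256(self.clipboard.text.encode()).digest()
        ours = hmac.compare_digest(current, self._digest)
        if ours:
            self.clipboard.text = ""
        self._digest = None
        return ours


def demo():
    cb = Clipboard()
    bar = DragBar(cb)
    cb.text = "user's own notes"             # unrelated content already present
    bar.drag("s3cret-constructed")            # default drag: clipboard untouched
    default_untouched = cb.text == "user's own notes"
    bar.drag("s3cret-constructed", ctrl_pressed=True)
    opted_in = cb.text == "s3cret-constructed"
    cleared = bar.on_lock() and cb.text == ""  # ours, so cleared on lock
    bar.drag("s3cret-constructed", ctrl_pressed=True)
    cb.text = "something the user copied later"
    kept = not bar.on_lock() and cb.text != ""  # not ours, so left alone
    return default_untouched, opted_in, cleared, kept
```

The lock-time check narrows how long a copied secret stays on the clipboard; only the default drag path avoids placing it there at all.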

