Dear people who make websites,

Do you ever block your users from being able to paste into a text field?

Why?

Do you need this ability for a good reason? What’s that reason?

Or, as a user, would you like to see it go away? Perhaps you encounter sites that prevent you from pasting your super complex password from your password manager into a password field, and wonder why they can do so?

What might be the downside of removing support of disallowing pasting from the web?

@jensimmons
The only time it has saved me is when a site asked for my password twice. I usually copy and paste it from the first. But this time I'd made a typo. Retyping it helped me validate I'd got it right.

But that's about the only time it has ever been useful for me.

@Edent @jensimmons but if the password manager is generating them for you, you should never need to type them and make a typo...
@ben @Edent @jensimmons
There's a good argument that copy pasting the password is insecure, as many OSes let all running apps read the clipboard, and some even keep a clipboard contents history.

@Br3nda @ben @Edent @jensimmons

This is only true, aiui, for Windows.

In *nix OSes, everything runs as a specific user. While I am logged in, apps I start up run as me, and only apps running as me have a chance to see my clipboard.

On Linux OSes using Wayland, there is a further wrinkle: the compositor is the only thing which can read from my clipboard.

So for something malicious to happen it has to

a. already be in the OS,
b. be running as me,
c. and be recognized by the compositor.

1/

@Br3nda @ben @Edent @jensimmons

But another thing to keep in mind is: for passwords, you do not need to use the clipboard.

With #KeepassXC's browser extension, you can have it type the password. I am sure other password database systems have similar features.

2/2 fin

I think for javascript generated content the browser extensions don't always catch the input fields (my experience with bitwarden) @amgine @Br3nda @ben @Edent @jensimmons

@dozymoe @amgine @ben @Edent @jensimmons

Also getting it set up means trusting it as a browser extension or phone keyboard or whatever other mechanism it uses.

@Br3nda @dozymoe @ben @Edent @jensimmons

Indeed. But it is signed by a multi-person encrypted key, and the browser will not allow it to run if it does not match every certificate.

I do not know enough about how it operates to be sure, but I do not believe it runs as a keyboard on a phone. I think it runs entirely within the browser.

More importantly, it is made by people whose project and passion is to secure passwords. I expect they are under greater targeted scrutiny than average.

@amgine @dozymoe @ben @Edent @jensimmons oh agreed. Not sure how the average non-tech person navigates all this.

@Br3nda @dozymoe @ben @Edent @jensimmons

😄 I think the average non-tech person does exactly what you are doing! Approaches it very cynically, with lots of caution, asks the tough questions and demands answers.

I wouldn't be too sure, there was the Lastpass breach @amgine @Br3nda

@dozymoe @Br3nda

EXACTLY‼️

Keepass is on your machine, not someone else's. When you are a website trusted by tens of thousands of people with their most-trusted passwords and certificates, you are a Big Important Target because all someone has to do is get lucky once for a big payout.

But when everyone has their passwords on their own machines distributed all over the world, the bad guys have to get lucky tens of thousands of times. And no one of them is likely to be super valuable.

@Br3nda @dozymoe @amgine @ben @Edent @jensimmons if we're not trusting the keyboard, blocking pasting becomes kind of irrelevant, no?