
What's the benefit of doing it that way?


He gets to have the added insecurity of putting it on his clipboard for other programs to see on the way by.

/s

I actually can't imagine how it could be safer than having the password manager do it directly.


> He gets to have the added insecurity if putting it on his clipboard for other programs to see on the way by.

If the local system is trustworthy, then none of the other programs are sniffing the clipboard looking to harvest passwords. And therefore there is no issue here.

If the local system is untrustworthy and contains malware sniffing the clipboard looking to harvest passwords, then using or not using a password manager is irrelevant [1]. Instead there is a bigger issue needing cleaning up, that of returning the local system to a trustworthy state.

[1] because an untrustworthy local system running clipboard sniffing malware is also likely running key logging malware, so even if the passwords were only ever memorized they will still get captured whenever they are typed in.


A password can end up on the clipboard and get picked up by some utility, stored in a history, log or swap file or otherwise get misplaced - this doesn't require a compromised system full of malicious software, just bugs and/or unexpected or unintended behaviour or interactions, which are fairly common.


This is not necessarily true. iOS, for example, does not allow for key logging but will happily allow Facebook to grab whatever you have on your clipboard, which it does of course because it's Facebook.


I think I've spotted iOS clearing the clipboard if you task-switch after pasting the contents into a password input field. Which is presumably precisely to defend against this kind of data theft.


Huh, this must be new. I'll look into it; it's nice to hear that this security loophole is at least partially fixed!


Unless you're running a clipboard history program. I know at least two people that use such software; it basically saves the past 10 or so clipboard contents for later use.


One possible way to exploit this is:

  - user copy-and-pastes password
  - user forgets to clear clipboard
  - user opens a link in a new tab with middle-click
  - link was actually a text form
  - middle-click pasted the password into the textfield
(only on platforms with middle-click configured as paste)

I noticed this when I had an image url in my clipboard and tried to open a link on imgur.com in a new tab. Instead of opening the link, the image url in my clipboard was uploaded.


A lot of password managers clear or restore the clipboard after a short period.
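The "clear or restore after a short period" behaviour mentioned above has one edge case worth seeing in code: the manager must only wipe the clipboard if it still holds the secret, otherwise it would clobber whatever the user copied afterwards. The following is an added example, not code from any of the password managers discussed in this thread; the `Clipboard` class is a constructed stand-in for the OS clipboard so the logic runs offline, and `simulate` uses a fake clock instead of real time.

```python
"""Model of "copy secret to clipboard, clear or restore it after a timeout".

Added example; not taken from any real password manager. Clipboard is a
constructed stand-in for the platform clipboard API.
"""
import hmac
import time
from typing import Callable, Optional, Tuple


class Clipboard:
    """Constructed stand-in for the system clipboard (no OS calls)."""

    def __init__(self) -> None:
        self.content: str = ""

    def set(self, text: str) -> None:
        self.content = text

    def get(self) -> str:
        return self.content


class TimedSecretCopy:
    """Copy a secret to the clipboard and undo that copy after `ttl` seconds.

    The undo step fires only if the clipboard still holds the secret. If the
    user copied something else in the meantime, overwriting it would destroy
    their data and, if we restored the pre-copy contents, re-expose old text.
    """

    def __init__(self, clipboard: Clipboard, ttl: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.clipboard = clipboard
        self.ttl = ttl
        self.clock = clock  # injectable so the behaviour can be simulated
        self._secret: Optional[str] = None
        self._previous: Optional[str] = None
        self._deadline: Optional[float] = None

    def copy_secret(self, secret: str) -> None:
        # Remember what was there so it can be put back later.
        self._previous = self.clipboard.get()
        self._secret = secret
        self._deadline = self.clock() + self.ttl
        self.clipboard.set(secret)

    def tick(self) -> str:
        """Call periodically (e.g. from a timer thread). Returns what it did."""
        if self._secret is None or self._deadline is None:
            return "idle"
        if self.clock() < self._deadline:
            return "pending"
        current = self.clipboard.get()
        # Constant-time comparison since the value is a credential.
        if hmac.compare_digest(current.encode(), self._secret.encode()):
            self.clipboard.set(self._previous or "")
            outcome = "restored" if self._previous else "cleared"
        else:
            # The user copied something else; do not touch it.
            outcome = "left_alone"
        self._secret = self._previous = self._deadline = None
        return outcome


def simulate(user_copies_in_between: bool) -> Tuple[str, str]:
    """Run one copy/expiry cycle on a fake clock; return (outcome, clipboard)."""
    now = [0.0]  # constructed clock, advanced manually
    cb = Clipboard()
    cb.set("some earlier text")
    guard = TimedSecretCopy(cb, ttl=30.0, clock=lambda: now[0])
    guard.copy_secret("constructed-example-password")
    assert guard.tick() == "pending"  # still inside the ttl window
    if user_copies_in_between:
        cb.set("meeting at 3pm")
    now[0] += 31.0  # advance past the deadline
    return guard.tick(), cb.get()


if __name__ == "__main__":
    print(simulate(False))  # secret wiped, earlier text restored
    print(simulate(True))   # user's newer copy left untouched
```

Note that this only limits the window during which the secret sits on the clipboard; as the thread points out, a clipboard history tool will already have captured it, and the restore path deliberately does nothing once the user has copied something else.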


My manager autoclears the paste buffer.


I've seen some CVEs where malicious websites induce your browser to autofill (basically steal passwords).

So the intention is that I stop some script from siphoning my passwords.

This admittedly opens me up to phishing, but to mitigate I also have containers set up for various facets of my life.

(So it's a big red flag if what's supposedly my bank doesn't open in the "bank" container.)

Edit: I also value storing the database locally versus "in the cloud"


That's why you should turn off auto-fill.


This is why most password managers no longer autofill without user interaction.


Your web browser doesn't have any connection to your password manager. Who knows what your web browser is doing, why would you give it any access to your credentials?


How can you not give your browser your credentials? Do you log in on a site using curl and manually copy session cookies?


You can manually copy over one credential at a time - no need to connect the browser to your entire bucket of credentials.


The Safari browser can be linked to the Keychain Manager, both products coming from Apple.


Makes you use the password manager credentials to access your login credentials for other services. Works to stop nosy coworkers, siblings, spouses, etc.


Not sure I understand your point here. You need to use your password manager credentials to autofill also (at least for 1Password). The only reason to copy/paste is if you don't think your password manager will put the right info into the right boxes.



