
Re: Password managers



On 15/11/2023 15:40, Michel Verdier wrote:
On 2023-11-15, Max Nikulin wrote:

For Chromium it is better to have a password manager
(gnome-keyring/kwallet/keepassxc/etc.) with D-Bus interface. It needs
a key to encrypt passwords saved in browser and likely cookie store.
Encryption is not applied otherwise.
What about Firefox then? Does it work with password managers with a
D-Bus interface?

keepassxc has a plugin for firefox

A browser extension should be a significantly better option than using the clipboard for passwords for various sites. (I hope it is properly implemented.) I am unsure if it works for Mozilla accounts since add-ons are not allowed to interact with some Mozilla sites.

As to the D-Bus Secret Storage API, Chrome has no master password dialog; it can use only the user keyring. Firefox has its own dialog but does not support getting it through D-Bus. Both browsers have their own storage for site passwords. KeePassXC declares support for the Secret Storage API, so it should be suitable for storing the Chrome master key. Certainly users may choose to keep their passwords for sites in KeePassXC, not in browser-specific storage.

Firefox stores cookies (and so authentication tokens for active logins) without encryption:
https://bugzilla.mozilla.org/show_bug.cgi?id=56788
and a number of duplicates.

Pass(1) sets a timer and removes the password from the clipboard after
that time has expired.

I am unsure if listening for clipboard change events is currently implemented
in browsers. Such a feature defeats timeouts. Its fair use is clipboard managers
specifically for ChromeOS, but that might be usable on other platforms as
well.

Don't know for pass, but keepassxc doesn't rely on managers and erases
the clipboard itself after its timeout

I mean clipboard sniffing

./clipnotify -s clipboard && xclip -selection clipboard -o |
   tee -a /tmp/pw.txt

where clipnotify is a tool to wait for clipboard changes:
https://github.com/cdown/clipnotify
The command above fetches the clipboard content immediately when KeePassXC puts a password into the clipboard. The timeout does not help.

In Wayland, applications need permission to access the clipboard.

In KDE, klipper is enabled by default and clipboard history is saved to a file. There are a number of other clipboard managers.

For web pages there was an intention to allow actions in response to changes of clipboard content:
https://w3c.github.io/clipboard-apis/#clipboard-event-clipboardchange

KeePassXC does not erase the password immediately after the clipboard content is obtained. However, that would be a rather minor improvement. Even if the clipboard is cleared after first use, a sniffer may put the content back to allow the user to paste the password.
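
A way to check the Chromium keyring point from the start of this message on a given profile, as an added example that is not part of the original post: it counts cookie rows by how they are protected at rest. It assumes Chromium's Linux convention of tagging stored values with a v10 prefix (built-in fixed key, used when no keyring is available) or a v11 prefix (key held by a Secret Service or KWallet keyring); the function names and the sample rows are constructed for illustration.

```python
import sqlite3
from collections import Counter

# Assumed Chromium-on-Linux convention: stored blobs start with a 3-byte tag.
PREFIX_MEANING = {
    b"v11": "keyring",    # key fetched from Secret Service / KWallet
    b"v10": "fixed-key",  # built-in key, used when no keyring backend exists
}

def classify(value, encrypted_value):
    """Return how one cookie row is protected at rest."""
    blob = bytes(encrypted_value or b"")
    if blob:
        return PREFIX_MEANING.get(blob[:3], "unknown")
    return "plaintext" if value else "empty"

def audit_cookie_db(conn):
    """Count rows per protection class in a Chromium-style cookies table."""
    rows = conn.execute("SELECT value, encrypted_value FROM cookies")
    return Counter(classify(v, ev) for v, ev in rows)

def build_sample_db():
    """Constructed in-memory stand-in for a profile's Cookies file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies "
        "(host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB)"
    )
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", [
        ("example.org", "sid", "", b"v11" + bytes(16)),
        ("example.org", "pref", "", b"v11" + bytes(32)),
        ("example.net", "sid", "", b"v10" + bytes(16)),
        ("example.com", "lang", "en", b""),
    ])
    return conn

if __name__ == "__main__":
    # For a real profile, work on a copy of the Cookies file opened read-only:
    # sqlite3.connect("file:/path/to/copy/Cookies?mode=ro", uri=True)
    report = audit_cookie_db(build_sample_db())
    for kind, count in sorted(report.items()):
        print(f"{kind:10} {count}")
    if report["fixed-key"] or report["plaintext"]:
        print("some cookies are not protected by a keyring-held key")
```

Rows reported as fixed-key or plaintext indicate the browser was run without a usable keyring, so starting it with gnome-keyring, kwallet or KeePassXC's Secret Service integration active is the thing to verify.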

