Re: Password managers

To: debian-user@lists.debian.org
Subject: Re: Password managers
From: Max Nikulin <manikulin@gmail.com>
Date: Thu, 16 Nov 2023 00:20:05 +0700
Message-id: <[🔎] uj2uk7$kjk$1@ciao.gmane.io>
In-reply-to: <[🔎] 87jzqjwh6r.fsf@free.fr>
References: <[🔎] 20231109110553.10261d32@yosemite.mars.lan> <[🔎] 87msvmlvox.fsf@sugarbit.com> <[🔎] 20231113215817.34cdb895@yosemite.mars.lan> <[🔎] uj07r3$cdv$1@ciao.gmane.io> <[🔎] sm0a5rgummn.fsf@lakka.kapsi.fi> <[🔎] uj1apu$7hk$1@ciao.gmane.io> <[🔎] 87jzqjwh6r.fsf@free.fr>

On 15/11/2023 15:40, Michel Verdier wrote:

On 2023-11-15, Max Nikulin wrote:

For Chromium it is better to have a password manager
(gnome-keyring/kwallet/keepassxc/etc.) with D-Bus interface. It needs
a key to encrypt passwords saved in browser and likely cookie store.
Encryption is not applied otherwise.

What about Firefox then? Does it work with password managers with a
D-Bus interface?


keepassxc has a plugin for firefox

Browser extension should be a significantly better option than usingclipboard for passwords for various sites. (I hope, it is properlyimplemented.) I am unsure if it works for mozilla accounts since add-onsare not allowed to interact with some mozilla sites.

As to D-Bus Secret Storage API, Chrome has no master password dialog, itcan use only user keyring. Firefox has its own dialog but does notsupport getting it through D-Bus. Both browsers have their own storagesfor site passwords. KeePassXC declares support of Secret Storage API, soit should be suitable for storing of Chrome master key. Certainly usersmay choose to keep their passwords for sites in KeePassXC, not inbrowser-specific storage.

Firefox stores cookies (and so authentication tokens for active logins)without encryption:

https://bugzilla.mozilla.org/show_bug.cgi?id=56788
and a number of duplicates.

Pass(1) sets a timer and removes the password from the clipboard after
that time has expired.


I am unsure if listening for clipboard change events is currently implemented
in browsers. Such feature defeats timeouts. Its fair use is clipboard managers
specifically for ChromeOS, but that might be usable on other platforms as
well.


don't know for pass, but keepassxc don't rely on managers and erase
the clipboard itself after its timeout


I mean clipboard sniffing

./clipnotify -s clipboard && xclip -selection clipboard -o |
   tee -a /tmp/pw.txt

where clipnotify is a tool to wait for clipboard changes:
https://github.com/cdown/clipnotify

The command above fetches clipboard content immediately when KeePassXCputs a password into clipboard. Timeout does not help.


In Wayland applications needs a permission to access clipboard.

In KDE klipper is enabled by default and clipboard history is saved to afile. There is a number of other clipboard managers.

For web pages there was intention to allow actions in response tochanges of clipboard content:

https://w3c.github.io/clipboard-apis/#clipboard-event-clipboardchange

KeePassXC does not erase password immediately after clipboard content isobtained. However it would be rather minor improvement. Even ifclipboard is cleared after first use, a sniffer may put content back toallow user to paste password.

Reply to:

References:
- Password managers
  - From: <paulf@quillandmouse.com>
- Re: Password managers
  - From: John Hasler <john@sugarbit.com>
- Re: Password managers
  - From: <paulf@quillandmouse.com>
- Re: Password managers
  - From: Max Nikulin <manikulin@gmail.com>
- Re: Password managers
  - From: Anssi Saari <anssi.saari@debian-user.mail.kapsi.fi>
- Re: Password managers
  - From: Max Nikulin <manikulin@gmail.com>
- Re: Password managers
  - From: Michel Verdier <mv524@free.fr>

Prev by Date: Re: Why is bullseye-backports recommended on bookworm?
Next by Date: Re: Why is bullseye-backports recommended on bookworm?
Previous by thread: Re: Password managers
Next by thread: Re: Password managers
Index(es):
- Date
- Thread