Clipboard Security

Hi

I have discovered a number of threads on the following topic in this community but none of those that I have come across have provided me with a satisfactory answer, hence my own post on the subject.

I’ve spent a considerable amount of time researching and testing various password managers recently and had almost settled on BitWarden (BW) as my preferred option but at the eleventh hour I was alarmed to discover that when using the copy/paste password option in BW the copied items remain visible in the clipboard history even after the configured ‘Clear Clipboard’ period has elapsed.

I use Windows 10 on my laptop and Android 11 with Microsoft Swiftkey on my smartphone. I do not have Windows clipboard history enabled on my laptop (but if I do activate it any copied passwords remain visible until manually cleared or overwritten when the clipboard reaches capacity) but I cannot find a way of preventing Android/Microsoft Swiftkey from retaining multiple clipboard items, including any passwords that may have been copied from BW.

Unless I’m missing something really obvious, this seems like a significant security risk for a solution that is supposed to tighten up a user’s digital security.

I suspect the response to this will be to avoid using copy/paste for login credentials and instead rely on autofill or typed entry, which is fine, but I guess my overriding question is why is copy/paste available as an option when it seems to be inherently insecure?

I must point out that BW is not the only password manager that I have experienced this ‘flaw’ with, but at the same time there do appear to be some options out there that seem to have implemented a solution to this issue.

Does anyone know if there any plans for this aspect of BW to be improved at all in the near future, please, because if not I think I’ll have to opt for another password manager that does seem to have this covered?

Thanks.

4 Likes

I don’t see it as an issue with Bitwarden at all. It’s just the nature of the copy/paste function across various operating systems. Obviously, anything you copy to the clipboard will be copied in plain text. If your OS, keyboard app, etc. has some sort of clipboard history function that you can’t disable, and you don’t want your passwords to appear in that history, then you just have to avoid copying credentials to the clipboard.

I’m surprised you can’t disable the clipboard history facility in SwiftKey. I don’t use it myself, so I don’t know if it allows you to disable it or not. Seems like something they should give people the option to switch on or off. Perhaps try another keyboard to see if the issue is with Android itself or the SwiftKey keyboard.

Out of interest, you mentioned that some other password managers have a solution to this issue. What sort of solutions have you found?

2 Likes

Thanks for taking the time to offer your thoughts.

My comments were not intending to be specifically critical of Bitwarden because I really do like the tool and I’m aware that clipboard exposure is a common security issue. However, given the nature of these tools and the fact that some developers seem to have resolved this issue, I’m just surprised that it’s not near the top of the priority list for those who haven’t.

From what I can tell, KeePass, 1Password and Enpass do seem to have developed some way of keeping copied credentials away from the clipboard.

2 Likes

The Windows 10 clipboard isn’t secure. The text copied to your clipboard is stored in plain-text format.

Hello Mr Windows User

I am a Linux user and I also have the same concerns and issues. I have enabled BW to clear the clipboard after 30 seconds, and of course it does not. Same exact issue. I keep clipman (clip manager for Linux) running as a taskbar icon and I can quickly clear the clipboard history.

A popular search result will give you some better insights into clipboard vulnerability:

Also, here is a quick Bitwarden article on using autofill for passwords that avoids the copy/paste shuffle, but it only seems to apply if you’re using the browser plugin or phone app.
https://bitwarden.com/help/article/auto-fill-browser/#keyboard-shortcuts-hot-keys

In the end I will admit I have not found a reasonable solution myself. For me though, at some point I have to make a choice and run with it. Since I am a Linux user I am conditioned by default to less than polished, perfect software and have adapted to work around minor issues of inconvenience. I am also an ardent believer in Open Source software, so for me Bitwarden gets my vote.

While the copy/paste clipboard thing is a minor issue, I have faith in my desktop’s security and in Google Chrome’s security. If I can manually copy/paste a password, I can just as quickly clear it from the clipboard.

Ultimately, when you look at the overall security of Bitwarden, it’s a wise choice. It has top grade 256 AES encryption, and it is non-custodial. Even if BW servers got hacked, they’d get nothing; they don’t keep your vault passwords, that is completely in your hands. That is a huge security bonus that outweighs any minor risk from a clipboard manager hack (which I have not even heard of happening, so really it’s kind of a paper tiger).

Cheers!

With all that said, I do implore Bitwarden to clean up the code in regards to clearing the clipboard. If you have a setting that claims to clear the clipboard, then make that happen. Otherwise it looks like software that is released without actual functionality, so let’s make it happen!

2 Likes

I’m happy to be corrected on this, but I think the “clear clipboard” option is linked to the automatic copy of TOTP codes to the clipboard, not just a general wiping of whatever is on the clipboard every thirty seconds.

Thank you, but I think that’s kind of my point.

These tools handle highly sensitive information but enable/encourage users to copy to clipboard.

Hi robster

Thank you for taking the time to offer such a comprehensive response.

I think the above statement from yourself hits the nail on the head for me. When I see the clipboard clearing settings in the UI I take them at face value, i.e. nothing will remain in the clipboard beyond the configured period, and I only discovered that this isn’t the case by accident.

If BW is not going to be developed to handle copied credentials in a more secure manner, perhaps the wording on those settings could be changed to be more explicit.

The Clear Clipboard feature seems to work as intended for me, and I cannot seem to replicate this issue in any Bitwarden app/client on Windows, MacOS, Linux, or Android. Can someone provide specific clients, OS, steps, etc. to replicate the issue?

Note that if you have installed an app that records your clip history, Bitwarden does not claim to clear that, nor could it. SwiftKey on Android is a good example of this - you must disable the Remember Copied Items feature to prevent it from storing items.

1 Like

In Windows it just adds a blank paste into the history. Press Win+V and you’ll see your password in the history (you may need to enable it first).

See my post above - Bitwarden makes no claims about clearing the historical contents of your clipbook. Don’t use clipbook apps that copy the clipboard content into a running history if you see this as a security issue - this is true for most password managers.

1 Like

Sorry, you asked how to replicate it, so I just gave you the method quickly for the Windows 10 aspect of the thread.

The problem with disabling the history is with the productivity benefits the clipboard history gives to the users. After using the Windows one for around 4 years now, I can’t imagine not having it. Just typing out commands into PowerShell from a data dump is so much easier with the history as there’s less flicking between monitors and open programs.

Like Robster and WinBW have said, I think it’s the wording of it that causes the misconception. “Clear Clipboard” to me would mean deleting the entry so it’s no longer an item in the clipboard history, especially for Windows and Mac, which have it built into the OS - not separate apps like SwiftKey or Flycut are. The history functionality in these operating systems has been around long enough for this to be the default assumption for myself and the others that have raised it here and on GitHub. Perhaps adding a warning alongside the option that it cannot clear the history would at least warn users that use histories, rather than them believing it to be a bug or issue with their setup?

It’s already being tracked in GitHub so hopefully once the browsers support it after the experimental stage it can be possible :crossed_fingers: (Issue #557)

In terms of the SwiftKey clipboard history, it can be turned off under Rich Input > Clipboard, although this may not be a viable solution for everybody. I don’t know if it would be possible or feasible to clear third party app histories.


2 Likes

No problem, Danny - I wondered if some posts in this thread were about clearing the clipboard history (in apps or opt-in features, such as the Windows clipboard history applet) rather than clearing the current clipboard contents. Obviously, these are different things, and Bitwarden only takes care of the latter.

From what you have said, it sounds like a method to clear an os-level clipboard history is being investigated, and I hope it works out.

In the meantime, I hope everyone reading this thread in the future realizes the risk of enabling clipboard histories when using copy-and-paste operations with password managers.

1 Like

A workaround I developed on Android involves using MacroDroid to push a random string of characters to the clipboard every X minutes. I also put in a repeat loop so that it pushes 20 times to make sure the entire clipboard history has dummy data in it.

The Clear Clipboard option exists in the browser plugin options (not in the vault options at vault.bitwarden.com). If I use the browser extension copy icon to copy a password, it is indeed cleared from my clipboard after the specified period (I cannot paste it into any application after that period). But if I copy in any other manner/context (such as from my vault) then nothing is cleared…

…Personally I never expected it to be cleared in that scenario, for two reasons:

  1. there is no “clear clipboard” option anywhere when accessing the vault through vault.bitwarden.com. It follows a pattern where many of the security options in the vault are separate/independent from the extension (such as for automatic timeout resulting in locking or logout).
  2. it doesn’t seem reasonable to me to expect that a browser plugin would be doing some continuous service of clearing the clipboard in the background even when the extension has not recently been in use.

Regardless of what might seem reasonable, I’m curious - Is your behavior different than I described in my first paragraph?

I do find it unfortunate that Windows 10 doesn’t provide any convenient shortcut to clear the clipboard. If you enable the clipboard history then ctl-v pulls up some tools to clear it, but I prefer not to enable it because that increases vulnerability if I forget to clear it. Without clipboard history, the only way to clear the clipboard is to copy something else, I think.

Samsung Galaxy has a huge security flaw where all copied items (like passwords from Bitwarden) get saved in the clipboard history. The Bitwarden clear clipboard option only adds a new blank entry to the history.

1 Like

This tends to be the same if you have Windows Clipboard history turned on as well, just how each clipboard program saves.
Personally having any part of my clipboard being sent to the “cloud” and not locally would be a concern for me, as well as anything where this cannot be set to clear after so long.

There is a relevant Reddit post I found regarding this issue.

On macOS, Enpass has a mechanism to make the copied password invisible to other clipboard “monitors” (you can still paste it during a limited time, which is set in preferences). It would be great if BW implemented this; I’m gonna switch to BW once it is implemented.

I was curious about the above claim, so I dug into it a bit, and found this information in a post on the Enpass support forum:

On macOS, Enpass copies data to the clipboard with a flag (org.nspasteboard.TransientType) that the data should not be recorded in pasteboard history due to the sensitive nature of the data. Only the clipboard managers that are not supporting this flag or are configured to ignore this will save data to their history.

The same discussion also includes a suggestion to use the flag org.nspasteboard.ConcealedType instead.

Neither of these flags would stop malware from accessing the clipboard, but it may prevent accidental leaks by users who use clipboard manager apps.
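To make the convention concrete, here is an added example (my own illustration, not Enpass’s or Bitwarden’s code) of both sides of it on macOS: the writer puts the secret on the general pasteboard together with the org.nspasteboard.TransientType and org.nspasteboard.ConcealedType marker types, and a cooperating clipboard-history app checks for those types before recording anything. It assumes a Swift command-line program linked against AppKit; the secret value is constructed for the demo.

```swift
import AppKit

// The two marker pasteboard types discussed above. They carry no useful payload;
// their presence is the signal that a history app should not record this item.
let transientType = NSPasteboard.PasteboardType("org.nspasteboard.TransientType")
let concealedType = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")

/// Writer side (what a password manager would do): replace the pasteboard
/// contents with the secret plus both marker types in a single write.
func copySecret(_ secret: String) {
    let pb = NSPasteboard.general
    pb.clearContents()
    pb.setString(secret, forType: .string)
    pb.setString("", forType: transientType)
    pb.setString("", forType: concealedType)
}

/// Reader side (what a well-behaved clipboard-history app would do): look at
/// the declared types before touching the text. Returns nil when the current
/// contents are flagged and must be left out of the history.
func recordableClipboardText() -> String? {
    let pb = NSPasteboard.general
    let types = pb.types ?? []
    if types.contains(transientType) || types.contains(concealedType) {
        return nil
    }
    return pb.string(forType: .string)
}

// Demo with a constructed secret: the flagged item is pasteable by the user
// (the string type is still there) but is skipped by the history logic above.
copySecret("correct-horse-battery-staple")  // constructed sample value
print(recordableClipboardText() == nil ? "skipped (flagged as secret)" : "recorded")
```

Because the markers are only a convention, a history app that never checks for them, or any process that reads the pasteboard directly, still sees the plain string; the flags reduce accidental retention, not deliberate access.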

There has been a discussion on GitHub since 2018, but we might have to wait for another “4 years”!! :sweat_smile:

Pasteboard type · Issue #2633 · bitwarden/clients · GitHub

1 Like