We don’t want our master password to stay in RAM longer than needed, do we?
Could check if the clipboard content is the actual master password before wiping, in case it was typed in but also stored in the clipboard.
Why would the master password be stored in the clipboard?
Because it’s 90 bits of random entropy, which I store in an offline password manager, and I’m not going to type it in.
Interesting. FYI, you really only need around 50 bits of entropy to make an uncrackable master password (e.g., a random, 4-word passphrase).
Second question is, why are you logging out and logging in so frequently that clearing the clipboard manually is a chore for you?
One could argue that a rememberable password is weaker, since someone could shoulder surf. But our threat levels can be different.
That’s the point: I only need to log in when the browser crashes, so I use the clipboard and forget to clear it afterwards, and if I’m unlucky I will paste my password into a website/chat/live Zoom call later. Why would you trust a human with a chore?
If Bitwarden knows that the clipboard content was meant for itself (login success), then it could block that information from being used by anyone else. Anyway, it could be an option for others if it’s causing a problem.
Why not configure your offline password manager to clear the clipboard? Surely it’s capable of doing that, since it knows that a password was copied…
Because some people might store it in a different way, or not have that option.
Why not make it secure out of the box for everyone by adding 3 more lines of code?
With all these data breaches going on one cannot be paranoid enough.
Different from what?
Exactly. So ask developers of that password manager to add it.
BitWarden is an open source project with source code available on GitHub. If it’s as simple as you say it is, add those 3 lines and submit a PR to get it merged.
If this is your threat model then don’t use clipboard to enter your master password at all.
But yes, one can be too paranoid and start being afraid of their own shadow and exercise in security theater.
Here is a simpler take.
I’m not familiar with the code base, but it shouldn’t be harder than

```
onLoginEvent:
    if clipboard == masterPassword:
        clipboard.clear()
```
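The sketch above glosses over two things a practitioner would want handled: the comparison should not require keeping the plaintext master password around after the unlock, and it should not leak anything through timing. The following is an added example written for this thread; it is not Bitwarden code and does not use Bitwarden's actual clipboard or unlock hooks. The `Clipboard` interface, the `FakeClipboard` stand-in, and the `unlockAndScrubClipboard` flow are assumptions made so the logic runs offline in plain TypeScript on Node.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Clipboard abstraction so the logic runs offline; a real extension would
// back this with navigator.clipboard or the browser clipboard APIs (assumption).
export interface Clipboard {
  readText(): string;
  writeText(text: string): void;
}

// In-memory stand-in for the system clipboard (constructed for this example).
export class FakeClipboard implements Clipboard {
  constructor(private contents = "") {}
  readText(): string { return this.contents; }
  writeText(text: string): void { this.contents = text; }
}

// Per-session random key: the stored fingerprint is only meaningful inside this
// process, so a memory dump of it cannot be brute-forced offline like a bare hash.
export function newSessionKey(): Buffer {
  return randomBytes(32);
}

// Keyed fingerprint of a secret. Taken once at unlock time so the plaintext
// master password does not have to be retained for the later comparison.
export function fingerprint(secret: string, sessionKey: Buffer): Buffer {
  return createHmac("sha256", sessionKey).update(secret, "utf8").digest();
}

// The "onLoginEvent" hook from the post: after a successful unlock, clear the
// clipboard only if it holds exactly the master password. Returns true if cleared.
export function clearClipboardIfMasterPassword(
  clipboard: Clipboard,
  masterPasswordFingerprint: Buffer,
  sessionKey: Buffer,
): boolean {
  const clip = clipboard.readText();
  if (clip.length === 0) {
    return false; // nothing to do; an empty clipboard is never the password
  }
  const clipFingerprint = fingerprint(clip, sessionKey);
  // Both digests are 32 bytes, so timingSafeEqual is valid here; it avoids
  // leaking how many leading bytes matched through comparison timing.
  if (timingSafeEqual(clipFingerprint, masterPasswordFingerprint)) {
    clipboard.writeText("");
    return true;
  }
  return false;
}

// End-to-end flow for one unlock (hypothetical): fingerprint the typed password,
// stop referencing the plaintext, then run the post-login clipboard check.
export function unlockAndScrubClipboard(typedMasterPassword: string, clipboard: Clipboard): boolean {
  const sessionKey = newSessionKey();
  const fp = fingerprint(typedMasterPassword, sessionKey);
  // ... the real unlock (key derivation, vault decryption) would happen here ...
  return clearClipboardIfMasterPassword(clipboard, fp, sessionKey);
}
```

Two caveats worth knowing before proposing this upstream. JavaScript strings are immutable and cannot be zeroed, so the realistic goal in a browser extension is to stop holding references to the plaintext as early as possible, not to wipe RAM. And the match is exact: a password copied with a trailing newline will not be cleared, which is a deliberate choice here, since trimming or normalising the clipboard contents before comparing widens what the code treats as "the password".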