Clipboard - Any way to ensure that it's encrypted and not being spoofed or sniffed?

Anonymous
2024-05-31T15:36:56+00:00

One common thing is pasting passwords from the clipboard. Over time, we have become accustomed to using password management tools to store our passwords. LastPass, OnePass, or Browser, all store passwords in some way. Then we go to them, copy them to the clipboard, then paste. Sometimes we allow the browser to "cache" these items, but that leaves them open to tools like NIRSoft's password validator which can export passwords from a browser to a text file. One way to prevent this is to create an internet key exchange between the browser library storing the pw and the field that the pw is being passed to. This would prevent us from ever posting the cleartext password on the clipboard, while still allowing a key to unlock the field that the pw provides. It can present the pw but that field, be locked by the OS - as targed attribute with a specialized condition.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


4 answers

  1. Rob Koch 25,755 Reputation points Volunteer Moderator
    2024-05-31T21:22:55+00:00

    You're trying to fix a completely broken system, since passwords are inherently able to be captured, phished, breached and from the user's standpoint, easily forgotten. They're useless and all of the major security-focused organizations like Microsoft, Apple, Google, financial institutions, government and others too numerous to list have known it for decades.

    That's why all of these organizations got together and created an entirely new authentication system based on a Public Key Infrastructure that instead uses something called Passkeys that can simply be handed over to anyone, because they're useless except on the device where they were created and the Private key used to create them is stored in an encrypted, usually secure storage location like a TPM or similar.

    Passkeys overview - Microsoft Support

    They work already in certain scenarios and for a few major websites, but the effort right now is going into simplifying the interfaces and shaking out the bugs that affect certain cross-platform usage scenarios.

    That's where Microsoft and others are putting their effort, since it's a system that resolves most of the password's failings, is inherently more secure and doesn't require the user to remember much of anything. Which do you think is truly worth the effort?

    The password is dead, it'll just take a few years to bury it completely.

    Rob

    2 people found this answer helpful.
  2. Anonymous
    2024-08-10T02:59:31+00:00

    Mmmm, I do wonder if an encrypted clipboard may be more secure than an unencrypted one. For example the private key could be securely stored somewhere, and say if a key logger is active on a system, a copy paste function would result in a hash being stored and then dumped to a field, versus say typing it in. Obviously if the private key is hijacked this whole thing is pointless, but it might marginally improve security. The private key could be either secured by password, or on another device.

    1 person found this answer helpful.
  3. Anonymous
    2024-05-31T19:57:25+00:00

    No, I would not want to be asked for a decryption key in the future. What I would prefer is a self-enrolling system that self-maintains security so that the passwords, once enrolled and stored in the password wallet, are no longer visible by a person unless needed. Hand the password encrypted to the password form, without needing to unmask. Normally, persons are getting used to copying the password to the clipboard first, then pasting it to the website. There are new emerging threats in the form of malware that are watching the clipboard for these passwords. This means every time you are cutting and pasting a password to type it out of a wallet you are putting yourself at risk of data exposure.

    Post-infection forensics is very expensive. This addresses multiple problems here.

    Have a person who has an Amazon password, for example, enroll their browser as an authorized OTP-enrolled browser that can self-authenticate as necessary. This no longer needs a password to access Amazon, and it can send an OTP to a mobile device to confirm, never exposing the Amazon password to anything. Similar to blockchain.

    What do you think?

  4. Anonymous
    2024-05-31T17:32:11+00:00

    The clipboard is not encrypted. Encrypting and decrypting every time you copy and paste would slow down the process. And do you really want to be asked to submit the decryption password every time you paste something?

    Now let's think about this from an attacker's perspective. Considering that there are so many easier ways to attack your computer, why would an attacker risk getting caught by trying to read your clipboard? And if an attacker has successfully breached your computer, there are much better and more productive things to do with it.

    If you're still worried that an attacker might go after your clipboard, here's a simpler solution:

    Start > Settings > System > Clipboard > Clipboard history > Off

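A scriptable equivalent of the Settings path in the last answer, as an added example that is not part of the thread: it reads the per-user clipboard history value and the two related Group Policy values, then turns history off for the current user. The function names are hypothetical helpers; the registry paths and value names are the ones Windows uses for this toggle and for the "Allow Clipboard History" and cross-device sync policies.

```powershell
# Added example (not from the thread): audit clipboard history, then disable it
# for the current user. Run in the user's own session; no elevation is needed
# because only HKCU is written.
$UserKey   = 'HKCU:\Software\Microsoft\Clipboard'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value does not exist (the setting was never written).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-ClipboardHistoryState {
    $user   = Get-RegDword $UserKey   'EnableClipboardHistory'
    $policy = Get-RegDword $PolicyKey 'AllowClipboardHistory'
    $sync   = Get-RegDword $PolicyKey 'AllowCrossDeviceClipboard'
    [pscustomobject]@{
        UserToggle       = if ($null -eq $user)   { 'NotSet' }        else { $user }
        HistoryPolicy    = if ($null -eq $policy) { 'NotConfigured' } else { $policy }
        SyncPolicy       = if ($null -eq $sync)   { 'NotConfigured' } else { $sync }
        # History is active only when the user toggle is 1 and policy does not forbid it.
        HistoryEffective = ($user -eq 1) -and ($policy -ne 0)
    }
}

function Disable-ClipboardHistory {
    # Same per-user value the Settings toggle controls; create the key if it is missing.
    if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey -Force | Out-Null }
    Set-ItemProperty -Path $UserKey -Name 'EnableClipboardHistory' -Value 0 -Type DWord
}

Get-ClipboardHistoryState | Format-List   # state before the change
Disable-ClipboardHistory
Get-ClipboardHistoryState | Format-List   # HistoryEffective should now be False
```

This removes the stored history only; any process running in the user's session can still read the current clipboard contents at the moment of a copy.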