
hajime

macrumors 604
Original poster
Jul 23, 2007
7,922
1,311
Hi, some users just copy and paste long passwords. This creates a security risk since the clipboard is involved. Has Apple done anything that eliminates this risk?

If we create passwords using Apple's method and use TouchID, can the security risk be eliminated? I don't have a Silicon Mac with me. If I recall correctly, sometimes macOS creates suggested passwords and stores them in keychain that require TouchID to access?
 

kitKAC

macrumors 6502a
Feb 26, 2022
883
854
The risk is minimal; a trojan monitoring the clipboard would have to see someone copying the URL, username and password into the clipboard for there to be any risk. 1Password itself uses the clipboard to transfer data and clears the clipboard after 90 seconds.

Passwords saved into the Keychain can be unlocked using the system password or paired Apple Watch.
 
  • Like
Reactions: CalMin

hajime

macrumors 604
Original poster
Jul 23, 2007
7,922
1,311
Is it more secure than Windows?

Is there any password manager that does not use clipboard?
 

posguy99

macrumors 68020
Nov 3, 2004
2,284
1,531
Hi, some users just copy and paste long passwords. This creates a security risk since the clipboard is involved. Has Apple done anything that eliminates this risk?
It's text. Just text. It's context that makes it a password. How is anything Apple does supposed to make that more or less secure?

Apple is pushing Passkeys. Maybe that's what you're looking for.
 
  • Like
Reactions: kitKAC

Gudi

Suspended
May 3, 2013
4,590
3,267
Berlin, Berlin
You can't eliminate stupid behaviour. But on a Mac with TouchID you only use your login password once after boot up and from there on everything is confirmed by fingerprint. I don't even know my passwords, let alone copy them into clipboard.
 

satcomer

Suspended
Feb 19, 2008
9,115
1,977
The Finger Lakes Region
You can't eliminate stupid behaviour. But on a Mac with TouchID you only use your login password once after boot up and from there on everything is confirmed by fingerprint. I don't even know my passwords, let alone copy them into clipboard.

You don't know your own user password? Did you inherit the Mac or steal it?
 

mcnallym

macrumors 65816
Oct 28, 2008
1,210
938
You can't eliminate stupid behaviour. But on a Mac with TouchID you only use your login password once after boot up and from there on everything is confirmed by fingerprint. I don't even know my passwords, let alone copy them into clipboard.

You don't know your own user password? Did you inherit the Mac or steal it?
But on a Mac with TouchID you only use your login password once after boot up and from there on everything is confirmed by fingerprint.

indicates they know the user password, as they enter it once to activate Touch ID.
 

Gudi

Suspended
May 3, 2013
4,590
3,267
Berlin, Berlin
You don't know your own user password? Did you inherit the Mac or steal it?
You don’t need to know your password, only where to find it. You can use the ISBN of your favorite book and grab it when you need it. Even if you lose the book, you can google it and find your password on Amazon, hidden in plain sight.

PS: Or you can invent your own fancy password, write it down on a post-it and glue it to the computer monitor to not forget it, like my father. 🖥️🩹🏷️✍️
 

galad

macrumors 6502a
Apr 22, 2022
611
492
Keychains and password managers with browser integration don't use the clipboard at all to insert the password.
 

hajime

macrumors 604
Original poster
Jul 23, 2007
7,922
1,311
I tried to use TouchID on a new Mini yesterday. On the same website, sometimes I could use TouchID to enter userid and password but sometimes even putting my finger on the sensor did not activate Apple's Password. I had to open Password from the Settings and then copy and paste such login information. What went wrong?
 

hajime

macrumors 604
Original poster
Jul 23, 2007
7,922
1,311
Ah, if the only place you ever had to insert a password was in a browser window...

I am not sure if we are talking about the same thing.

Yes, one time the page just provided the password field and asked me to enter the password to verify I am who I am. In that case, TouchID was not available and I had to copy and paste.
 

DeltaMac

macrumors G5
Jul 30, 2003
13,757
4,583
Delaware
So you are saying that your only choice was to use the clipboard?
"copy and paste" is usually just a time-saver, and not a required task, assuming that you can see the actual password, and type that on your own - no "copy and paste" necessary.
 
  • Like
Reactions: MacCheetah3

ericwn

macrumors G5
Apr 24, 2016
12,118
10,908
Is it more secure than Windows?

Is there any password manager that does not use clipboard?
A pw manager with a native app like a browser extension will interface with the apps directly and not use clipboard.
 

hajime

macrumors 604
Original poster
Jul 23, 2007
7,922
1,311
So you are saying that your only choice was to use the clipboard?
"copy and paste" is usually just a time-saver, and not a required task, assuming that you can see the actual password, and type that on your own - no "copy and paste" necessary.

It is impractical to remember or type my password.
 

DeltaMac

macrumors G5
Jul 30, 2003
13,757
4,583
Delaware
Then... have Safari remember your passwords.
Works pretty good, and, of course, the built-in password storage doesn't use the clipboard to enter the passwords.
 
  • Like
Reactions: MacCheetah3

Big Bad D

macrumors 6502a
Jan 3, 2007
533
570
France
It is impractical to remember or type my password.
For the occasional times I need to enter a password into a non-browser app that does not directly allow entry from my password manager, then I use copy and paste. But the password manager I use makes the copied password only available for a limited time. I don't see any real security concern.
 

posguy99

macrumors 68020
Nov 3, 2004
2,284
1,531
Yes, one time the page just provided the password field and asked me to enter the password to verify I am who I am. In that case, TouchID was not available and I had to copy and paste.
Not everyone only puts passwords into web pages.
 