Methods for transferring passwords to the target application

Hello everyone. I’m new to the forum. I’d like to ask you to share your thoughts on a topic I’ve been researching for a while. When transferring passwords from the password manager application to the password fill field in the target application, methods such as using a clipboard, using the click-to-fill method with a password manager browser extension, or manually typing the password after displaying it on the screen are all possible. Each has its own unique threat profile and should be evaluated based on the individual threat model.

Using a clipboard is particularly unsafe from a security perspective on Windows or Linux systems running the X11 Protocol. Whether malicious or not, any application can monitor the clipboard through simple API calls. This is arguably the highest threat level password transfer method. Furthermore, a malicious JavaScript script on a website could listen to copied text with the paste event.

Using the click-to-fill method with Password Manager Browser Extensions is generally more secure because it doesn’t use the clipboard. However, factors such as XSS vulnerabilities and clickjacking attacks reported in the past raise questions about the security of add-ons due to the general security weaknesses of browsers. Furthermore, because add-ons represent an additional layer of software, they are more susceptible to supply-chain risks, albeit very unlikely.

The final and most tedious method is to observe the passwords on the screen and manually type them into the appropriate field in the target window. This is vulnerable to screen capturing or keylogger attacks.

Another method not mentioned here is the autotype method, but this is not supported by every password manager and cannot be used in a Wayland environment. I am looking for a common solution for both Linux systems running the Wayland protocol and Windows systems.

Regarding the threat model, I intend to create a low threat surface for any user. Regardless of my personal needs, I’m curious about what users with a high threat model should use and am conducting research on this. Could you please help me with your knowledge? Which method do you find more secure? Thank you very much.

My personal thoughts might derail the whole conversation:

The best method of all the presented is always the most convenient.

  • For the Web Browser, the extension with click-to-fill is the best. It’s the fastest and it tells you if you are on the correct website and not a fake.
  • For every other application, the best method would be auto-type, but if it does not work (Wayland), copy & paste is the best method.
  • Typing is only needed if you do not have your password manager on your target device, like when you log in to Netflix on a Smart TV.

Here is my reasoning:

Security is not just about technical stuff. Much of it depends on the human factor. Having 30 character long, unique, randomly generated passwords for every service is good practice, but those passwords are a pain to type.

Not staying logged in to a website reduces the risk of session hijacking, but logging in is extra work.

Having good security practices and sticking to them is extremely valuable. Too often people undermine their own security because the workflows are too much of a hassle. Maximizing everyday convenience helps a lot here.

All the weaknesses discussed in your research are weaknesses inherent to passwords. You can reduce those risks by using TOTP 2FA or Passkeys for most accounts. Your most critical accounts (Password Manager and Everything-Accounts like Google Account, Apple Account, Microsoft Account) should be protected with FIDO2/Webauthn 2FA (a hardware key).

As soon as an attacker gets access to your computer that is equivalent to your own - aka you’ve got malware installed - you have basically lost the game. The only thing that can still be protected in such a case are your hardware keys. But as soon as you log in to a service protected by a hardware key, your session can be hijacked. - Sandboxing helps by reducing the reach of potential malware. How effective that is depends on the methods your operating system uses.

So there are technical methods to improve security and they should be utilized when available. But I’m convinced day-by-day convenience is an important part of security and you should optimize for that too. Only if you can work as fast or even faster while sticking to good security practices does it become sustainable. Choosing inconvenience because it might be more secure in a particular scenario or would mitigate a certain risk is a fool’s errand in my opinion.


Thank you so much for your response. With the development of biometric authentication, living in a password-free world in the future would greatly increase security. Passwords certainly have a much larger threat surface than some alternative login methods. I’ve personally been entering passwords manually for a long time in applications other than the browser because I believe copying and pasting is risky. Besides being quite cumbersome, I wonder if this actually creates more risk. The clipboard has never felt like a safe place to store passwords, even with the “delete after x seconds” setting. It’s probably something like, to quote a post I saw on a website, “the faster you pick up your sandwich after it falls on a dirty floor, the safer you can still eat it.”

It’s a pretty niche topic, as most digital attacks are caused by human error rather than a potential weakness in how you enter your password, but for a long time I didn’t know if I was doing something wrong by displaying the password on the screen instead of using the clipboard. As you said, security should ensure sustainability, but there are certainly certain scenarios where people compromise security for ease of use. It was very helpful to hear someone else’s perspective on this. Thanks again.

I struggle to understand the notion that “if your computer is infected, it’s all over.” Of course, the things people use to fool viruses, like using an on-screen keyboard or randomizing the sequence of characters in a password, are useless against advanced RATs that both listen to the keyboard and read the screen. But even if 80 out of 100 viruses are this advanced (and I don’t think there’s a large percentage of such advanced malware), wouldn’t taking precautions against the remaining 20 reduce the threat surface? Doesn’t thinking in terms of the worst-case scenario prevent us from taking precautions against less overkill possibilities? Isn’t cybersecurity built on minimizing risk? Risk will always exist, but even after all the precautions have been taken, if a competent attacker can threaten us, we’re left to say, “Hats off!”

I’d expected a question like that. IT security is a little bit like fighting a war (maybe just a cold war): you have to pick your battles.

You can fret over how to stay safe while having malware on your device, but that’s the wrong battle to fight when you can choose. So instead you can put your effort into preventing malware from getting onto your device, how to detect malware as early as possible, and how to get rid of it as fast as possible and thoroughly.

You gave an example with the question “which password input method could be how vulnerable to a cross site scripting attack?”, which is the wrong approach in my opinion. The right questions would be “how can I check if the website I’m having an account on might be vulnerable to cross site scripting?”, “how do I report such a vulnerability to the website provider?”, “how do I make sure it’s fixed in the end?”, “how can I mitigate the risk with this vulnerable site in the meantime? - do I have to use it? can I use it within an isolated environment? …”

By picking your battles wisely you can improve your situation a lot.

The last part of the puzzle would be compartmentalization and backup strategies, but that’s too far off topic.

So I’d like to concentrate more on perspective now. Every attacker has limited resources to spend, a certain tolerance for risk and a limited set of capabilities. Also, every attacker works for a potential gain. Your job as a defender is to make yourself (and your zone of responsibility) into such a hard target that you are far outside the scope of every likely attacker.

For example:

A normal uninteresting person using a hardware key (FIDO2) for their Google account is far outside of the scope of many attackers. Phishing would not work. Stealing or guessing the password is a dead end, because without physical access to a hardware key it’s mostly worthless. Getting physical access would require a human spending much time on a single target and taking a high risk. The further away the target is from an attacker, the higher the cost (travel) and risk. So a remote attack is actually limited to getting info stealer malware on a target’s device to get a session cookie, and that’s a much more involved process.

So if you are an attacker and just trying to find a target, you will find soft targets enough: these are people who use the same password everywhere, who have weak passwords, who don’t use 2FA, who can’t read URLs and therefore can’t differentiate between “genuine-bank.com” and “genuine-bank-com.please-login.com”, who open links to genuine looking login pages in urgent sounding emails, who don’t report their mistakes and just hope no one noticed and nothing bad happens, and so on and on and on … - For the same potential reward, you don’t go for the hard targets, because those require more resources and heighten the risk you take, without giving you any benefits.
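The origin check behind the click-to-fill advantage mentioned earlier in the thread (the extension “tells you if you are on the correct website”), applied to the “genuine-bank.com” vs “genuine-bank-com.please-login.com” lookalike above, as an added example that is not code from any participant or from any particular password manager; the function names and the subdomain option are assumptions for illustration.

```javascript
// Added example: the kind of origin match a password-manager browser extension
// performs before offering to fill a credential. The credential is stored
// against the origin it was saved on; filling is offered only when the current
// page's origin matches it exactly (scheme + host + port), optionally allowing
// subdomains of the saved host. Names here are illustrative assumptions.

function parseOrigin(input) {
  try {
    const u = new URL(input);
    // Only web origins are eligible; javascript:, data:, file: etc. never match.
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port };
  } catch {
    return null; // not a valid absolute URL
  }
}

function shouldFill(storedOrigin, currentUrl, allowSubdomains = false) {
  const saved = parseOrigin(storedOrigin);
  const page = parseOrigin(currentUrl);
  if (!saved || !page) return false;
  // Refuse a downgrade: a credential saved on https is never filled over http,
  // where it would travel in the clear.
  if (saved.scheme !== page.scheme) return false;
  if (saved.port !== page.port) return false;
  if (saved.host === page.host) return true;
  // Subdomain rule: the page host must end with "." + saved host, so a
  // lookalike such as "genuine-bank-com.please-login.com" can never match
  // "genuine-bank.com" the way a human skimming the address bar might think it does.
  return allowSubdomains && page.host.endsWith("." + saved.host);
}

// Constructed demonstration inputs mirroring the thread's lookalike example.
function demo() {
  const saved = "https://genuine-bank.com";
  return {
    realLogin: shouldFill(saved, "https://genuine-bank.com/login?next=/"),
    lookalike: shouldFill(saved, "https://genuine-bank-com.please-login.com/login"),
    downgrade: shouldFill(saved, "http://genuine-bank.com/login"),
    subdomain: shouldFill(saved, "https://login.genuine-bank.com/", true),
  };
}
```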