On 15/11/2023 15:40, Michel Verdier wrote:
On 2023-11-15, Max Nikulin wrote:
For Chromium it is better to have a password manager
(gnome-keyring/kwallet/keepassxc/etc.) with a D-Bus interface. It needs
a key to encrypt passwords saved in the browser and likely the cookie store.
Encryption is not applied otherwise.
What about Firefox then? Does it work with password managers with a
D-Bus interface?
keepassxc has a plugin for firefox
A browser extension should be a significantly better option than using
the clipboard for passwords for various sites. (I hope it is properly
implemented.) I am unsure if it works for Mozilla accounts, since add-ons
are not allowed to interact with some Mozilla sites.
As to the D-Bus Secret Storage API, Chrome has no master password dialog; it
can use only the user keyring. Firefox has its own dialog but does not
support getting it through D-Bus. Both browsers have their own storage
for site passwords. KeePassXC declares support for the Secret Storage API, so
it should be suitable for storing the Chrome master key. Certainly users
may choose to keep their passwords for sites in KeePassXC, not in
browser-specific storage.
Firefox stores cookies (and so authentication tokens for active logins)
without encryption:
https://bugzilla.mozilla.org/show_bug.cgi?id=56788
and a number of duplicates.
Pass(1) sets a timer and removes the password from the clipboard after
that time has expired.
I am unsure if listening for clipboard change events is currently implemented
in browsers. Such a feature defeats timeouts. Its fair use is clipboard managers
specifically for ChromeOS, but that might be usable on other platforms as
well.
Don't know about pass, but keepassxc doesn't rely on managers and erases
the clipboard itself after its timeout
I mean clipboard sniffing
./clipnotify -s clipboard && xclip -selection clipboard -o |
tee -a /tmp/pw.txt
where clipnotify is a tool to wait for clipboard changes:
https://github.com/cdown/clipnotify
The command above fetches clipboard content immediately when KeePassXC
puts a password into the clipboard. A timeout does not help.
In Wayland, applications need permission to access the clipboard.
In KDE, klipper is enabled by default and clipboard history is saved to a
file. There are a number of other clipboard managers.
For web pages there was an intention to allow actions in response to
changes of clipboard content:
https://w3c.github.io/clipboard-apis/#clipboard-event-clipboardchange
KeePassXC does not erase the password immediately after clipboard content is
obtained. However, it would be a rather minor improvement. Even if the
clipboard is cleared after first use, a sniffer may put the content back to
allow the user to paste the password.
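
An added example, not part of the original message: a Python check of how exposed a cookie database is at rest, given the point above that Firefox stores cookies without encryption. The file name cookies.sqlite, the demo table and the sample token are assumptions constructed for the illustration; the check reads only the file header and permission bits, never a cookie.

```python
import os
import sqlite3
import stat
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plain SQLite file


def audit_cookie_store(path):
    """Report at-rest exposure of a cookie database without reading any cookie."""
    path = os.path.abspath(path)
    file_mode = stat.S_IMODE(os.stat(path).st_mode)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    with open(path, "rb") as fh:
        plain = fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC

    findings = []
    if plain:
        # The container itself is not encrypted, so file permissions are the
        # only barrier. (This cannot tell whether single values are encrypted.)
        findings.append("unencrypted SQLite container")
    if file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file readable by group/other")
    if dir_mode & (stat.S_IXGRP | stat.S_IXOTH):
        findings.append("directory traversable by group/other")
    return {"plain_sqlite": plain, "file_mode": oct(file_mode),
            "dir_mode": oct(dir_mode), "findings": findings}


def make_sample_store(directory, mode):
    """Build a constructed stand-in database (not a real browser profile)."""
    path = os.path.join(directory, "cookies.sqlite")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS demo (name TEXT, value TEXT)")
    con.execute("INSERT INTO demo VALUES ('session', 'constructed-token')")
    con.commit()
    con.close()
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # created with mode 0700
        for mode in (0o644, 0o600):
            print(audit_cookie_store(make_sample_store(tmp, mode)))
```

Even with mode 0600 inside a 0700 directory, the "unencrypted SQLite container" finding remains: any process running as the same user can still open the file.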