
>Password managers can't deal with this, unsurprisingly

Maybe I'm overly paranoid but I choose to manually copy my passwords out of my manager into the login form.

Then again I also use a PW manager that doesn't support cloud storage. (Though you could always throw your DB into Dropbox if you desired)



> Maybe I'm overly paranoid but I choose to manually copy my passwords out of my manager into the login form.

Holy crap, don't do that. You're eliminating the primary benefit of using a password manager.

Browser integrated password managers can't be phished; they only auto-fill on the correct site, they're not fooled by convincing URLs, and the better ones respect https requirements.

This isn't a matter of convenience. Putting human judgment in the critical path makes things worse, not better, even when it's your own judgment. Don't let paranoia and distrust of automation draw you into a pattern of bad decision making.


KeePass? That's what I use and I probably am 50/50 between using autofill or Copy+Paste. And it autoclears after a few seconds.

And I store my DB in Dropbox, but not the key.


You're doing it wrong.

The password manager (implemented correctly) will only fill in the form on the legitimate site. This protects against phishing.


Yes, but I'm more worried about a flaw in the software revealing my DB than phishing, something I am an expert on.

I also have some measures in place to detect. (Ex: hard coded lists of URLs that open in a "financial" container)

I don't claim it's perfect, but it's my way of doing things, I like it, and I don't think it opens me up to an unreasonable amount of risk.

(Also, for lower-value passwords, like netflix, HN, etc I just use my browser's built in password manager.)


LastPass did this wrong, they had a bug in their url parser that let you trick it into selecting the wrong site data to form-fill with.

With the c+p workflow, you can completely cut out any attack vectors (because the website doesn't interact with your password manager in any way).


You can't cut out phishing. IDN homoglyphs used to be an easy way to get burned. AFAIK this is now prevented at least by mainstream browsers (those for which a pw mgr plugin would exist anyway). 'rn' vs 'm' is still a multi-letter homoglyph that works and is very very difficult to identify.

I would prefer to trust the pw mgr to send password to only the recorded website, than for me to remember and pay attention no matter how tired or distracted I might be, to what that website is. 'rn' vs 'm' as noted, but also citibank.com vs cittibank.com vs citibankcorp.com, or worse for sites that may not have a .com, how am I supposed to remember it's for TLD .io vs TLD .phisher?

You can only cut out the attack vectors if you act perfectly. That's simply not dependable. All I personally need to reassure myself of this is to look at the number of bugs I write per day.
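The two points raised above (fill only on the exact recorded origin rather than on anything that looks like the URL, and the 'rn' vs 'm' / cittibank-style lookalikes a human misses when tired) can be shown in code. This is an added example, not code from any commenter or from any password manager named in the thread; the vault entries and hostnames are constructed, and the confusable list is illustrative rather than complete. It uses only the standard `URL` class available in browsers and Node.

```javascript
// Added example (not from any commenter): how a browser-integrated password
// manager can decide whether a stored credential may be offered on the page
// the user is looking at. Rule 1: match on the full origin (scheme + exact
// host), never on a substring of the URL. Rule 2: warn when the host is a
// near-miss lookalike of a stored one ('rn' vs 'm', doubled letters, 0 vs o).

// Constructed sample vault: entries keyed by the origin they were saved on.
const VAULT = [
  { origin: "https://citibank.com", user: "alice" },
  { origin: "https://example.io", user: "alice" },
];

// Strict origin match. new URL() lower-cases scheme and host and drops the
// default port, so "HTTPS://CitiBank.com:443/login" still matches. A host
// that merely *contains* the stored name ("citibank.com.phisher.example") or
// hides it in userinfo ("https://citibank.com@evil.example/") does not.
function credentialsFor(pageUrl, vault = VAULT) {
  let origin;
  try {
    origin = new URL(pageUrl).origin;
  } catch {
    return [];                                   // unparseable URL: fill nothing
  }
  if (!origin.startsWith("https://")) return []; // plain http never gets a fill
  return vault.filter((e) => e.origin === origin);
}

// Confusable sequences that collapse onto the genuine character(s). The pairs
// come from the thread ('rn' vs 'm') plus a few widely known ones; a real
// product would use a maintained confusables table. Punycode (xn--) labels
// are a separate concern the thread says browsers now handle, so they are
// not treated here.
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["cl", "d"], ["0", "o"], ["1", "l"]];

function normaliseHost(host) {
  let h = host.toLowerCase().replace(/^www\./, "");
  for (const [from, to] of CONFUSABLES) h = h.split(from).join(to);
  return h.replace(/(.)\1+/g, "$1");             // cittibank -> citibank
}

// Returns "match" (exactly a stored host), "lookalike" (collapses onto a
// stored host but is not it), or "unknown". A manager fills only on "match"
// and can show a warning on "lookalike". Note what this heuristic does NOT
// catch: "citibankcorp.com" is simply "unknown"; the strict origin match in
// credentialsFor() is what keeps the credential from being offered there.
function classifyHost(pageUrl, vault = VAULT) {
  let host;
  try {
    host = new URL(pageUrl).hostname;
  } catch {
    return "unknown";
  }
  const stored = vault.map((e) => new URL(e.origin).hostname);
  if (stored.includes(host)) return "match";
  const n = normaliseHost(host);
  return stored.some((s) => normaliseHost(s) === n) ? "lookalike" : "unknown";
}

// Usage: these are the checks a fill decision would run on the current tab.
console.log(credentialsFor("HTTPS://CitiBank.com:443/login").length); // 1
console.log(credentialsFor("https://citibank.com.phisher.example/").length); // 0
console.log(classifyHost("https://citibank.corn"));                   // lookalike
console.log(classifyHost("https://citibankcorp.com"));                // unknown
```

The design point is that the two checks are independent: the origin comparison is what prevents a fill on the wrong site, and the lookalike check only adds a warning for the user, so a gap in the confusable list never weakens the fill decision.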


Timing is good on this one: https://arstechnica.com/information-technology/2019/02/behol...

I didn't investigate in detail but it appears that it is a fake iframe. Even X-Frame-Options et al to prevent 3rd party iframe doesn't solve it because the iframe is fake to begin with!

Very very hard for you to prevent copy/paste to a fake iframe SSO.


What's the benefit of doing it that way?


He gets to have the added insecurity of putting it on his clipboard for other programs to see on the way by.

/s

I actually can't imagine how it could be safer than having the password manager do it directly.


> He gets to have the added insecurity of putting it on his clipboard for other programs to see on the way by.

If the local system is trustworthy, then none of the other programs are sniffing the clipboard looking to harvest passwords. And therefore there is no issue here.

If the local system is untrustworthy and contains malware sniffing the clipboard looking to harvest passwords, then using or not using a password manager is irrelevant [1]. Instead there is a bigger issue needing cleaning up, that of returning the local system to a trustworthy state.

[1] because an untrustworthy local system running clipboard sniffing malware is also likely running key logging malware, so even if the passwords were only ever memorized they will still get captured whenever they are typed in.


A password can end up on the clipboard and get picked up by some utility, stored in a history, log or swap file or otherwise get misplaced - this doesn't require a compromised system full of malicious software, just bugs and/or unexpected or unintended behaviour or interactions, which are fairly common.


This is not necessarily true. iOS, for example, does not allow for key logging but will happily allow Facebook to grab whatever you have on your clipboard, which it does of course because it's Facebook.


I think I've spotted iOS clearing the clipboard if you task-switch after pasting the contents into a password input field. Which is presumably precisely to defend against this kind of data theft.


Huh, this must be new. I'll look into it; it's nice to hear that this security loophole is at least partially fixed!


Unless you're running a clipboard history program. I know at least two people that use such software; it basically saves the past 10 or so clipboard contents for later use.


One possible way to exploit this is:

  - user copy-and-pastes password
  - user forgets to clear clipboard
  - user opens a link in a new tab with middle-click
  - link was actually a text form
  - middle-click pasted the password into the textfield
(only on platforms with middle-click configured as paste)

I noticed this when I had an image URL in my clipboard and tried to open a link on imgur.com in a new tab. Instead of opening the link, the image URL in my clipboard was uploaded.


A lot of password managers clear or restore the clipboard after a short period.


My manager autoclears the paste buffer.


I've seen some CVEs where malicious websites induce your browser to autofill (basically steal passwords).

So the intention is that I stop some script from siphoning my passwords.

This admittedly opens me up to phishing, but to mitigate I also have containers set up for various facets of my life.

(So it's a big red flag if what's supposedly my bank doesn't open in the "bank" container.)

Edit: I also value storing the database locally versus "in the cloud"


That's why you should turn off auto-fill.


This is why most password managers no longer autofill without user interaction.


Your web browser doesn't have any connection to your password manager. Who knows what your web browser is doing, why would you give it any access to your credentials?


How can you not give your browser your credentials? Do you login on a site using curl and manually copy session cookies?


You can manually copy over one credential at a time - no need to connect the browser to your entire bucket of credentials.


The Safari browser can be linked to the Keychain Manager, both products coming from Apple.


Makes you use the password manager credentials to access your login credentials for other services. Works to stop nosy coworkers, siblings, spouses, etc.


Not sure I understand your point here. You need to use your password manager credentials to autofill also (at least for 1Password). The only reason to copy/paste is if you don't think your password manager will put the right info into the right boxes.



