It’s been a while since I posted something here. The purpose of this topic is to get an insight into how everyone handles their passwords and secrets safely. Not to encourage any arguments.
So let’s talk about handling secrets. Specifically using password managers. In my case it’s KeePassXC.
Saving passwords is relatively easy. I can generate one easily or type it in. But the tricky part is when I have to enter it. In a browser I use an extension compatible with the password manager. But in any other window I am relying on the auto-type feature of KeePassXC. This allows me to enter the selected password into the last open window. But this only works in X11, since Wayland does not allow this.
That gives rise to my first question: How do I fill in passwords in a desktop app or a terminal using a password manager in Wayland?
Should I copy and paste the password?
Now imagine I am signing in to some website. They ask me to save my recovery keys.
Second question: How should I save this recovery key to my password manager?
Should I copy and paste it or type in a long random string?
Third and last question: How should I update my existing passwords?
Fill in the old password first, then update the password in the password manager, and finally fill in the new password in the password update form?
Or should I clone the password entry in the password manager, update it, and then fill in the old and new passwords in the update form?
I don’t trust many browser extensions, even KeePassX’s.
I know this sounds insane, but I am happy (and more secure) cutting and pasting (Ctrl+B and Ctrl+C respectively) my login and passwords into the fields.
2 cents.
EDIT: I offer no opinion on the password section. Conventional wisdom varies radically.
Same, copy and paste. Or you can create a separate entry, or store it in the description.
This is likely the safer option in case there is an issue with the website or you have a glitch of some sort during the process of updating. You will have a copy until you verify the change took.
For all of them, determine your desired level of risk and treat your clipboard accordingly with regard to storing items: how many, how long, etc.
I’ve read somewhere, some time ago, that copy-pasting passwords (even from a password manager) isn’t safe.
When changing a password on a site, it usually asks for the old password, then to create a new password. If the password manager is active it should catch the new password and ask if you want to save it. At least that’s what Bitwarden does, which I’m on.
I’m also using the Bitwarden extension in the browser (which I don’t particularly trust; I don’t trust extensions), but it seems the only way to let it work flawlessly.
I’m usually logged out of my password manager until I need it; afterwards I log out again. I just feel safer that way, lol.
This is all on X11, I don’t use Wayland (btw).
For passwords I use KeePassXC, and for storing important personal files I encrypted one mechanical 1 TB HD with VeraCrypt that is only mounted manually and protected with a key file, with a proper backup stored “somewhere”.
This is because it will continue to reside in your clipboard. Clear it and it is not a problem. This is what I was referring to when I mentioned managing your desired level of risk.
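As an added illustration of that clipboard-hygiene point (example code written for this thread, not from any of the posters or from KeePassXC): a small Python helper that copies a secret to the clipboard and wipes it again after a timeout, but only if the clipboard still holds that secret, so something the user copied in the meantime is not destroyed. The `wl-copy`/`wl-paste` (Wayland) and `xclip` (X11) command lines are the real tools' options; the `MemoryClipboard` class is a constructed stand-in so the demonstration runs without a display server.

```python
"""Copy a secret to the clipboard and wipe it after a timeout (added example)."""
import hashlib
import shutil
import subprocess
import threading
from typing import Protocol


class Clipboard(Protocol):
    def write(self, data: bytes) -> None: ...
    def read(self) -> bytes: ...
    def clear(self) -> None: ...


class CommandClipboard:
    """Drives wl-copy/wl-paste on Wayland or xclip on X11 via subprocess."""

    def __init__(self) -> None:
        if shutil.which("wl-copy") and shutil.which("wl-paste"):
            self.copy_cmd = ["wl-copy"]
            self.paste_cmd = ["wl-paste", "--no-newline"]
            self.clear_cmd = ["wl-copy", "--clear"]
        elif shutil.which("xclip"):
            self.copy_cmd = ["xclip", "-selection", "clipboard", "-in"]
            self.paste_cmd = ["xclip", "-selection", "clipboard", "-out"]
            self.clear_cmd = None  # xclip has no clear flag; overwrite instead
        else:
            raise RuntimeError("neither wl-copy/wl-paste nor xclip is installed")

    def write(self, data: bytes) -> None:
        # The secret goes over stdin, never on the command line, so it does not
        # show up in `ps` or /proc/*/cmdline for other users on the machine.
        subprocess.run(self.copy_cmd, input=data, check=True)

    def read(self) -> bytes:
        # wl-paste exits non-zero on an empty clipboard; treat that as b"".
        return subprocess.run(self.paste_cmd, capture_output=True, check=False).stdout

    def clear(self) -> None:
        if self.clear_cmd:
            subprocess.run(self.clear_cmd, check=True)
        else:
            self.write(b"")


class MemoryClipboard:
    """Constructed in-memory stand-in so the example runs without a display."""

    def __init__(self) -> None:
        self.data = b""

    def write(self, data: bytes) -> None:
        self.data = data

    def read(self) -> bytes:
        return self.data

    def clear(self) -> None:
        self.data = b""


def copy_secret(secret: str, clipboard: Clipboard, ttl_seconds: float) -> threading.Timer:
    """Place `secret` on the clipboard and schedule a conditional wipe.

    After `ttl_seconds` the clipboard is cleared only if it still holds the
    secret; anything the user copied later is left untouched.
    """
    data = secret.encode("utf-8")
    # Keep only a hash in the timer closure so it does not hold the secret alive.
    expected = hashlib.sha256(data).hexdigest()
    clipboard.write(data)

    def expire() -> None:
        if hashlib.sha256(clipboard.read()).hexdigest() == expected:
            clipboard.clear()

    timer = threading.Timer(ttl_seconds, expire)
    timer.daemon = True
    timer.start()
    return timer


if __name__ == "__main__":
    clip = CommandClipboard()
    t = copy_secret("correct horse battery staple", clip, ttl_seconds=10)
    print("secret is on the clipboard for 10 s; paste it now")
    t.join()
    print("clipboard wiped (unless you copied something else in between)")
```

Note that this only limits how long the secret sits in the clipboard; while it is there, any program that can read the selection (every X11 client, or the focused Wayland client) can still take it, and clipboard managers such as Parcellite or CopyQ keep their own history unless told to ignore the entry.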
I got rid of xsel. Even though in --help it says I can use --verbose, the -cv output said absolutely nothing so if I can’t see it I can’t believe it.
On to parcellite, I appreciate your help
TL;DR: it depends, but copy/pasting is generally much less secure than a browser extension.
In X11, your clipboard is visible to every program on your computer, i.e. not safe at all. Wayland tries to fix this by making it such a pain in the ass to use your clipboard that you never touch it but fundamentally a clipboard is just not that secure, since it’s something that has to be easily-accessible across apps.
Browser extensions are basically the safest computer programs out there, thanks to built-in sandboxing and capabilities-based security. (This is part of why companies try to move everything onto web apps or web-based technology like Electron; much as we might hate it, Google Chrome is a better “operating system” than any actual operating system out there. It’s not based on the now 54-year-old Unix design, so it can implement much better security features.)
Another big advantage is autofill makes phishing harder. If you always copy-paste your data into a password form, you’re very likely to do this without noticing the URL is off; however, autofill won’t work if the URL is incorrect.
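As an added worked example of that autofill point (written for this thread; not code from any poster, nor from KeePassXC or Bitwarden): a minimal origin-exact URL matcher in Python showing why a look-alike address gets no credentials while copy-paste happily hands them over. Real extensions are more elaborate (registered-domain matching via the Public Suffix List, per-entry match rules), so this is a simplified model; the sample vault and hosts are constructed.

```python
"""Origin-exact URL matching as a password-manager autofill guard (added example)."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, host, port)


def origin_of(url: str) -> Optional[Origin]:
    """Return the web origin of an http(s) URL, or None if the URL is unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # .hostname is lower-cased and stripped of userinfo, so
    # "https://shop.example.com@evil.test/" yields host "evil.test".
    return (parts.scheme, parts.hostname, port)


def autofill_allowed(entry_url: str, page_url: str) -> bool:
    """Fill only when the page's origin equals the saved entry's origin exactly.

    This rejects any look-alike host, however similar, and also an https entry
    on an http page, where the credentials would leave in cleartext.
    """
    saved, page = origin_of(entry_url), origin_of(page_url)
    return saved is not None and page is not None and saved == page


def matching_entries(vault: Dict[str, str], page_url: str) -> List[str]:
    """Names of vault entries whose saved URL matches the current page."""
    return [name for name, url in vault.items() if autofill_allowed(url, page_url)]


# Constructed sample vault (hypothetical hosts, not real accounts).
SAMPLE_VAULT = {
    "shop": "https://shop.example.com/account/login",
    "mail": "https://mail.example.net/",
    "router": "http://192.168.1.1/",
}

if __name__ == "__main__":
    for page in [
        "https://shop.example.com/checkout",         # genuine host: fills
        "https://shop.example.com.evil.test/login",  # look-alike suffix: no fill
        "https://shop.example.com@evil.test/login",  # userinfo trick: no fill
        "http://shop.example.com/account/login",     # TLS downgrade: no fill
        "https://SHOP.Example.com:443/",             # case/default port: fills
    ]:
        print(f"{page:45} -> {matching_entries(SAMPLE_VAULT, page)}")
```

The check is deliberately on the full origin rather than on whether the page URL "contains" the saved domain; substring matching is exactly what a `shop.example.com.evil.test` host is built to defeat.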
But it’s a problem (at least for me) if you want to keep some of the history list, unless you use a clipboard that can delete one line (the password one) instead of all of them.
That’s why I use CopyQ and not the default Xfce clipboard.
Secrets that change and where I might need the previous one or where I have key files, backup codes etc go into notes field of the current item - no separate one.
For convenience I use Proton Pass and their browser extension, which is secured with a 6-digit PIN before first use and again after 10 minutes. The Proton Pass site has a separate password, different from the Proton account password. I know that this is CLOUD and I need to trust them, but Proton is quite safe IMHO…
Money relevant accounts (amazon, paypal) or e-mail accounts (especially the ones used for password resets) are secured with 2FA anyway.