Keypass And Safepay

Hello,


I would like to ask a question regarding safepay and the clipboard. If I copy a password from Keypass Password manager that is open on the desktop, switch to safepay and then paste the password in a form, is this a safe procedure?

Comments

  • camarie
    camarie Principal Software Developer BD Staff
    Hello,


    I would like to ask a question regarding safepay and the clipboard. If I copy a password from Keypass Password manager that is open on the desktop, switch to safepay and then paste the password in a form, is this a safe procedure?


    It is a feature. I believe the question means "can someone else intercept it?": the answer is yes, because the clipboard is a public way to exchange data. For two applications to exchange data securely, they should use a secure clipboard format which both know how to encrypt and decrypt. Keypass is an external program.


    If Keypass does this with, say, Internet Explorer, it also has an extension running inside IE to do this (I'm just speculating here).


    Was this your concern?


    Regards,


    Cristian

  • zorgon
    edited November 2013
    It is a feature. I believe the question means "can someone else intercept it?": the answer is yes, because the clipboard is a public way to exchange data. For two applications to exchange data securely, they should use a secure clipboard format which both know how to encrypt and decrypt. Keypass is an external program.


    If Keypass does this with, say, Internet Explorer, it also has an extension running inside IE to do this (I'm just speculating here).


    Was this your concern?


    Regards,


    Cristian


    Thanks for the response.


    Yes, but according to Keypass, the contents of the clipboard are encrypted and then decrypted when pasting. I was wondering if it was a security problem when switching from desktop to Safepay. From your answer, I assume that it would be safe to do as the data in the clipboard is encrypted when passing to Safepay.



    Keypass Process Memory Protection


    While KeePass is running, sensitive data (like the hash of the master key and entry passwords) is stored encrypted in process memory.


    This means that even if you would dump the KeePass process memory to disk, you couldn't find the passwords.


    For example, when you are copying a password to the clipboard, KeePass first decrypts the password field, copies it to the clipboard and immediately re-encrypts it using the random key.

  • camarie
    camarie Principal Software Developer BD Staff
    Thanks for the response.


    Yes, but according to Keypass, the contents of the clipboard are encrypted and then decrypted when pasting. I was wondering if it was a security problem when switching from desktop to Safepay. From your answer, I assume that it would be safe to do as the data in the clipboard is encrypted when passing to Safepay.


    It is probably how I said; they are probably using 2 programs, one writing to the clipboard encrypted (the main program where the user is copying the password), and one decrypting and pasting inside the target program (either it is an extension loaded in the browser, or another form of injecting into the program where the paste should be done).


    Do they support only browsers, or also other programs? I'm asking this because from their description at http://keepass.info/features.html#lnkclipboard I cannot understand exactly the scenario.


    Thanks,


    Cristian

  • It is probably how I said; they are probably using 2 programs, one writing to the clipboard encrypted (the main program where the user is copying the password), and one decrypting and pasting inside the target program (either it is an extension loaded in the browser, or another form of injecting into the program where the paste should be done).


    Do they support only browsers, or also other programs? I'm asking this because from their description at http://keepass.info/features.html#lnkclipboard I cannot understand exactly the scenario.


    Thanks,


    Cristian


    As far as I know, Keypass can work outside of browsers also. I use the portable version. If I provide the main password to the manager, it will let me paste the password to a browser password field or any empty field in any program.

  • camarie
    camarie Principal Software Developer BD Staff
    As far as I know, Keypass can work outside of browsers also. I use the portable version. If I provide the main password to the manager, it will let me paste the password to a browser password field or any empty field in any program.


    Then they are most likely using a global hook. We are not targeting other programs, but you have a point.


    Let me think a little on this, maybe I can come up with a user story and maybe an improvement.


    Bump the thread if you don't see me answering, I'm doing 4 things at once now (with a 5th on the way...) so I might get caught in other issues.


    Thanks,


    Cristian

  • Then they are most likely using a global hook. We are not targeting other programs, but you have a point.


    Let me think a little on this, maybe I can come up with a user story and maybe an improvement.


    Bump the thread if you don't see me answering, I'm doing 4 things at once now (with a 5th on the way...) so I might get caught in other issues.


    Thanks,


    Cristian


    Bump.

  • camarie
    camarie Principal Software Developer BD Staff
    Bump.


    The entire story is submitted to the team; one of the guys is looking deep into the inner workings and hopefully he'll come up with detailed results in the next days.


    Cristian


    P.S. A side note: 2013 entered maintenance/bugfix-only mode some time ago, and so did the 2014 version last week. That means we will not add new features in these versions.

  • Dudescu Dude
    Dudescu Dude Senior QA Engineer ✭✭✭

    Hello,


    What KeePass does is clear the password 10 seconds after you copy it from the software.


    It does not use encryption for passwords in the clipboard.

  • Hello,


    What KeePass does is clear the password 10 seconds after you copy it from the software.


    It does not use encryption for passwords in the clipboard.


    Thanks for that info. That really kind of scares me as I always thought the password was encrypted in memory. I confirmed it by using the Clipboard viewer in XP. Sorry for any problems I caused. Thanks again for giving me the heads up on this.