The clipboard's biggest vulnerability is the user themselves, but most password managers automatically clear their own entries after a customizable timeout.
Sure, other applications can see the clipboard, but if you've got software running on the user's machine you've already won.
It's trivial to script if you want (either by modifying the rather simple pass script itself or by wrapping around it).
Some programs support calling an external command to get a password, that's convenient (mutt and msmtp allow that for instance). I thought about integrating pass in my window manager directly but I didn't take the time to implement it yet.
pass also tries to clear the clipboard after 45 seconds.
But really, if you can't trust your clipboard, what can you do? I didn't really feel a lot safer with lastpass' browser plugin.
A password manager effectively can't protect against other applications on the same machine. IMO that makes the universality of the clipboard more valuable than the safety of using alternate input methods.
Though since there are plenty of things that block pasting passwords, those alternate options are appreciated.
I think the point in discussions like these is, what is the alternative? I.e., add value to the discussion, not argue over semantics. Arguing that everything (or this thing) sucks is... non-constructive. What do you see as better alternatives?
I agree completely, the clipboard is non-trusted. Yet the fact remains, how can we transmit an arbitrary string from a secure app like a password store, to another app in need of authorization? Let's build constructive conversations.
> so you know and trust every piece of software that is running on your machine?
Ostensibly, yes. Because (as 'StavrosK said), if I don't then we can't even begin to talk about security on that machine yet. We have to start with assumptions somewhere.
If software on your machine is compromised, your machine is compromised (or will be in short order). You need to make reasonable concessions and stick with them in order to get anywhere.
I'm not particularly worried about other applications on my computer listening to the clipboard. But 99% of the time I'm pasting into a webpage in Chrome or Firefox. Can any open tab sniff the clipboard passively?
No, webpages get to the contents of the clipboard only after explicit user interaction.
On the other hand, it does not work this way in the other direction. Random web pages can manipulate your primary selection and overwrite it with random garbage (this primarily happens with various attempts to make copying stuff from the page more "convenient", pretty commonly resulting in a state where it is simply impossible to copy said thing into, say, rxvt directly). It is somewhat ironic that Chrome's address bar uses some magic to prevent this from happening, while the same magic is not applied to websites.
I think a better idea would be to fill in the password through something like xdotool
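
The xdotool approach suggested above, written as a small wrapper around pass. This is an added example, not code from any poster in this thread or from the pass project. It assumes an X11 session, the pass convention that the password is the first line of an entry, and an xdotool build whose `type` command accepts `--file -`; `PASS_BIN`, `XDOTOOL_BIN`, `first_line` and `type_password` are names made up for this sketch.

```shell
#!/bin/sh
# Type a pass entry into the focused window instead of going through the clipboard.
# PASS_BIN / XDOTOOL_BIN are hypothetical overrides (used for testing with stubs).
PASS_BIN="${PASS_BIN:-pass}"
XDOTOOL_BIN="${XDOTOOL_BIN:-xdotool}"

# Emit only the first line of stdin, without the trailing newline.
# By pass convention the first line is the password; later lines are metadata.
first_line() {
    line=
    IFS= read -r line || [ -n "$line" ] || return 1
    printf '%s' "$line"
}

# type_password <entry>: decrypt the entry and send it as synthetic keystrokes.
type_password() {
    entry="$1"
    [ -n "$entry" ] || { echo "usage: type_password <entry>" >&2; return 2; }

    # An empty result (missing entry, failed decryption) is treated as an error.
    secret=$("$PASS_BIN" show "$entry" | first_line) || return 1
    [ -n "$secret" ] || { echo "no password in entry: $entry" >&2; return 1; }

    # Feed the secret on stdin: putting it on xdotool's command line would
    # expose it to every local user via the process list.
    # --clearmodifiers releases Shift/Ctrl/etc. held by the keybinding that
    # launched this script, so the typed characters are not altered.
    rc=0
    printf '%s' "$secret" | "$XDOTOOL_BIN" type --clearmodifiers --file - || rc=$?
    unset secret
    return "$rc"
}

# Run directly (e.g. from a window-manager keybinding): script.sh <entry>
if [ "$#" -gt 0 ]; then
    type_password "$1"
fi
```

Synthetic keystrokes go to whichever window has focus when the script runs, so a focus change at the wrong moment sends the password to the wrong application; other X11 clients can also observe the typed keys, which matches the thread's point that local software is inside the trust boundary either way.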