A password manager effectively can't protect against other applications on the same machine. IMO that makes the universality of the clipboard more valuable than the safety of using alternate input methods.
Though since there are plenty of things that block pasting passwords, those alternate options are appreciated.
I think the point in discussions like these is, what is the alternative? I.e., add value to the discussion, not argue over semantics. Arguing that everything (or this thing) sucks is.. non-constructive. What do you see as better alternatives?
I agree completely, the clipboard is non-trusted. Yet the fact remains, how can we transmit an arbitrary string from a secure app like a password store to another app in need of authorization? Let's build constructive conversations.
> so you know and trust every piece of software that is running on your machine?
Ostensibly, yes. Because (as 'StavrosK said), if I don't then we can't even begin to talk about security on that machine yet. We have to start with assumptions somewhere.
If software on your machine is compromised, your machine is compromised (or will be in short order). You need to make reasonable concessions and stick with them in order to get anywhere.
I'm not particularly worried about other applications on my computer listening to the clipboard. But 99% of the time I'm pasting into a webpage in Chrome or Firefox. Can any open tab sniff the clipboard passively?
No, webpages get to the contents of the clipboard only after explicit user interaction.
On the other hand it does not work this way in the other direction. Random web pages can manipulate your primary selection and overwrite it with random garbage (this primarily happens with various attempts to make copying stuff from the page more "convenient", pretty commonly resulting in a state where it is simply impossible to copy said thing into, say, rxvt directly). It is somewhat ironic that Chrome's address bar uses some magic to prevent this from happening, while the same magic is not applied to websites.