Here's the best solution I've found for those looking for password manager recommendations. It's secure, free, open source, easy to use, and syncs to all of your devices.
1. Password manager for PC / Laptop: KeePassXC. It's not built into your browser, it's a separate application. It's totally open source, and trusted by many. It also supports two factor authentication, I use a passphrase and a key file. Supports TOTP. Has a ton of "premium" features, totally free. It's awesome.
2. Syncing application: Google Drive. Sync your KeePass database using Google Drive (or whatever other sync application you want). KeePassXC supports merging databases if there's ever a conflict, as rare as those are. This is secure, because the KeePass database file is encrypted, and Google Drive / Google will never see the unencrypted database.
3. Password manager for phone: KeePass2Android. Not sure what the options are for Apple, but I'm sure they exist. Allows you to open your KeePassXC database from Google Drive.
4. Browser support: KeePassXC-Browser. Allows you to autofill your username / password / TOTP from your KeePassXC application to Chrome / Firefox.
Totally free, secure, convenient, and syncs to all your devices. Also comes with excellent redundancy for your password database so you'll never lose it. I've been using this setup for years flawlessly.
Auto-type is much more secure than using the companion KeePassXC browser extension to fill your passwords, since it doesn't need a connection between your browser and your password manager. It also removes the chance of some dodgy website having a username and password box off screen and using it to trick the autofill feature.
One minor inconvenience with auto-type is that your passwords don't auto fill by themselves, but I have it set to the hotkey alt+x which makes it quick to trigger with my thumb, and after doing it this way for nearly 2 years now I barely notice.
Another downside with auto-type is that not all websites put their full names in the browser title bar, so auto-type won't show you your related passwords in some cases. To fix that you can install a browser extension that puts the full web URL in the title bar:
https://github.com/erichgoldman/add-url-to-window-title
> Another downside with auto-type is that not all websites put their full names in the browser title bar, so auto-type won't show you your related passwords in some cases. To fix that you can install a browser extension that puts the full web URL in the title bar: https://github.com/erichgoldman/add-url-to-window-title
Instead of modifying the browser title, I use AutoTypeSearch plugin for Keepass, that opens a dialog allowing me to suggest entries in case of no matches.
There is also another plugin that allows search using both URL and title -- "WebAutoType".
These two plugins together make the Keepass experience almost seamless.
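The two posts above describe matching KeePass entries against the browser window title, and why putting the full URL in the title helps. The following is an added illustration written for this thread, not KeePass or KeePassXC code: it shows plain title-substring matching beside hostname matching on a URL embedded in the title, using constructed entries and window titles.

```python
import re
from urllib.parse import urlparse

# Constructed sample vault entries for the illustration (not a real database).
ENTRIES = [
    {"title": "Example Bank", "url": "https://examplebank.test/login"},
    {"title": "Example Forum", "url": "https://forum.example.test"},
    {"title": "GitHub", "url": "https://github.com"},
]

# A URL as an extension like add-url-to-window-title would append to the title.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def title_matches(window_title, entries):
    """Default-style matching: the entry title appears somewhere in the window title."""
    wt = window_title.lower()
    return [e for e in entries if e["title"].lower() in wt]


def url_matches(url, entries):
    """Hostname matching: the page host equals the entry host or is a subdomain of it."""
    host = host_of(url)
    hits = []
    for e in entries:
        entry_host = host_of(e["url"])
        if entry_host and (host == entry_host or host.endswith("." + entry_host)):
            hits.append(e)
    return hits


def find_entries(window_title, entries=ENTRIES):
    """If the title carries a URL, match only on its hostname (stricter);
    otherwise fall back to title-substring matching."""
    found = URL_RE.search(window_title)
    if found:
        return url_matches(found.group(0), entries)
    return title_matches(window_title, entries)
```

With a URL present, a lookalike page whose title merely contains the entry name no longer matches, which is the stricter behaviour the URL-in-title approach buys.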
My setup is almost identical, though I skip the browser plugins and let the password manager auto-paste into the browser. Keepass inside GDrive, job done. Very occasionally I'll make a copy out to a portable drive.
I've been running this setup for about a decade, since some big breach (I forget which one) made it clear to me that using the same or similar passwords across multiple sites was not gonna fly any longer.
The initial time investment was surprisingly heavy - I iterated through every online login I could find for myself (searching through email history mostly for signup confirmations) and changed the password on every account I had. Took about two full days.
After realizing how every program running on your machine can snoop on your clipboard, I'm never allowing any program to send my password to the clipboard again.
Haven't you pretty much already lost when you can't trust the programs running on your machine? If they can snoop on your clipboard, they're probably also able to access your sensitive files, log key presses, take screenshots, install browser extensions etc.
Sorry, I must have been very tired last night. This morning, I can't remember (or figure out) which actions I was thinking of when I wrote that.
The only one that still jumps out to me is browser extensions—I'm pretty sure none of the major browsers allow that without user approval within the browser. You'd have to do something nasty which would require root.
>The only one that still jumps out to me is browser extensions—I'm pretty sure none of the major browsers allow that without user approval within the browser. You'd have to do something nasty which would require root.
I've admittedly never tried it, but as far as I understand, installing an extension in Firefox just involves copying the corresponding .xpi file to the profile folder (which is owned by the user, not root) and modifying a few configuration files (e.g. extensions.json). I don't see why some other program wouldn't be able to do that.
If root access were required, you'd have to supply your root password every time you wanted to install an extension.
This is in addition to the fact that Firefox has absolutely mandatory code signing for extensions (the only recourse is to recompile Firefox). That's something I'm very much not happy about, but does have upsides.
I have a hard time imagining how they enforce that. What keeps a malicious program from replicating the exact changes that Firefox makes when installing an extension? What about just replacing the whole profile folder with one that has a malicious extension installed?
>Firefox has absolutely mandatory code signing for extensions
That helps I guess, but there are clearly still malicious extensions that can pass the automated tests and get signed. Even if that wasn't possible, you could probably use some userscript extension and load malicious scripts that way.
> What keeps a malicious program from replicating the exact changes that Firefox makes when installing an extension? What about just replacing the whole profile folder with one that has a malicious extension installed?
I obviously haven't spent time trying to break this, but I would assume the config file is hashed. You probably could replace the whole profile, but that would be very noticeable to the user.
I'm far less worried about that than I am about one website breach resulting in my accounts on other sites being compromised.
Perfect security doesn't exist, of course, so somewhere in the middle lies a good compromise that trades off risk and convenience. For me keepass on a synced drive hits the mark.
Not sure what the solution would be if you don't trust local programs - Keepass' paste method already bypasses the clipboard IIRC by entering directly into the fields.
> 4. Browser support: KeePassXC-Browser. Allows you to autofill your username / password / TOTP from your KeePassXC application to Chrome / Firefox.
I believe the point the article is making is that any browser extension to auto fill is inherently insecure for architectural reasons.
I find it odd someone so serious about password managers would recommend KeePassX which hasn't seen a release since 2016. Perhaps they meant the KeePassXC fork.
> I believe the point the article is making is that any browser extension to auto fill is inherently insecure for architectural reasons.
No, that is not what the article said. The article said that password managers that insert elements into the webpage are insecure. You don't need to do that to autofill passwords.
I don't think the Bitwarden extension uses content scripts—at least, it doesn't insert any elements into the webpage, which seemed to be the main issue that the article was bringing up.
Just to be clear, when I say autofill I'm not suggesting that it fills in passwords with zero interaction, but when you're on a website that Bitwarden has a password for, it shows a little flag on the extension icon, and you can click on it to fill the password.
I should probably just switch to using the autotype functionality built in, though much of my security concerns are allayed by the fact that KeePassXC prompts me in the application each time a website requests to use a password.
Yep, but now you have to trust some guy (there's really no open source on iOS, as there are no reproducible builds or way to verify the code) and hope for the best.