Is it safe to use Secure Memos with the clipboard?

Postby John Flyer » Fri Feb 08, 2013 11:10 am

I have another post regarding two login pages for an application (viewtopic.php?f=73&p=97153#p97153). To resolve the login problem I have created a secure memo with filename and password for each task. The info in the memo is easily copied to the clipboard (just mark the text in the memo, then paste into the appropriate field).

I have noticed that this copy process is not the same as when you copy a password from the Web Account or App Account section.

My settings: “Ask before pasting password from clipboard“ is checked. If I copy the pw from a Web/App Account record, SP asks me whether I want to paste from the clipboard. No question is asked when I paste the content from a secure memo. Is the clipboard encryption not enabled for secure memos?

I do not think I fully understand the clipboard protection in SP. The info I have found is this post:
viewtopic.php?f=75&t=58629&p=67616&hilit=Clipboard+Encryption#p67616

The confirm question is asked if I paste into a web page. If I paste into Notepad, the result is “[Sticky Password Protector]”. If I paste into Open Office Writer, the confirmation question is asked, then Open Office displays “Requested clipboard format is not available” and nothing is pasted. However, if I press ctrl-v for the second time, the password is pasted without any question.

If I paste into OO Calc, I get the message “The contents of the clipboard could not be pasted”; all the time, the every other time behavior does not occur in Calc.
John Flyer
Experienced user
 
Posts: 124
Joined: Fri Jan 18, 2013 11:33 am

Re: Is it safe to use Secure Memos with the clipboard?

Postby Evzen » Fri Feb 08, 2013 1:27 pm

John Flyer wrote:My settings: “Ask before pasting password from clipboard“ is checked. If I copy the pw from a Web/App Account record, SP asks me whether I want to paste from the clipboard. No question is asked when I paste the content from a secure memo. Is the clipboard encryption not enabled for secure memos?

No, this feature does not work with secure memos. As the setting says, it protects PASSWORDS copied to clipboard.
And apparently, there is no way to tell that a generic string is a password, so Sticky can be certain about PASSWORD being copied to clipboard only when it's copied there from certain places, namely password fields of Accounts.

John Flyer wrote:If I paste into Open Office Writer, the confirmation question is asked, then Open Office displays “Requested clipboard format is not available” and nothing is pasted. However, if I press ctrl-v for the second time, the password is pasted without any question.

If I paste into OO Calc, I get the message “The contents of the clipboard could not be pasted”; all the time, the every other time behavior does not occur in Calc.

Interesting... looks like some funny collision with OOo...
What version of OOo is it? Is it really OpenOffice.org, not LibreOffice?
Evzen
Experienced user
 
Posts: 163
Joined: Tue Jul 03, 2012 1:33 am

Re: Is it safe to use Secure Memos with the clipboard?

Postby John Flyer » Fri Feb 08, 2013 3:09 pm

Hi Evzen,
Oh yeah, SP had to be clairvoyant to understand when I was copying a password from the secure memo. The encrypted clipboard must eventually always be used in connection with secure memo. Just to be SECURE....

My app is OpenOffice.org 3.4.1 [ApacheOpenOffice 3, AOO341m1(Build:9593) - Rev. 1372282]
John Flyer

Re: Is it safe to use Secure Memos with the clipboard?

Postby John Flyer » Fri Feb 08, 2013 5:07 pm

I am sorry, but I copied a password from the SP database into Ashampoo Office 2012 (Text Maker). SP asked for confirmation, then pasted the password without any trouble.

Is this the way the encrypted clipboard should work?
John Flyer

Re: Is it safe to use Secure Memos with the clipboard?

Postby Evzen » Sat Feb 09, 2013 12:41 pm

Yes, that's the intended behavior.

BTW, the clipboard problem with OpenOffice.org seems to be an OOo fault: http://www.oooforum.org/forum/viewtopic.phtml?t=54108 (that discussion is from 2007-2008, but apparently the problem still exists).
However, SP should not paste the password without asking first, regardless of the OOo error message.
Evzen

Re: Is it safe to use Secure Memos with the clipboard?

Postby John Flyer » Sat Feb 09, 2013 2:34 pm

Thanks for your clarification, Evzen.

I am not able to open www.oooforum.org in any browser, http://forum.openoffice.org/en/forum/ is OK. But let us forget any OOo-problem, my objective is to learn and understand SP; I am trying to have the utmost outcome of this helpful application.

As I have said, I do not think I fully understand the encrypted (protected) clipboard feature. I know it is very easy to access anything that is copied into the clipboard, that is why I want to understand the protection SP can give me.

I have experienced several different processes:

1 – 'The Ashampoo behavior' (and Web Page behavior)
Confirmation question, the pw is correctly pasted.

2 – 'The Notepad behavior'
No confirmation question, the text “[Sticky Password Protector]” is pasted.

3 - 'The Edit Plus behavior'
Confirmation question, the letter 'm' is pasted.

4 – 'The OOo behavior'
Different in Writer/Calc; due to a fault in OOo.

Another strange observation:
In Edit Plus, if I copy the text “[Sticky Password Protector]” and try to paste it, nothing happens. If the text is changed to “[Sticky Password Forum]”, the behavior is normal. If I close (exit) SP, I can copy/paste “[Sticky Password Protector]” as usual. ???

My main question is: In what way is this a protection against keyloggers? If a keylogger tries to read the clipboard, would SP give me the confirmation question?
John Flyer

Re: Is it safe to use Secure Memos with the clipboard?

Postby Evzen » Sat Feb 09, 2013 4:46 pm

The principle is that SP should ask you for confirmation whenever something is trying to paste from clipboard.
So when this question appears, you should know whether it's YOU (or generally some process you know of) or something else - and either confirm or reject the operation.

The clipboard content is not actually encrypted, the clipboard actually holds the placeholder text.
When the paste operation is confirmed and it detects this placeholder text in clipboard, it asks SP directly for the originally intended clipboard content (i.e. the password).

This also explains your experiment with copying the "[Sticky Password Protector]" text in the clipboard - when the paste operation asked SP for the originally intended content, there was none, SP did not have such thing, thus nothing happened.

BTW, it works with Notepad too, but you should better restart SP after changing the "Ask before pasting" option in Settings. That way you ensure that the functionality is properly initialized.
Evzen
Experienced user
 
Posts: 163
Joined: Tue Jul 03, 2012 1:33 am
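
Added example, not part of the thread and not Sticky Password's code: a toy Python model of the placeholder principle described in the post above, showing what a hooked application, an unhooked clipboard reader, and a paste of plain memo text each receive. The `Vault` class, the `hooked` flag and the sample secrets are assumptions made for illustration.

```python
# Toy model of the placeholder scheme described in the thread (added example).
PLACEHOLDER = "[Sticky Password Protector]"  # placeholder text quoted in the thread


class Vault:
    """Hypothetical stand-in for the password manager process."""

    def __init__(self):
        self.pending = None  # real secret held back while the placeholder is out
        self.prompts = 0     # confirmation questions shown so far

    def copy_password(self, clipboard, secret):
        # Account password field: keep the secret, publish only the placeholder.
        self.pending = secret
        clipboard["text"] = PLACEHOLDER

    def copy_generic(self, clipboard, text):
        # Secure memo text is a generic string: it lands on the clipboard as-is.
        clipboard["text"] = text

    def release(self, confirm):
        # Called by the paste hook; nothing pending means nothing to hand out.
        if self.pending is None:
            return ""
        self.prompts += 1
        return self.pending if confirm() else ""


def paste(clipboard, vault, hooked, confirm=lambda: True):
    """What a process receives on paste. `hooked` is True for applications the
    manager can intercept (per the thread: 32-bit ones), False otherwise."""
    data = clipboard["text"]
    if hooked and data == PLACEHOLDER:
        return vault.release(confirm)
    return data  # unhooked reader, or ordinary clipboard content


def demo():
    clip, vault = {"text": ""}, Vault()
    out = {}
    vault.copy_password(clip, "hunter2-constructed")      # constructed secret
    out["hooked_yes"] = paste(clip, vault, hooked=True)
    out["hooked_no"] = paste(clip, vault, hooked=True, confirm=lambda: False)
    out["unhooked"] = paste(clip, vault, hooked=False)    # e.g. clipboard monitor
    out["prompts_for_password"] = vault.prompts
    vault.copy_generic(clip, "memo: file.tc / pw-constructed")
    out["memo_unhooked"] = paste(clip, vault, hooked=False)
    out["prompts_after_memo"] = vault.prompts
    fresh = Vault()
    clip["text"] = PLACEHOLDER  # the literal text copied with no secret pending
    out["placeholder_no_secret"] = paste(clip, fresh, hooked=True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value!r}")
```

In this model the memo text reaches any clipboard reader in the clear and never triggers a prompt, which is the gap the thread title asks about.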

Re: Is it safe to use Secure Memos with the clipboard?

Postby John Flyer » Sun Feb 10, 2013 4:40 pm

Notepad: "Ask before pasting" is constantly on, it is not changed after boot. I have never been asked about pasting when Notepad is the target, the result is always “[Sticky Password Forum]”. But when I copy from Notepad to OOo, the real password is pasted without a question. A bit crazy. Do you have another behavior?

I should have liked to create a script to read the clipboard (to notice SP's reaction), but I am a bit outdated when it comes to VBS/Excel scripting. Instead I activated a multi-clipboard program storing the 25 last captures. As soon as I pressed 'copy' SP got “furious”, several confirm questions on the screen, but none of them responded to Yes/No. I had to force a log-off. The multi-clipboard program was unable to store the password, only “Program Specific Clip” showed up.

You have described SP's logic; do you have internal knowledge about the code, or do you claim your assumptions? I do not like that SP reacts in different ways to different applications. :?
John Flyer

Re: Is it safe to use Secure Memos with the clipboard?

Postby Evzen » Sun Feb 10, 2013 8:00 pm

John Flyer wrote:Notepad: "Ask before pasting" is constantly on, it is not changed after boot. I have never been asked about pasting when Notepad is the target, the result is always “[Sticky Password Forum]”.
It's [Sticky Password Protector], not [Sticky Password Forum], I guess... ;-)
I think I know what is the problem - you're on 64-bit Windows, aren't you?
SP is a 32-bit application and supports only 32-bit applications - so apparently the described clipboard protection principle doesn't work well with 64-bit applications.

John Flyer wrote:But when I copy from Notepad to OOo, the real password is pasted without a question. A bit crazy. Do you have another behavior?
What exactly do you "copy from Notepad"? A password? How should it know that the string you copied is a password? It's just a string, a generic string... there is no way to tell that it's actually a password...

John Flyer wrote:I activated a multi-clipboard program storing the 25 last captures. As soon as I pressed 'copy' SP got “furious”, several confirm questions on the screen, but none of them responded to Yes/No. I had to force a log-off. The multi-clipboard program was unable to store the password, only “Program Specific Clip” showed up.
This looks like a more or less correct behavior - in the end the password was NOT "compromised", was it?
The behavior may be a bit odd, I agree. That's something that I'm sure can be fixed, just report a bug with more detailed description and it will get fixed eventually.

John Flyer wrote:I do not like that SP reacts in different ways to different applications. :?
Given the behavior you described so far I guess my description of the functionality principle is quite correct ;-).
Evzen

Re: Is it safe to use Secure Memos with the clipboard?

Postby John Flyer » Sun Feb 10, 2013 9:13 pm

“[Sticky Password Forum]”, yes, of course, it should have been "[Sticky Password Protector]"; my carelessness! LOL.

Yes, I am running 64b Win7. I did not know SP is not fully compatible with x64.

The crazy story in detail: 1) I copied the pw from a Web Account 2) I pasted into Notepad with ctrl-v. The result was: [Sticky Password Protector] 3) I marked this text in Notepad, pressed ctrl-c, went to OOo and pressed ctrl-v. Now the password from the web a/c was displayed. Without any question.

The multi-clipboard program: Yes, the password was NOT "compromised", that is good, but I do not like the system crash, of course. It means SP is not compatible with this multi-clipboard program, but that is NOT a huge loss.

Your description of the functionality principle is what I named “1 – 'The Ashampoo behavior' (and Web Page behavior)” in a previous post. If the behavior had been like that with Notepad/Edit Plus/Open Office org/25 Clip – or any other software, I would have been happier.
John Flyer

Re: Is it safe to use Secure Memos with the clipboard?

Postby John Flyer » Mon Feb 11, 2013 3:15 pm

I tried the portable version of SP on my 32b computer (WinXP Pro):

Paste into Notepad:
Confirmation question, pw correctly pasted (=behavior 1)

Paste into Edit Plus & OpenOffice Writer, same behavior as on my 64b computer (behavior 3 & 4). (When I paste into Edit Plus, the control goes to beginning of the file and the first character from the password is pasted.)

Back on my 64b computer (Win7 Pro):
I have two instances of notepad.exe, file #1 with size 193,536 byte, timestamp 14.07.2009 03:39, located in C:\Windows. File #2 with size 193,536 byte, timestamp 14.07.2009 03:39, located in C:\Windows\System32 and C:\Windows\SysWOW64.

If I use file#2, SP asks the confirmation question and the pw is properly pasted!!!

My taskbar shortcut points to %windir%\System32\notepad.exe but still file #1 is used (with the crazy result). ????

I have tried to rename C:\Windows\notepad.exe, but I am not permitted to do so (not in safe mode either). I have copied file #2 to C:\Windows\notepad_x64.exe and edited the taskbar shortcut to %windir%\notepad_x64.exe. NOW I CAN PASTE THE PW FROM SP WITH “Behavior 1”, that is the proper way.

BTW, I have a localized (non-English) Windows 7 OS. I do not understand these strange issues, but this discussion with Evzen has been of great value to me. Thanks!

Edit: About the "[Sticky Password Protector]" text please read viewtopic.php?f=73&t=58639&p=68063&hilit=Sticky+Password+Protector#p67903:
Petr Pinkas wrote:
Re: Keylogger VS Sticky Password 6
by petr.pinkas » Thu May 24, 2012 12:55 pm
Keylogger will only see "CTRL+V", so it will not log your password. If it will try to access clipboard, it will get value "[Sticky Password Protector]"

John Flyer

Re: Is it safe to use Secure Memos with the clipboard?

Postby Evzen » Tue Feb 12, 2013 1:34 am

John Flyer wrote:When I paste into Edit Plus, the control goes to beginning of the file and the first character from the password is pasted.)
That's apparently some incompatibility between EditPlus and the system used by SP. The world is not ideal and SP team can't do tests with every possible application.

John Flyer wrote:I have two instances of notepad.exe, file #1 with size 193,536 byte, timestamp 14.07.2009 03:39, located in C:\Windows. File #2 with size 193,536 byte, timestamp 14.07.2009 03:39, located in C:\Windows\System32 and C:\Windows\SysWOW64.

If I use file#2, SP asks the confirmation question and the pw is properly pasted!!!
Sure. Because you actually used the 3rd file which is a 32bit Notepad. See http://en.wikipedia.org/wiki/WoW64

John Flyer wrote:My taskbar shortcut points to %windir%\System32\notepad.exe but still file #1 is used (with the crazy result). ????
Nope. The files 1 and 2 are the same 64-bit notepads and the 3rd notepad.exe in SysWOW64 is 32-bit.
And now for the best part - these files 1 and 2 are not separate files, but actually only hardlinks to ONE PHYSICAL FILE.
Just look here, install the Link Shell Extension and be surprised what is on your harddisk: http://schinagl.priv.at/nt/hardlinkshellext/hardlinkshellext.html

John Flyer wrote:I have tried to rename C:\Windows\notepad.exe, but I am not permitted to do so (not in safe mode either).
Sure, it's normal behavior since Vista... it's not magic, it's just a standard file/folder permissions stuff. Only users with administration rights can do such changes in system (and %ProgramFiles%) folders. Oh, and of course the file can't be locked, e.g. the application can't be running at the time you try to rename the file...

John Flyer wrote:I have copied file #2 to C:\Windows\notepad_x64.exe and edited the taskbar shortcut to %windir%\notepad_x64.exe. NOW I CAN PASTE THE PW FROM SP WITH “Behavior 1”, that is the proper way.
Of course... because it's a 32-bit Notepad, not 64-bit as you think. Just look in the processes list in Task Manager, it shows "*32" next to 32-bit processes.

John Flyer wrote:I do not understand these strange issues, but this discussion with Evzen has been of great value to me. Thanks!
Man, you should know better about Windows and how things work inside before you start such experiments. It's slowly becoming a mixing apples with oranges... Let's stick with the basic fact that SP is a 32-bit application and as such does not work with 64-bit applications. So any experiments in 64-bit area WON'T WORK.
Evzen

Re: Is it safe to use Secure Memos with the clipboard?

Postby John Flyer » Tue Feb 12, 2013 10:36 am

Once again, thanks for your clarifications. I have heard about 'symbolic links' introduced in Vista, but I have not cared very much. Now I have learned the meaning of WOW64; nice to know (and I have renamed my file copy from notepad_x64.exe to .._x86..). Another issue I have had, is how to determine whether you are running a 32b or a 64b program. I know how to distinguish the IE9 versions, but how to do that in a generic way? Thanks for the tip about processes in Task Manager. Like every 64b user, most of my apps have the x86 architecture. (Like Firefox, Edit Plus, OOo Writer, Ashampoo Text Maker and 25Clip).
Evzen wrote:Man, you should know better about Windows and how things work inside before you start such experiments. It's slowly becoming a mixing apples with oranges... Let's stick with the basic fact that SP is a 32-bit application and as such does not work with 64-bit applications. So any experiments in 64-bit area WON'T WORK.
That is a kind of diversion. I am not experimenting in the 64-bit area. I am trying to get the utmost outcome of my SP installation. I have been forced to use the clipboard/Notepad along with SP due to a non-floating Secure Memo window and due to SP's lack of ability to handle login processes with two pages.

I try to be focused on security, not all the information SP takes care of, is top sensitive, but I like to know how secure my daily routines are. Beware of the theme of this topic. As said, SP forces me to use the clipboard/notepad. According to the product information - “32-bit applications/browsers are supported on 32-bit or 64-bit systems” - I should be able to run SP on my Win7x64 computer. I have never bothered whether the installed Notepad is a 32 or a 64 bit program.
John Flyer
Experienced user
 
Posts: 124
Joined: Fri Jan 18, 2013 11:33 am
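
Added example, not part of the thread: one generic way to tell a 32-bit from a 64-bit executable is to read the Machine field of its PE header, and `os.path.samefile` shows whether two paths are hardlinks to one physical file, as discussed for the notepad.exe copies. The helper names and the sample header bytes are constructed for illustration.

```python
import io
import os
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE = {0x014C: "32-bit (x86)", 0x8664: "64-bit (x64)"}


def pe_bitness(f):
    """Return the architecture recorded in the PE header of binary stream f."""
    dos = f.read(0x40)
    if len(dos) < 0x40 or dos[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", dos, 0x3C)   # e_lfanew: offset of PE header
    f.seek(pe_off)
    hdr = f.read(6)                                   # "PE\0\0" followed by Machine
    if len(hdr) < 6 or hdr[:4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", hdr, 4)
    return MACHINE.get(machine, "other (0x%04x)" % machine)


def file_bitness(path):
    """Bitness of the executable stored at path."""
    with open(path, "rb") as f:
        return pe_bitness(f)


def same_physical_file(a, b):
    """True when two paths name one file on disk, e.g. two hardlinks."""
    return os.path.samefile(a, b)


def sample_pe(machine, pe_off=0x80):
    """Constructed minimal header: just enough bytes for pe_bitness()."""
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine)


if __name__ == "__main__":
    print(pe_bitness(io.BytesIO(sample_pe(0x014C))))
    print(pe_bitness(io.BytesIO(sample_pe(0x8664))))
    windir = os.environ.get("windir")
    if windir:  # on Windows, inspect the notepad.exe copies named in the thread
        for sub in ("", "System32", "SysWOW64"):
            p = os.path.join(windir, sub, "notepad.exe")
            if os.path.exists(p):
                print(p, file_bitness(p))
```

When this runs in a 32-bit Python on 64-bit Windows, WoW64 file system redirection makes `System32` resolve to `SysWOW64`, so the 64-bit file has to be opened through `%windir%\Sysnative`.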

Re: Is it safe to use Secure Memos with the clipboard?

Postby Evzen » Tue Feb 12, 2013 3:18 pm

John Flyer wrote:Once again, thanks for your clarifications. I have heard about 'symbolic links' introduced in Vista, but I have not cared very much.
...
Another issue I have had, is how to determine whether you are running a 32b or a 64b program. I know how to distinguish the IE9 versions, but how to do that in a generic way?
That's all just fine as long as you consider yourself "a Joe Average".
But as soon as you start sniffing around miscellaneous advanced stuff - and the discussed topics ARE such stuff - you simply need to know (way) much more about computers and the OS internals, otherwise you start doing incorrect things... and because of that you start coming to incorrect conclusions.

John Flyer wrote:I am not experimenting in the 64-bit area. I am trying to get the utmost outcome of my SP installation.
As soon as you started experimenting with all the Notepad copies and pastes you DID start experimenting in the 64-bit area. You just didn't know about that. But that's a different story...

John Flyer wrote:I have been forced to use the clipboard/Notepad along with SP due to a non-floating Secure Memo window and due to SP's lack of ability to handle login processes with two pages.
Are you sure it's not possible to solve it? It's not possible to create a separate account for each of the two pages (and tie the accounts to the particular page instead of entire website in its settings)?
If the problem is only the 2 pages (and it's not something else like e.g. autogenerated field IDs preventing SP completely from work with such pages), this approach should work IMO.

John Flyer wrote:According to the product information - “32-bit applications/browsers are supported on 32-bit or 64-bit systems” - I should be able to run SP on my Win7x64 computer.
And that's how it works. You can run SP on both 32-bit and 64-bit OS, however only 32-bit applications are supported on 64-bit OS.
John Flyer wrote:I have never bothered whether the installed Notepad is a 32 or a 64 bit program.
Well, you can't blame SP for that, can you? ;-)
Evzen

Re: Is it safe to use Secure Memos with the clipboard?

Postby John Flyer » Tue Feb 12, 2013 9:32 pm

Evzen wrote:Well, you can't blame SP for that, can you?

I am sorry you feel I am “blaming” somebody, I cannot have expressed myself clearly (English is not my native language).

My intention was to get the utmost out of my SP installation in an easy, but secure way. Due to the non-floating secure memo window and the app login with two pages, I landed on the clipboard issues and the cut&paste security SP is offering. I was about to suggest the secured memos should be clipboard protected like the passwords are today, but I do not think it is a good suggestion for the time being. I now have discovered that I use another app which is the 6th 32b program that is incompatible with SP's protected clipboard.

It is easy enough to open TrueCrypt containers in a manual way (through copying URL & password); it is rather seldom I need to open these containers. SP's “Big Brother” had no problems with the 2 page login, but I think that system is overloaded. As "a Joe Average" user I want utilities that are simple and secure to use. I enjoy Sticky Password with the possibility to have several logins for the same URL. Other users/families prefer separated databases, but a user description for this solution can be found at the support site (http://lamantine.helpserve.com/Knowledg ... -databases).
John Flyer

