Your Clipboard is Leaking

Legal professionals who use password managers should understand this risk: when you copy your password from your password manager to your application or Web account, it goes on your device’s clipboard.  This is a virtual part of your device’s memory and it clears when you restart your device.  Most password managers clear the clipboard after a few seconds, so that your password isn’t just sitting there for other applications to capture.

Which is exactly what they can do.  There was an interesting Ars Technica piece on Clipcaster, an Android app that does just this.  It monitors your clipboard and, when it sees a password, it copies it.  The Ars article also discusses automatic form-filling (auto-fill) extensions.

Clipcaster Android App Captures Passwords from Clipboard
Clipcaster Android App Captures Passwords from Clipboard

This screen capture was on my Android phone, where I use KeePassDroid with my main KeePass file.  Once I type in my master password, I can select any of my accounts.  KeePassDroid, like KeePass on Windows, copies the password to the phone’s clipboard and then I can paste it into the Web site or other app.

If you use this sort of password manager – and I [still] think you should – and it stores your password on your device – Mac, iOS, Android, Windows, Ubuntu – clipboard, you should be aware of this potential risk.  Fortunately, since you are typing your master password into your password manager directly, that password isn’t at risk from a program or app that monitors the clipboard.  And because you use unique passwords for every site and account (right?), what gets exposed may be minimal.

To be honest, I’m not sure how best to avoid this threat.  I will continue to use KeePass, because it enables me to use many, complicated passwords, without just relying on the number of complex passphrases I can keep in my head.

Obviously, know what the apps you’re downloading say they are going to do.  I downloaded Clipcaster on purpose to see the behavior.  I also use a firewall on my devices to block certain apps from connecting to the Internet and phoning home. It’s just another thing to be aware of as you’re using mobile devices.

David Whelan

I improve information access and lead information teams. My books on finding information and managing it and practicing law using cloud computing reflect my interest in information management, technology, law practice, and legal research. I've been a library director in Canada and the US, as well as directing the American Bar Association's Legal Technology Resource Center. I speak and write frequently on information, technology, law library, and law practice issues.


  1. July 30, 2015
    KeePassDroid has a function in ‘settings’ to clear the clipboard after a given number of seconds. Unfortunately, there are two problems.
    1. It doesn’t work. (in my Moto G)
    2. Even if it worked, there is an exposure time before clearing.

    1. It worked on my Sony Xpedia but … your #2 hits the nail on the head. Since the capture is immediate, whatever time you allow before the clipboard clears is too long.

Comments are closed.