QS, the clipboard and Lastpass

[Ian uɐI]

Hi,

Lastpass is a cross-platform browser extension based password manager. QS seems to be able to handle 1password and keychain clipboard events to exclude them from being added to clipboard history. Because Lastpass runs in the browser, using the "ignore applications" option of the clipboard plugin stops anything being copied and stored from the whole browser.

Is there some other way Lastpass can copy to the clipboard without storing it in QS -- would whatever 1Password uses be able to work for Lastpass?

Thanks!

[Patrick Robertson]

Hi there,

Are you a developer of LastPass, or a user?

What 1Password does is defines a 'transient type' for the data that is copied to the clipboard.

If you're a developer, then here's the info you need: http://nspasteboard.org

If you're a user, then I guess you just need to ask the LastPass guys to implement this! (Although I'm not sure if browser extensions can define the type of the pasteboard data)

--
You received this message because you are subscribed to the Google Groups "Quicksilver" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blacktree-quicks...@googlegroups.com.
To post to this group, send email to blacktree-...@googlegroups.com.
Visit this group at http://groups.google.com/group/blacktree-quicksilver.
For more options, visit https://groups.google.com/groups/opt_out.

[Ian uɐI]

On Thursday, 17 October 2013 14:00:05 UTC+1, Patrick wrote:

Are you a developer of LastPass, or a user?

A user, though I wanted a bit of technical info before i posted this as a feature request on their forum / support. They do have a binary component which is accessed through an NPAPI plugin API, but that is being phased out by Google and Mozilla, and there is no clear replacement plugin API that has cross-browser support. But it can't harm to see if they can at least think about how to / if possible implement this.

Thanks for your knowledge Patrick!!!

Ian

[Brian Bucknam]

On Thursday, October 17, 2013 11:15:11 AM UTC-7, Ian uɐI wrote:

A user, though I wanted a bit of technical info before i posted this as a feature request on their forum / support.

Just for completeness: Using the nspasteboard.org TransientType would probably be a mis-use of this marker, and the recent 1Password release generated a bunch of flak from users by initially doing this in a beta.

Smile Software (who maintains that nspasteboard.org page) is in the process of adding an org.nspasteboard.ConcealedType, which would be the correct marker for LastPass and 1Password to use. I tried to get the Agile (1Password developers) to go with org.nspasteboard.ConcealedType, but it looks like they chose to go their own way and add a com.agilebits.onepassword marker instead. 

However, a few notable pasteboard utilities already do ship with support org.nspasteboard.ConcealedType -- Keyboard Maestro and Butler.

Just FYI if you do contact Lastpass support,

Brian

 

[Patrick Robertson]

Interesting, thanks for the info Brian. Don't think we're using org.nspasteboard.ConcealedType in QS. Probably worth us adding it. Apart from the more explicit name, why a new identifier?

--

[Etienne Samson]

A pasteboard item marked with ConcealedType should be treated carefully because it's sensitive information (eg display as ••••), while TransientType should not be shown at all. The rational being that users are likely to still want their passwords to end up in their password manager, but be treated as sensitive information.

Cordialement,
Etienne Samson
--
samson....@gmail.com

[Brian Bucknam]

Etienne has it right, but to give a bit more detail:  The use case scenario is that users want to be able to Copy both a password _and_ an account name out of a password utility (LastPass, 1Password, etc), then go to a web form or something and use a pasteboard history utility to Paste first the account name, then the password (or vice-versa).

That is: ConcealedType allows pasteboard history utilities to still provide their useful functionality of Pasting multiple items from the history, even if some of the pasteboard content is not something that you would want someone glancing over your shoulder to see.

If a password utility uses TransientType for the password, then the pasteboard history utility should ignore it, and the use case is broken.

If the password utility uses no marker, then the use case works, but users then might worry about "shoulder surfers", or in a case like Quicksilver, the pasteboard history being written to a plain-text file where the password seems vulnerable.

Therefore, ConcealedType marked items should be:

- displayed in pasteboard history, preferably as "pa******" or similarly obscured, available for pasting

- _not_ be written as plain text to a pasteboard history file. It's easiest just to exclude them from any history file, but I guess some developer might want to encrypt them or something.

Thanks,

Brian

On Friday, October 18, 2013 3:11:50 AM UTC-7, Etienne wrote:

A pasteboard item marked with ConcealedType should be treated carefully because it's sensitive information (eg display as ••••), while TransientType should not be shown at all. The rational being that users are likely to still want their passwords to end up in their password manager, but be treated as sensitive information.

Cordialement,
Etienne Samson
--
samson....@gmail.com

Le 18 oct. 2013 à 02:27, Patrick Robertson <robertso...@gmail.com> a écrit :

> Interesting, thanks for the info Brian. Don't think we're using org.nspasteboard.ConcealedType in QS. Probably worth us adding it. Apart from the more explicit name, why a new identifier?
>
> On 18 Hyd 2013, at 05:43, Brian Bucknam <brian5...@gmail.com> wrote:
>
>> On Thursday, October 17, 2013 11:15:11 AM UTC-7, Ian uɐI wrote:
>> A user, though I wanted a bit of technical info before i posted this as a feature request on their forum / support.
>>
>> Just for completeness: Using the nspasteboard.org TransientType would probably be a mis-use of this marker, and the recent 1Password release generated a bunch of flak from users by initially doing this in a beta.
>>
>> Smile Software (who maintains that nspasteboard.org page) is in the process of adding an org.nspasteboard.ConcealedType, which would be the correct marker for LastPass and 1Password to use. I tried to get the Agile (1Password developers) to go with org.nspasteboard.ConcealedType, but it looks like they chose to go their own way and add a com.agilebits.onepassword marker instead.
>>
>> However, a few notable pasteboard utilities already do ship with support org.nspasteboard.ConcealedType -- Keyboard Maestro and Butler.
>>
>> Just FYI if you do contact Lastpass support,
>> Brian
>>  
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Quicksilver" group.

>> To unsubscribe from this group and stop receiving emails from it, send an email to blacktree-quicksilver+unsub...@googlegroups.com.

>> To post to this group, send email to blacktree-...@googlegroups.com.
>> Visit this group at http://groups.google.com/group/blacktree-quicksilver.
>> For more options, visit https://groups.google.com/groups/opt_out.
>
> --
> You received this message because you are subscribed to the Google Groups "Quicksilver" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to blacktree-quicksilver+unsub...@googlegroups.com.