Bug 487359

Summary: Allow option to exclude strings from Klipper's history
Product: [Plasma] plasmashell
Reporter: Roland Tapken <kde>
Component: Clipboard widget & pop-up
Assignee: Plasma Bugs List <plasma-bugs>
Status: RESOLVED INTENTIONAL
Severity: wishlist
CC: nate
Priority: NOR
Version: master
Target Milestone: 1.0
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Roland Tapken 2024-05-22 09:03:24 UTC
SUMMARY

I have to use some legacy apps that don't have any password manager integration, so I have to use the clipboard to fill the password. Often I forget to remove the password from Klipper's history afterwards.

For this reason I would like to have a blacklist file where I can enter salted hashes for strings that should never ever be included in Klipper's history.


STEPS TO REPRODUCE
1. Use password manager to copy password into clipboard for legacy application
2. Forget to remove the entry from Klipper's history

OBSERVED RESULT

Klipper shows the clear text password in the history widget and even stores it on disk if configured to keep the history for the next session.

EXPECTED RESULT

Klipper matches the string with a list of blacklist hashes and ignores the value.

SOFTWARE/OS VERSIONS

all
Comment 1 Roland Tapken 2024-05-22 09:37:32 UTC
As an alternative approach, maybe it would be possible to create a "Copy to clipboard" method that marks the string as private and excludes it from Klipper (or other clipboard managers).
Comment 2 Nate Graham 2024-05-22 18:47:51 UTC
It's an interesting idea, but I'm afraid this isn't feasible. Such a technical feature would only be understood by the person who requested it (i.e. you) and would not have general applicability.

The problem of passwords getting remembered in Klipper when you don't want them to is real, but I'm afraid this isn't the right way to solve it.

The optimal solution would be for those apps to add the `x-kde-passwordManagerHint` mimetype hint for copied passwords. If the apps in question are open-source, you could even implement this yourself. If not, you can at least contact their support and request it.
Comment 3 Roland Tapken 2024-05-23 08:34:47 UTC
Hello Nate,

> It's an interesting idea, but I'm afraid this isn't feasible. Such a
> technical feature would only be understood by the person who requested it
> (i.e. you) and would not have general applicability.

It depends on the user interface. There is already an action menu that works with patterns. We could add a checkbox or a radio box "Secret string" to the menu and show it as "*******" in the interface when it is hashed, and add an action "remove from history".

> The optimal solution would be for those apps to add the
> `x-kde-passwordManagerHint` mimetype hint for copied passwords. If the apps
> in question are open-source, you could even implement this yourself. If not,
> you can at least contact their support and request it.

Thanks for the hint to this flag. It seems that at least for Bitwarden there is already such a feature request, but according to one comment it needs an extension of the Web API (https://github.com/bitwarden/clients/issues/1047#issuecomment-1097429744).
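
Added example, not part of the original thread and not Klipper code: a Python model of the two approaches discussed above, the salted-hash blocklist from the description and the `x-kde-passwordManagerHint` check from comment 2, as one history filter. The hint value `secret`, the PBKDF2 parameters, the 256-character cap, and all class and function names are assumptions of this example.

```python
import hashlib
import hmac
import os

HINT_FORMAT = "x-kde-passwordManagerHint"  # MIME format named in comment 2
HINT_SECRET = b"secret"  # assumed hint value; not stated in the thread


class SecretBlocklist:
    """Keeps salted PBKDF2 digests of secrets, never the strings themselves."""

    def __init__(self, salt=None, rounds=200_000):
        # One salt per blocklist file: each clipboard change costs one derivation.
        self.salt = salt or os.urandom(16)
        self.rounds = rounds
        self.digests = set()

    def _digest(self, text):
        # A slow KDF raises the cost of guessing short passwords from a leaked file.
        return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), self.salt, self.rounds)

    def add(self, text):
        self.digests.add(self._digest(text))

    def contains(self, text):
        candidate = self._digest(text)
        return any(hmac.compare_digest(candidate, d) for d in self.digests)


def should_record(formats, blocklist, max_len=256):
    """Decide whether one copy event (MIME format -> bytes) may enter history."""
    if formats.get(HINT_FORMAT) == HINT_SECRET:
        return False  # source application flagged the data as a password
    raw = formats.get("text/plain")
    if raw is None:
        return True  # non-text data cannot match a string blocklist
    text = raw.decode("utf-8", errors="replace")
    if len(text) > max_len:
        return True  # skip hashing large selections; assumed cap on secret length
    return not blocklist.contains(text)  # exact match only, whitespace included


if __name__ == "__main__":
    blocklist = SecretBlocklist()
    blocklist.add("correct horse battery staple")  # constructed sample secret
    events = [  # constructed sample copy events
        {"text/plain": b"meeting at 10:00"},
        {"text/plain": b"correct horse battery staple"},
        {"text/plain": b"hunter2", HINT_FORMAT: HINT_SECRET},
    ]
    for event in events:
        print(should_record(event, blocklist), sorted(event))
```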