I've tried to exclude 1Password from the Clipboard History via the Preferences: Excluded item, but I still see passwords showing up in the KM Menu Paste dropdown. I know the documentation states that the application will be excluded unless the clipboard is explicitly read - is that why passwords are still showing up in the Paste command? I'd really like to have a way to ensure KM is not reading any data from my password application.
Hey @phookz,
Chances are you just excluded the 1Password app and didn't account for the 1Password Mini app.
Use the Activity Monitor utility to find â1Passwordâ.
You'll find the main app and also the â 1Password Extension Helperâ app.
Get info on the later in the Activity Monitor and then select âOpen Files and Portsâ.
I think the 2nd item in the path to the helper app.
You'll have to use the âOther...â item in the add-excluded-app Keyboard Maestro pref to drill down to where that helper app is hidden.
NOTE â This setting is also available in Keyboard Maestro's General Prefs:
-Chris
Thanks for the response, Chris.
I tried your instructions, but going through the Open Files & Ports I can see the extension is running out of the 1Password 7.app folder - it's a subfolder. There are some files open under my ~/Library/Containers/2BUA8C4S2C.com folder, but when I try to browse through that folder via the KM Exclude picker, there's nothing to select there as they are all data files - nothing is an executable and therefore can't be specified in the Excluded items.
Your second suggestion I already have in place, but it doesn't provide any security. I would rather have 1Password excluded entirely - hiding the password is limited obfuscation, as the password is still in the clipboard history and can be pasted or viewed via the Clipboard History Switcher.
Reading the instructions again for the Preferences (https://wiki.keyboardmaestro.com/manual/Preferences), I think I misunderstood what the preference would do. This is really unfortunate, and is a bit alarming from a security standpoint.
Hey @phookz
You can find the â1Password Extension Helperâ app by:
-
Revealing the 1Password app in the Finder.
-
Right-Clicking on it and selecting âShow Package Contentsâ.
-
Search for âhelperâ.
-
Select the one with the 1Password icon â NOT the Unix Executable with the black icon.
Since you had the path to the â1Password Extension Helperâ app you could also use ââ§G to bring up the path-selector dialog in Keyboard Maestro's open dialog and then go directly to the item.
BUT.
Note that that path goes to the Uniix Executable inside the â1Password Extension Helperâ app:
/Applications/Utilities/Utilities_Chris/Security_Utilities/1Password/1Password 7.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS/1Password Extension Helper
So you have to back up a couple of levels to get to it.
OR â edit the path from the get-go.
-Chris
I can't get âG to work, not sure about that. However, expanding the contents and then dragging from the finder into the KM Open Dialog worked to get the extension helper excluded.
Chris - thanks again for your help with this. In the end, I don't think this is having the desired effect. Keyboard Maestro is still picking up the passwords from 1Password.
What I've done instead, to limit the exposure of passwords, is to set the MaxConcealedPosition setting to 1. This seems to be the lowest it will go, and prevents the Clipboard History from seeing more than 1 password. I want to document this in case others come behind me and are looking for the same thing, so here's the command:
defaults write com.stairways.keyboardmaestro.engine MaxConcealedPosition -int 1
This is documented under the preferences documentation. I also created a macro for clearing out the Clipboard History, for those times when I want to make sure things are as tightened up as possible. In general, for websites I don't use the clipboard for 1Password but instead use the extension. However, there are times when that won't work and for those times I like a convenient way to clear out any traces of passwords.
I'm open to suggestions if I am taking the wrong approach to this.
ďżź
Whups â that Command-Shift-G.
Search for âgo to folderâ in this document:
It works in the Finder and in Open and Save dialogs.
Hmm... So it would seem.
I looked into things a little further, and I was wrong about the 1Password helper app being the same as 1Password Mini.
Even with both 1Password.app and 1Password Extension Helper.app in Keyboard Maestro's clipboard exclusion list KM is continuing to show copied items...
Hey @peternlewis â what's the story on this?
-Chris
It does provide additional security in that the password is excluded from saving to disk and removed from the history after it reaches position 10 on the list (and as you note, that can be adjusted down to 1, which basically just means the current system clipboard).
1Password Extension Helper is never the front application - it masquerades as the front application (similar to how Keyboard Maestro Engine behaves). So, for example, if you are in Safari and use the 1Password extension to copy an entry and look in the Keyboard Maestro clipboard history, you will see the clipboard recorded as originating from Safari.
Because of this the extension cannot be excluded.
1 Like
My mistake; there is a bit of extra security. I'm still concerned about passwords living in the Clipboard History. 1Password will clear the clipboard after a configured time period (90s by default), but it doesn't know about the Clipboard History in MK so nothing can be done there.
I've been trying to exclude the main 1Password app. I think I've figured out what's happening, based on some trial and error.
I believe (please correct me if I'm wrong) that when you click the KM Menu Paste, it reads the Clipboard History, and appears to be accessing the current System Clipboard as well as an explicit read. If you have a password in the System Clipboard, it is then read into the KM Clipboard History. This makes testing complicated.
To prove this theory out, I set the 1Password Clipboard preference to clear the clipboard after 10 seconds. Then, to test this, I copy a password, view the Paste history in KM, and see the password. Now clear out the Clipboard History in KM, and copy a password again. Wait 10 seconds (verify it's empty by trying to paste into another app), then check the paste history. In my testing I see the password doesn't make it there in this case.
So, to ratchet security up a bit, set the MaxConcealedPosition to 1 and have 1Password clear the clipboard set to something long enough for usability, but short enough to limit exposure. I'm going with 60 seconds. If you don't muck with trying to read the clipboard in KM, it won't pick up the password. Even if it does, with the setting at 1 it will be overwritten shortly.
This is what I'm going with. Alternatively, you could make a macro to paste and immediately clear the clipboard history. This removes your clipboard history, but means the password is no longer cached anywhere. I don't really use the Clipboard History, so the impact in my workflows would be minimal.
Correct, the menu reads the clipboard history, which includes the current System Clipboard.
An alternative would simply be to use a macro to paste the password and immediately delete it. No need to clear the history at that point, just delete the current system clipboard containing the password. This would work regardless of whether you use clipboard history or not, as long as you're disciplined enough to use the macro to paste the password.
And in all seriousness, if you're not using the clipboard history then you are missing out - clipboard history is a facility that should be built in to the Mac, and even folks not using Keyboard Maestro (shudder!) should use a clipboard history application. So many times you cut something and then have to ensure you carefully don't copy anything else lest you accidentally lose important information, or you want to copy three different things from one place to another, or you want to refuse something you copied a minute ago.
Yes, there are some security implications, but most of them are not realistic threats - if your Mac is ever out of your control while unlocked you have already lost all security, and if the password is ever on the clipboard, then whether it stays on Keyboard Maestroâs clipboard history for a while is almost certainly irrelevant since it was already accessible to every single running process in your account.
If you have situations where you want to allow someone you mostly trust to use your Mac, write a macro that clears the history, locks your keychain, closes appropriate applications, etc. Or better yet, create a guest or secondary account and fast user switch to it.
But once a real attacker gets on to your Mac for even a minute without your control your Mac security is lost.
1 Like