Resolved

RDM Clipboard

Hi, I tried a search for this but did not find any post about it.

Some VPN clients don't work with RDM VPN integration for many reasons (VPN paid version, not supported by RDM yet, etc.).
But the RDM integration with a program window seems good, so I can force any software to open "inside RDM".

To increase security, I would like to know if RDM has, or if it is possible to add, a feature where I allow users to copy passwords for some entries and paste them only in software windows opened inside RDM.

My objective is to allow users to copy passwords for some VPN clients that RDM cannot handle with VPN sessions, but can open using an entry of type "embedded command line"... And the user can copy the password just inside this tab opened in RDM, but not outside RDM...


For example, I allow the user to do this "special password copy" and RDM puts a temporary encrypted version of the password in its memory (or clipboard). If the user attempts to paste outside RDM, it just pastes an encrypted value (only RDM knows how to decrypt it), so this copied value has no meaning outside RDM... But if the user pastes in a specific RDM opened tab, RDM can decrypt it and paste it into the fields I want (or into any field present in a window of the destination tab).

Is this possible?

All Comments (4)

Very interesting idea. As for "is it possible" we will need to investigate. We have monthly "developer-ninja" days where developers are free to explore ideas and create proof of concepts. I will add this to the list of suggestions and see what people come up with over the next few months.

As for me, the gears in my head are already spinning thinking of the possibilities and the details of what it will take to implement something like this.

The clipboard on Windows is a beast of complexity but with well-defined rules. Unfortunately these rules are not always (rarely) followed by most applications and clipboard manager tools. This will be a very interesting challenge.

Best regards,

Stéfane Lavergne

I've been thinking about this some more.

I could most probably limit paste to, say, an executable. Something like: you create the credential entry and you specify the full path of the executable for which you want to "allow paste". The only issue with this is that it only solves the problem where the user pastes the password in, say, notepad.exe; that would be blocked. Nothing would stop them from pasting the password in the username field of the VPN application, hence exposing the password. We can control the paste at the process level, not the control level, unfortunately.

Do you think this is something worth pursuing?

Stéfane Lavergne

Hi Stefane!

First, thank you for giving some attention to this crazy idea.

You bring up a question that I did not pay attention to: in any case, the user can hack the process using text fields in the target process. This makes our efforts to protect the copy useless.

So, I guess that it is very difficult to protect the user from copying unless Windows provides a way to enforce copying directly to the password field. I guess that it doesn't have something like this yet.

I believe that we can end this discussion. Again, thank you very much for your attention.

If, in the future, you have some great idea for making password copies in this situation more secure, please share it with us!

My pleasure, crazy ideas sometimes become amazing features so we always welcome thinking outside the box.

As for the clipboard, they have already implemented a flag where you can tell the OS that the data in the clipboard is "sensitive" (aka private) so that tools that keep a clipboard history can ignore those values so, in theory, your password is safe. The only issue is the flag is only a suggestion. You would be surprised (scared) at how many tools don't even use the clipboard, yet still monitor your clipboard data.

Using the clipboard to log in to any site/tool should always be your last option. Unfortunately, for most VPNs, it is the only option. Even the command line is not better. Think procexp.exe, add the "Command Line" column in the grid and voila.

Best regards,

Stéfane Lavergne
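
The "sensitive" clipboard flag mentioned in the last reply, shown as an added example that is not part of the original thread and is not RDM's code. It assumes the flag meant is the set of clipboard format names Windows documents for clipboard history and cloud clipboard; the function names and the sample password are constructed for illustration.

```powershell
# Added example (not from the thread, not RDM code). Windows only.
Add-Type -AssemblyName System.Windows.Forms

# Format names Windows documents for clipboard history / cloud clipboard.
# Assumption: these are the "sensitive" flag the reply refers to.
$HintFormats = @(
    'ExcludeClipboardContentFromMonitorProcessing',  # presence alone is the hint
    'CanIncludeInClipboardHistory',                  # DWORD 0 = keep out of clipboard history
    'CanUploadToCloudClipboard'                      # DWORD 0 = do not sync to other devices
)

function Set-SensitiveClipboardText {
    param([Parameter(Mandatory)][string]$Text)

    # The WinForms clipboard API only works on a single-threaded apartment thread.
    if ([Threading.Thread]::CurrentThread.GetApartmentState() -ne 'STA') {
        throw 'Run from an STA thread (powershell.exe -STA).'
    }
    $data = New-Object System.Windows.Forms.DataObject
    $data.SetText($Text)
    foreach ($name in $HintFormats) {
        # A Stream is placed on the clipboard as raw bytes: here a 4-byte DWORD of 0.
        $zero = [System.IO.MemoryStream]::new([BitConverter]::GetBytes([uint32]0))
        $data.SetData($name, $zero)
    }
    # $true flushes every format to the clipboard so it does not depend on this process.
    [System.Windows.Forms.Clipboard]::SetDataObject($data, $true)
}

function Test-ClipboardHints {
    # Reports which hint formats are present on whatever is on the clipboard now.
    $current = [System.Windows.Forms.Clipboard]::GetDataObject()
    foreach ($name in $HintFormats) {
        [pscustomobject]@{
            Format  = $name
            Present = ($null -ne $current) -and $current.GetDataPresent($name, $false)
        }
    }
}

Set-SensitiveClipboardText -Text 'Constructed-Example-Pw1!'   # constructed sample value
Test-ClipboardHints | Format-Table -AutoSize
```

These formats are requests to cooperating clipboard tools, not access control: any process in the same session can still read the text, which is the limitation the reply describes.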