Lacks safeguards against holding passwords
Using Ditto makes copying confidential data more risky because:
1. Copied data is retained for longer: copying a further selection replaces the system clipboard, but it does not remove the previous contents from Ditto's history.
2. Some password managers that are designed to copy passwords only temporarily (clearing the system clipboard again after a short time) still end up leaving the password in Ditto. This even affects KeePassXC with its default settings.
These become a problem if the Windows session is compromised, if someone accesses it via remote control, or if someone watches you pasting from Ditto.
There are workarounds for these issues. The simplest is to manually delete the confidential entry (e.g. the password) from Ditto after it has been used, but this is risky because it is easy to forget. There are more systematic workarounds, such as excluding specific applications from capture and disconnecting Ditto from the system clipboard.
There are quite a few tickets tracking ways this could be improved (in particular #241, #325, #986 and #1008). Each of these helps, some only in particular circumstances. Solving all of them would mostly solve the problem, but the most important issue I see is that users are not informed about these risks. Risk 1 above may be obvious when you think about it, but if you use a PC where Ditto is preinstalled, it is unlikely you will realize it until a risky situation arises. As for risk 2, it took me years of using both KeePass/KeePassXC and Ditto to realize it. I am not saying Ditto bears the responsibility, but it is certainly a necessary part of the problematic combination.
As of now (Ditto 03.25.113), nothing is done to warn users about this increased risk. Since user awareness is the first line of defence, at least one of the following should be added:
- a warning in the README and/or the wiki
- a warning when creating a first Ditto clip (and perhaps an optional reminder every 2500(?) copies).