Question regarding clipboard security

One can enable a firewall in firejail

The firejail site says nothing about using it for intrusion protection… it is all about isolating suspect apps.

A VM with NAT can provide some intrusion protection. Not sure about docker containers.

So what makes you guys think someone could break into a running firejail environment?

1 Like

I have found the answer

You switch off your computer

Get in the car and drive 100 km to your local branch of the bank which closed last week and transferred a further 100 km away…

Then you realise you forgot your passport, ID card, password, and lock of hair for the DNA test…

Ultimate security. No money no worries !
:ok_hand::blush::heart_eyes::+1:

2 Likes

Hi all, :wave:

thank you so much for your many replies. I´m pretty overwhelmed by them, but in a good way. :wink:

I guess I should´ve made it clearer why I asked my question in the first place.
It´s just out of interest.

When going about my online banking business, looking for my id and password (both of which are safely tucked away) poses no problem at all.
As I said, I then enter my credentials with the help of onboard.

I was just interested in the hypothetical question whether or not a potential keylogger would be able to access the contents of the clipboard.
Sorry if I triggered an “unnecessary” discussion. Didn´t want to waste your time. :neutral_face: :bowing_man:

@Tech_JA :

Thanks for the suggestion, Jorge. I already took care of that. :wink:

BTW:
I use KeePassXC as well for managing my passwords. Seems good enough for me.

@callpaul.eu :

No, I haven´t.
I never even knew such a thing existed. :wink:
But it´s good of you to share your experience with it. Thanks a lot.

@nevj :

Thanks so much, Neville, for sleeping on it.
But please don´t sacrifice your sleep on my behalf. I´m almost feeling bad about it. :pensive:

O.K., you came up with a good plan for doing online banking safely.

Although powering up a VM for this purpose only might seem a bit drastic, it´s doable.
Using Alpine for that matter might be just the right thing to do.

I see. I have to admit I wouldn´t have thought of that. That´s a good idea. :+1:

Right. Whenever using a VM I already run it in firejail as per default. I made it a habit of doing it this way.

Yes, that´s certainly the right thing to do. A dedicated VM for online banking exclusively. It´s hard to beat that one.

Your approach is certainly worth looking into, Neville. Thanks a lot. :heart:

BTW:

I was flirting with the idea of trying out Alpine in the past but I’ve never been able to bring myself to tackle the task.
Might look into it now.

@daniel.m.tripp :

According to ubuntuusers wiki:

User names and passwords can be copied to the clipboard for further use. Depending on the security setting, these are deleted from this after a short time.

(translation via “TranslateLocally for Firefox” add-on)

I´m not sure whether the clipman history will be affected though.

Thanks for your comments, Dan.

@pdecker :

Thanks for your assessment of the matter.

@ all:

Once again: thank you very much for this great input of yours. It´s highly appreciated. :heart:

Many greetings from Rosika :slightly_smiling_face:

4 Likes

Think it's a great topic and made us all think about security and information theft, which is a hot subject given the numbers of hospitals, government bodies etc. who are subject to cyber crime.

4 Likes

If it was unnecessary no one would have participated.
It’s an interesting question, that’s why the many replies :wink:
And it definitely was not a wasted time.
I could have read the news instead, now that would have been a waste of time :laughing:

6 Likes

My sentiment exactly.
@Rosika always starts interesting topics.

5 Likes

Rosika,
I just did a test with my KeePassXC.
I have the settings to clear the clipboard after 10s, but the password is visible during that time - I did the paste in an editor and the password is completely visible, in normal text. However, I use an add-on in Firefox, called KeePassXC-Browser, I have no idea if it’s safe or not, but I don’t use critical passwords either, but this add-on is connected to the KeePassXC database.

I think that when you fill in the user and password credentials with this add-on, it should use a different method than use the clipboard to copy the password. It’s a matter of exploring whether it’s safer for you or not (it’s like the Bitwarden add-on).

EDIT:
I have this information in the add-on settings:

[Image: screenshot of the add-on settings]

KeePassXC: Getting Started Guide:

Jorge

5 Likes

Hi all, :wave:

@callpaul.eu @kovacslt @nevj :

thank you so much for your kind words. :heart:
I´m feeling very honoured by your appreciation.

That´s very true indeed. This topic unfortunately has become hotter than ever.

Oh dear. Sorry to hear that, László.
Well, I guess the news is not very funny at the moment. Sad state of affairs.

Thank you so much, Neville.
But, to tell the truth, the topics you and the other members of the forum start are certainly more interesting and are much more profound. :+1:

@Tech_JA :

Thanks a lot, Jorge. :heart:

I looked at my settings, too. It´s exactly the same with me as well. Those 10 s seem to be the default value (which can be changed in the settings of course).

But it doesn´t seem to work this way.
It´s been some minutes now since I copied a password and it´s still there in the clipboard.
clipman also seems to hold it.

Interesting idea.

So installing the KeePassXC Browser Extension is necessary then.
Well, that excludes this variant for me. Because for online banking I invariably make use of the firejail sandbox (see above).

As already mentioned the command I use is

firejail --private --dns=1.1.1.1 --dns=9.9.9.9 firefox -no-remote

It´s like having a browser freshly installed and with no other site than your banking site accessed before…
… which means I´d have to install the KeePassXC Browser Extension every time I do my online banking business. I guess it´s less work for me to use onboard instead.

Thanks also for the link, Jorge.

It´s funny they mention

The KeePassXC-Browser extension is available on the following web browsers:
[…]
Mozilla Firefox and Tor-Browser
[…]

As far as I know it´s the Tor people themselves who advise against installing any browser extensions.
Use just those that come with the tor browser.

Thanks a lot, Jorge.

Many greetings to you all from Rosika :slightly_smiling_face:

4 Likes

Think it's important for the site and its members to create, read and reply to topics posted. If it generates interest that's great, we all get something out of it. Life is about sharing knowledge and helping each other.

Positive stuff

4 Likes

Just that I think the purpose was to keep things from breaking out. Maybe they have also addressed the reverse and it does also keep things from breaking in. But it seems a copy and paste works, so it isn’t completely isolated. The same keyboard/mouse/video works.

4 Likes

In a VM, copy/paste works internally only… unless you install spice-vdagent.
You say firefox in firejail can be copied in and out of… so the external clipboard is accessible.
What happens with a docker container? I must check. I have one with waterfox in it.

4 Likes

I was using Lastpass as my primary password manager. The reason why I liked it so much is because I was a victim of a keylogger attack and I swore I would never use the keyboard to enter passwords again and I even try to avoid CTRL+C, CTRL+V (Copy-paste). But then Lastpass had a data breach and that forced me to look for alternatives.

Then I decided to take a look into local network solutions, meaning, my passwords are stored locally on an encrypted server and can only be accessed locally (not via the internet or cloud-based like Lastpass). But it needed to meet my personal criteria of keyboardless entry and no use of the clipboard via copy-n-paste.

The solution I came across was Nextcloud running on local network, that is ONLY available via my home network and that uses a self-signed SSL certificate.

Why self-hosted?
I wanted to self-host as I want full control over the server on my local network

Why use a self-signed certificate?
If you use Nextcloud with a public domain name, you’ll need to use an SSL certificate from a 3rd party Certificate authority. I believe this will require your server to be exposed to the internet for certificate confirmation. I didn’t want to do this, so I went with a Self-Signed Certificate. It does pull up an annoying message when you try to access your Nextcloud server via https:// but that’s the only downside.

Nextcloud Passwords
Nextcloud has a module called “Nextcloud Passwords”. It stores encrypted passwords in its database. They provide Nextcloud Passwords Add-on for Firefox and Chrome that allows you to securely connect to your local Nextcloud Server to retrieve passwords.

The plugin works exactly like the Lastpass, meaning there is no need to use the clipboard. You do not need to use CTRL+C, CTRL+V. It simply populates the Username and Passwords fields from the Nextcloud Password database for the matched site you are trying to log into.

The only inconvenience with this setup is it does not work when I’m outside of my home network. However, this is by design and I see this as a security benefit as I only do online banking from home.

Does Nextcloud Passwords work on mobile/tablets?
Nextcloud has an iPhone and Android app for handling logins on Mobile devices. Once again, no need for copy + paste from a password manager. Just visit the website/app on your phone and tap+hold to pull up the “Auto-fill” menu and select fill with Nextcloud Passwords. The username and password automatically pre-fill the form.

Regarding the mobile apps, I read the docs and they say the passwords are stored in the “Secure Element” on your smartphone device. I am using a Google Pixel phone which I believe has a secure element. I believe most recent Apple devices (iPhone and iPads) have secure elements so the likelihood of a password leak is unlikely. But I’m not that technical so I can’t really verify it to be true.

Videos to help you evaluate/get started
If anyone wants to learn more about this solution, I highly recommend watching these short videos:

I recommend giving this a try for yourself.

I hope this helps someone in this community.

4 Likes

Hi @MV02 ,
Thanks Mark, that at least addresses the issue of avoiding the keyboard and clipboard. It may help someone.
What worries me is that it depends on complicated setups with NextCloud… for passwords one does not want something tricky that is likely to have glitches and deny you access.
That said, avoiding keyboard and clipboard is tricky… there are not many options.

Also, I have wondered whether one needs to avoid screen display of passwords.
Can malware hack your screen image?
I don't imagine that your solution displays the password, but some do.

Regards
Neville.

4 Likes

Can malware hack your screen image?

Simple answer is Yes.

A few years back we were trying to interface two systems, patient records and hospital theatre system to produce an operation record … details don't matter here as to why.

Only solution as no access to either record was possible was to screen read both systems and take details from both to create the new record. Data mapping would not work and creating a sql would not link the 2 systems due to security issues.

It was not easy to do, but in effect we wrote, go to position xy on screen, copy next 10 characters, go to new record and paste, repeat with new record position.

As banking systems are fixed screen positions yes it would be possible. But no idea if they are actually doing it.

5 Likes

In the last 15 years I did not see my passwords, only points, stars, and such on keypress, or even nothing if it’s about sudo.

So yes, the screen content may be stolen, even from outside of your computer,
like imagine a data-thief shooting your display with a telephoto lens.
But capturing your password that way does not seem to be possible to me.

My own biggest security paranoia on Linux (or any system) is using browser extensions.
This is my wicker wig :slight_smile:

4 Likes

Seems it would be possible if the passwords were displayed.
Some password utilities do that while you are editing… but it would not appear in a fixed screen position, so would be difficult.

3 Likes

I checked using Waterfox in a docker container.
I can copy/paste between the container and the host OS.
So, no, a docker container does not isolate clipboard from the host OS.
One may be able to with special provisions. Easier to use a VM.

3 Likes

In any case the characters are sent through the browser to the online service to login. A keylogger or clipboard reader would have access to them even if you can’t see them as they are entered into the password field

1 Like

A clipboard in a VM would be safe, but not the keyboard.
I think screen in a VM would still be accessible, if the screen could be accessed directly, but that would be tricky because position of passwd on the screen would not be fixed.

2 Likes

What I have done in the past is to use a Webapp in LinuxMint to create a Sandboxed-ish firefox install exclusively for my banking. I may have set up Firejail for it before, I don’t remember. I used the password manager KeePassXC and enabled its security settings to have access to firefox. I installed the KeePassXC web browser extension within my banking webapp. I connected the web browser extension to my KeePassXC Password database that contained my banking password. I believe this makes for a secure password transfer process to the browser, although I don’t know that for certain. This setup makes it so KeePassXC sends the login credentials directly to the banking webapp so you needn’t enter them. I also used Syncthing to synchronize my KeePassXC encrypted password databases across my devices without sharing it with 3rd parties like dropbox, google, etc. Today I have become a bit more lazy about security.

4 Likes