SnipTray logo

How Clipboard Managers Handle Passwords (and How SnipTray Does It)

A clipboard manager sees every password you copy unless it knows to skip it. Here is exactly how the well-designed ones avoid recording passwords, 2FA codes, and credit-card numbers.

8 min read · by SnipTray Team

When you copy a password from your password manager — 1Password, Bitwarden, KeePassXC, Apple Passwords — it lands on the system clipboard like anything else. Any app that reads the clipboard while it is in the foreground can grab it. A clipboard manager, which polls the clipboard in the background on macOS, would naturally record it next to your last screenshot and that Slack permalink unless it specifically knows not to.

This guide is the technical-honest answer to how clipboard managers handle passwords: what the well-designed ones do, what to check before you install any clipboard manager, and the specific defaults SnipTray ships with. For the broader safety case, see Are clipboard managers safe?.

The short answer

A well-designed clipboard manager does all of the following to avoid recording sensitive content:

  1. Honors the org.nspasteboard.ConcealedType flag — the convention password managers use to mark a clip as “do not record”.
  2. Auto-detects passwords, 2FA codes, and credit-card numbers by shape and skips them.
  3. Ships with an app exclusion list pre-populated with the major password managers (1Password, Bitwarden, KeePassXC, Apple Passwords, Authy).
  4. Lets you exclude any other app you want in two clicks.
  5. Offers auto-clear of the entire clipboard manager history after a configurable interval.

If your clipboard manager is missing any of these — especially #1 and #3 — you have a risk that grows every day you use it.

1. The org.nspasteboard.ConcealedType convention

The macOS pasteboard supports arbitrary metadata “types” alongside the actual content. The community-driven convention is that any app putting sensitive content on the clipboard sets a type called org.nspasteboard.ConcealedType on the item, signaling to all clipboard managers and clip-watchers: “do not record this”.

Most modern password managers do this:

  • 1Password — yes, by default for all copy operations.
  • Bitwarden — yes, for password and TOTP copies.
  • Apple Passwords (built-in macOS) — yes.
  • KeePassXC — yes, with an option to disable.
  • Authy / Google Authenticator — yes, for TOTP codes.

A well-designed clipboard manager checks for this flag on every clip and silently discards anything marked. SnipTray does this by default.

The catch: not every app sets the flag. Older apps, smaller utilities, and some web-based password tools (when you copy from the browser) may not. That is why the next layer matters.

2. Auto-detection by shape

Even when an app does not flag a copy as concealed, a good clipboard manager can recognize sensitive content by what it looks like and skip it:

  • Passwords — strings that match common password patterns (mixed case + digits + symbols, lengths typical of generated passwords). Recognition is heuristic and not perfect; the goal is to skip likely passwords, not catch every one.
  • 2FA codes — short numeric strings (6 or 8 digits) without context, in a typical TOTP shape.
  • Credit-card numbers — strings that pass the Luhn checksum, with the digit length of a real card.
  • SSH private keys — text blocks starting with -----BEGIN OPENSSH PRIVATE KEY----- (or similar PEM-style headers).
  • JWT tokens — three base64 segments separated by dots, of the right length, with the expected eyJ prefix.

SnipTray runs every clip through these checks and skips matches by default. You can see what was skipped in the privacy log if you want to audit, but the items themselves are never written to the database.

The catch: shape-based detection can miss things (a weak password that looks like a normal word) and can have false positives (an item that looks like a credit card but is not). The combination of shape detection + the concealed-type flag + the app exclusion list gets coverage close to 100% in practice.

3. App exclusion lists (pre-populated by default)

The strongest single defense: never record anything copied from a specific app, regardless of content.

If 1Password is on the exclusion list, anything you copy while 1Password is the foreground app gets dropped immediately. The clipboard manager never sees the content — it only sees the source app’s bundle identifier, decides to skip, and moves on.

SnipTray ships with the following apps on the exclusion list by default:

  • 1Password
  • Bitwarden (desktop + browser extension)
  • KeePassXC
  • Apple Passwords
  • Authy
  • Google Authenticator (when used via desktop companion)
  • macOS Keychain Access

You can add any other app in two clicks — your bank’s app, an internal tool, a corporate VPN, anything.

The trade-off: if you exclude an app, you lose history for everything copied from that app, not just sensitive content. For password managers that is exactly what you want; for general productivity apps it would be too aggressive.

For the broader safety checklist, see Are clipboard managers safe?.

4. Per-item delete-and-exclude

Sometimes you copy something sensitive from an app that is not on the exclusion list (an internal admin tool, for example). A well-designed clipboard manager lets you:

  1. See the item in history (briefly), then
  2. Right-click → Delete and Exclude Similar.

That option removes the item, and adds the source app to your exclusion list going forward so it does not happen again. SnipTray supports this; most other clipboard managers require manual app exclusion through preferences.

5. Auto-clear (defense in depth)

Even with everything above, the safest assumption is that something might slip through. Auto-clear is the last line of defense: configure your clipboard manager to wipe everything older than a chosen interval.

SnipTray’s options: 1 hour, 1 day, 1 week, or never. For most users, “never” is fine because the other defenses are doing the work. For high-security environments (handling financial data, customer PII), “1 day” is a sensible default.

What happens if your clipboard manager does not do these things?

Concrete failure modes:

  • No org.nspasteboard.ConcealedType check. Every password copied from 1Password, Bitwarden, Apple Passwords, etc. ends up in your clipboard history — visible to anyone who unlocks your Mac and presses the clipboard hotkey.
  • No auto-detection by shape. Manually-copied passwords, 2FA codes you typed into a chat to forward, credit-card numbers copied from a PDF — all recorded.
  • No app exclusion list, or no pre-populated defaults. Anything not pre-flagged gets through. New users do not know to configure exclusions before their first password copy.
  • No auto-clear. Anything that did get recorded sits there until you find it.

If you are evaluating clipboard managers, check each of these explicitly before installing. Most apps mention some subset of these in marketing copy; the question is which are on by default versus buried in settings.

How SnipTray scores against each layer

For transparency:

  1. org.nspasteboard.ConcealedType flag. Honored. Items marked concealed are silently discarded.
  2. Shape-based auto-detection. On by default for passwords (heuristic), 2FA codes, credit-card numbers (Luhn check), SSH private keys, JWT tokens.
  3. App exclusion list. Pre-populated with the major password managers and Authenticator apps. Editable to add any other app.
  4. Per-item delete-and-exclude. Right-click in tray → Delete and Exclude Similar.
  5. Auto-clear. Configurable: 1 hour, 1 day, 1 week, or never. Off by default (so existing history is preserved) but a single click to enable.

Plus the broader posture: zero analytics, zero telemetry, no SnipTray servers in the data path. Sync goes through your private iCloud (CloudKit) container, encrypted with keys tied to your Apple ID — see Clipboard managers with iCloud sync, compared.

For the broader privacy posture, see the features → privacy section and our writeup on whether clipboard managers are safe in general.

Other apps’ approaches

Briefly, for context, how a few other popular clipboard managers handle this:

  • Paste. Honors concealed flag, supports app exclusion, but ships with fewer apps pre-excluded. Shape detection is more limited.
  • Pastebot. Honors concealed flag, supports app exclusion, no Luhn-check on credit cards.
  • Maccy. Honors concealed flag, supports app exclusion, no shape-based auto-detection.
  • Raycast’s clipboard. Honors concealed flag, supports app exclusion, syncs through Raycast’s cloud (not iCloud) which adds another link in the chain.
  • CopyClip / Flycut / Clipy. Vary widely. Check the specific version’s docs before relying on it for anything sensitive.

For the head-to-head comparisons, see Paste vs SnipTray, Maccy vs SnipTray, Pastebot vs SnipTray, Raycast clipboard vs SnipTray, and Alfred clipboard vs SnipTray.

Frequently asked questions

Can I trust a clipboard manager to never record my passwords?

With the right defaults, very close to it. The combination of concealed-flag, shape-detection, and an app exclusion list catches the vast majority. The safest pattern is to copy passwords only from your password manager (which sets the concealed flag) and never paste passwords into apps that put them on the clipboard.

What about Touch ID / Face ID auto-fill — does that touch the clipboard?

No. Auto-fill bypasses the clipboard entirely and types directly into the field. That is one of the reasons modern password managers push it so hard — it is meaningfully safer than copy-paste.

How do I check if my clipboard manager is recording my passwords?

Open the clipboard manager’s history and look. If items copied from your password manager appear there, the app is not honoring the concealed flag and/or your password manager is not setting it. Stop using whichever component is failing.

What if I copied a password before realizing my clipboard manager was recording it?

Immediately: (1) clear that item from history; (2) add the source app to your exclusion list; (3) consider rotating the password if it was a high-value one. See How to clear clipboard on Mac, iPhone, and iPad.

Does this matter on iPhone too?

iOS has a stricter model — apps cannot poll the clipboard in the background. The exposure is much smaller. The flag is still honored on iOS, and the app exclusion list on Mac applies to anything synced over to iOS too. See What apps can read your clipboard on iOS.

Is open source safer for this?

Sometimes — auditable code is genuinely valuable. But strong defaults matter more than open-vs-closed source. Many popular open-source clipboard managers configure most of their protections off by default. SnipTray is closed source but configures the strongest defaults on by default. See Maccy vs SnipTray for the open-source-specific comparison.

The bottom line

A clipboard manager that handles passwords correctly does so through layered defense: honor the concealed flag, auto-detect by shape, pre-populate an exclusion list, allow per-item delete-and-exclude, and offer auto-clear. SnipTray ships every layer on by default — you do not have to remember to configure any of it.

If you have ever been quietly nervous about a clipboard manager seeing things it should not, give SnipTray a try — and if you switch away, take this checklist with you.

Try SnipTray for free

The smart clipboard manager for Mac, iPhone, and iPad. Free forever for one Mac. Pro from $2.99/mo or $24.99/year.

All posts →