Hm, this set me wondering how much risk there is passing the passwords through the copy-paste mechanism itself. Probably not terribly much more than passing through the keyboard and IO subsystems, though. Still, I know with X selection buffers, when data is requested the application it's requested from can run arbitrary code to generate (or check!) it and is passed the window-id requesting[0]. It seems like a password manager could make use of this to implement an ACL and lock things down tighter - do any do this?

[0]: http://tronche.com/gui/x/icccm/sec-2.html#s-2.4