From FAQ - Why doesn't KeePass lock when Windows locks and a KeePass sub-dialog is open?

joemc74
2013-09-23
2013-09-24
  • joemc74
    2013-09-23

    Having used Password Safe historically and migrating to KeePass for better mobile support, I feel like Password Safe had this problem solved beautifully. Password Safe saved all information every time you clicked "OK" in the edit entry fields. This way, if your PC crashed after successfully opening, changing, and OK-ing multiple changes, there would be no data loss. As long as a sub-window such as 'Edit Entry' is open and changes are made, I think it's clear to most people that the information hasn't been saved. Password Safe would lock after the idle period while keeping the sub-windows open. As long as you logged back in, you could pick right back up where you left off and save information that changed in the sub-window.

    Like many people, I end up having to give out some of my PC passwords to family members and such. My wife wouldn't be too happy if I had to be there every time to unlock my PC or tablet. I think most people give out their PC passwords to a very small set of people. On the other hand, I trust no one with my KeePass master password.

    I wish KeePass could provide this type of secure functionality that Password Safe was providing years ago.

     
  • wellread1
    2013-09-23

    I detect concerns on three different issues:

    1. You want to keep your KeePass database in a constantly saved state.
      Create a trigger as follows:
      EVENT: User interface state updated
      CONDITIONS: Active database has unsaved changes
      ACTIONS: Save active database
    2. You read the FAQ but the fact that KeePass doesn't lock when a KeePass sub-dialog is open still bothers you.
      This won't change, so your best bet is to adopt usage habits that don't put you in the position of having sub-dialogs open routinely.
    3. It is not convenient to share a subset of passwords.
      KeePass 2.x can open multiple databases in the same workspace. If you have a set of shared passwords you can keep them in a separate database and provide that database, with a different Master Key, to your trusted colleagues.
      Tip: Install the KeeAutoExec plugin to help manage multiple databases and create a trigger that activates the main database upon workspace locking so that the same main database always has the focus when the workspace is unlocked.
      Tip: If appropriate, use cloud storage and KeePass 2.x database sync triggers to keep your colleague's sub database up-to-date.
     
  • joemc74
    2013-09-23

    Actually, the main concern is number 2. I was simply trying to explain how the Password Safe product handled this, and am confused as to why this is such a non-starter. This seems like it will be an increasingly required feature as Windows-based tablets come along, and Windows 8 metro/modern apps can keep the desktop out of view. Anyone with a password safe is going to want that software running on all their machines (phone/tablet/PC), and I've never met anyone that has a complicated password on a tablet or phone.

    I guess in the FAQ, 3 options are written. I'm interested as to why it's not possible to have a 4th option that says "Lock the database, do not save uncommitted changes, but preserve the state of the recent entry and resume this entry if/when the database is unlocked." It seems as if this single entry's worth of unsaved/cached data could be retained in memory under the locked instance of KeePass.

    I'm sure it's complicated to program, but I imagine I fall with other users that are frustrated with this behavior. Hence the reason it's the most detailed section in the FAQ. Every time I find KeePass unlocked it really freaks me out. The combined entries in my KeePass probably account for multiple identities and all my financial assets. When considering this - I'd much rather lose changes on an uncommitted entry and have the rest of the information safely locked rather than leaving it wide open. At least give that option if you're not going to lock the application allowing a resume where the user left off.

    If this absolutely is never going to happen, then please just say so and I'll probably switch back to Password Safe. It just seems like a major security hole that should be addressed in some way.

     
  • wellread1
    2013-09-23

  • AlexVallat
    2013-09-24

    Use KPEnhancedEntryView and you can view and edit your entries without opening a sub-dialog :-)