#1774 Database wide Password duplicate checking

KeePass
open
nobody
None
5
2014-06-19
2013-08-13
spacewalker
No

With duplicate password usage being BAD (same password, multiple sites) it'd be cool if KeePass would indicate to you if you are using a duplicate password that you've already used anywhere in your KeePass database. Maybe a clone icon or something next to an entry with a duplicate password (configurable on/off of course). And when you create such a duplicate entry KP should let you know you already use that password, what other entries it's found in, and ask you to confirm that you want to really reuse that exact password.

Thanks for a good product.

Discussion

  • Paul
    2013-08-14

    There is no need, simply let KeePass generate the password for you.

    cheers, Paul

     
    • spacewalker
      2013-08-14

      While I appreciate KP's ability to generate passwords there are some sites that really need passwords I can remember (even if long and convoluted) since entering passwords in on things like someone else's computer or my only partially-smart phone or iPod Touch requires being able to remember them too.

      I did find I could export the whole database as a csv and then sort stuff in Excel, which helps. But still, it'd be a cool feature for added security to let you know if you've got a repeated username and/or password.

       
      • wellread1
        2013-08-14

        While it's not duplicate checking, you don't need to export a 2.x database file to sort it by password.

        1. Set up the display options:
          a. Unhide the passwords by selecting View>configure columns; select Password and uncheck the "hide data using asterisks" box in the lower left corner.
          b. Set whether you want to view sub-groups (View>Show Entries of Subgroups)
          c. Turn grouping on or off (View>Grouping in Entry List>ON/OFF/Automatic)
        2. Sort on the password column by clicking on the header (there are three sort orders: ascending, descending, & unsorted)
         
        Last edit: wellread1 2013-08-14
    • spacewalker
      2014-05-27

      Also, that doesn't take into account any previously existing password entries from pre-KeePass days that were manually created, sometimes with duplicates.

       
      • wellread1
        2014-05-27

        See below; both the second sentence and point 1. Dealing with pre-KeePass entries is a one-time operation.

        If finding duplicates were a frequent necessary operation I would be agreeing with you.

         
        Last edit: wellread1 2014-05-27
  • Todd W. Powers
    2014-05-27

    I think spacewalker's suggestion is valid. There are many occasions when the auto-generated KeePass password is not appropriate.

    While I appreciate wellread1's very thorough explanation of how to sort the KeePass database to locate duplicate passwords, software is supposed to make your life easier and simpler, not require you to take a bunch of manual steps to achieve your goal. Software is supposed to automate those things for you.

    A feature that notified you of duplicate passwords in your database would be beneficial to users who might not be as security conscious as they should be. Alerting them to the fact that they are entering a duplicate password would help to condition them to be more careful of the passwords they do choose to use.

    This is something that should be automated and a feature of the application, not accomplished through a convoluted set of manual processes when a user decides that they need to review their passwords.

     
  • wellread1
    2014-05-27

    The find duplicate steps are: Display All Entries, Sort by Password, Inspect. This is a combination of three often used operations. By contrast, finding duplicates should be a relatively rare operation, generally done only after importing a set of entries. My personal experience has been that I know when the password I am creating by hand is likely to be a duplicate. In that event, it is easy to determine whether one is reusing an existing password by sorting during the entry creation process.

    Finding duplicates in KeePass is the fast and easy part of eliminating duplicates, even using the sort method. Changing the passwords is the time consuming part. If you display KeePass full screen it is practical to show ~30 sorted entries per screen on a smaller screen & ~50 on a larger screen. With a sorted list it is quite quick (I estimate <<1 min/page) to find the duplicates. However changing the password will take a couple, or several minutes per site (per entry).

    While features that streamline processes are often good, I don't see much need of this feature for the following reasons:

    1. The feature is rarely needed (on import and possibly occasionally thereafter to cleanup).
    2. Finding duplicates via the sort method is not the time consuming step of the 'fix duplicates' process.
    3. The feature would add a new menu item, adding length & complexity to the menu system.

    In light of the above, I believe a plugin would be a better solution.

    Tip: When looking for duplicates use the Quality column plugin as part of the process, Sort by password then Quality. This procedure will help prioritize the work by identifying the weakest duplicates.

     
  • spacewalker
    2014-05-27

    @wellread1 - thanks for the tips on how to see all entries and sort, that will help (I didn't know or remember about removing sub groups so that always slowed me down when trying to compare passwords among my many sub-groups).

    Personally, I'd rather have this feature built-in. I would trust it more than a user-contributed plug-in.

    Thanks for the suggestion and time you took to respond. I appreciate everyone's response - and I still think a duplicate password feature would be beneficial. Just because we "can" use the built in generator doesn't mean users always will or should.

     
  • Paul
    2014-05-28

    If you want to use a self generated password, paste it into the KeePass Find box (Ctrl F, not the simple search on the toolbar) tick the Password box and press Enter. Any duplicates will be shown.

    cheers, Paul

     
  • Todd W. Powers
    2014-05-28

    I think the point here is... When creating a new entry, it would be helpful (and much more responsible) if the application warned you AUTOMATICALLY, that you're using a duplicate password.

    Although the ability already exists in the application to check or find other passwords, those steps require the user to be "trained" or be experienced, or to even CARE about checking. Too often, users simply use an application as it exists in its "default" form, without bothering to look into the application and find out how to do various things.

    Additionally, I venture to guess that a majority of KeePass users don't go much further than the default functionality in regards to password security. I would venture to guess that most users have duplicate passwords all over the place, without even giving it a second thought. Either they don't know better, or they don't care. They probably think that since they're using KeePass already, they're doing enough to keep themselves protected.

    Having KeePass check this and warn the user, would go a long way towards getting users thinking about NOT using duplicate passwords. Perhaps after they have been prompted enough times, they will start getting annoyed and start using the random password generator instead.

    The dialog box could even mention that.... "You're using a password that is already in use for the following entries... {...list...}. You should choose a unique password, or simply use the built-in password generator. Are you sure you want to use this password?"

    The dialog could even be a version of the password generator... Giving them the option of replacing the password with an automatically generated password with one-click...

     
    • spacewalker
      2014-05-29

      Todd W - you TOTALLY get what I'm saying and I think your suggestions are EXACTLY what I would like to see in the product as well.
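
The two checks discussed in this thread (a database-wide duplicate report, and a warning listing the entries that already use a candidate password) can be sketched over a CSV export as follows. This is an added example, not KeePass code or code from any poster; the column names `Account` and `Password`, the `DuplicateIndex` class and the sample rows are assumptions constructed for illustration.

```python
import csv, hashlib, hmac, io, secrets
from collections import defaultdict

# Constructed sample in the assumed export layout (not real credentials).
SAMPLE_CSV = '''"Account","Login Name","Password","Web Site","Comments"
"Forum","space","correct horse 1","https://forum.example",""
"Bank","space","Tr0ub4dor&3","https://bank.example",""
"Webmail","space@example.com","correct horse 1","https://mail.example",""
"Old shop","space","Tr0ub4dor&3","https://shop.example","pre-KeePass"
"Wiki","space","x9$Lq!v2Pz","https://wiki.example",""
"Blank","space","","https://none.example",""
'''

class DuplicateIndex:
    """Maps a keyed digest of each password to the entry titles using it."""

    def __init__(self, rows, title_col="Account", password_col="Password"):
        # Per-run random key: digests are useless outside this process and
        # the index never stores a plaintext password.
        self._key = secrets.token_bytes(32)
        self._index = defaultdict(list)
        for row in rows:
            if row[password_col]:  # entries without a password are not duplicates
                self._index[self._tag(row[password_col])].append(row[title_col])

    def _tag(self, password):
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def duplicates(self):
        """Groups of entry titles sharing one password, largest group first."""
        groups = [sorted(t) for t in self._index.values() if len(t) > 1]
        return sorted(groups, key=lambda g: (-len(g), g))

    def entries_using(self, candidate):
        """Titles already using `candidate`; an empty list means it is unique."""
        return sorted(self._index.get(self._tag(candidate), []))

def load(csv_text):
    """Parse export text into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

if __name__ == "__main__":
    idx = DuplicateIndex(load(SAMPLE_CSV))
    for group in idx.duplicates():
        print("shared password:", ", ".join(group))
    hits = idx.entries_using("Tr0ub4dor&3")
    if hits:
        print("already in use for:", ", ".join(hits))
```

The report names entries only and never echoes a password. A CSV export is unencrypted, so it should be deleted once the check is done.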