Feature Request - Security enhancement
I'm not qualified to judge security of the code, but I do know that I am personally my biggest security problem.
There are times at work when I get very busy, leave my workstation and return to find that I had left my KeePass database unlocked with an entry open.
The open entry prevents the database from auto locking. My feature request should be pretty easy to implement. Just include an option to ignore that an entry is open, or even modified, when trying to auto lock the database.
I'd much rather lose work in a single entry not saved than risk my database being looked at.
KeePass is designed so that it can be used from the main window, without opening the Add/Edit dialogs except to add or edit an entry. After making any change in a dialog you must decide to keep or discard those changes. This is not something that KeePass can do for you. When you keep changes, you need to close the dialog and save the database immediately to ensure data integrity. Since you must close the dialog to save the database, it should not be particularly difficult to adopt an editing workflow that will allow KeePass to lock the database.
As Wellread1 said, you can use KeePass without opening it. Copy and paste passwords or use autotype from the main screen, no need to open the entry hardly ever.
2 plugins could help though:
If you take notes in your KeePass and that is why the entry is open, the KPEnhancedEntryView plugin allows you to edit the notes without opening the entry. It also allows the notes to appear in a larger font so they are easier to read as well.
The KeePassQuickUnlock plugin will give you 1 try to open your locked KeePass with a password. If you get it right on the first try, you are in, else you must enter the whole password. I recommend the last 4 characters of your regular password, that way you don't need to remember another password and the last four are often harder to guess than the first 4. Anyway, this means you can set your safe locking to a very short 5 or 10 minutes (or less in a crowded workspace), and get back in quickly and easily even if you have a very long complex regular password.
Many people come here claiming this is a security flaw in KeePass, but it's more like a flaw in how people use it. If people would use KeePass the way it was intended, they wouldn't complain about this, because they wouldn't notice it in the first place.
I've been a happy user of KeePass for years, but I do have to agree with Richard that autolock is the main security issue of the program. I understand the reasons given in the "Why doesn't KeePass lock..." section of the FAQ, but I don't agree with the conclusion ("This simple concept avoids the problems above. The user is responsible for the state of the program.").
There already is an option for "Automatically save when closing/locking the database", it just doesn't work with the dialog open. Would it not be great to have the option to always autolock, and for the user to be able to choose in the settings to either autosave any changes or disregard any changes?
I, for one, would feel much safer with a database that's reliably locking even if the responsible, stupid user (that's me ;)) is leaving dialogs open. I would be very happy to take the risk of losing or overwriting changes: losing one or two entries is infinitely preferable over the risk of all my pincodes and passwords being exposed because I forgot to close a dialog again.
Anyway, just my two cents. I remain a big fan of KeePass and am grateful for all the time you guys are putting in.
This feature won't be added to KeePass. The reasons are described in the "Why doesn't KeePass lock while a sub-dialog is open?" FAQ.