
secured/hide passwords during browsing

ludovit8
2015-03-11
2015-03-15
  • ludovit8

    ludovit8 - 2015-03-11

    Hi.
    LastPass works in such a way that during browsing you can use or store passwords, but nobody can look in the LastPass database and click "visible" on every stored password. You have to use the master pass to get to the database.

    But with KeePass, if I am using it correctly, after I run the KeePass app so I can browse websites with Chrome and the KP add-on, everybody can look in the whole database. (I can go out for a copy and anyone can even make an export!!)

    So my question is, how should I set up Chrome, or the KP add-on in Chrome, so it can use my database for browsing but nobody can look in the whole database without entering the master pass.

    ??

    thx for answer

     
  • Horst

    Horst - 2015-03-11

    Simple answer, you can't.
    But if you set the appropriate lock workspace options
    the database will most of the time be locked and can't be browsed
    without entering the Master password.

     
  • Paul

    Paul - 2015-03-11

    Set KeePass to lock after 5 minutes.
    Set KeePass to lock on Windows lock and lock Windows when you leave your PC.

    cheers, Paul
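
The lock settings Horst and Paul describe can be checked in the configuration file. This is an added example, not part of any post in this thread and not KeePass code: it audits a configuration for the idle lock and the lock-on-Windows-lock option. It assumes the KeePass 2.x `KeePass.config.xml` layout (`Security/WorkspaceLocking` with `LockAfterTime` in seconds and `LockOnSessionSwitch`) and that a missing element means the option is off; the function name is hypothetical and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not taken from the thread. Element names are an
# assumption about the KeePass 2.x KeePass.config.xml layout.
SAMPLE_WEAK = """<Configuration>
  <Security>
    <WorkspaceLocking>
      <LockOnSessionSwitch>false</LockOnSessionSwitch>
      <LockAfterTime>0</LockAfterTime>
    </WorkspaceLocking>
  </Security>
</Configuration>"""

SAMPLE_HARDENED = """<Configuration>
  <Security>
    <WorkspaceLocking>
      <LockOnSessionSwitch>true</LockOnSessionSwitch>
      <LockAfterTime>300</LockAfterTime>
    </WorkspaceLocking>
  </Security>
</Configuration>"""

MAX_IDLE_SECONDS = 300  # "lock after 5 minutes", as suggested in the thread


def audit_lock_settings(config_xml, max_idle=MAX_IDLE_SECONDS):
    """Return a list of findings; an empty list means both locks are set."""
    root = ET.fromstring(config_xml)
    locking = root.find("./Security/WorkspaceLocking")

    def text(tag):
        # Missing section or element is treated as "option not set".
        node = locking.find(tag) if locking is not None else None
        return (node.text or "").strip() if node is not None else ""

    findings = []
    raw = text("LockAfterTime")
    idle = int(raw) if raw.isdigit() else 0
    if idle == 0:
        findings.append("idle lock disabled (LockAfterTime missing or 0)")
    elif idle > max_idle:
        findings.append(f"idle lock is {idle}s, longer than {max_idle}s")
    if text("LockOnSessionSwitch").lower() != "true":
        findings.append("database stays open when Windows is locked "
                        "(LockOnSessionSwitch not true)")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_lock_settings(xml) or "OK")
```
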

     
  • ludovit8

    ludovit8 - 2015-03-12

    ok, but then I need to enable "fast opening" like in KeePass on Android. Putting 3 characters of pass (fast opening) is easy, but writing every 5 minutes my very long pass is really enjoying :-).

     
  • wellread1

    wellread1 - 2015-03-12

    Weak (fast opening) passwords are a lousy solution. Instead optimize the strength of your master password (which is different than making the password ridiculously strong). The password strength Wikipedia article is helpful guidance.

     
  • pabouk

    pabouk - 2015-03-13

    This approach of LastPass is not very secure. When LastPass allows you to use stored passwords it must have a key for decryption of them in the memory. This means that it is possible to get the passwords even if the user interface of LastPass seems to not allow it.

    Possible ways:

    1. A malware can find the key in the memory and decrypt the passwords.
    2. A skilled user can misuse the software to get the passwords by tricking it to write the password into a different web page or into notepad...
     

    Last edit: pabouk 2015-03-13
  • ludovit8

    ludovit8 - 2015-03-13

    @pabouk: LastPass is taking the pass from the cloud I suppose and the cloud is encrypted but yes, it has to have some link to the cloud and this can be abused by malware. But I am not so worried about malware, I am more worried about colleagues around my PC :-)

    @wellread1: Fast opening for KeePass on Android has settings, so I can make my own rules. It is all about how to use KeePass very fast and securely too. I can imagine that my rules for blocking fast opening will be 1 hour or Windows user account block. So if I am at my PC, or just a few meters from it, I can use just 3 characters for fast opening; there is very little security risk but it is very comfortable. But if I am out and the Windows user account is blocked, or if just the time without working passes, the database will cancel fast opening.

    I have a question for you: do you all have KeePass open all day? What if you are going out to make a coffee, to take a paper from the printer, to say hello to a nice colleague? Are you always closing KP and then putting in your long and hard master password again and again, or are you just leaving KeePass open all the time :-) ?

     
  • wellread1

    wellread1 - 2015-03-13

    The question you are posing is:

    "Should KeePass implement a working mode that is much less secure than a locked database, but slightly more convenient to open than opening a locked database?"

    It seems to me that the case for adding a working mode that is only slightly more secure than an open database, and only slightly more convenient to open, is very weak.

    Consider that it is relatively easy to create a 16-20 character password that is very secure (see Wikipedia password strength) and that a user of average typing competency should be able to enter a 16-20 character password in 3 to 8 seconds using a keyboard. The case may be stronger for mobile platforms with awkward keyboards.

    I have a question for you: do you all have KeePass open all day? What if you are going out to make a coffee, to take a paper from the printer, to say hello to a nice colleague? Are you always closing KP and then putting in your long and hard master password again and again, or are you just leaving KeePass open all the time :-) ?

    If you are using the database on a secure PC you can use the KeeAutoExec plugin to simplify database unlocking.

     

    Last edit: wellread1 2015-03-13
  • T. Bug Reporter

    T. Bug Reporter - 2015-03-14

    I would very much like to have access to my passwords from, say, Dropbox, but I haven't yet found a way of doing so that wouldn't also compromise my more standard access methods. The password I use on my main database can be difficult or impossible to enter on certain devices, and so for me, the convenience of increased access is outweighed by the less secure master password that would be required.

     
  • Paul

    Paul - 2015-03-14

    There are a number of ways to enter a difficult password relatively easily that do not require KeePass modification.

    1. KeeAutoExec
    2. Command line via "-pw:"
    3. Command line via "-pw-enc"
    4. 3rd party key strokes, e.g. AutoIt

    I'm sure you can imagine other methods.

    cheers, Paul

     
    • T. Bug Reporter

      T. Bug Reporter - 2015-03-14

      Just to be clear:
      I wasn't lobbying for any sort of change to KeePass in my previous post - I was only commenting that I haven't yet hit upon a balance of security and convenience that would allow me to access my KeePass database remotely yet still feel confident in its security. (I'm experimenting with KeeAutoExec now.)

      For me, it's more important to know that there's no possibility of the Bad Guys getting my passwords than it is to have access to the definitive list of them when I'm away from my own devices.

       

      Last edit: T. Bug Reporter 2015-03-14
  • ludovit8

    ludovit8 - 2015-03-15

    I changed to PasswordBox today, no matter if it has less security, but it has more comfort. I will not use it for banks or so...just "unimportant" websites which I am logging in to daily... KeePass is good, but high security has low comfort and I need comfort. thx for answers, maybe I will use it later.

    Anyway, the authors of KP made very nice progress from the last time I used KP, it was a couple of years ago...

     
