A new major problem pasting passwords
A lightweight and easy-to-use password manager
Brought to you by:
dreichl
Menu
▾
▴
This is becoming serious problem for me, as I really like KeePass and use strong passwords everywhere. One by one, websites are starting to block pasting passwords. I can't imagine why they are doing this because it encourages people to use weak passwords, I'm certainly not going to TYPE a 20 character strong password. So... Obviously this is not KeePass's fault, but it sure affects us. We need a new strategy. Perhaps injecting keystrokes directly without pasting will get past them?
I went to change my Ebay password this morning and was stopped by this. And of course there is no way to contact them and they wouldn't care anyway. I can see onPaste="return false" right in their page, they are doing it intentionally.
This is my 4th account this week that I can no longer use KeePass with.
Discuss!
I have found that some sites don't allow CTRL-V but I haven't found one that refuses both CTRL V and right click the choose paste.
Using Auto-Type KeePass does not paste anything, it types the characters !
Set-up the correct Auto type entries and it works.
I can use Keepass on all web sites and also on Ebay with no problem at all.
Try KeePass auto-type; either global auto-type or Perform auto-type.
With respect to the particular problem you experienced: I changed my ebay password yesterday (US site). I don't recall encountering a problem and I usually change passwords manually using copy paste. I also just tested ebay login using both Copy Paste, and auto-type. Both methods worked fine for me.
I just changed my webay password (what sort of crap security do they have where they encourage you to use strong passwords but don't say what the maximum length is - seems to be about 20?) and couldn't paste. I duplicated the entry with the new password and then changed the Auto-Type to {PASSWORD}{TAB}{PASSWORD}. Then I could Auto-Type the password.
Let's face it, website authors have no idea about security!!!!
cheers, Paul
Even worse, ebay designed a password reset procedure that only requires access to a user's email account. If an attacker gets control of any email account they can check if there is an associated ebay account and change the password without knowing the old password. The ebay reset message helpfully provides the ebay username.
Apparently I changed my password before these security upgrades.
Disregard, I had a lapse, this is the same procedure many vendors use. The take home message is protect your email account.
Last edit: wellread1 2014-05-23
I think, the thread producer did not only mean the auto type with the login.
That is working fine with keepass
I had the same problem with paypal today.
They allow you to paste the old password, but don't allow you to paste the new and the retyped new password.
I ended up making a change to the auto type of the paypal entry to only auto type the password. So I could auto type, which uses character insertion.
What I was really missing at this time was an option (in the right click/edit menu) to just auto type user name or password as single entries, not the global standard "username, tab, password, enter"
An additional context menu item of "Auto-Type password" would probably fix this problem.
cheers, Paul
I think you are right. Also, entering a password only, is useful and probably the second most common keystoke sequence. Adding this feature would significantly augment the Perform auto-type capability.
Since the key stroke sequence would naturally have a Workspace scope rather than a database or entry level scope, the sequence could be user defined and saved in keepass.config.xml.
Some further thoughts: Since the Workspace would be a new source of keystroke sequences the feature might entail a significant modification to KeePass. Additionally the mismatch between placeholder scope and a keystroke sequence defined with a Workspace scope could be a problem, though I believe a similar mismatch exists in Triggers. Finally, an unintended consequence, not necessarily undesirable, might be to create demand for additional hot-keys.
I don't think you need to define a sequence, just Auto-Type the password. It's then up to the user what they do next.
cheers, Paul
Steve, please post at the end of the thread. Makes it easier to follow.
cheers, Paul
I've run into the same idiotic mis-feature with Paypal and some credit card sites.
An "autotype password" option in KeePass would get around this bit of idiocy quite handily. Please consider implementing this feature soon. Hotkey or menu option from the GUI, whichever or both.
A feature request that you can vote for has been filed at https://sourceforge.net/p/keepass/feature-requests/1890/.
Tim, here's the solution I use which was discussed here: https://sourceforge.net/p/keepass/discussion/329220/thread/deccac80/
Add a completely new Title and just make the auto-type sequence to {PASSWORD}{ENTER} on the second title. Then when the hotkey is entered keepass would ask you to select either the full username & password or password only entry. Easy with 1 click of the mouse. Title #1 could be "PayPal" for example and Title #2 could be "PayPal - p/w only".
@Glenn: thanks, that is a workable workaround. I'd rather have a "autotype password" option. That seems a cleaner solution going forward.
If it's any help, WebAutoType can be configured to automatically skip the username when it detects that you are auto-typing into a password box.
Not sure if this advances the discussion any, but last night I came across a website that wouldn't allow copy-and-paste of the password from KeePass to log in, but would allow drag-and-drop.
How do these mechanisms actually differ and should they give different results?
You can use javascript to prevent pasting into a browser, but not to prevent drag n drop - you can also Auto-Type into such pages. Both give the same result, with DnD not using the clipboard - I prefer DnD both for the lack of clipboard and for the ease of use, you can DnD without having to swap back and for between windows.
cheers, Paul
Just passing the word to anyone who might still be monitoring this thread...
This post by T. Bug Reporter explains how to enable additional auto-type context menu options that are disabled by default. (shown below)
Thanks for that... been using KeePass for years and overlooked that option!
Setting multiple entrys for the same login is some kind of workaround, yes, but very inconvenient. Not digging through windows and not being forced to do multiple clicks is what makes the regular autotype such a beauty.
So I would also like to see an option to bind another hotkey which auto-typesonly the password . Things got worse recently, because I need to enter TOTP codes separately now as well, which yields the same difficulties as pasting a single password. Have a nice day everyone! o)
The global auto-type hot key is quite flexible (default hot key Cltr+Alt+A). Define custom auto-type sequences in the same entry for each scenario (e.g. username/password, password only, TOTP). Depending on the webpage window title global auto-type will behave in one of two ways.
If the webpage window title is unique, e.g., the webpage title is different for TOTP input from the page title for username/password input, then global auto-type will type only the matching auto-type sequence
If the webpage window title is not unique, e.g., the webpage title is same for TOTP input as the page title for username/password input, then global auto-type will display the Auto-Type Entry selection dialog that will send the correct keystroke sequence after a mouse click.
Last edit: wellread1 2018-05-18