Hi!
I was wondering if it might be possible to create a second login type.
The way I understand it, it is possible to set up a Keepass database to use a Master Password and/or a Key File and/or a Windows User Account. You can use any one, or two, or three of the three to make up a composite key to unlock the database. If you have chosen all three for example, you need all three to open the database.
I use a long passphrase only and I have my machine backed up. There have been times where I needed to retrieve the Keepass database from the backup and I only need to remember my passphrase to access it. I sometimes copy my database to my laptop. If I used a Windows account the laptop SID would not work. If I copy a Key File, I don't think it is adding much more protection. So a long passphrase is fine for security wherever my Keepass database ends up and I really don't have to ever worry about anyone guessing it.
BUT! I have a long passphrase!
It takes a long time to type it and I usually try to type it fast and often make mistakes. It would be a lot easier to keep my long passphrase for backups and temporary copies on other machines, but use a shorter password somehow on my main machine. The shorter passphrase would never work anywhere except that one machine.
I guess that sounds like somehow creating two master passwords - one just a long passphrase and the other with a shorter password but also needing to rely on say a key file or a Windows account.
I suppose another way of looking at it would be the main password would use a key file or Windows SID, but also have a back door passphrase.
Would this be possible?
Thanks,
Bob.
You can use the KeeAutoExec plugin for this.
Create a small secondary database that is protected by a weaker password and the Windows User Account. Follow the instructions included with the KeeAutoExec plugin and make an auto-open entry in this database that will automatically open your primary database.
Since this is a multi-database configuration you will probably want to add a trigger that activates your primary database whenever you unlock your workspace. See the trigger example for Using multiple databases at the same time for a simple trigger that will do this.
Last edit: wellread1 2020-08-27
Write something in AutoHotkey / AutoIt that types most of your password if you are on a specific machine. Fire up KeePass, type the small bit you need and then invoke your script.
Save the script in the KeePass database for safe keeping.
cheers, Paul
All great suggestions. Also take a look at KeePassQuickUnlock which would give you a short password in addition to your longer password.
KeePassQuickUnlock allows you to unlock a previously opened but locked database; it does not change the way for initially opening the database.
One more option: Split your long passphrase into a short password and a keyfile on your trusted main machine
Example:
Use bszbg$T$G%bszb6sh6hHjäi2us7ns6u as your password everywhere except your main machine
Use bszbg as your password on your main machine and in addition use a keyfile with $T$G%bszb6sh6hHjäi2us7ns6u as content. Of course this keyfile should not leave your main machine
Are you saying that your example would work if your database password was actually bszbg$T$G%bszb6sh6hHjäi2us7ns6u ?
In other words, does KeePass actually concatenate the password you type with the contents of the file to get the actual password?
KeePass will concatenate if you do it correctly.
Create a test database with a simple password and test it.
cheers, Paul
This doesn't work, because KeePass concatenates the SHA-256 hash of the master password with the other components.
Best regards,
Dominik