
Important Security Features missing - Windows Capture Disablement & Stack Protection

2024-04-25
2024-05-05
  • OpenSource Ghost

    KeePass is really awesome, but I think it is missing a few good security features:
    - "Screen Capture Block / Windows Capture Disablement" to prevent KeePass from showing up in screenshots. It is a common feature in 3rd party sandbox applications, such as Kaspersky Sandbox and Sandboxie (where Screen Capture Block can be enabled with "BlockScreenCapture=y" parameter). I think KeePass should include such a feature natively without any need for users to run KeePass from within sandboxes. This feature is also known as "Streamer Mode" in programs such as System Informer.
    - "Stack Protection" flag for KeePass.exe image to make KeePass fully compatible with Kernel-Mode Hardware-Enforced Stack Protection.
    - Other security mitigation flags (DEP, Bottom-Up ASLR, High Entropy ASLR, Strict Handle Checks, Extension Point disablement, Heap Termination on Corruption, Control Flow Guard, Non-System Font blockage, Remote Loads disablement, and Low Integrity Mode disablement) can be forced upon KeePass.exe via IFEO (Image File Execution Options) in Windows OS, but there is no reason for KeePass.exe to not be compiled with those flags already enabled.

    Also, it would be good to have a Random MAC Generation algorithm that generates only unicast addresses, because multicast addresses are not always accepted.

  • Dominik Reichl

    Dominik Reichl - 2024-04-26

    KeePass has an option for protecting its windows against certain screen capture operations since version 2.46 (released in 2020). See 'Configuration/Security/PreventScreenCapture' here:
    https://keepass.info/help/v2_dev/customize.html#opt

    Up to now, it was necessary to edit the configuration file manually in order to activate the option, because it may also prevent legitimate other software (accessibility-related tools like Windows Magnifier, remote desktop solutions, etc.) from seeing KeePass windows. However, I also noticed that more and more applications (including password managers) are adding support for preventing screen captures, thus I've already added an option in the GUI (menu 'Tools' → 'Options' → tab 'Security') for the next KeePass release. When trying to activate the option, KeePass shows a confirmation dialog, in which the potential problems are mentioned.

    Your MAC address idea is great. I've now changed the 'MAC Address' password generator profile such that it always generates a unicast, locally administered MAC address in the SLAP administratively assigned quadrant.

    Here's the latest development snapshot, if you want to test it:
    https://keepass.info/filepool/KeePass_240426.zip

    DEP and ASLR are already enabled/used. I'll have a look at the other flags/mitigations again, but there might be reasons why Microsoft doesn't enable them by default (e.g. compatibility)...

    Thanks and best regards,
    Dominik
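The unicast, locally administered, AAI-quadrant generation described above, as an added Python example (not KeePass's own code; the SLAP first-octet layout below follows IEEE 802c and is stated here as an assumption, not taken from the thread):

```python
import secrets

# First octet of a MAC address (IEEE 802c SLAP, assumed layout):
#   bit 0 (0x01) M = multicast (0 -> unicast)
#   bit 1 (0x02) X = locally administered (1 -> local)
#   bits 2-3 (0x04, 0x08) Y/Z select the SLAP quadrant for local addresses.
M_BIT, X_BIT = 0x01, 0x02
# Quadrant keyed by (first_octet & 0x0E), valid only when X is set.
SLAP_QUADRANTS = {0x02: "AAI", 0x06: "Reserved", 0x0A: "ELI", 0x0E: "SAI"}


def classify_mac(mac: str) -> dict:
    """Parse 'AA:BB:CC:DD:EE:FF' and report unicast / local / SLAP quadrant."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    first = octets[0]
    local = bool(first & X_BIT)
    return {
        "unicast": not (first & M_BIT),
        "locally_administered": local,
        # Universally administered addresses have no SLAP quadrant.
        "quadrant": SLAP_QUADRANTS[first & 0x0E] if local else None,
    }


def generate_aai_unicast_mac() -> str:
    """Random MAC that is unicast, locally administered and in the AAI quadrant."""
    octets = bytearray(secrets.token_bytes(6))
    # Keep the random high nibble, force the low nibble to 0010:
    # M=0 (unicast), X=1 (local), Y=0, Z=0 (AAI).
    octets[0] = (octets[0] & 0xF0) | X_BIT
    return ":".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    mac = generate_aai_unicast_mac()
    print(mac, classify_mac(mac))
```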

  • OpenSource Ghost

    Thank you for such a quick response! The latest development snapshot works really well! Stack Protection (compiling with the CET flag) can be tricky, especially for .NET Framework software, but it's protection that goes a long way now that kernel memory attacks are becoming more frequent. I think this is a good explanation of what it does: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815

    Many thanks for your hard work!

  • Zamar Acadia

    Zamar Acadia - 2024-04-29

    Blocking screenshots of open KeePass windows is a must-have option. Many sites don't allow auto-entering all credentials by Ctrl+V, so folks often leave an open KeePass window with the password shown in clear while going back and forth between apps to copy-paste credentials, and spyware can routinely take screenshots at that time.


    Last edit: Zamar Acadia 2024-04-29
  • Paul

    Paul - 2024-04-30

    Taking screenshots is safe if you keep your passwords hidden behind asterisks.

    cheers, Paul

  • Zamar Acadia

    Zamar Acadia - 2024-04-30

    I tried to copy a hidden password, but the app says "Not allowed". Only clear passwords could I copy from the password field. More importantly, as the Password DB grows, folks inevitably leave notes related to each account, including website control login questions, certain dates, card numbers and other confidential data, considering KeePass to be a convenient one-place DB to keep all relevant account info. The Notes are in clear, so taking screenshots by spyware or an outside camera has never been safe and has always represented a major concern for me.

  • Paul

    Paul - 2024-04-30

    Don't use Notes for sensitive information. Create a custom field and enter the information there.

    Then use the KeePassEnhancedEntry plug-in to view / use all custom fields.

    cheers, Paul

  • T. Bug Reporter

    T. Bug Reporter - 2024-05-04

    KPEEV isn't needed for copying passwords, as long as you have a password column in the main database view. It doesn't have to be very big (especially because it'll only be showing asterisks), just big enough to right-click on it... You may find this more convenient than opening the edit window just to copy (risking accidental changes to the record).


    Last edit: T. Bug Reporter 2024-05-04
  • Bruce

    Bruce - 2024-05-04

    An entry in the Title column can be right clicked and a password copy action can be selected, even with the Password column not displayed.

  • T. Bug Reporter

    T. Bug Reporter - 2024-05-04

    Or, if you're a keyboard person, you can cursor to the proper entry and press Ctrl-C.

