Disable User Name Suggestions for New Entries
A lightweight and easy-to-use password manager
Brought to you by:
dreichl
Menu
▾
▴
In some recent upgrade, KP now displays a list of User Names when creating a new Entry. Although well intended, it sorts this list alphabettically and never defaults to my default User Name which is my standard E-Mail address. (For most folks as well?) I would like to disable this new "feature", or enable a "Default UserName" to be set instead. The previous (no suggestion) did work fine for years.
File > Database Settings, General, Default user name...
cheers, Paul
Yikes! How long has that been available?
Perfect!
Thank you very much!
Peace, Jay
Dominik,
I know this has been asked before but I'm going to ask again.
Please give us the option to turn off the user name suggestions.
This seems such a security and privacy violation. I have many user names and whenever I add a new entry then they all show as I type. User names are 1/2 of most credentials, and while not designed to be secret, there is no reason to display all user names as you type.
I protect my user name by hiding them under asteriks just like my passwords in KeePass. I have to assume when you are scanning and displaying username suggestions you are unprotecting all of them and exposing them in memory to any malware that may on my system. I would rather type my user name and password or set a default in the database settings then having them all exposed.
From a privacy issue, if anyone is within site of my system they then get an eyefull of all my userids that the user name suggestion displays. This reminds me of the frustrating design of MS Outlook online where it gives you "suggestions" for the To: email address as you type even Spam emails, etc. Many have complained about this privacy issue to MS... they fixed it years ago and then when they released the last "New Outlook" they removed the fix.
KeePass is an incredibly rich, feature filled security manager which takes great pains to protect user data as much as possible. The user name suggestions seems the antithesis of everything you have built.
Some KeePass users probably like this feature, but for those of us who see it as a security and privacy violation please consider giving us the option to disable it.
Thanks much for a great product and considering my request.
Why is that a problem?
KeePass doesn't encrypt usernames in the memory anyways, assuming one can see suggested usernames he can also see the entries themselves(both in UI and in memory)
RangerXus,
Paul provided this answer: (It is already an option)
File > Database Settings, General, Default user name...
Peace,
That's not his complaint, I don't know why he replied here to be honest.
@RangerXus, if your system has malware that actively looks for KeePass data in memory, the game is pretty much over regardless of what you do.
As for protecting user names in the UI, you can do that by pressing
Ctrl+J. (The long way:View-Configure Columns, selectUser Namethen checkHide data using asterisks. Works for other fields, too.)The data will still be available in memory...
RangerXus,
I believe in Ver 2.40 an AutoFill feature was added to the UserName field when creating new entries. This presented a list of previously used UserNames that one could scroll through and select. If this is not wanted, one can populate this field with a default user name which suppresses the list from appearing. Deleting this entry (could be any characters) apparently toggles or clears the presentation of said list permanently. This feaure could/should have some option to enable or disable it implicitly in a future upgrade.
Personally, I did not mind the list display except my Standard UserName was always at the bottom:-)
Peace,
Jay,
Thanks to you and others for replying. I am hoping that Dominik will reply to my request.
As the OP of this discussion, you understand what my concerns are and agree that there should be an option to disable the user name suggestion feature.
Paul's suggestion of setting a default username will prefill the field but since I have many userids it will only minimally solve my concerns. As soon as you clear the username field of the default to type in the username needed the auto suggest feature kicks in again.
My concerns are both security and privacy. From the privacy perspective have a list of your userids display as you type allows anyone within distance to see all matching userids.
@Andrei and @John_Jones, as my original post stated I am using the ctrl-J feature to hide my userids under asteriks. It was my thinking that this would enable in-memory protection just like hidden passwords (and field strings when in-memory protection is checked) but based on your comments I may have been wrong... maybe Dominik can clarify this point.
But since I am using ctrl-j on usernames that shows that I am very concerned about protecting usernames from being visible which the user name suggestions feature violates.
If creating a new option to disable the username suggesions is not feasible, maybe Dominik could check the setting of ctrl-J and if active (hiding username under asteriks) then disable user name suggestions.
@John_Jones, I posted here because the OP requested the same thing. And while Paul did give a suggestion to work around the problem if a person always uses the same username so setting a database default username helps, for those of us who don't have a "default" username this does not solve the problem.
@John_Jones, Maybe I should have created a new post so as to start a new discussion and hopefull Dominik will see. If this thread gets too bogged down I will create a new discussion with my original reply from this thead with an apology to those who consider it a duplicate post. I will clear mark this thread with a reference to the new post.
I don't understand why this is so controversial. Those who have no concerns over the username suggestions keep using it.. I am in no way suggesting it be removed. But for those who do have privacy and security conerns let us disable the feature or as I suggested above honor the ctrl-J option if username is hidden under asteriks.
Thanks for all your opinions and comments. Hopefully Dominik will read this entire thread and respond.
Again, KeePasss doesn't encrypt usernames in memory.
even if you were to add an option to turn it off, security won't change a bit.
User names are in no way part of the security of any service you may use.
RangerXus,
I am running the latest Ver 2.42.1 and once I delete the populated UserName field, save settings and restart, the AutoFill feature stays off. (Actually, I have no idea how to turn it back on.)
Experimentally, I uninstalled KeePass and re-installed it attempting to get some screen captures but, unfortunatelly, it did not return.
Perhaps this was a bug or a beta feature that snuck through in a previous release?
Peace,
Well, an option could of course be added in the future, but the effect would be visual only; user names are not encrypted in the process memory (in contrast to passwords).
Best regards,
Dominik
It's important to make a distinction between protecting against sophisticated malware (which is rare) and protecting against casual shoulder-surfers. The first can't be done by the end user (except for taking reasonable precautions to see that malware never gets on the computer in the first place), but the second is entirely within the user's realm as far as deciding what needs to be protected and how much protection it needs. To that end, the username field should be afforded the same options for protection as any other field, and any feature which may be percieved as lessening that protection should have a disable switch.
Why not encrypt everything then? Notes can have sensitive data, tags and so on.
It's not feasible, there's a performance penalty for encrypting memory.
shoulder-surfers has nothing to do with memory encryption. just use asterisks for usernames if you consider that a viable threat(ridiculous at best for pratical attacks, in many cases an attacker can find\know the username fairly easily)
Agreed, but this discussion seems to be confusing the two.
Displaying no user name suggestions when the user names are hidden in the main window makes sense. I've implemented this now; thanks for the suggestion!
Here's the latest development snapshot for testing:
https://keepass.info/filepool/KeePass_190818.zip
Thanks and best regards,
Dominik