Has there been any consideration for creating alternate unlock methods for a database? That might allow for other devices (such as a mobile phone) to provide easier methods for input based on the device. Specifically, I would like the ability to use a pattern (like a 4x4 or 5x5 grid) to unlock from my phone (using MiniKeePass) while still using the passphrase on the computer. Perhaps the database format could allow for multiple unlock methods? I haven't thought through the implementation or security concerns much. Just an idea...
KeePass processes a Master Key into an encryption key. There can only be one encryption key. However it is possible to encrypt a single "Secret Key" (e.g. the Master Key) using multiple different pass-phrases. So what you describe is possible in principle. You would need to write an appropriate plugin to implement a particular scheme.
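The multi-passphrase wrapping described in the reply above, as an added sketch that is not part of the thread and is not KeePass or plugin code. The function names, the slot layout, the iteration count and the sample secrets are assumptions, and an XOR pad with an HMAC tag stands in for a real authenticated key-wrap cipher because the Python standard library has no AES.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def _derive(secret: str, salt: bytes):
    """Stretch one unlock secret into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def add_slot(secret_key: bytes, secret: str) -> dict:
    """Wrap the single 32-byte secret key under one unlock secret (a key slot)."""
    if len(secret_key) != 32:
        raise ValueError("secret key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per slot, so a pad is never reused
    pad, mac_key = _derive(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(secret_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(slots: list, secret: str) -> Optional[bytes]:
    """Try the secret against every slot; return the secret key, or None."""
    for slot in slots:
        pad, mac_key = _derive(secret, slot["salt"])
        data = slot["salt"] + slot["wrapped"]
        expected = hmac.new(mac_key, data, hashlib.sha256).digest()
        if hmac.compare_digest(expected, slot["tag"]):  # constant-time check
            return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))
    return None  # wrong secret, or the slot was tampered with


if __name__ == "__main__":
    # Constructed sample secrets: a desktop passphrase and a grid pattern
    # encoded as the sequence of touched cell indices on a 4x4 grid.
    secret_key = os.urandom(32)  # the one key that encrypts the database
    slots = [
        add_slot(secret_key, "correct horse battery staple"),
        add_slot(secret_key, "0-5-10-15-11-7"),
    ]
    assert unlock(slots, "0-5-10-15-11-7") == secret_key
    assert unlock(slots, "guess") is None
    print("both slots recover the same secret key")
```

Every slot recovers the same key, so anyone holding a copy of the file can run an offline guessing attack against whichever slot has the least entropy; a short grid pattern sets the effective strength of the whole database.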
On my laptop, I use a long password for the Master Key. It's not too difficult to type error-free on a decent keyboard. KeePass also has Keyfile capability, and I also recently discovered the ability to open the database on my laptop using the Master Password (on the laptop keyboard) + generating a 6-digit Google Authenticator code on my mobile phone (check through the forum for the thread). Seems to be lots of options for the PC version of KeePass.
On the mobile phone side, I agree with the original poster - entering long, complex passwords is tedious and error-prone. The developer of Keepass2Android (NOT me, by the way) has developed a concept called "Quick Unlock", where you optionally enter only the last 3 or 4 characters of your Master Password to unlock the database. He argues that the risk of this procedure is mitigated by the fact that you only get 1 chance to enter this simple code correctly. If you fail, you then are required to enter the full Master Password. Whether or not you agree with this as a secure methodology - it is refreshing to see some innovation regarding this problem.
Quick unlock would be great for the PC version as well. Maybe the 3 or 4 characters could change in location of the password. E.g., must input the first 4 characters of the password, must input the first 4 numbers of the password, must input the 5th to 8th characters of the password, etc.
If you want to implement quick unlock schemes, take a look at the KeeAutoExec and WinKee plugins. The KeePass developer is unlikely to implement additional intermediate security levels beyond the unlocked state (e.g. quick unlock). For discussion see the FAQ entry about specialized spyware.