Auto-Type Multiple Entry Selection

Help
tstrab
2014-05-07
2014-05-08
  • tstrab

    tstrab - 2014-05-07

    When you have more than 1 entry in your database that matches an Auto-Type window, in the Auto-Type Entry Selection window if you click "Options" at the bottom and select "Columns -> Password" it displays the password in clear text. I couldn't find anything in the options to force it to only show asterisks. Does anyone know how to force it to only show asterisks in this column?

     
  • tstrab

    tstrab - 2014-05-07

    Sorry, I should have specified this was using 2.26.

     
  • Paul

    Paul - 2014-05-07

    That shouldn't happen IMO, I'd call that a bug.
    Why do you want to show the passwords column anyway?

    cheers, Paul

     
    • tstrab

      tstrab - 2014-05-07

      I don't want to show the passwords column, so I either need a way to disable it, or make the passwords only show as asterisks.

       
  • wellread1

    wellread1 - 2014-05-07

    The auto-type selection dialog should be a transient display and the user should be in control of their computer when they auto-type. The only reason to display the password column at all is to aid auto-type selection. In that case the user needs to see the password and selecting the display password column option is functionally equivalent to un-checking the 'hide data behind asterisks' option in View>Columns. The only difference is it is more convenient.

    It probably makes sense to disable the password display if the 'Unhide Passwords*' option in Tools>Options>Policy(tab) is un-checked because the user has elected to disable password display everywhere else. Currently the auto-type selection dialog is unaffected by this option.

     
    Last edit: wellread1 2014-05-07
    • tstrab

      tstrab - 2014-05-07

      If we're using KeePass auto-generated passwords, there is not much use to seeing the passwords in clear text, because I honestly don't know which 25-character string of letters, numbers, and symbols is the right one. In this case I would rather use the notes field to determine which entry is the correct one, and not have the password displayed at all.

       
  • Paul

    Paul - 2014-05-07

    Use the options button to remove the password column, same as you did to show it.

    cheers, Paul

     
  • wellread1

    wellread1 - 2014-05-07

    It is true that there are other, better ways to distinguish between auto-type sequences (e.g. using comments or descriptive titles) than looking at passwords. It can also be disconcerting, if you are not expecting it, to see the password displayed in plain text on the screen. You could make a feature request.

    I think two additional dialog display options, when combined with the current behavior, would probably cover all user preferences:

    1. 'Disable Password Column in Auto-type Entry Selection dialog' would prevent display of the Password column.
    2. 'Always require selection of Password Column in Auto Entry Selection dialog' would force the user to select the Password Column from the Auto-Type entry options drop down every time they want to see the password column.

    Note: Not everyone uses KeePass the same way, and there may be situations where being able to see the password is helpful. For example, a user might make a bank two-page login and create auto-types for the complete login, username only & password only. In this case it is easy to distinguish the complete login sequence from the username only sequence by seeing the password column.

     
  • tstrab

    tstrab - 2014-05-07

    Paul - I understand I can simply remove the password column from the display, in the same manner that I got it to display in the first place. The thing is, I don't want anybody who uses this KeePass database to be able to see the password in clear text. I am trying to set up a password system that will be used by many users; we have machines at customers' sites for which we have a single account to log on (typically through remote desktop), and I would prefer it if nobody actually knew the password (or had the ability to see it displayed to write it down). That way, if somebody leaves the company, they can't take a list of passwords with them. Perhaps I am thinking about this wrong, and I just need to accept the risk. I'm having a tough time with it, though.

    wellread1 - How do I go about submitting a feature request?

    Thanks.

     
  • wellread1

    wellread1 - 2014-05-07

    Feature requests are filed at https://sourceforge.net/p/keepass/feature-requests/

    > I would prefer it if nobody actually knew the password (or had the ability to see it displayed to write it down).

    Based on your statement, it sounds like you want the "Unhide Passwords*" policy to extend to the Auto-Type Entry Selection dialog. This would be a different feature request than the one I suggested. I mentioned the Policy setting in the post above.

    I suggest you try the "Unhide Passwords*" policy (you have to restart KeePass for the policy to become effective) and see if hiding passwords always and everywhere is a workable solution. Note: Currently the Auto-Type Entry Selection dialog is an exception in the policy.

     
  • wellread1

    wellread1 - 2014-05-07

    > I am trying to set up a password system that will be used by many users; we have machines at customers' sites for which we have a single account to log on (typically through remote desktop),

    KeePass is inherently a single user password database. Sharing a database among many users is a massive expansion of trust relationships. This increases risk of a breach. It is not possible to configure KeePass so that users cannot access the passwords in an open database unless you are prepared to completely lock down the entire computer, not just KeePass.

    See the important caveat under the Security: heading in the For Network Administrators: Enforced Configuration section.

     
    Last edit: wellread1 2014-05-07
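
Added example (not part of the thread and not KeePass code): a small audit that reads an enforced configuration file and reports whether the 'Unhide Passwords' policy and related policies are actually pinned off, since a flag missing from the enforced file is left to each user's own configuration. The element names under `Security/Policy` are assumed to match KeePass 2.x, the set of "related" flags is this example's choice, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Policy flags to audit. Names are assumed to match the elements KeePass 2.x
# writes under <Configuration>/<Security>/<Policy>.
RESTRICTED = ("UnhidePasswords", "Export", "Print", "CopyToClipboard")

# Constructed sample of a KeePass.config.enforced.xml (not taken from the thread).
SAMPLE_ENFORCED = """<Configuration>
  <Security>
    <Policy>
      <UnhidePasswords>false</UnhidePasswords>
      <Export>false</Export>
      <Print>true</Print>
    </Policy>
  </Security>
</Configuration>"""


def audit_policy(xml_text, flags=RESTRICTED):
    """Map each flag to 'enforced-off', 'enforced-on' or 'not-enforced'."""
    root = ET.fromstring(xml_text)
    policy = root.find("./Security/Policy")
    result = {}
    for flag in flags:
        node = policy.find(flag) if policy is not None else None
        if node is None or node.text is None:
            # Absent from the enforced file: the user's own config decides.
            result[flag] = "not-enforced"
        elif node.text.strip().lower() == "false":
            result[flag] = "enforced-off"
        else:
            result[flag] = "enforced-on"
    return result


def gaps(xml_text):
    """Flags that are not pinned to false by the enforced file."""
    return sorted(f for f, s in audit_policy(xml_text).items() if s != "enforced-off")


if __name__ == "__main__":
    for flag, status in audit_policy(SAMPLE_ENFORCED).items():
        print(f"{flag:16} {status}")
    print("gaps:", gaps(SAMPLE_ENFORCED))
```

A clean report only shows that the UI options are switched off; as the post above says, it does not stop a user from getting at passwords in an open database.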
  • Paul

    Paul - 2014-05-08

    Having the password after leaving the company is not an issue if access is restricted by location or call back etc. You need to review/change your process, not your access to passwords.

    cheers, Paul

     
    • tstrab

      tstrab - 2014-05-08

      Could you elaborate on what you mean by that? I am not an IT expert; my understanding is that if you have the Remote Desktop IP, and the username and password, that's all you need to get in, regardless of any other policies we might implement.

       
  • Dominik Reichl

    Dominik Reichl - 2014-05-08

    I agree that the passwords column in the auto-type entry selection dialog should be unavailable if the 'Unhide Passwords' policy is turned off, and have implemented this now.

    Here's the latest development snapshot for testing:
    http://keepass.info/filepool/KeePass_140508.zip

    Thanks and best regards,
    Dominik

     
    • tstrab

      tstrab - 2014-05-08

      Very nice, that is perfect! Exactly what I was looking for. Thank you, Dominik.

       
  • Paul

    Paul - 2014-05-08

    Anyone with some knowledge can collect the credentials from KeePass and take them home. Using them from home should not be possible as your systems should reject connection attempts from unauthorised locations. If access from home is required then a work laptop should be provided and that is then an authorised location.

    cheers, Paul

     
    • tstrab

      tstrab - 2014-05-08

      All of our technicians are issued company laptops to use. The problem is that the systems we are connecting to are not managed by us, they are managed by the IT department of whichever company that computer happens to live on. We typically don't get to set the rules for remote access to these systems; ultimately it is up to each company's IT department to set their security rules for access and such, but given the recent Target data breach, through the computer that was used for managing the HVAC system (which is what my company does), it has become painfully obvious that even large companies with well-funded IT departments are not properly managing their access rules (the HVAC computer that was used for access had global/admin access and privileges that it did not need and should not have had). It therefore falls on us to limit the risk as much as possible, because even though it was Target's responsibility to secure their system, the HVAC shop was blasted in the media for being the "vector" through which the attackers gained access. Obviously, we would like to avoid having our name in the news like this.

      And in the case of small "mom-and-pop" businesses that may not even have a formal IT department, it falls even more on us to make sure that any outside access to the system is done in a secure way.

      Right now I am looking at using KeePass with the Pleasant Password Server, to see if this will meet our needs.

       
