#1606 Quick Unlock

open
nobody
5
2016-06-15
2012-04-10
No

When you first open your password vault you are asked for your full password, but after you subsequently lock it you can unlock quickly with a partial password (configurable - by default the first four characters, as indicated in the password field). Quick Unlock will also be available when you use an auto-type command while the vault is locked; in this case you will be asked for both password and account. Note that only one partial password attempt is allowed - if you enter a wrong partial password, the full password
It would be a great usability improvements with minimal security costs.

Discussion

  • ursus

    ursus - 2013-09-19

    +1
    This is already implemented in Keepass2Android and works like a charm.

     
  • Anthony Chianese

    This is an excellent idea, and I too would like to see it implemented. It's much harder to use a long, secure password for the database AND keep it locked if I always have to type the password. Because a wrong try just locks the database, I can't see how this would significantly weaken security.

     
  • Paul

    Paul - 2013-12-09

    This would require a major change in the way KeePass stores data in memory - data would need to be encrypted with the shorter key. Therefore the change is unlikely.

    cheers, Paul

     
  • E. Bekker

    E. Bekker - 2015-01-14

    Would it be possible to support defining a "QuickUnlock" PIN or password independent of the passwords or other locking strategies of specific databases, and then that QuickUnlock would actually lock just the UI of KP?

    A single, correct attempt at the QuickUnlock would restore the UI, but a failed attempt would simply do a "true" lock of each DB that is open. With this strategy, the actual DBs are not really locked, only the UI to get to them is -- so this would mean that any plugins or interfaces are still able to get to the true credential stores.

    Another alternative, with the QuickUnlock feature enabled, whenever a DB is opened, the DB-specific passwords are themselves encrypted with a temporary (session) key derived from the short PIN/Password (i.e. using something like PBKDF2 or SCrypt). So when successfully unlocking the QuickUnlock on the first attempt, that would in turn release the credentials to unlock each DB in the current running application session. A failed QuickUnlock attempt would simply wipe out the data guarded by the temporary session key, and a user would need to fully unlock each DB to regenerate it.

    With the second strategy the DBs are truly locked so plugins or interfaces would not be able to get to the credential stores.

     
  • Paul R. Rogers

    Paul R. Rogers - 2015-04-18

    As I understand it, KeePass's current (workspace/database) locking unloads the key and database contents from memory. This is the safest approach in case the system were compromised. And folks who keep KP open for long periods can already disable exporting and printing keys.

    That being said, I also wanted a way to lock the window without making the database entirely unusable. So I've made a (paid) plug-in which does just that, and with support for a quick-unlock using a PIN within the database. In case anyone is interested, it's available on my site at https://paulrrogers.com/product/lockywindow .

     
  • Paul

    Paul - 2015-04-18

    This has been requested numerous times so a plug-in is a great idea.
    I see it's already discounted! :)

    Is it a PLGX or DLL?

    cheers, Paul

     
    Last edit: Paul 2015-04-18
  • Paul R. Rogers

    Paul R. Rogers - 2015-04-19

    At present the LockyWindow plug-in is a DLL. I'm concerned about the security of caches (created as PLGX files are first loaded) being writable by non-administrative users. And, thus far, I've not found a need to use the PLGX form for the functionality I'm including.

    If there is sufficient demand I'll reconsider including the PLGX format; perhaps as an option during installation.

     
  • Paul

    Paul - 2015-04-20

    When it's locked, is the password column displayed, or does it change the column view to that shown in your screen shots?

    Are you able to launch a URL from KeePass when locked?

    I assume search is not available, nor Auto-Type selected entry?

    cheers, Paul

     
  • Paul R. Rogers

    Paul R. Rogers - 2015-04-20

    Column view is not (yet) changed; though, I would like to obscure any passwords if they're visible when locking. Global auto-type is available, as are integration capabilities of other plug-ins like KeePassHttp. Manually initiated auto-type (Ctrl+V) is not available since the entry list is disabled. If there is demand for allowing it then that could be developed.

     
  • Paul R. Rogers

    Paul R. Rogers - 2015-04-21

    Hiding the password column has been added, at least for English languages. Time permitting I'll look into a more international way of doing it. I also added clearing the summary panel underneath the entries list.

    Launching URLs and search are unavailable when locked as they're also disabled. The idea of different levels of locking has been considered, and I'm open to suggestions for what that should look like.

     
    Last edit: Paul R. Rogers 2015-04-21
  • Paul

    Paul - 2015-04-21

    If KeePass is locked by locky and minimised to tray, are you able to right click on the tray icon and select options - I see options is disabled on screen?

    cheers, Paul

     
  • Paul R. Rogers

    Paul R. Rogers - 2015-04-22

    When LockyWindow is locked the tray options are still available. I'll look into restricting those for consistency.

     
  • Paul R. Rogers

    Paul R. Rogers - 2015-04-23

    Tray items have been restricted as well now. Thanks for the question.

     
  • Paul

    Paul - 2015-04-23

    I suggest you open a new thread in Discussion > Open Discussion announcing the plug-in. Then we have a specific thread for your plug-in.

    I don't know Dominik's policy on paid plug-ins, but he may link to it on the plug-ins page.

    cheers, Paul

     
  • Bruno Quilling

    Bruno Quilling - 2016-06-13

    +1 Still looking for this feature since I've been using KeePass2Android and it would release me to be able lock the database frequently (because I know I can open it quickly).

     
  • Paul

    Paul - 2016-06-13

    What's wrong with LockyWindows?

    cheers, Paul

     
  • TGP1994

    TGP1994 - 2016-06-14

    +1, I'd also like to see this implemented as a feature into Keepass.

     
  • Bruno Quilling

    Bruno Quilling - 2016-06-14

    Hi TGP1994,

    Try the plug in given from Paul, it is interesting :

    https://sourceforge.net/p/keepass/discussion/329220/thread/4236e391/?limit=25#d4b9

    Cheers
    Bruno

     
    • TGP1994

      TGP1994 - 2016-06-14

      Is that who KN4CK3R is? I thought Paul was selling a plugin to do that, which I wasn't so interested in to pay for. KN4CK3R's plugin that you've linked to is what I'm using in the meantime though.

       
      Last edit: TGP1994 2016-06-14
  • Paul

    Paul - 2016-06-15

    I don't sell anything to do with KeePass, I give away my time helping people who have questions.

    Why are you against paying a small amount for something that does what you want? Do you not backup your computer because you can't do it free?

    cheers, Paul

     
  • TGP1994

    TGP1994 - 2016-06-15

    Sorry Paul, I was referring to user Paul R. Rogers who had the paid plugin. I'm against paying a small amount for something that does something I want when there is something for free that does the exact same thing. Same reason why I don't pay for something like LastPass or Roboform when KeePass does just about everything I want. If it were impossible to back up my computer for free then yes I would pay for something, but since it is free to backup my computer, I don't see the need. I didn't come here to debate the merits of paid vs. free though, just wanted to put my support behind this feature being implemented into KeePass.

     

Log in to post a comment.