
#2088 Auto-Type for expired entries

KeePass_2.x
closed
nobody
5
2017-01-20
2016-02-03
cvolhard
No

It would be great if the global auto-type hotkey worked on expired entries. In most cases you have to log in first to change the password, and an expired password will still work. It could be an option on the entries, if auto-type works after expiration on this entry. Preferably inherited from the group, and maybe a warning notification should be shown if auto-type uses an expired entry.

Discussion

  • cvolhard

    cvolhard - 2016-02-03

    Alternatively, an additional option on the auto-type entry: 'also use if entry is expired'
    see https://sourceforge.net/p/keepass/feature-requests/2090/

     
  • Paul

    Paul - 2016-02-03

    All 3 of your requests seem to be for the same problem.
    Please explain how you perform the password change. Do you need to do it multiple times for the different systems?

    cheers, Paul

     
  • cvolhard

    cvolhard - 2016-02-03

    I have different scenarios:

    Simple:
    I have a Keepass-Entry for a single account on single system. Password expiration is one month and is due today. Keepass notifies me about the expiration and I connect to the system where I have to login to change the password. But the auto-type does not work for expired entries, so I have to type the login information by myself (or rather copy the data from keepass). It would be easier if Keepass global auto type hot-key would work on expired entries too.

    Not so Simple:
    I have a Keepass Entry for ssh access on about thirty different servers. Every server uses the same username and password, but has a separated user registry. For a password change I have to change the password on every single server. I connect through putty and every putty session uses different windows titles. For every window title I defined an auto-type sequence for this entry (only password, because username is in the putty session).

    For a password change I have to:
    1. copy the old password permanently to the clipboard
    2. generate a new password and save the keepass entry
    3. login to all the servers
    4. call passwd on all servers
    5. paste the old password from clipboard
    6. execute the auto-type two times for the password change and confirmation

    An auto-type sequence like
    passwd{ENTER}{OLDPASSWORD}{ENTER}{PASSWORD}{ENTER}{PASSWORD}{ENTER}
    (where {OLDPASSWORD} contains the newest password from history) would be fantastic.
    I can't use the {NEWPASSWORD} Placeholder because I have to repeat this on multiple servers.
    Because I also have an auto-type sequence for every server which types only the password for daily use (yes I use keys for login, but I have to sudo a lot, and there the system wants to know my password), it would be even more fantastic, if I could disable the sequences for the password change for daily business. Or - even better - could tell keepass, that this sequence is only useable while the keepass entry is expired.

    For better understanding I added an example entry. Instead of 3 Systems I have about 30 and the titles for the Systems have nothing in common (wildcard won't work and the regex would not be maintainable).

     
  • Paul

    Paul - 2016-02-03

    This suggested method for password change should get you most of the way there.
    https://sourceforge.net/p/keepass/discussion/329220/thread/93c4cf59/#cb61

    Rather than attempting to Auto-Type from the expired entry, select the expired entry, right click and select "Perform Auto-Type".

    To Auto-Type the lot you could try this.

    1. Create a custom field called "NewPWref" with this value. {REF:P@T:{T-REPLACE-RX:!{TITLE}!(.*) - Copy!$1!}}
    2. Duplicate the entry as described in the linked post.
    3. Create an Auto-Type trigger and button as described in the Help. http://keepass.info/help/kb/trigger_examples.html#atpwonly
      For the "sequence" use this:
      passwd{ENTER}{PASSWORD}{ENTER}{S:NewPWref}{ENTER}{S:NewPWref}{ENTER}
    4. Open a session to the machine you want to change.
    5. Bring KeePass to the front and select the "duplicate" entry.
    6. Click the button you created earlier.

    cheers, Paul

     

    Last edit: Paul 2016-02-03
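
How the placeholders in Paul's sequence resolve, as an added example that is not part of the original post and not KeePass's own code. It is a simplified model: the entry titles and passwords are constructed, the field reference is looked up by exact title, and only the placeholders used above are handled.

```python
import re

# Constructed sample data, not real credentials. The original entry already
# holds the new password; its duplicate ("... - Copy") still holds the old one.
DB = [
    {"Title": "ssh servers", "Password": "new-Pw-2016"},
    {"Title": "ssh servers - Copy", "Password": "old-Pw-2015",
     "NewPWref": "{REF:P@T:{T-REPLACE-RX:!{TITLE}!(.*) - Copy!$1!}}"},
]
SEQUENCE = "passwd{ENTER}{PASSWORD}{ENTER}{S:NewPWref}{ENTER}{S:NewPWref}{ENTER}"
INNERMOST = re.compile(r"\{([^{}]*)\}")  # a placeholder with nothing nested in it


def resolve_one(body, entry, db):
    """Resolve one brace-free placeholder body for the selected entry."""
    if body == "ENTER":
        return "\n"                       # stand-in for the Enter key
    if body == "TITLE":
        return entry["Title"]
    if body == "PASSWORD":
        return entry["Password"]
    if body.startswith("S:"):             # custom string field of this entry
        return entry[body[2:]]
    if body.startswith("T-REPLACE-RX:"):  # <sep>text<sep>regex<sep>replacement<sep>
        arg = body[len("T-REPLACE-RX:"):]
        text, search, repl = arg[1:].split(arg[0])[:3]
        repl = re.sub(r"\$(\d+)", r"\\g<\1>", repl)   # $1 -> Python's \g<1>
        return re.sub(search, repl, text)
    if body.startswith("REF:P@T:"):       # password of the entry with this title
        wanted = body[len("REF:P@T:"):]
        for other in db:                  # assumption: exact title, first hit wins
            if other["Title"] == wanted:
                return other["Password"]
        raise LookupError(f"no entry titled {wanted!r}")
    raise ValueError(f"placeholder not modelled: {{{body}}}")


def expand(sequence, entry, db):
    """Resolve innermost placeholders repeatedly until nothing changes."""
    previous = None
    while previous != sequence:
        previous = sequence
        sequence = INNERMOST.sub(lambda m: resolve_one(m.group(1), entry, db), sequence)
    return sequence


if __name__ == "__main__":
    print(repr(expand(SEQUENCE, DB[1], DB)))
```

The expanded string is what would be sent as keystrokes: the duplicate's old password once, then the original entry's new password twice, so the window that receives it should be checked before the button is clicked.
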
  • cvolhard

    cvolhard - 2016-02-04

    Thanks for your suggestion, but this sounds more like a workaround for me.
    Keepass is an awesome tool, because you can do almost everything you can expect from a password manager in a very quick and comfortable way and additionally the handling of keepass is very simple and straightforward. This makes keepass part of the few tools I need on every device I have to work with. I was almost surprised that there is no easy way to change the passwords in a scenario like I described earlier. Sure there are other (more complicated) ways to do this, but I thought with my three feature requests I could help (a little at least) to make this tool even more awesome :)
    Please consider this feature request for a later release of keepass.

     
  • cvolhard

    cvolhard - 2016-02-04

    At least consider the option to use expired entries while performing auto-type from the global hotkey. It feels weird, hitting ctrl+alt+a for a login and nothing happens, because the entry is expired.

     
  • wellread1

    wellread1 - 2016-02-04

    I have a Keepass-Entry for a single account on single system. Password expiration is one month and is due today. Keepass notifies me about the expiration and I connect to the system where I have to login to change the password. But the auto-type does not work for expired entries,

    The expiry date is a hard deadline. If you would like a warning starting 7 days prior to the hard deadline check "Show entries that will expire soon" in Tools>Advanced(tab)>After Opening a Database(section).

    You can also arrange the warning to first appear later than 7 days by setting the expiration date accordingly e.g. to see the warning beginning 2 days before the account password expires, set the KeePass entry expiry date to 5 days after the account password expires.

    Every server uses the same username and password, but has a separated user registry.

    [ALSO]

    Because I also have an auto-type sequence for every server which types only the password for daily use (yes I use keys for login, but I have to sudo a lot, and there the system wants to know my password), it would be even more fantastic, if I could disable the sequences for the password change for daily business. Or - even better - could tell keepass, that this sequence is only usable while the keepass entry is expired.

    Because these user accounts are actually different (i.e. separated user registry) the better practice would be to use a different password for each. KeePass makes managing multiple user accounts simple by allowing you to create separate entries for each account. Once you have created a separate entry for each user account you can use the {NEWPASSWORD} placeholder.

    However, if KeePass becomes too inconvenient when you need to sudo, you could use the following procedure to change an identical password set (same old and new password) on multiple user accounts. The procedure allows one to:

    • Change the password on multiple servers with the same (new and old) password using auto-type only.
    • Disable the change password auto-type sequence(s) when they are not needed.
    • Continue using auto-type after the KeePass entry that contains the server password has expired.

    Setup: Create Two KeePass entries:

    1. Create a "change password" KeePass entry (the Master entry) that expires.
      • Add the current multiple server username and password to this entry.
      • Add a custom string field (e.g. OLD_PASSWORD) to the change password entry that can hold an old server password for as long as it is needed to change passwords on every server.
      • Add the "change password" auto-type sequences to this entry.
      • Disable auto-type for the change password entry except when needed to change passwords.
      • Set the appropriate expiry time on this entry.
    2. Create an "everyday" KeePass entry (the Child entry) that never expires.
      • Use field references to reference the server username and password
      • Add "everyday" auto-type sequences to this entry

    Change the password on multiple computers:

    1. Edit the "change password" KeePass entry
      • Copy the current password from the password field to the entry's "OLD_PASSWORD" custom string field.
      • Update the current password to a new password using the password generator or other means.
      • Enable auto-type on the entry.
      • Set the expiry date to the new expiry date.
      • Close the entry
    2. Use the global auto-type hot key to execute the change password auto-type and change the password on each server.
    3. Once the password changes are complete, disable auto-type on the "change password" KeePass entry

    The "everyday" entry auto-type works even if the change password entry has expired.

     

    Last edit: wellread1 2016-02-04
  • Dominik Reichl

    Dominik Reichl - 2016-03-01
    • status: open --> closed
    • Group: KeePass --> KeePass_2.x
    • Priority: 4 --> 5
     
  • Dominik Reichl

    Dominik Reichl - 2016-03-01

    I've now added an option 'Expired entries can match' (turned off by default) in 'Tools' -> 'Options' -> tab 'Advanced'.

    Here's the latest development snapshot for testing:
    http://keepass.info/filepool/KeePass_160301.zip

    Thanks and best regards,
    Dominik
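
A simplified model of the matching behaviour discussed in this thread (wellread1's two-entry setup and the 'Expired entries can match' option), added here as an illustration and not taken from KeePass's source. The `Entry` class, the function name, the window titles and the case-insensitive `*` matching are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Entry:
    title: str
    window_patterns: List[str]            # target-window associations, '*' wildcard
    expires: Optional[datetime] = None    # None means the entry never expires
    auto_type_enabled: bool = True


def global_auto_type_candidates(entries, active_window, now, expired_can_match=False):
    """Titles of the entries the global hotkey would consider for this window."""
    hits = []
    for e in entries:
        if not e.auto_type_enabled:       # auto-type switched off on the entry
            continue
        expired = e.expires is not None and e.expires <= now
        if expired and not expired_can_match:   # the option is off by default
            continue
        window = active_window.lower()
        if any(fnmatchcase(window, p.lower()) for p in e.window_patterns):
            hits.append(e.title)
    return hits


# Constructed sample: an expiring "change password" entry and a never-expiring
# "everyday" entry, both associated with the same PuTTY windows.
PATTERNS = ["*srv-a*", "*srv-b*"]
ENTRIES = [
    Entry("ssh change password", PATTERNS, expires=datetime(2016, 2, 1)),
    Entry("ssh everyday", PATTERNS),
]
NOW = datetime(2016, 2, 3)
WINDOW = "user@srv-a: ~ - PuTTY"

if __name__ == "__main__":
    print(global_auto_type_candidates(ENTRIES, WINDOW, NOW))
    print(global_auto_type_candidates(ENTRIES, WINDOW, NOW, expired_can_match=True))
```
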

     
  • cvolhard

    cvolhard - 2016-04-04

    Sorry, it took me so long to respond. Thank you for the implementation!

    Tried to download the snapshot, but the link is dead.

     
  • Dominik Reichl

    Dominik Reichl - 2016-04-04

    Indeed, the development snapshot has been removed, because an official version has been released; KeePass 2.32 includes the feature.

    Best regards,
    Dominik

     
