Auto-Type for expired entries
A lightweight and easy-to-use password manager
It would be great if the global auto-type hotkey worked on expired entries. In most cases you have to log in first to change the password, and an expired password will still work. It could be an option on the entries, if auto-type works after expiration on this entry. Preferably inherited from the group and maybe a warning notification should be shown if auto-type uses an expired entry.
Alternatively, an additional option on the auto-type entry: 'also use if entry is expired'
see https://sourceforge.net/p/keepass/feature-requests/2090/
All 3 of your requests seem to be for the same problem.
Please explain how you perform the password change. Do you need to do it multiple times for the different systems?
cheers, Paul
I have different scenarios:
Simple:
I have a Keepass-Entry for a single account on single system. Password expiration is one month and is due today. Keepass notifies me about the expiration and I connect to the system where I have to log in to change the password. But the auto-type does not work for expired entries, so I have to type the login information by myself (or rather copy the data from keepass). It would be easier if Keepass global auto type hot-key would work on expired entries too.
Not so Simple:
I have a Keepass Entry for ssh access on about thirty different servers. Every server uses the same username and password, but has a separated user registry. For a password change I have to change the password on every single server. I connect through putty and every putty session uses different windows titles. For every window title I defined an auto-type sequence for this entry (only password, because username is in the putty session).
For a password change I have to:
1. copy the old password permanently to the clipboard
2. generate a new password and save the keepass entry
3. log in to all the servers
4. call passwd on all servers
5. paste the old password from clipboard
6. execute the auto-type two times for the password change and confirmation
An auto-type sequence like
passwd{ENTER}{OLDPASSWORD}{ENTER}{PASSWORD}{ENTER}{PASSWORD}{ENTER}
(where {OLDPASSWORD} contains the newest password from history) would be fantastic.
I can't use the {NEWPASSWORD} Placeholder because I have to repeat this on multiple servers.
Because I also have an auto-type sequence for every server which types only the password for daily use (yes I use keys for login, but I have to sudo a lot, and there the system wants to know my password), it would be even more fantastic, if I could disable the sequences for the password change for daily business. Or - even better - could tell keepass, that this sequence is only useable while the keepass entry is expired.
For better understanding I added an example entry. Instead of 3 Systems I have about 30 and the titles for the Systems have nothing in common (wildcard won't work and the regex would not be maintainable).
This suggested method for password change should get you most of the way there.
https://sourceforge.net/p/keepass/discussion/329220/thread/93c4cf59/#cb61
Rather than attempting to Auto-Type from the expired entry, select the expired entry, right click and select "Perform Auto-Type".
To Auto-Type the lot you could try this.
For the "sequence" use this:
passwd{ENTER}{PASSWORD}{ENTER}{S:NewPWref}{ENTER}{S:NewPWref}{ENTER}
cheers, Paul
Last edit: Paul 2016-02-03
Thanks for your suggestion, but this sounds more like a workaround for me.
Keepass is an awesome tool, because you can do almost everything you can expect from a password manager in a very quick and comfortable way and additionally the handling of keepass is very simple and straightforward. This makes keepass part of the few tools I need on every device I have to work with. I was almost surprised that there is no easy way to change the passwords in a scenario like I described earlier. Sure there are other (more complicated ways) to do this, but I thought with my three feature requests I could help (a little at least) to make this tool even more awesome :)
Please consider this feature request for a later release of keepass.
At least consider the option to use expired entries while performing auto-type from the global hotkey. It feels weird, hitting ctrl+alt+a for a login and nothing happens, because the entry is expired.
The expiry date is a hard deadline. If you would like a warning starting 7 days prior to the hard deadline check "Show entries that will expire soon" in Tools>Advanced(tab)>After Opening a Database(section).
You can also arrange the warning to first appear later than 7 days by setting the expiration date accordingly e.g. to see the warning beginning 2 days before the account password expires, set the KeePass entry expiry date to 5 days after the account password expires.
Because these user accounts are actually different (i.e. separated user registry) the better practice would be to use a different password for each. KeePass makes managing multiple user accounts simple by allowing you to create separate entries for each account. Once you have created a separate entry for each user account you can use the {NEWPASSWORD} placeholder.
However, if KeePass becomes too inconvenient when you need to sudo, you could use the following procedure to change an identical password set (same old and new password) on multiple user accounts. The procedure allows one to:
Setup: Create Two KeePass entries:
Change the password on multiple computers:
The "everyday" entry auto-type works even if the change password entry has expired.
Last edit: wellread1 2016-02-04
I've now added an option 'Expired entries can match' (turned off by default) in 'Tools' -> 'Options' -> tab 'Advanced'.
Here's the latest development snapshot for testing:
http://keepass.info/filepool/KeePass_160301.zip
Thanks and best regards,
Dominik
Sorry, it took me so long to respond. Thank you for the implementation!
Tried to download the snapshot, but the link is dead.
Indeed, the development snapshot has been removed, because an official version has been released; KeePass 2.32 includes the feature.
Best regards,
Dominik