When a new password is being generated, KeePass remembers the used settings and stores them on disk. However, if a forensic analysis were performed on that storage, the attacker would normally not be able to get information from the encrypted KeePass database, but they would still be able to get the information on the password metrics - since it is not unlikely that a user tries to use the same password generator settings for as many passwords as possible (unless e.g. a service has special restrictions).
While good passwords should be strong enough to resist attacks even if an attacker knows the metrics of how they were generated (length, character sets, other options, etc.), it would still cut off some % of the possibilities. For security reasons it might not be the worst idea if KeePass provided an option to prevent saving the password generator settings and probably always use the default settings in that case.
Using derived settings etc. should be fine here as well (I wish SourceForge would allow editing the original post so I would not have to correct this here).
On thinking about this a bit more, I'm now even wondering whether other similar menus that save their settings can leak potentially problematic details as well. For example, having just created https://sourceforge.net/p/keepass/feature-requests/2714/ before this ticket, I'm curious whether such a use case via the Find menu has the potential to leak information here as well.
Edit: I just noticed that while the Find menu saves its settings, it does not save the entered string, so the Find menu might actually be fine here.
Last edit: Sworddragon 2022-04-03
Let's assume some bad guy knows you use 16 character passwords of just numbers and letters.
Now the bad guy wants to login to a site as you.
Do you actually use this site?
What username does BG choose for this site?
Let's assume BG has managed to guess your username.
BG now has trillions of possible passwords to try.
How many tries does the site allow before locking your account? If it's not locked then BG has a chance, otherwise he doesn't.
cheers, Paul
Or he just brute-forces on a recently leaked database (e.g. Twitch) to guess the password. But yes, as I already said, a good password should still resist all those attacks - but it still doesn't hurt to try to avoid potentially weakening the password.
Last edit: Sworddragon 2022-04-04
See Kerckhoffs's principle. If your password is feasible to crack, make it infeasible to crack, i.e. stronger, and stop worrying about non-secrets.
I agree with Wellread1 and Paul. A password generator profile is not a secret. If you have a profile that generates weak passwords, you should adjust the profile to generate stronger passwords instead of trying to keep the profile secret.
Thanks and best regards,
Dominik
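To put numbers on the argument made in this thread (a known generator profile only "cuts off some % of the possibilities", and hiding it buys almost nothing), here is an added worked example that is not part of the original posts or of KeePass itself. It models a generator profile as a length plus a choice of character sets, computes the keyspace and entropy of the 16-character letters-and-digits profile discussed above, and bounds the extra work an attacker faces when the profile is unknown; the character-set sizes and the 10^12 guesses-per-second rate are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Sizes of the character classes a generator profile can draw from.
# Assumed values for this example (33 = printable ASCII punctuation).
CHARSETS = {"digits": 10, "lower": 26, "upper": 26, "special": 33}


@dataclass(frozen=True)
class Profile:
    """A password generator profile: fixed length, set of character classes."""
    length: int
    sets: tuple  # names from CHARSETS, e.g. ("digits", "lower", "upper")

    def alphabet_size(self) -> int:
        return sum(CHARSETS[name] for name in self.sets)

    def keyspace(self) -> int:
        # Number of distinct passwords this profile can produce.
        return self.alphabet_size() ** self.length

    def bits(self) -> float:
        # Entropy of a uniformly chosen password when the profile is KNOWN.
        return self.length * math.log2(self.alphabet_size())


def brute_force_years(keyspace: int, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to exhaust a keyspace at the given guessing rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def bits_gained_by_hiding_profile(candidates: list) -> float:
    """Upper bound on the entropy gained if the attacker does not know which
    of the plausible profiles was used: they try each in turn, so total work
    is at most len(candidates) times the largest keyspace, i.e. log2(K) bits."""
    return math.log2(len(candidates))


if __name__ == "__main__":
    alnum16 = Profile(16, ("digits", "lower", "upper"))  # the case from the thread
    print(f"alphabet={alnum16.alphabet_size()} keyspace={alnum16.keyspace():.3e}")
    print(f"entropy with profile known: {alnum16.bits():.1f} bits")
    print(f"exhaustive search at 1e12/s: {brute_force_years(alnum16.keyspace()):.2e} years")
    # Even if the attacker had to consider 8 plausible profiles, secrecy adds <= 3 bits.
    plausible = [Profile(n, s) for n in (12, 16) for s in (
        ("digits", "lower"), ("digits", "lower", "upper"),
        ("lower", "upper", "special"), ("digits", "lower", "upper", "special"))]
    print(f"bits gained by hiding the profile: {bits_gained_by_hiding_profile(plausible):.1f}")
```

The output shows that a known 16-character alphanumeric profile still leaves about 95 bits of entropy (billions of years of exhaustive guessing at 10^12 guesses per second), while keeping the profile secret among a handful of plausible ones adds only a few bits, which is the point Kerckhoffs's principle makes.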