Allow Auto-Type without password Prompt
A lightweight and easy-to-use password manager
Brought to you by:
dreichl
Menu
▾
▴
New keepass user here. I am experimenting with it right now and have grown quite fond of it. Right now there's one thing I would like to do but can't seem to get it: how can I have the workstation locked (don't want anyone to edit it, etc) and run auto-type without being prompted for password? Any help would be appreciated.
Edit: Meant to write workspace in place of workstation. Now I am curious: will have to check and see if keepass can operate successfully with workstation locked (yes, this time I meant workstation):)
Nothing works with the workstation locked, at least nothing that requires keyboard input.
cheers, Paul
Hi Paul,
Yeah, I even tried using AutoHotKey to call KeePass to execute auto-type when the workstation was locked and it(KeePass) never sent any keys :(. Although this has very little to do with the original intent of this thread, I think that adding this feature (similar to controlsend in AutoHotKey) would be a wonderful addition.
Unfortunately, locking of the workspace locks access to the database. It is natural (and intended) that you have to enter your db password in order to be able to use the Global Auto Type function - otherwise, the db would not be truly locked, and that would render it insecure.
John,
Original thread author here, what I have been trying to do with KeePass was to call auto-type when the workspace was unlocked (had all "Lock workspace when *" unchecked in Options Security setting). I believe that auto-type would be much more useful to users if there was a way to lock the database from editing/viewing but still enable auto-type without the password prompt.
I understand what you are saying - but again, this makes the database less secure - more functional, but less secure.
Still, I suppose such functionality should be considered if Dominik plans on developing an enterprise level program in the future.
John,
Thanks for your response, but do you understand how KeePass is being used?
Because auto-type is so valuable in terms of efficiency, the database is being left unlocked all the time (because if it weren't, constantly having to input the master password would negate the time gained from using auto-type).
For those that use it in this manner, we have a completely INSECURE program. What we need is a compromise: an option to prevent access to the workspace without preventing access to autotype. That way, if we leave our desk or something and someone comes along, they cannot get to our user/pass info (even though they could still use autotype, but might not know our hotkeys!).
I suggest implementing an easy option like "lock database when restoring main window". This would allow users to keep the database unlocked for auto-type, but as soon as someone tried to access the workspace itself, it would lock and require a password.
In summation:
Under the current configuration:
If the database is to be completely secure, autotype is practically useless.
If autotype is to be useful, the database is completely insecure (we have to leave it unlocked)
So we need a compromise:
Keep auto-type useful while keeping the database at least *somewhat* secure.
Thanks,
Tony W.
Think about it:
What is more secure?
1) A password database sitting wide open all day long, free for anyone to access and use at any time, in any way.
-or-
2) A database that sits open for use only with autotype, but locks the instant anyone tries to access its data any other way (via the workspace, for instance).
These are the two options that you should be considering when determining what is more secure. The third option (locked all the time) isn't a consideration, because we wouldn't even be using autotype if we did this.
Making this change would make KeePass MORE secure for those using autotype. MORE SECURE.
Sorry to harp on this, but you say you understand what we're saying, though you don't seem to grasp that this would not compromise KeePass's integrity, it would strengthen it!
Of course, this would be an option, allowing those people who want to make sure the database is completely locked at all times to do so -- it would just help people like me, who have to always keep the database unlocked in order to efficiently use autotype.
Considering the fact that you leave it open all the time for anyone to get access to, then, yes, in your situation, it will make it a bit more secure.
However, I enter my PW every time I need to - therefore, my method is still more secure than yours - no one can access it except for those brief time periods when I use Auto Type.
So, compared to my methodology, your suggestion still is less secure.
I think this is the point where Dominik will have to weigh in on whether this middle ground here is feasible, and more importantly, if he wants to include it or not.
Thanks John, I agree with you. Considering how I (and some others) use KeePass, this kind of change would help tremendously. But of course none of this would be nearly as secure as how you are using it by keeping it locked.
Auto Type just isn't nearly as useful to me if I have to enter my master password each time I use it (I might as well just put in the user/pass that KeePass is Auto Typing!). It all comes back to that age-old functionality vs. security balance.
Thanks for the attention, input, and consideration.
Tony W.
Actually, the reason I find it better this way is simple.
I have a single password that I have to remember - all my 'site' passwords are long, complex ones (24 char or better), except those few sites that strictly prohibit it.
Trying to remember 300+ 16 character (or more) passwords is simply too time consuming for me. Remembering 1 PW is a lot easier. Having to type t in again and again it not troublesome, it is a godsend and a life saver - mainly because, before I became more educated, I used to use the same password every where (around 14 years ago, when I first started dealing with a Unix server / client setup at school, as well as when I first started dialing into BBS accounts around the local area).
Again, though, it is a matter of to each his own.
If Dominik *does* decide to implement this, then I ask for 2 things - 1) that it unlocks, performs the autotype and locks it again, and 2) that it be a user-definable 'switch' - for those of us who would rather have the added security.
In every corporate users are forced to have a screen saver with password
and this comes in automatically or on request.
So no one can play with Keypass while the workstation is locked.
Why do you left the workstation unlocked if you leave it ?
Everyone can come along and delete or read all your files.
John,
1. You can't unlock without supplying the master password, so this is no better than leaving the database locked.
cheers, Paul