Wilders Security Forums  

Go Back   Wilders Security Forums > Privacy Related Topics > privacy technology
#51 | discs | August 31st, 2012, 02:49 PM
Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by Page42
@ discs...
Here is some info on Edit Controls:
Secure Edit Controls
KeePass supports security-enhanced edit controls.
Selection Limitation
A limitation of these secure edit controls is that you can't select a range of characters. You for example cannot select 3 characters and replace them by the current contents of the clipboard using the paste command.
Are you, indirectly, referring to the above, Page42?

I don't use the copy/paste command in my manual 'manipulation' of a password entry. The secure edit controls do allow selecting, and then over-typing selected text.

Or, were you just pointing to yet another Keepass 'leap-ahead'?

Last edited by discs : August 31st, 2012 at 03:10 PM.
#52 | Victek123 | August 31st, 2012, 06:03 PM

Quote:
Originally Posted by discs
For a brief description see 'Enter Master Key on Secure Desktop' on the Keepass Security page http://keepass.info/help/base/security.html - although this will not give you much detail about implementation.

The simplest explanation for the 'secure desktop' model that I came across (sorry I can't find a link) is that the desktop opens in a totally new process and is cut off from all other programs. It is in effect isolated. It is in this isolated process that you enter the master password in Keepass.

Another way to approach an understanding of how the 'secure desktop' model operates is probably the secure desktop used in Windows 7 for UAC. See for example an explanation at http://cybernetnews.com/vista-uac-se...top-explained/. There may be more extended explanations on the web.

(With Keepass, also, the secure desktop has a minor delayed response, and appears with the entire screen temporarily dimmed).

Thanks for the explanation and links. Using Secure Desktop for entering the master password is definitely a good idea that I hope will be adopted by LastPass (must get over to their forum and ask about this) and others.
#53 | Page42 | August 31st, 2012, 06:08 PM

Quote:
Originally Posted by discs
Are you, indirectly, referring to the above, Page42?
Or, were you just pointing to yet another Keepass 'leap-ahead'.
Just kind of piggybacking on this post... maybe partially back-filling the editing security hole we were discussing.
#54 | Page42 | August 31st, 2012, 06:15 PM

Quote:
Originally Posted by discs
(With Keepass, also, the secure desktop has a minor delayed response, and appears with the entire screen temporarily dimmed).
I purposefully wait for the bell tone before entering the master password.
There is an advanced setting (I believe it is selected by default) that says:
Quote:
Play UAC sound when switching to secure desktop
Sometimes there is a bit of a delay between when the password dialog appears and the tone sounds.
#55 | Sordid | August 31st, 2012, 08:42 PM

Pretty sure you can exploit that secure desktop. It does not run under UAC policy, I don't believe. The protection just stems from the fact that most malware is unaware of multiple WinOS desktops (and so are most users).

Also, it seems all this integration (hotkey or autofill) is universally jackable via a cleartext form grab/keylogger. This could be prevented somehow by decrypting your saved passwords securely as Keepass does now, but also creating the web page submission by re-encrypting your submission with the SSL session key before it is passed out of memory protection to the browser. In other words, all these password managers are secure until they enter the password, a big oversight. Now form grabbers could never grab, because at no point is it in cleartext.

This would mean that the browser would have to pass Keepass the handshake session key to encrypt your passwords before it submits them back, which could prove even more dangerous and difficult. It just seems silly to have cleartext sitting in the browser when most high-level transactions offer public keys to create random session keys we could use to prevent cleartext insertion.

And yes, I haven't really thought too deeply about this. Probably not possible.
#56 | Victek123 | September 1st, 2012, 12:11 AM

Quote:
Originally Posted by privacyrights4all
Huge issue, for sure. Dashlane's mobile apps -- both on Android and iPhone -- time out automatically. The default is set to log you out every time you exit, or are idle for only a minute or so, but you can alter the settings to make it fit your needs.

I looked into this and it turns out that the problem is with the LastPass plugin for Dolphin browser. It has very few features and I would not recommend it. I installed the standalone LastPass android app and it has automatic timed logoff and other safety features such as timed re-validation using a PIN.
#57 | discs | September 1st, 2012, 09:42 AM

Quote:
Originally Posted by Sordid
Pretty sure you can exploit that secure desktop. It does not run under UAC policy, I don't believe. The protection just stems from the fact that most malware is unaware of multiple WinOS desktops (and so are most users).

Also, it seems all this integration (hotkey or autofill) is universally jackable via a cleartext form grab/keylogger. This could be prevented somehow by decrypting your saved passwords securely as Keepass does now, but also creating the web page submission by re-encrypting your submission with the SSL session key before it is passed out of memory protection to the browser. In other words, all these password managers are secure until they enter the password, a big oversight. Now form grabbers could never grab, because at no point is it in cleartext.

This would mean that the browser would have to pass Keepass the handshake session key to encrypt your passwords before it submits them back, which could prove even more dangerous and difficult. It just seems silly to have cleartext sitting in the browser when most high-level transactions offer public keys to create random session keys we could use to prevent cleartext insertion.

And yes, I haven't really thought too deeply about this. Probably not possible.

Your assertions above may or may not be valid (if you genuinely care about that you may wish to post on the Keepass forums: http://sourceforge.net/projects/keep...s/forum/329220).

The Keepass developers would be the last ones to claim that it is impregnable (especially re the Secure Desktop - where the point you make about sophisticated malware aware of multiple WinOS desktops being able to bypass it has been made by the lead Keepass developer himself. Nevertheless, the additional screen logging plus protection the secure desktop in Keepass offers for the master password makes it greatly superior to other password managers).

The point of this thread was simply to highlight that Keepass is way ahead of its 'competitors', and that it is also open source.
#58 | Victek123 | September 1st, 2012, 09:26 PM

The matter of Secure Desktops is complex. Here are a couple of links that shed some light. It seems that if it's implemented properly it would definitely add a layer of security.

http://security.stackexchange.com/qu...ktop-mode-work

https://blogs.msdn.com/b/uac/archive...edirected=true

Edit:

I don't know that Keepass is really "way ahead of its competitors" when it lacks two-factor authentication (TFA). TFA is a standard feature in LastPass.

Last edited by Victek123 : September 2nd, 2012 at 12:48 PM.
#59 | discs | September 2nd, 2012, 10:32 PM

Thanks for the links on secure desktop; the first link is actually the one I read a long while ago, and couldn't find. It's good you posted it because it covers the topic well, and gives some insight into the advantages of a secure desktop. These security advantages are excellent even when the model isn't implemented to its fullest - and these are the secure desktop advantages in Keepass I have focused on. The article also covers its limitations when secure desktop implementation doesn't fully replicate the UAC model, as Keepass's secure desktop possibly doesn't.

Your second point about Keepass lacking 2 factor authentication (TFA). It has TFA - just seems to be hidden away in the documentation.

Keepass firstly offers TFA through YubiKey (which is open source) http://keepass.info/help/kb/yubikey.html. Lastpass also offers YubiKey TFA - but only as part of their premium package.

More recently (and I am not up to the mark on this) I believe TFA in Keepass is also implemented in a free open source Keepass plugin developed by Dominik Reichl (the developer of Keepass). The plugin is called KeeOtp:

This [KeeOtp] is a KeePass plugin that adds support for two factor authentication into other systems using TOTP (Timed One Time Passwords). It stores TOTP secret keys in the KeePass database and generates TOTP codes from the key within KeePass.

KeeOtp is compatible with Google's 2-Step Verification and Amazon AWS MFA. It will work with most other RFC 6238 compliant TOTP implementations as well. http://keepass.info/plugins.html#otpkeyprov


I started this thread to highlight how far ahead of other password managers Keepass is - btw, did I mention it even provides TFA? Actually, I only focused on areas where Keepass surpasses other main password managers, in summary:
  • Secure Desktop
  • Auto-type Obfuscation
  • No Browser Integration
  • Open Source
As far as I can see, the Keepass developer doesn't push his free and open source product. You either see it for what it is - or you miss it.

I also started this thread to highlight a weakness in Keepass - and the need for the use of the OptionLock plugin to cover what I saw as a security hole.

For my part I believe I have, in the above contexts, travelled the thread as far as I can. Today, I installed a Linux system (something I know little about) and will be devoting my time to learning this new operating system. So, forgive me when you don't see me come back on further posts, questions and comments you may have wanted to address to me.

Last edited by discs : September 2nd, 2012 at 11:26 PM.
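The TOTP generation that KeeOtp is described as doing in the post above, as an added example in Python that is not KeeOtp's or KeePass's code: it implements RFC 6238 (HMAC-SHA1 over the 30-second time counter, dynamic truncation, fixed-width decimal digits) on top of RFC 4226 HOTP, decodes the base32 secret that services such as Google's 2-Step Verification and AWS MFA hand out at enrolment, and shows the server-side check with a small clock-drift window. The secret and timestamps are the RFCs' published test vector; the window size, function names and the base32 whitespace handling are assumptions of this example.

```python
"""RFC 6238 TOTP on top of RFC 4226 HOTP (added example; not KeeOtp/KeePass code)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226/6238 test-vector secret, ASCII "12345678901234567890". Enrolment
# pages and QR codes hand the same kind of key out base32-encoded.
RFC_TEST_KEY = b"12345678901234567890"
RFC_TEST_KEY_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 secret as shown on setup pages. Providers commonly omit
    the '=' padding and insert spaces or lower-case letters; all are tolerated
    (assumed tolerance, not part of the RFC)."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)            # restore padding to a multiple of 8 chars
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                    # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)            # keep leading zeros


def totp(key: bytes, unix_time: Optional[float] = None, step: int = 30,
         digits: int = 6, t0: int = 0, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor((T - T0) / X)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(key, int((unix_time - t0) // step), digits, algorithm)


def verify_totp(key: bytes, submitted: str, unix_time: float, window: int = 1,
                step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> Optional[int]:
    """Server-side check tolerating `window` steps of clock drift either way.
    Returns the counter that matched (so the caller can refuse a second use of
    the same counter, RFC 6238 section 5.2), or None. Comparison is constant-time."""
    base = int(unix_time // step)
    for drift in range(-window, window + 1):
        candidate = hotp(key, base + drift, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):
            return base + drift
    return None


if __name__ == "__main__":
    key = decode_base32_secret(RFC_TEST_KEY_BASE32)
    print(totp(key, 59, digits=8))      # RFC 6238 vector for T=59: 94287082
    print(totp(key))                    # the code an authenticator would show right now
```

The generator side is all a plugin like KeeOtp needs; `verify_totp` is what the service does and is included because the drift window and the "never accept the same counter twice" rule are where home-grown verifiers usually go wrong. A TOTP secret stored in the same database as the password is still only one device's worth of protection, so in KeePass it strengthens the second site's login, not the database itself.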
#60 | Victek123 | September 2nd, 2012, 10:53 PM

Quote:
Originally Posted by discs
Your second point about Keepass lacking 2 factor authentication (TFA). It doesn't actually - just seems to be hidden away in the documentation.

Keepass firstly offers TFA through YubiKey (which is open source) http://keepass.info/help/kb/yubikey.html. Lastpass also offers YubiKey TFA - but only as part of their premium package.

More recently (and I am not up to the mark on this) I believe TFA in Keepass is also implemented in a free open source Keepass plugin developed by Dominik Reichl (the developer of Keepass). The plugin is called KeeOtp:

I'm glad to hear that I was wrong about Keepass and two factor authentication. I currently use LastPass, but I've used KeePass previously and I'm pleased to see that it keeps getting better. People who use either are far ahead of the norm.
#61 | moontan | September 8th, 2012, 11:33 AM

version 2.20 released today.

changelog:
http://keepass.info/news/n120908_2.20.html
#62 | lordraiden | September 8th, 2012, 01:43 PM

Is there any way to activate this by default?
http://keepass.info/help/v2/autotype_obfuscation.html
So I don't have to go one by one.

Could this be better than the default one?
http://gogogadgetscott.info/keepass/twofishcipher/
#63 | moontan | September 8th, 2012, 02:36 PM

Quote:
Originally Posted by lordraiden
Is there any way to activate this by default?
http://keepass.info/help/v2/autotype_obfuscation.html
So I don't have to go one by one.

Could this be better than the default one?
http://gogogadgetscott.info/keepass/twofishcipher/

you have to go one by one.
i did not see anything in the global settings.

Quote:
KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.
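The two-channel auto-type obfuscation asked about in #62 (the autotype_obfuscation.html link), as an added Python simulation that is not KeePass's code: the secret is cut into parts that alternate between the keystroke channel and the clipboard channel, and a keystroke logger, a clipboard monitor and the target edit control are modelled as separate observers, so one can see what each channel leaks on its own and that only the control receiving both channels ends up with the whole string. The part sizes, the strict alternation and the observer classes are simplified assumptions of this example; KeePass chooses its parts and typing order differently.

```python
"""Simulation of two-channel auto-type obfuscation (added example, not KeePass code)."""
import random
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Part:
    channel: str   # "key": simulated keystrokes; "paste": clipboard + Ctrl+V
    text: str


def split_two_channel(secret: str, rng: random.Random,
                      min_part: int = 1, max_part: int = 3) -> List[Part]:
    """Cut `secret` into consecutive parts of random length and alternate the
    channel from part to part. Alternation guarantees that no two adjacent parts
    travel the same way, so neither channel on its own carries the whole secret.
    (Assumed, simplified scheme; KeePass's real part selection differs.)"""
    parts: List[Part] = []
    channel = rng.choice(["key", "paste"])
    i = 0
    while i < len(secret):
        n = rng.randint(min_part, max_part)
        parts.append(Part(channel, secret[i:i + n]))
        i += n
        channel = "paste" if channel == "key" else "key"
    return parts


@dataclass
class Observers:
    """What three parties see while the string is auto-typed."""
    keylog: List[str] = field(default_factory=list)   # keystroke logger: keys incl. Ctrl+V
    cliplog: List[str] = field(default_factory=list)  # clipboard monitor: every new clipboard value
    target: str = ""                                  # the edit control being filled


def auto_type(parts: List[Part], obs: Observers, user_clipboard: str) -> str:
    """Replay the parts against the observers; returns the clipboard content afterwards."""
    clipboard = user_clipboard
    for p in parts:
        if p.channel == "key":
            obs.keylog.append(p.text)          # typed characters are visible to a keylogger
            obs.target += p.text
        else:
            clipboard = p.text                 # place this part on the clipboard ...
            obs.cliplog.append(clipboard)      # ... where a clipboard monitor sees it ...
            obs.keylog.append("<Ctrl+V>")      # ... and paste it with one key chord
            obs.target += clipboard
    clipboard = user_clipboard                 # restore what the user had on the clipboard
    return clipboard


def simulate(secret: str, seed: int,
             user_clipboard: str = "shopping list") -> Tuple[str, List[str], str, str]:
    """Returns (keylogger view, clipboard monitor view, clipboard afterwards, target)."""
    rng = random.Random(seed)                  # seeded only to make the run reproducible
    obs = Observers()
    final_clip = auto_type(split_two_channel(secret, rng), obs, user_clipboard)
    return "".join(obs.keylog), obs.cliplog, final_clip, obs.target


if __name__ == "__main__":
    # Constructed sample secret; any string works.
    k, c, _, t = simulate("Tr0ub4dor&3-correct", seed=7)
    print("keylogger saw:  ", k)
    print("clipboard saw:  ", c)
    print("field received: ", t)
```

The point the simulation makes is also the limit of the technique: a keystroke logger sees fragments plus Ctrl+V chords, a clipboard monitor sees the other fragments, and malware that hooks both channels on the same machine can reassemble the string. Obfuscation raises the cost of a generic keylogger; it is not a substitute for a clean host.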
Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums