Keepass - a further leap ahead with OptionLock

Discussion in 'privacy technology' started by discs, Aug 7, 2012.

Thread Status:
Not open for further replies.
  1. discs

    discs Registered Member

    Joined:
    May 17, 2011
    Posts:
    44
    Location:
    UK
    Selection Limitation
    A limitation of these secure edit controls is that you can't select a range of characters. You for example cannot select 3 characters and replace them by the current contents of the clipboard using the paste command.
    Are you, indirectly, referring to the above, Page42?

    I don't use the copy/paste command in my manual 'manipulation' of a password entry. The secure edit controls do allow selecting, and then over-typing selected text.

    Or, were you just pointing to yet another Keepass 'leap-ahead' :).
     
    Last edited: Aug 31, 2012
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Thanks for the explanation and links. Using Secure Desktop for entering the master password is definitely a good idea that I hope will be adopted by LastPass (must get over to their forum and ask about this) and others.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Just kind of piggybacking on this post... maybe partially back-filling the editing security hole we were discussing. ;)
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I purposefully wait for the bell tone before entering the master password.
    There is an advanced setting (I believe it is selected by default) that says:
    Sometimes there is a bit of a delay between when the password dialog appears and the tone sounds. :cool:
     
  5. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Pretty sure you can exploit that secure desktop. It does not run under UAC policy, I don't believe. The protection just stems from the fact most malware is unaware of multiple WinOS desktops (and so are most users).

    Also it seems all this integration (hotkey or autofill) is universally jackable via a cleartext form grab/keylogger which could be prevented somehow by decrypting your saved passwords securely as keepass does now but creating the web page submission also by reencrypting your submission with the ssl session key before passed out of memory protection to the browser. In other words, all these password managers are secure until they enter the password--a big oversight. Now form grabbers could never grab because at no point is it in cleartext.

    This would mean that the browser would have pass keepass the handshake session key to encrypt your passwords before it submits them back which could prove even more dangerous and difficult. Just seems silly to have cleartext sitting in the browser when most high-level transactions offer public keys to create random session keys we could use to prevent cleartext insertion.

    & yes, I haven't really thought too deeply about this. Probably not possible.:argh:
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    I looked into this and it turns out that the problem is with the LastPass plugin for Dolphin browser. It has very few features and I would not recommend it. I installed the standalone LastPass android app and it has automatic timed logoff and other safety features such as timed re-validation using a PIN.
     
  7. discs

    discs Registered Member

    Joined:
    May 17, 2011
    Posts:
    44
    Location:
    UK
    Your assertions above may or not be valid (if you genuinely care about that you may wish to post on the Keepass forums: http://sourceforge.net/projects/keepass/forums/forum/329220).

    The Keepass developers would be the last ones to claim that it is impregnable (especially re the Secure Desktop - where the point you make about sophisticated malware aware of multiple WinOS desktops being able to bypass it has been made by the lead Keepass developer himself. Nevertheless, the additional screen-logging protection, and more, that the secure desktop in Keepass offers for the master password makes it greatly superior to other password managers).

    The point of this thread was simply to highlight that Keepass is way ahead of its 'competitors', and that it is also open source.
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    The matter of Secure Desktops is complex. Here are a couple of links that shed some light. It seems that if it's implemented properly it would definitely add a layer of security.

    http://security.stackexchange.com/questions/3759/how-does-the-windows-secure-desktop-mode-work

    https://blogs.msdn.com/b/uac/archive/2006/05/03/589561.aspx?Redirected=true

    Edit:

    I don't know that Keepass is really "way ahead of its competitors" when it lacks two-factor authentication (TFA). TFA is a standard feature in LastPass.
     
    Last edited: Sep 2, 2012
  9. discs

    discs Registered Member

    Joined:
    May 17, 2011
    Posts:
    44
    Location:
    UK
    Thanks for the links on secure desktop; the first link is actually the one I read a long while ago, and couldn't find. It's good you posted it because it covers the topic well, and gives some insight into the advantages of a secure desktop. These security advantages are excellent even when the model isn't implemented to its fullest - and these are the secure desktop advantages in Keepass I have focused on :). The article also covers its limitations when secure desktop implementation doesn't fully replicate the UAC model, as Keepass's secure desktop possibly doesn't.

    Your second point about Keepass lacking 2 factor authentication (TFA). It has TFA - just seems to be hidden away in the documentation.

    Keepass firstly offers TFA through YubiKey (which is open source) http://keepass.info/help/kb/yubikey.html. Lastpass also offers YubiKey TFA - but only as part of their premium package.

    More recently (and I am not up to the mark on this) I believe TFA in Keepass is also implemented in a free open source Keepass plugin developed by Dominik Reichl (the developer of Keepass). The plugin is called KeeOtp:

    This [KeeOtp] is a KeePass plugin that adds support for two factor authentication into other systems using TOTP (Timed One Time Passwords). It stores TOTP secret keys in the KeePass database and generates TOTP codes from the key within KeePass.

    KeeOtp is compatible with Google's 2-Step Verification and Amazon AWS MFA. It will work with most other RFC 6238 compliant TOTP implementations as well. http://keepass.info/plugins.html#otpkeyprov


    I started this thread to highlight how far ahead of other password managers Keepass is - btw, did I mention it even provides TFA ;). Actually, I only focused on areas where Keepass surpasses other main password managers, in summary:
    • Secure Desktop
    • Auto-type Obfuscation
    • No Browser Integration
    • Open Source
    As far as I can see, the Keepass developer doesn't push his free and open source product. You either see it for what it is - or you miss it.

    I also started this thread to highlight a weakness in Keepass - and the need for the use of the OptionLock plugin to cover what I saw as a security hole.

    For my part I believe I have, in the above contexts, travelled the thread as far as I can. Today, I installed a Linux system (something I know little about) and will be devoting my time to learning this new operating system. So, forgive me when you don't see me come back on further posts, questions and comments you may have wanted to address to me.
     
    Last edited: Sep 2, 2012
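The post above describes KeeOtp as generating RFC 6238 TOTP codes from a secret stored in the database, the same scheme Google's 2-Step Verification and AWS MFA use. The following is an added worked example of that algorithm; it is not code from the original thread, from KeePass or from the KeeOtp plugin. The 20-byte ASCII secret and the timestamps come from the test vectors in RFC 6238 Appendix B (the RFC lists 8-digit codes; the 6-digit codes an authenticator app shows are the last six digits of those). The base32 handling mirrors how Google-style secrets are usually displayed (lowercase, grouped, unpadded); the `verify_totp` window of one step either side is a common practice assumption, not something the thread specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from RFC 6238 Appendix B (constructed test input, not a real key).
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation
    to a 31-bit integer, then the low `digits` decimal digits (zero-padded)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals elapsed since `t0` (defaults match Google Authenticator)."""
    counter = (unix_time - t0) // step
    return hotp(secret, counter, digits, digestmod)


def totp_from_base32(secret_b32: str, unix_time: int, **kw) -> str:
    """Google 2-Step / AWS MFA style secrets are base32 (RFC 4648). Enrollment
    pages often show them lowercase, space-grouped and without '=' padding, so
    normalize before decoding."""
    normalized = secret_b32.replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)
    return totp(base64.b32decode(normalized), unix_time, **kw)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1, **kw) -> bool:
    """Server-side check: accept the code for the current step and up to `window`
    steps either side (clock skew), comparing in constant time so the check
    itself does not leak which digits matched."""
    step = kw.get("step", 30)
    for skew in range(-window, window + 1):
        candidate = totp(secret, unix_time + skew * step, **kw)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: T=59 -> 8-digit 94287082, so the 6-digit code is 287082.
    print("T=59 ->", totp(RFC6238_SHA1_SECRET, 59))
    print("now  ->", totp(RFC6238_SHA1_SECRET, int(time.time())))
```

Running the module prints the RFC vector for T=59 and the code for the current time; the same secret pasted into an RFC 6238 compliant app produces the same rotating code, which is exactly what lets a KeePass plugin stand in for a phone authenticator.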
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    I'm glad to hear that I was wrong about Keepass and two factor authentication. I currently use LastPass, but I've used KeePass previously and I'm pleased to see that it keeps getting better. People who use either are far ahead of the norm.
     
  11. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
  12. guest

    guest Guest

  13. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    You have to go one by one.
    I did not see anything in the global settings.

     