KeePass: the global login shortcut to ease your life
There are many great password managers out there which all have their advantages and disadvantages. My password manager of choice is KeePass and I do not seem to be the only one here on Ghacks that uses the password manager. One of the great features of the password manager is its extensibility with plugins that add features to the program that it does not support by default.
Many KeePass users install browser plugins for instance to improve the workflow on the Internet as they can fill out the information on supported websites directly which is comfortable and preferred over copying and pasting the data.
What's interesting in this regard however is that the default version of KeePass supports a global login shortcut that you can make use of to fill out the login information on sites automatically. Instead of having to use copy and paste twice, once for the username and once for the password, or a browser plugin that adds third party code to the system, it is possible to simply hit Ctrl-Alt-A to fill out the login information.
I have tested this in Firefox only but it should work in other web browsers as well. Let me explain to you how you need to prepare your data in KeePass to be recognized on the right website.
Some of you may think that it is the url field that is compared but that is apparently not the case. The following applies instead:
When you press the hot key, KeePass looks at the title of the currently opened window and searches the currently opened database for usable entries. If KeePass finds multiple entries that can be used, it displays a selection dialog. An entry is considered to be usable for the current window title when at least one of the following conditions is fulfilled:
- The title of the entry is a substring of the currently active window title.
- The entry has a window/sequence association, of which the window specifier matches the currently active window title.
So, at least part of the website's title needs to be in the title entry of the saved login information. On Twitter, you need Twitter as the title for it to be recognized automatically for instance.
Part of the title is displayed in the browser tab which you can then use fully or partially for the title field. If that is not enough, view the source code and locate the title field to see the full page title.
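The two matching rules above, as an added example (not KeePass code and not from the original article): it lists which entries would be offered for a given window title and flags entry titles that are short or match more than one window, which is worth checking in your own database. The `Entry` class, the case-insensitive comparison, the `*`-only wildcard handling and all sample titles are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Entry:                      # hypothetical stand-in for a database entry
    title: str
    window_specs: list = field(default_factory=list)  # window/sequence associations

def spec_matches(spec, window_title):
    # Assumption: '*' is the only wildcard, comparison ignores case.
    pattern = ".*".join(re.escape(part) for part in spec.split("*"))
    return re.fullmatch(pattern, window_title, re.IGNORECASE | re.DOTALL) is not None

def usable_entries(entries, window_title):
    """Titles of entries that satisfy at least one of the two rules."""
    active = window_title.lower()
    hits = []
    for e in entries:
        # Rule 1: entry title is a substring of the active window title.
        by_title = bool(e.title) and e.title.lower() in active
        # Rule 2: a window specifier matches the active window title.
        by_spec = any(spec_matches(s, window_title) for s in e.window_specs)
        if by_title or by_spec:
            hits.append(e.title)
    return hits

def audit(entries, window_titles, min_len=6):
    """Flag entries that are short or match more than one sample window."""
    report = {}
    for e in entries:
        matched = [w for w in window_titles if usable_entries([e], w)]
        reasons = []
        if len(e.title) < min_len:
            reasons.append("short title")
        if len(matched) > 1:
            reasons.append(f"matches {len(matched)} windows")
        if reasons:
            report[e.title] = reasons
    return report

# Constructed sample data, not taken from a real database.
ENTRIES = [Entry("Twitter"), Entry("Mail"), Entry("Bank login", ["Example Bank*"])]
WINDOWS = [
    "Twitter - Mozilla Firefox",
    "How to delete your Twitter account - Example Blog - Mozilla Firefox",
    "Mail settings - Example Webmail - Mozilla Firefox",
    "Example Bank - Sign in - Mozilla Firefox",
]
if __name__ == "__main__":
    print(audit(ENTRIES, WINDOWS))
```

Entries that the audit flags are candidates for a longer, more specific title or for an explicit window association instead of the bare site name.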
While you may need to edit titles in the KeePass database to match titles so that you can use the global shortcut, doing so may simplify life for you in the long run.
I love KeePass. Been using it for a while to store a ton of passwords. I never knew about the “Ctrl-Alt-A”, thanks for the tip. I use the Firefox plug-in “KeeFox”. It integrates with KeePass very well. Once it is configured properly it will automatically log you onto most of the websites you have listed by just visiting those URLs via Firefox.
Also “KeePassDroid” works well on Android phones. I just transfer my KeePass database to a folder on my phone via cable. I am not sure if there is an equivalent for iPhones since I just own a Galaxy Note 2.
Actually, if you hit tools at the bottom you can choose the target window. It brings up a listing of all of the titles of the windows open at the time and you can choose the appropriate one. If you use multiple browsers you can do this multiple times to have it work on each browser.
Doing this also works with non-browser login windows with a unique title window.
Great tip, thanks.
Might this approach not lead to a spoof website using a keyword in the title and trapping your login?
If you land on a fake site and press the combination, then yes, I’d assume it would. I do not really understand the decision to only use titles. While I can understand that it is necessary for desktop programs, it is definitely a security risk on the web. It is likely however that only window titles are available to KeePass and not urls, making it the only option to send data to the window.
I’ve been using KeePass for a few months and I didn’t know about these browser plugins.
I’ll give it a try.
Wow! Keepass is just a really useful and terrific (and secure) product. I use a few of the plugins, and haven’t been disappointed yet. Thanks for the tip.
I used KeePass a long time ago when there wasn’t (weren’t?) as many choices as we have today. I’m not sure why I stopped.
I’ll look into it again.
You usually provide a link.
Were you out late last night? :)
You should consider using Two-Channel Auto-Type Obfuscation to protect yourself against standard keyloggers. For more information see http://keepass.info/help/v2/autotype_obfuscation.html
I’m asking myself, if AutoType is more or less secure than using copy/paste, but can’t find an “official” statement. Any opinions?
Something else… I just checked out the plug-ins and at the bottom of the page keepass.info/plugins I found the following statement:
“The plugins offered on this page are developed by different, independent authors. The KeePass team cannot check all plugins for bugs and malicious code before they are distributed here.”
How can I be certain that the plug-ins I want to use don’t harm me? For example I’d like to use TrueCrypt AutoDismount, but how can I be sure it doesn’t spy on me, worst case it reads out my TrueCrypt passwords?
On topic: There’s a plug-in to execute auto-type based on the current web browser URL instead of the window title: keepass.info/plugins.html#webautotype
You can’t be sure without looking into the source code or monitoring your network for any suspicious activity. But in the context of a personal computer, in general it is quite unlikely, although not unimaginable, that common plugins that are generally considered trustworthy are provided with any malicious intent and/or with a security vulnerability that wasn’t identified by some community member at one point or another.
I do agree, however, that a best practice is avoiding installing unnecessary plugins, leveraging KeePass’s functions as much as possible, and installing only the plugins that one actually needs and uses and not just because a plugin looks “cool” or because it might be useful. After a while each person develops his/her own use pattern depending on one’s needs and preferences, and this pattern and preferences should dictate what plugins to install.
Therefore it is a good idea for beginners to start using the bare-bone version of KeePass, try to find solutions to what they need using its built-in features, and after using it for a while it will become more evident what one needs in terms of plugins, if at all. The average KeePass user – the one who just wants to manage passwords and other sensitive data – probably doesn’t need any plugins at all.
This is indeed a very useful method to integrate KeePass with any browser without installing third-party plugins and/or extensions that ultimately might create a security vulnerability.
However, and as mentioned, the association method between the websites and the relevant entries is not very secure, although it could be argued that most people using KeePass (or any similar password management solution) are security-conscious enough to at least be vigilant about what they are typing and where they type it in and/or less susceptible to phishing attempts in general.
Another shortcoming of this method compared to using plugins is the fact that this method allows one to only output the credentials into the login fields, but does not automatically capture and store/update them in the database, which in general is a very useful feature to have.
On the other hand, by requiring manual creation of every entry this method allows one to create entries to websites that do not offer auto-saving of the login details (with the use of a bookmarklet that is) and to create entries for websites with more than just the username and password fields.
It could also be argued that by requiring the user to take a moment and manually create every entry, it could make them reconsider if that website is really worth registering to – thus preventing some bloat which in this context might lead to a security risk. On the other hand, it could be argued that “lazy” users won’t bother to create manual entries for some websites and instead will opt for the one-size-fits-all password method that is an even worse solution from a security perspective.