Kunzisoft / KeePassDX

Lightweight vault and password manager for Android. KeePassDX allows editing encrypted data in a single file in KeePass format and filling in forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

Clear master password entry upon switching app #321

Open Currrupted opened 5 years ago

Currrupted commented 5 years ago

When opening my database in KeePassDX on my Android phone, I noticed something that seemed unsettling to me. I opened the application and saw that my master password was still entered and visible, even though I had not been using it for some time. I must have forgotten to actually decrypt my database and I was worried what might have happened if I gave my phone to someone with my password clearly visible.

To me, this does seem like a security issue, even though it is of course unlikely that someone would actually be able to acquire the master key this way. I just think that fixing this would minimize the risk the users face.

Scenario: the user launches KeePassDX to get a password for a website and enters their master password, visible in clear text. They are almost finished, but then they receive a message which catches their attention. Unfortunately, they also did not properly close or kill the application and the password remains in the field. Until they open the database or manually close the application, the password to the database is kept visible to other people, such as family members or friends.

What do you think?

J-Jamet commented 5 years ago

A timer should be created that automatically removes the password from the field. I will look to implement the feature but it will not be for now. I already have many other things to do.

Currrupted commented 5 years ago

> A timer should be created that automatically removes the password from the field. I will look to implement the feature but it will not be for now. I already have many other things to do.

If you don't mind, I would be interested in looking for a solution for this. I don't have that much experience with the code of KeePassDX, but it should not be too difficult after some studying.

J-Jamet commented 5 years ago

Yes, of course, I encourage this kind of initiative. It allows for a fresh look at the code. You should look in the PasswordActivity class.

Currrupted commented 4 years ago

> Yes, of course, I encourage this kind of initiative. It allows for a fresh look at the code. You should look in the PasswordActivity class.

I will look into it soon, sorry for the inactivity. Hopefully I will have it finished by the end of the year.
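
One way to combine the timer suggested in this thread with clearing on app switch, as an added example that is not KeePassDX's code and not written by anyone in the thread. The class name `UnlockActivity`, the layout and view ids, and the 30-second timeout are assumptions made for illustration.

```kotlin
import android.os.Bundle
import android.os.Handler
import android.os.Looper
import android.view.WindowManager
import android.widget.EditText
import androidx.appcompat.app.AppCompatActivity
import androidx.core.widget.doAfterTextChanged

// Hypothetical unlock screen; this is not KeePassDX's PasswordActivity.
class UnlockActivity : AppCompatActivity() {

    private val handler = Handler(Looper.getMainLooper())
    private lateinit var passwordField: EditText

    // Runs on the main thread when the idle timeout expires.
    private val clearTask = Runnable { clearPassword() }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Keep the field out of screenshots and the recent-apps thumbnail.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_unlock)          // assumed layout name
        passwordField = findViewById(R.id.password_field) // assumed view id
        // Do not let the framework persist the typed text in saved instance state.
        passwordField.isSaveEnabled = false
        // Restart the countdown on every edit so the timer measures idle time.
        passwordField.doAfterTextChanged { restartTimer() }
    }

    private fun restartTimer() {
        handler.removeCallbacks(clearTask)
        if (passwordField.length() > 0) handler.postDelayed(clearTask, CLEAR_AFTER_MS)
    }

    private fun clearPassword() {
        handler.removeCallbacks(clearTask)
        passwordField.text.clear()
    }

    // onStop fires once the activity is no longer visible (app switch, home, screen off).
    override fun onStop() {
        clearPassword()
        super.onStop()
    }

    private companion object {
        const val CLEAR_AFTER_MS = 30_000L // assumed timeout; would normally be a user setting
    }
}
```

Clearing the `Editable` removes the password from the screen and from the view's state, but it does not guarantee that earlier copies of the characters are erased from process memory.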