kee-org / KeeFox

Legacy browser and XUL application integration with KeePass Password Safe. See https://github.com/kee-org/browser-addon for the new version for Firefox 57+
https://forum.kee.pm

It is too easy to lose a generated password #577

Closed damienleone closed 8 years ago

damienleone commented 9 years ago

Say I want to create an account on a new website. I will generate a password, create an account, log off, log in again and save the entry. By the time I log in again, chances are that something else ends up in my clipboard, effectively losing the generated password.

When KeePass generates a password, it shows a list of passwords that I can copy and paste. Even if I lose my clipboard, I can still retrieve my password from that list.

There should be a similar feature or some kind of way to retrieve the last generated password in KeeFox.

damienleone commented 9 years ago

A good example of that is those stupid websites that ask you to answer secret questions for password recovery. I always generate passwords for those too. So I have to open a text file to write down the different generated passwords before I can properly add them to the KeePass entry.

skibbipl commented 9 years ago

In fact I lost one password due to the scenario you described. Fortunately I was able to reset it later. Anyway I would suggest creating a mechanism like LastPass has - when generating a new password it's automatically saved as a "Generated password for site.com" entry. This way you will have a temporarily stored password in KeePass.

luckyrat commented 8 years ago

I want to improve this situation so I've been thinking about how to approach it.

It effectively boils down to whether we store the newly created password in KeeFox/Firefox or KeePass.

Firefox

Pros

Cons

KeePass

Pros

Cons

Conclusion(ish)

I think on balance the KeePass approach is probably the most promising so here's my first attempt at mitigating the cons.

We could choose to send the password to Firefox/clipboard before initiating the save which would keep the speed comparable to the current implementation, albeit with the risk of a later failure to save still leaving you with a missing password. I think the chance of KeePass failing to save before the user has been able to submit a password change form to the internet is quite low so am inclined to accept that risk and go for the faster approach.

We should always put the passwords in a known subfolder, perhaps "KeeFox automatically generated passwords". Each entry will be hidden from KeeFox so we avoid creating entries in the KeeFox UI for these incomplete entries.

We could set the passwords to automatically expire but that could often conflict with users' preferred expired password management process so I think we have to rule out that option.

One option is to just say that it's up to the user to manually delete the contents of the magic folder whenever they want to shrink the size of their database. That's certainly the easiest approach and therefore means it's more likely I'll have time to implement this feature... but despite the lack of any obvious alternatives it feels suboptimal.
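The flow proposed in the comment above (deliver the password first, then try to record it in a known, UI-hidden group, accepting that the save may fail), sketched as an added example that is not part of the thread and is not KeeFox code. `FakeVault`, `handleGeneratedPassword` and the `deliver` callback are hypothetical names, and the vault is a constructed in-memory stand-in for a KeePass database.

```javascript
// Added illustration, not KeeFox code. All names here are hypothetical.
const BACKUP_GROUP = "KeeFox automatically generated passwords"; // folder name proposed in the thread

// Constructed in-memory stand-in for a KeePass database.
class FakeVault {
  constructor({ failSaves = false } = {}) {
    this.groups = new Map();
    this.failSaves = failSaves; // simulate a save that does not succeed
  }
  addEntry(group, entry) {
    if (this.failSaves) throw new Error("save failed");
    if (!this.groups.has(group)) this.groups.set(group, []);
    this.groups.get(group).push(entry);
  }
  // Entries the add-on UI would list: backup entries are filtered out.
  visibleEntries() {
    return [...this.groups.values()].flat().filter((e) => !e.hiddenFromUi);
  }
}

// Deliver first (the fast path), then try to keep a backup copy.
function handleGeneratedPassword(vault, deliver, site, password, now = new Date()) {
  deliver(password); // clipboard or form field receives it immediately
  const entry = {
    title: `Generated password for ${site} (${now.toISOString()})`,
    url: site,
    password,
    hiddenFromUi: true, // keep incomplete entries out of the add-on UI
    expires: null, // no automatic expiry, which the thread rules out
  };
  try {
    vault.addEntry(BACKUP_GROUP, entry); // one new entry per generation
    return { delivered: true, backedUp: true };
  } catch (err) {
    // The accepted risk: the user has the password but no backup exists,
    // so the caller should surface this rather than fail silently.
    return { delivered: true, backedUp: false, error: err.message };
  }
}
```

Returning `backedUp: false` instead of throwing keeps the fast path intact while letting the caller warn the user that the clipboard holds the only copy.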

skibbipl commented 8 years ago

I like the KeePass approach of storing passwords. Also in LastPass temporarily saved passwords were updated to full site entries after first successful login. Therefore you didn't have any extra entries, unless you generated passwords but never used them for login. Auto expire seems fine, but I think users should decide whether to delete or keep generated passwords. Also will KeeFox generate multiple entries for specific site if I generate several passwords?

luckyrat commented 8 years ago

> Also will KeeFox generate multiple entries for specific site if I generate several passwords?

Yeah I think that's the best approach. Although that might make it more difficult to extend this feature into an "automatic entry creation after first login" feature, I'm more interested in the prevention of data loss than enabling a new account creation workflow at the moment.

luckyrat commented 8 years ago

This is available in KeeFox 1.6.0b1: https://addons.mozilla.org/en-US/firefox/addon/keefox/versions/beta

Unfortunately it is impossible to automatically save the generated passwords to disk because KeePass' and Firefox's window focussing code conflicts in a way which breaks the display of the KeeFox advanced password generation feature. Nonetheless, I think the ability to at least attempt to store a record of the password somewhere other than the clipboard is better than nothing.