keepassxreboot / keepassxc-browser

KeePassXC Browser Extension
GNU General Public License v3.0

Password changes made in browser are lost - not saved to database #184

Open ThePythonicCow opened 6 years ago

ThePythonicCow commented 6 years ago

When I have an existing, password protected, account on some website, where that website and login credentials are known to KeePassXC, then I expect that when I change that password, using the KeePassXC Password Generator to make a nice new random password, that there will be some way to ensure that that new password is saved to the KeePassXC database, updating the password it has saved for that website.

I can find no way whatsoever to make this happen just from within the Browser interface.

I have to open KeePassXC itself, in a separate window, and update the record for that website to have the newly generated password. If I forget to do so, before closing the KeePassXC Password Generator popup in the browser, then my new password for that website is lost forever.

I would like to use KeePassXC to update my passwords on dozens of websites, and it would be much easier to do so, if I could just work within the browser, rather than copying newly generated passwords back and forth between KeePassXC itself (to get it into an updated KeePassXC record) and the admin page for my account on each corresponding website.

The way it is now, for me, is dangerous -- a high risk of losing a newly generated password if I am not careful.

I am using KeePassXC 2.3.3 with the KeePassXC-Browser 1.1.13 Add-on in Firefox 60.0.2 on Gentoo Linux with the /usr/local/bin/keepassxc-proxy proxy.

The particular site I have been playing around the most with this, trying to see if I was missing some user step (if I am ... I'm still missing it) was my Zerohedge.com account, as that's not a critical account for me, and they have quite functional password recovery mechanisms. However every site I've tried this on is the same way. I do have a critical account at one website (an email service for a critical email account of mine) that, until recently, had an essentially impossible and broken password recovery mechanism ... so I am perhaps more sensitive than most to risks of losing an account's password when trying to update it.

My testing is typically when I have the KeePassXC application already opened and running, with its database unlocked, and the above stated proxy running, and with my being able to login to the test website (such as Zerohedge) using the existing login name and soon to be obsolete password obtained from KeePassXC using the (quite nice) login form recognition and field data entering of KeePassXC. Then I go to my account login page for that website, and endeavor to change my password there. The newly created password never ends up back in the KeePassXC database, and is lost forever, unless I manually also enter that new password directly into "Edit entry" screen for that account in the KeePassXC application and click Apply or OK for that screen.

If the above normally works better than this, for most users, on most systems, suggesting that there is something "special" about my system, then I may be able to assist in debugging the problem, if given some specific questions, as I am an ancient Unix/Linux kernel/utilities hacker.

P.S. -- This may actually be a nearly impossible expectation on my part. For some websites, I have multiple login accounts, and without some serious UI and serious logic hacking, the code that was generating a new random password in the browser (even if using the KeePassXC Password Generator) would, perhaps, not know which one of my several login accounts for that website should have its KeePassXC stored password updated. If that is the case, then I recommend == Removing == the interface to the KeePassXC Password Generator in the Browser add-on, as it's an invitation to shoot one's self in the foot (to set some account's password to something that will be immediately and forever after lost.) This in particular would mean == Removing == the "Show Password Generator Icons" option from the KeePassXC context menu for login credential fields, and == Removing == the "Activate password generator" option from the Preferences for this KeePassXC-Browser 1.1.13 Add-on. If the best that can be done with this browser add-on password generator interface is to make it much easier to lose knowledge of your password(s) for a website, then it would be better to not have that interface. I certainly do not know this code well enough to know if this speculation applies here.

varjolintu commented 6 years ago

Does any of those pages where you can update your password update the browser icon to a blinking red lock icon? That opens a dialog where you can update your credentials or save a new entry instead.

ThePythonicCow commented 6 years ago

After (1) bumping BlinkTime and RedirectAllowance in my KeePassXC-Browser settings (as suggested by some other similar reports here), and (2) saying a thank-you to the Gods that I didn't have my KeePassXC-Browser icon buried on my browser's "Overflow Menu" where it would have been out of sight, and (3) proceeding to continue after filling in the new password field to go further without confirmation that my new password would be saved in the KeePassXC database to actually click "Save" on that Zerohedge account admin page to Save that new password, and (4) looking a ways out of where I was focused on my big screen monitor to "way up in the corner":

Yes ... I then did see the blinking red lock KeePassXC icon, as you describe.

I clicked on it. Nothing happened.

Then as also suggested by some other reports here, I clicked on it a second time, and got a pull down menu that read:

[Green: Settings] [Orange: Choose own ...] [Red: Lock]
KeePassXC-Browser has been configured using the identifier "KeePassXC" and is successfully connected to KeePassXC.
[Blue: Redetect Credential Fields]

I do not see anything on that dialog "where I can update my credentials or save a new entry instead."

I am also a bit irritated ... as I have literally spent 2 or 3 hours, over the last couple of days, just getting past the above non-intuitive interface details, to get this far in figuring out how to change passwords within the browser UI.

The rest of KeePassXC all works quite fine, and I am delighted to have a worthy replacement for Lastpass.

So I shall continue to persist on this detail, as I intend to change quite a few passwords, once I figure out a practical, non-error-prone, way of doing it.

But, as you can see, I'm not there yet.

So ... where is that dialog "where I can update my credentials or save a new entry instead" ?

varjolintu commented 6 years ago

I suggest you try the current develop branch (here from GitHub) and load the extension manually. See if it solves the problem. A bug has been fixed where the save dialog didn't appear at the first click. The blinking icon means the password change has been detected.

I'm sorry to hear you have spent so many hours with the problem. If the current dev branch (going to be released as version 1.1.4 soon) doesn't solve it, I'll take a closer look. I'm happy to provide any help to get this to work.

Link to the wiki entry for guide how to load the extension manually and allow it with native messaging.

ThePythonicCow commented 6 years ago

The two clicks needed on the flashing red locked icon is the least of my problems.

So if that's the primary advantage, for my use case, of 1.14 over 1.1.3, I'm quite happy to wait, unless you're seriously looking for someone to test this.

The primary problem and cost of time for me was how long it took to figure out how this worked.

Just finding the various recent bug reports here, which do implicitly say how this (updating the database from changes made in the browser), took me hours. I first found a twitter announcement channel and asked my question briefly there, but that was really the wrong place and nothing useful came of my effort there.

Then I found the recent bug reports on this github project and learned that it takes a sequence of several non-obvious steps to get the database updated with credential changes made in the browser:

  1. Lack of documentation of the following.
  2. BlinkTime setting must be high enough to notice.
  3. RedirectAllowance must be high enough for whatever redirects the website does.
  4. User will not see any feedback until after they Save their changed credentials.
  5. Feedback will be a small blinking icon, perhaps hidden in the icon Overflow Menu (Firefox term).
  6. Clicking (or perhaps clicking twice) on that icon should enable one to then update the database.

All of these seem essential. Nothing is obvious until all are done or noticed. None of this is documented that I can find, except implicitly in recent bug reports here. It was not obvious to even be here on this github project for these questions, as it is not obvious when just using KeePassXC how young it is. The product seems quite polished and more "aged" like fine wine in other respects, so I did not instinctively go looking for the github developers project to get assistance.

So presently I have two issues that remain more important from my perspective:

Items (1) through (3) above I've figured out now, and (4) looks to be a (now minor) issue, for my immediate needs, that will likely soon be fixed.

The two big issues in my present view:

[A] Most new users will NOT make it through the maze (blindly getting several sequential steps correct, without documentation or intermediate feedback) to successfully update login credentials in the browser and have those updates make it into their KeePassXC database.

[B] Item (5) above is still unanswered for me. I stated in detail, in my previous reply to this bug report, what I see after I click the red blinking lock icon twice. I do NOT see the dialog "where I can update my credentials or save a new entry instead" ?

[A] is essential for those who come after me, and [B] is essential for both them, and me.

droidmonkey commented 6 years ago

For the record, this same crappy behavior you describe was present in the base plugin that the current one is derived from (keepasshttp). I dislike it too and echo your frustrations. We are steadily correcting all these problems as @varjolintu mentioned.

varjolintu commented 6 years ago

I agree the documentation is out of date, and we need a proper guide that is more detailed than the migration one.

Good example of this is that Save credentials used from the context menu has been forgotten. That should trigger the credential update popup manually.

Thank you for such detailed explanations.

ThePythonicCow commented 6 years ago

Hi varjolintu, or other contributor to KeePassX Reboot:

Thanks for all the work to provide an excellent password manager. My two year subscription to Lastpass expires in a few weeks, and I will not be renewing it, now that I have what is, in many important ways, a superior alternative with KeePassXC. I have successfully moved over nearly 400 web accounts from Lastpass to KeePassXC and disabled Lastpass on my system, for what is likely the last time.

I do have quite a few (dozens) of web accounts on which I intend to change my password. The security model for Lastpass is less clear to me than that for KeePassXC, and now that I have left Lastpass behind, I'd like to change the passwords on my more important accounts, away from whatever Lastpass might ever have seen.


I have one question (buried in all my other chatter above) that you might be able to answer easily; then I will have done what I can do here, and wish you well.

The question is whether or not the following is what I should expect, just after I've changed a password on some website in my browser and have clicked to leave that webpage (clicking on "Save" or whatever on that page).

If I see the flashing red lock at that point and (single/double, as needed) click on it, should I expect to see the following:

[Green: Settings] [Orange: Choose own ...] [Red: Lock]
KeePassXC-Browser has been configured using the identifier "KeePassXC" and is successfully connected to KeePassXC.
[Blue: Redetect Credential Fields]

If "yes" (I should expect to see that) then how is that the dialog "where I can update my credentials or save a new entry instead"?

If "no", then that's another bug of some sort or other, that I didn't see whatever other dialog you would have expected me to see.

If "yes", and if there is some way that I can use the above dialog to update my credentials, to transfer from that web page back into the KeePassXC database my updated password, then I'd appreciate someone telling me how to do that. Otherwise, I'll have to do it the "hard way" for now, manually updating both the KeePassXC database and the website's password for my account, by separate, parallel, efforts.

If this question is not easily answered, for whatever reason, that's ok too. Perhaps those, such as yourself varjolintu, who could answer this question of mine would prefer to continue to stay focused on improving KeePassXC. A wise decision if so.

In any case -- Thanks -- and may the Force be with you!

varjolintu commented 6 years ago

Glad you like KeePassXC and consider it as a superior alternative to the commercial and closed source products!

When you click the red blinking icon you should see the following popup:

Username or password changed! Save it? 
Url: <url> 
Username: <username>
[Green: New] [Orange: Update] [Red: Dismiss] [White: Never ask for this page]
Credentials will be saved in connected database with identifier <databaseid>.

Did you upgrade to version 1.1.4 that was released recently?

ThePythonicCow commented 6 years ago

varjolintu wrote:

When you click the red blinking icon you should see the following popup: Credentials will be saved in connected database with identifier <databaseid>.

I don't recall ever seeing that line in a popup :).

Did you upgrade to version 1.1.4 that was released recently?

I upgraded to 1.1.4 a few hours ago. Some things, on some sites, don't seem to be working quite as well anymore, however I am such a newbie with KeePassXC that I am not a competent reporter on what changed, whether for better or worse. I see others are starting to file more useful reports on 1.1.4 and will leave that effort up to those others.

varjolintu commented 6 years ago

Updates are coming for those issues. Did the Context Menu item Save Credentials help at all?

ThePythonicCow commented 6 years ago

Did the Context Menu item Save Credentials help at all?

I have not yet gotten that to do anything at all ... it's a no-op for me.

Here's what I did:

Using KeePassXC 1.1.4 on Firefox 60.0.2, on the website nutri.com (an online vitamin seller where I have an account) I went to their password change screen, entered my old and new (the latter entered twice, to confirm accuracy) passwords, then I right clicked in the 2nd of those two new password fields and selected "Save Credentials". Nothing happened on screen, and no update was made to the KeePassXC database with my new password. I had just used KeePassXC to access and login to nutri.com, so the KeePassXC database was unlocked and had a working entry for my nutri.com account, and was connected to the browser add-on via the proxy.

Continuing this nutri.com example, I then clicked nutri.com's "Save" button on their password change page, and got a confirmation screen from them that my password had been changed. My KeePassXC icon however did NOT show any red blinking lock, but remained the usual gentle blue key icon. So I still have never seen (that I can recall) a pop-up that ended with the phrase "Credentials will be saved in connected database with identifier <databaseid>." I had to manually, independently, update my KeePassXC database record for nutri.com with the new password that I had established on that website.

varjolintu commented 6 years ago

Thank you for the info. I'll try to reproduce the issue with that particular site.

Facer66 commented 6 years ago

With me it is detecting nothing any more. It doesn't save any new login on any new website. Before it worked great. These are my versions: KeePassXC-Browser Version: 1.1.7, KeePassXC Version: 2.3.3

Firefox and Chrome, Chromium. Before it blinked, now no blinking nothing

varjolintu commented 6 years ago

@Facer66 Is your database open when this happens? I cannot reproduce the issue.

Facer66 commented 6 years ago

@varjolintu Yes the database is open. I am running it as app-image under Linux. I have no clue where to look. If I use it for earlier saved credentials or manually added credentials it works great. This means it finds the credentials for the page where I want to login. Only for new login credentials there is no offering to save it nor a blinking icon.

varjolintu commented 6 years ago

@Facer66 Could you tell the site where this happens? You can also try to modify the Redirect Allowance and Redirect Offset values.

Facer66 commented 6 years ago

@varjolintu It happens since a couple of weeks on all sites and in all webbrowsers. I will first try to modify the Redirect Allowance and Redirect Offset values and see where it leads to. Even when I right click and try: Save credentials nothing happens

Facer66 commented 6 years ago

@varjolintu I tried to modify the Redirect Allowance and Redirect Offset values. No difference with different values. If I am the only one with this problem it should be something local I guess. Using different browsers.

Facer66 commented 6 years ago

@varjolintu I found an older version of the plugin keepassxc-browser 0.4.5.1 from January 15 which works like before. This version was still lying somewhere around on my computer. I guess this means that the newer versions have a problem with me.

I have to add in this message that the old plugin can not connect to the database but the function of the blinking and asking to save the credentials is working with keepassxc-browser 0.4.5.1


Facer66 commented 6 years ago

@varjolintu I went back to version KeePassXC-Browser 1.1.3 in firefox and all is working great again. Database connection, saving credentials and blinking icon ;-)

BTW from Version 1.1.4 it isn't working for me.

varjolintu commented 6 years ago

@Facer66 Version 1.1.7 is the latest. Try that one.

Facer66 commented 6 years ago

@varjolintu Version: 1.1.7 is the one that I was using which gave me problems

varjolintu commented 6 years ago

@Facer66 Ah.. sorry. Totally forgot it. I'll try it again and compare 1.1.3 with 1.1.7 when I have the time. So far everything has been working for me.

Facer66 commented 6 years ago

Yes would be great to find out what the difference is. Until then I will keep using 1.1.3 which is great for me.

varjolintu commented 6 years ago

@Facer66 Can you debug the extension? This works with Chrome: go to the page where you have the problem, right click mouse and select Inspect, and select debugging tab. keepassxc-browser.js should open. The cipForm.onSubmit() function is the one that should trigger the popup in the last line.

varjolintu commented 6 years ago

@ThePythonicCow I tested the site with version 1.1.7. Then I went to the account page and changed my password, first the page displayed a popup that it was updated. I clicked it away, and the extension icon was blinking with red lock icon and I could update my credentials from there right away. So I cannot reproduce this problem.

Facer66 commented 6 years ago

@varjolintu I managed to try as you asked. I don't see keepassxc-browser.js appearing. Only version 1.1.3 saving credentials and blinking icon

varjolintu commented 6 years ago

@Facer66 If you refresh the page and select KeePassXC-Browser from the Inspector's left panel (switch it to Content Scripts first), it should show it in a list. This should work if it's not opened automatically.

ThePythonicCow commented 6 years ago

@varjolintu wrote: << @ThePythonicCow I tested the site with version 1.1.7. Then I went to the account page and changed my password, first the page displayed a popup that it was updated. I clicked it away, and the extension icon was blinking with red lock icon and I could update my credentials from there right away. So I cannot reproduce this problem.>>

I tried it again, on nutri.com, using two configurations:
Firefox 60.0.2, KeePassXC 2.3.3, KeePassXC-Browser 1.1.7
Chromium 66.0.3359.170, KeePassXC 2.3.3, KeePassXC-Browser 1.1.7

In both cases, as reported before, even after clicking on the password updated pop-up, I never saw a blinking red lock icon, and my keepassxc database was never updated automatically. Each time, I had to manually update my keepassxc database with the change to my password that I had made in the Firefox or Chromium browser.

I don't know why I am seeing this problem and you're not. Thanks for trying. Apparently this problem awaits further insight or good fortune.

varjolintu commented 6 years ago

@ThePythonicCow Thank you for trying it again. The only thing that could help this issue is debugging the content script as described above. Maybe even the JavaScript console could show some error messages.

Facer66 commented 6 years ago

@varjolintu I am now seeing: cipForm.onSubmit() in my test I deleted the entry from the keepassxc database. This means the icon should blink. I did some desktop recording for you to see. Is this what you need to see or what I need to debug?

Screencast 2018-06-16 10:53:22.mp4.zip

varjolintu commented 6 years ago

@Facer66 It's line https://github.com/keepassxreboot/keepassxc-browser/blob/develop/keepassxc-browser/keepassxc-browser.js#L548 you should set your breakpoint.

Btw, I tested exactly the same site and I can see the blinking icon right away.

Facer66 commented 6 years ago

I just installed a new Ubuntu-based OS in a virtual environment. Installed a new KeePassXC database + Chrome extension, nothing else installed. Same problem.

I even start to doubt myself what I might do wrong that's why I setup everything fresh and new

If you want I can give you access to this virtual environment with team-viewer or anydesk to see it and to test whatever you want to test

varjolintu commented 6 years ago

Now I got it reproduced. I'll get back to you when I have more information about the reason.

varjolintu commented 6 years ago

Could you test if you disable the option Save domain only from the General settings page and see if it affects this?

Facer66 commented 6 years ago

I tested it: disable the option Save domain only and I see no different behaviour.

varjolintu commented 6 years ago

@Facer66 One more thing you could try.. add some site to the ignore list manually and see if it makes any difference. There's one check missing from the settings and it can cause browserAction.js to return an error and stop the popup execution.

Facer66 commented 6 years ago

@varjolintu I just added some sites to the ignore list manually and that works! It makes the icon blink and asks to store the credentials.

varjolintu commented 6 years ago

@Facer66 Nice! Now I know what the issue is.

Facer66 commented 6 years ago

@varjolintu Great that it has a direction towards a solution.

varjolintu commented 6 years ago

@ThePythonicCow You could try the same workaround while waiting for the fix: add one site manually to the Ignored Sites settings page. Any site will do, except the one you want to save or modify credentials.
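
The failure mode diagnosed in this part of the thread (a settings check is missing, the handler errors out before the save popup is raised, and adding any one ignored site works around it), as an added JavaScript illustration. This is not code from keepassxc-browser: every function name and the `ignoredSites` field are assumptions, and the settings objects are constructed.

```javascript
// Added illustration. Names and the settings shape are hypothetical and are
// not taken from keepassxc-browser; the settings objects are constructed.

// Compare by hostname; returns false for anything that is not a valid URL.
function sameHost(a, b) {
    try {
        return new URL(a).hostname === new URL(b).hostname;
    } catch (e) {
        return false;
    }
}

// Unguarded lookup: assumes the ignored-sites list always exists.
// On a profile where the list was never created, for...of throws a TypeError.
function isIgnoredUnguarded(settings, pageUrl) {
    for (const site of settings.ignoredSites) {
        if (sameHost(site.url, pageUrl)) {
            return true;
        }
    }
    return false;
}

// Guarded lookup: a missing or malformed list means "nothing is ignored".
function isIgnoredGuarded(settings, pageUrl) {
    const sites = Array.isArray(settings.ignoredSites) ? settings.ignoredSites : [];
    return sites.some((site) => Boolean(site) && sameHost(site.url, pageUrl));
}

// Models the step that decides whether to raise the save/update prompt.
// In an extension an uncaught exception here just ends the handler, so the
// user sees nothing; the catch exists only to make that outcome visible.
function decidePrompt(settings, pageUrl, isIgnored) {
    try {
        if (isIgnored(settings, pageUrl)) {
            return { prompt: false, reason: 'ignored' };
        }
        return { prompt: true, reason: 'credentials changed' };
    } catch (err) {
        return { prompt: false, reason: 'handler aborted: ' + err.name };
    }
}

// Constructed profiles and page URL.
const freshProfile = {}; // ignored-sites list never created
const workaroundProfile = { ignoredSites: [{ url: 'https://unrelated.example/' }] };
const ignoringProfile = { ignoredSites: [{ url: 'https://shop.example/' }] };
const page = 'https://shop.example/account/password';

function demo() {
    return {
        freshUnguarded: decidePrompt(freshProfile, page, isIgnoredUnguarded),
        workaroundUnguarded: decidePrompt(workaroundProfile, page, isIgnoredUnguarded),
        freshGuarded: decidePrompt(freshProfile, page, isIgnoredGuarded),
        ignoredGuarded: decidePrompt(ignoringProfile, page, isIgnoredGuarded),
    };
}

console.log(demo());
```

With the unguarded lookup the fresh profile never reaches the prompt, while the same profile with one unrelated ignored site does; the guarded lookup prompts in both cases and still honours a real ignore entry.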

Facer66 commented 6 years ago

@varjolintu @ThePythonicCow Yes that is what I am doing right now. Good workaround for the time being.

tiotrom commented 6 years ago

That workaround works for me too. Chromium and Ubuntu 18.04. However the "blinking" red icon that allows you to save credentials disappears so quickly after the url reloads. So I fill in the fields to register, click register, then red icon appears to save the details in the database, but disappears so fast it is no way for me to click it to save.

varjolintu commented 6 years ago

Feel free to test the current dev branch. It's the base for the next release.

@tiotrom What site does this?

tiotrom commented 6 years ago

That workaround with adding a site to ignored list is not working anymore for me. Chromium and Ubuntu 18.04.

@varjolintu any website. Say https://www.patreon.com/signup. If I fill the signup forms and click sign up, then I can't manage to save that to keepassxc as the website reloads and the Chromium keepassxc icon that got red and asked to save them disappears.

varjolintu commented 6 years ago

@tiotrom Try increasing the value of Redirect Allowance in the settings?

tiotrom commented 6 years ago

That could work. Thanks! Also there might be an issue when we get a re-captcha that we have to solve before confirming the sign up, and that re-captcha may take a while to "solve" and in the meantime the keepassxc blinking icon disappears. I've used LastPass for the past years and switched to keepassxc (and I love it) but one thing LastPass seemed to be doing is to have a persistent way of asking to save new sign up credential, even after the website reloaded. Only when you dismissed that it went away. Maybe keepassxc can do something similar?

varjolintu commented 6 years ago

@tiotrom You can increase the time with tuning the Blink Time setting. But it would be a nice improvement that if you set it to -1 it would wait until the user dismisses it. Thanks for the idea!

tiotrom commented 6 years ago

@varjolintu That would be super useful! It's the main thing that I am missing from LastPass.

varjolintu commented 6 years ago

@tiotrom Follow this to see the progress: https://github.com/keepassxreboot/keepassxc-browser/pull/232.