keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Support "password hints" #3114

Closed AdamPS closed 5 years ago

AdamPS commented 5 years ago

Summary

For critical passwords like banking it's not necessarily a good idea to store them even in a secure tool like KeePassXC. Instead I write myself a cryptic hint and put that in KeePassXC in a custom way using the notes field. Unfortunately the UX is slow. I have to switch from my browser to KeePassXC, find the appropriate notes and then switch back to the browser. Also I have to type the username by hand.

It would be great to integrate hints properly into KeePassXC.

Desired Behavior

In KeePassXC I can create a password hint entry. This would have a username, then instead of a password a special "password hint" attribute that accepts arbitrary text.

In KeePassXC browser, when autofilling, if there is a password hint attribute on the entry, then display it in a popup. Fill the username as normal.

Possible Solution

This is covered above.

Context

I think this would be useful to many people. Storing banking passwords in full is not necessarily recommended.

AdamPS commented 5 years ago

Maintainers: if you think this is a good idea then I will add a bounty.

droidmonkey commented 5 years ago

This is cumbersome and ineffective in my opinion. There is really no legitimate reason to not store your bank password in the encrypted database. If the password to your bank is such that a hint, interpreted by a human, is sufficient to reconstitute the password you are doing it wrong. Your passwords must be completely random 12-20 characters. No hint should even be possible.

Do you do this with your email account? If not I could just reset your password of your bank after hacking your email. (This is assuming I have unencrypted access to your database)

AdamPS commented 5 years ago

@droidmonkey thanks for responding to this issue.

There is really no legitimate reason to not store your bank password in the encrypted database

Not everyone agrees with that statement - for example see https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers which says:

Some service providers (such as certain banks) don’t support the use of password managers. If you tell them you’ve put your banking passwords into one (or written them down in any way at all) they might not give you your money back if you are the victim of cyber crime.

If someone discovered this password, would it result in your life being ruined ... then I wouldn’t put it in a password manager.

Also note that banks often have a second stage of authentication where you have to type in random selected characters from a secondary password. Presumably in this case a password manager cannot auto-fill, so there is a valid case for a hint.

Do you do this with your email account? If not I could just reset your password of your bank after hacking your email. (This is assuming I have unencrypted access to your database)

True, the email is a serious weak point. However I think (hope!) that banks would tend not to allow a reset with email alone but rather require some extra piece of information.

droidmonkey commented 5 years ago

The advice by ncsc is completely false, at least in the USA. Securely storing a randomized password in no way invalidates the right to compensation following a cyber crime. That is just plain ridiculous.

AdamPS commented 5 years ago

Well I live in the UK and that webpage is by my official government agency so I am not going to dismiss it so lightly. Can you provide any references to back up your point of view?

droidmonkey commented 5 years ago

There is an excellent discussion about this here: https://security.stackexchange.com/questions/59298/can-users-make-use-of-a-password-manager-when-banks-tell-them-never-to-write-pas

Bottom line is your country should have liability protection for you, as a consumer, given that you have done everything reasonably possible to protect your information. In the USA we have the EFTA (Electronic Fund Transfer Act) which limits your liability for fraudulent activity given you report it to the bank in a timely manner.

droidmonkey commented 5 years ago

This quote alone makes my skin crawl and is why I completely dismissed the NCSC advice as garbage:

If someone discovered this password, would it result in your life being ruined ... then I wouldn’t put it in a password manager.

That is precisely the scenario where I want a password manager to securely generate and store a very long and complex password.

Btw, good discussion here, thank you for bringing this up.

AdamPS commented 5 years ago

Interesting I will think about it.

I think partly I am concerned about "all eggs in one basket". If I put all my important passwords in the same place there is a risk someone else gets them all and it's really bad. On the other hand I think it will be hard for someone to do that from the password hints as presumably the bank will lock the account if there are too many failed logins.

What are your thoughts about this comment I made a few posts earlier?

Also note that banks often have a second stage of authentication where you have to type in random selected characters from a secondary password. Presumably in this case a password manager cannot auto-fill, so there is a valid case for a hint.

droidmonkey commented 5 years ago

We have a request to implement that, it is called "pickchars".

As for egg baskets, you can always create and use multiple kdbx databases. You can store your most sensitive data in an "offline" database with a very secure access method, such as password + yubikey.
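The "pickchars" idea above (answer a bank's "enter characters 3, 7 and 11 of your memorable word" prompt from a secret that is itself stored, fully random, in the database) can be sketched in a few lines. The following is an added illustration written for this thread, not KeePassXC or KeePass code, and it does not implement the real `{PICKCHARS}` placeholder; the secret names, sample secrets and the `answer_prompt` prompt shape are constructed assumptions. It also supports several named "memorable" items, since sites may pick one of them at random, and reports the entropy of a generated secret so the contrast with a human-reconstructable hint is visible.

```python
import math
import secrets
import string

# Alphabet used for generated secrets (letters and digits only, since banks
# commonly reject symbols in "memorable" fields; this is an assumption).
ALPHABET = string.ascii_letters + string.digits


def generate_secret(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate a random secret with the CSPRNG from the `secrets` module."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(len(alphabet))


def pick_chars(secret: str, positions, one_based: bool = True) -> str:
    """Return the characters of `secret` at the requested positions.

    Banks number positions from 1, so positions are 1-based by default.
    Out-of-range positions raise rather than silently returning nothing,
    because a wrong answer burns one of the site's failed-login attempts.
    """
    out = []
    for pos in positions:
        idx = pos - 1 if one_based else pos
        if idx < 0 or idx >= len(secret):
            raise ValueError(
                f"position {pos} is outside a secret of length {len(secret)}"
            )
        out.append(secret[idx])
    return "".join(out)


def answer_prompt(secrets_by_name: dict, prompt) -> str:
    """Answer a prompt of the form (item_name, [positions]).

    `secrets_by_name` maps the site's item label (e.g. "memorable word")
    to the stored secret; the label itself is a hypothetical attribute name.
    """
    name, positions = prompt
    if name not in secrets_by_name:
        raise KeyError(f"no stored secret for item {name!r}")
    return pick_chars(secrets_by_name[name], positions)


# Constructed sample entry: two randomly chosen "memorable" items, as a bank
# might require. Neither can be reconstructed by a human from a hint.
SAMPLE_SECRETS = {
    "memorable word": "q7Lp2VxZ9aRt",
    "memorable place": "Mn3kQ8wY",
}


if __name__ == "__main__":
    fresh = generate_secret(16)
    print(f"generated {fresh!r} ({entropy_bits(16):.1f} bits)")
    # Constructed prompt: the site asks for characters 1, 4 and 12.
    print(answer_prompt(SAMPLE_SECRETS, ("memorable word", [1, 4, 12])))
```

The point of the sketch is the one the maintainers make: once the manager can answer the positional prompt, the "memorable" item no longer has to be memorable, so it can be as random as the main password.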

Gurran commented 5 years ago

I completely agree with @droidmonkey on this one. I get the "Don't put all eggs in one basket" argument and would therefore suggest you store your passwords in a containerized way.

Containerize your passwords by grouping them in different password databases depending on risk. You might want all financial credentials in a more secure database, one stored more securely, and that requires multifactor.

As for the hint, if anyone could guess your password from the hint you effectively have no password and are effectively relying on 1 factor of authentication. The much more secure route is to have the password be a randomly generated password, stored in a secure database. (Bonus points if the database is stored without online access.)

Gurran commented 5 years ago

@AdamPS I found this about the use of password managers. https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online?curPage=/collection/top-tips-for-staying-secure-online/password-managers

Your link was from 2017, the NCSC seem to have updated their view on password managers.

AdamPS commented 5 years ago

Thanks @Gurran and @droidmonkey you have persuaded me to change my habits. But only partly! I will put my username and password into the database, but I will keep the second factor of authentication via a hint. I think this gives an excellent balance of one part really strong and random, the other part still concealed if my database is hacked.

There's an important risk that hasn't been mentioned yet: catastrophic breach of the database protection. Even if I have more than one database I won't be protected so my eggs are still all in one basket. It could be

AdamPS commented 5 years ago

A second case is that the login form may be something that KeePassXC cannot fill, even with "pickchars" - which looks like #725 and several of the maintainers have a low opinion of the idea :-)

There might be multiple different items of "memorable" data and one is selected at random to pick chars from. I don't generally fill in memorable data literally as it is way too easy for someone else to find out the name of town where I grew up or my mother's maiden name. Instead I put in a password of my choice and record a hint.

AdamPS commented 5 years ago

Another advantage of this feature is for people using the new auto-submit feature. If there is a password hint, then it would disable auto-submit and leave the input focus in the password field ready to type the password.

So for both of those reasons please can we turn this back to a "new feature" request? I would like to post a bounty if you are willing to accept a PR.

droidmonkey commented 5 years ago

Unfortunately I do not want this to be a feature. It encourages bad behavior and complicates the design of everything. Unless you are a very very rich person, I doubt you are as much of a target as you think you are. There is far more risk of the bank itself being hacked or your account number involved in a wire transfer fraud. Your bank login information is the least of your concerns.

AdamPS commented 5 years ago

OK fair enough. I don't think I am specifically a target I just don't want to be caught out by bad luck.

In that case please can I make an issue for fine-grained control of auto-complete? I need a way to turn it off for sites with a pick chars or similar. Either a different key-press, or a per-site exception.

droidmonkey commented 5 years ago

You can modify the Auto-Type sequence on a per group and/or per entry basis. Just open the entry and go to the Auto-Type page.

AdamPS commented 5 years ago

Sorry I wasn't clear - I am talking about browser extension settings -> Auto-submit login forms.

When that is enabled, it is difficult to log in to sites with pickchars or other complex authentication where KeePass is unable to complete 100% of fields. I would need to open settings, temporarily disable auto-complete, press AS+U, fill the extra fields by hand, submit, open settings, enable auto-complete.

droidmonkey commented 5 years ago

Please open a new issue for this over in the browser extension board. It would be good to be able to disable auto submit on a site by site basis.

AdamPS commented 5 years ago

Thanks https://github.com/keepassxreboot/keepassxc-browser/issues/542