sirAndros / KeePassWinHello

Quick unlock KeePass 2 database using biometrics with Windows Hello
MIT License
311 stars 21 forks

Enhance Fingerprint Login for first login with masterpassword #55

Closed Andre3424 closed 3 years ago

Andre3424 commented 4 years ago

Hi, do you plan to enhance KeePassWinHello so it can be used as first login to the KeePass database? This would be a great enhancement and will make KeePass used by many more people, who today use browser password managers for convenience.

I would also make a donation to such an enhancement.

shuffle-c commented 4 years ago

Hi, you can make use of the "Store keys in the Windows Credential Manager" option (KeePass' menu Tools -> Options, WindowsHello tab) to allow the plugin to unlock your database at KeePass startup. Does it suit your purpose?

sambul13 commented 4 years ago

Yes, it usually does.

Is it possible to recover a forgotten kdbx db Master Password from the KeePassWinHello key stored in Windows Credential Manager, and how exactly?

shuffle-c commented 4 years ago

The plugin does not let you recover a Master password, but only lets you unlock a database. Having the db unlocked, you can save it with a new password.

sambul13 commented 4 years ago

The problem is, when the Windows Login Password is changed, all WinHello keys are auto-deleted from Credential Manager. Even if recovered from the hard drive, they are still deleted when copied back to the CM folder. Hence, there is no way to log in to the DB with a recovered WinHello key and update the Master Password. Is there a workaround to recover it from the deleted key?

shuffle-c commented 4 years ago

I don't know what happens to Windows Hello private keys when one changes login password, i.e. whether they get invalidated or not. If they do, previously stored plugin keys are useless. Otherwise it's technically possible to recover, not by means of the plugin itself though. But I don't get it, how come that keys are deleted from CM? Who deletes them?

sambul13 commented 4 years ago

They seem to be deleted by the OS after the 1st or 2nd user Windows login with the new password. Once that happens, at opening any KeePass db it asks for the Master Password again. Despite being deleted from the CM folder ( C:\Users\User\AppData\Local\Microsoft\Credentials ) and possibly other relevant folders, the key appears still valid and working.

I.e. if one exports it from CM as a .crd password-protected file, then changes the Windows login password, and then imports the WinHello key back to CM, it still works OK. It looks like the key is re-activated this way for the new Windows password. Other WinHello keys (used to log in to Windows) also need re-activation in Windows 10 Settings without entering new values. However, if the KeePass key was not exported in time, it's impossible to simply recover it from disk and copy it back to the CM folder; it gets deleted each time at CM startup or OS re-login.

That happened to me, unfortunately. How exactly would you suggest to use the key to recover the DB MP? I can PM it to you if possible. Thank you.

shuffle-c commented 4 years ago

@sambul13 I suppose Windows protects files in the CM folder with something using your current login credentials, and so altering creds makes these files impossible to decode. Did you try just to revert your creds back? I believe the only way out is to figure out how CM saves its data in these files and reverse them applying your previous creds. I'll try to find some info about it.

Let's continue in PM, yes.

shuffle-c commented 4 years ago

Check out this tool: https://www.nirsoft.net/utils/credentials_file_view.html

sambul13 commented 4 years ago

@shuffle-c I think you're right. I did try that tool, but I changed the old Windows Login Password because I forgot it. No way to rely on tools asking to enter it. CM is probably replacing the old Windows login hash with the new one in an old key, when imported back. This means CM likely gets the old Windows password hash from the imported key's .crd file to decode it.

There might be another way to recover a db Master Password from its WinHello key? Will a previous System Restore point return the old Win password and WinHello keys with it? Apparently, there is no Private Messaging service on GitHub.

Andre3424 commented 4 years ago

@shuffle-c Thanks a lot! This is exactly what I was looking for. However, I found quite a strange behaviour and do not want to publish it here before I send it to you. Is there a way I can send you a message?

shuffle-c commented 4 years ago

@sambul13 Sounds promising, a previous restore point might help you decode CM files with the tool above. I've added my e-mail to my profile.

@Andre3424 Good to hear. Sure, send me a message to the e-mail which is in my profile.

sambul13 commented 4 years ago

@shuffle-c Does the KeePassWinHello key contain a KeePass DB Master Password or its hash? Is it encrypted, and how? The above CredentialsFileView doesn't seem to show the content of any valid WinHello key, including keys matching the current user account. Maybe the WinHello key structure is different from other Credential Manager keys, or it's encrypted twice?

It looks like Win 10 Restore Points don't contain any registry hives at all, as browsed by Shadow Explorer (it may depend on the Restore Point max size), so I'm not sure if the old Windows Password is restored from hives with a Windows 10 Restore Point. It seems possible to figure out old Windows Password hashes using DPAPI Credential History. It also sounds like protected content like the KeePass Master Password can be derived from a WinHello key by using the DPAPI Master Password instead of the Windows Password.

ghost commented 3 years ago

I don't think we should let KeePassWinHello recover the master password, and it's a correct and safe operation for the Windows Credential Manager to automatically delete the key when the Windows login password is changed/deleted, because if you lose your computer/hard drive and don't turn on BitLocker, anyone will use a PE system to delete your system password, and may use your credentials to log in to your KeePass database without a master password.

shuffle-c commented 3 years ago

59