
Unlock database only for the browser extension's use #1809

Closed

Hocuri opened this issue Apr 2, 2018 · 13 comments

Comments

@Hocuri

Hocuri commented Apr 2, 2018

Expected Behavior

Before being able to copy a password to the clipboard or to do autotype, I want to be prompted for the database password ("Master password") a second time. Therefore, somebody who has physical access to my computer while the database is unlocked can authenticate to websites but cannot actually find out my passwords (or at least it would be very hard).

Current Behavior

When the database is unlocked, I can copy the passwords to clipboard and do autotype without authenticating myself.

Possible Solutions

  • provide an option for this in the settings
  • automatically require the database password if a browser extension is configured

Context

  • I am filling in passwords only over the KeepassXC-browser extension.
  • The Firefox built-in password manager has exactly this behavior (you need to type in the master password a second time before seeing the cleartext passwords).

Debug Info

KeePassXC - Version 2.3.1
Revision: 2fcaeea

Libraries:

  • Qt 5.5.1
  • libgcrypt 1.8.1

Operating system: Linux
CPU architecture: x86_64
Kernel: linux 4.4.0-116-generic

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Legacy Browser Integration (KeePassHTTP)
  • SSH Agent
  • YubiKey

@droidmonkey
Member

droidmonkey commented Apr 2, 2018

can authenticate to websites but can not actually find out my passwords

Full stop, this is impossible.

If you really want to endure the pain of typing your master password all the time then just set "lock on minimize" to true.

@hifi
Member

hifi commented Apr 3, 2018

You can also set a timeout for automatically locking your database after inactivity.

@Hocuri
Author

Hocuri commented Apr 3, 2018

If you really want to endure the pain of typing your master password all the time then just set "lock on minimize" to true.

I am filling in passwords only over the KeepassXC-browser extension. This should still be possible, just autofill and copying to clipboard not.

Of course, it is also possible to find out my passwords over the browser extension, but it is much more difficult.

@droidmonkey
Member

droidmonkey commented Apr 4, 2018

Either your database is unlocked or locked. There cannot be any in between state without (a) confusing the user or (b) playing security theatre with your database. I do not endorse this proposed feature.

Furthermore, would your proposal restrict someone from viewing an entry?

@Hocuri
Author

Hocuri commented Apr 4, 2018

Furthermore, would your proposal restrict someone from viewing an entry?

Oh, I forgot this. Of course, viewing passwords also has to be protected like this if this shall make sense.

I do not think that this would confuse users that much: The Firefox built-in password manager also has this behaviour (you have to type in the master password a second time before seeing passwords in clear text or copying them to the clipboard). And Mozilla is quite keen on not confusing users.

@droidmonkey
Member

Ok so you want to be able to only unlock your database for the browser extension's use, but for anything else you need to unlock it again in the KPXC gui.

@Hocuri Hocuri changed the title Security/Feature request: Protect "copy to clipboard" and "autotype" with database password Security/Feature request: Unlock database only for the browser extension's use Apr 4, 2018
@Hocuri
Author

Hocuri commented Apr 4, 2018

That's it. My description was probably not very clear (sorry); I edited the issue's title, maybe this one is better.

@droidmonkey
Member

droidmonkey commented Apr 4, 2018

This is an interesting idea as a configuration option. I still don't like "half locking" the database though. Maybe this would work well when the quick unlock feature is implemented. #488

@CueHD

CueHD commented Apr 4, 2018

Have you tried some of the other browser extensions? I use the KeepassXC-browser extension at home and Keepass Tusk at work. As far as I can tell, the Tusk extension doesn't let the user browse the Keepass database, it just inserts the usernames & passwords when it finds a website match. Though the usernames are always visible and the passwords are visible upon a button click.

As far as configuring KeepassXC for this purpose, I wonder if it may be easier to have an option to minimize KeepassXC to the system tray with restoration requiring the Master or Quick password. The database would still be unlocked, just not easily shown.

@Hocuri
Author

Hocuri commented Apr 4, 2018

the passwords are visible upon a button click

This is exactly what I did not want 😕 :-(.

As far as configuring KeepassXC for this purpose, I wonder if it may be easier to have an option to minimize KeepassXC to the system tray with restoration requiring the Master or Quick password. The database would still be unlocked, just not easily shown.

👍 I like your idea! This might be easier to implement and it can't happen that someone (me, for example: #1809 (comment)) forgets a way to find out the cleartext password (although of course it is not up to me to decide this).

I wonder if some RAM could even be saved if the GUI data are deleted and only some daemon for the browser extension runs in background, but this is another issue.

@CueHD

CueHD commented Apr 4, 2018

Or to put it in different words:
The active window is killed but the process stays resident. Trying to start another instance kills the current process and initiates password reentry.

@droidmonkey droidmonkey changed the title Security/Feature request: Unlock database only for the browser extension's use Unlock database only for the browser extension's use Oct 6, 2018
@pvdl

pvdl commented Oct 25, 2019

Is it possible to introduce 'unlock levels'?

Level 1: Fully unlocked. User can open database and can change, delete, edit, see unencrypted passwords.
Level 2: Unlocked edit mode. User can open database and can change, delete, edit, but passwords are encrypted / hidden for viewing.
Level 3: Unlocked view mode: only viewing database. No deletion or editing, also unencrypted view passwords.
Level 4: Unlocked view mode restricted: view. Passwords are hidden.
Level 5: Unlocked for browser-integration. Plugin may use the required credentials. No user modifications allowed / possible. Important menus are grayed out.

Depending on your purpose you can open KeepassXC with the appropriate unlock level.
Switching between levels can be done by the master password.

@droidmonkey
Member

Yikes that is ridiculously confusing to the average and above average user, let alone novice users.
