Support word completion in the database's password entry field
Is your feature request related to a problem? Please describe.
The app's database password field currently doesn't support auto-completion. I imagine there are good security reasons for this. However, it makes it unwieldy to manually type whatever password you chose, so most users in all likelihood resort to a much more dangerous copy-and-paste, probably keeping the password in plaintext somewhere. Or they use an extremely short password.
If there was word completion instead, it would become feasible to use and manually type a complex-enough passphrase.
I explain my proposed secure (in my opinion) implementation of this below.
It's a long feature request because I tried to already elaborate many of its implementation details.
I'm always frustrated when I have to type a long and complex password every time I have to unlock KeePassDX. But actually in reality I'm frustrated that I have to employ such a security-destroying practice as copy-pasting my passphrase, because I tried but it's completely unfeasible to type it manually every time (even with the least strict KeePassDX locking options, on my phone the app often gets terminated for memory pressure, and so entering the password is an extremely frequent necessity).
Describe the solution you'd like
OK, I imagine that leaving the device's keyboard auto-completion is dangerous. I'd like to see the exact reasoning behind this decision, but I can imagine it.[^*]
However I see ways to provide a secure word completion support.
First, to clarify, what would be needed would simply be word completion, not word-prediction. A passphrase's words of course need to be completely unrelated, and one where word-prediction were useful would be a bad one (except maybe if it were exceptionally long).
So, if really allowing the keyboards' internal completion would be a bad idea, I suggest implementing it in the app itself. What do I suggest implementing??? Well, a word completion feature, which would work in this way (please bear with me, I think I'm aware of the security issues here):
- the app includes either a single word dictionary or multiple ones, all with a large-enough amount of entries to be useable as the only source for a secure not-too-long passphrase. Actually I imagine one such dictionary is already included, for the passphrase generation feature.
- there is a way to complete the words being entered in the database's password field, based exclusively on the word currently being typed
- at database creation or database-password-change, the user is informed of the app's ability to complete words and thus of greatly simplifying the usage of passphrases; a button, underlined text or whatever, says something like: "Tap here to learn very important information for the usage of this feature"
- if the user taps the button/text/etc. a (short) guide for taking advantage of the feature in a secure way is presented; it should be a local guide rather than a remote webpage, since the information is extremely important and it shouldn't be in any way inconvenient to access. If the app supports the customization of the dictionary used (its choice, etc., I elaborate on this further below), this rather than a simple guide should be first of all a dictionary customization interface, with some explanation of its usage; the outcome of the customization will be taken into account in the advice given thereafter
- The guide tells what's the minimum amount of words that would give rise to a secure passphrase (calculated taking into account the size of the dictionary being used), stresses the necessity to choose the words completely randomly (or to use a much longer passphrase), and provides some recommendations on how to securely choose a password that includes both words and other characters (since some users would likely be extremely attracted to this option), maybe providing some links to more in-depth guides. It would actually probably be best to include a password/passphrase entering, evaluation and maybe generation system, similar to the one currently provided by the entries' password generation feature.
Now I anticipate a perplexity that many normal users might have: wouldn't having a dictionary and word completion make it easier to deduce the password the user chose? Well, this is the essence of the passphrase strategy for passwords: its security is calculated assuming that the attackers will know that the user is using a passphrase in a certain format and the dictionary he took its words from: you need, and this is why it's very important to guide the user, to choose (randomly) a number of words sufficient for making this attacker's knowledge completely irrelevant.
Details and variations:
- This feature could be implemented either with an interface in the app itself or with a custom keyboard, but I think the app interface would be simpler to realize and even more convenient for the end-users; such interface would probably consist of a list of proposed words displayed above the cursor (either horizontally or vertically), that the user could tap to complete the current word;
- the amount of proposed words would have to be decided with a little care, it might have an effect on the security of the passphrase which users would choose (some users might choose the words that appear first, thus reducing the security of the passphrase and thus in theory requiring a longer one)
- the ordering of such a list should be decided; is it ok, or even better, to just sort it alphabetically, or maybe it would be better to propose the shortest words first? For sure it seems a bad idea to sort based on the words' statistical usage (which would discourage using the less frequent words)
- it should be decided whether it would be feasible or not to make the list scrollable
- the word-completion feature could be optional, but it would probably make sense to enable it by default (even for previous installations of the app), since for those who don't need/want it it would only be a minor nuisance that could easily be turned off, while those who would benefit from it might not even notice it exists if it's off by default
- There could either be just a good, large, English dictionary, or there could be the ability to choose one, load a customized one, combine several of them etc. as several passphrase generators allow. Maybe the single English dictionary could be a first version of the feature, maybe it could forever be the only option; the latter might be acceptable because users who currently have a passphrase in other languages could simply change it to an English-only one (but non-English-speaking users would benefit a lot from a dictionary in their language).
If loading custom dictionaries were supported it would be appropriate to check them for duplicates (and eliminate them) and warn the user if the amount of different words is low
- I'm not sure if it would make more sense to add a whitespace after a word's selection or not, maybe it would be better not to (the inconvenience for those who use other separators or different schemes would probably be higher -two key presses- than the convenience for those who use a normal space-separated passphrase -just one press of the spacebar-)
Describe alternatives you've considered
I know that in place of a password you can use a keyfile, a hardware key or biometrics, but so long as the password method is allowed it should support and encourage safe ways to use it; and the only feasible safe way I see is long passphrases with word completion.
Also, biometrics are not supported by all devices.
Additional context
I was extremely surprised that there weren't already similar feature requests, and that none of the phone password managers I tried support this. Maybe no one thought yet that it could be done in a secure way?
A further small side note, if this word completion feature can be implemented it could also be added to the password fields of the individual database entries (when adding new ones or editing the existing); there however, since adding or changing entries' password is a much rarer necessity, of course it would be a lot less useful (especially with the presence of the passphrase generator)
[^*]: I imagine it's because many keyboards send everything you type to their servers, or use that to update their machine learning models, where hints of the passphrase or the entirety of it could unwittingly end up; I'm less concerned about it because I block the keyboards' internet access with a firewall, but of course this is an uncommon (and not so reliable) practice
P.S. Of course every time I said "longer passphrase" here I meant "with more words", regardless of the phrase's length in characters
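
A sketch of the mechanics the request describes, added here as an example and not code from the post or from KeePassDX: deduplicating a custom dictionary, deriving the minimum word count from its size, and completing only the word currently being typed in alphabetical order. The function names, the 80-bit target, the 2048-word warning threshold and the ASCII-only word matching are all assumptions.

```python
import math
import re
from bisect import bisect_left

TARGET_BITS = 80      # assumed security target, not a value from the post
MIN_DICT_SIZE = 2048  # assumed threshold for the "too few words" warning


def load_wordlist(lines):
    """Normalise, drop duplicates and sort; also report whether the list is small."""
    words = sorted({w.strip().lower() for w in lines if w.strip()})
    return words, len(words) < MIN_DICT_SIZE


def min_words(dict_size, target_bits=TARGET_BITS):
    """Fewest uniformly random words that reach target_bits when the attacker
    knows the dictionary: each word contributes log2(dict_size) bits."""
    if dict_size < 2:
        raise ValueError("dictionary needs at least two distinct words")
    return math.ceil(target_bits / math.log2(dict_size))


def current_fragment(field_text):
    """Only the trailing run of ASCII letters is completed; earlier words are ignored."""
    match = re.search(r"[a-z]+$", field_text.lower())
    return match.group(0) if match else ""


def complete(words, field_text, limit=5):
    """Alphabetical prefix matches for the word being typed, no frequency ranking."""
    prefix = current_fragment(field_text)
    if not prefix:
        return []
    start = bisect_left(words, prefix)
    matches = []
    for word in words[start:start + limit]:
        if not word.startswith(prefix):
            break
        matches.append(word)
    return matches


# Constructed sample list with a duplicate, mixed case and a blank entry.
SAMPLE = ["Apple", "apricot", "apply", "banana", "apple", "band", "bandit", " "]
WORDS, TOO_SMALL = load_wordlist(SAMPLE)
```

Because suggestions depend only on the trailing fragment, the candidate list reveals nothing about earlier words in the field, and the word count from `min_words` holds only if each word is drawn uniformly at random from the list.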