
Password display with character position number beneath/show selected chars only

Open g0tar opened this issue 3 months ago • 6 comments

Checks

  • [x] I have read the Wiki, searched the open issues, and still think this is a new feature.

Explain the problem clearly and succinctly:

There is this irritating trend in banks to use masked passwords. When I have to type the 13th character it is a PITA to count them manually.

Describe the solution you'd like:

I propose a display mode aiding this, like:

my secret password
123456789012345678

Whether this would be a different field type (so one can use it only when needed), another "unhide" button or global setting, doesn't matter to me.

Describe alternatives you've considered:

No response

Additional context:

No response

g0tar avatar Oct 10 '25 15:10 g0tar

I am quite baffled your bank even supports such incredibly huge passwords. Where the heck are they going to store all those Terraboings of data?

Maybe you could name the specific bank? They are obviously storing your password in plain text, or storing it in a way which allows decryption. This is far below the industry standard of storing salted hashes of passwords. I believe they are in clear violation of common security protocols.

c-b-x avatar Nov 23 '25 19:11 c-b-x

ING BSK (Polish division of ING Groep N.V., 4th in size, mandatory), Alior Bank (8th biggest bank in Poland, government-owned, masked are optional now), Pekao SA (the 2nd biggest Polish bank, also national, mandatory masking).

The funny thing is ING was the first one to allow the use of U2F keys and they actually disabled masked passwords for ING Business.

g0tar avatar Nov 23 '25 21:11 g0tar

> ING BSK (Polish division of ING Groep N.V., 4th in size, mandatory), Alior Bank (8th biggest bank in Poland, government-owned, masked are optional now), Pekao SA (the 2nd biggest Polish bank, also national, mandatory masking).
>
> The funny thing is ING was the first one to allow the use of U2F keys and they actually disabled masked passwords for ING Business.

Actually, I do remember having an ING Diba account some decades ago which used this. I'm a bit baffled they are still using this. You really can't teach an old dog new tricks, can you? I had a dozen bank accounts thereafter and no other bank used this, but there seem to be a few according to Reddit threads.

Another security consideration: This method requires - or at least encourages - the user to have the password visible in front of them. This wasn't maybe as much of an issue decades ago but with cameras and even drones everywhere, not to mention screen recording, I think this method is a truly terrible idea. It obviously isn't even a second factor but the college dropout version of a capture.

c-b-x avatar Nov 29 '25 09:11 c-b-x

This method discourages truly strong passwords (i.e. random and long), probably trading this for preventing keyloggers ...or video recording in unsafe places.

Your consideration could be mitigated in a password manager by extending this ticket to show only tapped letters.

g0tar avatar Dec 02 '25 10:12 g0tar

Beyond having an issue with the bank, the advantage I see is general in nature: when a user manually copies a password or simply wants to know where a letter is positioned, it's not a bad idea. I will probably make a global setting, but since it's not urgent, it will be in version 5.0.0.

J-Jamet avatar Dec 02 '25 10:12 J-Jamet

Thank you!

One more use case is telecodes - when contacting via phone call, the user is asked to type in (selecting tones) a series of n-th digits of a telecode. This is even worse to count manually, as the series is random and out-of-order (7th, 1st, 3rd, 5th).

g0tar avatar Dec 02 '25 11:12 g0tar
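
A sketch of the display mode discussed in this thread, added here as an illustration and not KeePassDX code: it builds the position ruler from the issue's mock-up, masks every character except the requested 1-based positions, and returns challenge characters in the order asked. All function names and the telecode value are hypothetical or constructed.

```python
# Added illustration; not KeePassDX code. All names are hypothetical.

MASK = "\u2022"  # bullet shown in place of characters that stay hidden


def position_ruler(length):
    """Last digit of each 1-based position, as in the issue's mock-up."""
    return "".join(str(i % 10) for i in range(1, length + 1))


def _check(positions, length):
    """Reject positions outside 1..length instead of silently skipping them."""
    bad = sorted({p for p in positions if not 1 <= p <= length})
    if bad:
        raise ValueError(f"positions out of range 1..{length}: {bad}")


def reveal_selected(secret, positions):
    """Return (masked_line, ruler) showing only the requested positions."""
    chars = list(secret)  # Unicode code points; combining marks are not merged
    _check(positions, len(chars))
    wanted = set(positions)
    masked = "".join(c if i in wanted else MASK
                     for i, c in enumerate(chars, start=1))
    return masked, position_ruler(len(chars))


def answer_challenge(secret, positions):
    """Characters in the order the challenge lists them (may be out of order)."""
    chars = list(secret)
    _check(positions, len(chars))
    return [(p, chars[p - 1]) for p in positions]


if __name__ == "__main__":
    sample = "my secret password"           # sample string from the issue
    masked, ruler = reveal_selected(sample, [13])
    print(masked)
    print(ruler)
    telecode = "4071958263"                 # constructed sample telecode
    print(answer_challenge(telecode, [7, 1, 3, 5]))
```

Masking the unselected characters keeps the rest of the secret off the screen while the requested positions are read.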