Change master key UI suggests that it will be modified, not overwritten #1698

Closed
jurf opened this issue Mar 10, 2018 · 5 comments
@jurf

jurf commented Mar 10, 2018

I’ve just spent 20 minutes trying to open my database (and restoring from backups, experimenting, etc.) after changing the key file only. Then I realised that the password was deleted.

Expected Behavior

User is warned that the settings are being overwritten and not modified.

Current Behavior

User is not informed (it is even implied that it is being modified since ‘change’ can mean ‘modify’, not only ‘swap’/‘replace’), leading to confusion when trying to open the database again.

Possible Solution

A simple ‘New security settings:’ text at the start or changing the title to ‘New master key’ would solve this problem.

Steps to Reproduce

  1. Database → Change master key
  2. Untick ‘Password’, tick ‘Key file’
  3. Choose/create new key file
  4. Restart KeePassXC, choose new key file, enter old password
  5. HMAC error

Context

I got a notification that my keyfile was old, so I decided to upgrade it. I didn’t want to change my password so I just left it unticked and only created a new keyfile. When I tried opening the database later it just didn’t want to work, throwing HMAC errors.

I’ve since realised that by unticking the password I removed it, but this is bad UI.

Debug Info

KeePassXC - Version 2.3.1
Revision: 2fcaeea
Distribution: Flatpak

Libraries:

  • Qt 5.10.1
  • libgcrypt 1.7.3

Operating system: Linux 4.15.6-300.fc27.x86_64
CPU architecture: x86_64
Kernel: linux 4.15.6-300.fc27.x86_64

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Legacy Browser Integration (KeePassHTTP)
  • SSH Agent
  • YubiKey

@droidmonkey
Member

It is certainly working as designed. Would a simple warning question be sufficient such as "Are you sure you want to remove your password?"

@jurf
Author

jurf commented Mar 13, 2018

I’m not saying it’s not working as designed, I’m just saying that the design isn’t communicated well.

> Would a simple warning question be sufficient such as "Are you sure you want to remove your password?"

Wouldn’t it be better to explain it before the user tries to apply the settings?

@droidmonkey
Member

Sure that can also be done, but people don't read. A popup question usually gets their attention.

@matthewblain

I haven't yet tried this, but presumably a colored warning like a password strength warning would work. Like "Your password is so weak... because you don't have one. And you did before!"

@phoerious
Member

This will be fixed with #1952 in 2.4.

droidmonkey added this to the v2.4.0 milestone Feb 24, 2019