This repository has been archived by the owner on Oct 16, 2019. It is now read-only.
I'd like to phase out the "keep unlocked" function because it's obscenely insecure. A lot of folks will likely complain, but currently a major issue is that if your computer is shut down while the database is kept unlocked, your password is stored unencrypted on disk. This is true of CKPX and CKP.
Let's do some research on this.
Is "keep unlocked" very insecure if you have full-disk encryption? If the computer is shut down while the database is kept unlocked, it still wouldn't be able to be accessed without the boot/user password, right?
Wouldn't a PIN practically suffer from the same vulnerabilities as the original "keep unlocked" function if the user's computer doesn't have full-disk encryption? Even a shorter, alternative password of 8 random characters can now be cracked relatively quickly. I know Keepass2Android gives you one shot to enter the last 3 characters, but if your drive is unencrypted, it can be cloned and attempted indefinitely.
Perhaps we could add back the ability to remember the database password indefinitely, but display a huge warning to the user that they should only do so if their computer has full-disk encryption, and that if it does not, their password can be stolen trivially if someone has physical access to their device. We could add links for users on how to check whether their device is full-disk encrypted on various platforms (and instructions on how to enable it). Obviously your call though, just wanted to give my opinion.