Make two-channel auto-type obfuscation optional.

Issue #22 new
Nicolai Fröhlich
created an issue

Two-channel AT obfuscation is currently broken in Keepass with Windows 8.

The resulting passwords don't match the stored ones. (I can confirm this definitely for Windows 8.1 + KeePass 2.24 & 2.24 )

I have yet to find out about the concrete cause ...but i have a strong suspicion that this is related to Windows 8's policy to disallow UIAccess ( applications sending keystrokes ) for non-trusted applications.

The requirements for a "trusted" application are: - software has to be signed - software has to provide a manifest - software has to be stored in a "safe" location ( Program Files , Program Files (x86 )

PLEASE include an option to make two-channel obfuscation optional and not auto-enabled on every settings-save. While you can manually remove the checkmark after storing settings and save the entry again ... this is pretty annoying currently.

Just leave it up to the user if the wants the TC passwords pasted with two-channel obfuscation. Though generally a good idea ... most users don't use it anyway as it's not checked by default for new entries.

Comments (5)

  1. QasimK

    I am running Windows 8(.0) and I don't have this problem unless I have set TrueCrypt.exe to always run as an administrator. When I do this, the elevation dialog prompts me first, and then KeePass fails to type the password. The failure may be due to the extra delay or what you have said.

    Are you also running TrueCrypt as an administrator?

    It seems that if the problem is with sending key strokes then the two-type channel obfuscation feature doesn't actually affect the failure.

    Indeed after testing with using the control-v auto-type password function, the problem persists regardless of whether the option is enabled.

    (Also, since TrueCrypt.exe works with Two-Channel obfuscation, I see no reason to even give it as an option.)

  2. Nicolai Fröhlich reporter

    I can verify the problem on 2 different machines , running 8.1 - Default and 8.1 Enterprise ... also double-checked that TrueCrypt is not running as Administrator.

    I probably wasn't clear enough when describing the actual bug behavior:

    The password does get typed ... but remains in wrong character order. The characters are being typed but remain in the "obfuscated" order because the direction keystrokes are not executed (LEFT, RIGHT).

    Example: The password is something. The resulting password getting typed by auto-type with two-channel obfuscation enabled is something like: stohmieng

    It's only certain keystrokes/-combinations that require UIAccess in 8.1 and don't work anymore if applications aren't "trusted". As an example applications that map gamecontroller buttons like XPadder or Pinnacle GameProfiler aren't able to map ALT+TAB anymore (except if their creators bought an expensive certificate and forced their users to install the software to program files).

    Two-Channel obfuscation IS broken and this affects people because the plugin FORCES the user to use it by enabling it on every entry-settings save operation.

    The only other explanation i can imagine by now would be a timing-related problem due to the High Precision Event Timer (HPET) being enabled by default in Windows 8.

    Anyways this is an annoying bug and the plugin shouldn't enforce two-channel obf.

  3. Nicolai Fröhlich reporter


    I just tested 2.25 on my Ubuntu machine (KeePass 2.25 + Mono) ... Two-factor obfuscation doesn't work there either ... so it's maybe KeePass itself causing the issue?

    What version of KP are you using Qasim ?

  4. QasimK

    Ah, I did misunderstand what the issue was. I am unable to replicate this with Windows 8.0 and KeePass 2.25 (2.24 worked fine also). Did you first experience this problem when you installed Windows 8.1, and was it from 8.0 or an earlier version?

  5. Nicolai Fröhlich reporter

    Both Windows 8.1 installations are completely fresh installs, no updates - without any additional software or KeePass plugins (not even additional drivers).

    The issue still occurs when booting into the OS for the first time.

    I'm wondering how it is possible that I can even reproduce the issue on Ubuntu with KeePass + Mono ... maybe it's the database-file itself.

    I'll try creating a completely new database and report back if that changes anything.

  6. Log in to comment