KeeForm 2.04

[Jettison]

This is one of those programs that proves the Au3 isn't only for kiddie apps. It's amazing.

Also..For all those who are skeptical about using it, refer to the sticky in this forum...

[rikpal]

I'd like to understand if the version 1.06 of Keeform can be used with Keepass 2.02.

Instructions seems to refer to the Keepass 1.x (e.g. add a line to keepass.ini, not present in the keepass 2.x).

If I need to download another version of keeform, could you pls provide me with the link, I'm not able to find it.

thx in advance.

Riccardo

[AutoDave]

Riccardo,

There are basically two settings in KeePass 2.02 (still alpha):

- tools -> options -> integration -> override url [global setting]

- edit -> edit/view entry -> properties -> override url [entry specific setting]

Cheers,

Dave

[rikpal]

thx a lot Dave.

I'm migrating from 1.07 and I've migrated the database too. the reason of this is because I need the db on a smartphone too (Samsung i600), so only the 2.x is supported in this case.

I've noted that if I check the entries that in the 1.07 where using the keerun, in the migrated version kdbx (2.x) of the db, in the entry settings, it has been automatically filled the override url field, so in this case I've not to do anything apart from the general setting to override the urls.

is this correct?

moroever, I've noted that the multiline entry field that was filled in the 1.07 for each entry (autotype, references to user & passwords, override url, etc.), now it is filled (after the migration) in the kdbx file differently. is this correct?

cheers.

Rik

[AutoDave]

Rik,

sounds correct. But I haven't used KeePass 2.0 a lot, so as always please test and backup before you migrate anything [KeePass 2.02 is still alpha development, I recommend to use KeePass 1.07].

Cheers, Dave

[bluebearr]

AutoDave,

Just had to jump on and say how much I like this program. I use the FireFox password manager for most things, but I have a few work sites that are IE only and I distrust IE's password saving (since it has been shown to be easily broken). I recently started using KeePass to store account info, so I tried KeeForm to access these IE-only apps. It works great! Very convenient. I so far have four web apps that it accesses, and it works with all four.

When I looked at your code, I was really surprised at the simplicity of the FormFiller function. I expected something complicated to detect the correct objects, but it looks like you are just careful about what order you "tag" them as the correct objects to set.

Again, nice job!

[AutoDave]

BlueBearr,

Thanks for your feedback! I am glad to hear that you like KeePass and KeeForm (some call it "KeeCombo").

Cheers,

Dave

[cyaif]

I have come across the following idea on the 'Net. With this method you cannot bypass keyloggers completely, however, you can *REALLY* confuse them. It works with almost any application, but I'll explain it using Keepass as an example. It goes like this (more info @ http://cups.cs.cmu.edu/soups/2006/posters/..._abstract.pdf):

You activate your target window. Now you find any area on that window, which is unresponsive to keystrokes. For Keepass it is the keyfile combobox (so you have to use a keyfile, but you should do it anyway , i.e. if you click the combo box and press a key, Keepass discards that key. While the combo box is still open (or closed, doesn't matter, it should simply must have the focus), just press a random number of keys in that box. Now, you click the password box and type a character of your password. Then you click the combobox again and press some more random keys. And you repeat the process for each character of your password.

The more characters you use, the better. You could use literally hundreds of chars. For even more confusion, I've added a few things of my own:

- I'm making the password dialog completely transparent, since some keyloggers make screenshots after each mouseclick and so they could analyze the number of chars in your password

- your script can click in the password box in varying order, i.e. begin with the a char from the middle of your pass, then on next turn, your script clicks at the very beginning and types the preceding character, then on next it clicks far right in the password box and types the succeeding character (to the very first char), and so on.

I think the idea should be pretty clear and it's well suited to be automated for very sensitive passwords.

Though I'm well aware of Autoit since long, I'm not an Autoit user (I'm using a rival tool, PowerPro; pls be nice to me . I've already written some scripts to automate this with PowerPro, but I thought we all could benefit from the idea and you could expand Keeform to use this technique as well. You would need screen positions of password boxes and unresponsive areas, which I'm sure Autoit could find out by using a shortcut key before the operation begins.

For more techniques against keyloggers, see:

http://en.wikipedia.org/wiki/Keylogger#Keylogger_prevention

Hope this helps and any suggestions/improvements are most welcome.

Cü from PP-Community

[cyaif]

I have come across the following idea on the 'Net...

A similar idea, which does not use any "unresponsive" areas. It abuses the fact that if a portion of text is selected, the next key replaces the selected text. So your script could get the current font width first. And use "mouse selects", e.g. win.mouse("leftdown move -30 0 leftup") in PP-terminology, to replace the dummy chars with real ones. Say your password is "secret".

- begin with typing "asdfg"

- select these 5 chars with mouse and type "s" which replaces those

- now type "werteiop"

- select 8 chars with the mouse

- and type "e" again replacing the dummies

and so on

As before, a transparent window could help against screen-capturing malware and you could mangle the order of characters.

However, IMHO using completely random characters as dummies every time should be avoided because common characters in every session could be found out in the keylogger's logs, which simplifies a succesful brute-force attack.

Cü from PP-Community

[AutoDave]

Hi cyaif,

Thanks for your idea.

You should post this idea or any other question regarding KeePass in the KeePass forum https://sourceforge.net/forum/?group_id=95013.

Cheers,

Dave

[NickNZ]

Hi autodave, great product and i enjoy using it. but i have a question how do i use the keeform in Vista?

i have followed the instructions to get it working and it does work, but only when i log into the local administrators account and not my own, which does have admin privildges.

When i type ctrl U the website appears but is not filled with my details, however it works fine when i log in as administrator.

Any way around this other than using the administrators account?

thanks

Edited August 19, 2007 by NickNZ

[AutoDave]

Hi NickNZ,

Is the protected mode in IE7 activated in your non-admin account? If it is on, KeeForm wouldn't work.

Cheers, Dave

[KeePassUser2007]

Thanks, Keeform is a really nice extension for KeePass. Just downloaded and tried it with KeePass 1.08. Works great, I gave it a 5 star rating

(PS it only supports IE, but this doesn't matter to me)

[AutoDave]

Update: the download problem has been fixed now.

----

Does anybody have an idea why most members have a download problem?

I've tested it myself with various programs

* Internet Explorer: No warning/error, but ZIP is broken.

* Firefox: No warning/error, but ZIP is broken.

* Opera: No warning/error, but ZIP is broken.

* Free Download Manager: ZIP is ok.

Opera first stops the download, but after continuing it, Opera downloads the same corrupted ZIP file as Internet Explorer (random bytes are inserted at the beginning). Firefox downloads something completely different (the ZIP comes close to the correct one, but the last few bytes are missing).

Only Free Download Manager downloads the file correctly. You can find the program here: http://www.freedownloadmanager.org/ .

Cheers,

Dave

Edited September 22, 2007 by AutoDave

[AutoDave]

Some users have problems using KeeForm on Vista (because of the enhanced security features). Here how to fix the issue solution (thanks to Justin):

If you have UAC enabled and protected mode enabled in IE7 (which is the default in Windows Vista), you have to run KeePass as an Administrator for KeeForm to work in the program.

1) Right-Click on the KeePass shortcut and choose Properties.

2) Click the Advanced button.

3) Check 'Run as administrator'.

4) Click Ok twice.

KeeForm should now run fine in KeePass.

[Achilles]

Good work one this!

This must be the thread with the most users that have 1 post...

[x9gglptc]

KeePass 1.09 dosent work with the plugin, any help?!

[AutoDave]

KeePass 1.09 introduced a new, more secure URL opening method. Unfortunately KeeForm- and other cmd://-URLs (like ones containing spaces) may not work as expected any more. Here is a solution for the "KeeForm is not found any more" problem. In the KeePass.ini file please replace

KeeUrlOverride=cmd://KeeForm "{URL}" "{USERNAME}" "{PASSWORD}" {ENTERFORM}

with

KeeUrlOverride=cmd://"{APPDIR}\KeeForm.exe" "{URL}" "{USERNAME}" "{PASSWORD}" {ENTERFORM}

Cheers, Dave

http://keepass.info/help/kb/kb071014_upg_to_1.09.html

Symptoms:

When trying to launch KeeForm by executing the URL field, you receive an error message like the following:

Password Safe

File: KeeForm

Arguments: "http://www.webpage.html" "User" "Password" {ENTERFORM}

The system cannot find the file specified.

Resolution:

If you followed the KeeForm 1.06 quick installation guide (i.e. installed KeeForm into the KeePass application directory and used the URL override method), replace the following line in the KeePass.ini file:

KeeUrlOverride=cmd://KeeForm "{URL}" "{USERNAME}" "{PASSWORD}" {ENTERFORM}

by:

KeeUrlOverride=cmd://"{APPDIR}\KeeForm.exe" "{URL}" "{USERNAME}" "{PASSWORD}" {ENTERFORM}

KeePass will replace {APPDIR} by the KeePass application directory when starting URLs, i.e. you do not need to insert the absolute path to KeePass here!

Please note that you have to replace this line in the KeePass.ini file in the KeePass application directory if you're using the portable ZIP version of KeePass, and in the KeePass.ini file in the user's application data directory if you're using the KeePass installer. For details, see Configuration.

KeeRun can similarly be fixed by replacing KeeRun by "{APPDIR}\KeeRun.exe" (note the quotes!). This of course requires that you installed KeeForm and KeeRun in the KeePass application directory. If you installed it elsewhere, change the path appropriately.

Edited October 14, 2007 by AutoDave

[mrbig1479]

first of all thanks for the program.

but i cant make the program works.

i dont have a KeePass.ini file in the zip i downloaded

there are keerun, keerdp, and keedebug (both exe and au3)

no ini file and i get an error when trying to run any of these.

[AutoDave]

Hi Mr Big, you should install KeePass first. KeePass will automatically generate the keepass.ini file. Then you just add the following line at the end of keepass.ini

KeeUrlOverride=cmd://"{APPDIR}\KeeForm.exe" "{URL}" "{USERNAME}" "{PASSWORD}" {ENTERFORM}

or if you don't want to automatically submit login forms:

KeeUrlOverride=cmd://"{APPDIR}\KeeForm.exe" "{URL}" "{USERNAME}" "{PASSWORD}"

Cheers,

Dave