First, I really want to thank all the contributors (special mention for luckyrat) of KeePass, KeePassRPC and Kee, because all these tools are amazing and bring a lot of serenity when I surf the Web. So a big thank you for this giant work.
About my question:
Thanks to KeePassRPC, Kee can communicate safely with KeePass to fill forms without using the clipboard and typing. But when I want to modify a password, I ask Kee to get a generated password from KeePass. This new password is stored in the clipboard so that we can paste it everywhere it should be on the website to validate the modification.
I wonder how safe it is. Kee communication through KeePassRPC is very safe, so a generic malware cannot sniff it (by “generic” I mean a malware that is not specialized in cracking KeePass and its plugins). But during the period when the generated password is stored in the clipboard, a generic trojan could save the clipboard state and get the new password.
I could be wrong: maybe you implement some obfuscation, but I think this clarification is worth mentioning in the documentation (I did not find enough details about this issue anywhere). So what happens precisely when I ask for a generated password from Kee?
By the way, to change the password using Kee, the procedure can be tricky, but I found a great one that I am sharing because I have never seen it before:
- On the form for password modification, use Kee to fill the old password
- Generate a new password with Kee and paste it everywhere it should be
- Log out of the website once the change is validated
- Log in using Kee's login suggestion and paste the password once again (the one from Kee is the wrong old one)
- Now you can use “save latest password” to update the KeePass entry
With this procedure, you avoid Kee learning bad forms that are only present during password modification.
Thank you in advance for the clarification,