Placeholder handling


#1

KeePass placeholders are a powerful feature that can save time configuring and maintaining large password databases and add custom behaviour to suit your workflow and preferences.

Since KeePassRPC 1.8, you can use placeholders anywhere that you would normally include a form field value. This includes the standard KeePass username and password fields as well as any custom form field that you configure for an entry.

Warnings

⚠️ General use of placeholders

It is possible to configure your entry form fields with placeholders that reveal information you did not intend to reveal. The scope of what can be revealed is as wide as the entire contents of your password database and even some information about your computer. You can view the documentation on the KeePass website to see what information can be accessed using placeholders.

⚠️ Plugin placeholders

Some plugins enable additional placeholders. You should ensure that you understand the security impact of using these plugins and weigh that against any perceived increased convenience. For example, the KeeOTP plugin allows you to store the information required to use your KeePass database as a 2nd factor authentication token.

This essentially guarantees account compromise if your password database is compromised, negating one of the protections of multiple factor authentication. In some targeted social engineering attack scenarios you may not even need to intentionally utilise the corresponding placeholder ({TOTP}) in order to allow an attacker to authenticate as you.

This is a complex topic and one that is not specific to this one example plugin so you should ensure you understand the risks before proceeding.

Limitations

It is not possible to execute local programs. The {CMD... KeePass placeholder is disabled for security reasons.

Enabling the feature

This feature is disabled by default and can be enabled in one of two ways:

For the entire database

This is not recommended because it significantly lowers the barrier for an attacker to access your data (explained in the warnings above).

If you do need to enable it (perhaps for test purposes or in already low-security environments) you can do so via KeePass > File > Database settings… > Kee tab > KeePass placeholder tab.

The following screenshot of the Database Settings dialog illustrates this.


For individual form fields

Open and edit the specific entry in KeePass and then:

  1. Click on the Kee tab
  2. Click on the Form fields tab
  3. Select the form field that contains the placeholder (in this example, the main KeePass username field)
  4. Click on the Edit button
  5. Click on the Enable radio button

Then click OK until you’re back to the main KeePass window and save the changes to your database.

The following screenshots courtesy of @proxymus illustrate the main steps in the process.



Finding entries that contain placeholders

To aid with migration from KeePass 1.7 or earlier, you may want to find all entries that contain placeholders.

We’re not aware of any specific support for this functionality within KeePass but using a regular expression in the find window should get you pretty close:

You could also search “Other fields” but this will find all entries with Kee configuration data (and probably that of other KeePass plugins too) so if you need to do this, you will most likely need to build some far more complex regular expressions to ensure you don’t have an unmanageable number of false positive matches.

Examples

TODO: Examples such as {TOTP}


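
For the "Finding entries that contain placeholders" section and the warnings above it, an added example (not part of the original documentation, and not the regular expression that section refers to): a Python script that scans a KeePass 2.x XML export for placeholder-shaped text, including inside custom fields, and labels the kinds this page discusses. The sample XML, the `PluginConfig` field name and the pattern itself are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like a KeePass 2.x XML export; every value is made up.
# "PluginConfig" is a hypothetical stand-in for JSON a plugin keeps in a custom field.
SAMPLE_XML = """<KeePassFile><Root><Group>
<Entry><String><Key>Title</Key><Value>Master SSO account</Value></String>
  <String><Key>UserName</Key><Value>alice</Value></String>
  <String><Key>Password</Key><Value>constructed{}pw</Value></String></Entry>
<Entry><String><Key>Title</Key><Value>Intranet wiki</Value></String>
  <String><Key>UserName</Key><Value>{REF:U@I:0123456789ABCDEF0123456789ABCDEF}</Value></String>
  <String><Key>Password</Key><Value>{REF:P@I:0123456789ABCDEF0123456789ABCDEF}</Value></String>
  <String><Key>PluginConfig</Key><Value>{"fields":[{"id":"otp","value":"{TOTP}"}]}</Value></String></Entry>
<Entry><String><Key>Title</Key><Value>Legacy launcher</Value></String>
  <String><Key>URL</Key><Value>{CMD:/example/}</Value></String></Entry>
</Group></Root></KeePassFile>"""

# Heuristic: "{NAME}" or "{NAME:args}". Requiring a letter right after "{" skips
# JSON braces such as {"fields": ...} but still sees placeholders inside the JSON.
PLACEHOLDER = re.compile(r"\{([A-Za-z][A-Za-z0-9_-]*)(?::[^{}]*)?\}")

# Notes for the placeholder kinds named on this page; anything else is "other".
NOTES = {
    "REF": "field reference: reads a field of another entry",
    "TOTP": "plugin placeholder: emits a one-time code",
    "CMD": "local command: disabled by KeePassRPC",
}

def find_placeholders(xml_text):
    """Return (entry title, field name, placeholder name, note) for each match."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("Entry"):
        fields = {s.findtext("Key"): s.findtext("Value") or ""
                  for s in entry.findall("String")}
        title = fields.get("Title", "(untitled)")
        for key, value in fields.items():
            for match in PLACEHOLDER.finditer(value):
                name = match.group(1).upper()
                note = NOTES.get(name, "other: see the KeePass placeholder docs")
                findings.append((title, key, name, note))
    return findings

if __name__ == "__main__":
    for finding in find_placeholders(SAMPLE_XML):
        print(" | ".join(finding))
```

To audit a real database, pass the text of your own export to `find_placeholders`; the export holds every secret in plaintext, so keep it on trusted storage and delete it afterwards.
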
#2

So this is why the placeholder entries I have set up to use the credentials from one “master” account entry across several domains (each with a different URL having “single sign on”) stopped working. Kee(Fox) entered the literal field ref {REF:U:xxxx} instead of my username and password after updating to 1.8.
Enabling “KeePass placeholders” for the entire database did the trick. But I do not want to disregard the warnings… so what would be the trick to enable the placeholders for individual form fields? (I guess I am just requesting to do the TODO :) )

thanks!
Theun


#3

I’ve filled in the TODO for the individual form field configuration section now.


#4

While this could almost certainly use improvement and clarification, for people wanting to start using TOTP auto-entry, some basic instructions I wrote for a KeeTrayTOTP GitHub issue (placeholder may vary for other plugins):

You’ll need to add the TOTP fields to Kee’s id/field listing in the browser plugin’s configuration. Different sites will likely use different field IDs, since TOTP doesn’t seem to have any standardized field name. (If you need that ID, right click the field itself and inspect element to see the code that defined it.) Once you’ve added it there, go to the specific entry you want to enable TOTP entry through in KeePass. Kee tab > form fields subtab > Add. Name can be anything (I just name these all TOTP), Name is the field name. ID is the field ID, Value (assuming you haven’t changed KeeTrayTOTP’s default placeholder in settings) is {TOTP}. Make sure you click the Enabled radio for use of placeholders with this entry.