Release notes - KeePassRPC 1.8.0

To ensure KeePassRPC clients such as Kee continue to work when you next upgrade KeePass, you should install this new version of KeePassRPC soon. If you have enabled KeePass update checks, you will be notified soon.

There are dozens of other improvements in this version; although many are focussed on power users and some of the information below is therefore a little jargon-heavy, there should be at least a few additional benefits for everyone.

Instructions

Follow the usual Upgrading KeePassRPC instructions.

Highlights

  • Works with KeePass 2.39
  • Complete support for KeePass placeholders in any form field
  • Enhanced entry URL matching control
  • Improved entry matching accuracy and speed
  • Extra protection against targeted social engineering attacks

KeePass 2.39 support

The future KeePass version 2.39 will include a change that prevents older versions of KeePassRPC from working. To ensure KeePassRPC clients such as Kee continue to work when you upgrade KeePass, you should install this new version of KeePassRPC soon.

If you wait until you upgrade to 2.39, you will be shown an error message explaining that the old version of KeePassRPC “is incompatible with the current KeePass version”. Updating KeePassRPC after this error message has appeared is safe, if a little more disruptive.

Thanks to @dlech for the code to support this change.

Placeholders (aka. Field References)

Placeholder support has been present for many years but there were a few places where it would not work. A rewritten implementation of this feature now enables support on any form field.

If you previously used placeholders, you will need to enable them on each form field that you want them to function on. Alternatively, although recommended only as a stop-gap, you can re-enable placeholders for all form fields in the new KeePass > File menu > Database Settings... > Kee tab.

More details about placeholders, why and how to use them can be found on the new documentation page.

Enhanced entry URL matching control

The existing fine-grained control over how closely the URLs of an entry need to match the web page URL being searched for allows for the greatest possible level of control. However, a significant minority of people have different needs, and KeePassRPC 1.8 now includes two broader configuration options that allow those needs to be met with far less clicking around configuring hundreds of individual entries.

  1. Default matching behaviour

    You can now set a default behaviour for all newly created KeePass entries. If you don’t change this setting, the default behaviour of matching by the web site’s domain name will continue just as with earlier versions of the plugin.

    The setting will also apply to KeePass entries that do not already contain configuration settings specifically for KeePassRPC/Kee, although it is not trivial to identify which entries this includes.

  2. Per-domain matching behaviour

    You can also set a default behaviour when searching for entries that match a specific domain name.

For both of the above, and just like with individual entries, you can choose to match the URL’s domain, hostname or the exact address.

The minimum similarity required for a match is determined by looking for the first place that contains a configuration setting in the following order:

  1. The domain of the URL that is being searched for
  2. The individual entry
  3. The database default setting

Note that this allows individual entries to behave differently when accessed from different websites (in the case where you have multiple URLs attached to that entry) allowing for some truly powerful configuration options that will be especially useful for large enterprises.
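The three-level precedence above (domain of the page being searched for, then the individual entry, then the database default) combined with the domain / hostname / exact match levels is easy to get wrong when configuring many entries, so here is a worked model of it. This is an added example, not code from KeePassRPC; the PSL subset, the sample database and the treatment of a bare host as `https://` are all constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (PSL), enough for this example.
# The real list has thousands of rules plus wildcard/exception rules, which
# this illustration does not implement.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "io", "github.io"}


class Accuracy(Enum):
    DOMAIN = "domain"      # registrable domain must match (example.org)
    HOSTNAME = "hostname"  # full hostname must match (wiki.example.org)
    EXACT = "exact"        # scheme, host, port and path must all match (query ignored)


def _normalise(url: str) -> str:
    # Assumption: a bare host such as "wiki.example.org" is treated as https.
    return url if "://" in url else "https://" + url


def registrable_domain(host: str) -> str:
    """Return the PSL-based registrable domain, e.g. 'b.co.uk' for 'a.b.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    # Longest public suffix wins, so scan from the full host towards the TLD.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # One label to the left of the suffix is the registrable domain;
            # a host that is itself a public suffix has no registrable domain.
            return ".".join(labels[i - 1:]) if i > 0 else ""
    return ".".join(labels)  # no PSL rule: treat the whole host as the domain


@dataclass
class Entry:
    title: str
    urls: list[str]
    accuracy: Accuracy | None = None  # None: entry carries no Kee-specific config


@dataclass
class Database:
    entries: list[Entry]
    default_accuracy: Accuracy = Accuracy.DOMAIN
    domain_accuracy: dict[str, Accuracy] = field(default_factory=dict)


def resolve_accuracy(db: Database, entry: Entry, page_url: str) -> Accuracy:
    """Precedence from the release notes: page domain, then entry, then database default."""
    page_domain = registrable_domain(urlsplit(_normalise(page_url)).hostname or "")
    if page_domain in db.domain_accuracy:
        return db.domain_accuracy[page_domain]
    if entry.accuracy is not None:
        return entry.accuracy
    return db.default_accuracy


def url_matches(entry_url: str, page_url: str, accuracy: Accuracy) -> bool:
    e, p = urlsplit(_normalise(entry_url)), urlsplit(_normalise(page_url))
    e_host, p_host = (e.hostname or ""), (p.hostname or "")
    if accuracy is Accuracy.EXACT:
        return (e.scheme, e_host, e.port, e.path or "/") == (p.scheme, p_host, p.port, p.path or "/")
    if accuracy is Accuracy.HOSTNAME:
        return e_host == p_host
    return registrable_domain(e_host) == registrable_domain(p_host)


def find_matches(db: Database, page_url: str) -> list[str]:
    """Titles of entries that match page_url at the accuracy resolved for each entry."""
    return [
        entry.title
        for entry in db.entries
        if any(url_matches(u, page_url, resolve_accuracy(db, entry, page_url)) for u in entry.urls)
    ]


# Constructed sample database mirroring a "one entry per subdomain" setup.
SAMPLE_DB = Database(
    entries=[
        Entry("Wiki", ["https://wiki.example.org/"]),
        Entry("Cloud", ["https://cloud.example.org/"]),
        Entry("Webmail", ["webmail.example.org"]),
        # Entry-level DOMAIN setting, but the per-domain rule below takes precedence.
        Entry("Shared intranet", ["https://intranet.example.org/"], Accuracy.DOMAIN),
        Entry("Shop", ["https://example.com/"]),
        Entry("Bank", ["https://bank.co.uk/login"], Accuracy.EXACT),
    ],
    default_accuracy=Accuracy.DOMAIN,
    domain_accuracy={"example.org": Accuracy.HOSTNAME},
)

if __name__ == "__main__":
    for page in ("https://wiki.example.org/Main", "https://login.example.com/", "https://bank.co.uk/other"):
        print(page, "->", find_matches(SAMPLE_DB, page))
```

Note that the per-domain rule is keyed on the domain of the page being visited, so when the page is on `example.org` every entry is evaluated at hostname accuracy, including the "Shared intranet" entry whose own setting says domain; the same entry would be matched by domain again when reached from a page on some other domain that has no per-domain rule.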

Improved entry matching accuracy and speed

In a small number of cases, limitations surrounding the detection of the domain name within a URL will have caused lower quality entry matching. Most of the time this would result in better matches being ranked below lower-quality matches but in one or two cases it may have resulted in entries being entirely omitted from search results.

A revamped domain name detection feature resolves the above issue and now fully meets the current PSL specification, including some additional improvements regarding international domain names. It also brings significant performance improvements, which will help KeePassRPC deliver results to Kee more quickly.

There is also a small improvement to the matching behaviour of default usernames and passwords (that is, ones that were created through KeePass rather than Kee and have never been specifically configured for use by Kee). In rare cases this might cause a lower quality match to be selected - if that happens it indicates that your entries were configured incorrectly previously, probably in your attempt to work around this rare situation. In a future version of Kee we will be able to build upon this change to provide slightly improved matching accuracy across the board.

Extra defences against targeted social engineering attacks

Firstly, in earlier versions of KeePassRPC a malicious KeePassRPC client might have been able to modify the text displayed on the dialog asking for authorisation to connect to the KeePassRPC server (beyond the designed ability to name and describe itself in any way it wants). This version of KeePassRPC contains a few mitigations against that unlikely possibility in order to reduce the theoretical risk of human error leading to data compromise. Specifically, we will now:

  1. Warn you of a missing client name or description
  2. Limit client names to letters, digits, ‘-’ and ’ ’ (space) characters
  3. Ensure that at least one chunk of informational text on the “Authorise a new connection” dialog contains no strings supplied by the client
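As an added example (not KeePassRPC's own code), the three mitigations listed above can be modelled as a validation step plus a dialog renderer in which the first block of text is always server-supplied and the client-supplied strings are labelled and escaped. The fixed notice text and the exact character class are assumptions; the page says only "letters, digits, '-' and ' '", not whether that is ASCII-only or Unicode-aware.

```python
# Constructed: a sentence that is always rendered verbatim by the server, so at
# least one block of the dialog never contains text chosen by the client.
FIXED_NOTICE = ("A program on this computer is asking to connect to KeePassRPC. "
                "Only authorise it if you started that program yourself.")


def allowed_name_char(ch: str) -> bool:
    # Letters, digits, '-' and ' ' only (assumption: Unicode-aware letter/digit test).
    return ch.isalpha() or ch.isdecimal() or ch in "- "


def check_client_identity(name: str, description: str) -> list[str]:
    """Return warnings to show on the authorisation dialog; an empty list means clean."""
    warnings = []
    if not name.strip():
        warnings.append("The client did not supply a name.")
    elif not all(allowed_name_char(c) for c in name):
        bad = sorted({repr(c) for c in name if not allowed_name_char(c)})
        warnings.append("Client name contains disallowed characters: " + ", ".join(bad))
    if not description.strip():
        warnings.append("The client did not supply a description.")
    return warnings


def render_dialog(name: str, description: str) -> list[str]:
    """Dialog lines: fixed server text first, then warnings, then labelled client text."""
    lines = [FIXED_NOTICE]
    lines += ["WARNING: " + w for w in check_client_identity(name, description)]
    # repr() keeps the client strings quoted and shows control characters such
    # as newlines escaped, so they cannot be laid out to look like server text.
    lines.append("Client name: " + repr(name))
    lines.append("Client description: " + repr(description))
    return lines


if __name__ == "__main__":
    for line in render_dialog("Kee", "Browser extension"):
        print(line)
    print("---")
    for line in render_dialog("Kee\nverified", ""):
        print(line)
```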

Secondly, the improvements to placeholder handling help us to prevent some classes of information disclosure attack by malicious or compromised websites. Again, any risk depended upon human error as well as, most likely, the compromise of one or more remote websites. Nonetheless, it was theoretically possible that a sophisticated combination of targeted social engineering and compromise of a previously trusted website could lead to information beyond that contained within the specific entry for that website being revealed. The scope of what can be revealed is identical to that supported by the KeePass placeholder system. The most relevant changes to mitigate this risk are that placeholder handling is now disabled by default and that the documentation for this feature now includes prominent warnings.

Configuration changes

Some of the improvements in KeePassRPC 1.8 result in modifications to internal configuration stored within your database. Loading your database with an older version of KeePassRPC installed may delete some configuration changes you make using the new version so we strongly recommend taking a backup of your database before upgrading and simultaneously updating KeePassRPC on all computers that you will use to open that database.

Other changes

  • KeeFox branding replaced with Kee
  • You can now remove the “Kee” group from your database if you’re not using it (and move the still-useful “Kee Generated passwords” group to whichever part of your database that you want)
  • New JSONRPC API endpoints for retrieving even entries that have no URL: GetAllEntries / GetAllChildEntries
  • Replaced mentions of the “start group” with “home group”
  • Prevent a crash when Page number on form field editor is invalid (#20)
  • Fixed a bug where the username displayed in a Kee search result may be different to the one that gets filled in when that entry is auto-filled (only in the relatively rare case when there are multiple usernames configured on the single entry and one has no Kee configuration)
  • Various other UI improvements: Better sizes for some dialogs, better layout for others, clearer instructions and less jargon in others
  • Various code quality improvements: Disposing more objects (thanks to @manuc66); lots of new automated tests; removed all the obsolete KeePass API calls that we can

Thanks for upgrading something in the chain of Firefox extension-RPC-Kee.

After all of it could not handle Intel.com login properly, I snapped and replaced all of this with the KeepassXC system. For a rational and argumented reason of behaving crazy: not functioning properly on pages like Intel.com, opening 15 requesters to enter the code from the Kee connector, etc. It was getting too stupid to keep it on a production machine, at least on my system. (No, any troubleshooting failed.)

Therefore, I welcome the improvements and keep one eye on the development.

It might even have an entry way back to a production machine some time later on some idle moment.

Where is the setting where I can change the default URL accuracy matching behaviour for new entries?

Also, the per-website setting does not seem to work. Or I am too stupid to figure out how. Use case: I have several subdomains {wiki,cloud,webmail}.{domain} and I want the entries to only pop up for the correct subdomain. I thought that what I do is to change the setting for {domain} (without https://) and select matching “by hostname”. That doesn’t seem to have any effect. Next I tried {subdomain}.{domain} both with and without https prepended; that didn’t work either.

What do I have to do to make it work?
