Methods for entering credentials into browser pages

[LMurphy001]

I'm a longtime user of Keepass trying out KeepassXC (again). I like that KeepassXC is available on Windows, MacOS, and Linux. It's more modern than Keepass. The default auto-type sequence doesn't have {Enter} on the end of it. I easily switched from matching on Title to matching on URL, which I think is safer. Also, I really like the ease of installing and using the KeepassXC-Browser Firefox add-on.

I am using Firefox on Windows 10. Methods for entering credentials:

1. Manually: In KeepassXC, find the entry, and reveal the password. Switch to Firefox and type the username and password I see in KeepassXC into Firefox login form.
2. Clipboard: Open the login page in Firefox. Find the entry in KeepassXC. Switch back and forth between the two apps, using the clipboard to transmit credentials from KeepassXC to Firefox.
3. Auto-type: This mostly works. I have a lot of entries with customized sequences, and I'd like to find all of them and take out the {Enter} key press after the password. I've disabled matching on Title and I'm only matching on URL, and this mostly eliminates the problem I had in Keepass with the wrong credentials being entered into the wrong websites.
4. Browser integration with these boxes unchecked: "Auto-submit login forms", "Automatically fill in single-credential entries", and "Automatically fill in HTTP Basic Auth dialogs and submit them." This method has worked best for me.

Question 1: Did I miss any methods to transmit creditials from KeepassXC to Firefox?

Question 2: How would these be ranked, from most secure to least secure?

Question 3: Is there a way to define multiple URLs for an entry? Some sites have multiple URLs as portals and I don't know how to get KeepassXC to recognize these secondary login pages. For example, if a site times me out, it could go to a page that says "You have been logged out" and then on that same page presents username/password fields. At the moment, I have to return to KeepassXC, find my entry, click the url, and login from there.

Question 4: I am pretty sure that the default auto-type sequence in KeepassXC leaves off the {Enter} key. How can I find all entries that are not using the default template? I want to edit them and remove the {Enter} key.

Question 5: Is it safe to use auto-type for some entries and browser integration for others?

[droidmonkey]

1. You got em all

2. Method 1 and 3 are the same thing, method 4 is as secure as we can get it with a browser, method 2 is least secure.

3. Use the browser integration option on the left hand side when editing an entry (also check out the user guide)

4. The default sequence includes {ENTER} just like KeePass. You can change the default for all your entries by editing the root group and defining a new default with the enter.

5. Yes you pick your risk model and usage.

[LMurphy001]

Thanks! I found the box to add multiple URLs for each entry.

If I understand correctly, 1 and 3 are most secure. 4 is less secure. 2 is least secure.

I'm going to try to go with method 3- Autotype. I've uninstalled the extension and turned off browser integration in KeepassXC.

I am looking for a way to associate three keyboard shortcuts to each of: 1) Auto-type username, 2) Auto-type password, 3) Auto-type totp.

In KeepassXC Settings, I could define shortcuts:
Ctrl-Alt-U = Confirm: "Auto-type username into the previously active window" If Yes, then it auto-types {USERNAME}

Ctrl-Alt-P = Confirm "Auto-type password into the previously active window" If Yes, then it auto-types {PASSWORD}

Ctrl-Alt-T = Confirm "Auto-type TOTP into the previously active window" If Yes, then it auto-types {TOTP}

Having control over the individual field auto-typing would give me more precision on the login form in the browser. It's similar to being able to click the green & white key symbol when using the browser extension. I think it might be more secure, easier to set up, and after I learn the keyboard shortcuts and the flow of it, it would be more efficient.

Does this functionality exist already? I looked in https://keepassxc.org/docs/KeePassXC_UserGuide.html#_keyboard_shortcuts but have not found anything.

If it doesn't exist, is it okay to request a feature addition?

Thank you!

[droidmonkey]

Just use the global shortcut, select the entry you want in the dialog, press Ctrl+1 to type username, Ctrl+2 for password, and Ctrl+3 for TOTP. You can also define three sequences that are just those tokens. We have decided against dedicated global shortcuts.

[LMurphy001]

Thanks for all your replies. I'm going to mark this as answered. However, I'm going to open a separate discussion about behavior of Global Auto-Type Shortcut.

THANK YOU!

[LMurphy001]

Now that I am leaking the URL - or at least parts of it - from the browser's window title, I disagree with the statement that 1 and 3 are the same.

I've been trying out a very simple add-on, "Hostname in Window Title," which allows me to expose parts of href in the browser's window title. Method 3 is working much better, now that it doesn't bombard me with choices.

I understand what Keepass/Keepassxc requires more than what's built into the browser so it can narrow down the list to one entry. I realize Method 1 is more private than Method 3, and is probably more secure than 3.

However, Method 1 is too difficult to achieve for me, and others in my family would never be able to do it. They'd rather have the data written down on paper and not use a password manager.

I will experiment a bit more with Method 3 - Auto-Type - but without the extension which exposes information from within the browser into its Window title bar. This still has problems, however.

A bad actor's website can spoof a legitimate website by mimicking its <title> html tag... not good.

I wish that the browser itself exposed a private and secure method for KeePass/KeePassXC to match up entries, required my permission to use it, and didn't leak the information to anything else I to which I'd not given permission. Mozilla is usually at the forefront of allowing users control of these things.

Without this interface, a good forgery sitting on a typo-squatting page is a bit dangerous without such handshaking and authentication.

Thank you!
Will work with method 3 a bit longer.

[droidmonkey]

I disagree with the statement that 1 and 3 are the same

From a data entry perspective they are the same. Obviously the computer, automated process needs to know what you, the human, want it to do. So you need to give it enough information (window title in this case) to get the job done.

Hostname in window title is NOT based off of an html element and cannot be spoofed. It takes the url hostname in the address bar and adds it to the window title.

If you really want anti phishing protection then you need to use our browser extension which strongly binds the websites url with access to credentials. Typo squatting would not find credentials in the database.