Keepassxc: [Feature Request - Windows] Add support for Windows Secure Desktop when entering master password

Created on 21 Aug 2019 · 31 comments · Source: keepassxreboot/keepassxc

Summary

KeePass 2.x has a feature whereby the application takes the user to a "secure desktop" space to enter the master password. Per their documentation, this theoretically makes it harder (but not impossible) for keyloggers to log a user's master password. Like KeePass 2.x, this should probably be an "opt-in" feature.

This StackExchange post seems to do a good job in explaining how the mechanism works.

Desired Behavior

Upon launching KeePassXC with the feature enabled, the application should take the user to a "secure desktop" session. Appearance wise, this would look a lot like a regular UAC prompt, but with the password database login window instead of the usual UAC window. Here's what it looks like in KeePass 2.x.

[screenshot: KeePass 2.x master password prompt on the secure desktop]

Possible Solution

No idea what work might be involved in implementing this, sorry 😕

Context

The main reason I'm requesting this is to regain feature parity with the original KeePass application. Secondarily, I think this will make the application slightly more secure against keyloggers.

Label: new feature

All 31 comments

Based on the linked article you provided, KeePass is really just operating security theater with their "secure desktop". I very highly doubt this would protect you from key loggers. There is no capability in Windows to provide a proper secure desktop outside of system level processes. In fact, we protect our memory such that attacks on the running KeePassXC process are impossible without administrative permissions.

TL;DR: we are not going to implement security theater. If your computer has a key logger installed, it's game over no matter what you try to do.

I don't think this is just security theater. It may not protect against keyloggers, but it _does_ provide some protection against intentional or accidental phishing by:

  1. Greying out the entire screen in a way which can't be emulated by (for example) a phishing website
  2. Preventing other applications (like chat applications) from (unintentionally) stealing focus and capturing the user's password as they enter it

Probably not a _huge_ deal, but I don't think it's entirely useless either.

I also support and request this feature.
As far as I know the secure environment is a feature provided by Windows, so Windows makes sure that the environment is secure (this is not a feature of the application that calls the secure mode).

@droidmonkey can you please re-open the issue, so we can discuss it.
And maybe someone will donate to it.
Thank you!

I searched for "windows secure desktop" and found this article (but did not read it):
https://security.stackexchange.com/questions/3759/how-does-the-windows-secure-desktop-mode-work

Maybe this gives you more information

I've read all of that. You basically request windows to create a new desktop that then owns the window you want to secure. That desktop is owned and started by the SYSTEM user. However, that still does not protect you from a keylogger while using your database after you log into it. Any keylogger that has root access will also bypass protection provided by this alternative desktop. If someone else implements it I'd merge into the baseline.

Thank you, @droidmonkey for re-opening it.

I believe what you say (you are a developer, I develop only as a hobby and in Lazarus, a pascal IDE).
And I am far away from being a good developer, so you are the expert!

At the KeePass website I read:

Benefit. Most currently available keyloggers only work on the user's primary desktop and do not capture keypresses on the secure desktop. So, the secure desktop protects the master key against most keyloggers.

If this is true (that this feature can prevent some keyloggers) then this feature increases the security.
Because some (not all) keyloggers are not working on the secure desktop.

Thank you, @droidmonkey for the video.
For me it is really hard to follow the video (first speaker speaks only Spanish, and at the second speaker I did not get all content).

But I learned that they created a keylogger process on every desktop, and if KeePass creates a secure desktop, then the keylogger is already there and listening.

I also saw (and I hope I understood this correctly) that 1Password also allows unlocking on the secure desktop and that it alerts the user if there is any other process (other than 1Password.exe) running on the secure desktop.
And users can allow or deny the process:

[screenshot: 1Password warning about another process on the secure desktop]

Users get an alert that there is another app running in the secure desktop and they know that something might be wrong with the system.
So such a warning would make the secure desktop much safer.

My suggestion is that you also implement the secure desktop feature in combination with such a warning, because:

  • the secure desktop is safer than the normal desktop (some keyloggers are not working in secure desktop environments)
  • the secure desktop with such a warning is safer than the normal secure desktop without a warning

So this feature increases the security in comparison to a normal desktop.
I know that this is not 100% secure, but it is more secure than the normal desktop!

By the way: after 51:38 in the video the speaker talks about a "bypass" and "wait some seconds" but I don't understand everything (it seems that the 1Password protection can be bypassed by waiting a few seconds and then starting the keylogger).
But I think the text I wrote above (that it is more secure) is still valid.

Sorry I did not know it was in Spanish! I also found a pdf file from black hat that I'll post later.

That one's Google-translated, isn't it? :see_no_evil:

Thank you, @droidmonkey

Here is the PDF I found earlier: https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Bypassing-the-Secure-Desktop-Protections-Slides.pdf

That blackhat presentation lays out the problem nicely and also highlights the solution mentioned by @OLLI-S. (also video in english here: https://youtu.be/pEHrwR7WyyA )

So long as Keepass checks that it is the only running process in the secure desktop, the demonstrated vulnerability is mitigated.

The original implementation of the secure desktop entry is in ProtectedDialog.cs, a mirror of which is at https://github.com/dlech/KeePass2.x/blob/VS2019/KeePass/UI/ProtectedDialog.cs
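As an added illustration of the two ideas in this thread (create a private desktop for the password prompt, and refuse to use it unless the application is alone on it), here is a small Windows program in C#. It is not KeePass's ProtectedDialog.cs and not KeePassXC code. Assumptions: the GENERIC_ALL access mask is sufficient for creating, switching to and enumerating the new desktop; the desktop name is a constructed value; and, because Windows has no direct "processes on this desktop" query, the check enumerates top-level windows and maps them to their owning process IDs, so a hook-based logger that creates no window is not caught by it, which matches the thread's point that this is a mitigation rather than a guarantee.

```csharp
// Added example (not KeePass ProtectedDialog.cs, not KeePassXC code).
// Creates a private desktop, checks that no other process owns a window on it,
// switches the user there to show a stand-in dialog, re-checks, and switches back.
// Windows only; build with csc or `dotnet build`.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;

static class SecureDesktopDemo
{
    // Assumption: GENERIC_ALL is enough for create/switch/enumerate on the new desktop.
    const uint GENERIC_ALL = 0x10000000;
    const uint MB_OK = 0x00000000;

    delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateDesktop(string lpszDesktop, IntPtr lpszDevice, IntPtr pDevmode,
                                       uint dwFlags, uint dwDesiredAccess, IntPtr lpsa);
    [DllImport("user32.dll", SetLastError = true)] static extern bool SwitchDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)] static extern bool SetThreadDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)] static extern IntPtr GetThreadDesktop(uint dwThreadId);
    [DllImport("user32.dll", SetLastError = true)] static extern bool CloseDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool EnumDesktopWindows(IntPtr hDesktop, EnumWindowsProc lpfn, IntPtr lParam);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int nMaxCount);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int MessageBox(IntPtr hWnd, string text, string caption, uint type);
    [DllImport("kernel32.dll")] static extern uint GetCurrentThreadId();

    // Every top-level window on hDesktop that is NOT owned by this process.
    // Assumption: window ownership is the observable proxy for "another process is
    // present on the desktop"; a hook with no window of its own is not caught here.
    static List<string> ForeignWindows(IntPtr hDesktop)
    {
        var hits = new List<string>();
        uint self = (uint)Process.GetCurrentProcess().Id;
        EnumDesktopWindows(hDesktop, (hWnd, _) =>
        {
            GetWindowThreadProcessId(hWnd, out uint pid);
            if (pid == self) return true;          // our own window, keep enumerating
            var cls = new StringBuilder(256);
            GetClassName(hWnd, cls, cls.Capacity);
            string name;
            try { name = Process.GetProcessById((int)pid).ProcessName; }
            catch (ArgumentException) { name = "<exited>"; }
            hits.Add($"pid {pid} ({name}) class '{cls}'");
            return true;                           // continue enumeration
        }, IntPtr.Zero);
        return hits;
    }

    static int Main()
    {
        IntPtr original = GetThreadDesktop(GetCurrentThreadId());
        // Constructed name; the random suffix avoids reusing a desktop created by someone else.
        string name = "PwEntry-" + Guid.NewGuid().ToString("N");
        IntPtr secure = CreateDesktop(name, IntPtr.Zero, IntPtr.Zero, 0, GENERIC_ALL, IntPtr.Zero);
        if (secure == IntPtr.Zero)
        {
            Console.Error.WriteLine("CreateDesktop failed, error " + Marshal.GetLastWin32Error());
            return 1;
        }

        // First check: is anything already waiting on the freshly created desktop?
        var before = ForeignWindows(secure);
        if (before.Count > 0)
        {
            Console.Error.WriteLine("Refusing to use desktop; other windows present:");
            before.ForEach(Console.Error.WriteLine);
            CloseDesktop(secure);
            return 2;
        }

        if (!SwitchDesktop(secure)) { CloseDesktop(secure); return 3; }

        // Windows belong to the desktop of the thread that creates them, so the
        // stand-in "master password dialog" runs on a fresh thread bound to `secure`.
        var ui = new Thread(() =>
        {
            if (!SetThreadDesktop(secure)) return;
            MessageBox(IntPtr.Zero, "Master password dialog would be here.", "Secure entry (demo)", MB_OK);
        });
        ui.Start();
        ui.Join();

        // Second check, before leaving: did anything join us while the dialog was open?
        var after = ForeignWindows(secure);
        SwitchDesktop(original);                   // always return the user to the normal desktop
        CloseDesktop(secure);
        if (after.Count > 0)
        {
            Console.Error.WriteLine("WARNING: other windows appeared on the secure desktop:");
            after.ForEach(Console.Error.WriteLine);
            return 4;
        }
        Console.WriteLine("Secure desktop session completed with no foreign windows.");
        return 0;
    }
}
```

The check runs twice on purpose: once before the user is moved to the new desktop (the "keylogger already waiting on every desktop" case from the video) and once after the dialog closes (the "wait a few seconds, then start" case). A real implementation would show the second warning to the user and treat the entered password as possibly exposed rather than just printing to stderr.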

Besides all the security points, there is one huge advantage with a secure desktop while entering your password. No other program pops up in the middle of typing and steals your typing focus. I experience this all the time with KeePassXC and it is so annoying. I start some programs, one of the programs is KeePassXC. KeePassXC is ready and I start to enter my password. Then, while I'm typing, Firefox or some other program pops in front and I type the last part of the password in the newly opened program. This can't happen with an exclusive (secure) desktop.

This also happens to me (at start-up of my PC I start many apps and I type some parts of the master password in other applications).
So @burn2k is totally right, the Secure Desktop would solve this problem...

I don't understand this use case. Why would you unlock your database before you need it? Unlocking my database is never the first thing I do after booting the PC, so I've never seen anything pop up in front of KeePassXC.

It can also happen if your computer is already completely booted. For example, if you start Firefox and KeePassXC at the same time, normally KeePassXC is faster and I start typing my master password. If I'm not fast enough or if I don't wait for Firefox to start first, then I end up typing the password in Firefox. Hope this example helps you to get a better understanding of this use case.

I have several apps that automatically start with Windows.
For example SUMo, MailWasher, KeePassXC, Microsoft PowerToys and others.
When I focus KeePassXC to enter my master password, it happens that while typing another app gets the focus and so I enter parts of the password in the other app.
This happens very often at my office PC that currently has a slow VPN connection (Home-Office).

Still no update on this?
The only reason I still use KeePass is because of the extra security features over XC.
However minimal, the point of a password manager is extra security.
Please implement secure desktop.
Attached are AceSecurity.cs, aceui.cs and securetextboxex.cs from the KeePass source; they seem to be the secure desktop stuff. I'm not smart, but I am pushy :p

So you are OK with any userspace app being able to read the entire memory contents of KeePass, but not OK with KeePassXC not having a marginally more secure "secure desktop" entry for the master password.

It's supposed to be encrypted in RAM, unless you view the passwords. It's supposed to be encrypted in the clipboard too, and supposedly modern browsers/sites encrypt password field entries as well as hiding the passwords. Modern antivirus also runs web browsers in an isolated environment etc.
Why wouldn't you isolate your password manager's master key?

You have a lot to learn grasshopper, nothing you wrote is true

Well according to keepass's faq it stays encrypted unless revealed.
Kaspersky Safe Money says it runs your web browser in an isolated environment.
Sys is much more secure than local user.

I suggest you try a memory inspector on KeePass. Everything there is readable by any process of the same user without any special privileges, including the master password. KeePassXC is in fact more secure in the regard. The clipboard is never encrypted, as that would defeat its whole purpose.

Please suggest a windows executable for inspecting memory.
HeapMemView doesn't see keepass
RamMap does, but I don't believe there's a way to inspect the data with it[?]
As for clipboard encryption, there are methods to do so. But pasting would require decryption.

Process hacker

Well I dumped keepass then viewed in a hex editor, and there's nothing useful. Do you have some post/article about viewing keepass passwords in memory?
As stated in keepass faq I can view email/username/site/autotype/notes/creation date/.... but not any passwords.

OK we are way off topic but this is important. To be clear, merely unlocking the database is not enough to expose passwords in memory thanks to KeePass's "in-memory" encryption. However, the moment you interact with a password (Copy, Auto-Type, reveal it, edit it, etc) it will stick in memory and stay in memory even after database lock. Here is how you can see this:

[four Process Hacker screenshots of KeePass 2.x memory, taken after the database was locked]

These screenshots in Process Hacker were taken AFTER the database was locked.

Keepass says it overwrites all mem on exit, it too is encrypted with DPAPI. "Furthermore, KeePass erases all security-critical memory (if possible) when it is not needed anymore, i.e. it overwrites these memory areas before releasing them."
Sounds like XC is easily exploitable and fans here are deflecting.

What are you talking about, those screenshots from process hacker are for KeePass2, not KeePassXC. It is impossible to read the memory of KeePassXC without administrative access, try it for yourself.

If we can return to the topic and stop discussing who is the best password manager...

...I too would like to see this feature. Mainly to be sure to always have the focus on XC when entering the master password while multiple apps are open, especially during boot, as has already been pointed out.
And yes, it's known that Secure Desktop is not the ultimate security feature and has its limits. But it's still a big help against "dumb" and basic malware / script kiddies, especially if implemented with the 1Password method.

Looking forward to seeing this implemented! Take this as a bump with a bit of a recap of the thread.
