Value of a Password Field is not Protected
Hello there,
When creating a new entry, it seems that the value of the password field is marked as not protected. This can be best explained by looking at the XML format of a given database.
Consider a newly created password database called testdb.kdbx. It was created using KeepassXC and imported to gnome-passwordsafe. (You can find the full XML dump of the database here: https://pastebin.com/zCLewy7S. I've also attached the database to this issue. The password to decrypt the database is test. testdb.kdbx)
When adding a new entry, the following XML portion is generated for the password field:
<String>
  <Key>Password</Key>
  <Value Protected="False">super_secret_password</Value>
</String>
As you can see, gnome-passwordsafe adds the Protected attribute on the <Value> tag and sets its value to False.
While some desktop clients such as KeepassXC seem to ignore this attribute when importing the database, other clients (such as KeePassium) normally parse the Protected attribute.
This can be problematic since such clients then behave as if the password field is not protected. (In the case of the KeePassium app, the value of the password field is always displayed as plain text.)
In my opinion, gnome-passwordsafe should set the Protected attribute on the Password field to true. Applications like KeepassXC even seem to omit this attribute completely. (Keep in mind that I've only verified this using the export functionality of the keepassxc-cli.)
I'm using Version 3.99.2 btw.
Thanks for your attention, Robin.
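
An added example, not part of the original report or of gnome-passwordsafe's code: a Python check that walks a plaintext XML export like the one linked above and reports how each entry's Password value is flagged, without printing any secret. The String/Key/Value layout follows the fragment in the report; the enclosing Entry element, the Title key, the sample entries and the function names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on the fragment in the report; the entry titles
# and password values are made up for this example.
SAMPLE_XML = """<KeePassFile><Root><Group>
  <Entry>
    <String><Key>Title</Key><Value>written-by-passwordsafe</Value></String>
    <String><Key>Password</Key><Value Protected="False">super_secret_password</Value></String>
  </Entry>
  <Entry>
    <String><Key>Title</Key><Value>marked-protected</Value></String>
    <String><Key>Password</Key><Value Protected="True">another_password</Value></String>
  </Entry>
  <Entry>
    <String><Key>Title</Key><Value>attribute-omitted</Value></String>
    <String><Key>Password</Key><Value>third_password</Value></String>
  </Entry>
</Group></Root></KeePassFile>"""


def classify_password_fields(xml_text):
    """Return [(entry title, 'protected' | 'unprotected' | 'absent'), ...]."""
    results = []
    for entry in ET.fromstring(xml_text).iter("Entry"):
        # Map each <Key> to its <Value> element so attributes stay accessible.
        fields = {s.findtext("Key"): s.find("Value") for s in entry.findall("String")}
        password = fields.get("Password")
        if password is None:
            continue  # entry has no Password field (or no <Value> for it)
        title_el = fields.get("Title")
        title = (title_el.text if title_el is not None else None) or "<untitled>"
        flag = password.get("Protected")
        if flag is None:
            status = "absent"        # attribute omitted entirely
        elif flag.strip().lower() == "true":
            status = "protected"
        else:
            status = "unprotected"   # e.g. Protected="False" as in the report
        results.append((title, status))
    return results


def explicitly_unprotected(xml_text):
    """Titles whose Password value carries an explicit non-true Protected flag."""
    return [t for t, s in classify_password_fields(xml_text) if s == "unprotected"]


if __name__ == "__main__":
    for title, status in classify_password_fields(SAMPLE_XML):
        print(f"{title}: Password Protected attribute is {status}")
```

The check reports an omitted attribute separately from an explicit False, since the report describes clients treating the two cases differently.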