KeePass Auto-Type guide

The auto-type feature of KeePass allows us to send a sequence of keystrokes to a target window. To auto-fill a form it is not enough to send keystrokes for only the username and password. We will have to send some extra keys like TAB and ENTER as well. KeePass has a default key sequence which works for most input forms. The default sequence is, username, TAB, password and ENTER in that order. Custom key sequences are supported as well.

For auto-type to work, there is a need to match the target window with an entry in the KeePass database. There are two ways to select an entry. Manual selection is one option. The other is to use a global hotkey to trigger auto-type. In this method, KeePass tries to find an entry in the database which matches the currently active window. The hotkey option has some limitations as we will see later, but when it works it is almost as convenient as browser plugins like LastPass.

To take full advantage of the hotkey option you need to learn the window name and custom key sequences options in KeePass. While less important, these features have some usefulness for those who want to go the manual route as well.

Auto-type using manual entry selection

Let us say your currently active window contains a login form. Perform the following steps to log in.

  1. Make the KeePass Window visible. You can use a global hotkey to activate the KeePass window. The hotkey isCTRL+ALT+K by default.
  2. Select the entry you want auto-typed.
  3. Choose the option: Perform Auto-Type from the context menu or use the keyboard shortcut CTRL+V.

KeePass will send the keystrokes to your login form.

KeyPass Entry Menu with perform autotype option selected

There are a couple of points to take note of:-

  1. KeePass doesn’t know which of our windows is the target window. It minimizes itself when we choose auto-type. Then it sends the keystrokes to whichever window is active at that point. It is our responsibility to make sure that this window is the target window.
  2. Before opening the KeePass window,  we have to select the first input box in the page. Usually, this is the username field. Most of the time this happens automatically when you load a page.

Auto-type using the global hotkey

KeePass auto-type can be triggered using a global hotkey. A global hotkey is a system-wide hotkey. It works regardless of which window is currently active. Open the target window, select its first input box and press the global hotkey. This is  CTRL+ALT+A by default. KeePass would attempt to match the current window with an entry in the KeePass database. If it finds a match, It would send the keystrokes needed to the currently active window. The default hotkey might not work if it conflicts with an existing hotkey. You can change the default hotkey by going to Tools➾Options➾Integration.

How does KeyPass find matching entries

The hotkey option has some limitations. KeePass does not have reliable access to internal GUI elements of external windows. For example, it cannot reliably access the address field of a web browser. It does have reliable access to window titles. That is what KeePass uses to identify windows. Window titles are not as good as URLs for matching since they may be somewhat generic. However, most webpages do use the name of the site in the title of their pages. For example, the title of the Amazon sign in page is just that Amazon Sign In.

Let us look at the other side of the equation. KeePass knows the title of the active window. Now it needs to decide which of the KeePass database entries should be used. Since URL matching is out of the question, entry titles are used instead. KeePass takes the title of each of the entries in the database and tries to match each of them with the window title.

If you have specified additional window names in the entry, they too will be used for matching. The topic of additional window names is discussed in the next section.

Matching Rules

A perfect match is not required. If the title of the entry appears somewhere in the title of the window, it is considered a successful match. For example, if the title of the entry is Amazon, it will match the Amazon Sign In window mentioned above. But if the title of the entry is Amazon UK, the match would fail. Choose entry titles with care if you plan to use auto-type. If KeePass finds more than one suitable entry, it displays a window asking you to choose.

Auto-type Entry Selection

Window name, key sequence pairs

As we have seen before, entry titles help KeePass in matching the entries with windows. But this is rather restrictive. What happens if the window has a generic name like login? What if a website has a multi-page login system? We don’t have to rely on titles alone for entry identification. KeePass has the option of adding window titles to an entry. Each of these windows can have its own custom key sequence as well. The Add window name option is available in the Auto-Type tab of the Edit Entry window.

KeePass Auto-Type settings

Click on the Add button to add Window-Sequence pairs.

Window for adding window-sequence pairs

Matching Rules

The matching rules are different for window title matching. There must be a perfect match between the window titles. That is, between the one we specify here and the actual title of the target window. For example, the string “Amazon Sign In” will not match the window title “Amazon Sign In – Google Chrome”. KeePass supports wild cards to make such matching possible. The wildcard asterisk character will match any string including an empty string. If we specify “Amazon Sign In*” as the window title it will match “Amazon Sign In – Google Chrome”, “Amazon Sign In – Firefox”, “Amazon Sign In”, etc.

Regular Expressions

KeePass also supports the use of regular expressions. Enclose the string using double forward slashes (//) to tell KeePass to interpret the string as a regular expression. For example the regular expression pattern //Amazon Sign In.*// matches the Amazon Sign In windows mentioned above. Regular expressions are very powerful once you learn to use them. They are overkill for a simple case like this though.

We also have the option to add different key sequences to each window title. Custom key sequences are discussed in detail in the next section.

Two-channel Auto-Type obfuscation

Another option that is available in the Auto-Type tab is Two-channel Auto-Type obfuscation. By default, KeePass sends simulated keypresses to the target window. If Two-channel Auto-Type obfuscation is enabled, it uses a combination of keypresses and copy-paste instead. Some of the characters are sent using key presses, the remaining ones are sent using copy and paste. This is better for security so it is probably better to turn this option on, but do remember that it does not work on all windows.

The problem of duplicates

Adding window names to the entry can help with windows with generic names like login, but there are a couple of issues to be aware of. It is possible that more than one site has such generic page titles. This leads to duplicate window names in the database. KeePass shows a selection window if it hits duplicates during a search. The required entry will have to be selected manually from this selection box.

There is also the risk of sending the wrong credentials if we are not careful. An entry with a generic window name is an entry which can match a lot of windows. Once we create one of those, we need to be careful with all the windows with that name. Before invoking auto-type on a window with a generic title, we have to be sure that there is an entry matching the window in the database. Otherwise, KeePass may choose the entry for another window instead.

Custom keystroke sequences

Certain windows require custom keystroke sequences to be defined. Take a look at the login screen of Skype.

Skype Login

The first screen asks for only the username. We need to get past this screen first, before entering the password. One option we have is to make separate window name entries for each screen. Or we could get more adventurous and try to do it with a single custom keystroke sequence. Either way, we need to customize the keystroke sequence.

Using a single key sequence

Let us look at the single sequence option first. The sequence {USERNAME}{ENTER} will get you past the first screen. But if this is followed immediately by {PASSWORD}{ENTER}, the sequence might fail. This is because there might be a slight delay before the password screen appear. We might end up sending keystrokes to a window which is not yet ready to accept input. KeePass has a special placeholder {DELAY milliseconds} that delays keystrokes; which is handy for this situation. Put the delay in the middle of the sequence like so, {USERNAME}{ENTER}{DELAY 1000}{PASSWORD}{ENTER}. This will make KeePass wait 1000 milliseconds before sending the password. The delay value will have to be adjusted depending on the window in question.

Override default sequence

Using two key sequences

Let us look at the double window name option. I have added a {USERNAME}{ENTER} key sequence and a {PASSWORD}{ENTER} key sequence as shown below. I had to use Skype as the window title for both, as the title does not change in the actual Skype window.

Multiple Window - Sequences

KeePass showed the following selection window when the auto-type hotkey was pressed.

Auto-type Entry Selection

As you can see it worked, but there is a slight problem. We had added only two sequences, KeePass is showing us three. Note that the extra key sequence is the default one. This happens because KeePass is trying to match the title of the entry as well, along with the two window titles which we added. The title of the entry was also Skype.  We can get around this little problem by changing the entry title; for example to something like Skype Windows 10. Or we could delete one of the key sequences and pair it with the entry title as shown below.

Edit Entry - Auto-Type tab

What about those pesky windows which ask you to enter a captcha just to sign-in? The captcha has to be entered manually, but the rest can be handled with a custom key sequence. An extra {TAB} in the key sequence can be used to skip over the captcha field. Enter the captcha first, then move to the first field and press the auto-type hotkey.

Alternatives

Not convinced that auto-type is the right solution for you? Here is a very brief look at some of the plugin based alternatives. These tend to be more convenient but may not be as secure as pure KeePass. The main idea behind the alternatives is to access the address field of the browser somehow or other. This allows for more accurate matching and the need for configuring KeePass entries is minimized.

KeePass plugin, Browser plugin combos

This may be the most convenient option once you set it up. It involves installing plugins which can interact with each other in both the Browser and KeePass. The browser plugin has access to the URL of the current page. This URL is sent to the KeePass plugin, which can then pinpoint matching entries, using the URL field of the KeePass entry.

One drawback of such plugins is that even popular plugins often get abandoned. At the time of writing this article, there are no well-established plugins available. Actively developed plugins are fairly new. Kee plugin created by the same guy who created Keefox seems to be the most promising one. It is available for both Firefox and Chrome. KeePass Tusk for chrome also seems to be quite popular.

KeePassXC

KeePassXC is a cross-platform port of KeePass. It supports the KeePass database format and ships with browser plugins. So there is no need to hunt for third-party plugins. On Linux, KeePassXC is supposed to work better than KeePass.

WebAutoType Plugin

The WebAuto Type plugin takes a different approach; it is a KeePass only plugin without a browser counterpart. It enhances auto-type but does not replace it. I mentioned earlier that external applications like KeePass do not have reliable access to the address field of a browser. External applications may be able to access the address field using accessibility tools; this requires accessibility features to be enabled in the browser. At the moment it works reliably with Firefox. Chrome works only if started with the switch –force-renderer-accessibility.

Here is how WebAuto Type plugin works. When the user presses the auto-type hotkey, WebAuto Type plugin attempts to access the URL from the browser. If it succeeds it does a URL match. If it fails, it hands control to KeePass; which does its usual window title matching.

You are not restricted to just the one URL from the main entry tab. WebAuto Type adds an option to add more URLs to your entry. This works similar to the additional window name option described earlier.Edit Auto Type with WebAuto Type installed

Browser plugins to add URL to the window title

This is perhaps the most interesting approach. There are browser plugins which add the URL of the current page to the window title. Once this is done, window title matching becomes as good as URL matching. Some such plugins can be found here.

Leave a Comment

Your email address will not be published. Required fields are marked *