Change Security/LockDatabaseIdle default to true #12689
Codecov Report: All modified and coverable lines are covered by tests.

Coverage diff (develop vs. #12689):

              develop    #12689     +/-
  Coverage     64.38%    64.42%   +0.04%
  Files           378       378
  Lines         39823     39823
  Hits          25638     25652      +14
  Misses        14185     14171      -14
Addendum to #12689 The previous default of 240 seconds was too low. If we enable the lock timeout by default, we should also set a more lenient default timeout by default.
"By default" sounds OK, but when I have an existing database set not to lock out, the value of false is no longer, or not necessarily, a default setting.
Certainly the downside to defaults. This setting was changed since it is a common criticism in security audit findings we have received that it is not on by default. It's a double-edged sword.
Release 2.7.11 (2025-11-23)
- Add image, HTML, Markdown preview, and text editing support to inline attachment viewer [keepassxreboot#12085, keepassxreboot#12244, keepassxreboot#12654]
- Add database merge confirmation dialog [keepassxreboot#10173]
- Add option to auto-generate a password for new entries [keepassxreboot#12593]
- Add support for group sync in KeeShare [keepassxreboot#11593]
- Add {UUID} placeholder for use in references [keepassxreboot#12511]
- Add “Wait for Enter” search option [keepassxreboot#12263]
- Add keyboard shortcut to “Jump to Group” from search results [keepassxreboot#12225]
- Add predefined search for TOTP entries [keepassxreboot#12199]
- Add confirmation when closing database via ESC key [keepassxreboot#11963]
- Add support for escaping placeholder expressions [keepassxreboot#11904]
- Reduce tab indentation width in notes fields [keepassxreboot#11919]
- Cap default Argon2 parallelism when creating a new database [keepassxreboot#11853]
- Database lock after inactivity now enabled by default and set to 900 seconds [keepassxreboot#12689, keepassxreboot#12609]
- Copying TOTP now opens setup dialog if none is configured for entry [keepassxreboot#12584]
- Make double click action configurable [keepassxreboot#12322]
- Remove unused “Last Accessed” from GUI [keepassxreboot#12602]
- Auto-Type: Add more granular confirmation settings [keepassxreboot#12370]
- Auto-Type: Add URL typing preset and add copy options to menu [keepassxreboot#12341]
- Browser: Do not allow sites automatically if entry added from browser extension [keepassxreboot#12413]
- Browser: Add options to restrict exposed groups [keepassxreboot#9852, keepassxreboot#12119]
- Bitwarden Import: Add support for timestamps and password history [keepassxreboot#12588]
- macOS: Add Liquid Glass icon [keepassxreboot#12642]
- macOS: Remove theme-based menubar icon toggle [keepassxreboot#12685]
- macOS: Add Window and Help menus [keepassxreboot#12357]
- Windows: Add option to add KeePassXC to PATH during installation [keepassxreboot#12171]
- Fix window geometry not being restored properly when KeePassXC starts in tray [keepassxreboot#12683]
- Fix potential database truncation when using direct write save method with YubiKeys [keepassxreboot#11841]
- Fix issue with database backup saving [keepassxreboot#11874]
- Fix UI lockups during startup with multiple tabs [keepassxreboot#12053]
- Fix keyboard shortcuts when menubar is hidden [keepassxreboot#12431]
- Fix clipboard being cleared on exit even if no password was copied [keepassxreboot#12603]
- Fix single-instance detection when username contains invalid filename characters [keepassxreboot#12559]
- Fix “Search Wait for Enter” setting not being saved [keepassxreboot#12614]
- Fix hotkey accelerators not being escaped properly on database tabs [keepassxreboot#12630]
- Fix confusing error if user cancels out of key file edit dialog [keepassxreboot#12639]
- Fix issues with saved searches and “Press Enter to Search” option [keepassxreboot#12314]
- Fix URL wildcard matching [keepassxreboot#12257]
- Fix TOTP visibility on unlock and settings change [keepassxreboot#12220]
- Fix KeeShare entries with reference attributes not updating [keepassxreboot#11809]
- Fix sort order not being maintained when toggling filters in database reports [keepassxreboot#11849]
- Fix several UI font and layout issues [keepassxreboot#11967, keepassxreboot#12102]
- Prevent mouse wheel scroll on edit username field [keepassxreboot#12398]
- Improve base translation consistency [keepassxreboot#12432]
- Improve inactivity timer [keepassxreboot#12246]
- Documentation improvements [keepassxreboot#12373, keepassxreboot#12506]
- Browser: Fix ordering of clientDataJSON in Passkey response object [keepassxreboot#12120]
- Browser: Fix URL matching for additional URLs [keepassxreboot#12196]
- Browser: Fix group settings inheritance [keepassxreboot#12368]
- Browser: Allow read-only native messaging config files [keepassxreboot#12236]
- Browser: Optimise entry iteration in browser access control dialog [keepassxreboot#11817]
- Browser: Fix “Do not ask permission for HTTP Basic Auth” option [keepassxreboot#11871]
- Browser: Fix native messaging path for Tor Browser launcher on Linux [keepassxreboot#12005]
- Auto-Type: Fix empty window behaviour [keepassxreboot#12622]
- Auto-Type: Take delays into account when typing TOTP [keepassxreboot#12691]
- SSH Agent: Fix out-of-memory crash with malformed SSH keys [keepassxreboot#12606]
- CSV Import: Fix modified and creation time import [keepassxreboot#12379]
- CSV Import: Fix duplication of root groups on import [keepassxreboot#12240]
- Proton Pass Import: Fix email addresses not being imported when no username set [keepassxreboot#11888]
- macOS: Fix secure input getting stuck [keepassxreboot#11928]
- Windows: Prevent launch as SYSTEM user from MSI installer [keepassxreboot#12705]
- Windows: Remove broken check for MSVC Redistributable from MSI installer [keepassxreboot#11950]
- Linux: Fix startup delay due to StartupNotify setting in desktop file [keepassxreboot#12306]
- Linux: Fix memory initialisation when --pw-stdin is used with a pipe [keepassxreboot#12050]
With this change, you are forcing people to always have to re-unlock their password databases even when they want to use just a single password item from them. Originally, keepassxc would lock with the screen saver turning on, and it was considered secure enough. Now, even to log in to sites (which, guess what, I have to sometimes do), I will have to re-enter my master password, the one I made intentionally difficult. This is unacceptable. The "security experts" might think this is a good thing, but from a usability standpoint it's a disaster. Thanks for making me extra work with having to turn this explicitly off for everyone I advertised and set up keepassxc for, as they too will experience the effect of this "super-secure" change.
I'm sure the 1 second it takes to uncheck the box in the settings (if desired) won't ruin too many lives. Defaults suck no matter what; if this was enabled by default and we then disabled it by default, someone else would be here bitching about that too.
You are implying users are "power users" and willing to always look into their settings when such a usability disaster happens. They will just complain to someone else who has it figured out (and is their go-to person in matters like this), and thus create extra work for them turning it off. In this case that's me. You might consider it "bitching" but I'm pretty sure you wouldn't be too happy either if that person was you.
Like all things this will pass and everyone will forget it ever happened (because now it is the default). Best to just zen out, you aren't alone in demand for tech help... |
We prefer to be secure by default. This applies to the browser extension as well. If some users prefer convenience and easier user experience, they are free to configure the application so. We cannot please everyone, and lowering the security preferences is not an optimal goal. I hope you understand this.
Changes the default value of the Security/LockDatabaseIdle setting to true.
This came up during a BSI security assessment, and I don't see why this shouldn't be true by default.
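The kind of check an assessor would run against an installed configuration, as an added example that is not KeePassXC's own code: it reads the `[Security]` section of a keepassxc.ini, applies the defaults this PR and its addendum establish (idle lock on, 900 seconds) when a key is absent, and reports the two findings the thread discusses. The sample INI texts are constructed; `LockDatabaseIdleSeconds` as the companion key name is an assumption.

```python
import configparser

# Defaults after this PR (#12689) and its addendum: idle lock enabled, 900 s.
DEFAULT_LOCK_IDLE = True
DEFAULT_IDLE_SECONDS = 900

# Constructed keepassxc.ini fragments. Security/LockDatabaseIdle is the key this
# PR changes; the LockDatabaseIdleSeconds key name is an assumption.
SAMPLE_OLD_DEFAULT = """\
[Security]
LockDatabaseIdle=false
LockDatabaseIdleSeconds=240
"""

SAMPLE_NEW_DEFAULT = """\
[Security]
LockDatabaseIdle=true
LockDatabaseIdleSeconds=900
"""


def parse_security(ini_text):
    """Return (lock_idle, idle_seconds), filling absent keys with the new defaults
    the way a fresh install would behave after this change."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section("Security"):
        return DEFAULT_LOCK_IDLE, DEFAULT_IDLE_SECONDS
    sec = cp["Security"]
    lock_idle = sec.getboolean("LockDatabaseIdle", fallback=DEFAULT_LOCK_IDLE)
    seconds = sec.getint("LockDatabaseIdleSeconds", fallback=DEFAULT_IDLE_SECONDS)
    return lock_idle, seconds


def audit(ini_text, max_seconds=DEFAULT_IDLE_SECONDS):
    """Audit-style findings: idle lock disabled entirely, or a timeout more
    lenient than max_seconds (the shipped default by default)."""
    lock_idle, seconds = parse_security(ini_text)
    findings = []
    if not lock_idle:
        findings.append("Security/LockDatabaseIdle is false: database never locks on inactivity")
    elif seconds > max_seconds:
        findings.append(f"Security/LockDatabaseIdleSeconds={seconds} exceeds {max_seconds}")
    return findings


if __name__ == "__main__":
    for name, text in (("old default", SAMPLE_OLD_DEFAULT), ("new default", SAMPLE_NEW_DEFAULT)):
        print(name, "->", audit(text) or "no findings")
```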