KeePass for multi-page forms and shared domain accounts

I started using KeePass this week, after watching a DEFCON video on keyloggers and after a Computerphile reverse-engineering discussion of the WannaCry attack last week made me aware of how powerful AES encryption can be.

Background aside, as soon as I started using KeePass I ran into two significant drawbacks with browser integration. After a while fiddling with the settings, I managed to make it work perfectly. Here are the two issues I ran into and how I tackled them.

MULTI-PAGE LOGIN FORMS

The first one is multi-page login forms. Most email providers (Gmail, Outlook, Yahoo) nowadays have this extra layer of security. Multi-page login forms ask the user to enter the username / email address on one page, click the “Next” button, then enter the password on a different page. This method prevents simple bot scripts and tells the user if they got the username wrong (no more guessing which one is wrong now).

Multi-page login is the bane of password managers like KeePass and LastPass. The traditional approach in KeePass is to open the KeePass window, select the entry and press Ctrl+V manually. KeePass types into whichever field the pointer has selected and fills in the blank accordingly. It is hardly convenient though.

Luckily, in KeePass, there’s a way to automate all this without any plug-in. The software allows custom Auto-Type sequences and supports quite a number of operations that let the user construct a complete pipeline. Simply open the Edit Entry dialog, choose the Auto-Type tab, tick “Override default sequence” and copy and paste the script below:

{CLEARFIELD}{USERNAME}{ENTER}{DELAY 2000}{PASSWORD}{ENTER}

Save the entry and you’re done.

The next time you have to log in to Gmail, simply select the text field, press Ctrl+Alt+A and watch the magic happen. The script will clear the text field (if not empty), type your username, press Enter, wait 2 seconds for the password page to load, type your password and then log in. Everything is done automatically.

SHARED DOMAIN ACCOUNTS

Okay, that’s one neat thing. The next problem occurs when you have more than one email account. This is not a problem in LastPass but it is in KeePass. KeePass matches the title of your browser window. It does not read the URL in the address bar. If you look around, there are plugins that show the URL in the window title, but it is not exactly the most elegant solution out there.

KeePass has a neat entry selection window for forms that match multiple entries. While you cannot create two entries with the same title, you can create custom sequences that target the same window for different entries. Go to the Auto-Type tab again, click the Add button and select your login form window from the Target Window drop-down list. If you can’t find the right window in the list, exit that menu, make sure the form is open and try the same steps again.

You can use this in combination with the other trick to make multiple accounts work for the same multi-page login service.
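To make the two tricks concrete, here is an added Python model (not KeePass code, written for this post) that tokenizes the auto-type sequence above, replays it against a simulated two-page form to show why the {DELAY 2000} matters, and picks out which entries match a window title with the “*” wildcard KeePass accepts in target-window associations. The entry names, the Gmail window titles and the page-load time are constructed sample values.

```python
import fnmatch
import re

# Constructed sample vault: two accounts on the same multi-page login service.
ENTRIES = [
    {"title": "Gmail work", "username": "alice@example.com", "password": "pw-work",
     "windows": ["Gmail*", "Sign in - Google Accounts*"]},
    {"title": "Gmail personal", "username": "alice.home@example.com", "password": "pw-home",
     "windows": ["Gmail*", "Sign in - Google Accounts*"]},
]
SEQUENCE = "{CLEARFIELD}{USERNAME}{ENTER}{DELAY 2000}{PASSWORD}{ENTER}"
TOKEN = re.compile(r"\{([A-Z]+)(?: (\d+))?\}|([^{]+)")  # {NAME} or {NAME <n>}, else literal text

def matching_entries(window_title, entries):
    """Entries whose target-window pattern matches the title (case-insensitive, '*' wildcard)."""
    title = window_title.lower()
    return [e for e in entries if any(fnmatch.fnmatchcase(title, p.lower()) for p in e["windows"])]

def parse_sequence(seq):
    """Tokenize an auto-type sequence into (command, argument) pairs."""
    actions = []
    for cmd, arg, text in TOKEN.findall(seq):
        if text:
            actions.append(("TEXT", text))
        elif cmd == "DELAY":
            actions.append(("DELAY", int(arg)))
        else:
            actions.append((cmd, None))
    return actions

def simulate(seq, entry, page_load_ms):
    """Replay against a two-page form whose password page appears page_load_ms after ENTER."""
    clock, page, ready_at = 0, 1, None
    fields = {1: "stale text", 2: ""}        # page 1 starts with leftover text
    for cmd, arg in parse_sequence(seq):
        if ready_at is not None and clock >= ready_at:
            page, ready_at = 2, None         # password page has finished loading
        if cmd == "CLEARFIELD":
            fields[page] = ""
        elif cmd == "USERNAME":
            fields[page] += entry["username"]
        elif cmd == "PASSWORD":
            fields[page] += entry["password"]
        elif cmd == "TEXT":
            fields[page] += arg
        elif cmd == "DELAY":
            clock += arg
        elif cmd == "ENTER" and page == 1 and ready_at is None:
            ready_at = clock + page_load_ms  # username submitted, page 2 starts loading
    return fields
```

With the delay shorter than the page load (or missing), the password lands in the username field of page 1, which is the failure you see when the password page is slow to appear.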


The bots of Twitter

I hate social networks! I hate their invasive policies! Can I have some privacy on the Internet? Goddammit people! Rule number five of the Internet: We do not forgive, we do not forget.

That’s right. No data on the Internet is safe from scrutiny. No mistake is ever forgiven. Everything is indexed, cached, stored several times over by numerous parties. I can name three off the top of my head: the Wayback Machine, Google cache and the NSA. Technological advancement makes it cheaper to keep data than to delete it. And people still wonder why it’s good practice to consciously limit the amount of personal and identifiable information they submit to the web.

Phone numbers are lucrative targets

A phone number is not something I would carelessly disclose. It’s a direct line of communication to my real-life self. It’s a 2FA authenticator for my key services. It’s linked to countless cloud accounts and cloud storage. And it’s something I need to call my bank and approve large outgoing transactions. As far as network security nowadays is concerned, the risk has shifted from passwords and PIN codes to a physical “key”, a smart device, and more specifically: the phone number.

Real-life hackers don’t sit in basements running Bash scripts. They scrape the net for personal information and connected accounts. As soon as a profile of the target has been created, they will call the target’s cellphone provider, impersonating the victim and requesting a lockdown of the number with the information they acquired. Now if they’re nefarious and have sufficient information, they can even attempt to claim the victim’s phone number. Oh trust me, the claiming process is as simple as providing the latest 5 outgoing calls. No ID is necessary.

By the time the victim can prove he’s the legitimate owner of the phone number and get it back, boo hoo, the associated online accounts would all be gone. Knowing where the security risk lies and actively keeping the key hidden and in check is the only effective protection.

There’s a notion in cryptography called “perfect secrecy”. Watch the game in the video. The box is Twitter, the locks are the encryption promised by it and the chosen card is the phone number. Putting my card in the box decreases the security level of the card, and I’m not going to do that unless I’m promised an equivalent benefit for the risk I’m taking.

And in case any of you are wondering, I’m against using temporary phone numbers on long-term accounts. It’s the same as throwing the key away and hoping it won’t be needed ever again. As for keeping it tucked in a shoebox somewhere, that’s still a bad idea because it’ll end up flagged as inactive by the mobile provider after a few months and I won’t be able to remember to maintain its activity.

My brief history with social networks

So back to Twitter, almost two years ago, when Facebook locked my account for refusing to disclose my real name, I gave Twitter a try. At the time, Twitter required a phone number to complete the registration. I refused to give up my contact number and created this WordPress blog instead.

A few hours ago, I checked back on Twitter’s policies again. Things had been too calm these days, with KanColle Wikia Chat now on saving throws and EGScan’s Noblesse forum practically dead. Hence, I have been looking for ways to get back into the social network game. Twitter appears as a silver lining in this increasingly invasive cyber world and I’m willing to give the hummingbird a second chance.

Twitter’s account locking shenanigans

I got through the sign-up smoothly with my email address. There’s now a “Skip” button under the “add your phone number” step. How nice of them! And then everything took a turn for the worse. To my dismay, my newly created account was immediately suspended! The reason given was:

“Your account appears to have exhibited automated behavior that violates the Twitter Rules: https://support.twitter.com/articles/18311.”

Automated behavior? I didn’t even see a captcha during the sign-up.

Oh you know the drill, I’m not going to give up that easily!

I went ahead and sent a support ticket to Twitter, telling them that I would not give up my phone number or pay their call fee and that neither their Terms of Service nor the Twitter Rules said anything about a phone number being mandatory (in fact, in the Terms of Service, in the “Using the Services” section, under the “Your account” subsection, the statement “If you added your phone number to your account…” implies a phone number is optional), and urged them to unlock my new account.

Soon afterwards, I got a mail notification from Twitter Support: an automated, boilerplate response echoing the same account-locked notice from before. At the end of the mail, the mail bot told me that I could reply to the message for further assistance.

Alright, let’s get human support through this channel.

I sent a reply with the same content as before, plus a request for a human support staff member.

Two hours later, I got a positive reply. And I didn’t get just one, I got FOUR of them, one minute apart between each email:

I cracked up at the irony. An automated anti-spam bot accuses me of being a spam bot, and then when I call for support, they send a spam bot to support me. Well, I got my account unlocked, that’s the end of it, right?

Wrong, dead wrong!

I logged in to my account for the first time ever, confirmed the email and uploaded the avatar. As soon as I tried to update the biography, I got locked out of my account for the same reason again! I checked the clock. It had been exactly 10 minutes, to the minute, since they sent me the first unlock email. This was another automated suspension!

#Not A Bot

Mildly ticked off at this point, I looked for a solution and found the #NotABot hashtag. Apparently, I’m not alone. The issue with Twitter’s automated banning system is a long-standing and widespread one. Users have been admirably creative when it comes to avoiding account locks:

These are just sad, sad tweets to read. It dawned on me how serious the botting issue had been on Twitter. I’m not surprised though. This social network is the place where the devil spawn Tay arose, after all. Its trolls and its inherently bot-friendly nature are a recipe for disaster.

Needless to say, I could tell from the email pattern that the Twitter Support bot would unlock an account suspended in this manner within 1 hour and 55 minutes (give or take 1 minute) after a reply to the first email and continue to spam a few more “Your account is now unlocked” emails. Then my account would be locked again after exactly 10 minutes if I logged in and didn’t post my first tweet (with typos to prove that I’m #NotABot).

I’m not going to jump through hoops to engage in a social network. I have my fair share of the internet over at KanColle Wikia, with trolls, spam bots and the VSTF (Volunteer Spam Task Force) IP-range blocking our staff members by accident. I called it quits and deactivated my Twitter account during my second grace period.

And that concludes my adventure with Twitter. I know this is not entirely the platform’s fault, but this is the end. Farewell, mockingbird. May fate be kinder to us in a parallel dimension.

Rest in peace @fujihita (4 hours old).