Question About KeePass Autofill (NOT extension) and Privacy on Mullvad Browser

I recently switched from Bitwarden to KeePass paired with Syncthing, and the setup is working smoothly. However, I have some lingering concerns about privacy, specifically regarding KeePass’ autofill functionality when used with Mullvad Browser.

I understand that browser extensions can be fingerprintable since they often modify the DOM. But what about KeePass’ native autofill? From what I can tell, it operates more like a macro, simulating keystrokes to input the username, password, and hit Enter, without altering the page’s DOM. This leads me to believe it might be less detectable.

Is this assumption correct? Could native autofill still introduce fingerprinting risks through other means (e.g., timing patterns, event behaviors)? Or does Mullvad Browser’s anti-fingerprinting protections effectively mitigate these concerns?

You should not be installing any extensions on the Mullvad Browser. It’s not how you’re meant to use it and it does mess with its anti-fingerprinting.

Also, KeePass autofill has always been iffy and does not work and has never been worth it to make it work. Simply copy pasting manually is easier and faster.

Take this with a grain of salt, but I believe this is still fingerprintable.

The way you type, which can involve your WPM, how long you hold down keys for, your typing rhythm, are all fingerprintable on their own (note that this is distinct from stylometry). Given that and the fact that KeePass autofill is exactly identical every time you do it, it is possible that it can be fingerprinted.

Yes, I understand that extensions can be fingerprintable on Mullvad Browser, but not every extension poses the same risk. From what I’ve gathered in previous discussions on this site, extensions that modify the DOM or network requests themselves are the primary fingerprinting vectors, as I noted earlier:

I understand that browser extensions can be fingerprintable since they often modify the DOM.


It’s working fine for me, but that’s not the point of this discussion. I’m specifically asking whether the native KeePass autofill (not the browser extension) introduces fingerprinting risks. To be honest, I’m not sure how the reliability of autofill relates to the fingerprinting question we’re trying to resolve.

Could we refocus on the core issue: Is native KeePass autofill fingerprintable when used with Mullvad Browser?

Thanks for weighing in. I appreciate the distinction you’re drawing between typing behavior (WPM, key hold duration, rhythm) and the autofill mechanism itself. Those are indeed separate concerns.

You mentioned that KeePass autofill is “exactly identical every time”; that’s an interesting point. But I’m wondering: does that consistency actually create a fingerprintable signature, or is it simply indistinguishable from normal human input at the browser level?

Regarding that, I still want to know if the native autofill action (the actual keystroke injection or form-filling process) leaves detectable traces that differ from manual input.

What I meant was that it’s a deterministic algorithm. It’s exactly the same every time you use autofill, and I presume the exact same every time anyone uses autofill. I don’t think KeePass itself changes how it injects keystrokes between any two logins. Thus, those typing patterns I mentioned would be the same across all users who use it and all times you use it.

Therefore, any site fingerprinting based on typing patterns would likely notice that it’s different from how you regularly type, and perhaps that it’s computerized. Which personally would not be as concerning to me as the initial “fingerprinting how you type” part.
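
The reasoning in the post above, as an added example that is not part of the thread and not KeePass code: key hold times and gaps between key presses can be summarised from keydown/keyup timestamps, and perfectly regular input stands apart from hand typing. The function names, the sample timings and the 0.05 threshold are constructed assumptions, not measurements of KeePass Auto-Type or of any browser.

```javascript
// Added example. All timings are constructed; none were measured from KeePass.
function stats(xs) {
  if (xs.length === 0) return { n: 0, mean: 0, cv: 0 };
  const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
  const variance = xs.reduce((a, b) => a + (b - mean) ** 2, 0) / xs.length;
  // Coefficient of variation: spread relative to the mean (0 = perfectly regular).
  return { n: xs.length, mean, cv: mean === 0 ? 0 : Math.sqrt(variance) / mean };
}

// events: [{ type: 'keydown' | 'keyup', key, t }] with t in milliseconds,
// shaped like what a page's own keydown/keyup listeners would record.
function timingProfile(events) {
  const pending = new Map(); // key -> time of its unmatched keydown
  const dwell = [];          // how long each key was held
  const flight = [];         // gap between consecutive keydowns
  let lastDown = null;
  for (const e of events) {
    if (e.type === 'keydown') {
      if (lastDown !== null) flight.push(e.t - lastDown);
      lastDown = e.t;
      pending.set(e.key, e.t);
    } else if (e.type === 'keyup' && pending.has(e.key)) {
      dwell.push(e.t - pending.get(e.key));
      pending.delete(e.key);
    }
  }
  return { dwell: stats(dwell), flight: stats(flight) };
}

// Hypothetical rule: call input machine-regular when both spreads are tiny.
function looksScripted(profile, maxCv = 0.05) {
  return profile.flight.n >= 3 &&
    profile.dwell.cv <= maxCv && profile.flight.cv <= maxCv;
}

// Build events from [key, keydown time, hold time] rows (constructed samples).
const toEvents = (rows) => rows.flatMap(([key, down, hold]) => [
  { type: 'keydown', key, t: down },
  { type: 'keyup', key, t: down + hold },
]);
const scriptedSample = toEvents(
  [...'hunter'].map((key, i) => [key, i * 10, 2]));
const humanSample = toEvents([
  ['h', 0, 95], ['u', 180, 110], ['n', 410, 80],
  ['t', 560, 130], ['e', 830, 90], ['r', 1010, 105]]);

console.log('scripted:', looksScripted(timingProfile(scriptedSample)));
console.log('human:   ', looksScripted(timingProfile(humanSample)));
```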

What do you mean by native autofill? Do you mean Auto-Type?

Since you are logging in already, why are you worried about being fingerprinted?


You can log into a site for many reasons without using identifiable information (you might use an alias, a random username, or a pseudonym, and sometimes that login might be the only time you ever access that site).

However, even with anonymous credentials, sites can still track you through browser fingerprinting, collecting data about your browser and device configuration (screen resolution, installed fonts, browser version, GPU capabilities, timezone, etc.) to create a unique digital signature.

If you’re not protected against fingerprinting, those sites can link your anonymous identity to your real identity across different sessions and websites (even if you never logged in again). That’s why I asked about the KeePass situation, because the concern isn’t just about what credentials you use, but whether your device itself can be uniquely identified.


Just for your information, I have tested the Mullvad Browser + ProtonPass extension with the EFF tracker and the results with fingerprinting were the same as with no extension.