Feature Request - Add "Zotero" to the login page's title tag, please

Hi:

I use a password manager that has the ability to send username and password to an open page. It detects which username and password to send by examining open windows and tabs for certain strings in the page's title tag. Currently, the title tag is:

Login

which is too generic to be of use. Is it reasonable to add "Zotero" to the login page's title tag?

Respectfully,
Greg
  • edited 2 days ago
    I mean, we can add "Zotero" to the login page title just as a general measure, but your password manager should absolutely not be sending a username and password based on the title — that's incredibly insecure. Any site can put anything in the page title. One of the main security benefits of a password manager is that it protects you from phishing by only auto-filling credentials based on the actual domain you're on.

    If your password manager uses the page title, you should use a different password manager.
  • edited 2 days ago
    Hi:

    Thanks for your concern. To be clear, KeePass doesn't activate on page load or anything like that. The process goes like this:

    I load the page.
    Set the focus on the username field.
    Type a specific combination of characters (the KeePass 'hotkey').
    KeePass reacts to the hotkey.
    If there's a match for the page title, it sends keyboard events to the focused field on the page in question, usually something like this: [username string][tab character][password string][enter character]
    If there's no match, and there are similarly titled pages, it displays a list of potential matches.
    Otherwise it does nothing.

    KeePass has another feature that works in a similar way, that pastes the same strings to the currently focused field in the most recently selected window or tab. The difference is that I initiate it from KeePass itself.

    In both cases, I initiate the auto-type feature myself.

    This is super useful because my hundreds of passwords all look like this:
    bS%%mFx%ObSD~2^U\+BY
    Which I don't want to try to type; KeePass can and should be doing that for me.

    Of course, if I fall for a spoofed page, it won't make a difference whether I type my credentials or KeePass does -- I'm owned. However, the damage is minimal since I never repeat passwords.

    I've been using this system for many years, and I've found it to be a good balance of convenience, containment and safety.

    I believe the reason that KeePass doesn't use host name is because browsers (or Firefox anyway) don't expose the host name in the window title, just the window/tab title, which is of course the contents of the title tag. I assume that KeePass is accessing the page via some Windows API via the window title. There are FF plugins that add the host name to the window title, but I would rather not go that route.

    Thanks again for taking this under consideration and for your concern.

    Sincerely,
    Greg

    EDIT: Replaced angle brackets with square brackets.
  • edited yesterday at 3:44am
    > Of course, if I fall for a spoofed page, it won't make a difference whether I type my credentials or KeePass does -- I'm owned. However, the damage is minimal since I never repeat passwords.

    Phishing and password reuse aren't particularly related. If it's your email, or your bank, or whatever, the damage is not minimal, whether or not you reuse passwords. That's why nearly every password manager has a browser extension that only fills credentials based on the URL. It's one of the main protections password managers offer.

    In any case, we could update the title on that page, but it certainly wouldn't be for this reason.
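
The difference between the two matching rules discussed in this thread, as an added example (not code from KeePass, Zotero or any poster). The entry, page titles and hostnames are constructed placeholders, and `title_match` / `origin_match` are hypothetical helpers standing in for "match on window title" and "match on the page's URL".

```python
from urllib.parse import urlsplit

# Constructed credential entry: the title pattern and URL are assumptions.
ENTRY = {"title_pattern": "Zotero", "url": "https://www.zotero.example/login"}

# Constructed open tabs: the real site with a branded title, a look-alike
# host that copies that title, and the real site with the generic title.
PAGES = [
    {"title": "Zotero | Login", "url": "https://www.zotero.example/login"},
    {"title": "Zotero | Login", "url": "https://www.zotero.example.signin.test/login"},
    {"title": "Login", "url": "https://www.zotero.example/login"},
]

DEFAULT_PORTS = {"https": 443, "http": 80}


def title_match(entry, page):
    """Title-based rule: the page author fully controls this string."""
    return entry["title_pattern"].lower() in page["title"].lower()


def origin(url):
    """Return (scheme, host, port), the tuple the browser enforces."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def origin_match(entry, page):
    """URL-based rule: exact origin equality, HTTPS only.

    Comparing the whole host (not a prefix or substring) is what rejects
    a host that merely begins with the stored name.
    """
    stored = origin(entry["url"])
    return stored[0] == "https" and stored == origin(page["url"])


def compare(entry, pages):
    """For each page, report (url, title rule result, origin rule result)."""
    return [(p["url"], title_match(entry, p), origin_match(entry, p)) for p in pages]


if __name__ == "__main__":
    for url, by_title, by_origin in compare(ENTRY, PAGES):
        print(f"{url:50} title={by_title!s:5} origin={by_origin}")
```

The second page passes the title rule and fails the origin rule; the third, with today's generic "Login" title, fails the title rule while the origin rule still matches.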