KeePass Password Safe review

KeePass Password Safe is a free open source password manager for Windows ; ports of the password manager are available for Linux, Mac OS X, Android, iOS, and other systems as well.

The review focuses on the Windows version of KeePass, and here in particular version 2.x as it offers more features.

Passwords are used nearly everywhere on today's Internet and even on local devices; you log in on your devices using a password, pin or other authentication options, and need passwords for nearly any service on the Internet.

Some Internet programs, web browsers for instance, come with password saving functionality. Users may install browser extensions to improve the core functionality and use desktop programs or applications for that as well.

Password managers can be divided into three groups: online, local, or mixed. Online password managers use cloud storage to sync data. LastPass is a typical example of an online service. Local password managers run on the local device and store the data on the device by default and not the cloud.

Mixed password managers support both features and give the user the choice to pick the most suitable option. KeePass falls into the mixed category even though it stores its databases locally by default.

KeePass Password Safe

KeePass comes as a portable version and setup version. You can put the portable version of the software on a USB Flash drive to carry it around with you; the functionality of both versions is identical.

KeePass displays a blank interface when you start it for the first time; this may be a bit confusing to new users as it is not clear directly what you need to do to get started.

The very first thing you need to do is create a new database. The database stores the data such as passwords and other information. It is encrypted and can only be opened from within KeePass or compatible programs.

KeePass can load multiple databases which is a great feature of the program as you may separate data if you use different databases for it.

The creation of a new password database is straightforward but it requires more user interaction and offers more options than the creation of a new account for an online password manager:

• Select the name and location of the password database file on the system.
• Select a master password to protect it.
• Advanced options add keyfile and Windows user account authentication options that you may use instead or in conjunction.
• Customize the database's security preferences: pick an encryption algorithm, set key derivation functions and more (optional)
• Customize other parameters such as the name and color of the database, or template file use (optional).

Most of the preferences that KeePass provides are optional. You only need to select a name, location and master password if you want but if you are an advanced user, you can customize the database to better suite your needs.

KeePass rates the password that you enter and goes beyond the usual "need x characters, at least one number so it is secure" scheme of things. It checks for repeats, known weak passwords and more to make sure the selected password is indeed strong.

If you add a second authentication option to it, keyfile for instance, then you increase the security of the database even further. Attackers need the master password and the keyfile to break the password database successfully.

Tip: you can place the KeePass database in the folder of a cloud syncing provider on the device to use syncing. Vanilla KeePass does not support syncing out of the box, but you can use this workaround or plugins to enable the functionality if you require it.

Once you have created the database you may either use KeePass's import functionality to import data from another password manager or start using the program from scratch.

KeePass supports the import of data from web browsers like Chrome, lots of password managers, and generic password files. Plugins extend the import functionality further and integrate seamlessly in the password manager.

KeePass displays information in two panes when you load a password database in the program. The left displays folders that may hold passwords and the right the passwords of the active folder or search results.

A default database includes several folders that you may use; it may improve how you work with KeePass but it is not required for use. The main pane lists titles, usernames, URLs, notes and hidden passwords by default.

You can interact with any data set right then and there by right-clicking on it and selecting one of the available options. Use context menu items to copy the username, password, or URL, and to perform other operations.

A double-click opens the data so that you may edit it and access additional information that the overview may not provide.

Adding new passwords to KeePass is simple; Select Edit > Add Entry to get started. Fill out any of the fields of the new password dialog, e.g. the title, username, password or URL, and click on the save button.

KeePass supports other forms of data and information that you may save alongside username and password:

• Add file attachments to a database entry.
• Add custom strings and notes.
• Select tags.
• Custom colors.
• Define auto-type behavior.

KeePass includes a password generator that you may use to generate strong unique passwords. You can define the password length and the use of characters, e.g. upper and lower case, special symbols, or numbers, in the password manager.

Advanced options include using custom algorithms or patterns (e.g. create a password with six lower case, six upper case and four numbers), preventing the use of similar looking characters, and limiting the use of characters to one in the password.

Passwords that you generate are saved automatically by KeePass.

KeePass does not integrate in browsers automatically but it supports a global hotkey that works with many different programs. You may use Ctrl-Alt-A to fill out log in information automatically if the window is properly identified by KeePass.

You can even customize auto-type behavior for sites that use non-standard login forms or enable Two-Channel Auto-Type Obfuscation to protect against all current keyloggers.

Plugins are available to integrate KeePass in major browsers such as Safari, Chrome or Firefox. If you don't use these options, you may still use good old copy and paste to sign in to sites on the Internet.

KeePass Security

KeePass supports several encryption standards, AES and Twofish, that are regarded as very secure. It encrypts the entire database and uses SHA-256 to hash the master key components.

It protects passwords even while KeePass is running and makes dictionary and brute-force attacks harder by using key derivation functions.

The password manager features security-enhanced password edit controls that protect the data against programs that try to steal passwords that you enter, and you may enable secure desktop use for entering the master password for protection against keyloggers and many other threats.

Users may combine authentication options. Protecting databases with the master password is the default option, you may combine it with using a keyfile for that extra bit of security.

A security audit of KeePass in 2016 found no serious weaknesses in the implementation.

Tip: Check out our how to improve KeePass security guide for additional security related suggestions.

KeePass Plugins

Plugins extend the functionality of the password manager. Most plugins are compatible with KeePass 2.x only but version 1.x users find some plugins for the version of the password manager as well.

Plugins extend KeePass; you can install plugins that add import options for different password formats, backup and synchronization plugins, plugins that integrate with programs or devices, utilities that add functionality, and more.

Installation of plugins is simple but again not as straightforward as it could be:

1. Download the plugin that you want to use.
2. It is provided as a zip archive that you need to extract on your system.
3. Open KeePass, and select Tools > Plugins > Open Folder; this opens the plugin folder of the password manager.
4. Copy the extracted plugin to the plugins folder of KeePass.
5. Restart KeePass.

The plugin that you moved into the folder is loaded by KeePass and ready for use.

KeePass 1.x versus KeePass 2.x

KeePass is offered in two different versions for Windows; KeePass 2.x and KeePass 1.x which are different versions of the password manager that offer different functionality. In other words, KeePass 2.x is not an update of KeePass 1.x.

KeePass 2.x offers features that version 1.x of the software does not support. You can check out the feature comparison table on the official project website for a list of major difference between both versions.

To name a few: KeePass 2.x supports high DPI and offers full Unicode support; it can be run under Mono, supports additional encryption algorithms, better plugins support, supports secure desktop, better import functionality, scripting and triggering support, options to load password databases via URLs, and more.

KeePass 2.x is based on the Microsoft .Net Framework whereas version 1.x of the password manager is not.

KeePass criticism

The password manager faces three main points of criticism:

• It is not pretty and looks old-fashioned.
• It comes without online sync functionality by default.
• Integration in browsers is not the best.

Missing sync and browser integration functionality can be added using plugins. While that adds another party to the whole process, as many plugins are not created by the developer of KeePass but by users, plugins do add missing options to the program.

You may also place the KeePass database in the sync folder of Google Drive, Dropbox or OneDrive, or any other sync service, to have it synced automatically between devices.

I sign in to lots of sites throughout the day and never found the whole process bothersome, even without the use of plugins or the auto-type functionality.

The interface looks indeed as it ifs from the last century; while some users may dislike the program because of that, I don't really care about the looks of programs provided that the looks don't interfere with usability.

Closing Words and Verdict

KeePass is first and foremost a local password manager for Windows. You can run it on other operating systems using Mono or third-party ports, and extend the program if you require functionality that the vanilla version does not include.

The program was audited and the audit turned out fine for the application; it uses strong security options, especially if you combine the master password with use of a keyfile, and comes with an incredible functionality out of the box.

It is not the most comfortable of programs, especially if you are used to online password managers like LastPass that integrate well in browsers and make things very comfortable for you because of that.

KeePass makes up for that in my opinion with the sheer number of features and options; it is probably the password manager that gives you the most control and that is even without any of the plugins that extend its functionality further.

KeePass important resources

• Plugins for KeePass
• The KeePass FAQ