How to improve KeePass security

Martin Brinkmann
Jul 14, 2015
Updated • Feb 20, 2019
Security
|
6

KeePass is my password manager of choice as it ships with everything I require and uses a local database to store passwords instead of an online one.

The program is regularly updated and can be extended through plugins, for instance to improve web browser integration or the importing of passwords from files.

You need to enter a master password or use other authentication means to access the database which protects it from unauthorized access.

KeePass ships with security settings, off by default, to improve the security of the application further, for instance by locking the database after a certain inactivity period.

The following guide lists important security-related preferences of KeePass that improve the program's security.

All options are found in the program preferences:

  1. Start KeePass and select Tools > Options from the menu.
  2. Switch to the Security tab.

KeePass Security settings

Locking the workspace automatically

You find several preferences under security that lock the KeePass database when conditions trigger. You may enable all of these options or only those that you require.

Generally speaking, it is a good idea to lock the database automatically on certain events, e.g. on inactivity. Note that you can use the shortcut Ctrl-l to look the KeePass database manually at any time while the program window is active.

  • Lock workspace after KeePass inactivity
  • Lock workspace after global user inactivity
  • Lock workspace when minimizing main window
  • Lock workspace when locking the computer or switching the user
  • Lock workspace when the computer is about to be suspended
  • Lock workspace when the remote control mode changes.

You need to enter the master password again when the application locks the database automatically. On my system for instance, I have configured all locking preferences for added security. While this may be inconvenient at times, as I need to enter the master password again when I need to access stored information, it improves security of the program and is therefore recommended.

Tip: Check "Always exit instead of locking the workspace" to terminate KeePass on inactivity instead of locking it. Sensitive data may be revealed in locked state if it was interacted with previously.

Other security settings

The same tab lists additional security preferences that some KeePass users may find interesting. The only main preference enabled by default is the clearing of the Windows clipboard after copying information to it from within the program.

  • Clipboard auto-clear time (12 seconds)
  • Clear Clipboard when closing KeePass
  • Exit instead of locking the workspace after inactivity time
  • Always exist instead of locking the workspace
  • Enter master key on secure desktop
  • Clear master key command line parameters after using them once.

Policies

The Policy tab defines operations that are allowed by KeePass. You may use it to prevent certain operations from being executed at all.

  • The loading of plugins
  • Exporting or Importing data.
  • Printing information
  • Copying information
  • Drag and Drop.
  • Unhiding passwords
  • Changing the master password

What you set here depends largely on your needs. For instance, if you never print information, you may want to disable printing. The same goes for exporting data or using plugins.

Miscellaneous settings

You find several security related settings under the advanced tab.

  • Remember and automatically open last database on startup
  • Automatically search key files
  • Remember key sources
  • Remember working directories

Recommendations

Some preferences are listed in bold above and those are the ones that you may want to take a closer look at first.

I have set up KeePass to lock the database on inactivity as it prevents access to the database. This setting may be useful even if you are working alone considering that things like remote access may be enabled on the system KeePass is running on.

Now You: Have another tip? Feel free to share it below.

Summary
How to improve KeePass security
Article Name
How to improve KeePass security
Description
The guide goes through important KeePass settings and preferences that may improve the security of the password manager further.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Armond said on September 10, 2018 at 10:19 pm
    Reply

    “Note that you can use the shortcut Ctrl-l to look the KeePass database manually at any time while the program window is active.”
    Do you mean “lock” the database instead?

  2. Belga said on July 14, 2015 at 6:43 pm
    Reply

    You are speaking of the pro version I suppose ?

  3. anon said on July 14, 2015 at 1:55 pm
    Reply

    I wish they’d implement a multi-password database: decrypts the container in the database depending on the master password entered, so you could have a decoy/dummy or limited set of passwords show up when forced to reveal the password…

  4. tcat said on July 14, 2015 at 10:14 am
    Reply

    Two channel auto type obfuscation can be enabled per entry in auto-type settings.

  5. Randy said on July 14, 2015 at 8:59 am
    Reply

    Might be helpful for you to make note that your comments are in regards to version 2.x

  6. t7yang said on July 14, 2015 at 7:12 am
    Reply

    I think the way that lastpass implement is better which user must enter master password when an event occur like copy password.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.