KeePass 2.36: detect duplicate or similar passwords

A new version of the KeePass password manager has been released which brings the version of the desktop program to 2.36.

KeePass 2.36 ships with new features and fixes for the most part. Several improvements were made in regards to auditing existing passwords.

KeePass users have options now to check for duplicate or similar passwords, and to create a password quality report which provides an estimation of the quality of all passwords.

Existing users may download the new version from the developer website. While KeePass may highlight that a new version is available, automatic updates are not part of the program yet.

KeePass users can check the version of the password manager by selecting Help > About KeePass in the interface.

The update or new installation is straightforward, and there are no surprises included in the installer.

KeePass 2.36


Two new password audit options have been added in KeePass 2.36. Both are found under Edit > Show Entries.



The first, called Find Duplicate Passwords, scans all folders of the password database for identical passwords, and displays them in the interface. The scan should not take longer than a second or two to complete.

The second, called Find Similar Passwords, lists all accounts with passwords that have a similarity of at least 20%. The listing is sorted from the "most similar" to the "least similar".

Both audit options give KeePass users a way to identify password reuse and act on it. KeePass won't change anything on its own, so it is a good idea to go through the listing and modify passwords so that none are identical or too similar.

The main reason is that password reuse is a problem: attackers may try leaked or cracked passwords on other services as well. Many Internet and computer users reuse passwords for convenience's sake. This is unnecessary when a password manager is used, since one does not have to remember the passwords; they are just one click away in the password database.
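As an added illustration (not KeePass's own code) of the two reuse checks described above, the script below groups exported entries by identical password and lists pairs of distinct passwords at or above the 20% similarity cutoff, most similar first. KeePass's similarity formula is not given here; the normalized Levenshtein metric and the sample entries are assumptions.

```python
# Added example (not KeePass code): reuse audit over exported entries,
# mirroring the duplicate and "at least 20%" similarity checks above.
from collections import defaultdict
from itertools import combinations

SIMILARITY_THRESHOLD = 0.20  # the article's 20% cutoff

def levenshtein(a: str, b: str) -> int:
    """Edit distance (two-row dynamic programme)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> float:
    """Normalized Levenshtein similarity, 1.0 = identical (assumed metric)."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

def find_duplicates(entries):
    """Titles grouped by identical password; only groups of size > 1."""
    groups = defaultdict(list)
    for title, pw in entries:
        groups[pw].append(title)
    return [sorted(titles) for titles in groups.values() if len(titles) > 1]

def find_similar(entries, threshold=SIMILARITY_THRESHOLD):
    """Distinct-password pairs at or above threshold, most similar first."""
    pairs = []
    for (t1, p1), (t2, p2) in combinations(entries, 2):
        if p1 == p2:
            continue  # exact matches are reported by find_duplicates
        score = similarity(p1, p2)
        if score >= threshold:
            pairs.append((round(score, 2), t1, t2))
    return sorted(pairs, reverse=True)

# Constructed sample entries (title, password); not real credentials.
ENTRIES = [
    ("mail", "Summer2017!"),
    ("shop", "Summer2017!"),     # exact reuse of the mail password
    ("bank", "Summer2018!"),     # one-character variant
    ("forum", "summer2017"),     # case and punctuation variant
    ("vpn", "x9#Kq3-vLp6&Zb4"),  # unrelated generated string
]
```

Running `find_duplicates(ENTRIES)` and `find_similar(ENTRIES)` reports the mail/shop reuse and the three near-variants, while the unrelated vpn password appears in neither listing.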


The third and final feature addition in regards to password auditing is the ability to generate a password quality report. This report estimates the quality of all passwords when run. You find it under Edit > Show Entries > Password Quality Report.

All three reporting options provide you with information on passwords that are potentially weak. The password quality report does so directly; the two others highlight password reuse issues.

The remaining changes in KeePass 2.36 are not as spectacular, but some are useful nevertheless.

To name a few major ones:

  • KeePass 2.36 has a new String search option under Edit > Find, to find strings in the password database.
  • New "Last Password Modification" time option in list view.
  • Program remembers position and size for some dialog windows now.
  • New Configuration option for expiring the master key.
  • Option to disallow auto-type target windows.
  • KeePass window is brought to the front if auto-type errors occur.

You can check out all changes on the KeePass site.

Verdict

KeePass 2.36 introduces new password audit options and other improvements. The auditing options give you tools to check saved passwords and make sure they are secure enough, and not too similar or even identical to others.

Now You: Have you audited your passwords before?


Responses to KeePass 2.36: detect duplicate or similar passwords

  1. John June 10, 2017 at 9:32 pm #

    Some very useful new features! Has anyone figured out how to disallow auto-type target windows?

  2. chesscanoe June 10, 2017 at 10:07 pm #

    I suggest also manually recording all the passwords in a small paper notebook. I used another password tool years ago, and when the program inexplicably became unusable at some point, I lost all my passwords.

    • trends June 10, 2017 at 10:49 pm #

      Can you share the name of that unreliable tool with the rest of us?

      • chesscanoe June 11, 2017 at 1:56 am #

        I intentionally did not mention the product name because it is now probably several versions newer and a comment about an old version is probably not fair to the new product reputation IMHO.

    • Anonymous June 10, 2017 at 11:04 pm #

      I suggest backups :)

    • John June 10, 2017 at 11:53 pm #

      Surely more efficient to export to an XML file, and store that in a separate, secure location.

    • Harushi June 11, 2017 at 6:25 am #

      Password managers usually save your passwords in a file. If your program crashed or something, you could redownload the program and use the file.

    • Klaas Vaak June 11, 2017 at 10:45 am #

      A hard copy is necessary for the reason you mention, but you don't need to manually record them. In Keepass you can go to menu > File > Print, which will give you a list of all your passwords by Group. There are various print options to print the list. Note: disconnect from the internet before you bring up the list.

  3. Anonymous June 10, 2017 at 11:09 pm #

    This similarity tool is useless! Shows tons of similarities between >100 bits passwords! Or, maybe KeePass password generator is broken?

  4. Clairvaux June 11, 2017 at 12:26 am #

    I wouldn't rely too much on password quality testers. Usually, they never tell you what method they use, and against what cracking methods they evaluate passwords.

    If, for instance, they only test against brute-force cracking, they might report as very strong a password that would be easily defeated by a dictionary attack.

    If they evaluate a password only through statistics (number and type of characters), they might give you a false sense of security. You might have a password with many characters, however if it's composed of a word, or even several words, for instance a verse from Shakespeare, then it would be very likely vulnerable to a dictionary attack.

    If you take a common word, or phrase, and think you're being a smart-alec because you've changed o's into zeroes, or some such worn-out method, then this is almost certainly already taken into account by the many commercial password-breaking programs available.

    If your password-strength tester does not test against commonly available lists of most-used passwords, then it's useless.

    If you want some cheap thrills, go and have a look at
    https://www.elcomsoft.com/

    It sells forensics software to law enforcement and such. It's in the business of breaking passwords and encryption. Go see what they can do. You can even download some free trial versions of their (very expensive) software.

  5. Anonymous June 11, 2017 at 7:10 am #

    Can't trust Sourceforge sorry.

  6. Anonymous June 11, 2017 at 7:17 am #

    Also this version removed all my databases colors, f...k.

  7. MikeFromMarkham June 11, 2017 at 2:47 pm #

    I know there are legions of KeePass users who think it's the best thing going, but I've always found it somewhat inelegant and clunky to use compared to a program like LastPass. That won't stop me from trying it out again (something I do every few months), but I'm not convinced these enhancements will change my mind about switching to KeePass permanently at this time. Nevertheless, I thank Martin for his continued excellent updates on this and other potentially useful software.

    • Clairvaux June 12, 2017 at 9:28 am #

      Kee Pass user here. I have never used a cloud-based password manager for security reasons, and yes, I agree that Kee Pass has a clunky look. It has that sweet XP-reminiscent style of user interface, which is a big plus in my opinion.

      Yes, it's not as flattering to the eye as modern cloud interfaces, but it gets the job done and you can see what is where. You're in control. As much as I regret the aesthetically superior interfaces of cloud-based software, I think that security, privacy and control is paramount for this type of program. It also helps that I do not need to sync several devices.

      I wouldn't say the clunkiness extends to the way Kee Pass is used, though. I'm sure, though I haven't tried any, that cloud-based password managers offer a more fluid user experience. However, that fluidity comes at the expense of security and privacy, as many hacks of such services have shown. But I wouldn't say Kee Pass is clunky for a desktop program; it's normal. It's powerful and very customisable, though, and that might be intimidating. I was intimidated first. Hell, I still am! There are many functions in Kee Pass I don't use and I don't understand.

      If you want to add some fluidity to Kee Pass user experience, you can use one of its add-ons which integrate it with browsers. (I haven't tried them.) I have decided against installing such add-ons, because they reduce the level of security. The more separation between the browser and the password manager, the better in that respect.

      But I perfectly understand why people would use cloud-based password managers.

      • chesscanoe June 12, 2017 at 2:09 pm #

        Clairvaux says "As much as I regret the aesthetically superior interfaces of cloud-based software...". At least for Skype for Windows 10 cloud application, I highly dislike it because one cannot define a PC-only based font to use. One can do so for the Desktop based Skype. This is one reason I shy away from cloud based applications. If my font observation general assumption is not correct for cloud applications, please correct me.
