KeePass Password Safe review
KeePass Password Safe is a free open source password manager for Windows ; ports of the password manager are available for Linux, Mac OS X, Android, iOS, and other systems as well.
The review focuses on the Windows version of KeePass, and here in particular version 2.x as it offers more features.
Passwords are used nearly everywhere on today's Internet and even on local devices; you log in on your devices using a password, pin or other authentication options, and need passwords for nearly any service on the Internet.
Some Internet programs, web browsers for instance, come with password saving functionality. Users may install browser extensions to improve the core functionality and use desktop programs or applications for that as well.
Password managers can be divided into three groups: online, local, or mixed. Online password managers use cloud storage to sync data. LastPass is a typical example of an online service. Local password managers run on the local device and store the data on the device by default and not the cloud.
Mixed password managers support both features and give the user the choice to pick the most suitable option. KeePass falls into the mixed category even though it stores its databases locally by default.
KeePass Password Safe
KeePass comes as a portable version and setup version. You can put the portable version of the software on a USB Flash drive to carry it around with you; the functionality of both versions is identical.
KeePass displays a blank interface when you start it for the first time; this may be a bit confusing to new users as it is not clear directly what you need to do to get started.
The very first thing you need to do is create a new database. The database stores the data such as passwords and other information. It is encrypted and can only be opened from within KeePass or compatible programs.
KeePass can load multiple databases which is a great feature of the program as you may separate data if you use different databases for it.
The creation of a new password database is straightforward but it requires more user interaction and offers more options than the creation of a new account for an online password manager:
- Select the name and location of the password database file on the system.
- Select a master password to protect it.
- Advanced options add keyfile and Windows user account authentication options that you may use instead or in conjunction.
- Customize the database's security preferences: pick an encryption algorithm, set key derivation functions and more (optional)
- Customize other parameters such as the name and color of the database, or template file use (optional).
Most of the preferences that KeePass provides are optional. You only need to select a name, location and master password if you want but if you are an advanced user, you can customize the database to better suite your needs.
KeePass rates the password that you enter and goes beyond the usual "need x characters, at least one number so it is secure" scheme of things. It checks for repeats, known weak passwords and more to make sure the selected password is indeed strong.
If you add a second authentication option to it, keyfile for instance, then you increase the security of the database even further. Attackers need the master password and the keyfile to break the password database successfully.
Tip: you can place the KeePass database in the folder of a cloud syncing provider on the device to use syncing. Vanilla KeePass does not support syncing out of the box, but you can use this workaround or plugins to enable the functionality if you require it.
Once you have created the database you may either use KeePass's import functionality to import data from another password manager or start using the program from scratch.
KeePass supports the import of data from web browsers like Chrome, lots of password managers, and generic password files. Plugins extend the import functionality further and integrate seamlessly in the password manager.
KeePass displays information in two panes when you load a password database in the program. The left displays folders that may hold passwords and the right the passwords of the active folder or search results.
A default database includes several folders that you may use; it may improve how you work with KeePass but it is not required for use. The main pane lists titles, usernames, URLs, notes and hidden passwords by default.
You can interact with any data set right then and there by right-clicking on it and selecting one of the available options. Use context menu items to copy the username, password, or URL, and to perform other operations.
A double-click opens the data so that you may edit it and access additional information that the overview may not provide.
Adding new passwords to KeePass is simple; Select Edit > Add Entry to get started. Fill out any of the fields of the new password dialog, e.g. the title, username, password or URL, and click on the save button.
KeePass supports other forms of data and information that you may save alongside username and password:
- Add file attachments to a database entry.
- Add custom strings and notes.
- Select tags.
- Custom colors.
- Define auto-type behavior.
KeePass includes a password generator that you may use to generate strong unique passwords. You can define the password length and the use of characters, e.g. upper and lower case, special symbols, or numbers, in the password manager.
Advanced options include using custom algorithms or patterns (e.g. create a password with six lower case, six upper case and four numbers), preventing the use of similar looking characters, and limiting the use of characters to one in the password.
Passwords that you generate are saved automatically by KeePass.
KeePass does not integrate in browsers automatically but it supports a global hotkey that works with many different programs. You may use Ctrl-Alt-A to fill out log in information automatically if the window is properly identified by KeePass.
You can even customize auto-type behavior for sites that use non-standard login forms or enable Two-Channel Auto-Type Obfuscation to protect against all current keyloggers.
Plugins are available to integrate KeePass in major browsers such as Safari, Chrome or Firefox. If you don't use these options, you may still use good old copy and paste to sign in to sites on the Internet.
KeePass Security
KeePass supports several encryption standards, AES and Twofish, that are regarded as very secure. It encrypts the entire database and uses SHA-256 to hash the master key components.
It protects passwords even while KeePass is running and makes dictionary and brute-force attacks harder by using key derivation functions.
The password manager features security-enhanced password edit controls that protect the data against programs that try to steal passwords that you enter, and you may enable secure desktop use for entering the master password for protection against keyloggers and many other threats.
Users may combine authentication options. Protecting databases with the master password is the default option, you may combine it with using a keyfile for that extra bit of security.
A security audit of KeePass in 2016 found no serious weaknesses in the implementation.
Tip: Check out our how to improve KeePass security guide for additional security related suggestions.
KeePass Plugins
Plugins extend the functionality of the password manager. Most plugins are compatible with KeePass 2.x only but version 1.x users find some plugins for the version of the password manager as well.
Plugins extend KeePass; you can install plugins that add import options for different password formats, backup and synchronization plugins, plugins that integrate with programs or devices, utilities that add functionality, and more.
Installation of plugins is simple but again not as straightforward as it could be:
- Download the plugin that you want to use.
- It is provided as a zip archive that you need to extract on your system.
- Open KeePass, and select Tools > Plugins > Open Folder; this opens the plugin folder of the password manager.
- Copy the extracted plugin to the plugins folder of KeePass.
- Restart KeePass.
The plugin that you moved into the folder is loaded by KeePass and ready for use.
KeePass 1.x versus KeePass 2.x
KeePass is offered in two different versions for Windows; KeePass 2.x and KeePass 1.x which are different versions of the password manager that offer different functionality. In other words, KeePass 2.x is not an update of KeePass 1.x.
KeePass 2.x offers features that version 1.x of the software does not support. You can check out the feature comparison table on the official project website for a list of major difference between both versions.
To name a few: KeePass 2.x supports high DPI and offers full Unicode support; it can be run under Mono, supports additional encryption algorithms, better plugins support, supports secure desktop, better import functionality, scripting and triggering support, options to load password databases via URLs, and more.
KeePass 2.x is based on the Microsoft .Net Framework whereas version 1.x of the password manager is not.
KeePass criticism
The password manager faces three main points of criticism:
- It is not pretty and looks old-fashioned.
- It comes without online sync functionality by default.
- Integration in browsers is not the best.
Missing sync and browser integration functionality can be added using plugins. While that adds another party to the whole process, as many plugins are not created by the developer of KeePass but by users, plugins do add missing options to the program.
You may also place the KeePass database in the sync folder of Google Drive, Dropbox or OneDrive, or any other sync service, to have it synced automatically between devices.
I sign in to lots of sites throughout the day and never found the whole process bothersome, even without the use of plugins or the auto-type functionality.
The interface looks indeed as it ifs from the last century; while some users may dislike the program because of that, I don't really care about the looks of programs provided that the looks don't interfere with usability.
Closing Words and Verdict
KeePass is first and foremost a local password manager for Windows. You can run it on other operating systems using Mono or third-party ports, and extend the program if you require functionality that the vanilla version does not include.
The program was audited and the audit turned out fine for the application; it uses strong security options, especially if you combine the master password with use of a keyfile, and comes with an incredible functionality out of the box.
It is not the most comfortable of programs, especially if you are used to online password managers like LastPass that integrate well in browsers and make things very comfortable for you because of that.
KeePass makes up for that in my opinion with the sheer number of features and options; it is probably the password manager that gives you the most control and that is even without any of the plugins that extend its functionality further.
KeePass important resources
For better browser support of autotype I recommend just using a browser extension which adds the current URL to the window title. Works very well and still gurantees separation between browser and KeePass.
Firefox:
https://addons.mozilla.org/firefox/addon/custom-titlebar-text/
https://addons.mozilla.org/firefox/addon/url-in-title/
https://addons.mozilla.org/firefox/addon/keepass-helper-url-in-title/
Chrome:
https://chrome.google.com/webstore/detail/url-in-title/ignpacbgnbnkaiooknalneoeladjnfgb
As window titles can be set by the page you are on, I added a custom string in front of the URL-part to prevent fraud and accidential matches.
“Cloud” = A computer you have absolutely no control over.
“Cloud” = Trusting someone without even knowing who that someone is.
If your willing to store your password and usernames in the “cloud” why even bother having them?
I use passwordsafe. It does fall into the mixed category but I keep it all local. It’s totally portable too so you don’t just backup the db but the entire program on a usb stick just by copy/paste.
I have used keepassx on my linux computer for many years and i would not use anything else,its simple and effective.
I’m now confused with the last update on Portableapps making two identical versions with 2 different paths, KeePassPortable and KeePassProPortable. Why make it simple when you can make it complicated..
@ Anonymous
KeePassPortable & KeePassProPortable are not identical — see below. Some users might want to keep both (hence the different paths) on the same thumbdrive, depending on whether the host PC has .NET 2.0 or not.
☻ KeePassProPortable = KeePass (Pro) v2.x
→ more features, requires .NET 2.0
☻ KeePassPortable = KeePass (Classic) v1.x
→ fewer features, but doesn’t require .NET on host system
Sorry to contradict you but KeePassPortable & KeePassProPortable I downloaded from Portableapps are both KeePass v2.x.
@ Anonymous
On the contrary, the official PortableApps’ KeePass Classic v1.x & KeePass Pro v2.x are definitely different. When & from where did you manage to download the PAFs, such that their source binaries &/or PAF paths are both KeePass Pro v2.x ?
1) KeePass Portable Classic:
https://sourceforge.net/projects/portableapps/files/KeePass%20Pro%20Portable
☻ v1.35 (2.16 MB, 02 Jan 2018):
→ PAF Path: KeePassPortable
→ Main Binary: \App\keepass\KeePass.exe v1.35 (2.08 MB, 02 Jan 2018)
2) KeePass Pro Portable:
https://sourceforge.net/projects/portableapps/files/KeePass%20Portable
☻ v2.39.0 (4.51 MB, 09 May 2018):
→ PAF Path: KeePassProPortable
→ Main Binary: \App\KeePassPro\KeePass.exe v2.39.0 (3.1 MB, 06 May 2018)
☻ v2.39.1 (4.51 MB, 19 May 2018):
→ PAF Path: KeePassProPortable
→ Main Binary: \App\KeePassPro\KeePass.exe v2.39.1 (3.1 MB, 12 May 2018)
☻ v2.39.1 rev2 (4.51 MB, 20 May 2018):
→ PAF Path: KeePassProPortable
→ Main Binary: \App\KeePassPro\KeePass.exe v2.39.1 (3.1 MB, 12 May 2018)
→ Changes from PAF v2.39.1:
• \App\Readme.txt (advisory text about data folders to preserve);
• \App\AppInfo\appinfo.ini (PAF version no.);
• \App\AppInfo\installer.ini (paths for [FilesToPreserve] & [DirectoriesToPreserve]);
• \App\AppInfo\pac_installer_log.ini (PAF packaging timestamp)
When I around 1970 getting knowledge from password “hashing where the system translates a password into a numerical value, and the password was not stored physically on the computer, I have used many password manager programs.
But sins I have installed KeePass about six months ago slowly but secure I am learning to use the add-ons KeePass is offering. It’s not a ferry smoothly to use password manager program in the beginning but this for me is going quickly away because, for the first time, I have the feeling that KeePass is the real thing.
Hopefully, KeePass will also make for the KeePass 2 password manager an Microsoft IE 11 browser add-on so for all main browsers I can use KeePass.
Or is there maybe already a KeePass 2 M.s.IE 11 add-on?
I have been using LastPass which has worked ok so far, until I changed phones. Now I have to send an sms code to unlock it all the time. It’s probably a setting somewhere. I will check out KeePass, I might migrate over.
I use KeePassXC
Sweet! Best password manager ever!! Never had any trouble using this.
pen & paper which I can hide and swallow if needed.
I don’t trust any of my electronics, whatever they may be, to keep passwords.
https://keepass.info/devstatus.html#classicpro
“What are KeePass Classic and KeePass Professional?
During the initial development of 2.x (i.e. while there was no public alpha version available), it was called “KeePass Professional”. The current 1.x version should be renamed to “KeePass Classic”. This naming should emphasize that 2.x isn’t simply the successor of 1.x. Shortly before the first alpha version was released, there were long discussions about the naming and we finally decided to call the new version “2.x”.
This was done particularly with regard to future development. The naming was changed, but the intention remains the same: 2.x isn’t the successor of 1.x, and 1.x isn’t dead.”
Keepass is THE password manager XP, W7, W10/Linux works on every of these platforms. You’ll find a plugin or a Nirsoft app to enhance it ! When it comes to online storage, I don’t trust any one but me (although…) Keepass backups are considered reliable and secure (no exploit to date), But I use an additional layer (veracrypt) when it come to save my bases online.
Using Cyclonis Password manager. It works swiftly in response to form filling. My encrypted passwords are synced to a cloud service of my choice, so always up to date no matter what laptops I use.
https://portableapps.com/news/2018-05-09–keepass-professional-portable-2.39-released
I have Keepass PRO installed, I don’t see it anymore. No more difference between the two now?
Keepass PRO? Sounds sketchy. Where did you get that from?
Never seen Keepass PRO.
Does it fill in login and password fields automatically like lastpass does?
keepassx for cross platform. works well on linux.
can open keepass files too.
Here is how I use KeePass.
I install keepass using chocolatey package manager, powershell windows software install/uninstall/upgrade via command line.
Then I install the browser extension CKP for chromium.
Then I use chocolatey to upgrade all software installed at least once a week in an administrative cmd prompt using conemu.
That works really nicely to keep all my software up to date.
But my question is what tool exists to update all the keepass plugins?
Thanks
Supposed to be Dashlane. My apologies.
using Dahlonega and overall pleased. Recently I have noticed it not playing nice with Firefox or Opera.
The problem with ads is that you have no control over what gets distributed in the ad Network. So the ad Network becomes a vector of attack.
I have been quite pleased with KeePass for many years. A nice job, thoughtful and intelligent.
People who trust third party repositories for their passwords need to explain why they think it is a good idea. Silly or unimportant passwords, OK, but keys to valuables, not so smart.
I do trust a third party (which is Dashlane) because they probably have way more secure servers than mine, even though I did my best to secure it. But since I’m not a pro in IT security I might have breaches in my security.
I use Bitwarden for my passwords. I trust that the encryption is as good as it claims so it doesn’t matter where my passwords are stored. The bad guys cant get to my passwords without my master password (and yubikey) so they can steal my database if they want, they cant do anything with it.
When I used lastpass it didnt even matter if they had my master password coz I limited the access to my database to my mobile, my home and work computer. The database couldnt be opened even with the master password in any other locations. On top of that I had yubikey.
KeePass does not just claim its encryption is good, it has had it audited by an independent organisation to please the EU because many people there use KP.
Sadly, this is not such a great option for us macOS users. The existing KP ports and quirky methods of running it on Macs are pretty lousy, so I’m currently entrusting my valuables to the good folks at 1Password ;)
Hi AxMi, it is not a browser program. It is a standalone but in that program you can automatic copy/paste from it without manual copy/paste….
And I do not worry about M&S. First you need to have malware on your pc and I have checked my browers here and they are safe and surely with NoScript or likewise…
This seems to be a very bad idea as browser is the most attacked program on the computer, especially in these days of Meltdown and Spectre. It is far safer to do manual copy paste and keep the password data away from browser processes.
Thanks ! I had not noticed that command. However, this says synchronise, not backup. So presumably, it works both ways ? Sounds a bit dangerous to me.
Password depot is another good one. Much functions and you can automatic past the name, password, ect… on the site with one click. Just use the thunder pictogram. You can make also very strong pw’s with it but I use the PWGen app for that.
Kz
You can already achieve that. I sync my passwords to a couple of USB drives using “synchronize active database with a file/URL”
Only thing that would be nice to have integrated is support for TOTP directly in the client (feels more secure than using plugins).
For my sync I use Tresorit (supports proper encrypted sync to phones too, unlike spideroak that demands your key for decryption on their servers when used on phones) as there is no point in avoiding use of cloud based password managers and then putting the keepass DB into unencrypted cloud storage like dropbox (US service making it even worse idea for those of us living elsewhere).
Edit: I would argue that backup should be handled by your backup policy (obviously encrypted at home if pushed to the cloud) and not keepass.
https://github.com/HandyUserscripts/AntiAdware/wiki/Supported-Websites
There’s one thing missing from Kee Pass, though : automatic backup to an alternative folder, presumably on an external disk. There are a few add-ons for that (they are not very good), but given the critical importance of the password file, this should be part of the program, in my opinion.
I should probably update.. but still using sourceforge.net for the download. No thanks.
Although KeePass has much more functionality than PasswordSafe, I feel that, for me, the latter would be a more prudent choice.
If one can get by using a semi-spartan program residing on his/her desktop, without encrypting attached files and other nice-to-have features, PasswordSafe exhibits a reduced attack surface while eschewing the whole dotNet infrastructure.
I am curious how BitWarden is received as well.
KeePass is the best password manager I’ve found, nothing else seems to be as secure. Really a very quality product for free.
I use Syncthing to sync my KeePass and everything else, but Keeweb looks promising.
A grid? what does that even mean? KeePass uses a file that’s encrypted. No one can access it without a password. Dropbox is just used to sync the file.
Hi Martin,
I hope you will to review bitwarden password manager.
Does dropbox have a grid like security feature found in Lastpass? It makes sure no one can access my account even if Lastpass is hacked.
This is how I use KeePass also.
That is my exact setup. I use a password & password file for added security. The password file has never been added to a hosted services.
KeePass + DropBox means it’s everywhere I need it to be. In fact, if i use KeepassDroid I can open the database (which is synced by DropBox on my phone) on my phone too. So it’s synced on every computer and my phone and i have access to my passwords anywhere. Not sure what else i would need.
1) For sync, I solved it by using a kdbx file stored on a personal Nextcloud share accross my PCs;
2) There’s an interesting alternative, keeweb https://keeweb.info/ and it’s online app: https://app.keeweb.info/ in which you can open a local kdbx file without having Keepass installed on PC.
There’s also KeeWeb plugin for Nexcloud that allows you to open a kdbx file through the interface. I’ve never used it but it’s interesting if you do in fact use Nextcloud.
KeePass is the only reliable password manager I have used. I tried LastPass but they got hacked and deep down I knew it was a bad Idea to put my passwords in the cloud anyway, so I went back to KeePass and have never looked back!
have been using password safe for years…i guess its about the same as keypass. never a problem. put out by computer guy bruce schneier who also has a great free newsletter.
apparently there are no Bugfixes… I will skip this one then.
One alert on Virus Total (by Cylance, a behavioural, supposedly innovative antivirus). I’m postponing this for a while.
My bad…
Keypass is the best password manager out there. I use it across OS’s and have my database in the cloud. Works very well for my needs.
I updated it yesterday, but didn’t check what changes had been made, so thanks for the heads up Martin.
Keepass is an excellent password manager, I can recommend it to anyone who is considering the use of such an app. In fact, any sensible person who has to remember say more than 5 passwords should use a password manager.
i’ve been bothered by the keepassRPC 1.7.3 new version alert but on firefox addon site or the actual website it’s still 1.7.2. wtf?
check http://keefox.org/upgrade. Had to google too, and found that reference on github.
I know there are legions of KeePass users who think it’s the best thing going, but I’ve always found it somewhat inelegant and clunky to use compared to a program like LastPass. That won’t stop me from trying it out again (something I do every few months), but I’m not convinced these enhancements will change my mind about switching to KeePass permanently at this time. Nevertheless, I thank Martin for his continued excellent updates on this and other potentially useful software.
Also this version removed all my databases colors, f…k.
Check hashes and you don’t need to.
Haven’t used it in a good long while but recall reading about Sourceforge being bought out and no longer doing the spammy, add on installs, if that was your issue.
https://arstechnica.com/information-technology/2016/06/under-new-management-sourceforge-moves-to-put-badness-in-past/
Clairvaux says “As much as I regret the aesthetically superior interfaces of cloud-based software…”. At least for Skype for Windows 10 cloud application, I highly dislike it because one cannot define a PC-only based font to use. One can do so for the Desktop based Skype. This is one reason I shy away from cloud based applications. If my font observation general assumption is not correct for cloud applications, please correct me.
Kee Pass user here. I have never used a cloud-based password manager for security reasons, and yes, I agree that Kee Pass has a clunky look. It has that sweet XP-reminiscent style of user interface, which is a big plus in my opinion.
Yes, it’s not as flattering to the eye as modern cloud interfaces, but it gets the job done and you can see what is where. You’re in control. As much as I regret the aesthetically superior interfaces of cloud-based software, I think that security, privacy and control is paramount for this type of program. It also helps that I do not need to sync several devices.
I wouldn’t say the clunkiness extends to the way Kee Pass is used, though. I’m sure, though I haven’t tried any, that cloud-based password managers offer a more fluid user experience. However, that fluidity comes at the expense of security and privacy, as many hacks of such services have shown. But I wouldn’t say Kee Pass is clunky for a desktop program ; it’s normal. It’s powerful and very customisable, though, and that might be intimidating. I was intimidated first. Hell, I still am ! There are many functions in Kee Pass I don’t use and I don’t understand.
If you want to add some fluidity to Kee Pass user experience, you can use one of its add-ons which integrate it with browsers. (I haven’t tried them.) I have decided against installing such add-ons, because they reduce the level of security. The more separation between the browser and the password manager, the better in that respect.
But I perfectly understand why people would use cloud-based password managers.
Can’t trust Sourceforge sorry.
I wouldn’t rely too much on password quality testers. Usually, they never tell you what method they use, and against what cracking methods they evaluate passwords.
If, for instance, they only test against brute-force cracking, they might report as very strong a password that would be easily defeated by a dictionary attack.
If they evaluate a password only through statistics (number and type of characters), they might give you a false sense of security. You might have a password with many characters, however if it’s composed of a word, or even several words, for instance a verse from Shakespeare, then it would be very likely vulnerable to a dictionary attack.
If you take a common word, or phrase, and think you’re being a smart-alec because you’ve changed o’s into zeroes, or some such worn-out method, then this is almost certainly already taken into account by the many commercial password-breaking programs available.
If your password-strength tester does not test against commonly available lists of most-used passwords, then it’s useless.
If you want some cheap thrills, go and have a look at
https://www.elcomsoft.com/
It sells forensics software to law enforcement and such. It’s in the business of breaking passwords and encryption. Go see what they can do. You can even download some free trial versions of their (very expensive) software.
This similarity tool is useless! Shows tons of similarities between >100 bits passwords! Or, maybe KeePass password generator is broken?
I suggest also manually recording all the passwords in a small paper notebook. I used another password tool years ago, and when the program inexplicably became unusable at some point, I lost all my passwords.
A hard copy is necessary for the reason you mention, but you don’t need to manually record them. In Keepass you can go to menu > File > Print, which will give you a list of all your passwords by Group. There are various print options to print the list. Note: disconnect from the internet before you bring up the list.
Password managers usually save your passwords in a file. If your program crashed or something, you could redownload the program and use the file.
Surely more efficient to export to an XML file, and store that in a separate, secure location.
I suggest backups :)
Can you share the name
of that unreliable tool
with the rest of us?
I intentionally did not mention the product name because it is now probably several versions newer and a comment about an old version is probably not fair to the new product reputation IMHO.
Some very useful new features! Has anyone figured out how to disallow auto-type target windows?
My password manager, but I don’t like their choice to use sourceforge.net for the download.
and how can I upgrade in Ubuntu ? thks
What would be great is a multi-password db: one password opens one side of the db (dummy), while another opens another (the real one)…
@ Sean, here is a feature of Lastpass you might want to think about …
http://money.cnn.com/2015/06/15/technology/lastpass-password-hack/index.html
Personally, I like the idea of storing my passwords locally on my own machine, rather than on somebody else’s server somewhere out there.
I’ve always been using Lastpass so far. I like a feature that I don’t have to recall the passwords, Lastpass always brings the password(s) for me. Is this feature available at Keypass?
Does this new version break the KeeFox addon (firefox)? Thx.
Question. If I upgrade to this version and later edited my database, will it force upgrade my database to the latest format? I don’t want to upgrade the database format yet until I am assured that my Linux app (KeepassX) and Android app (Keepass2Android) can also open the new format. (I sync my database through various devices via Spideroak.)
http://keepass.info/help/kb/kdbx_4.html#intro
Migration Phase. As not all major KeePass ports have finished adding support for KDBX 4 yet, for now KeePass 2.35 saves databases in this new format only when at least one of the following conditions is fulfilled:
AES-KDF is not selected as key derivation function (KDBX 3.1 only supports AES-KDF; any other key derivation function, like for instance Argon2, requires KDBX 4).
A plugin requests to store custom header data in the KDBX file.
A plugin requests to store custom data in an entry or a group.
As soon as all major KeePass ports support KDBX 4, KeePass will always save in this format.
No, it works just fine
Database Encryption:
Advanced Encryption Standard (AES / Rijndael) 256 bits NIST FIPS 197
ChaCha20 256 bits RFC 7539
Anyone which one is better?
AES is still my preferred cipher. It continues to defy sustained cryptanalysis for almost twenty years. It has also won a block-cipher competition. ChaCha20 is a stream cipher that, while it looks secure, has not had the sustained scrutiny and cryptanalysis as AES. It may be good, or it may have an undiscovered flaw. Be conservative, choose AES.
I’ve been using ‘AnyPassword Pro’ version: 1.07, released March 5, 2011, not updated since … because I’ve got used to it. Certainly not the same aura as KeePass, not tweakable but for my needs quite enough. I tried KeePass once but found it too feature rich considering my environment. I guess concerning security itself KeePass is more advanced but the idea is that I wouldn’t install an armour-plated door if the indoor values don’t require it. Make as simple as possible. The “possible” is subjective when my subjectivity is far tougher when it comes to an OS, a browser.
Hello Martin.
Any plugins you can recommend?
John, I don’t use any. I prefer to do everything manually.
Agreed. ^^
KeePass is the perfect password manager.
I still trust this software, because alternatives are also not ‘better’ and it’s still not bad it constantly gets new updates and fixes much faster compared to KeePassX (last update feb/march 2016). WHich is imho a good signal, homebrew not means it’s automatically bad, maye it’s improved. Of course it’s an alarm signal to take a closer look into it.
I guess the replacement was done because better solutions (https://en.wikipedia.org/wiki/HKDF) and not due security itself, most of such attacks anyway need physically acess. So calm down ladies and gentlemen and not spread something without any facts. it’s simply contra productive to say ‘oh maybe there is something’ .. there is always something in each product.
Let’s wat for the audit and the new build. I still believe it’s a good product.
I agree, in this day and age where you can be “compelled” to give your master password, this feature would be beneficial
I agree too, this would be very useful!
I wish they would implement a “plausible deniability” feature, where entering one password opens one DB, and another opens another… kind of like a Truecrypt volume hidden within another.
Only KeePassX, only C++, only Qt.
The question is, why? Was there any reason to abandon the AES-KDF? I’ve read the KeePass manual since it was only in the 1.xx version, and I’ve come away impressed with the author’s homebrewed key derivation function. Sure it may not be in the same league as bcrypt or scrypt, but it can be as secure as the PBKDF2 standard.
Argon2 seems to be aimed at preventing parallelized attacks especially using GPUs. It does look impressive. But I think it may be overkill.
My main beef with this looming update is breaking backward compatibility. The current KDBX standard is good enough, unless there are undisclosed exploits that the author knows about. I hope that we are not forced to upgrade our KDBX databases while using the newest version of KeePass 2. Just like Veracrypt with its “Truecrypt Mode”.
It doesn’t break backward compatibility, it’s just another option to use if you want
It’s an option right now. The KeePass web site says that will change once “all major ports” are updated to work with the v4 DB format. I use iKeePass on my iPhone and I doubt it’s considered a major port. I’m hoping iKeePass will be updated soon but there’s no way to know.
> homebrewed key derivation function
This is the moment, when you should stop trusting a software.
Buy a USB flash drive with a “write protect” switch. You won’t have to be concerned about infections.
“The signature should read ‘Open Source Developer, Dominik Reichl’. If that is the case, the file is legitimate.”
This is trivial for someone to spoof.
For example, would you notice if the signature read ‘Open Source Developer, Dominik Reich’? Probably not. But that’s a completely different signature (look closely).
Or what about ‘Open Source Developer, Dominic Reichl’? Would you notice that?
It’s also trivial to obfuscate the fake signature even more subtlety using non-standard characters that look like standard characters.
Trying to visually compare signature names, in practice, is useless and is not advised.
The Keepass addon (official chrome) can do this via cloud within the browser (or as fallback from the database file offline on storage). I not know if the Firefox addon already got that ability too, because last time there was no cloud support implemented.
The things with usb stick is, especially if your entire family or friends have access to it, get’s easier infected as the OS because you maybe use this stick in other systems which are already infected or someone ‘accidentally’ infect it – drive-by infection works exactly like this, email attachments, usb sticks and more. Stuxnet was also done via USB-Stick, and I was never really a friend of USB-sticks.
I think if you often have such cases a Sandbox would be the best solution, so that everyone can only get access in this and after all is done it will be deleted. Of course everyone can do whatever he/she wants but it’s simply easier and you not need to worry about everything (or less). :)
I would imagine if you want to use it between multiple devices from USB stick. Or to temporarily use it on a family members machine (if for example you keep your elderly family members on-line credentials with your own passwords due to their dementia and you set up and maintain their PC’s for them). Etc.
What I don’t understand why you would want to create a Sandbox or VM or a MemoryDrive or install into appdata, when you can just run it straight from a USB stick.
I never get the point about the ‘portable’ hype, it mostly requires more space because additional dependencies and libraries. If you want to test it, you can create a Sandbox or VM or a MemoryDrive. If you want it because usb stick, then in most cases you simply can install into appdata anyway (no special access needed).
V1 or 2 who really cares? Both of them are same secure, as mentioned you simply could disable update or just install now this version and everything should be fine.
I’m thankfully that we get a fix even after the author said it will not be fixed:
https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/#f398
What we want more? 10 days to fix this was not that long. :)
Your opinion is not the “correct” one that everybody else should follow. Also, learn some manners. Now you appear as a know-it-all & I’m right -ahole.
Martin, could you please take consideration of this, from the keepass website:
KeePass currently is available in two different editions: 1.x and 2.x. They are fundamentally different (2.x is not based on 1.x). They mainly differ in portability and functionality:
KeePass 1.x: Runs on all Windows systems with GDI+ (already included in Windows XP and higher). Does not need to be installed; is portable. Fewer features than 2.x.
KeePass 2.x: Runs on all Windows systems with Microsoft .NET Framework 2.0 or higher (already included in Windows Vista and higher) and other operating systems (Linux, Mac OS X, etc.) with Mono. Does not need to be installed; is portable.
I’d like you to acknowledge this in your articles about Keepass. There are people using 1.x edition. Thanks.
Even though I could’ve easy got the rundown from their website, it does fail to fine something new. Much as I would love to use Linux again I just can’t do it, but that didn’t stop me from clicking on the Plug-ins link and what you know, something I forgot about, a shit load of Plug-ins for KeePass.
Been using KeePass along with KeeFox for quite some time now, no issues and really easy to use, shame i didnt start using it sooner.
I’ve been using it for many years and have advised lots of people to start using it. Love the product and supported it with a donation once.
Have recently switched to 2.x and am still not really sure whether I like 1.x better. One particular thing that bugs me is new password generation – in 1.x I could generate a password according to the rules I define and, if I didn’t like it, all I needed to do is to hit ‘generate’ button again (if I was looking for a stronger password and not just taking the first one suggested). With 2.x once I click on ‘Generate’ it generates the password and closes the Password Generation window. Annoying.
What I’d love to have, as a new feature (I guess I need to submit it to the developers) is a Favorites folder which would hold my most used items. It gets too annoying to scroll, open tree nodes and locate my entries.
I love KeePass. Free and stable, nothing to complain about, there exist a lot of extensions and such. Now works with Regexp… what someone want more? :)
PS:
Also on Android #1 …. :p
Been using Keepas for 4 yrs+. Coupled with Hostsman from abilhadigital.com and Cyberghost from cyberghost.com it’s the best for Windows users
Now signed with a SHA256 cert instead of SHA1, so Windows SmartScreen Filter should give it less of a hard time now too.
I used Kp 1.x for 8 years, and recently discovered Kp 2.x offered more features, including Auto-Type. Make sure you get Kp 2.32 & use the Auto-Type feature, it’s really worth it !
Thanks for the informative article, Martin. I’ve never used a password manager but recently have been thinking about giving one a spin, and KeePass is the one I’ve been considering.
Oz, you have chosen well – Keepass is great. It is open source, multi-platform, regularly updated/improved, and full of features. This article really is a prompt for me to get off my lazy behind and donate some money to the developer, because he is doing us a great service.
KeePass is a terrific product, I’ve used it for years. Probably the best and most secure password storage out there.
KeePass 2.31 is more secure than KeePass v1.29 with the Auto-Type feature. Keepass2 has ‘Two-Channel Auto-Type Obfuscation.’
Is it possible to install KeePass v2.31 over Keepass v1.29 safely and without losing passwords.
Regarding KeePass. Please read this old but excellent article:
http://ddaydj.blogspot.dk/2011/07/automatically-open-secure-keepass.html
I use Bruce Schneier’s Password Safe (https://www.pwsafe.org/).
I can NOT tell you how much it was nice to read about Optional global URL overrides to open URLS with Internet Explorer or Google Chrome in private browsing mode.
This feature should’ve been added a very long time ago, its not to nice when your paying bills and trying to stay in private mode when opening the urls from keepass. This feature alone has saved me NO less then ten minutes over the course of a year, take it from me, Time Means Everything!
Martin, did you ever post a list of what programs you use? As you say, “KeePass is my password manager of choice”. I’m sure there are other good software programs out there most are not aware of. Future article perhaps? Title: What software Martin uses 2016 edition.
I’ve used KeePass for years on all my devices (Windows laptop, Android phone, Linux desktop).
To sync the database among the 3 devices I use Syncthing. It’s open source, and there is no 3rd party cloud service storing any of my files. Syncthing is peer to peer – only on my own trusted devices touch the data. Everything is encrypted (TLS) while in transit across the internet.
too bad lastpass was hacked within the last year
http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571
Useful tip: Keepass database files normally have the .kdbx or .kdb extension. However, Keepass does not *require* files to have this extension. That’s quite unusual for a program in the Windows platform. (Not unusual in Linux, but that’s another story).
So, for a bit of extra security, you might want to just give your database file a generic name that has nothing to do with passwords (e.g. “oranges” or “shoppinglist”) and then REMOVE the .kdbx extension. If this file ends up in the hands of a malicious person, they won’t know which application opens it. (Double-clicking a Keepass file without the extension does not launch Keepass. Windows just asks which program you want to use to open it.) This advice is particularly useful if you plan to save your database in cloud storage (which I don’t recommend, but I know many people want to do.)
(PS. v.2.31 is an important update of Keepass for me. I was counting off the weeks, and now it’s here. Yay!)
I consciously decided long ago not to use browser password management. I approached this issue from the perspective of common sense: the browser is the most exposed part of my computer to the bad guys on the internet, so why would I want to let the browser store any critical data? It’s a non-starter for me. (In fact, my browser is set to delete absolutely everything in its cache when I close it.)
I’m glad I made this decision. Every once in a while, I read a report about some new security flaw in a browser’s password access permissions. People have found ways over the years to make just about any browser (Firefox, Chrome, etc.) spit out passwords in plain text. Is it a serious problem right now as I type this? Probably not. Probably everything has been reasonably patched. But I just won’t trust that this is so.
Remember, browsers have become fairly complex pieces of software. They have to handle so many network connections, so many extensions/plugins/addons, so much script from the web…. It’s not hard to see how something could get lost in all the noise.
Yup, I agree with what you’re saying: it always comes down to convenience vs. security. (I think we’ve had this conversation before!)
As long as people are making informed decisions, then everything’s ok. The problem is that many people have no idea what’s going on when they click that convenient “remember it for me” button (or “sync it” or “automatically do it” or whatever). Those are the people that get in trouble.
I use Self-Destructing Cookies too, by the way. That represents a reasonable balance between convenience and security for me.
OK, Jason, I clear caches as well, not only at Firefox exit but also within the session, and I moreover delete cookies (that have no exception rule – either keep or block) as soon as a site is closed, with an add-on called “Self-Destructing Cookies”.
This means that I have to login repeatedly if I haven’t set the site’s login cookie to ‘keep’. In this scenario Firefox’s built-in manager is far more convenient than if I had to call every time a Password Manager application : it’s Firefox’s Password Manager and no cookies except the very few I’ve authorized.
But I do insist on the fact that using the browser’s password manager requires absolutely a Master Password which keeps the passwords encrypted. This will be sufficient for indiscreet local eyes (guests at home if applicable) but maybe not (and that was the sense of my post) should my browser suffer from a penetration attempt on the Web. I do have system-wide protections and I moreover always run Firefox within a “Restricted Access” protocol implemented for a given application by running it via a security front-end called “DropMyRights”.
So I guess it all resumes to a balance between comfort and security/privacy. The right balance remains subjective IMO unless to consider that enforced security relies on a “totalitarian” approach implying zero ease of use, moreover maybe not required for an optimal protection if more than more may be sometimes superfluous.
@Tom: I only just noticed this remark of yours, so I want to thank you for mentioning DropMyRights.
I use LastPass , it doesn’t require any download besides the browser addon for faster and better access
@Martin (founder of gHacks), you state in the article,
“[…] data is automatically transferred to cloud storage in god knows which countries when an online password manager is being used.”
I totally agree. But between cloud storage and an independent password manager such as Keepass, how confident may we be with a browser’s built-in password manager? Here with Firefox, once a master password set, do you believe the user’s data is more at risk then with a tool such as Keepass?
I run an application comparable to Keepass named “Any Password Pro” which handles encrypted data of course, but I do rely on Firefox’s password manager (WITH master password) for everyday logins. Firefox’s Sync not used here. Do you believe my encrypted logins within Firefox’s password manager are at risk, I mean is the idea of an external intrusion (a Web intrusion) on my passwords, a valid possibility? This is important, and not only for me.
I use KeePassX and SpiderOak to sync the database between my computers. It’s working very well !
Windows SmartScreen Filter is a PITA with Keepass.
Yesterday the SmartScreen filter gave a red warning when downloaded. Today the red warning is gone as more people have downloaded it, but Windows 10 still won’t let me run it because I have a blank password on my local Windows account (I use Bitlocker password instead of account password).
So I’ll give it a few days for SmartScreen filter to sort itself out.
Its more like a normalized database, with a gui (and extra features like pw generation, integration and a ton of options) than a spreadsheet .. but yeah .. it’s encrypted, .. so what’s your point?
The lastest portable version is provided as well as the regular version on the website
I still afraid of password managers. I should sync the passwords between home and office, but I don’t trust in any cloud service so much to do this (nor store them only online).
I don’t require
I don’t require
I don’t require
what you are using then is a glorified encrypted spreadsheet
Keepass uses standard AES or twofish encryption, better than most “encryption” methods that companies use to store your password (since it seems a lot just hash the passwords). Also this is offline which means it’s not saved in an online database somewhere.
imo, this is the best method of handling multiple passwords, as it’s held offline (but you can sync the database via dropbox if you want) and you can manager numerous different passwords.
I don’t think there’s a better method.
more secure than a notepad (if the law is involved) unless you write your passwords in a secret code. Its as secure as your going to get if you want to use this type of manager
use BitTorrent Sync
yes, janicetr, i also use bruce’s Password Safe. i have tried both keypass and password safe and prefer the latter. works nicely in both windows and linux. not all autofill sites work, however. but most do and if not its easy to copy and paste, then minimize the password program which empties the copy program. the cloud is just out for me. why put my most sensitive stuff on someone else’s computer. thats just a disaster waiting to happen.
or save it to your phone, that way you have it in only one secure location.
you can save your keepass passwords to a secure file and add it to keepass on your work pc
I use sticky password. Its been great until the last ff update. Its no longer signed ‘unless I pay to upgrade it” and will keep me from updating ff. A pass word manger is a must for me. I’m going to look into this one. I luv your site here. Take care.
……god job for the law enforcement…..all passwords at one place !
How secure is this app?
I can’t get KeeFox to work with PaleMoon: it won’t install as it says it is not compatible with Pale Moon v.25.8.1. I’m using the 64-bit version of Pale Moon: perhaps that’s the difference? I have to use PassIFox instead (works well, just not as seamlessly as KeeFox).
Sam sure I put it on the list ;)
How to be a sneaky shit 101:
Mine is called ReleaseNotes.txt and the key is called English.lng and they reside in the root of my KeePass portable folder (I could easily hide those two files in the root of some other portable software dir). Additionally, I have a .kdbx and .key file in the same directory with some bullshit sites and passwords and usernames. You’ll also probably want to turn off KeePass remembering key sources, paths, recently opened files etc (Options>Advanced) – I don’t do this because I don’t back anything to the cloud, and if I did it wouldn’t be the program and settings/ini/config – it would just be the .txt(kdbx) and lng(key) files. If they want the recently opened files info, they’d have to hack into my system, and if they do that, then it’s already too late. At this stage they can have the files, if they can find them, and they still have to get past my awesome password of 2pants-or-not-2pants
Pants, I had long been giving my Keepass files different extensions (a cool feature that most users probably don’t know is possible). But you’ve shown me a new level of paranoia that I truly appreciate: keeping dummy .kdbx and .key files in the same directory. I love it!!
started using KeePass around a year ago, love it, along with KeeFox it integrates very well in PaleMoon (or any other firefox-based browser)
Keepass since 2010 never had a problem dont see the need to change :)
There is a portable classic 1.30 version at PortableApps.com
Portable versions for both v1 and v2 are on the keepass site.
@ PhoneyVirus
Stop your advertisement! Thanks.
Why? Did he/she insult you? Are you a moderator here?
Personally I don’t like coverage on software updates, but when it comes to the likes of Keepass, it gets a warm welcome. I been using Keepass for years and wouldn’t be able to tell you for how long. I wouldn’t be able start my day without Keepass, I have eventing that’s import stored in their and would die if something every happen. Make backup comes of your database trust me do it and do it again store copy’s of copy’s all over the house, yeah that’s how import Keepass means to me.
Thanks for the Preview/Overview Martin
Could you elaborate on this Firefox stuff? What does it do?
At the moment I use the extension KeeFox to access the KeePass database within FF. Does KeePass now have something implemented itself?
KeePass ships with a global hotkey that you can press to sign in to websites in Firefox: https://www.ghacks.net/2013/02/05/keepass-the-global-login-shortcut-to-ease-your-life/
KeePass user since the first day. Works quite good on Android too. Compared to online solutions (or should I say cloud based) I like to keep my stuff on my HDD, so that’s why I use KeePass and of course the ability of Plugins. If something is missing, just search the official site and use the plugin you need. Really really nice and open source.
Much underrated compared to other solution, I don’t know why. Developer is also always friendly and helps if something is wrong or not works like expected. Definitely must use! Thx, for the bump! :)
I’m a home user with a desktop (wired) & a laptop (wireless), both running W7 Home Premium & I have no PW manager at present. I travel with the laptop a few times a year. Not at all a computer geek. Would KeePass or LastPass be better for folks like me? We need “simple” but effective. Thanks in advance.
Well, the benefit of Last Pass is that the syncing is automatic, which means that you only have to install it in each browser and have your username and password with you to access all of your account information.
With KeePass, you would have to find a way to sync the password database file between devices. This is not a huge problem but still something that you need to take care of (for instance by uploading it to a file hosting service such as Dropbox).
@Martin & @ Charlie: KeePass is available in portable form, as you mention Martin, so for a traveling Charlie putting KP on a USB stick is an option.
I don’t understand how anyone can have confidence in a cloud-based password manager, what with all the hacking and ‘accidental’ data leaks going on.
And 2 PC’s x 3 browsers = 6 browser installs. That’s enough for me.
LastPass it is. I don’t want any complications.
I notice the new new password quality meter and a what it is supposed to mean, and I would disagree with the developer. For instance, it rated one of my pseudo-randomly generated 12-char alphanumeric passwords for GMail as 65-bit (weak). But every offline brute-force attack I’ve read says that they can barely attack more 8 characters in a reasonable amount of time, and 12 chars is a few orders of magnitude higher than that. In my opinion, against a non-governmental adversary, 12 characters is enough security. Most of my passwords are 16-char, but I use 12 for this one cause it can be tedious to type 16 chars every time I access the Google Play store. :p
Even the NSA or the FBI wouldn’t bother to waste time and electricity brute forcing a 12-char password. They’d just perform a “rubber-hose cryptanalysis” on my person, or better yet, they’ll just access my cloud account with no warrants necessary. It’s tough being a non-American and using US-based cloud services.
Anyway, I love KeePass 2.xx and I integrate it with my Opera (and Chrome) browsers using the keepasshttp plugin and ChromeIPass extension. It’s almost as usable as Lastpass, but without the fear of using the cloud.
hello martin
this is indeed a great app, it will be awesome if you can write some tips and tricks on keepass to make password management workflow better
I’m not sure if I can get enough tips to warrant an article. Make sure you check out the global hotkey link in this article as it is one of the best features of KeePass.
I am a bit skeptic about using password managers despite their advantages. Practically, all sites are hackable. What happens if KeyPass server(s) is/are hacked? Maybe I ‘m too silly to ask but will greatly appreciate any reply.
KeePass stores all information locally, there are no servers.
Thank you so much again, Martin
@Coyote: I never had any problems with Keepass 1.x remembering where the database containing passwords is located…
I to have never upgraded from 1.x. Not so much for the .net but that it now contains an update checker. I don’t have my wall safe connected to the internet so why would I want my password vault? Plus .net there are tons of features that I don’t need or will make the program more likely to get broken into. For instance 1.x doesn’t remember where key files are stored, 2.x uses the windows registry to record recent locations….
I mainly stayed with 1.x for Linux compatibility (KeepassX). As far as I know, version 2.x supports Mono in Linux, but that is a step I didn’t take yet :)
Linux users can use KeepassXC. I’m using it on my Manjaro OS and it worked very well.
Check dates.
Developers (at least those who are actually good at programming) don’t force the installation of .NET Framework unnecessarily. The installation of .NET Framework is necessary for running applications written in C#, VB.NET and managed C++ languages (also ASP.NET and J#).
In this case, KeePass is written in C# (as per http://keepass.info/devstatus.html#nodotnet )
Martin,
As much as I see KeePass as an invaluable tool, I’ve hesitated upgrading from the v1.x platform to the v2.x platform.
Although I like the advanced feature set and available plugins of 2.x (not the least of which looks to be better dropbox implementation), what’s been holding me back is the .NET requirement.
I don’t have anything against .NET per say, but am worried that one sacrifices portability. Because I experienced ONE instance where an office system prevented me running .NET applications, I stick w/1.x to avoid any repeat scenarios of not being to access my passwords.
Have you any similar experiences or thoughts between running 1.x vs 2.x? It’s somewhat telling that both versions remain supported.
I too don’t understand why developers force the installation of .NET on users. Are they paid by Microsoft to do so ?
I tested Keypass and many other password management programs like LastPass and 1Password while looking for an alternative to RoboForm and they all fell flat, RoboForm was the first on the market and the others seem to have a lot of catching up to do when it comes to features and compatibility. RoboForm is also the only password manager that currently offers live phone support.
I actually switched from LastPass to KeePass, then later switched to RoboForm. Must admit that they all do the job, but after all the security scares of LastPass I just couldn’t stick around. I mean it’s my life basically.
I also use RoboForm and love it. There’s a lot more automation and I find it easier to use than any other password manager.
I use roboform. The interface is better than keepass, more developed.
Same here, been a long time keypass user. However I have never updated past 1.x, is there any reason I should? The .net requirements are a pain in the ass for portability and from what I tested of an early 2.x build the interface actually made it easier for people to figure out how to open the database (i.e. it remembered were the keyfile was last located).
And the best thing: KeePass is a Open source software.
I use this combined with LastPass to have a backup in case things go wrong.
Yeah i use Lastpass, but i also use Keepass as a second preferred option. Sometimes Lastpass doesn’t offer to save passwords on a lot of sites, so i just put those manually into Keepass.
I’ve been using KeePass for probably five years, & I’m a fanboy in spades.
Two-factor authentication login..nice.
jpeg storage of Passport, Drivers Licence etc.
Auto login to websites.
The notes windows is really useful feature;
A place where you can:
Record expiry dates of Utilities. To get a better deal when contract expires.
Make a précis of phone conversations..a great memory refresher.
Also as a BookMark manager….Search any notes for keywords.
I was using Roboform, and Keepass was just so much better. I prefer the drag and drop of Keepass as opposed to the auto fill of Roboform, especially for multiple screen logins. Also, Keepass hides your information from prying eyes until the master password is entered. Roboform is out there for all to see whether a password is entered or not. You just need a password for Roboform to use the auto login and form fill feature.
I use Lastpass as well as Password safe and must say I am leaning towards getting rid of Lastpass since I normally anyway copy the password to my password safe database. I have the file on the Boxcryptor drive so that I have access to it from all my PCs. When I used keepass I was a bit annoyed that it did not immediately flush the contents to disk so when I had the file on boxcryptor I would not see the new stored information from another PC.
We use Pleasant Password Server at work, which integrates nicely with KeePass works great!
Okay I put this on my to-review list ;)
You can easily compare the checksums, which are hosted on the official site.
https://keepass.info/integrity.html
I never found any PUPs or other malware in Kee Pass. Besides, with the availability of Virus Total nowadays, there’s little reason to distrust the download process, especially when coming from such a respected developer.
You’re not as smart as you think you are
I fully agree, which is why I donate to KeePass.
Thanks for mentioning this. I regularly read Bruce Schneier’s blog, but I wasn’t even aware of Password Safe. How would it compare with Kee Pass ?
Edit : OK, I forgot about it. I bookmarked it long ago. It seems less advanced than Kee Pass, no ?
KeePass
Thanks for your reply.
They are different programs, but KeePass 2 supports the import of KeePass 1 password databases.
Ah, my mistake, I misunderstood you.
@Coyote: Are you referring the the database or key file? Either way, I believe this statement is incorrect and is not a valid comparison between the two versions.
1.x DOES have the ability (by default) to ‘remember’ where the database was last opened from. Specifically, have a close look at line 15 of keepass.ini:
KeeLastDb=..Dropboxkeepass.db
Further, line 16 indicates the ability to save the key file’s location:
KeeRememberKeySources=True
Errr that is the problem I was pointing out.
2.x will remember where the key was last opened from. A security flaw to me.
1.x does not. Leaving windows completely unaware that the app was even run. A huge boon for security sake.
2.x even when run portably from a usb drive would leave registry entries.