KeePass Password Safe review

KeePass Password Safe is a free open source password manager for Windows; ports of the password manager are available for Linux, Mac OS X, Android, iOS, and other systems as well.
This review focuses on the Windows version of KeePass, in particular version 2.x, as it offers more features.
Passwords are used nearly everywhere on today's Internet and even on local devices; you log in on your devices using a password, PIN or other authentication options, and need passwords for nearly any service on the Internet.
Some Internet programs, web browsers for instance, come with password saving functionality. Users may install browser extensions to improve the core functionality and use desktop programs or applications for that as well.
Password managers can be divided into three groups: online, local, or mixed. Online password managers use cloud storage to sync data. LastPass is a typical example of an online service. Local password managers run on the local device and store the data on the device by default and not the cloud.
Mixed password managers support both features and give the user the choice to pick the most suitable option. KeePass falls into the mixed category even though it stores its databases locally by default.
KeePass Password Safe
KeePass comes as a portable version and setup version. You can put the portable version of the software on a USB Flash drive to carry it around with you; the functionality of both versions is identical.
KeePass displays a blank interface when you start it for the first time; this may be a bit confusing to new users as it is not immediately clear what you need to do to get started.
The very first thing you need to do is create a new database. The database stores the data such as passwords and other information. It is encrypted and can only be opened from within KeePass or compatible programs.
KeePass can load multiple databases, which is a great feature of the program because it lets you keep different sets of data in separate databases.
The creation of a new password database is straightforward but it requires more user interaction and offers more options than the creation of a new account for an online password manager:
- Select the name and location of the password database file on the system.
- Select a master password to protect it.
- Advanced options add keyfile and Windows user account authentication options that you may use instead of or in conjunction with the master password.
- Customize the database's security preferences: pick an encryption algorithm, set key derivation functions and more (optional).
- Customize other parameters such as the name and color of the database, or template file use (optional).
Most of the preferences that KeePass provides are optional. You only need to select a name, location and master password, but if you are an advanced user, you can customize the database to better suit your needs.
KeePass rates the password that you enter and goes beyond the usual "need x characters, at least one number so it is secure" scheme of things. It checks for repeats, known weak passwords and more to make sure the selected password is indeed strong.
If you add a second authentication option to it, keyfile for instance, then you increase the security of the database even further. Attackers need the master password and the keyfile to break the password database successfully.
Tip: you can place the KeePass database in the folder of a cloud syncing provider on the device to use syncing. Vanilla KeePass does not support syncing out of the box, but you can use this workaround or plugins to enable the functionality if you require it.
Once you have created the database you may either use KeePass's import functionality to import data from another password manager or start using the program from scratch.
KeePass supports the import of data from web browsers like Chrome, lots of password managers, and generic password files. Plugins extend the import functionality further and integrate seamlessly in the password manager.
KeePass displays information in two panes when you load a password database in the program. The left displays folders that may hold passwords and the right the passwords of the active folder or search results.
A default database includes several folders that you may use; it may improve how you work with KeePass but it is not required for use. The main pane lists titles, usernames, URLs, notes and hidden passwords by default.
You can interact with any data set right then and there by right-clicking on it and selecting one of the available options. Use context menu items to copy the username, password, or URL, and to perform other operations.
A double-click opens the data so that you may edit it and access additional information that the overview may not provide.
Adding new passwords to KeePass is simple; select Edit > Add Entry to get started. Fill out any of the fields of the new password dialog, e.g. the title, username, password or URL, and click on the save button.
KeePass supports other forms of data and information that you may save alongside username and password:
- Add file attachments to a database entry.
- Add custom strings and notes.
- Select tags.
- Custom colors.
- Define auto-type behavior.
KeePass includes a password generator that you may use to generate strong unique passwords. You can define the password length and the use of characters, e.g. upper and lower case, special symbols, or numbers, in the password manager.
Advanced options include using custom algorithms or patterns (e.g. create a password with six lower case, six upper case and four numbers), preventing the use of similar looking characters, and limiting each character to a single occurrence in the password.
Passwords that you generate are saved automatically by KeePass.
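The pattern and the advanced options described above (six lower case, six upper case and four numbers; no similar looking characters; each character used at most once) can be implemented along the following lines. This is an added example, not KeePass's generator: the `generate` function, the `(class, count)` pattern format and the look-alike set are assumptions made for illustration.

```python
import secrets
import string

# Assumed set of easily confused characters; KeePass's own list may differ.
LOOKALIKES = set("O0Il1|")

# Character classes that a pattern entry may refer to (names are hypothetical).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}


def generate(pattern, exclude_lookalikes=True, no_repeats=True):
    """Build a password from (class, count) pairs using the OS CSPRNG.

    pattern            e.g. [("lower", 6), ("upper", 6), ("digit", 4)]
    exclude_lookalikes drop characters that are easy to misread
    no_repeats         every character may occur at most once
    """
    rng = secrets.SystemRandom()
    used = set()
    chars = []
    for cls, count in pattern:
        if cls not in CLASSES:
            raise ValueError(f"unknown character class: {cls}")
        pool = [c for c in CLASSES[cls]
                if not (exclude_lookalikes and c in LOOKALIKES)]
        if no_repeats:
            # Also honour characters taken by an earlier entry of the same class.
            pool = [c for c in pool if c not in used]
            if count > len(pool):
                raise ValueError(
                    f"{cls}: {count} unique characters requested, "
                    f"only {len(pool)} available")
            picked = rng.sample(pool, count)
        else:
            picked = [rng.choice(pool) for _ in range(count)]
        used.update(picked)
        chars.extend(picked)
    # Shuffle so the class order of the pattern does not leak into the password.
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    print(generate([("lower", 6), ("upper", 6), ("digit", 4)]))
```

Excluding look-alikes and forbidding repeats both shrink the pool of possible passwords, so they trade a little entropy for readability; the `ValueError` branch covers the case where the restrictions leave too few characters for the requested count.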
KeePass does not integrate in browsers automatically but it supports a global hotkey that works with many different programs. You may use Ctrl-Alt-A to fill out login information automatically if the window is properly identified by KeePass.
You can even customize auto-type behavior for sites that use non-standard login forms or enable Two-Channel Auto-Type Obfuscation to protect against all current keyloggers.
Plugins are available to integrate KeePass in major browsers such as Safari, Chrome or Firefox. If you don't use these options, you may still use good old copy and paste to sign in to sites on the Internet.
KeePass Security
KeePass supports several encryption standards, AES and Twofish, that are regarded as very secure. It encrypts the entire database and uses SHA-256 to hash the master key components.
It protects passwords even while KeePass is running and makes dictionary and brute-force attacks harder by using key derivation functions.
The password manager features security-enhanced password edit controls that protect the data against programs that try to steal passwords that you enter, and you may enable secure desktop use for entering the master password for protection against keyloggers and many other threats.
Users may combine authentication options. Protecting databases with the master password is the default option; you may combine it with a keyfile for that extra bit of security.
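Why a database protected by master password and keyfile needs both to open, and how a key derivation function makes every guess expensive, can be shown with a small model. This is an added example, not KeePass's own code or file format: the function names, the header layout and the use of PBKDF2-HMAC-SHA256 as a stand-in key derivation function are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

KDF_ROUNDS = 200_000  # assumed work factor for this example


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """Hash each supplied component with SHA-256, then hash them together."""
    components = []
    if password is not None:
        components.append(hashlib.sha256(password.encode("utf-8")).digest())
    if keyfile is not None:
        components.append(hashlib.sha256(keyfile).digest())
    if not components:
        raise ValueError("need a master password, a keyfile, or both")
    return hashlib.sha256(b"".join(components)).digest()


def stretch(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Stand-in KDF: PBKDF2-HMAC-SHA256 slows down every single guess."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def create_header(password, keyfile, rounds=KDF_ROUNDS) -> dict:
    """Model of a database header: public salt and rounds plus a key check."""
    salt = os.urandom(32)
    key = stretch(composite_key(password, keyfile), salt, rounds)
    check = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return {"salt": salt, "rounds": rounds, "check": check}


def unlock(header: dict, password, keyfile) -> bool:
    """True only if the supplied components reproduce the stored key check."""
    key = stretch(composite_key(password, keyfile),
                  header["salt"], header["rounds"])
    candidate = hmac.new(key, b"header-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, header["check"])


def seconds_per_guess(rounds: int) -> float:
    """Measure what one guess costs on this machine at the given work factor."""
    start = time.perf_counter()
    stretch(b"\x00" * 32, b"\x00" * 32, rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    keyfile = os.urandom(64)            # constructed sample keyfile
    header = create_header("correct horse battery", keyfile)
    print("password + keyfile:", unlock(header, "correct horse battery", keyfile))
    print("password only:     ", unlock(header, "correct horse battery", None))
    print("keyfile only:      ", unlock(header, None, keyfile))
    print(f"one guess costs {seconds_per_guess(KDF_ROUNDS):.3f}s")
```

Raising the number of rounds increases the cost of each guess for an attacker and the unlock time for the user by the same factor, which is why the setting is adjustable per database.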
A security audit of KeePass in 2016 found no serious weaknesses in the implementation.
Tip: Check out our how to improve KeePass security guide for additional security related suggestions.
KeePass Plugins
Plugins extend the functionality of the password manager. Most plugins are compatible with KeePass 2.x only but version 1.x users find some plugins for the version of the password manager as well.
Plugins extend KeePass; you can install plugins that add import options for different password formats, backup and synchronization plugins, plugins that integrate with programs or devices, utilities that add functionality, and more.
Installation of plugins is simple but again not as straightforward as it could be:
- Download the plugin that you want to use.
- It is provided as a zip archive that you need to extract on your system.
- Open KeePass, and select Tools > Plugins > Open Folder; this opens the plugin folder of the password manager.
- Copy the extracted plugin to the plugins folder of KeePass.
- Restart KeePass.
The plugin that you moved into the folder is loaded by KeePass and ready for use.
KeePass 1.x versus KeePass 2.x
KeePass is offered in two different versions for Windows, KeePass 2.x and KeePass 1.x, which offer different functionality. In other words, KeePass 2.x is not an update of KeePass 1.x.
KeePass 2.x offers features that version 1.x of the software does not support. You can check out the feature comparison table on the official project website for a list of major differences between both versions.
To name a few: KeePass 2.x supports high DPI and offers full Unicode support; it can be run under Mono, and it supports additional encryption algorithms, better plugin support, secure desktop, better import functionality, scripting and triggers, options to load password databases via URLs, and more.
KeePass 2.x is based on the Microsoft .Net Framework whereas version 1.x of the password manager is not.
KeePass criticism
The password manager faces three main points of criticism:
- It is not pretty and looks old-fashioned.
- It comes without online sync functionality by default.
- Integration in browsers is not the best.
Missing sync and browser integration functionality can be added using plugins. While that adds another party to the whole process, as many plugins are not created by the developer of KeePass but by users, plugins do add missing options to the program.
You may also place the KeePass database in the sync folder of Google Drive, Dropbox or OneDrive, or any other sync service, to have it synced automatically between devices.
I sign in to lots of sites throughout the day and never found the whole process bothersome, even without the use of plugins or the auto-type functionality.
The interface does indeed look as if it is from the last century; while some users may dislike the program because of that, I don't really care about the looks of programs provided that the looks don't interfere with usability.
Closing Words and Verdict
KeePass is first and foremost a local password manager for Windows. You can run it on other operating systems using Mono or third-party ports, and extend the program if you require functionality that the vanilla version does not include.
The program was audited and the audit turned out fine for the application; it uses strong security options, especially if you combine the master password with use of a keyfile, and comes with an incredible amount of functionality out of the box.
It is not the most comfortable of programs, especially if you are used to online password managers like LastPass that integrate well in browsers and make things very comfortable for you because of that.
KeePass makes up for that in my opinion with the sheer number of features and options; it is probably the password manager that gives you the most control and that is even without any of the plugins that extend its functionality further.
@Martin Brinkmann: with all due respect, this is now such a basic function, esp. for people reading your articles, that this article is like explaining to the readers how to calculate 1+1.
Yes, I have to agree with this. I can’t imagine that there are many spreadsheet users who are computer literate enough to even casually read ghacks, but don’t know how to use a SUM function.
@Klass Vaak & Herman Cost
Ever thought that people might google it so this article might show up in the search results. So..no it’s not useless. I think it’s a good strategy explaining stuff even if it’s just basic things. Every day there is a new user on the internet searching for this kind of tutorial.
@Malte: you make a good point, in principle. Nevertheless, nowadays telling people how to do a sum calculation, the simplest of the simple, in a spreadsheet is like teaching grandma to suck eggs.
If say an elderly person would be sitting in front of a spreadsheet wondering how to sum a number of cells, that person is unlikely to look it up on internet, but would ask one of her/his children.
And in any case, Ghacks is not a spreadsheet tricks and tips site, so it would not show up high in the ranking in a Google search.
I'm an elderly person. 71.
My experience in computers spans 50 years, focused on Unix internals, advanced degrees.
I look to the internet for answers, since my children hate me and wouldn't tell me “jack”, even if they knew the answer.
I don't know how to “suck eggs in principle”, or anything else for that matter. I’m retired and not interested in learning. Some other guy learned “the theory of sucking things.”
Never needed spreadsheets, always too darn busy. Thanks for this info. Now I know how to sum two cells.
Everyone starts somewhere.
I am an elderly person and I can use sum, sumif, sumifs and so on. My kids come to me for knowledge on how to use excel and other programs ;)
But then, I was in IT my entire career before I retired :)
There are basic sites, and there are advanced sites. GHacks used to be more for people with technical knowledge. You can’t be everything to everyone though that seems to be the trend these days. Since it’s all about clicks and click bait the wider the topics the more you can remain “relevant”…
However, that mentality tends to alienate the more technical people. I find myself spending less time here every month. It won’t be long before I stop coming here altogether.
I have no mobile or wireless technology.
Anything google or apple is insidious to me. And that accounts now for most of the content here.
As to this article. Avast, and all of their products are untrustworthy. There has been much controversy and negativity regarding their products. I would think a reputable site would be more careful in what they publish… err, sorry, advertise.
@Klaas Vaak: In Martin’s defense, it’s the day after Christmas, and some eggnog recipes pack a *real wallop*. Maybe we’re lucky he could type at all. ;-) More seriously, I don’t use Calc super-often, I typically type in the =SUM() function manually, and I’d actually *forgotten* where the Σ button is located in Calc. (The last time I was a heavy spreadsheet user, it was in an older version of Excel and I’m pretty sure the Σ button was somewhere on one of the “regular” toolbars.) So, the article actually did have a small payoff for me. Plus, there might be other intermediate or advanced users of other types of programs (graphics, audio, video, word-processing) who have never used a spreadsheet in their lives. It’s kind of hard to imagine, I know, but it’s possible.
You were not born with the knowledge you have now. You once had to learn too.
So get down off your high horse, grow up and show a little respect for others who need details.
Overall LO has become a good SW, what prevents me to use it is:
https://wiki.documentfoundation.org/Development/Calc/XMLSource
“it will not store the information about the data source once the data is imported”
Until that functionality is implemented I’m forced to use M$ Office (2003).
@SpywareFan: an interesting alternative for M$ Office is Softmaker’s FreeOffice.
@Klaas Vaak
I have the Softmaker’s Free Office Suite in my computer – – and I LOVE IT!
intelligencia
In the FreeOffice manuals there is no reference to XML data mapping functions.
Another vote for Softmaker’s Free Office, a very nice alternative to MS Office.
Yes, I use functions in Calc: Average, Min and Max. I use the mouse to select the cells.
I don’t usually have to use Sum.
Thanks for the info, and could we have more tips for LibreOffice?
I find that the documentation does not keep up with the changes in LibreOffice.
Also, it is hard to find info in the help documentation.
Thanks Martin for all your great work you put in to make our lives easier. Have a nice and healthy 2021.
To all those complaining about this being a simple ‘101’ function: it’s Martin’s blog, he can write a deep-dive review of Windows Calculator if he so wishes. Do you pay his salary or something?
@ShintoPlasm: yes, it is Martin’s blog, but it is a public blog with a comments section, which means he invites people to comment. And having been an avid reader for several years now, I am pretty sure Martin does not expect commenters to agree with him all the time.
You do not help him with agreeing with everything willy-nilly and “honouring” him with praise. Martin, like everyone else in the world, is not perfect, therefore he can only learn from constructive criticism.
Unfortunately you look at constructive criticism as a complaint. I do not agree with you on that and will keep making constructive criticism because I believe in keeping this website one of the best ones – refraining from constructive criticism won’t do that.
Absolutely. People could rather than leaving constructive criticism just stop visiting the site. How is that in the best interest of the site’s authors?
A new way to sum with the latest version is to place the cursor under the numbers to be summed, then press Alt-=, then ENTER.
The SUM function doesn’t work. It just keeps putting the same total no matter what figures I enter.
I would like to know how to make the sum function work. I know how it should work and it works in excel. But when I put the sum function in, it will not make changes when I edit and change the data, the total remains the same
Ditto, Marty. Everyone starts somewhere. Thanks.
Instead of being snarky, maybe you could be helpful. I’d like to add two numbers in a cell;
In Excel, it would be
=5+6
I try that in this piece of crap software, and get a message “Invalid value.”
I used Excel a lot when I was working. Retired now seven years. Excel was great, especially for macros. I now use LibreOffice, which works similarly but the macros are difficult in comparison to Excel. I couldn’t find anything on macros for Free Office, which was disappointing, so I uninstalled it. I find Zoho to be the most similar to Excel but there you’re stuck with your spreadsheets in the cloud which I didn’t like.
Um… When was this article posted? The date says today (August 23, 2023), but I’m seeing comments from 3 years ago.
I was going to amuse myself and check out the comments for this Avast AV sponsored post since there were so many comments. I thought it funny since they have an article bashing the product in 2019.
What do I see when I go to the comments? Ghacks pulled an “Amazon” and replaced an article on Excel SUM functions with a sponsored post to make it look like a good article.
Anyone and everyone who even has a clue about tech knows that Avast is utter garbage and focuses on spying on you and spamming you with ads these days. Just check out the bad article from 2019 on this very site! If you run Windows 10/11, you already have better antivirus than Avast built-in to Windows.
@graham
surely more importantly is why an ad for dodgy anti-virus has the whole thread on office suites instead.. something in the db is messed up.
On a slight tangent, does foobar2000 have a built in lyrics plug in? I mostly used Linux and Deadbeef, the closest alternative to Foobar there has a very old(and kinda broke) plug in.
If you want news then add this line in uBlock Origin:
ghacks.net##.hentry,.home-posts,.home-category-post:not(:has-text(/Martin Brinkmann|Mike Turcotte|Ashwin/))
@News filter,
> ghacks.net##.hentry,.home-posts,.home-category-post:not(:has-text(/Martin Brinkmann|Mike Turcotte|Ashwin/))
Thanks for the useful information.
Added line to My filters in uBlock Origin.
Magnificently,
I was able to clean up “all articles” by other authors on the Ghacks site.
It’s refreshing to be able to see only useful articles (instead of being buried among inferior articles) by clearing out the obtrusive articles.
Important note: changing policies through the program doesn’t save them automatically. You need to hit Ctrl+S (or go to File > Save Policies)
What silly click bait article. Even the actual article is ridiculous.
“The launch of HarmonyOS for PC could pose a serious threat to Windows.”
Who cares what people in China use.
Don’t do drugs before working maybe.
What’s next? Look up the biggest Android fork in China and write pointless long article about it how it’ll take over Google’s Android.
HarmonyOS and Excel comments are mixed up.
HarmonyOS is not an open-source OS, only partially components.
P.S.
What is happening with these comments from other articles?
this is funny. it looks like the same base article, comments and all has been repurposed and edited or something for 3 (or more) different articles.
started off as something for some office suite… and then it was some antivirus thing.. and now it’s some iffy os.
wtf is that writer doing? no one reads or comments on the ad articles and he has to reuse old ones to make it look like it’s getting traction? (though it shows up as 0 comments on the homepage, so that can’t be it?)
“HarmonyOS does not have Google. Huawei’s HarmonyOS is a proprietary operating system..”
vs
“HarmonyOS is open-source, which means that it can be customized by developers and manufacturers.”
Both are quotes from the article. So which one is it, open source or proprietary?
Without windows-based videogames able to run, it’ll stay niche.
Huawei better put serious money into a harmonyOS port of Wine, DXVK or Proton if it wants its machine being more than web browsing thin clients.
I won’t trust a foreign OS.
Deeply foreign, I meant. In so many ways.
“I won’t trust a foreign OS.”
You trust Microsoft Windows, Google Android and Apple operating systems just because they are from businesses in your country ? Talk about blind nationalism.
Do not forget also that there is a world outside of USA and that for most of human beings, your favorite operating systems are also of a foreign origin, and as hostile towards them as they are towards yourself.
HAHAHAHA – did you really say “it could pose a serious threat to Microsoft’s Windows operating system”?
It won’t run programs or real games, so it will be useless.
I mean, there are some people who apparently love using tablets and phones for everything, but mostly are people who will barely do anything with their brain in life.
I mean, even if Photoshop, and others are available for iPad, do people think iPad is a threat for windows? not really, maybe for useless consumers who will just, like with a phone, be happy and move on, but not for professional industries which are the ones who matter the most, because are the ones who generate more revenue, since they buy the most expensive hardware and software.
Nothing consumer computing related really makes much money, unless it is data from users that get sold for AI or Ads.
Who knows where this comment is going to wind up. It’s in response to the article about Huawei’s HarmonyOS (HOS) operating system.
Two places in the article it says HOS is open-source. One place the article says HOS is proprietary. Uh, I’m pretty sure it can’t be both. Which is it? If there’s some fine distinction, somebody needs to explain it.
After all of these issues with Ghacks articles and misplaced postings, I’m reminded of this
https://www.ghacks.net/2019/10/07/ghacks-has-a-new-owner-and-that-is-a-good-for-everyone/
@vanp,
Note: I replied to you on September 6, 2023 at around 2:20 pm, but it still remained blocked after more than half a day, so I replaced the quoted URI scheme: https:// with “>>” and reposted.
The current ghacks.net is owned by “Softonic International S.A.” (sold by Martin in October 2019), and due to the fate of M&A, ghacks.net has changed in quality.
>> ghacks.net/2023/09/02/microsoft-is-removing-wordpad-from-windows/#comment-4573130
Many Authors of bloggers and advertisers certified by Softonic have joined the site, and the site is full of articles aimed at advertising and clickbait.
>> ghacks.net/2023/08/31/in-windows-11-the-line-between-legitimate-and-adware-becomes-increasingly-blurred/#comment-4573117
As it stands, except for articles by Martin Brinkmann and Ashwin, they are low quality, unhelpful, and even vicious. It is better not to read those articles.
>> ghacks.net/2023/09/01/windows-11-development-overview-of-the-august-2023-changes/#comment-4573033
By the way, if you use an RSS reader, you can track exactly where your comments are (I’m an iPad user, so I use “Feedly Classic”, but for Windows I prefer the desktop app “RSS Guard”).
RSS Guard: Feed reader which supports RSS/ATOM/JSON and many web-based feed services.
>> github.com/martinrotter/rssguard#readme
Regarding “Huawei’s HarmonyOS” you asked about, the developer has stated that it is planning to open source, however the actual situation has been shelved (no such movement).
HarmonyOS – Wikipedia
>> en.wikipedia.org/wiki/HarmonyOS
Therefore, it is “proprietary software”.
Moreover, both the company and its production base are in China. China, Russia, Israel, etc. are “Authoritarian state” and products and companies based in those countries are under state control, and privacy policies can become “famous and innocent.” Those products should be avoided.
Correction of sentence
Before correction: “famous and innocent.”
After correction: “nominal name only titular.”
owl, thanks again for the great info.
HarmonyOS doesn’t run Windows apps. It is no threat to Windows.
I agree.. i bet it cant even run wallpaper engine, it probably has the worst compatibility with software.
ah, wonderful, this message/article cross-posting hasn’t been fixed.
Ignore my comments.
FIX THE F***ING COMMENT SECTION F***ERY, DAMMIT!
RIGHT F***ING NOW!!!!