KeePass Tip: access the password history
KeePass is a powerful password manager for the desktop that is available for Windows officially and through forks for other operating systems as well.
I used to use online password managers like LastPass but switched to KeePass for a number of reasons, one being that I wanted to be in full control over my passwords. I simply did not want them to be stored on a remote server.
KeePass offers lots of features, some native, others added by installing plugins. You may check all passwords against the Have I Been Pwned database, for instance, or use a system-wide shortcut to fill out the username and/or password automatically in other programs.
KeePass: password history
KeePass keeps a record of passwords that you add to its database. Just create a new entry and save the database afterward. What some users may not know is that KeePass is also keeping track of the password history.
It is easy enough to change a password, e.g. after a breach, when it expired, or when you want to improve password security by selecting a more secure password. If you checked your passwords against the breach database, you may have stumbled upon some that you may want to change because they were leaked and could potentially be decrypted.
You can look up older entries in KeePass, restore a previous version, or delete old records. This can be useful if a password change did not go through for some reason, or if you need the passwords of old local accounts or archives.
Here is how you access the information:
- Open KeePass on your system.
- Select the entry by double-clicking it; this opens the Edit Entry menu.
- Go to the History tab.
- All previous versions of that entry are listed there, each with date and time.
Buttons are provided to view that entry (useful to copy information, e.g. the password), to delete it, or to restore it. Note that restore adds the current entry to the history when you select the option so that no information is lost.
Now You: do you have other KeePass tips? Which password manager do you use?
I am using a very old pw manager, though updated on a regular basis. It runs on Windows, but with Wine I have made it work on my Ubuntu as well.
It sits on my computer, encrypted, and I have a backup on USB and another computer, all encrypted as well, and I have a very strong master pw.
The name I have never read in any reviews of pw managers, so I hope that if my notebook gets compromised, the culprit will, by the program's name, not even be able to start my pw manager, let alone get it opened without my master pw.
It misses, however, the luxury of pw auto-fill etc., so I might give KeePass a read and decide whether to upgrade or not.
I was having trouble with KeePass. It was very slow to save (2 minutes!), and one of my most accessed entries began to behave erratically, to the point I thought I had mechanical mouse problems.
I asked the KeePass forum, and finally found that the culprits were one or two attachments that were too big, and made up the bulk of my password database. One of them was a PDF manual for some software that I really did not need there. Nice to have, but not more.
A KeePass database is very small. Mine is 2.5 MB, after getting rid of those attachments. Before, it was 47 MB, and that is way too big, according to the developers. I have many entries. Don’t know how many, not sure KeePass displays that figure. Everything goes in there: software license codes, hard disk serial numbers…
Use the Find / Large Entries to check.
Actually, it’s better not to attach files at all (unless they are really small). You can store, instead, the path to the file on your computer: Edit Entry / Advanced / Add. Name = whatever you like, Value = the path of the file. You’ll need to copy it from Windows Explorer; there’s no way to browse from within KeePass at that point. Then, to open the file, you’ll need to copy the path and paste it into Windows Explorer again.
Another hidden place where unneeded baggage can increase the size of the database dangerously is History.
History keeps everything from past versions of entries, so if, at some point, you affixed a large attachment to an entry, then deleted it from later versions, it will lurk there. Fortunately, attachments are not duplicated across history. There’s only one copy of each.
Use Find / Large entries, then check the History of the largest offenders. Fortunately, History displays the size of each past version, so anything unusual will show there immediately.
You can also act preventively and forbid History from taking too much space.
File / Database Settings / Advanced, Limit Number of History Items per Entry, or Limit History Size per Entry.
Many of those features are hard to find. History limits should be in Options, not in Database Settings. Options is where most people will head to find such adjustments. That’s the amateurish side of KeePass, which is still showing very much, after all those years.
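As an added example (not code from the article, its commenters or the KeePass project), this Python script walks a KeePass 2.x XML export and lists each entry's History versions with their timestamps, retained passwords and attachment references, covering both the History tab described in the article and the point above that attachments removed from an entry can linger in its history. The sample XML is constructed, and the export layout it assumes (String/Key/Value fields, attachments stored once under Meta/Binaries and referenced by ID, History as nested Entry elements) is my assumption, not something the page states.

```python
# Added example, not code from the article or from KeePass itself: walk a
# KeePass 2.x XML export and list each entry's History versions.
import xml.etree.ElementTree as ET

# Constructed sample in the KeePass 2.x XML export layout as assumed here:
# attachments are stored once under Meta/Binaries and referenced by ID.
SAMPLE_XML = """<KeePassFile>
  <Meta><Binaries><Binary ID="0">QUJD</Binary></Binaries></Meta>
  <Root><Group><Name>Root</Name>
    <Entry>
      <String><Key>Title</Key><Value>Example Mail</Value></String>
      <String><Key>Password</Key><Value>new-pass-2</Value></String>
      <Times><LastModificationTime>2018-11-20T10:00:00Z</LastModificationTime></Times>
      <History>
        <Entry>
          <String><Key>Title</Key><Value>Example Mail</Value></String>
          <String><Key>Password</Key><Value>old-pass-1</Value></String>
          <Binary><Key>manual.pdf</Key><Value Ref="0"/></Binary>
          <Times><LastModificationTime>2018-01-05T09:00:00Z</LastModificationTime></Times>
        </Entry>
      </History>
    </Entry>
  </Group></Root>
</KeePassFile>"""

def field(entry, key):
    """Value of the String field named key on an Entry element, or ''."""
    for s in entry.findall("String"):
        if s.findtext("Key") == key:
            return s.findtext("Value") or ""
    return ""

def history_report(xml_text):
    """Map title -> [(timestamp, password, [attachment names])] per old version."""
    report = {}
    for entry in ET.fromstring(xml_text).iter("Entry"):
        hist = entry.find("History")
        if hist is None:  # history versions carry no History child themselves
            continue
        versions = [(old.findtext("Times/LastModificationTime"),
                     field(old, "Password"),
                     [b.findtext("Key") for b in old.findall("Binary")])
                    for old in hist.findall("Entry")]
        report[field(entry, "Title")] = versions
    return report

def retained_passwords(report):
    """Old passwords still kept in History; a breach check should cover these too."""
    return sorted({pw for versions in report.values() for _, pw, _ in versions})
```

Entries whose history still references a binary are the ones worth checking under Find / Large Entries, since the attachment stays in the database as long as any version points at it.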
Wow. I never knew about this function. I used the notes area for the same. This is so much easier and, best of all, no chance of forgetting to do it. Thanks a lot for the tip :)
You’re welcome. The best thing in those custom fields, saved in the Advanced tab, is you can then right-click on any entry, click Copy Field, and then the list of all your custom names for those fields drops down.
Just click on the one you want, and the relevant value is copied in your clipboard. You can then paste it wherever it’s needed.
Wow, I didn’t know this. This would have saved me some grief in the past. Good to know now.
I used KeePass for years (maybe 10 or 15) but switched to Bitwarden https://bitwarden.com/ a few months ago after I read here on ghacks about Bitwarden posting the results of its security audit https://www.ghacks.net/2018/11/13/results-of-bitwarden-security-audit-published/
Bitwarden is open-source and is so much easier to use than KeePass, and works on all my PCs (has a Windows client) and browsers (Brave, Firefox and Chrome) and my Android stuff. Again, KeePass was a pain to keep synced with all my devices on my NAS. Bitwarden also has password history and the ability to check passwords against haveibeenpwned built in too. Plus there is a free version that works for me (am thinking of grabbing a Premium though to support them, even though I don’t really need premium features).
I’m not sure about Bitwarden because you need to place your encrypted passwords in their cloud service. With KeePass, I can place my passwords in OneDrive, Dropbox, etc., and I can also name the file I place it in anything I want, to further hide or disguise it. Am I incorrect about this?
Bitwarden has zero knowledge of one’s passwords. They can’t access them simply because they are on their server (which also means one could get permanently locked out of one’s account if forgetting login credentials and/or 2FA tokens), and if someone hacks their server they would need to hack your database as well, just like they would with a breached KeePass kdbx file on Dropbox, for example.
Also, you can self-host Bitwarden and avoid the cloud, but it’s less trivial than running KeePass.
I’ve been using KeePass for ages and it’s still a brilliant piece of software. I’ve avoided any cloud-based solution and didn’t even sync KP through the cloud, but VPN’ed into my own server to connect to the database. However, I would have preferred a more streamlined solution, and after looking into Bitwarden quite extensively I was convinced it offers the same level of security as KP + cloud sync, plus it is more convenient and streamlined to use for my needs (which is completely subjective, so one’s mileage may vary).
Bitwarden is not perfect, though. It still has maturity issues, with features missing or a little rough around the edges. Development seems committed though, and with a little patience I trust it’ll continue to mature nicely.
Nice article Martin and some cool tips from Clairvaux. I’d also suggest a guide for Auto-Type. Many people still do not know about it, and keep struggling with KeePass browser plugins which can be obscure to locate, maintain and install and can also be potentially unsafe.
Any particular reason for using KeePass rather than KeePassXC? I would be interested in a comparison review.
I also feel better syncing my database with any cloud I like.
But I need to mention I searched before, and renaming a KeePass database (for ex. changing its type) doesn’t work much, as KeePass databases have a header that can easily be found by cloud owners, so don’t rely on it, but it is better than nothing :)
For securing your database I recommend you change the key derivation function of your database to Argon2. Its setting is in Database Settings after you have opened your database, and for the numbers for Argon2 read this: