KeePassium is an open-source KeePass client for iOS
About a month ago, I wrote an article about a KeePass client for iOS, called Strongbox. I also mentioned an alternative app named KeePassium and that I followed development of the application on GitHub and Reddit for a while.
KeePassium Password Manager is an application for Apple's iOS operating system.
I looked at the free version of the app exclusively. There is a premium version available for $11.99 per year that lifts the 1 database limit to unlimited and unlocks additional settings.
Let's take a closer look at the app.
How it works
KeePassium's interface is clean, minimal and pretty. When you run the app for the first time, you will be prompted with 2 options: add a database or choose an existing one. If you pick the latter, you can use a database that is hosted on cloud services like Dropbox, Google Drive, iCloud Drive, OneDrive, Box, or Nextcloud, or one reached over WebDAV or SFTP.
Database, password generator and more
You will need to install the corresponding cloud service's app on your iOS device for the option to show up in KeePassium. The advantage here is that KeePassium doesn't need to be connected to the service as it can load the KeePass database from the Dropbox folder on the device.
That's quite fantastic as it removes authentication worries from the entire process. Though KeePassium only saves a database that it creates in the KDBX4 format, it can also open/save KDBX3 and KDB formats. Of course, you can use the app to change the master password too.
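To check which of these formats a given database file actually uses, the following added Python example (not from the article or from KeePassium's code) reads the signature and version fields from the first 12 bytes of the file. The signature constants are those of the KeePass file formats; the function names and sample headers are constructed for illustration.

```python
import struct

SIG1 = 0x9AA2D903           # first signature, shared by KDB and KDBX files
SIG2_KDB = 0xB54BFB65       # KeePass 1.x (.kdb)
SIG2_KDBX_PRE = 0xB54BFB66  # KeePass 2.x pre-release
SIG2_KDBX = 0xB54BFB67      # KeePass 2.x (.kdbx)


def identify_keepass_format(header: bytes) -> str:
    """Classify a database from its first 12 bytes (all fields little-endian)."""
    if len(header) < 12:
        return "unknown (truncated header)"
    sig1, sig2 = struct.unpack_from("<II", header, 0)
    if sig1 != SIG1:
        return "unknown (not a KeePass database)"
    if sig2 == SIG2_KDB:
        return "KDB"
    if sig2 not in (SIG2_KDBX, SIG2_KDBX_PRE):
        return "unknown (unrecognized second signature)"
    # KDBX version is a uint32: low 16 bits minor, high 16 bits major.
    minor, major = struct.unpack_from("<HH", header, 8)
    if major in (3, 4):
        return f"KDBX{major} (version {major}.{minor})"
    return f"KDBX (unsupported major version {major})"


def identify_file(path: str) -> str:
    """Read only the fixed-size header; the encrypted body is never touched."""
    with open(path, "rb") as fh:
        return identify_keepass_format(fh.read(12))


# Constructed sample headers, not taken from real databases.
SAMPLES = {
    "kdbx4": struct.pack("<IIHH", SIG1, SIG2_KDBX, 0, 4),
    "kdbx3": struct.pack("<IIHH", SIG1, SIG2_KDBX, 1, 3),
    "kdb": struct.pack("<III", SIG1, SIG2_KDB, 0),  # third field is filler
    "zip": b"PK\x03\x04" + bytes(8),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:6} -> {identify_keepass_format(hdr)}")
```
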
Once you add a database, it shows up on the side-bar. Tapping a folder displays all the logins inside it and selecting a login will show the username, password (hidden) and URL on the right pane. You can also attach files and notes to a password entry.
It also hides the actual number of characters in a password, so the length is not revealed to others who catch a glimpse of the screen.
You can sort the side-panel by tapping the icon on the bottom left. The search bar on the top of the pane lets you find entries quickly. There is a backup database option which will save an extra copy of the database on your device.
The password generator can be accessed by tapping the + icon on the left panel and selecting "Create Entry". This is also how you add new logins to the database if you create new accounts.
KeePassium can generate random passwords using the following parameters: password length, lower case, upper case, special symbols, digits, and look-alike characters (like 1Il). The autofill option works fine and can be used in Safari or other browsers to securely login to your accounts.
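The generator parameters listed above can be sketched as follows. This is an added Python example, not KeePassium's implementation: the function names, the symbol set (`string.punctuation`) and the look-alike set beyond the article's `1Il` are assumptions. It draws from the operating system's CSPRNG and shows how excluding look-alikes shrinks the alphabet and the resulting entropy estimate.

```python
import math
import secrets
import string

# Assumed look-alike set; the article only gives "1Il" as an example.
LOOKALIKES = set("1Il0O")


def build_classes(lower=True, upper=True, digits=True, symbols=True,
                  lookalikes=False):
    """Return one character pool per enabled class, filtered for look-alikes."""
    pools = []
    for enabled, chars in ((lower, string.ascii_lowercase),
                           (upper, string.ascii_uppercase),
                           (digits, string.digits),
                           (symbols, string.punctuation)):
        if enabled:
            if not lookalikes:
                chars = "".join(c for c in chars if c not in LOOKALIKES)
            pools.append(chars)
    return pools


def generate_password(length=20, **opts):
    """Generate a password that contains at least one character per class."""
    pools = build_classes(**opts)
    if not pools:
        raise ValueError("enable at least one character class")
    if length < len(pools):
        raise ValueError("length is shorter than the number of classes")
    alphabet = "".join(pools)
    # Rejection sampling keeps the result uniform over all valid passwords.
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in pool for c in pw) for pool in pools):
            return pw


def entropy_bits(length, **opts):
    """Upper bound on entropy: length * log2(alphabet size)."""
    return length * math.log2(len("".join(build_classes(**opts))))


if __name__ == "__main__":
    print(generate_password(20))
    print(round(entropy_bits(20), 1), "bits without look-alikes")
    print(round(entropy_bits(20, lookalikes=True), 1), "bits with them")
```
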
KeePassium is open source and free, though it does have a premium version with some extra features. The app supports ChaCha20 and AES (like KeePass does) and also supports Argon2, Salsa20, and Twofish algorithms for encryption.
When you switch to another app, KeePassium locks the database as it should, though I did find it annoying when I was testing it by switching to and from Safari to test the manual copy to clipboard and search options. Maybe keeping the database open for 10 seconds or something could help prevent this; an option to enable this would be sufficient.
The App Lock adds an extra layer of security to KeePassium. When enabled, you will need to enter your device's passcode just to access the app. You will still need to enter your master password to open the database, which makes it time-consuming but provides better security.
The "Unlock with master key" option is disabled by default and for good reason. When you enable it, KeePassium will remember the master key (master password) for the session so you don't have to enter the password every time you open the app. When you switch to another app and return, you will find an "unlock" button (instead of a password field) on the app's home screen. The master key will be automatically cleared after the database has timed out.
I personally don't like such options, because if you forget to clear the master key and hand over your iPhone or iPad to someone, or it gets stolen or taken away, the database and all the passwords and information it contains can be accessed (unless you enable App lock).
The Database time-out is linked to the "unlock with master key" setting and KeePassium's default auto-clear time is 60 minutes. That's too much in my opinion, but fortunately it can be customized and set to auto-lock from as low as 30 seconds and up to 24 hours or even never. Of course, you shouldn't keep the database open for that long. I'd say keep it to 30 seconds or a minute for maximum security.
You can optionally use a Key File to unlock the database. I get that some of these options may be convenient for some people, but it really should be security over convenience any day.
The promise of open source, free, no ads, no analytics, and no in-app browser in KeePassium does seem to be true. I'd say you're getting more than what you're paying for, even with the free version. That being said, I misunderstood the Touch ID/Face ID unlock option in KeePassium. It doesn't unlock the database; it is one of the app lock options. You need to enable "remember master key" to get it to unlock the database. Well, maybe I'm expecting too much, but as a longtime user of Keepass2Android, it is one feature which I really like.
I think both apps, Strongbox and KeePassium, are equally good. This really is a try it yourself and decide kind of situation.