Kee is a Firefox and Chrome extension that can auto-fill passwords from KeePass
A couple of weeks ago, LastPass changed hands, again. Some of my friends ditched it and moved on to BitWarden as a consequence.
While I see the advantages of using cloud-based services to store passwords, especially when it comes to comfort, I do find the use of such services too risky. What if their services get hacked or someone finds a bug in the service's extensions or apps that can be exploited?
Anyway, I managed to convince a friend to switch over to KeePass. His requirements were quite simple: cross-platform sync, a mobile app and auto-fill on desktop. It's easy, just place the KeePass database in your cloud storage service's folder (e.g. Dropbox, OneDrive, Google Drive, or, if you want full control, a self-hosted solution) and you have cross-platform sync. It's safe because the database is encrypted.
My go-to choice for a mobile app is Keepass2Android Password Safe for Android (supports Quick unlock, fingerprint unlock, syncs to your cloud service), and KeePassium or Strongbox for iOS. While auto-type is natively supported in the KeePass desktop application, auto-fill isn't.
You'll need to use a browser extension for that. I used to recommend Tusk, but it is no longer maintained. The Kee add-on by Chris Tomlinson does a fine job. Kee was formerly known as KeeFox, and some of you may be familiar with it.
You'll need two things to get it working:
- The Kee extension for Firefox and Chrome. You'll also need the KeePass desktop application to be running in the background.
- The KeePassRPC plugin (from the same developer) which allows the add-on to communicate with the browser.
Install the extension from the Firefox add-on repository or the Chrome web-store. A new button will be added to the toolbar and it is in the "OFF" state after installation.
Navigate to the KeePass desktop application's plugins folder (normally C:\KeePass\Plugins) and place the KeePassRPC plugin file named KeePassRPC.plgx inside the directory. Restart KeePass if it was already open, and it should load the plugin.
A new tab opens in the browser and you should see a window pop-up (in KeePass) asking you to "authorise a new connection". A code is displayed in the pop-up that you should enter in the box in the browser tab to authenticate the add-on to access the passwords from the desktop client.
The welcome screen of the plugin asks you to choose whether you want to create a new database, or use the existing one. Select the latter and log in to your database as usual. That's it: you've set up Kee and KeePass to work together.
The Kee add-on's button is now usable. Does this work with KeePass portable? It does, that's what I use it with.
Bad puns aside, let's take a look at what the extension is capable of. Auto-fill is of course the main feature of the extension. If you're on a webpage that has the same URL as an entry in your database, the username and password fields should be automatically filled by the add-on.
It works on most websites, but in case it doesn't, left click on the add-on's button and select "matched login entries". You can also use the browser's right-click context menu to do the same.
You can use the add-on's pop-out menu for searching your database. This is the other option to use if autofill didn't work. You can type the website's name (e.g. "ghacks") and the extension will list the relevant results to choose from.
Click on an entry (after searching) and it will take you to the corresponding URL. If you click on the hamburger menu icon next to an entry, it gives you three options: Edit, Copy Password and Copy Username. The password isn't edited by Kee, it is done in KeePass.
Kee can be used to save new entries when you log in to websites (or generate a new one), but you'll need to manually click the add-on's button and select "Save login". You can choose to save the information in a new entry or update an existing one. The add-on can also be used for generating secure passwords and you can choose from Hex key 40/128/256 bit, or random MAC address. Once generated, it is saved to the clipboard and you can paste it in a password field, and use the save password option to store the new login.
Kee does not send your data to any server. The extension and the plugin are open source.
Note: You may come across "Kee Vault" in the add-on's menu, that is a premium password manager made by the same developer. It is completely optional, and hence not required for Kee to function.
Kee is an open source add-on, and so is the KeePassRPC plugin. You can find them listed on the plugins page on KeePass' official website. KeeForm is a good alternative, but requires installing its desktop application in addition to the extension.
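The KeePassRPC plugin is the local link between the browser add-on and KeePass, so a useful check after setup is that its listener is bound to loopback only. The following is an added example, not code from Kee or KeePassRPC; it assumes the plugin's default port is 12546 (not stated on this page, confirm it for your install) and parses constructed `netstat -ano` output.

```python
import ipaddress

# Assumption: 12546 is KeePassRPC's default listening port (not from this page).
RPC_PORT = 12546

# Constructed `netstat -ano` samples in the Windows layout, not captured data.
SAMPLE_LOOPBACK = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:12546        0.0.0.0:0              LISTENING       4312
  TCP    [::1]:12546            [::]:0                 LISTENING       4312
  TCP    127.0.0.1:12546        127.0.0.1:50311        ESTABLISHED     4312
"""
SAMPLE_EXPOSED = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:12546          0.0.0.0:0              LISTENING       4312
  TCP    [::]:12546             [::]:0                 LISTENING       4312
"""

def split_endpoint(endpoint):
    """Split '127.0.0.1:12546' or '[::1]:12546' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def rpc_listeners(netstat_text, port=RPC_PORT):
    """Return [(ip, pid, is_loopback)] for every TCP listener on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Listener rows have exactly: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, local_port = split_endpoint(fields[1])
        if local_port != port:
            continue
        ip = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
        found.append((str(ip), int(fields[4]), ip.is_loopback))
    return found

def exposed_listeners(netstat_text, port=RPC_PORT):
    """Listeners on `port` reachable from other hosts (not loopback-bound)."""
    return [(ip, pid) for ip, pid, loop in rpc_listeners(netstat_text, port) if not loop]

if __name__ == "__main__":
    for name, text in (("loopback", SAMPLE_LOOPBACK), ("exposed", SAMPLE_EXPOSED)):
        print(name, exposed_listeners(text) or "loopback only")
```

On a real machine, pass in the output of `netstat -ano` and compare the reported PID with the KeePass process before drawing conclusions.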
I’m currently using this extension and appreciate it a lot.
Only drawback is that its documentation is pretty light and the support forum doesn’t help a lot: I’ve had two questions unanswered for 6 weeks and am still waiting.
“…you can choose from Hex key 40/128/256 bit, or random MAC address.”
or you can add your own saved pattern from KeePass password generator like numbers, lower/upper case letters or special characters because many sites ask you to choose complex passwords.
Since Keepass2Android supports AutoFill, I do not install any unnecessary proprietary application on my phone if it is usable from Firefox too.
I use the KeePassHttp plugin, which is also an excellent solution.
I find your advice on using Keepass + cloud storage + browser extension instead of online password manager quite strange. Online password managers do nothing more than sync an encrypted binary blob of your passwords (just like your .kdbx file) between your browsers/applications – every activity happens on your local machine. So instead of trusting a single entity (for example, Bitwarden), you have to trust at least three (Keepass, Dropbox and the unknown author of the browser extension)…
Well it’s free, so that’s one. More industrious people might also just self-host, as noted in the article itself, so that might work too. I heard that BitWarden can also be self-hosted, although I don’t know how that works or if it can work for individual customers or not.
Also honestly Keepass is more proven than many others, considering they pass the EU audit quite well, and you have the choice to set how strong the protection is, so there’s that.
Bitwarden also passed a third party audit.
Yeah, honestly, I don’t think you’re going to find KeePass+DropBox to be significantly more secure than Bitwarden.
While online password managers probably don’t know my password, I do think they can easily compare the data keeping my password secure, matching it to known password lists or people more willing to give up their password. Similar to what Google and Microsoft recently did.
I don’t think the EU did an audit, but KeePass is part of some sponsored bounty program. Perhaps they’re even an actual sponsor.
I think many would drop KeePass instantly if the EU somehow got more involved besides paying the tab.
KeePass is open-source, while whatever the claims are about other online password managers, e.g. LastPass, we can’t completely trust them since we don’t know what their code is doing.
@Cor: EU did do KeePass 1 audit under EU-FOSSA project. Result: https://joinup.ec.europa.eu/sites/default/files/inline-files/DLV%20WP6%20-01-%20KeePass%20Code%20Review%20Results%20Report_published.pdf
And also, something like Firefox’s built in “Lockbox” (free) gives most of the same functionality (even on android for non browser apps) and is dead simple to use. I tried keepass, but having to use extensions, manually set up a bunch of stuff, etc. only to have it not be as usable as Lockbox was a no go for me.
I’m using Keepass 2.42.1 on Windows 10 and auto-fill works fine. I just go to the website I want to log in to, click on the Username box and press Ctrl+Alt+A. That’s KeePass’ global auto-type hotkey and it works fine for most websites. I previously installed Keywi but soon realized Keepass’ hotkey works just fine, no extensions needed.
I’ve tried many pw managers over the years and, IMHO, found LastPass better than any other. Yes, I am well aware that giving your pw to a third party, cloud, etc, is a risk. I know what I save and want to save in the cloud and I’m well with it.
Considering how often KeePass is mentioned here I tried it some months ago. I also installed KeeFox for Firefox.
My experience was definitely bad, since in most cases (that means many and many) autofill didn’t work at all. Also user experience is less good compared with LP.
LastPass is not perfect but works very well in most cases.
I think that this aversion against LP is a little excessive, and the same goes for the eulogizing of KeePass.
KeePass does not work well on Linux, KeepassXC works very well and has autofill too for which a global hotkey can be set. The UI of KpXC is a bit more pleasant than KP’s.
KpXC also works well on a Mac.
I still use Tusk and I am devastated by the news that the author stopped the development, especially because there is not any fork available.
Devastated? Please don’t die for zeros and ones on a computer!
I just use an addon that adds the current URL to the window title like https://github.com/erichgoldman/add-url-to-window-title or https://addons.mozilla.org/en-US/firefox/addon/keepass-helper-url-in-title/
No KeePass-Plugin required. Default autotype will work. No “connection” to the browser.
Use KeeWeb for desktop, has Win/OSX/Linux/Web versions.
And ChromeKeePass is the best addon for Chrome bar none.
KpXC also works well on a Mac.
MiniKeePass is free on iOS and totally compatible with the KeePass database.
No In-App Purchase.
EXCELLENT according to me.
Keepass & KeePass Tusk, for so many years I can’t remember.
My three main requirements for a password manager are:
1 – security – ok, obvious.
2 – portability. For a whole range of reasons, installed apps or browser extensions are little use to me. I keep it on a pendrive, with a couple of secure backups.
3 – simplicity. If it isn’t KISS, there’s always a temptation to write things down rather than use it.
4 – insulated from outside interference – that means no cloud, no website services, etc, and blocked by my firewall.
I’ve never found anything better than Keepass for all of these. I’ve tried all the rest – sometimes more than once – and been tempted by some. But imho Keepass still checks all the boxes I need to check personally.
And – by the way – even if some hacker was to break open my kdbx file, he wouldn’t have my actual passwords. They’re in my memory-challenged old head, Keepass being a (now vital) mnemonic aid.
They do say you’re not paranoid if they really are after you… ;o)
Been using Keepass for years. I use Syncthing to distribute my kdbx between devices. Works a treat, no 3rd party services needed.
I’m interested in Bitwarden though as its availability is spreading. A little worried about how much work there might be to learn a new product and transfer all my passwords.
Any advice on a KeePass setup from ChromeOS? Would KeeWeb be best? (Linux apps are available but run in a container in a VM so may not be able to communicate with Chrome in the main OS. Android apps also available, but also with sandboxing)
Stupid unnecessary additional exposure to cyber attacks, either use chrome which auto fills the information itself or go the proper SSL encrypted best effort paid route via your AV/specialist security development house, simple pfffft
I am currently using a NordPass extension to manage all my passwords, maybe you can do a guide on them? (https://nordpass.com/)
Kee is a malware trojan, don’t use it. I have informed KeePass. Look for yourself: it has some external IP code, not a 127.0.0.1 localhost address. Why aren’t you controlling plugins, guys?
I see there is a lot of emotional discussion from those who would bury their passwords in a bunker in the middle of the desert just because it is more secure and those who simply don’t trust something just because they haven’t seen an advert in Google ads about it or a review sponsored by the same company that the software is about.
In my opinion, the keys are security, convenience, usability.
All I want from a password manager is to be able to trust the technology used, use it in my phone, tablet and laptop and find and use those passwords as easily as possible, including setup.
In this there are only two options for me: KeeVault and BitWarden.
To me, KeeVault is my choice. BitWarden might be more mature as web application, but KeeVault is backed by the KeePass format kdbx and its years of good reputation.
Has anyone read this?
Not understood what is “Kee home group” actually? All passwords from this group are exposed.