KeePass password manager update improves security

Martin Brinkmann
Jun 4, 2023
Updated • Jun 4, 2023
Added clarification about fixed security issue.

Dominik Reichl, the lead developer of the KeePass password manager, has released KeePass 2.54 to the public. The new version of the application improves security in several meaningful ways, and it addresses potential attack vectors of previous versions of the program.

New and existing KeePass users find the download of KeePass 2.54 on the official website. The installer will update installations of the password manager automatically.

KeePass users who have used URL overrides may want to take a screenshot of them or write them down, as these will be disabled in the new version, unless stored in the enforced configuration file.

Check out my guide on improving KeePass security.

KeePass 2.54 the changes

keepass password manager 2.54

The new password manager version improves the export functionality significantly. Back in February, a warning was released by Belgium's Federal Cyber Emergency Team regarding the export functionality.

It revealed that anyone with access to KeePass' configuration file could export the entire password database without user confirmation.

Reichl released KeePass 2.53.1 to address the issue by adding a master password prompt to data exports.

KeePass 2.54 improves exporting safety further. Exports do require the "export" application policy flag now "in most report dialogs" and the master password. The design of export confirmation dialogs has changed as well. The traditional "ok" button has been replaced with a "Confirm Export" button to make the action clearer, and the banners have a new background color.

Passwords and other sensitive data is hidden behind asterisks now in report dialogs. There is a new button in the toolbar to toggle the hiding of the information.

Another major change pushes several important configuration options into the program's enforced configuration file. The configuration options of the file have priority over changes made to the application's global or local configuration files.

The feature is designed primarily for system administrators who want to enforce certain settings, but it can also be used to protect against manipulation by third-parties.

enforced configuration

Reichl notes that Triggers, global URL overrides, password generator profiles "and a few more settings" are stored in the enforced configuration file in KeePass 2.54. This may have some consequences:

  • Triggers may be used to automate certain tasks in KeePass. The trigger system is turned off if triggers were not saved in the configuration file in earlier versions already. Users need to select Tools > Triggers and check the "enable trigger system" option there to start using them.
  • Global URL overrides are disabled in KeePass, unless they are stored in the enforced configuration. These can be enabled under Tools > Options > Integration > URL Overrides.
  • Password generator profiles. These too are now stored in the enforced configuration. To continue using them, select Tools > Generate Password > Shield button, make the changes and activate the save button.

Information for portable users and users who have used an enforced configuration file already are available on the official website.

Last month's reported security issue has been addressed in the release. Third-parties with access to memory dumps could restore all but the first character of KeePass' master password, which makes identification of the password trivial. The update to KeePass 2.54 resolves the matter.

Now You: do you use KeePass or another password manager?

KeePass password manager update improves security
Article Name
KeePass password manager update improves security
Dominik Reichl, the lead developer of the KeePass password manager, has released KeePass 2.54 to the public.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Anonymous said on June 4, 2023 at 8:33 pm

    I don’t get it, keepass is an offline password manager, if people got it hacked or something, it is because they allowed randoms in their computer, by remote or physical…. so it’s hard to know why would anyone want to hack some random who mean nothing to anyone.
    Plus how many users use Keepass? not many, making it even harder.

    Even a Notepad plaintext file with all passwords is safe if properly managed, just like Windows with password and all that.

    1. NWexplorer said on June 5, 2023 at 10:27 am

      I have been using Keepass for years, but I don’t do anything fancy to get around URL logins. If they change, I change. At least they have never been completely cracked, yet. I just need them to keep them secure enough to discourage amateurs, recorders, and script kiddies. My border does the rest.

  2. Tachy said on June 4, 2023 at 6:02 pm

    If the security of a “safe” needs improved, perhaps one shouldn’t trust it to keep anything “safe”?

    1. Steel Kidney said on June 5, 2023 at 2:41 am

      According to Chrome fanboys, the more exploits found in a “safe”, the more secure it is. The fact a safe is frequently attacked means it is more secure than a safe that is attacked less.

      Don’t ask me what that means, it’s just what they say, and it contradicts what you say.

    2. Amonymous said on June 4, 2023 at 8:37 pm

      So how are we going to keep thing safe then?

      1. Tachy said on June 4, 2023 at 10:51 pm

        That you would ask a random unknown person that question demonstrates the root of the problem.

        Go teach yourself how.

      2. Frankel said on June 5, 2023 at 5:57 am

        Ah yes pretending again we need absolute security. They can always get a rubber hose or jail you forever if you refuse to talk:
        Just look at what it has done for Assange. Does anyone in here feel that important or interesting to the gov?

      3. Anonymous said on June 5, 2023 at 5:17 am

        That you would make a random uniformed statement but then be completely unable to answer a random unknown person’s question demonstrates the root of the problem.

        Go teach yourself how to answer questions properly.

  3. Nils said on June 4, 2023 at 10:21 am

    The security problem reported last month has been fixed with this version. It also says in the change dialogue: “Improved process memory protection of secure edit controls”.

    Dominik Reichl confirms this again here:

    1. Martin Brinkmann said on June 4, 2023 at 11:19 am

      Thank you Nils!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.