What is KeePass password manager?
KeePass is a free and open source (FOSS) password manager. Although not as slick as commercial offerings such as 1Password or LastPass, the fact that users have complete control over their encryption keys (which are generated locally and stored solely by the user, so need not be shared with anyone), and that passwords are not stored on a centralized database that is vulnerable to hacking, makes KeePass the most secure password manager available.
Is KeePass password manager secure?
KeePass is open source, which means that the code can be scrutinized by anyone qualified to do so to ensure that it does not contain backdoors or other weaknesses. Although this cannot guarantee that everything is above board, it is the best solution available.
Encryption is ‘end-to-end’, which means that it is performed on your desktop (or mobile device), and that only you know your master password or hold your key file (unless you choose to share it, of course!). Therefore, unless you want to share your master password or key file, no-one else can access your database.
The downside is that if you lose your password there is no recovery option! Users should, therefore, be very careful to memorize their master password or store their key file securely.
One of the great things about this setup is that even if an adversary can access your .kdbx file (the encrypted file in which your passwords are stored), they will be unable to access the contents. This is why it is safe to store .kdbx files on insecure platforms such as Dropbox.
By default KeePass 2 uses strong 256-bit AES encryption with a SHA-256 password hash function to authenticate the data. ‘Classic’ KeePass also supported the Twofish cipher, which we prefer because it is not NIST certified, but this and other ciphers can be easily added to KeePass 2 using optional plugins.
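To make the ‘master password and/or key file’ idea concrete, here is an added example (not KeePass’s own code, and not from the original article) that builds the 32-byte composite key the way KeePass 2 does for KDBX 3.x-era key files: SHA-256 of the password, the key file reduced to 32 bytes (XML version 1.00, raw 32 bytes, 64 hex characters, or else a hash of the whole file), then SHA-256 over the concatenation. The key-file sample is constructed; the later AES key-transformation rounds are deliberately left out.

```python
"""Composite-key construction in the style of KeePass 2 (KDBX 3.x-era key files).

Added illustration, not KeePass's own code. Key-file precedence rules below
are the ones KeePass 2 applies; the sample XML key file is constructed here.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: an XML key file (format version 1.00) whose <Data>
# is base64 of 32 'B' bytes. Not a real key file.
SAMPLE_XML_KEYFILE = (
    b"<?xml version='1.0' encoding='utf-8'?>"
    b"<KeyFile><Meta><Version>1.00</Version></Meta>"
    b"<Key><Data>QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI=</Data></Key></KeyFile>"
)

def password_key(password: str) -> bytes:
    """Password contribution: SHA-256 of the UTF-8 encoded master password."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def key_file_to_key(content: bytes) -> bytes:
    """Key-file contribution, in KeePass 2 precedence order: XML key file
    (base64 <Key><Data>), then exactly 32 raw bytes, then 64 hex characters,
    otherwise SHA-256 of the entire file content."""
    try:
        root = ET.fromstring(content)
        if root.tag == "KeyFile":
            data = root.find("Key/Data")
            if data is not None and data.text:
                return base64.b64decode(data.text.strip())
    except (ET.ParseError, ValueError):
        pass  # not XML (or not a well-formed key file): fall through
    if len(content) == 32:
        return content
    if len(content) == 64:
        try:
            return bytes.fromhex(content.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # 64 bytes but not hex: treat as an arbitrary file
    return hashlib.sha256(content).digest()

def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Concatenate the 32-byte parts (password first, then key file), SHA-256 the result."""
    parts = []
    if password is not None:
        parts.append(password_key(password))
    if key_file is not None:
        parts.append(key_file_to_key(key_file))
    if not parts:
        raise ValueError("a master password or a key file is required")
    return hashlib.sha256(b"".join(parts)).digest()
```

Because the key file is hashed into the composite key alongside the password, an attacker who obtains the .kdbx and guesses the password still lacks 32 bytes of key material; conversely, losing the key file makes the database unrecoverable.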
Those very concerned about security may also like to install a software keyboard plugin to foil keylogging software.
How to setup KeePass password manager
Download the latest version of KeePass. Note that versions 2.x are referred to as the ‘Professional Edition’ while older versions are known as the ‘Classic Edition’. A portable version of KeePass is also available that can be carried on a USB stick. We use the ‘Professional Edition’.
- Create a new encrypted password database (stored as a .kdbx file) by clicking the icon to the top left of the main window. You can save it anywhere, but (as we discuss below) choosing a Dropbox (or similar) folder will allow easy syncing across devices.
- All passwords in a .kdbx file are protected either by a master password or by a key file. Key files are usually more secure than passwords and can be carried on a USB stick, but it is vital not to lose them! For now we’ll stick with a master password. Make sure you choose one which is secure because this is the weakest link in the entire process.
- Database settings - you can fill in the ‘General’ tab as you see fit.
By default KeePass 2 uses strong AES-256 encryption with a SHA-256 password hash function to authenticate the data. Here we have used Twofish encryption instead (in KeePass 2.0 this requires a separate plugin - just download it and unzip it into the KeePass install folder).
- The other settings can be left alone. Click ‘OK’ to create your secure password database and open the main KeePass window. Create a new password by clicking on the ‘Add Entry’ icon.
KeePass will automatically generate a secure password for you, and you can link it to a particular website and set an expiry date.
By clicking on the ‘Generate a password’ icon next to the ‘Quality’ indicator, you can tailor the password to be generated. This can be useful with websites (etc.) that are fussy about what password is used.
The main screen allows various password management functions. The ‘Open URL’ button will open your default browser at the webpage linked to the password.
One handy feature of KeePass is that it can import passwords from a broad range of sources, including from the Firefox password manager.
A portable version of KeePass is available that can be carried on a USB stick, and while it does not support automatic cloud syncing across devices, similar functionality can be had by storing the .kdbx file in a cloud storage folder (such as a Dropbox folder). The only real catch with this is that you will have to re-open the .kdbx file to pick up the latest passwords.
Integrate KeePass password manager with your browser
By far the most useful plugins for most users will be the ones that allow full browser integration. We use PassIFox for Firefox (there is also a Chrome version called ChromeIPass). PassIFox is no longer compatible with current versions of Firefox, although it will work with forks of earlier versions of Firefox such as Waterfox or Pale Moon. Fortunately, KeePassHttp-Connector makes a great drop-in replacement.
- Download the KeePassHttp plugin and install it - full instructions are provided on the download page, but just unzip to your KeePass folder.
- Download and install PassIFox (just drag the downloaded passifox.xpi file onto your browser), or install ChromeIPass from the Chrome Web Store.
- Run KeePass with your .kdbx password file open (KeePass can be set to run at startup by going to Tools -> Options -> Integration).
- Right-click in the form field of a login dialogue, and select ‘Fill User & Pass’. If the web address matches an entry in your KeePass file, the relevant entry will be pasted in. If you have two or more matching entries, you will be asked to select one.
As you can see, integrating KeePass with your browser is a bit fiddlier than with most commercial solutions, but is also hardly rocket science…
Thanks to the fact that it is open source, uses top-notch end-to-end encryption, and does not store passwords in a centralized database that can be hacked (not to mention that it is completely free), KeePass is our top choice of password manager.
There is, however, no getting away from the fact that KeePass has many rough edges compared to its commercial competition, and that to get the most from it requires a bit of rolling up your sleeves and getting your hands dirty (if only a little).
When it comes to keeping your passwords secure, KeePass is hard to beat, but we understand that some may find it fiddly to use. If this is likely to prevent you from actually using it, then you are probably better off using a commercial (closed source) alternative that you do use (or Firefox’s built-in password manager), rather than not using a password manager at all.
For the rest of us, however, KeePass is a fantastic password manager.