They are not stored on a centralized database that can be hacked (as commercial password manager ones often are), and only you hold the encryption keys to them. The main downside of this, of course, is that there is no safety net - no third party that can bail you out if you forget your master password!
KeePass supports a selection of plugins that extend its functionality far beyond that of any other password manager.
Please note that this article concerns KeePass 2.x. (2.42 at time of writing). KeePass 1.x is a fundamentally different program which remains maintained primarily for backward compatibility reasons. We can see no advantage whatsoever in using KeePass 1.x unless you need to work with legacy password files.
Pros
- Open source
- Free
- End-to-end encryption
- Cross-platform support and sync
- Browser integration (via plugin)
Cons
- Not quite as easy to use as some password managers
- A bit ugly
KeePass pricing
KeePass is a community-developed, free and open-source software (FOSS). It doesn’t cost a penny. There are no commercial versions of it.
Features
- Open-source
- End-to-end encryption (e2ee)
- Cross-platform support and sync
- 2FA support
- Browser integration (via plugin)
- Multiple cipher options (via plugin)
Additional features are available via a huge list of plugins and extensions, many of which cater to rather niche requirements.
Cross-platform and sync
Passwords are stored inside encrypted KeePass containers, often referred to as .kbdx files after their file extension. These .kbdx files can be securely stored anywhere, including insecure locations such as Dropbox and Google Drive.
The ability to store .kbdx files safely in the cloud is very handy for syncing across devices, as KeePass-compatible apps on any platform can access and open the files with the correct password (and key file and/or other 2FA if used), modify them, and save the updated version to the cloud location.
This allows for seamless e2ee syncing across devices and platforms. The only issue is that thanks to the locked-down nature of iOS apps, KeePass apps in iOS must import and export .kbdx files from the iOS Dropbox app rather than simply opening and saving the file in Dropbox directly. This is admittedly a bit of a pain but blame Apple, not KeePass.
To see how KeePass works in Android, check out our Keepass2Android review.
Privacy and security
Open-source
Unlike commercial alternatives, KeePass uses 100 percent open-source code. Nothing is guaranteed in this life, but because open source code can be examined by anyone qualified to do so, it provides the best guarantee we have that a program is doing what it is supposed to, and only what it is supposed to.
In 2016 the European Commission's EU Free and Open Source Software Auditing project (EU-FOSSA) audited KeePass 1.31, concluding that “the code has a good level from a security point of view, with only a few findings, none of which were critical or high-risk in nature.”
KeePass 1.x differs quite considerably from KeePass 2.x, but these findings are nevertheless very encouraging.
End-to-end encryption
KeePass stores passwords client-side on your desktop in encrypted. kbdx containers. They are encrypted by you, and can only be decrypted by someone with your password. Security can be farther improved by the use of a key file and/or some other form of multi-factor authentication.
.kbdx files are therefore fully end-to-end encrypted. They need never leave your local storage, or you can manually sync them across your devices using USB cables, memory sticks, and suchlike. This ensures that no online adversary can ever access them, even in encrypted form.
For the super-paranoid out there this is great, but thanks to the strong encryption used for each .kddx file it is safe to store them in insecure online locations such as Dropbox. An adversary might able to access the encrypted .kbdx file, but good luck cracking AES-256 to open it!
By default, all .kbdx files are secured using strong 256-bit AES encryption with an SHA-256 password hash function to authenticate the data. This is literally as strong as modern symmetric key encryption allows. The NIST-averse can instead use optional plug-ins to encrypt their passwords with alternative ciphers such as Twofish or Serpent if they prefer.
Two-factor authentication
No matter how strong the encryption, however, the weak point is always human error. Especially when it comes to passwords! With KeePass, you need only remember one master password ever again, but do please make sure it is a strong one!
Or even better, use a passphrase consisting of many words and spaces. Passphrases are also often easier to remember than single passwords, which is good, because if you forget your master password then… oops.
Even the strongest password (or passphrase), though, is a point of weakness. KeePass addresses this with optional out-of-the-box support for two-factor authentication (2FA) via key files. A key file is created when you create the .kbdx database and must be present in order to open the database. A password is still required but is useless without the key file.
The key file can be stored in secure locations such as your home PC, phone, or encrypted USB stick. It should, however, never be stored in insecure locations such as Dropbox as the entire point is that only you have access to it!
It is possible to further secure a database by requiring that you are logged in to a specified Windows User Account when you open a .kbdx file, but this does limit your ability to share passwords to other platforms.
A number of KeePass plug-ins also support 2FA via TOTP codes sent to an authenticator app on your phone, YubiKe, smart card, and more.
Ease of use
We have a detailed How to set up KeePass tutorial. There are a few steps involved, but it’s basically just a matter of following a setup Wizards which holds your hand.
Once installed, you can perform all sorts of password management functions from the main console window, such as creating new passwords, arranging passwords into groups, modifying and deleting passwords, and suchlike.
Each password entry includes a notes section which is useful for storing any useful information securely, not just information directly relating to website passwords. It is also possible to set an expiry date for entries.
As with any good password manager, KeePass can generate strong passwords for you as needed. Some websites have very specific requirements for the passwords they accept, so it’s good that KeePass allows you to tailor the kind of password that it randomly generates.
Browser integration
An important aspect of any password manager is how easy it is to use, and since most of our online activity when using a desktop PC is performed through the browser window, this makes browser integration a central concern.
KeePass does not offer any browser integration out-of-the-box, but it can be easily added using a combination of plugins + browser add-ons. A number of options are available, but we recommend KeePassHTTP-Connector for Firefox and Chrome.
In our How to set up KeePass guide, we cover how to implement to KeePassHTTP-Connector browser integration. Doing this really is very simple and only takes a minute or two, but it has to be recognized that other password managers do similar things without the need for you to do anything.
Once KeePassHTTP-Connector is in place, just click on a username or password field to autofill from your KeePass database. By default, new login details will be saved to the open KeePass database.
A lock icon to the right of password fields (which can be disabled if you find it annoying) will generate a new secure password instantly.
If you're still unsure about KeePass, why not check out some alternatives in our guide to the best password managers?
Final thoughts
No other password manager beats KeePass when it comes to keeping your passwords secure. It is also completely free, and thanks to a huge range of plugins, it is by far the most extensible and flexible password manager around.
We also think it is fairly easy to use. Its user interface does look rather dated, though, and it not as easy to use as many all-in-one password managers.
For those with even slightly techie leanings, we recommend KeePass unreservedly. If you need a slick and idiot-proof password manager that even your grandparents can use, however, then we suggest looking at open source Bitwarden before considering commercial alternatives.