Password Safe is a free and open-source password manager originally developed by crypto-legend Bruce Schneier. It is a Windows program, although ports of it are available for other platforms. In this Password Safe review, we take an in-depth look at this password manager to answer the question: is Password Safe worth your time and money?
As volunteer-developed open source software, the base Windows version of Password Safe is free in every sense of the word.
A disk-on-key version called PasswordSafe2Go is also available, which allows you to install the app on a USB stick for easy portability across multiple devices. PasswordSafe2Go is tailored for installation by a third party company and costs around $11 USD, with a year’s free updates.
The Android port of Password Safe, PasswdSafe, is free, but pwSafe 2 for iOS and iPadOS costs $2.99 from the App Store. pwSafe for macOS costs $14.99 from the Mac App Store.
- Client-side encryption (e2ee)
- Drag and drop passwords
- Cross-device and cross-platform syncing
- Password management
- Import and export
- File encryption
- Password generator
- Command-line tool
- 2-Factor authentication
Cross-device and cross-platform syncing
Encrypted Password Safe PSAFE files can be stored securely online, for example in your Dropbox account, where they can be accessed using other Password Safe-compatible apps.
The PSAFE files are securely encrypted by Password Safe before being uploaded to the cloud, so even if stored on an insecure platform (such as Dropbox), the passwords will remain secure.
Drag and drop password use
The “Dragbar” (View -> Dragbar visible) allows you to complete forms by simply dragging the relevant icon for entry over to the form. So to enter a username, just drag the User Name icon to the correct login field.
You can drag passwords, usernames, notes, URLs, titles, and emails. You can also drag an Autotype icon…
If you click on a web page (or better yet a login field), the Autotype feature will attempt to fill in your username and password for you. Results can be a little mixed, but when it works the result is quite impressive.
Import and export
In theory, you can import passwords from plain text, XML, and KeePass v1 CSV or TXT files. In practice, all attempts to import files exported from KeePass 2 in XML and CSV (v1 format) failed.
Passwords can be exported in plain text, XML, or various versions of Password Safe’s own (PSAFE) format.
You can generate a truly secure password using the default algorithm or specify your own rules. This is very useful for generating passwords for sites that have specific minimum password requirements.
2-factor authentication (2FA)
Password Safe provides support for 2FA using a YubiKey 4, YubiKey 4 Nano or YubiKey NEO.
How secure is Password Safe
Password Safe is community-developed open source software which provides end-to-end encryption. So jurisdiction is not really a relevant consideration.
As with most open-source software, its code has not been independently audited for security issues, although it is freely available should anyone wish to do so.
The database format used by Password Safe (V3), however, is one of the few to pass several security reviews.
The original Password Safe used Bruce Schneier’s own Blowfish algorithm, but this has been replaced by the much more secure Twofish (also invented by Mr. Schneier!).
This is widely regarded as being very secure, and for some has the advantage over AES that it is completely unaffiliated with NIST.
Password Safe uses Twofish-256 to secure the data itself. Keys are derived using an equivalent of PBKDF2 with SHA-256 authentication and 2048 iterations (can be configured for more).
All cryptographic primitives used are sound, although only a full audit can say how well they have been implemented. That Password Safe was originally developed by Bruce Schneier, though, inspires a great deal of confidence in this regard.
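The key-stretching step described above, as an added example (not code from this review or from the Password Safe project). It assumes the published V3 layout in which a file starts with the tag `PWS3`, a 32-byte salt, a little-endian 32-bit iteration count and a SHA-256 check value of the stretched key; the function names, sample salt and policy threshold are constructed for illustration.

```python
import hashlib
import hmac
import struct

REVIEW_FLOOR = 2048  # iteration count quoted in the review above

def stretch(password: bytes, salt: bytes, iterations: int) -> bytes:
    """SHA-256(password || salt), then re-hashed `iterations` times (assumed V3 stretching)."""
    key = hashlib.sha256(password + salt).digest()
    for _ in range(iterations):
        key = hashlib.sha256(key).digest()
    return key

def build_header(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Constructed sample: only the 72-byte prefix TAG | SALT | ITER | H(P')."""
    check = hashlib.sha256(stretch(password, salt, iterations)).digest()
    return b"PWS3" + salt + struct.pack("<I", iterations) + check

def parse_header(blob: bytes) -> dict:
    """Split the 72-byte prefix into salt, iteration count and check value."""
    if len(blob) < 72 or blob[:4] != b"PWS3":
        raise ValueError("not a PSAFE V3 header")
    (iterations,) = struct.unpack("<I", blob[36:40])
    return {"salt": blob[4:36], "iterations": iterations, "check": blob[40:72]}

def audit_iterations(blob: bytes, policy_min: int) -> str:
    """Compare the stored iteration count with the 2048 floor and a local policy."""
    n = parse_header(blob)["iterations"]
    if n < REVIEW_FLOOR:
        return "below-format-minimum"
    return "ok" if n >= policy_min else "below-policy"

def master_password_matches(blob: bytes, password: bytes) -> bool:
    """Recompute H(P') as a client does on unlock; compare in constant time."""
    h = parse_header(blob)
    candidate = hashlib.sha256(stretch(password, h["salt"], h["iterations"])).digest()
    return hmac.compare_digest(candidate, h["check"])

if __name__ == "__main__":
    salt = bytes(range(32))  # constructed salt; a real safe uses random bytes
    sample = build_header(b"correct horse battery staple", salt, 2048)
    print(parse_header(sample)["iterations"])
    # 100_000 is a hypothetical local policy value, not a Password Safe default
    print(audit_iterations(sample, policy_min=100_000))
    print(master_password_matches(sample, b"correct horse battery staple"))
```

The iteration count is stored unencrypted in the file, so anyone holding a synced copy can read it; it is the only work factor standing between that copy and guesses at the master password.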
The website provides comprehensive documentation for using Password Safe. There is also a useful FAQ and an active discussion forum. This forum is probably the best place to ask questions, but it is also possible to email the developers directly, who will “do our best to get back to you in a reasonable amount of time.”
Ease of use
You can download the app from a number of mirror sites. As with all open software you should check the downloaded file’s cryptographic hash to ensure its authenticity. The app is not signed with a PGP signature, however.
One thing we really like is that Password Safe has been translated to a whopping 13 languages apart from English, making it much more accessible to many people.
The (Windows) app
Password Safe defiantly rocks the functional over the pretty look, but it is easy to use and works well.
By default Password Safe will lock after five minutes, after which time you need to re-enter the master password. It might be worth noting here that if you forget or lose the master password then game over. There is no password recovery feature, so your passwords will be lost forever.
Each entry can include a password, username, associated URL, email address, and notes. You can set an expiry date on passwords.
The lock time and a bunch of other stuff can be manually configured in the options settings.
It is arguable that Password Safe’s main advantage is its simplicity, but we think the Dragbar and Autotype features are actually pretty groovy. They also have the advantage that you don’t need to install a separate browser add-on to use them as is often the case.
Ports for other platforms
These ports are built on the code for the open-source Windows app, but are not themselves necessarily open source. All of them are interoperable, however, so they can open and edit PSAFE 3 files, which can be securely synced using cloud storage accounts.
Password Safe Android App
Password Safe's Android app is officially called PasswdSafe. PasswdSafe is a free and open-source port of Password Safe. If you open PSAFE 3 files uploaded to Dropbox or Google Drive in their Android apps then the database will automatically load in PasswdSafe.
For other cloud storage providers, OI File Manager should open PSAFE files automatically in PasswdSafe. There is also a companion app, PasswdSafe Sync, which makes syncing from a number of popular cloud services even easier.
You can, of course, create and open PSAFE files from local storage.
PasswdSafe supports fingerprint unlocking, password generation, and password expiration (setting a time limit to passwords). 2FA is available via YubiKey NEO tokens.
Passwords and the like can be copied to the clipboard for pasting into forms, but this is not very secure as items stored to the clipboard can reside in memory for an indefinite amount of time, and are therefore vulnerable to password sniffing by other apps.
As with KeePass2Android, PasswdSafe solves this problem by providing its own keyboard which can directly access an open PSAFE database and enter usernames and passwords into forms without the need to store data on Android’s clipboard.
This works well, although it is a shame that PasswdSafe doesn’t work with Android 8+’s new Autofill Service.
The Password Safe Mac client is called pwSafe. While PasswdSafe is a fairly straight port of Password Safe to the Android platform, the pwSafe apps for macOS and iOS are commercial products. They are closed source and developed by US company App77.
Passwords are still e2e encrypted, but quite a lot of metadata and device information is gathered by App77 and stored on Microsoft’s Azure servers. This data will be deleted upon request, but this does require a level of trust in App77.
PwSafe for macOS looks like a Mac app, which is to say that it looks a lot better than its old-fashioned Windows parent app. It also sports a dark mode feature.
Overall, functionality is similar to the Windows app, but pwSafe is missing the two features we like best about that app: drag-and-drop password entry and the Autotype feature.
You can instead copy and paste each entry field, or you can click an icon at the bottom of each password entry to save the password (only) to the macOS clipboard and open the associated URL.
This apparent step backward should be mitigated by a Safari browser extension for easy password entry into web forms. Unfortunately, Safari 13 no longer supports web extensions, meaning that the browser extension does not work at the present time.
This is rather disappointing after just paying $15 for an app which is free for Windows users, but we are promised that “a future version of the app will provide a Safari App Extension with equivalent functionality.”
In fairness to App77, the design notes make it clear that a lot of care was taken to ensure the old Safari 11 and 12 browser extension was secure and that it never exposed passwords to the browser itself. We also appreciate the fact that its code was available for inspection (but not modification).
An optional subscription-based feature is iCloud Backups. By default, iCloud only saves the past two versions of a file. With iCloud Backup, an unlimited number of past versions of your PSAFE files are saved to iCloud.
PwSafe for iOS can sync PSAFE safes stored in iCloud. It can also sync safes stored on Dropbox, but this requires an additional in-app purchase of $2.99. You can also create and edit safes that are stored locally.
As with the Mac version of the app, you can save unlimited versions of safes to iCloud using the iCloud Backups subscription service.
Clicking on an entry saves both the password and username to the iOS clipboard. A very cool feature is that if you turn your iDevice upside down then the username will be pasted in, instead of the password. Performing this maneuver on an iPad is admittedly a little clumsy, but is still pretty cool.
PwSafe 2 also supports iOS’s built-in AutoFill feature, making entering passwords in most browsers and apps a doddle.
PwSafe supports all the standard Password Safe features, allows fingerprint unlock, and offers a dark mode.
An optional subscription-based feature is Cloud Memory. This basically solves the problem of the iOS memory management function auto-closing the app when not in use, and thus requiring that you re-open it every now and again, no matter how long you set the lock timeout function for.
Various projects based on Password Safe are available for a wide variety of other platforms, although many of these appear to be very old and unfinished or abandoned.
Most notably, there doesn’t appear to be any currently supported version of Password Safe for Linux.
Password Safe is a mature, free, and open-source password manager, which is a very good start. Its aesthetic is that of stolid functionality over form, but its Dragbar and AutoType features are surprisingly sophisticated.
The Password Safe format (PSAFE) is also well supported by ports on most major platforms, making Password Safe a good choice for cross-platform syncing. PasswdSafe for Android is a solid port in this regard.
Open-source fans will likely be disappointed that pwSafe is closed-source, but it has to be said the iOS app is rather good. The macOS app is a much harder sell, but if you are a Mac user who has committed to the Password Safe way of doing things elsewhere, then it's your only real option for accessing your passwords on your desktop OS.