Password Manager KeePass Review
The major password managers we’ve reviewed on this site are similar in a lot of ways. They have reasonably modern user interfaces, and are easy to set up and use. But some products follow a different path.
KeePass Password Safe, a lightweight, open source password manager, is one of those products. It isn’t pretty, and it isn’t easy to set up or use. But KeePass is an extremely powerful and flexible password manager that is best suited to experienced computer users or software developers. And by the way, it is totally free. If this looks or sounds interesting, here’s a quick list of the pros and cons that KeePass brings to the table:
You can consider KeePassXC as a great alternative to KeePass if you want to run your password manager on multiple operating systems, or you need one of the features in the KeePass/KeePassXC comparison table later in this review. You might also want to consider that KeePassXC is being developed by a team (six members currently), while KeePass is a one-person project.
Pros:
- Completely free of charge (donations accepted)
- Open source
- Dozens of optional plugins to customize user experience
- Complies with GDPR
- Data stored encrypted on your device
- Can run from a thumb drive
- End-to-End (E2E) encrypted using AES-256, ChaCha20, SHA-256, AES-KDF, Argon2
- 2FA and TOTP support
Cons:
- Not well suited to beginners
- Dated user interface
- Many features require the use of third-party plugins
- Must use plugins to sync between devices
- No master password recovery options
- Limited support
KeePass feature summary
Here’s a quick summary of KeePass features:
- Supported platforms include Windows, with unofficial ports for numerous operating systems and browsers
- Secure password generation
- 2FA support
- Password import/export
- Data is encrypted on your device
- Data encrypted in transit and at rest (E2E) with AES-256, ChaCha20, SHA-256, AES-KDF, Argon2
- Numerous optional sync strategies
Company information
KeePass isn’t published by a company. It is Free and Open Source Software (FOSS) distributed under the terms of the GNU General Public License version 2 or later by the author, Dominik Reichl. As often happens with FOSS, while the core product is created and maintained by Mr. Reichl, much of the KeePass software is actually created and maintained by others.
Third-Party Audits
Given that third-party audits are expensive, and KeePass is free, I didn’t expect to find any such audits. However, as you can see on the Awards, Ratings, and Opinions page, KeePass was audited twice, most recently in 2016. This last was a code review by the EU’s Free and Open Source Software Auditing project, also known as EU-FOSSA 1. While it would be great to see penetration testing results on KeePass, this code audit, along with the various other audits and awards on that page, is a positive sign for KeePass.
KeePass clients
There are KeePass clients for most operating systems and web browsers. Here’s what the Windows version looks like:
The user interface for KeePass doesn’t appear to have changed much since the birth of the product back in 2003. It appears that the developer has put his effort into improving the functionality of KeePass rather than the appearance. Given that he is a one-man band, as it were, that approach makes a lot of sense.
Interestingly, only the Windows version is actually published by Mr. Reichl. All other clients are unofficial releases created by third-party developers. That can be confusing, but it also allows the KeePass ecosystem to evolve much faster than if one person had to do everything himself.
So how do you know which client to use? Your best bet is to go to the KeePass Downloads page and try out any of the Contributed/Unofficial KeePass Ports you find there for the device you are interested in. You can find KeePass ports for the major operating systems, web browsers, and smartphones, as well as more exotic targets such as Windows Phone, PocketPC, BlackBerry, Sailfish, and others.
KeePass hands-on testing
I tested KeePass on an old Windows 7 machine. Since KeePass isn’t set up to sync between multiple devices by default, I did not attempt to set this up. There are several approaches you can use, involving various levels of manual configuration. If you decide to use KeePass on multiple devices, you’ll need to go to this page to learn about how KeePass synchronization works and configure one of the sync methods yourself.
Note: KeePass 1.X and 2.X are available for download. Following the publisher’s advice, this review covers KeePass 2.x.
Installing KeePass
I downloaded the installer for KeePass 2.43 from the Downloads page and ran that. The installation was pretty standard at first, but became a bit confusing when it required me to specify where the passwords should be stored and what the file should be called, followed by creating a Composite Master Key:
I can see a typical user throwing up their hands at this point and deciding to try a different product. After creating the Composite Master Key (which is required to get access to your stored data) I was able to view the empty Windows client, which looks like this:
Adding login credentials to KeePass
With the client up and running, it was time to add some login credentials. KeePass gives you two ways to add login credentials:
- Import credentials from your web browser or another password manager;
- Enter credentials manually.
Importing login credentials
KeePass can import data from numerous other password managers, as well as Google Chrome and Mozilla Firefox. I tested this capability by importing all my data from Bitwarden. The process only took a couple of minutes, and even replicated my Bitwarden folder structure so all my passwords and notes remained organized.
Adding login credentials manually
To add login credentials manually, open KeePass and click the Add Entry button, or press the CTRL+I keyboard shortcut. The Add Entry window appears, and looks like this:
Enter the user name and password you want to use in the provided fields. KeePass will generate a Quality score for the password you enter, making it easy to ensure that you don’t create a weak one. The best way to avoid creating weak passwords is to use the KeePass Password Generator. Click the Generate a Password button (circled in red in the preceding image) and in the menu that appears, select Open Password Generator.
KeePass password generator
The password generator in KeePass is very powerful and customizable (just like the rest of the product), with tons of options. Despite all of those options, in most cases you can just use the default settings, which will give you a very secure password with no fuss or bother.
Auto-type to fill in fields
Wait! We’re not done yet. KeePass takes a very different approach to entering your data into a web page than other password managers. Whereas they just automatically enter the data into the relevant fields on the page, KeePass Auto-Types on the page. The system is a little complicated, but the idea is that you give KeePass the exact sequence of keystrokes you would use if you were logging into the site by hand. You program this sequence of keystrokes on this tab in the Add Entry window:
This may seem like a crazy way to do things. It does make setting up most passwords harder than with other products. The benefit is that you can set up KeePass to work with virtually any login screen, no matter how complicated. You’ll have to decide for yourself whether this is a benefit or a reason to look elsewhere.
Working with your passwords and other data
Once you’ve got login credentials and other data into KeePass, how do you work with that data? Open up KeePass and select the database that contains the data you want to work with. All the data entries are visible when you select the database itself. Or you can select the folder that contains the type of data you are looking for (Secure Notes, for example), and find the correct entry there. Double-click the entry to open the Edit Entry window. The window is virtually identical to the Add Entry window we looked at earlier, which means you can view or edit anything about that entry in this window.
KeePass in action
To get KeePass to enter your login credentials onto a web page, you need to do a bit more work than with other password managers. Since it is a standalone app instead of a browser extension, you have to tell KeePass what page it needs to fill in. To get KeePass to enter your login credentials, follow these steps:
- In your web browser, navigate to the page you want to log into.
- Open KeePass, and select the entry for that page.
- Click the button circled in red in the following image:
Additional KeePass features
Considering that KeePass has over 100 plugins and extensions that you can use with it, talking about additional features doesn’t make a lot of sense. Aside from the ability to automatically capture login credentials (which doesn’t really make sense given the design of KeePass), if you can think of some feature that you would like KeePass to possess, you can probably find a plugin or script that can give you that feature. There is also a large list of available plugins and extensions.
Background of KeePass
KeePass started life as a Windows program. It is written using the programming language C#. C# is a fine language, but it requires some special code from Microsoft (the .NET framework). This makes porting KeePass to other operating systems complicated, requiring yet more specialized software to make it all work. Even with that, KeePass running on other operating systems looks like an old Windows program, rather than a modern Mac or Linux app.
KeePassX was created several years ago to be a Linux version of KeePass named KeePass/L. In 2006, the developers decided to make KeePassX into a cross-platform app (one capable of running on multiple operating systems). Unfortunately, development work on KeePassX stopped in October of 2016. This caused a group of KeePassX fans to create their own version (a fork) of KeePassX, called KeePassXC…
Meet KeePassXC: The KeePass Cross-Platform Community Edition
Here’s how the developers describe KeePassXC:
“KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.”
To make this happen, KeePassXC is written in C++, which makes it possible to run natively on Windows and non-Windows operating systems. KeePassXC can read KeePass password databases, making it easy to migrate your passwords over. That said, they are definitely distinct products. The following table lists some of the differences:
| KeePass | KeePassXC |
| --- | --- |
| Runs natively on Windows. To run on other OS’s, must use 3rd-party software. | Runs natively on each operating system it supports |
| Has vast number of third-party plugins | Does not support plugins |
| Built-in cloud sync capability | No built-in sync, works through existing cloud sync service |
| Requires plugins for browser integration | Built-in browser integration |
| Requires plugins for YubiKey 2FA support | Built-in YubiKey 2FA support |
| Requires plugins to generate keyphrases | Keyphrase generator built into Password Generator |
KeePass Support
Since KeePass is created and maintained by the author, there isn’t a support team like you would get with other password managers. That means no phone support, no Twitter, and no email. If you need help with KeePass, the place to get it is in the KeePass forum on SourceForge. The other resource you can use if you have problems is the KeePass Help Center. There is a lot of detailed information here about every aspect of the product. However, much of the information is pretty technical, and may be somewhat confusing for regular users.
How secure and private is KeePass?
KeePass is powerful and flexible. But is your data secure and private if you entrust it to KeePass? Let’s see…
Security
Your KeePass data should be secure against any attacks. It uses AES-256 or ChaCha20 encryption for your data, SHA-256 for your key, and further protects against attacks on your password using a key derivation function (AES-KDF or Argon2) that makes each password guess expensive.
- KeePass is Open Source software. Anyone can examine the code. Since KeePass has an active community of users and developers, it seems likely that someone would notice if there was anything objectionable in the code.
- There is no KeePass corporate cloud where your data is stored. About all someone can determine from an attack on KeePass is that you have an account.
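To show what the “SHA-256 for your key” and “AES-KDF” steps above actually do, here is an added illustration (written for this review, not code from the KeePass project) of the KDBX 3.x key derivation: the master password is hashed with SHA-256, combined with any key-file data into a composite key, stretched with AES-KDF, and mixed with a master seed from the database header. The seeds, round count and password are constructed values; the key-file data is assumed to be already reduced to 32 bytes, and the Argon2 option of the newer KDBX 4 format is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// compositeKey: SHA-256 of the password, optionally followed by 32 bytes of key-file
// data (assumed here already reduced to 32 bytes), hashed together once more.
func compositeKey(password string, keyFile []byte) []byte {
	pw := sha256.Sum256([]byte(password))
	c := sha256.Sum256(append(pw[:], keyFile...))
	return c[:]
}

// aesKDF is the KDBX 3.x key transformation (AES-KDF): each 16-byte half of the
// composite key is AES-256-ECB encrypted `rounds` times under the transform seed,
// then the result is hashed with SHA-256. Cost grows linearly with rounds.
func aesKDF(composite, transformSeed []byte, rounds uint64) ([]byte, error) {
	block, err := aes.NewCipher(transformSeed) // a 32-byte seed selects AES-256
	if err != nil {
		return nil, err
	}
	buf := append([]byte{}, composite...)
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(buf[:16], buf[:16])
		block.Encrypt(buf[16:], buf[16:])
	}
	out := sha256.Sum256(buf)
	return out[:], nil
}

// masterKey is SHA-256(masterSeed || transformedKey), the key that unlocks the database body.
func masterKey(masterSeed, transformed []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, masterSeed...), transformed...))
	return k[:]
}

func main() {
	// Constructed seeds and round count; a real database stores random seeds in its header.
	transformSeed, masterSeed := bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte{0x17}, 32)
	transformed, err := aesKDF(compositeKey("correct horse battery staple", nil), transformSeed, 60000)
	if err != nil {
		panic(err)
	}
	fmt.Println("master key:", hex.EncodeToString(masterKey(masterSeed, transformed)))
}
```

Raising the round count is what makes an offline guessing attack on a stolen database file slower, which is why the review’s advice to pick a strong master password matters: the KDF only multiplies the cost of each guess.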