KeePass is a free and open source (FOSS) password manager. Although not as slick as commercial offerings such as 1Password or LastPass, it gives users complete control over their encryption keys (which are generated locally and held only by the user, so never need to be shared with anyone), and it does not keep passwords in a centralized database that presents a single target for attackers. In our view this makes KeePass the most secure password manager available.
As a FOSS program, KeePass is completely free. In its basic form, KeePass is a stand-alone Windows-only program, but KeePassX is an open source (and fully compatible) clone available for OS X and Linux, as are iKeePass for iOS and Keepass2Android for Android.
Unlike the more integrated commercial solutions, advanced features in KeePass are added via an extensive library of plugins and extensions. These allow great flexibility, scope for customization, and in some cases improved security (for example non-NIST ciphers or an on-screen keyboard), but they could prove daunting to users who want to keep things simple.
Fortunately, the only plugin we would consider essential is one that provides browser integration (discussed later in this article).
Sharing passwords across devices and platforms can be achieved by storing the encrypted .kdbx file in any cloud storage account (such as Dropbox). Again, setting this up is not as intuitive as with commercial offerings, but because the file is encrypted on your own computer before it is uploaded, it stays secure however insecure the platform it is stored on (such as Dropbox!), provided your master password is strong: anyone who obtains the file can try to guess that password offline, at their leisure.
Aesthetics, usability and customer support
Like much FOSS software, KeePass is not as beautiful as its commercial rivals, which combined with a slightly steeper learning curve may put off the non-technically inclined. KeePass is not difficult to use, however, so this should not deter anyone with even a modest amount of computer know-how.
There is, of course, no official customer support, but a good FAQ is available, and the forum on the KeePass website is lively.
Security and Privacy
KeePass is open source, which means the code can be scrutinized by anyone qualified to do so, to check that it does not contain backdoors or other weaknesses. Although this cannot guarantee that everything is above board, it is the best assurance available.
Encryption is effectively 'end-to-end': it is performed entirely on your desktop (or mobile device), and only you know your master password or hold your key file (unless you choose to share them, of course!). Unless you do share them, no one else can access your database.
The downside is that if you lose your master password there is no recovery option! Users should therefore be very careful to memorize their master password and to store their key file securely, with a backup copy kept somewhere safe.
One of the great things about this setup is that even if an adversary obtains your .kdbx file (the encrypted file in which your passwords are stored), they cannot read its contents without the master password or key file. Their only option is to guess the master password offline, which is why the strength of that password, and the number of key transformation rounds set in the database settings, matter so much. This is what makes it reasonably safe to store .kdbx files on insecure platforms such as Dropbox.
By default KeePass 2 uses strong 256-bit AES encryption, with SHA-256 used to hash the master key and to verify the integrity of the data. 'Classic' KeePass (1.x) also supports the Twofish cipher, which we prefer because it was not the cipher selected by NIST (AES has no known practical weakness, so this is a matter of trust rather than cryptanalysis). Twofish and other ciphers can easily be added to KeePass 2 using optional plugins, and since version 2.35 ChaCha20 is built in.
Those very concerned about security may also like to install a software keyboard plugin to foil keylogging software, although an on-screen keyboard does not help against malware that captures the screen or the clipboard. KeePass 2 also has a built-in option to enter the master key on a secure desktop (Tools -> Options -> Security), which is a more robust defence against keyloggers.
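To make the point above concrete, here is an added example (our own illustration, not KeePass's code) of what someone who has copied your .kdbx file can and cannot do. The composite-key step mirrors how KeePass 2 combines a master password and a key file (SHA-256 of the password, the key file reduced to 32 bytes, then SHA-256 of the concatenation). The key stretching uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for KeePass's AES-KDF rounds, which is an assumption for the demo rather than the real algorithm; the salt, key file, wordlist and round count are all constructed for the demonstration.

```python
"""Added example: offline guessing against a copied database, with and without
a key file.  Composite-key construction follows KeePass 2; the PBKDF2 stretch
is a stand-in for AES-KDF.  All values below are constructed, not real secrets."""
import hashlib
import hmac
from typing import Optional


def key_file_key(data: bytes) -> bytes:
    """Reduce a (non-XML) key file to 32 bytes as KeePass 2 does: exactly 32 bytes
    are used as-is, 64 hex characters are decoded, anything else is SHA-256 hashed."""
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Combine the master key components: SHA-256(SHA-256(password) || keyfile_key)."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_key(key_file)
    if not parts:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(parts).digest()


def stretch(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Key stretching (stand-in for AES-KDF).  Every extra round costs the attacker
    as much per guess as it costs you once, when you open the database."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds)


def offline_attack(verifier: bytes, salt: bytes, rounds: int,
                   wordlist, key_file: Optional[bytes] = None) -> Optional[str]:
    """Derive a key for every guess and compare it with the verifier stored in the
    file.  The attacker can only supply a key file if they stole that as well."""
    for guess in wordlist:
        candidate = stretch(composite_key(guess, key_file), salt, rounds)
        if hmac.compare_digest(candidate, verifier):
            return guess
    return None


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of a given shape at a given guess rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


# Constructed demonstration values.
SALT = bytes.fromhex("00" * 31 + "01")
ROUNDS = 5000                       # tiny so the demo is quick; real settings are far higher
KEY_FILE = bytes(range(32))         # stands in for a 32-byte random key file
WORDLIST = ["password", "letmein", "sunshine1", "qwerty123"]

# Database 1: weak master password only.  Database 2: same password plus key file.
verifier_pw_only = stretch(composite_key("sunshine1", None), SALT, ROUNDS)
verifier_pw_and_kf = stretch(composite_key("sunshine1", KEY_FILE), SALT, ROUNDS)


def demo() -> dict:
    return {
        "password_only_cracked": offline_attack(verifier_pw_only, SALT, ROUNDS, WORDLIST),
        "with_keyfile_cracked_without_it": offline_attack(verifier_pw_and_kf, SALT, ROUNDS, WORDLIST),
        "with_keyfile_cracked_with_it": offline_attack(verifier_pw_and_kf, SALT, ROUNDS, WORDLIST, KEY_FILE),
        "years_for_8_lowercase_at_1k_per_s": years_to_exhaust(26, 8, 1_000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak password falls to a four-word dictionary when it is the only key component, but the same password combined with a key file cannot be recovered unless the attacker also has the key file. The last line shows why round counts matter: at a thousand guesses per second an eight-character lowercase password takes years to exhaust, at a million per second it takes days, and the only lever you control is how expensive each guess is.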
Download the latest version of KeePass from the official website, and check the download against the hashes or signature published there. Versions 2.x are referred to as the 'Professional Edition' while the older 1.x versions are known as the 'Classic Edition'. A portable version of KeePass is also available that can be carried on a USB stick. We use the Professional Edition.
1. Create a new encrypted password database (stored as a .kdbx file) by clicking the icon to the top left of the main window. You can save it anywhere, but (as we discuss below) choosing a Dropbox (or similar) folder will allow easy syncing across devices.
2. All passwords in a .kdbx file are protected by a master key, which can be a master password, a key file, or both. A key file is a random secret that no dictionary attack can guess, and it can be carried on a USB stick, but on its own it protects nothing if someone copies it, and it is vital not to lose it! Using a password and a key file together is the strongest option, because an attacker then needs both. For now we'll stick with a master password alone; make sure you choose a strong one, because it is the weakest link in the entire process.
3. Database settings – You can fill in the ‘General’ tab as you see fit.
By default KeePass 2 uses AES-256 encryption with SHA-256 hashing; here we have used Twofish instead (in KeePass 2.x this requires a separate plugin: download it and unzip it into the KeePass install folder). In the 'Security' tab you can also raise the number of key transformation rounds; the '1 Second Delay' button picks a count that takes about a second to compute on your machine, which slows an attacker's offline guessing by the same factor.
4. The other settings can be left alone. Click ‘OK’ to create your secure password database and open the main KeePass window. Create a new password by clicking on the ‘Add Entry’ icon.
KeePass will automatically generate a secure password for you, and you can link the entry to a particular website and set an expiry date.
By clicking on the ‘Generate a password’ icon next to the ‘Quality’ indicator, you can tailor the password to be generated. This can be useful with websites (etc.) that are fussy about what password is used.
The main screen allows various password management functions. The ‘Open URL’ button will open your default browser at the webpage linked to the password.
One handy feature of KeePass is that it can import passwords from a broad range of sources, including from the Firefox password manager.
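Having chosen a cipher and a round count, it is worth knowing that you can check what a database actually uses, because the KDBX file header (signatures, version, cipher ID and, in KDBX 3, the transformation round count) is stored unencrypted; only the entries themselves are ciphertext. The following is an added example written for this article, not KeePass's own code. The sample header is constructed inline so the script runs offline; pass the path of a real .kdbx file on the command line to inspect it instead. The cipher UUIDs are those written by KeePass 2 and by the Twofish cipher plugin.

```python
"""Added example: read the plaintext KDBX header to report cipher and AES-KDF rounds.
Not KeePass's own code.  The sample header below is constructed for the demo."""
import struct
import sys

KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67

# Cipher UUIDs written by KeePass 2 and the Twofish cipher plugin.
CIPHER_NAMES = {
    bytes.fromhex("31C1F2E6BF714350BE5805216AFC5AFF"): "AES-256",
    bytes.fromhex("D6038A2B8B6F4CB5A524339A31DBB59A"): "ChaCha20 (KDBX 4)",
    bytes.fromhex("AD68F29F576F4BB9A36AD47AF965346C"): "Twofish (plugin)",
}

HEADER_FIELDS = {
    0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags",
    4: "MasterSeed", 5: "TransformSeed", 6: "TransformRounds", 7: "EncryptionIV",
    8: "ProtectedStreamKey", 9: "StreamStartBytes", 10: "InnerRandomStreamID",
    11: "KdfParameters", 12: "PublicCustomData",
}


def parse_kdbx_header(data: bytes) -> dict:
    """Parse the plaintext header: three little-endian uint32 (two signatures and the
    version), then type/length/value fields up to EndOfHeader.  KDBX 3 uses a
    uint16 length, KDBX 4 a uint32 length.  Everything after it is ciphertext."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX 2.x database (signature mismatch)")
    major, minor = version >> 16, version & 0xFFFF
    tlv = "<BI" if major >= 4 else "<BH"
    tlv_len = struct.calcsize(tlv)
    fields, offset = {}, 12
    while True:
        field_id, size = struct.unpack_from(tlv, data, offset)
        offset += tlv_len
        value = data[offset:offset + size]
        offset += size
        if field_id == 0:
            break
        fields[HEADER_FIELDS.get(field_id, f"Unknown({field_id})")] = value

    info = {"version": f"{major}.{minor}", "header_length": offset}
    cipher = fields.get("CipherID")
    info["cipher"] = CIPHER_NAMES.get(cipher, f"unknown ({cipher.hex()})") if cipher else "missing"
    if "TransformRounds" in fields:      # KDBX 3: AES-KDF round count stored in the clear
        (info["transform_rounds"],) = struct.unpack("<Q", fields["TransformRounds"])
    else:                                # KDBX 4: KDF settings live in KdfParameters instead
        info["transform_rounds"] = None
    return info


def build_sample_header(cipher_uuid: bytes, rounds: int) -> bytes:
    """Constructed KDBX 3.1 header with dummy seeds, followed by bytes standing in
    for the ciphertext.  Only the layout is realistic; the values are not."""
    def field(fid: int, payload: bytes) -> bytes:
        return struct.pack("<BH", fid, len(payload)) + payload
    hdr = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00030001)
    hdr += field(2, cipher_uuid)
    hdr += field(3, struct.pack("<I", 1))          # CompressionFlags: gzip
    hdr += field(4, b"\x11" * 32)                  # MasterSeed
    hdr += field(5, b"\x22" * 32)                  # TransformSeed
    hdr += field(6, struct.pack("<Q", rounds))     # TransformRounds
    hdr += field(7, b"\x33" * 16)                  # EncryptionIV
    hdr += field(8, b"\x44" * 32)                  # ProtectedStreamKey
    hdr += field(9, b"\x55" * 32)                  # StreamStartBytes
    hdr += field(10, struct.pack("<I", 2))         # InnerRandomStreamID: Salsa20
    hdr += field(0, b"\r\n\r\n")                   # EndOfHeader
    return hdr + b"\x00" * 64


def describe(path: str = None) -> dict:
    """Inspect a real .kdbx file if a path is given, otherwise the constructed sample."""
    if path:
        with open(path, "rb") as fh:
            data = fh.read(64 * 1024)              # the header is far smaller than this
    else:
        data = build_sample_header(bytes.fromhex("AD68F29F576F4BB9A36AD47AF965346C"), 100000)
    return parse_kdbx_header(data)


if __name__ == "__main__":
    for name, value in describe(sys.argv[1] if len(sys.argv) > 1 else None).items():
        print(f"{name}: {value}")
```

Run it against your own database (python kdbx_header.py MyPasswords.kdbx, assuming you save the script under that name) and you can confirm that the cipher you selected is the one in the file and that the round count is not a low legacy value. A KDBX 4 database reports no TransformRounds field because its KDF parameters are stored as a dictionary, which this short example does not decode.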
A portable version of KeePass is available that can be carried on a USB stick, and while it does not support automatic cloud syncing across devices, similar functionality can be had by storing the .kdbx file in a cloud storage folder (such as a Dropbox folder). The catch is that KeePass does not notice when the cloud client updates the file: you need to re-open the .kdbx file to pick up changes made on another device, and if two devices save at the same time one set of edits can be lost. KeePass 2's File -> Synchronize function merges two copies of a database safely and is the cleaner way to reconcile them.
By far the most useful plugins for most users will be the ones that allow full browser integration. We use PassIFox for Firefox (there is also a Chrome version called ChromeIPass). Both talk to KeePass through the KeePassHttp plugin.
1. Download the KeePassHttp plugin and install it. Full instructions are provided on the download page, but it is just a matter of unzipping it into your KeePass folder. Note that KeePassHttp opens a local HTTP port (19455 by default) that any program on your computer can connect to; the first time a browser extension connects, KeePass asks you to approve the association, so never approve a request you did not trigger yourself.
2. Download and install PassIFox (just drag the downloaded passifox.xpi file into your browser), or install ChromeIPass from the Chrome Web Store.
3. Run KeePass with your .kdbx password file open (KeePass can be set to run at startup by going to Tools -> Options -> Integration).
4. Right-click in the password field of a login form and select 'Fill User & Pass'. If the web address matches an entry in your KeePass database, the credentials are filled in. If two or more entries match, you will be asked to select one.
As you can see, integrating KeePass with your browser is a bit fiddlier than with most commercial solutions, but is also hardly rocket science…
Update January 2018: Firefox 57+ (Quantum) uses the WebExtensions standard for all add-ons. PassIFox is not compatible with Firefox 57 or later, although it will still work with forks of earlier versions of Firefox such as Waterfox or Pale Moon. Fortunately, KeePassHttp-Connector makes a great drop-in replacement.
Strong AES-256 cipher with SHA-256 hash authentication (by default; other options available)
Browser integration and lots of extra options via plugins
Good open source community support
We weren’t so sure about
Browser integration and cross-platform/device syncing a bit fiddly to set up
Not very pretty
Thanks to the fact that it is open source, uses top-notch encryption performed entirely on your own device, and does not store passwords in a centralized database that can be hacked (not to mention that it is completely free), KeePass is our top choice of password manager.
There is, however, no getting away from the fact that KeePass has many rough edges compared to its commercial competition, and that to get the most from it requires a bit of rolling up your sleeves and getting your hands dirty (if only a little).
When it comes to keeping your passwords secure, KeePass is hard to beat, but we understand that some may find it fiddly to use. If this is likely to stop you actually using it, then you are better off using a commercial (closed source) alternative that you will use (or Firefox's built-in password manager) than not using a password manager at all.
For the rest of us, however, KeePass is a fantastic password manager.