KeePass
Written on 05/13/11 at 21:24:05 EST by Darkbee
SoftwareKeePass

  • Usage: Password Manager
  • Platform: Windows, Linux*,Mac*
  • License: Open Source
  • Version: 1.19
  • Download: 1.5 MB


Do you need more than one hand to count all of the websites that you log into on a regular basis?  Highly probable.  Do you use the same combination of username and password over and over regardless of website?  Quite possibly.  Is this secure?  No.  So what do you do if you have many website username and password combinations, or even just a handful but you want to make them more secure by having unique and obscure passwords that you mostly likely won't be able to easily memorize?  Why, you use a password manager of course!  The concept of a password manager has been around pretty much since the dawn of the Internet and I've been using one for years ever since I began to realize that I couldn't remember all the various accounts I'd signed up for and their accompanying information over the years (and believe me their number is vast).

Now of course, these days browsers have built-in capabilities to remember usernames and passwords but I've been burned by this in the past.  Filed under the "I'm a computer guy so you think I'd know better" category, I have failed to make adequate backups in the past and lost browser data such as login information.  Aside from which, if I'm using public computers then I certainly don't want to leave my login information behind for the next user to come along and borrow.  Using the same username and password for every single website ever is not an option e.g. your first name and last two digits of your year of birth for your username and your mom's birthday for your password).  Writing your username and passwords on post-it-notes stuck around your monitor is not an option.  Listing all your username and passwords in an easily readable, even if it's password protected, Microsoft Excel worksheet is not an option. A dedicated and secure tool for managing my sensitive data is the best solution as far as I can tell, and that solution is KeePass.

I've been using KeePass for years, and I've never had a need to look elsewhere.  When I first started looking at password managers I tried many different ones available but they all had features that I didn't like or missing features that I felt were needed.  I eventually settled on TopSecret but then its homepage just disappeared one day and although I was left with fully functional software, it did have some features missing but now without possibility of enhancement.   Then I stumbled upon KeePass and I've never looked back, encouraging many family, friends and co-workers to use it along the way.

For me the first biggest plus in KeePass is its interface; It's not overly cluttered, but it's functional.  There aren't five thousand icons on the toolbar, just those for the most important features you need.  Information is displayed in a succinct way, without the need to maximize the entire application window and it's unobtrusively minimized to the system tray when I'm not using it.  When viewing lists of entries, you can choose which columns you wish to view and reorder those columns, and choose how you wish to sort the list.  This makes finding entries you need a breeze, but if you still can't find what you're looking for then the search box right at the top is always available.  The overall flow of the interface is excellent and I don't feel like I have to click through dozens of screens to get what I'm looking for.

The next and probably the most important feature of all is the auto-type feature that is triggered by a global hotkey.  That is to say that I can set up a keyboard combination of keys that when pressed will spring KeePass into action and it will look at the window that has current focus (my browser) and try to decipher what web form is being displayed and populate it with my username and password details accordingly.  What is even more useful is that if the website I'm using has a non-standard form that expects more than just a username and password, then I can instruct KeePass on precisely what information it should use and in what order.  This is common with banks today that for security reasons may require you to enter your zip code (post code), member ID, mother's maiden name or other additional information.  What's more, sometimes the information is entered across multiple pages, but that's okay because KeePass can handle that too.  You can instruct it to wait for a predetermined period of time before it continues populating web form fields.  This auto-type feature is smart too because if there are any instances where there are several possibilities then KeePass will prompt you for which entry you wish to use.  For example, you might have two GMail accounts, one for personal and one for business use.  So if you go to log into GMail and KeePass sees that there are two GMail entries, it will ask you which one you wish to use to fill out the login page.  In addition, if for some reason the auto-type doesn't automatically work, then you can force KeePass to use a certain entry by selecting it in KeePass and then pressing CTRL+V.  If this doesn't work then your final option is to use functionality to copy a username or password individually to the Windows Clipboard and then paste them into the browser window.  One thing I like about this is that it's secure, where KeePass will actually erase the Windows Clipboard after a period of time so that your username or password doesn't stay on the Clipboard (ready for someone else to paste and possibly misuse).

Finally, and this almost goes without saying but the key component of KeePass is that it's secure.  Even if someone gets hold of your database file, it's encrypted with an industry standard encryption algorithm which means that somebody can't just open the file in Notepad and start merrily reading off your passwords. The only way for them to get to the database would be to try to decrypt it using a brute-force method i.e. try to guess the master password.  As long as your master password is something obscure (but easily memorable by you of course) and sufficiently long the chances of it being guessed correctly are almost nil.  As a side note, remember that your master password should probably be at least 8 characters in length and contain a mixture of upper and lower case letters, numbers and even some symbols.  Choosing your kids' names, of the name of your pet, or a birth date of some kind is not secure, those are all guessable.  It's also worth noting that your browser is mostly likely not secure and that if someone gained access to it, they could retrieve all the username and passwords stored within it.  Even if your browser allows you to set a master password (as Firefox does), the files behind the browser that store all your information are not encrypted and thus easily readable with simple text programs.  You can even take KeePass security a stage further and along with a master password, require a "key file" to access your encrypted database. This key file is just that, a special file that sits on a drive somewhere say a floppy or USB disk and must be accessible when the KeePass database is opened.  I personally don't use this as I feel it's overkill but the option is there for those are have extreme concerns as to the security of their information.

As far as what can be stored in KeePass, it's pretty standard information.  You can categorize all your username/password entries into custom categories or folders.  For example you can create a category for insurance/financial websites and then another category for online gaming websites. The choice is really yours as to how your want to organize the entries.  Aside from the username and password,  each entry can have its own title, you can store an associated web address (URL), also the date of when/if a password expires (it's optional), free-form notes that let you enter any information you want and you can even attach a file (a feature I haven't used).  With the expired passwords, you can choose to be notified upon opening KeePass of those entries that are due to expire soon.  Another great feature I like is that KeePass gives you an indication of the strength of the password you enter, so you have a good idea of whether you're choosing appropriate passwords or not.  Furthermore, you can even have KeePass randomly generate secure passwords for you, and choose specific criteria like only use letters or numbers, or include/exclude spaces etc.

Some final features that may or may not be important to you, but you should definitely consider are:
Import/Export; KeePass allows you to import from various file formats (including some other popular password managers), and you can also export some or all of your information to popular file formats like CSV, HTML or plain text.
Plugins; Everybody likes a product that is expandable by plugins. I personally haven't ever found a need to use a plugin since KeePass has all the features I need built-in.  However, the KeePass website says that many plugins expand the import/export capabilities.
Portability, As a final plus, KeePass can be used portably from a USB Flash drive or similar device, so you can use it on any supported operating system. This is handy if you're frequently away from your primary computer but still need access to all your private data.

Before I wrap up, I wanted to give highlight one important point that I see constantly causes users much confusion.  There are currently two versions of KeePass, one labeled KeePass Classic and given a version number of 1.x, and the other labeled KeePass Professional and given a version number of 2.x.  Well, 2 is clearly higher than 1, so obviously I want version 2 right? Wrong!  But what about Professional, clearly that's better than "Classic", classic means "old", right?  Wrong.  Basically there are two separate versions developed independently using different programming languages (but by the same developers).  KeePass Classic was the original and developed using C++ I think it is, whereas KeePass Professional is developed using Microsoft's .Net platform.  You don't really need to know what that means but from a developer's standpoint, they claim that it's easier to implement some of the more complex security features using the .Net platform. I use the classic version and it more than suffices for my needs, and that also means that I'm not tied to the .Net platform (if it's not installed on the PC, you can't use KeePass Professional until you install it).  Unless you need things like being able to link your KeePass database directly to your Windows User Account, or full Unicode support (which you might for certain languages) then I see no reason to use KeePass Professional over KeePass Classic, it isn't "better", it's just different.  One critical thing you should note that is that the database formats between the two versions are not interchangeable, so although you can transfer between the two, it's rather inconvenient to do so.  It's best just to stick to one version and in my humble opinion that version is Classic unless you have very good reason to go with the Professional version.  To understand the differences for yourself please see the Keepass edition comparison page.

To get back on track and draw this review to a close, whether you only have a handful of username and passwords to remember, or you sign up for every website under the sun, KeePass has something for you to help make your login information more secure, or to help ensure you don't ever have to worry about forgetting/losing vital information.  It's easy to use and has great automation features to ensure you have to do only the minimum of user interaction.  Mostly importantly of all, your usernames and passwords will be kept safe and secure without danger of being exposed or falling into the wrong hands.  Extremely useful if you happen to be an international super spy, and still very useful even if your not!

    Pros
  • It's open source ergo free!
  • A portable version is available from PortableApps.com which means you can run it in Windows from your favorite portable device while you're on the go.  Note that .Net version (KeePass Professional) is not considered portable since many public computers don't have the .Net platform installed.
  • Very easy to use and yet still has a ton of useful features.
  • Excellent integration with browsers to auto-complete login/web forms, with the ability to heavily customize exactly what and in what order the data gets entered into a form.
  • *It's cross platform!  A version for Linux and Mac operating systems can be found at http://www.keepassx.org.

    Cons
  • Not really any that I can think of, sometimes the Auto-Type feature doesn't work for one reason or another but this probably isn't really the fault of KeePass and it does provide some mechanisms for forcing certain sites where username/password entry might be non-standard (i.e. you need to enter additional information).
  • If I had to scrape the barrel then I could complain that there's no explicit field for email address associated with an account but the developers respond to that by saying that often the email address is the username and that you can always add an email address in the free-form notes field, which is fair enough.
  • Not really a con of the software itself per se but I'm critical of the fact that there are two editions of KeePass, which confuses most users.  9 times out of 10 the "Classic" edition will suffice for most users but of course people jump on terms like "professional" and they think "oh I need to uber-mega-super-professional edition just because!".  And that's to say nothing of the fact that they also have different version numbers. If in doubt, just stick with KeePass Classic.

News and Comments Brought to you by: Darkbee.com
The comments are owned by the poster. We aren't responsible for its content.