full screen background image
Monday 20 November 2017
  • :
  • :

What Makes a ‘Good’ Password Manager Good? Part 2: KeePass

KeePass is an open source application available at no cost. It has OSI open source certification.

Downloads for KeePass are available at the developer website. KeePass is available as as a classic 1.x version and “professional” 2.x version. Both versions are in active development. The website has a page describing the differences between the versions. The Windows versions are available with an installer and as a zip file. Both are self-contained. The folder from the installer version, when copied to a USB drive runs fine. The installer merely provides desktop and start menu shortcuts, and automatically copies the program to a desired location.

The 2.x version runs on more operating systems than 1.x, but uses Mono which proved problematic in our test on OSX 10.6.8. This might be overcome with work at the command line in Terminal, but the necessity of this violates the ease of installation requirement.

Ports are available for the 1.x version. The Mac port for this version comes as an OSX app called KeePassX but is reported to have weaker protection against dictionary attacks. The database from version 2.x is not compatible with KeePassX. Thus KeePass is available on Mac OS X if version 1.x is used and reduced protection against dictionary attacks is acceptable.

There is a 2.x compatible port for Android, KeePass2Android. This port installed from Google Play on an Android tablet. It opened a test database created on a Windows Vista computer and transferred passwords to Chrome and Firefox. 2.x ports are available for other platforms as well.

The standard installation of KeePass will allow the login information to be transferred to any web browser by drag and drop. The web page can be accessed from KeePass. Double-clicking on the user name and password in KeePass will copy these to the clipboard for pasting into any browser. More direct interaction with browsers may be available with plugins.

KeePass does not store the password database on the web. They have no plans to offer this ability for security reasons. An individual user could upload the database to a remote storage service and access it there from multiple devices. The database itself is secured as will be discussed further on. The user will have to identify a remote service with acceptable security features where they will do the upload.

KeePass is compatible with a variety of database formats, including the widely used CSV (Comma-Separated Values). Thus, it will be able to import data from any password manager that exports a CSV file. Data from KeePass is readable by any program that reads CSV files.

The standard installation of KeePass does not detect password events in the browser, nor does it fill forms. These capabilities might be available with plugins. However, the availability for specific platform-browser combinations will vary.

KeePass offers the feature of secure notes and attachments. The entire database is encrypted, so any notes or attachments will be secured by the encryption. The standard installation of KeePass does not fill forms, but this feature may be available with plugins.

Both versions of KeePass can be used by multiple users. The synchronization ability is much better in the 2.x version. The 1.x version is not synchronized at all. The 2.x version does not use record-level synchronization, but uses a method which is described in overview. It does not support multi-user permissions, however, a method to approximate this is described in the KeePass discussion forum at Sourceforge.

Security of Encryption

KeePass is an open source project, using open encryption technology. Encryption is done using AES, and hashing is done with SHA-256. These are both well understood and highly regarded algorithms. Additionally, the hash is performed with a random salt. Steps are taken to generate truly random numbers. Steps are taken to prevent against dictionary attacks. Data is encrypted in the memory used by the KeePass process. Some protection against keyloggers is provided. All of the security features are described on the KeePass website.

KeePass allows for 2 factor authentication by providing the option for a keyfile as well as the password. This is all done locally so the user can secure the process to their satisfaction. If the database is stored in an online storage service, the keyfile can be kept locally on each device that needs access. Users will have to decide whether this meets their security needs.

KeePass will generate secure a random password for each site that you use. If you choose your own password KeePass will show an indicator bar describing the strength of the password. It does not prevent you from choosing a poor password but does attempt to warn you with the color coding of the indicator bar.

The availability of plugins gives more functioning to KeePass, but does open a security concern. Plugins are installed by getting copied into the application folder and will run if they are present. This means that KeePass could be targeted with a malicious plugin that would merely need to be copied to the correct location. This could be prevented by write-protecting the folder as an administrator and then running from a non-admin account.

All ports of KeePass to other operating systems are labeled as unofficial on the website. Thus we are not explicitly assured that the security measures described for the main product are implemented correctly in the ports.

KeePass scores well on the openness standard. They use open security algorithms and they are fairly detailed in describing the security of the product. They do this on a dedicated page of the website that is clearly visible in the site menu on each page.

Sean Comeau is a computer security and cryptography enthusiast based in Vancouver, BC, Canada.