KeePass

KeePass
Developer(s): Dominik Reichl
Initial release: November 16, 2003
Stable release: 1.42 and 2.55 [1] (October 12, 2023)
Repository: SourceForge
Written in: C# (2.x version), C++ (1.x version)
Operating system: Windows, Linux, macOS, BSD
Platform: .NET Framework, Mono
Available in: English
Type: Password manager
License: GPL-2.0-or-later
Website: keepass.info

KeePass Password Safe is a free and open-source password manager primarily for Windows. It officially supports macOS and Linux operating systems through the use of Mono. [2] Additionally, there are several unofficial ports for Windows Phone, Android, iOS, and BlackBerry devices, which normally work with the same copied or shared (remote) password database. [3] [4] [5] [6] [7] KeePass stores usernames, passwords, and other fields, including free-form notes and file attachments, in an encrypted file. This file can be protected by any combination of a master password, a key file, and the current Windows account details. By default, the KeePass database is stored on a local file system (as opposed to cloud storage). [8]


KeePass comes in two variants: KeePass 1.x and KeePass 2.x. Although 1.x is the older variant, it is supported indefinitely; as Dominik Reichl puts it, "2.x isn't the successor of 1.x, and 1.x isn't dead". [9] KeePass 2.x is written in C# rather than the C++ of 1.x. The additions in KeePass 2.x are mainly communication features: authentication with the Windows user account, remote and shared database editing, and many plugins that provide communication and authentication with various web browsers, databases and more. [10] [11]

KeePass 1.x and 2.x both support plugins, although more plugins are available for 2.x. [11] KeePass has a password generator and a synchronization function, supports two-factor authentication, and has a Secure Desktop mode. Its Two-Channel Auto-Type Obfuscation feature offers additional protection against keyloggers. [12] KeePass can import from over 30 other commonly used password managers. [12]

A 2017 Consumer Reports article described KeePass as one of the four most widely used password managers (alongside 1Password, Dashlane and LastPass), being "popular among tech enthusiasts" and offering the same level of security as non-free competitors. [13]

A 2019 Independent Security Evaluators study described KeePass, like other widely used password managers, as being unable to prevent Windows 10 from leaving passwords in cleartext in RAM after they have been displayed in Windows-controlled GUI controls. [14] In addition, several GitHub projects (KeeFarce, KeeThief, Lazanga) specifically target a running KeePass instance to steal all of its data once the host is compromised. KeePass cannot prevent password theft in that situation and, as Dominik Reichl, the administrator of KeePass, states, "neither KeePass nor any other password manager can magically run securely in a spyware-infected, insecure environment." [15]

Overview

Import and export

The password list is saved by default as a .kdbx file, but it can be exported to .txt, HTML, XML and CSV. [16] The XML output can be used in other applications and re-imported into KeePass using a plugin. The CSV output is compatible with many other password safes like the commercial closed-source Password Keeper and the closed-source Password Agent. Also, the CSVs can be imported by spreadsheet applications like Microsoft Excel or OpenOffice/LibreOffice Calc.

File format support can be expanded through the use of KeePass plugins. [17]

Multi-user support

KeePass supports simultaneous access and simultaneous changes to a shared password file by multiple computers (often via a shared network drive); however, there is no provisioning of access per group or per entry. [18] As of May 2014, there are no plugins available to add provisioned multi-user support, but there is a proprietary password server (Pleasant Password Server) that is compatible with the KeePass client and includes provisioning. [19]

Auto-type and drag and drop

[Figure: an example of KeePass's auto-type function, which is triggered by a global hotkey]

KeePass can minimize itself and type the information of the currently selected entry into dialogs, web forms, etc. KeePass has a global auto-type hotkey. When KeePass is running in the background (with an unlocked database) and the user presses the hotkey, it looks up the selected (or matching) entry and types the login and/or password character sequence. [20] All fields, such as title, username, password, URL, and notes, can be dragged and dropped into other windows. [citation needed]

Windows clipboard handling allows double-clicking on any field of the password list to copy its value to the Windows clipboard.

KeePass may be configured to randomize the order in which characters are entered, to make keystroke logging harder. The feature is called Two-Channel Auto-Type Obfuscation (TCATO). [21]

Clipboard reset

KeePass automatically clears the clipboard some time after the user has copied one of their passwords into it. KeePass also features protection against clipboard monitors (other applications are not notified that the clipboard content has changed). [citation needed]

Browser support

The auto-type functionality works with all windows, and consequently with all browsers. The KeeForm extension fills in user details into website form fields automatically. It is available for Mozilla Firefox, Google Chrome, and Microsoft Edge. Internet Explorer also has a browser integration toolbar available. [22]

Built-in password generator

[Figure: user interface of the password generator]

KeePass features a built-in password generator that generates random passwords. Random seeding can be done through user input (mouse movement and random keyboard input). [20]

Plugins

KeePass has a plugin architecture. There are various plugins available from the KeePass website (such as import/export from/to various other formats, database backup, integration, automation, etc.). Note that plugins may compromise the security of KeePass, because they are written by independent authors and have full access to the KeePass database. [11]

Wrapper

KeePass has an open-source wrapper, QuicKeepass, that allows KeePass to be used more efficiently on Linux. [23]

Cryptography

Runtime security

[Figure: "Add Entry" dialog in KeePass]

According to the utility's author, KeePass was one of the first password management utilities to use security-enhanced password edit controls, in this case one called CSecureEditEx. [24] The author makes several claims regarding the security of the control and its resistance to password revealing utilities; however, the author does not cite or make any references to any third-party testing of the control to corroborate the claims of its security. [25]

Passwords are protected in memory while KeePass is running. On Windows Vista and later versions, passwords are encrypted in process memory using Windows Data Protection API, which allows storing the key for memory protection in a secure, non-swappable memory area. On previous Windows systems, KeePass falls back to using the ARC4 cipher with a temporary, random session key. [26]

Offline security

Access to the database is restricted by a master password or a key file. Both methods may be combined to create a "composite master key". If both methods are used, then both must be present to access the password database. KeePass version 2.x introduces a third option—dependency upon the current Windows user account. [27] KeePass encrypts the database with the AES, Twofish or ChaCha20 symmetric cipher, where the first two are used in CBC mode with PKCS7 padding. AES is the default option in both KeePass editions; Twofish is available in KeePass 1.x, and ChaCha20 is available only in KeePass 2.35 and higher. [28] However, a separate plugin provides Twofish as an encryption algorithm in KeePass 2.x. In KeePass 1.x (KDB database format), the integrity of the data is checked using a SHA-256 hash of the plaintext, whereas in KeePass 2.x (KDBX database format), the authenticity of the data is ensured using an HMAC-SHA-256 over the ciphertext (Encrypt-then-MAC construction). [29]
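The composite master key and the two integrity designs contrasted above, as an added stand-alone Python illustration that is not KeePass's own code and does not implement the real KDB/KDBX formats: a toy SHA-256 keystream stands in for AES/Twofish/ChaCha20, and the key-file handling and the split into encryption and MAC keys are assumptions made for the example. The point it shows is that the 1.x plaintext hash can only be checked after untrusted data has already gone through the decryptor, whereas the 2.x Encrypt-then-MAC check rejects a tampered file before decryption starts.

```python
import hashlib
import hmac
import os

# Toy cipher: XOR with SHA-256(key || nonce || counter) blocks. NOT AES/ChaCha20;
# it only stands in so the two integrity designs can be compared offline.

def composite_key(password=None, key_file=None):
    """Simplified composite master key (assumption): hash each component,
    concatenate in fixed order, hash again. Omitting either part changes the key."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    if not parts:
        raise ValueError("need a master password, a key file, or both")
    return hashlib.sha256(parts).digest()

def _xor_keystream(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal_kdb_style(key, plaintext):
    """1.x design: SHA-256 of the PLAINTEXT is encrypted together with it."""
    nonce = os.urandom(16)
    return nonce + _xor_keystream(key, nonce, plaintext + hashlib.sha256(plaintext).digest())

def open_kdb_style(key, blob):
    """Returns (ok, plaintext). Decryption must run on untrusted input before
    the hash can be checked; ok is False when the data was tampered with."""
    body = _xor_keystream(key, blob[:16], blob[16:])
    plaintext, tag = body[:-32], body[-32:]
    return hmac.compare_digest(tag, hashlib.sha256(plaintext).digest()), plaintext

def _split_keys(key):
    # Assumed derivation of separate encryption and MAC keys from the composite key.
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()

def seal_kdbx_style(key, plaintext):
    """2.x design (Encrypt-then-MAC): HMAC-SHA-256 over nonce || CIPHERTEXT."""
    enc_key, mac_key = _split_keys(key)
    nonce = os.urandom(16)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_kdbx_style(key, blob):
    """Returns plaintext, or None if the MAC fails: nothing is decrypted then."""
    enc_key, mac_key = _split_keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor_keystream(enc_key, nonce, ct)
```

Flipping one byte of a sealed blob makes open_kdb_style return (False, garbled plaintext) only after decrypting, while open_kdbx_style returns None without ever running the cipher; a wrong composite key fails the same way.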

Notable KeePass derivatives

History

KeePass at one time had a paste-once functionality, where after a single paste operation, the clipboard would be cleared automatically, but this was removed in version 2.x due to incompatibility and insufficient effectiveness. [33]


References

  1. "KeePass 2.55 released". KeePass.
  2. "Setup". KeePass. Archived from the original on 2023-12-09.
  3. "Download". KeePass.
  4. "7Pass". Via WordPress.
  5. "KeePassDroid". Google Play Store. Brian Pellin. Retrieved 2024-03-24.
  6. "BlackBerry World – KeePass for BlackBerry". App World. BlackBerry. Archived from the original on 2013-06-22. Retrieved 2014-03-26.
  7. "iOS application". iTunes. Apple.
  8. Zukerman, Erez. "Tools for the Paranoid: 5 Free Security Tools to Protect Your Data". PC World. Retrieved 2013-07-14.
  9. Reichl, Dominik. "Development Status FAQ". KeePass.
  10. Reichl, Dominik. "Edition Comparison". KeePass.
  11. Reichl, Dominik. "Plugins". KeePass.
  12. Rubenking, Neil. "KeePass Review & Ratings". PC Magazine. Retrieved 2014-06-11.
  13. Chaikivsky, Andrew (2017-02-17). "Everything You Need to Know About Password Managers". Consumer Reports. Retrieved 2018-06-23.
  14. Bednarek, Adrian. "Password Managers: Under the Hood of Secrets Management". Independent Security Evaluators. Retrieved 2019-03-24.
  15. Reichl, Dominik. "Security Issues". KeePass. Archived from the original on 2019-09-03. Retrieved 2019-03-24.
  16. Reichl, Dominik (2019). "Features". KeePass. Retrieved 2019-12-31.
  17. "2.x Plugins". KeePass. Retrieved 2019-01-26.
  18. Reichl, Dominik. "KeePass Help Center". Retrieved 2012-12-28.
  19. "Pleasant Password Server". Retrieved 2014-05-29.
  20. Markton, Ben. "KeePass Password Safe Professional". CNET. Retrieved 2014-06-11.
  21. Reichl, Dominik. "Two-Channel Auto-Type Obfuscation". KeePass. Retrieved 2021-09-15.
  22. "KeeForm". Retrieved 2014-06-24.
  23. "QuicKeepass". September 28, 2021. Via GitHub.
  24. Reichl, Dominik. "Secure Edit Controls". KeePass. Retrieved 2009-11-14.
  25. Reichl, Dominik (2005-04-17). "CSecureEditEx – A More Secure Edit Control". The Code Project. Archived from the original on 2006-02-17.
  26. Reichl, Dominik. "Security". KeePass. Retrieved 2007-12-13.
  27. Reichl, Dominik. "Composite Master Key". KeePass. Retrieved 2009-11-14.
  28. Reichl, Dominik. "News: KeePass 2.35 available!". KeePass. Archived from the original on 2024-03-14. Retrieved 2020-10-11.
  29. Reichl, Dominik. "Security". KeePass. Retrieved 2020-10-11.
  30. Geyer, Felix. "KeePassX 2.0 has arrived". KeePassX. Archived from the original on 2015-12-22. Retrieved 2015-12-07.
  31. "Development stopped". 2021-12-09. Archived from the original on 2021-12-12. Retrieved 2021-12-09.
  32. "KeePassXC Password Manager". KeePassXC. Archived from the original on 2024-03-21. Retrieved 2017-01-26.
  33. Reichl, Dominik. "What happened to the paste-once functionality in 2.x?". KeePass Forums. Retrieved 2012-10-14. Via SourceForge.