KeePass Review (2024)

Editors’ Note, February 9, 2023: A security researcher recently revealed that KeePass is vulnerable to an attack that allows hackers to get at your locally stored passwords using nothing more sophisticated than the free app Notepad. While there haven’t been any known breaches using this method, it’s still worrisome. We’re reexamining KeePass and will update the rating as necessary. That said, KeePass’ rating is already only 2.5 stars. We recommend that you choose one of our top-rated password managers instead.

Many people want a password manager that stays out of sight, quietly collecting credentials and generating new passwords when prompted. Open-source free password manager KeePass is not for those people. It lacks a lot of the ease-of-use features you associate with modern password managers, such as automatic password capture and replay. Its interface isn't particularly attractive either, and the Auto-Type function didn't work with some multipage logins during our testing. On the plus side, KeePass allows for local credential storage, which is more secure than storing your passwords in the cloud, and you can configure it with the features you want using its trove of associated plug-ins. But if you’re looking for a password manager you can set and forget, I recommend the free tier of PCMag's Editors' Choice winner, Bitwarden, instead.


You can install KeePass on Windows, Mac, or Linux systems. Other users have contributed unofficial ports of the product for Android and iOS, but this review specifically covers the official product.

Getting Started With KeePass

Downloading and installing KeePass is easy, but unlike other free password managers such as Bitwarden, LogMeOnce, and NordPass, there is more than one version of the software available. Editions 1.x and 2.x are available to download and are kept current by the developers. A look at an edition comparison chart provided by KeePass shows that edition 1.x is a pared-down password manager that doesn't have a lot of security settings included. If you aren't sure which edition to download, KeePass recommends downloading version 2.x.


Getting started with KeePass isn't very user-friendly. After installing the software, a password database window appears with no instructions for use. Other password managers such as LastPass and Keeper prompt users to create a master password and import their existing passwords with just a couple of clicks. Not so with KeePass. If you want to learn how to use the password manager, you must visit the KeePass website and look for the tutorial. Here's an abbreviated summary of the process:

  • Create a new password database.

  • Click File > New... in the main menu.

  • A window pops up and asks you to create a master password.

  • Create a strong, unique master password.

  • During this step, you can also tick the box that reads Show expert options, which allows you to create multi-factor authentication options for your account.

  • Choose whether to create a key file or attach the data to the current Windows user account. (I explain these authentication options later in the Multi-Factor Authentication section.)

  • Print an Emergency Sheet. It has all the information you need to access your database. You can also print a key file backup at this time.


When all this is done, you can finally view your empty database. This is a simple window with your password groups listed in the left menu (including one titled "eMail") and your stored passwords appearing in the larger, right-hand window. When compared with the slick and modern layouts of paid password managers such as Keeper and Zoho Vault, KeePass' database interface looks dated.

Adding Passwords to KeePass

To import your current passwords into KeePass, click the File tab at the top of the window, and choose Import. KeePass can import password files from more than 45 other password managers, including 1Password, Bitwarden, Dashlane, Kaspersky Password Manager, LastPass, and RoboForm. KeePass also imports passwords from Chrome and Firefox browsers. Bitwarden supports imports from more than 50 other password managers and all major browsers.

Creating New Passwords With KeePass

KeePass' standard password creation process is fairly straightforward, but there are a lot of extra options available that can muddy things up pretty quickly. Paid password managers such as 1Password and Keeper make password creation simple, with painless, straightforward instructions.

To add a new password to your database, right-click on the password entry view on the right side of the window. Choose Add Entry, and in the pop-up window, create a title for your entry, your username, password, and other vital information. KeePass automatically generates 20-character passwords containing lowercase letters, uppercase letters, and numbers for new password entries.


I strongly advise clicking on the password generator button within the add entry window and ticking the box to include special characters within the settings tab. I typically recommend creating passwords that are at least 20 characters and include both letter cases, numbers, and special characters. In the future, I would like KeePass to include special characters in its default password generation settings.

From the add entry screen, you can choose an expiration date and time for your password. This is a cool feature I haven't seen on other password managers. If you want to remember to update your email password three months from now, you can specify that request when you create or edit the password.

Also on the Settings screen, you can choose to generate a password using a pattern or using an algorithm. KeePass has instructions for generating passwords using these methods, but for most people, especially first-time password manager users, the 20-character passwords created by KeePass (with the special characters box checked) should be sufficient.

One handy feature of the password generator is the password profile section. Clicking on the profiles dropdown menu allows you to choose whether to create new passwords based on the character parameters set by the last generated password, generate a fresh password based on the default settings, create hex keys using 40/128/256-bit settings, or generate a MAC address. The first two options are the easiest to use and accepted by most password fields.

In the advanced tab in the password generation section, you can choose whether you want characters in passwords to appear only once and whether you want to exclude look-alike characters such as 1 I L, or O 0. Have something against the letter K? You can choose to exclude characters from appearing in all future generated passwords, too.

The preview tab creates a list of sample passwords based on the rules you specified on the Settings and Advanced pages. Seeing a preview of your potential passwords can help you decide whether your passwords are complicated enough.
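To make the effect of these generator options concrete, here is an added example (not KeePass code and not from the original review) that builds a character set from the same kinds of choices and reports the resulting entropy. The function names, the look-alike set, and the use of Python's `string.punctuation` as the special-character set are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed look-alike set for illustration; the review lists "1 I L, or O 0".
LOOKALIKES = set("1Il0O")

def build_alphabet(specials=False, no_lookalikes=False, exclude=""):
    """Return the list of characters a password may be drawn from."""
    chars = string.ascii_lowercase + string.ascii_uppercase + string.digits
    if specials:
        chars += string.punctuation  # 32 printable ASCII symbols
    banned = set(exclude) | (LOOKALIKES if no_lookalikes else set())
    return [c for c in chars if c not in banned]

def entropy_bits(alphabet_size, length, unique=False):
    """Entropy of a uniformly random password, in bits."""
    if not unique:
        return length * math.log2(alphabet_size)
    if length > alphabet_size:
        raise ValueError("not enough distinct characters")
    # Without repetition, each position has one fewer choice than the last.
    return sum(math.log2(alphabet_size - i) for i in range(length))

def generate(length=20, unique=False, **options):
    """Generate a password with a CSPRNG; options go to build_alphabet()."""
    pool = build_alphabet(**options)
    if not unique:
        return "".join(secrets.choice(pool) for _ in range(length))
    if length > len(pool):
        raise ValueError("not enough distinct characters")
    # Draw without replacement so every character appears at most once.
    return "".join(pool.pop(secrets.randbelow(len(pool)))
                   for _ in range(length))

if __name__ == "__main__":
    cases = [
        ("letters + digits (review's default)", {}, False),
        ("with special characters", {"specials": True}, False),
        ("specials, no look-alikes", {"specials": True,
                                      "no_lookalikes": True}, False),
        ("specials, each character once", {"specials": True}, True),
    ]
    for label, opts, unique in cases:
        size = len(build_alphabet(**opts))
        bits = entropy_bits(size, 20, unique)
        print(f"{label:38} |alphabet|={size:3} {bits:6.1f} bits  "
              f"{generate(20, unique, **opts)}")
```

Every restriction (excluding look-alikes, banning a letter, forbidding repeats) shrinks the search space slightly, while adding special characters grows it; at 20 characters all of these settings remain well above 100 bits.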

Auto-Type and Using Your Passwords Online

Unfortunately, using KeePass for entering passwords around the web is a bit more complicated than creating them. Where other password managers such as Dashlane and Keeper have browser extensions that capture new passwords and fill in forms with your current credentials with a single click, KeePass does not offer such features. Instead, the program has something called Auto-Type, which is an interesting process but doesn’t seem as handy as credential capture methods used by commercial password managers.

Auto-Type simulates typing at a keyboard to fill in your saved credentials. To use Auto-Type, you need to make sure you have the correct starting input field selected. For example, if you want to fill in a form with a username and password, you need to first click inside the username field. Click back into the KeePass interface, right click on the credential you want to use, scroll down to Perform Auto-Type, and sit back and watch the fields fill in.

To make this process go a bit faster, I recommend memorizing a few KeePass-related keyboard shortcuts. Pressing Ctrl-U launches the URL of the currently selected item in your credential list. After the page opens, pressing Ctrl-Alt-K switches the focus back to KeePass. Click on the password entry again. Pressing Ctrl-V invokes Auto-Type in the window you just left. Yes, it's the same Ctrl-V you use to Paste, which is confusing.

By default, KeePass types the username, simulates a Tab, types the password, and simulates pressing Enter. This is represented as {USERNAME}{TAB}{PASSWORD}{ENTER}. If a given website requires a different sequence of keys, KeePass allows you to create a new Auto-Type sequence using an editor that lets you click the desired items to add them.

In theory, all of the above should make handling multipage logins a snap. However, in testing, I couldn't get Auto-Type to work with Yahoo Mail's two-page login. In this case, I had to manually copy and paste the password into the password field on the second page.

All in all, this method of password replay is just not as fast and user-friendly as the methods deployed by other free password managers such as Bitwarden and NordPass. I would like to see KeePass create an easier method (that doesn't require using a plug-in) for entering credentials into web fields.

Storing Other Credentials in KeePass

Most password managers allow you to store more than just passwords in your database, and KeePass is no exception. You can store a lot of information in the password manager; it just takes a few steps and requires some customization.

For example, adding a credit card entry to your list of credentials requires you to click on the specified group entry, then right click in the credential field. Choose Add Entry and give your credit card entry a title. Click the advanced tab, then click add. Specify a name for your credit card, and add the credit card number to the Value section. Want to add a photo of the front and back of your card? Click Attach to add a file attachment to this database entry.


Further customize your entry by clicking on the properties tab and specifying colors, tags, URLs, and associated plug-ins. Click Auto-Type to determine whether to enable the function for this entry. The history tab lets you see all the versions of your credential entry, and you can delete, restore, or view them.

Other password managers make this process so much easier, but they sacrifice some of the customization options. Free password manager Bitwarden only stores payment cards and identity information, but you can add custom fields to the entries. Filling in forms is pretty easy with a paid password manager such as Keeper, where you right click in a form field to bring up the KeeperFill popup and then click a tab matching the record type of the form you want to fill.

Database Synchronization

KeePass maintains its database in local storage, not in the cloud. Keeping your data local minimizes the possibility of a breach. Most other password managers provide convenient storage and synchronization via the cloud, which isn’t inherently insecure but comes with risks not associated with local storage.

With KeePass, you can sync multiple installations, but it's not as automated as cloud-based syncing. At the simplest level, you can synchronize two KeePass database files. Once done, each will contain everything the other does, without duplication. Typically, you would copy your KeePass database to a thumb drive, synchronize it on another system, and then copy it back from the thumb drive. If an item already present in both has been edited in both, the most recent change takes priority. There are a number of plug-ins that ease the synchronization process.

Strong Security With KeePass

KeePass supports the Advanced Encryption Standard (AES) and the Twofish algorithm to encrypt its password databases. Encryption includes the entire database, so that means your usernames, passwords, and notes are all encrypted, too.

The password manager also has security-enhanced password edit controls. The passwords entered in those controls aren't visible in the process memory of KeePass.

Multi-Factor Authentication Options

Unlike LastPass, KeePass does not allow you to use hardware security keys or one-time passwords for multi-factor authentication with its base product. That said, if you choose to use one of the many plug-ins available for KeePass, you can create Time-based One-Time Passwords (TOTPs), use RSA certificate-based keys, or unlock your account using Windows Hello. It's a uniquely customizable experience, but it does require downloading and installing additional software, which is not as convenient and user-friendly as other password managers.

If you choose not to download a plug-in, you can still protect your passwords with forms of multi-factor authentication. You can either create a key file or you can attach your KeePass account to your Windows user account.

A key file is what it says on the tin: a file that contains a key. In this case, you can create an XML file using either Random mouse input (moving your mouse around an image to generate 256 bits of data) or Random keyboard input (typing random characters into a field to generate 256 bits of data). The XML file is stored on your computer. You can use one key to access multiple KeePass databases, but if an attacker accesses your key file, they can access all of your databases until you change your master password.

Choosing to attach your KeePass account to your Windows user account comes with a risk. If a catastrophe such as hard disk damage occurs, you could lose access to your Windows user account. If you lose access to your Windows user account, you will also lose access to your stored KeePass passwords. If you don't know how to recover a Windows account, I do not recommend you use this authentication option.

In the future, I'd like to see the plug-in-free version of the software support other forms of multi-factor authentication such as mobile TOTP apps or hardware security keys.

Using KeePass Plug-ins

Throughout this review, I've referenced plug-ins that add much-needed features to KeePass. KeePass has more than 100 of them. There are plug-ins for backup and cloud sync, for integration with other applications, and for importing and exporting to other programs. Plug-ins let you use non-default encryption algorithms, and provide authentication via RFID or Bluetooth, among other special tasks.


Plug-ins are crucial for KeePass because they provide features that I've come to expect in modern password managers. Without the plug-ins, KeePass is bare-bones and tricky to manage. The plug-ins include support for the following: cloud-based password syncing, automated password capture and replay, an actionable password strength report, and a time-based one-time password generator such as Google Authenticator. If you want those types of features already included, you're better off using a different password manager.

Keep in mind, too, that the plug-ins are not all created by KeePass author Dominik Reichl. With every plug-in you download, you extend your trust to a third-party vendor.

For Experienced Users Only

You can create the password manager of your dreams with KeePass and its library of plug-ins. All you need is the time and technical know-how to make those fantasies a reality. Experienced password manager users may appreciate the wealth of customization options and high levels of security baked into the platform.

If you're looking for your first password manager, or you're not particularly tech-savvy, or you want a slick and modern-looking password management solution, keep searching. KeePass isn't a friendly option for first-time users who may be put off by all the steps required to create passwords and fill in login fields. Instead, I recommend another open-source password manager, Bitwarden. It has a generous free tier as well as an inexpensive paid plan that includes top-notch security tools and additional storage. And if you’re willing to pay for your password manager, Editors’ Choice winners Keeper, LastPass, and Zoho Vault are all elegant and secure solutions that also include limited free plans.

KeePass

2.5

Pros

  • Can set password update reminders

  • Stores password history

  • Strong security settings

  • Local credential storage

  • Highly customizable using plug-ins


Cons

  • Cannot automatically capture credentials

  • Setup is not user friendly

  • Unattractive, outdated interface

  • Default generated passwords do not contain special characters

  • Auto-Type did not handle multipage logins in testing

  • No mobile support


The Bottom Line

KeePass is a free, open-source password manager that lets you add the features you want from a library of plug-ins, but its interface is outdated and it may be too complicated for beginners.

Author: Domingo Moore