KeePass is an open source password manager that’s nearly two decades old. It earned a spot in our top password managers guide on the back of its endless customization and free price tag. That said, KeePass presents more than a few hurdles for technophobes, making it a tough sell for those who are in the market for an easy-to-use password manager.
In this KeePass review, we’re going to detail our experience with the popular tool, comparing it to other password managers along the way. In addition to seeing how it stacks up, we’ll also touch on its features, security, user-friendliness, price and support, all before giving our verdict.
When it comes to protecting your passwords, KeePass is a competent tool, fit with multiple encryption algorithms and key derivation functions. However, there’s no denying the cumbersome usability and lack of functionality without community-created plugins.
Strengths & Weaknesses
- Open source
- Multiple community plugins
- Password database system
- Key file support
- Secure password generator
- No direct two-factor authentication
- No browser extensions
- Limited entry support
- Tough ease of use
Alternatives for KeePass
On its own, KeePass is light in the way of features. Compared to other password managers, such as Dashlane, KeePass doesn’t provide a full security suite. However, given that the software is open source, you can expand your installation with community plugins. That is, if you’re willing to deal with some advanced configuration.
Messing With Plugins
Let’s start with the plugins. KeePass provides an area on its website for plugins that have been created by the community. Some of the additions are small, such as the favicon downloader, while others change how the software functions. For example, there are multiple plugins for syncing with cloud storage services like Google Drive.
The process for installing plugins isn’t difficult (if you’ve ever installed a video game mod, you’ll be fine). That said, for a lot of users, the piecemeal functionality will prove too difficult to get through. Furthermore, like a lot of community modifications, there can be compatibility issues when you have multiple tools loaded at the same time.
Even so, it’s hard to discredit KeePass’ breadth of functionality. As long as you’re willing to go through the process of downloading — and potentially troubleshooting — the different plugins you’re interested in using, you can customize the experience to your liking. As techies, we can get behind that.
Using the Emergency Sheet
When creating a database, you’ll be prompted to print and store an emergency sheet, similar to 1Password (read our 1Password review). That said, the sheet you’re given isn’t as robust as 1Password’s. Instead, KeePass provides the drive location of your vault and two entry fields: one for your master password and another for your backup location.
Although we appreciate the subtle reminder, it’s strange given how hands-off KeePass is otherwise. After all, you can easily write down your master password on a separate piece of paper. We’re not complaining about the inclusion, but it is strange.
Officially, KeePass only supports Windows and a portable installer (more on that in a minute). However, it’s been ported to nearly every platform by the community.
That includes a slew of iOS, macOS, Mac OS X and Android installers, as well as installers for Sailfish OS, Palm OS, BlackBerry and Chrome OS. If you want to build your own installer, you can download the KeePass source code, too.
Although we love the platform support, the most interesting tool is KeePass Portable. With it, you can take your databases anywhere you go. Portable applications can run without any additional installation, meaning you can store KeePass on, say, a USB stick and load it up anywhere.
KeePass Features Overview
|Backup and recovery|
KeePass is a free, open source password manager that earned a spot in our best free password manager guide. However, it didn’t earn the top spot. Although it was beat out by Bitwarden and LastPass (read our LastPass review and Bitwarden review), KeePass is still worth a look if you’re in the market for a free password management tool. However, it’s not the best option for everyone.
We’ll talk more about how KeePass’ ease of use keeps it from being everything it could in the following section. Here, let’s stick to price. KeePass is free forever, without any premium upgrades or any other nonsense. The only way the development team makes money is through donations, which you’re never directly asked to provide.
You can donate in three ways: through PayPal, wire transfer or Flattr. The last option is similar to Patreon, though with far less controversy. Flattr allows you to make a monthly contribution to online creators you support. Regardless of the method you choose, KeePass accepts donations in U.S. dollars and euros.
If you’ve ever downloaded open source software, KeePass’ website should be immediately familiar. The look is dated, there’s no arguing that, but thankfully the website isn’t too difficult to get around. The left-side menu will point you toward the downloads where you can find all of the unofficial KeePass ports, as well as installers for Windows and the portable package.
Installation is painless, though KeePass asks you to select which components you want to install. The core files only account for 3.7MB of the 14.9MB installation. There’s an 8MB component simply called “optimize KeePass performance.”
You can breeze through the installation by clicking “next” — that’s what we did — but it would’ve been nice to see a tooltip or something similar for the vaguely named components.
You can launch KeePass right after installation finishes, but the hand-holding ends there. KeePass dumps you into the interface with little indication about where to go. Granted, anyone with a decent grasp on software can figure out what’s what, but, like it or not, startup tutorials have become standard for password managers.
Creating a KeePass Database
In some ways, KeePass forces you in the right direction by limiting your options. There are only two icons not greyed out in the top toolbar. Clicking on the “new” icon, you can create a database. Like encryption software, KeePass works by creating encrypted files on your machine, which you can decrypt using the software.
When creating a database, you’ll need to set a master password by default. However, there are three authentication options, and you can use any combination of them. The three options include a key file, Windows user account data and a master password, which KeePass tells you the strength of.
After setting your authentication method(s), you can configure your database settings. This is where KeePass starts to get confusing for normal users.
In addition to naming and adding a description for your database, you can choose the encryption algorithm, key derivation function (with the number of iterations) and the data compression method. Thankfully, the defaults are fine, so if anything is confusing, you can simply click “OK.”
Adding Passwords to KeePass
KeePass automatically creates a few groups in your vault, which include internet, networking, Windows, email and general entries. Adding a new entry is simple at first, with a button in the top menu. However, once you land in the “add entry” screen, things get confusing quickly.
There are a plethora of options. By default, KeePass enters your default login for the vault you have open and generates a password. You then need to enter a title for the entry and the appropriate URL, as well as any notes you have.
The first tab is simple, but the others are overwhelming. You can change the tags, add an override URL, set custom entry colors and enter plugin data, just to name a few options.
In many ways, KeePass feels like a framework. It’s a piece of software designed to give you options, which is great for those who don’t mind a bit of reading and the dated look. Those who are looking for a streamlined experience won’t find it with KeePass, though. Other options, such as LastPass and Bitwarden, are easier to use and still free. Read our KeePass vs LastPass comparison.
On its own, KeePass is a local-only password manager. Because of that, the problem of authentication is done away with, much like the Steganos Password Manager. There are some security concerns when it comes to using plugins, though, particularly those that handle cloud syncing.
First, let’s talk encryption. In KeePass 2.x, you have the option between two encryption algorithms: AES and ChaCha20. There are also plugins you can find that support additional algorithms, including Twofish, Serpent and GOST. By default, you’re protected with AES-256, which we recommend you stick with (read our description of encryption for more on that).
Your master password is used to generate a key, which encrypts your database using the chosen algorithm. KeePass also uses a key derivation function plus a salt to protect against dictionary attacks. In KeePass 1.x, you can only use AES-KDF, but in KeePass 2.x, you can use AES-KDF or Argon2.
In addition to adding modern encryption algorithms, KeePass 2.x has one unique security difference over the original version of the software. When checking data integrity, KeePass 2.x uses a HMAC-SHA-256 hash of the ciphertext, whereas KeePass 1.x uses a SHA-256 hash of the plaintext.
Plugin Security Concerns
As KeePass points out on its plugins page for 2.x installations, a malicious plugin can inject itself if it has write access to the KeePass directory. Unfortunately, there’s nothing KeePass can do about that.
However, you can protect yourself by installing KeePass as an administrator. Doing so will ensure the directory is write-protected for normal users. As long as you don’t run the software as an administrator, a malicious plugin can’t write new data to the directory.
That’s a bit of a worst case scenario, though. When it comes to syncing your database files with plugins, things get tricky. Encryption still happens locally, as that’s handled by the KeePass application. However, a plugin can change how this process happens, so if you find a sketchy addition, it’s best to stay away. That’s not to mention syncing your passwords with Google Drive.
KeePass doesn’t provide any direct support, instead offering a dense help center filled with every detail about the software. There are community forums, too, and they’re thankfully active. That said, if you run into issues, you’re forced to rely on the self-help resources available and the community to solve your problem.
The help center is dense with information, almost to a fault. KeePass covers everything from basic setup to advanced XML replacement. Finding your way around the help center is tricky because there isn’t a search bar or organized directory. If you need help, you’ll likely need to click through multiple sections to find what you’re looking for.
It’s tough to fault KeePass, as the development team provides a lot of learning resources for the low cost of free. There’s no denying, however, that paid and free password managers offer more concise self-help resources. In most spots, help center topics read like technical documentation rather than support articles.
The forums, which are highly active, are hosted through SourceForge. At around 3 p.m. on a Friday, there’s one thread with 150 views from today and five threads from the previous day. If you’re looking for support, the forums are your best bet. Not only is the community active, but you can easily filter topics using the search bar.
The KeePass password management tool is highly flexible, though clearly geared toward techies. Those who are looking for a streamlined experience on the free end of things are better sticking with something like LastPass or Bitwarden. That said, those tools don’t provide the level of customization that KeePass does.
What do you think of KeePass? Are you going to download it and give it a shot? Let us know about your experience in the comments below and, as always, thanks for reading.
- Yes, it’s secure. Because the tool only stores your passwords locally, there’s no risk of your data being compromised in transit. Furthermore, you’re given multiple encryption options so you can secure your databases in the way you want.
- No. Because of multiple usability issues, it’s hard to recommend the tool for everyone. That said, techies who like to configure their software will find it indispensable.
- Yes, it’s free. The only way the development team makes money is through donations, which it accepts through PayPal, wire transfer and Flattr.