2016-06-27

Nobody likes passwords.

They're either too simple, so you get hacked, or too complicated, so you forget them. Password manager utilities ease the pain by taking over the task of remembering complex passwords. Many people are content with a password manager that just hums along in the background, taking care of business.

The open-source free password manager KeePass 2.34 is not for those people, but its extremely configurable nature and absolute wealth of plug-ins make it a tinkerer's dream.

And unlike most free password managers, it's free at every level, from consumer up to enterprise.

You can install KeePass on all of your Windows, Mac, or Linux systems. Other users have contributed unofficial ports of the product for iOS and Android, but this review specifically covers the actual, official product.

Getting Started

First of all, download and run the somewhat-retro KeePass installer. When it finishes and launches the program, you'll find yourself staring at a blank main window, with no data and almost all user-interface elements grayed out.

The clever user will realize that the only available toolbar buttons are those to create or open a password database.

Aha! Once you create a database, you're ready to roll. Note that this also means you can maintain more than one database, if you feel the need. Multiple open databases appear on tabs.
You can optionally install the portable edition of KeePass on a thumb drive, and keep it in your pocket.
It doesn't write any data outside that drive, so you can use it on any computer.
Multifactor Authentication

Most password managers require you to create a master password, something that protects all your other passwords. oneID is a rare exception, relying instead on a system of trusted devices. KeePass uses an unusual Composite Master Key system that can use any or all of three distinct authentication methods: master password, key file, and Windows user account.
As you type the master password, KeePass rates its quality. Many products do this, but in a simple-minded fashion that considers "Password1" to be strong, because it's longer than eight characters and contains three different character types. KeePass goes much further, looking for known bad passwords, repeated sequences, L33t-speak substitutions, and more.
If KeePass says your master password is strong, believe it! Just make sure it's something you can remember.

Adding a second authentication factor by using a key file stored on a USB drive vastly increases your account security.

A malefactor who stole your master password couldn't open the database without also picking your pocket to steal the USB drive. KeePass can create a key file for you, or you can use absolutely any file.

There's also an option to authenticate using a key-provider plug-in.
The third option, authentication based on your Windows user account, is deceptively simple.

The fact that you are using your Windows account proves that you have physical access to your computer and that you know the account password.

Changing the Windows password doesn't affect KeePass.

The problem is that if your system crashes, you must restore from a full backup of the system. Just re-creating an account with the same username won't do the job.
You can also configure KeePass to display the login screen on a secure desktop, similar to what you see when User Account Control demands a response.

The purpose of the secure desktop is to prevent a keylogger from capturing your master password, and it should work against most keyloggers.
Creating Password Entries

Unlike LastPass 4.0, LogMeOnce Password Management Suite Premium, and most others, KeePass does not integrate with your browser to capture and save login credentials. You must create each entry manually.
I found it easiest to do this by copy/pasting credentials and URL while separately logging in.
There are a ton of configuration options for each entry. You can give it any title you like, choose a predefined or custom icon, and add notes. You can set a custom foreground and background color, to make it stand out, and add tags.
If the site isn't compatible with your default browser, you can set an override to open it in Internet Explorer, Chrome, Firefox, Opera, Safari, or even Microsoft Edge.

And you can customize its Auto-Type settings. More about Auto-Type later.

There's also an option to set an expiration date, which serves as a reminder that you should change your password.
If you've been using another password manager, you can sidestep this manual data entry by having KeePass import your existing data.
It handles more other programs than any password manager I've seen: almost 40! These include LastPass, Dashlane 4, and RoboForm Everywhere 7, along with many other well-known and little-known competitors.
Tags are your only option for organizing items in Symantec Norton Identity Safe; KeePass gives you more choices.

By default, a new database includes group folders titled General, Windows, Network, Internet, Email, and Homebanking. You can add your own folders and subfolders and move your passwords into them, or view all items having a specific tag.

The way you organize things is up to you.
Password Generator

When you have a password manager on the job, your passwords can (and should) be long and complex. You don't have to remember them, after all. Most password managers include a password generator, but many of them use poor defaults. Norton, for example, defaults to eight-character alphanumeric passwords; that's not good.

Dashlane offers 12-character passwords by default, and Enpass Password Manager 5 goes up to 18 characters.

But KeePass beats them all, with a default password length of 20 characters.

Each time you create a new entry, KeePass automatically populates it with a generated password. You can also generate passwords on demand, and adjust the password generator's many, many configuration settings.
Just about every password generator lets you choose which of four character sets to use: lowercase letters, uppercase letters, digits, and punctuation. KeePass breaks down that last category into four.
It also lets you include the space character and high-ANSI characters such as ü and Ñ.
LastPass, Sticky Password Premium, and a few others let you make passwords easier to type by suppressing the use of too-similar characters such as the digit 0 and capital O. KeePass offers this as an option, along with the option to use each character at most once, but correctly warns that these options reduce security by limiting the pool of possible passwords.
But wait, there's more! If you run into a site or application that requires passwords in a specific format, you can employ a password pattern.

Each of 20 pattern characters represents a specific type of character.

For example, ddddZZZZllll would create a password consisting of four digits, four upper-case vowels, and four lowercase letters.
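To make the pattern syntax and the "too-similar characters" trade-off concrete, here is an added Python model of a pattern-based generator (illustrative code, not KeePass's own implementation). It covers only a subset of the placeholders, the look-alike set is an assumption, and it reports how many bits of entropy a pattern yields so you can see what excluding characters costs.

```python
import math
import secrets
import string

# Illustrative subset of KeePass-style placeholders (assumed, not KeePass's table).
PATTERN_CLASSES = {
    "d": string.digits,                           # digit
    "l": string.ascii_lowercase,                  # lower-case letter
    "u": string.ascii_uppercase,                  # upper-case letter
    "L": string.ascii_letters,                    # mixed-case letter
    "v": "aeiou",                                 # lower-case vowel
    "Z": "AEIOU",                                 # upper-case vowel
    "a": string.ascii_lowercase + string.digits,  # lower-case alphanumeric
    "p": ",.;:",                                  # punctuation (subset)
}
# Characters that read alike; the "exclude too-similar characters" option drops them (assumed set).
LOOKALIKES = set("O0Il1|")

def expand_pattern(pattern, exclude_lookalikes=False):
    """Return one character pool per output position; a backslash escapes a literal."""
    pools, escape = [], False
    for ch in pattern:
        if escape:
            pools.append(ch)                      # literal: a pool of exactly one character
            escape = False
        elif ch == "\\":
            escape = True
        elif ch in PATTERN_CLASSES:
            pool = PATTERN_CLASSES[ch]
            if exclude_lookalikes:
                pool = "".join(c for c in pool if c not in LOOKALIKES)
            pools.append(pool)
        else:
            raise ValueError(f"unknown placeholder {ch!r}")
    if escape:
        raise ValueError("pattern ends with a dangling escape")
    return pools

def generate(pattern, exclude_lookalikes=False):
    """Draw each position from its pool with a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(p) for p in expand_pattern(pattern, exclude_lookalikes))

def entropy_bits(pattern, exclude_lookalikes=False):
    """log2 of the number of distinct passwords the pattern can produce."""
    return sum(math.log2(len(p)) for p in expand_pattern(pattern, exclude_lookalikes))

if __name__ == "__main__":
    for opt in (False, True):
        print(generate("ddddZZZZllll", opt), f"{entropy_bits('ddddZZZZllll', opt):.1f} bits")
```

Escaped literals contribute zero bits, which is why a fixed prefix demanded by a site adds length but no strength.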
The option to generate passwords using a custom algorithm is only functional if you've installed a plug-in that supplies such an algorithm.

For those who don't trust the integrity of the system's built-in random number generator, there's an option to create a truly random result based on nonsense characters you type and random movements of the mouse.
Auto-Type and Application Passwords

While KeePass doesn't automatically capture credentials as you log in to secure sites, it does semi-automatically fill in those credentials for you, using a feature called Auto-Type.

Auto-Type literally simulates typing at the keyboard to fill in the saved credentials.

That means it's not fazed by webpages that use non-standard field names for the username and password.
In fact, it can fill passwords into any application. LastPass 4.0 Premium, Sticky Password, RoboForm, and a few other commercial password managers handle application passwords, but none of the other free ones that I've reviewed include this feature.
Keyboard shortcuts are important in KeePass. Pressing Ctrl+U launches the URL of the currently selected item; note that you may need to click in the username field if it isn't automatically selected.

After the page opens, pressing Ctrl+Alt+K switches the focus back to KeePass.

And pressing Ctrl+V invokes Auto-Type in the window you just left.

Even easier, Ctrl+Alt+A is the universal Auto-Type shortcut.
By default, KeePass types the username, simulates a Tab, types the password, and simulates pressing Enter.

This is represented as {USERNAME}{TAB}{PASSWORD}{ENTER}.
If a given website requires a different sequence of keys, KeePass makes it easy to gin up a new Auto-Type sequence using an editor that lets you simply click the desired items to add them.
Here's a simple example.

Gmail takes your username on one page, password on another.

The usual Auto-Type sequence won't work.

After some experimentation, I came up with one that did: {USERNAME}{ENTER}{DELAY 1500}{TAB}{TAB}{PASSWORD}{ENTER}. Whew!

Did you notice the DELAY entry? There are a number of other non-key items in the editor, many of which aren't explained in the help.

DELAY waits the specified number of milliseconds, as you might guess.

APPACTIVATE activates the window that has a specific title.

CLEARFIELD clears the contents of the current field.

And so on.
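As an added illustration of the sequence syntax above (my own code, not KeePass's parser), here is a Python tokenizer that turns an Auto-Type sequence such as the Gmail one into a list of actions without sending a single keystroke, and renders a plan with the password masked so it is safe to log or review. The field and key names it recognizes are an assumed subset; `{{}` and `{}}` are treated as literal braces.

```python
import re

# Assumed subset of Auto-Type items: entry fields, special keys, and the {NAME argument} form.
FIELDS = {"USERNAME", "PASSWORD", "URL", "TITLE"}
KEYS = {"TAB", "ENTER", "SPACE", "DELETE", "BACKSPACE", "ESC"}
_ITEM = re.compile(r"\{([A-Za-z]+)(?: ([^}]*))?\}")
SAMPLE_ENTRY = {"USERNAME": "alice@example.com", "PASSWORD": "hunter2"}  # constructed, not real

def parse_sequence(seq):
    """Tokenize an Auto-Type sequence into (kind, value) actions; nothing is typed."""
    actions, i = [], 0
    while i < len(seq):
        if seq.startswith(("{{}", "{}}"), i):          # {{} and {}} are literal braces
            actions.append(("text", seq[i + 1]))
            i += 3
        elif seq[i] != "{":                             # plain text is typed as-is
            j = seq.find("{", i) if "{" in seq[i:] else len(seq)
            actions.append(("text", seq[i:j]))
            i = j
        else:
            m = _ITEM.match(seq, i)
            if m is None:
                raise ValueError(f"malformed item at offset {i}")
            name, arg = m.group(1).upper(), m.group(2)
            if name in FIELDS:
                actions.append(("field", name))
            elif name in KEYS:
                actions.append(("key", name))
            elif name == "DELAY":
                actions.append(("delay_ms", int(arg)))  # waits; sends no keys
            elif name in ("APPACTIVATE", "CLEARFIELD"):
                actions.append(("command", (name, arg)))
            else:
                raise ValueError(f"unsupported item {m.group(0)}")
            i = m.end()
    return actions

def render(actions, entry, mask_secrets=True):
    """Human-readable plan; the password is masked so the plan is safe to log."""
    out = []
    for kind, v in actions:
        if kind == "field":
            val = entry.get(v, "")
            out.append("*" * len(val) if mask_secrets and v == "PASSWORD" else val)
        elif kind == "text":
            out.append(v)
        else:                                           # key, delay_ms or command
            out.append(f"<{kind} {v}>")
    return out
```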
I'm guessing most users will never need to dig into these.
For your most sensitive sites, you can enable Two-Channel Auto-Type Obfuscation. When TCATO is enabled, KeePass simulates typing some of the keystrokes but inserts portions of the data using copy/paste.

According to the documentation, no currently available keyloggers can capture logins entered using this technique, though (full disclosure!) it would theoretically be possible to write a keylogger that would do the job.
Database Synchronization

As noted, KeePass maintains its database in local storage, not in the cloud. Keeping your data local minimizes the possibility of a breach.

Dashlane lets you turn off syncing and stay local.
Sticky Password offers a clever alternative—you can set it to sync only over your local Wi-Fi network.
With KeePass, you can still sync multiple installations.
It's just not as automated as cloud-based syncing.

At the simplest level, you can synchronize two KeePass database files. Once done, each will contain everything the other does, without duplication.

Typically you would copy your KeePass database to a thumb drive, synchronize it on another system, and then copy back from the thumb drive.
If an item already present in both has been edited in both, the most recent change takes priority.
For those with the skills to set up file access on an HTTP page, an FTP site, or a WebDAV installation, syncing is even easier. You upload your database once, then sync each installation with the uploaded copy.

And, you guessed it, there are a number of plug-ins that ease the synchronization process.
More Features

Page through KeePass's options and you'll find a ton of ways to enhance the security of your password collection. You can set it to lock after a period of inactivity, or when minimized, or when the desktop is locked, or just before the computer goes to sleep.

By default, it clears any data you copied to the clipboard after 12 seconds. You can adjust that time, and set it to clear the clipboard on exit.
Numerous user interface options let you define when and how the program should minimize. You can also set the fonts used and change the style of some controls.

And a set of advanced options controls everything from exactly how KeePass should identify webpages that it can fill to whether it should cancel an ongoing Auto-Type session if the target window changes.
Some banks require a Transaction Authentication Number (TAN) for each login, supplying users with a collection of what are effectively one-time passwords. KeePass stores and manages these for you, keeping track of which have been used already.

That's not a feature I've seen anywhere else.
If you've done a little coding, you may find the Triggers feature interesting.

A trigger is a little script, something like what you might cobble up using IFTTT.

Each trigger starts with an event such as application initialized, opened database file, or custom toolbar button clicked. You can also apply conditions, for example only launching the trigger action based on a particular environment variable's value or the presence of a certain file.

Finally you define what the trigger will do.

There are many possibilities, among them launching a program, displaying a message, and adding or removing a custom toolbar button.
Plug-ins, Plug-ins, Plug-ins!

I've mentioned several plug-ins that add features to KeePass or enhance its functionality. On the plug-ins page, you'll find well over 100 of them.

There are plug-ins for backup and cloud sync, for integration with other applications, and for importing from and exporting to other programs. Plug-ins let you use non-default encryption algorithms, or provide authentication via RFID or Bluetooth.
A collection of general utility plug-ins includes a wide range of functions.

Among other things, they enhance the appearance of the password list, offer an on-screen keyboard for password entry, and remove duplicate entries.

Most importantly, there are plug-ins that provide KeePass with ease-of-use features that we've come to expect in password managers.

Among these are: cloud-based password syncing, automated password capture and replay, an actionable password-strength report, and a time-based one-time password generator (think Google Authenticator).
In many cases there are multiple plug-ins providing the same enhancement.

This crowd of possible enhancements is nice, but also daunting. Which plug-in is best? Are they all as secure as KeePass itself? There's no way I can evaluate them all; I have to look at how KeePass functions on its own.
For the Tinkerers

KeePass 2.34 is definitely the most configurable of any password manager I've seen. With the Triggers feature, you can even add new action buttons to the toolbar. Just about anything is up for adjustment, from the password generator to the way KeePass fills in passwords.

And don't forget the trove of plug-ins! It's a tinkerer's dream.
However, the vast majority of users aren't tinkerers.

They just want a password manager that does the job and stays out of the way.
If that describes you, I suggest you stick with our Editors' Choice free password managers, LastPass 4.0 and LogMeOnce Password Management Suite Premium. Or, if your budget can stand it, check out a paid password manager.
PCMag may earn affiliate commissions from the shopping links included on this page.