

KeePass Password Safe


Dominik Reichl, 2 Jan 2018


KeePass is a free, open-source, light-weight and easy-to-use password safe.

Download executable - 1.48 MB


Download source - 1.84 MB
KeePass homepage (latest unstable release)
Latest translation files


Index
Introduction
The First Steps
Features
Security
Internals
Frequently Asked Questions (FAQ)
Thanks and Acknowledgements
Some Final Words

Introduction
Nowadays you need to remember many passwords: one for the Windows network logon, your e-mail account, your homepage's FTP account, online accounts (like your CodeProject member account), and so on. The list is endless. You should also use a different password for each account, because if you use a single password everywhere and someone obtains it, you have a serious problem: that person then has access to your e-mail account, your homepage and everything else.

But who can remember all those passwords? Nobody, but KeePass can. KeePass is a free, open-source, light-weight and easy-to-use password safe for Windows. With
this tool, you only need to remember one single, strong master password or carry a key-file with you (more about this soon).

The program stores your passwords in an encrypted database. This database is a single file, so it can be moved from one computer to another easily.

KeePass supports password groups, so you can sort your passwords (for example into "Windows", "Internet", "My Homepage", etc.).
KeePass is a Windows application. It has been developed using Microsoft Visual C++ with MFC classes. .NET framework is not required, nor are any other special DLLs.
So it should run on all Windows operating systems without installation of any additional library.

KeePass is distributed under the terms of the GNU General Public License v2. See the file "License.txt" in the downloadable KeePass ZIP package for details.

Master Passwords and Key-disks


KeePass stores your passwords securely in an encrypted database. This database is locked with a master password and/or a key-disk:

If you use a master password, you only have to remember one password or passphrase (which should be good then!).

If you lose this master password, all the other passwords in the database are lost too. The database is encrypted with AES or Twofish (see the Security section below), and there is no backdoor or master key that can open all databases. There is no way of recovering your passwords if you lose the key.

The database can alternatively be locked with a key-disk. A "key-disk" is just an ordinary disk holding a file with the key bytes (KeePass can generate such a file for you).

If you lose the key-disk and have no backup copy of the key-file, the passwords in the database are lost too, just as when you lose the master passphrase.

If you want to burn a master key CD-ROM, select a writable drive (C:, D:, ...) and generate the master key-file. Burn the file "pwsafe.key" (e.g. C:\pwsafe.key or D:\pwsafe.key) into the root directory of the CD-ROM (E:\pwsafe.key). You can then insert the key CD-ROM and select the CD-ROM drive in KeePass to load the key from it. Of course, the same steps work for any readable and writable medium, not just CD-ROMs. Treat the key-file as a secret exactly like the master password: if it is the only factor, anyone who can copy it can open the database, so store the backup copy somewhere safe.

For even more security, you can combine the two methods: use a master password and a key-disk together, so that both are needed to unlock the database. This provides two-factor protection: something you know and something you have are both required.

The First Steps


I will now guide you through the first steps of using KeePass. If you are experienced and don't need this, just skip this section.

Download the binary ZIP file (you don't need the source code package for now) and unzip it somewhere where you can find it again. KeePass doesn't need to be
installed, just unpack the ZIP file and it runs.

So, let's start the KeePass.exe file. You see two gray lists, a menu bar and a status bar.

KeePass by default speaks English. If you want a different language, go to the KeePass homepage and download one of the translations offered there (currently there
are versions for over 26 languages). Unpack the translation file into the KeePass directory, start KeePass, go to the 'View' menu, and change the language by clicking on
'Change Language...' and selecting yours in the opening dialog.

Now let's create a new database: 'File' -> 'New Database'. You see a dialog where you must enter the master password for this database. If you want to use a key-disk instead, select a writable disk drive where the key-file will be stored.

You can also let KeePass generate a random master passphrase for you. But I doubt you can remember those... the generator is for creating other passwords.

After you've created the new database, you see an almost empty screen. In the tree view on the left, you see a few standard password groups which have been created for you automatically: General, Windows, Network, Internet, e-mail and home banking. You can later delete these standard groups and create your own.

(Screenshot in the original article: the main window with a few sample groups and entries.)

The list view on the right is the password entry list; in a fresh database it is empty. Each password gets its own entry. Various fields are supported: title, user name, URL, password, notes, expiry time, file attachment, icon and a few more.

You can add, modify/view, move and delete entries. You can search the whole database or only the current group view. The context menu also lets you copy the user name or password to the clipboard (which is cleared automatically a few seconds later) or visit the URL of the entry.

Your first step will be to add an entry. Right-click on the password list on the right and select "Add Entry". The entry dialog is fairly self-explanatory. When you click the button with the three blue dots, the entered password is shown as plain text instead of asterisks.

When you use KeePass, I recommend letting KeePass generate your passwords with the password generator. Generated passwords are far less biased than those a human mind "generates". The password generation dialog is also self-explanatory and you shouldn't have any problems understanding what the various options do. When you click the "Generate" button, a dialog pops up asking you to provide some random input:

On the left side, you can generate random input using the mouse. Click on the button "Use Mouse As Random Source" and move the mouse in the chaos field above
until the progress bar below is full. KeePass will save the mouse position after a few pixels of movement. So free your mind and move the wildest figures with your
mouse.

On the right side, you can type something into the edit box. You can enter anything there. KeePass will use the text you enter here as a random source. You don't have
to remember what you enter here. Enter many and different characters.

Features
You should by now be able to use the basic features of KeePass. I will now present some more features of KeePass.
Transferring the Password

There are various ways to get the passwords stored in KeePass into other windows. The first and simplest method is copying them to the clipboard. For this, just double-click the specific field in the main password list. Example: if you want to copy the password of entry X, point at the password field of that entry in the main view and double-click. The password is copied to the clipboard. If you enable the auto-clearing option, KeePass clears the clipboard automatically after some seconds, so you can't forget to clear it yourself and leave sensitive data there.

The second method is drag-n-drop. As in method 1, point onto the field you want to use, click the left mouse button and hold it. Drag the data into other windows.

The third, and most powerful, method is auto-type. KeePass has a very powerful auto-type feature which types user names, passwords, etc. into other windows for you. The default auto-type sequence is {USERNAME}{TAB}{PASSWORD}{TAB}{ENTER}, but the sequence is customizable per entry (read the CHM documentation file that comes with KeePass for details). This makes auto-type applicable to practically all windows and web forms you'll ever see. There are two ways to perform an auto-type:

Selecting an entry: select the entry you want auto-typed, right-click it and click "Perform Auto-Type". KeePass minimizes itself, the window that had the focus before comes to the front, and KeePass starts typing the data into that window.
Global hot key: this is the most powerful method. You leave KeePass running in the background. As soon as you're on a site that requires a login (whose password you stored in KeePass before), just press a hot key (by default Ctrl-Alt-A). KeePass immediately auto-types the data into the target window.

In both cases the keystrokes go to whichever window has the focus at that moment, so make sure the intended login form is focused before you trigger auto-type; otherwise your password is typed into the wrong application.

Exporting and Importing, Plug-ins, Printing

KeePass can export the database to TXT, HTML, XML or CSV files. It can import various formats, like CSV, CodeWallet TXT, PwSafe v2 TXT and Personal Vault TXT.

But KeePass also features a plug-in architecture. You can get many free plug-ins from the KeePass homepage. These plug-ins provide additional import/export
functions from/to many other formats, network functionalities, automatic database backup features and much more.

Of course, you can also print the complete password list or the current list view. Before printing, you can choose which fields (title, user name, etc.) are listed.

Open Source and Other Operating Systems

And the best part: it's completely free and you have full access to its source code! Various ports of KeePass to other platforms are already in development. The 100% compatible PocketPC version is already fairly stable. A native Linux version (KDE/Qt) was started a short time ago and a Mac OS X version is currently being discussed on a mailing list. Visit the official KeePass homepage for the latest status of these ports.

Security
In this section, I will tell you how the databases are encrypted. If you aren't a cryptographer and do not know much about security, you won't understand that much and
you may want to skip this section.

All databases are encrypted. Currently they are encrypted using the Advanced Encryption Standard (AES/Rijndael, 128-bit block cipher, using a 256-bit key) or the
Twofish algorithm (128-bit block cipher, using a 256-bit key). I've chosen the CBC block cipher mode. A 128-bit initialization vector (IV) is generated randomly each time
you save the database.

To generate the 256-bit key for AES/Twofish, the secure hash algorithm SHA-256 (SHA-2 family) is used. The user key (the passphrase the user enters or the binary string in the key-file) plus a random salt is hashed with SHA-256. The salt is generated anew each time you save the database and is stored in it. This prevents pre-computation of keys: an attacker cannot build a table of keys for common passwords that works against every database.

When using both a master password and a key-disk together, the final key is derived as follows: SHA-256(SHA-256(master password) || key-file contents), i.e. the hash of the master password is concatenated with the key-file bytes and the resulting byte string is hashed with SHA-256 again. If the key-file contents aren't exactly 32 bytes (256 bits), they are hashed with SHA-256 too, to form a 256-bit key, so the formula becomes SHA-256(SHA-256(master password) || SHA-256(key-file contents)).

We need to generate several 'random' bytes (for the IV, the master key salt, etc.). For this, several pseudo-random sources are used: current tick count, performance
counter, system date/time, mouse cursor position, memory status (free virtual memory, etc.), active window, clipboard owner, various process and thread IDs, various
window focus handles (active window, desktop, ...), window message stack, process heap status, process startup information and several system information structures.

This pseudo-random data is collected in a random pool. To generate 16 random bytes, the pool is hashed (SHA-256) with a counter to form the final 16 random bytes.
The counter is increased after 16 generated bytes, this way we can produce as many secure random bytes as we need.
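The pool-and-counter extractor just described, as an added example in Go; this is not KeePass's CNewRandom class or any other KeePass code. The Windows-specific sources the page lists are replaced by the portable ones Go can reach (time, process id), and, as this example's own addition that the page does not describe, 32 bytes from the operating system's CSPRNG are mixed into the pool as well.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"os"
	"time"
)

// RandomPool models the generator the page describes: every observation is
// appended to a pool, and output block i is SHA-256(pool || i)[:16].
type RandomPool struct {
	pool    []byte
	counter uint64
}

// AddSource mixes one observation (tick count, cursor position, ...) into the pool.
func (p *RandomPool) AddSource(b []byte) { p.pool = append(p.pool, b...) }

// AddUint64 is a helper for the integer-valued sources (handles, IDs, counters).
func (p *RandomPool) AddUint64(v uint64) {
	var buf [8]byte
	binary.LittleEndian.PutUint64(buf[:], v)
	p.AddSource(buf[:])
}

// Next16 returns the next 16-byte output block and advances the counter.
func (p *RandomPool) Next16() [16]byte {
	var ctr [8]byte
	binary.LittleEndian.PutUint64(ctr[:], p.counter)
	p.counter++
	h := sha256.Sum256(append(append([]byte{}, p.pool...), ctr[:]...))
	var out [16]byte
	copy(out[:], h[:16])
	return out
}

// Bytes returns n output bytes, e.g. 16 for an IV or 32 for the master-key salt.
func (p *RandomPool) Bytes(n int) []byte {
	out := make([]byte, 0, n+16)
	for len(out) < n {
		blk := p.Next16()
		out = append(out, blk[:]...)
	}
	return out[:n]
}

// seedFromEnvironment feeds in the portable subset of the page's sources (time,
// process id) and, as this example's own addition, 32 bytes from the OS CSPRNG,
// so the pool is never weaker than the operating system's generator.
func seedFromEnvironment(p *RandomPool) error {
	p.AddUint64(uint64(time.Now().UnixNano()))
	p.AddUint64(uint64(os.Getpid()))
	osRandom := make([]byte, 32)
	if _, err := rand.Read(osRandom); err != nil {
		return err
	}
	p.AddSource(osRandom)
	return nil
}

func main() {
	var p RandomPool
	if err := seedFromEnvironment(&p); err != nil {
		panic(err)
	}
	fmt.Printf("IV:   %x\n", p.Bytes(16))
	fmt.Printf("salt: %x\n", p.Bytes(32))
}
```

The output is only as unpredictable as the pool contents: tick counts, process IDs and window handles are largely observable or guessable by another user on the same machine, which is why this example also seeds from the operating system's generator rather than relying on those sources alone.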

Protection Against Dictionary and Guessing Attacks

KeePass offers some protection against guessing and dictionary attacks (note: not against brute-force attacks!). This is only needed for master passwords; key-disks don't need it, since a random 256-bit key-file cannot be guessed. You can't really prevent dictionary and guessing attacks: nothing stops an attacker from simply trying keys and checking whether the database decrypts. What we can do (and KeePass does) is make each attempt more expensive: by adding a fixed per-attempt cost to the key initialization, we can make such attacks as slow as we want. To generate the 'final' 256-bit key used by the block cipher, KeePass first hashes the user's key (SHA-256), encrypts the result N times with the Advanced Encryption Standard (AES) and then hashes it again (SHA-256). Since the AES transformations cannot be pre-computed, an attacker has to perform all of them too, otherwise he cannot tell whether the key he is currently trying is correct. The key used for the AES transformation is generated randomly and stored in the database header (this rules out pre-computing the AES transformations, although that would be practically impossible anyway).

By default, KeePass sets N to 6000 encryption 'rounds' (full AES encryptions of the key; this has nothing to do with the internal rounds of AES). This default was chosen for compatibility with the PocketPC version (PocketPC processors are slower, so the key computation takes longer there). Nothing stops you from setting a much larger value (in the database Options dialog); if you accept a one-second delay when opening the database on your PC, you can set it to a few hundred thousand. Think about what this means: the attacker now also needs that much longer for every key he tries. If one key costs him one second, dictionary and guessing attacks become impractical. Keep in mind that the round count belongs to the database, so a database with a high count opens correspondingly slowly on every machine you use it on, including slower ones such as a PocketPC.
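The complete key-derivation pipeline from the two preceding sections (combine the password and key-file as described under "Master Passwords and Key-disks", run the AES transformation N times under the seed stored in the header, hash again, and mix in the per-save random salt), as an added example in Go. This is not KeePass code. The page describes the steps but not the order in which the salt is mixed in; mixing it in last, after the transformation, and treating a nil slice as "factor not supplied" are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// compositeKey follows the page's formula: SHA-256(password) alone, the key-file
// bytes alone (hashed with SHA-256 unless exactly 32 bytes), or for both factors
// SHA-256(SHA-256(password) || keyFileKey). nil means "not supplied" (this
// example's convention, not the page's).
func compositeKey(password, keyFile []byte) ([]byte, error) {
	if password == nil && keyFile == nil {
		return nil, errors.New("a master password, a key file, or both are required")
	}
	var kfKey []byte
	if keyFile != nil {
		if len(keyFile) == 32 {
			kfKey = keyFile
		} else {
			h := sha256.Sum256(keyFile)
			kfKey = h[:]
		}
	}
	if password == nil {
		return kfKey, nil
	}
	pwHash := sha256.Sum256(password)
	if keyFile == nil {
		return pwHash[:], nil
	}
	h := sha256.Sum256(append(pwHash[:], kfKey...))
	return h[:], nil
}

// transformKey is the dictionary-attack countermeasure: AES-256-encrypt the
// 32-byte composite key N times under a seed stored in the database header,
// then hash the result. The 32 bytes are treated as two independent AES
// blocks (ECB); that block layout is an assumption of this example.
func transformKey(composite, transformSeed []byte, rounds uint64) ([]byte, error) {
	if len(composite) != 32 || len(transformSeed) != 32 {
		return nil, errors.New("composite key and transform seed must be 32 bytes")
	}
	block, err := aes.NewCipher(transformSeed) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32)
	copy(buf, composite)
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(buf[:16], buf[:16])
		block.Encrypt(buf[16:], buf[16:])
	}
	h := sha256.Sum256(buf)
	return h[:], nil
}

// deriveKey runs the whole pipeline and finally mixes in the per-save random
// salt, so a key computed for one database file is useless against another.
func deriveKey(password, keyFile, masterSalt, transformSeed []byte, rounds uint64) ([]byte, error) {
	composite, err := compositeKey(password, keyFile)
	if err != nil {
		return nil, err
	}
	transformed, err := transformKey(composite, transformSeed, rounds)
	if err != nil {
		return nil, err
	}
	final := sha256.Sum256(append(append([]byte{}, masterSalt...), transformed...))
	return final[:], nil
}

// calibrateRounds measures this machine and returns the N that costs roughly
// the target delay, i.e. how to choose "a one-second delay" concretely.
func calibrateRounds(target time.Duration) uint64 {
	const probe = 20000
	start := time.Now()
	_, _ = transformKey(make([]byte, 32), make([]byte, 32), probe)
	perRound := time.Since(start) / probe
	if perRound <= 0 {
		perRound = time.Nanosecond
	}
	return uint64(target / perRound)
}

func main() {
	// Constructed sample header values; a real database stores both in its header.
	masterSalt := []byte("0123456789abcdef0123456789abcdef")
	transformSeed := []byte("fedcba9876543210fedcba9876543210")
	key, err := deriveKey([]byte("correct horse battery staple"), nil, masterSalt, transformSeed, 6000)
	if err != nil {
		panic(err)
	}
	fmt.Println("derived key:", hex.EncodeToString(key))
	fmt.Println("rounds for ~1 s on this machine:", calibrateRounds(time.Second))
}
```

Because the transformation is a sequence of AES encryptions under a key the attacker does not have until he reads the header, there is no shortcut: every candidate password costs him the same N encryptions it costs you, which is the whole point of the round count.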

In-memory Passwords Protection

While KeePass is running, your passwords are encrypted with a 'session key' (randomly generated at startup). This means that even if you dumped the whole KeePass process memory to disk, you couldn't find the passwords (at least not in plain text). Note that this applies only to the password fields, not to user names etc., for speed reasons. When you want to copy a password to the clipboard, for example, KeePass first decrypts the password field using the session key, copies it to the clipboard and immediately re-encrypts it using the session key. ARC4 is used as the encryption algorithm; the session key has a fixed size of 12 bytes.

KeePass securely erases all security-critical memory when it's not needed any more, i.e. it overwrites those memory areas with random data before zeroing and releasing
it (this applies to all security-critical memory, not only the password field).
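The decrypt-use-re-encrypt pattern from the previous paragraphs together with the overwrite-then-zero erase routine, as an added example in Go; it is not KeePass code (the original is C++ in memutils.h). The ProtectedField type and the Use callback are this example's own names. The 12-byte session key and ARC4 are taken from the page; in Go the wipe is best-effort, since the runtime may have copied the data elsewhere, which is one reason the original does this in C++.

```go
package main

import (
	"crypto/rand"
	"crypto/rc4"
	"fmt"
)

// sessionKey is generated once per process start; 12 bytes, as on the page.
var sessionKey = mustRandom(12)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// applyRC4 encrypts or decrypts (RC4 is its own inverse). A fresh cipher is
// created per call so each field uses the keystream from its start; in this
// model every field therefore shares one keystream, see the note below.
func applyRC4(key, data []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

// wipe overwrites a buffer with random bytes and then zeros, mirroring the
// memutils.h routine. Best-effort in Go: the runtime may hold other copies.
func wipe(b []byte) {
	_, _ = rand.Read(b)
	for i := range b {
		b[i] = 0
	}
}

// ProtectedField keeps a password in process memory only in encrypted form.
type ProtectedField struct{ ct []byte }

// NewProtectedField encrypts plain under the session key and wipes the
// caller's plaintext copy, which is not needed any more.
func NewProtectedField(plain []byte) (*ProtectedField, error) {
	ct, err := applyRC4(sessionKey, plain)
	if err != nil {
		return nil, err
	}
	wipe(plain)
	return &ProtectedField{ct: ct}, nil
}

// Use decrypts just long enough for fn to run (e.g. copying to the clipboard)
// and wipes the plaintext before returning, so it exists only transiently.
func (f *ProtectedField) Use(fn func(plain []byte)) error {
	plain, err := applyRC4(sessionKey, f.ct)
	if err != nil {
		return err
	}
	defer wipe(plain)
	fn(plain)
	return nil
}

func main() {
	// Constructed sample entry; in KeePass the field comes from the database.
	field, err := NewProtectedField([]byte("hunter2"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("in memory: %x\n", field.ct)
	_ = field.Use(func(p []byte) { fmt.Printf("in use:    %q\n", p) })
}
```

In this model (as in any scheme that restarts a stream cipher under one fixed key for every field) two ciphertexts XOR to the XOR of their plaintexts, and the session key lives in the same process image. The protection is therefore against a casual memory dump or a window spy that scrapes the process, not against someone who can read and analyse the whole process; that matches the page's own qualification "at least not in plain text".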

Locking the Workspace

What happens when you lock the workspace? Why are you sometimes prompted to save the database first? It's simple: locking the workspace just closes the database
completely, but remembers the last view settings (i.e. which group and entry you selected, list position, etc.). This provides maximum security (unlocking the workspace
is as hard as opening the database the normal way) and prevents data-loss (what if your computer crashes while the workspace is locked?).

Each time you start KeePass, the program performs a quick self-test in which the AES/Rijndael cipher and the SHA-256 implementation are checked against their known test vectors.

Internals
There is a password manager class (CPwManager) which handles all operations on the database. It exports functions for editing groups, editing password entries, moving them, etc. This core class is portable: it doesn't depend on any Windows-specific functions.

The class CPwExport handles all export functions. It can export the complete database or just one group. I decided not to include an XML library, which would bloat the KeePass application considerably. Only XML export is implemented for now; an XML importing plug-in exists.

The file "memutils.h" contains some memory and buffer functions like securely erasing a buffer by overwriting it several times before setting it to zero, the same for
CStrings, a routine for copying strings to the Windows clipboard, and a routine for securely deleting files.
The CNewRandom class is a new pseudo-random number generator. It's based on the SHA-256 hash which hashes random sources with a counter to generate secure
random bytes.

Frequently Asked Questions (FAQ)


Here's a mini-version of the KeePass FAQ. You can find the complete, full FAQ here.

How Can I Help You?

Donate, make a translation, test new releases and submit bugs, spread the word that KeePass is good.

E-Mail Column

In short: I won't implement it. You can find the full answer here: full FAQ.

What are those 'Secure Edit Controls'?

Secure Edit Controls are special password edit controls that are resistant to window spies and memory dumpers. More about this here: Secure Edit Controls.

Thanks and Acknowledgements


At this place I want to thank some people for their support, ideas and source code contributions: (in no particular order)

Szymon Stefanek - for his C++ implementation of the Rijndael cipher.


Brian Gladman - for his C implementation of the SHA-2 (256/384/512) hashing algorithms.
Alvaro Mendez - MFC class for validating edit controls (CAMSEdit).
Brent Corkum - for his XP-like menu (BCMenu).
Davide Calabro - for his CButtonST class.
Zorglab, Chris Maunder, Alexander Bischofberger, James White, Descartes Systems Sciences Inc. - MFC class for color pickers (CColourPickerXP).
Peter Mares - for his side banner window class (CKCSideBannerWnd).
Chris Maunder - for his CSystemTray class.
Hans Dietrich, Chris Maunder - for their XHyperLink class.
Lallous - for the nice CSendKeys engine.
PJ Naughter - for the single instance checking class.
Bill Rubin - Command line C++ classes.
Boost Developers - Boost C++ libraries.
All translators (see the translations page).
Paul Tannard, Wellread1, Michael Scheer - for feature suggestions, bug reports and helping others in the forums.
Daniel Turini - for suggesting "KeePass" as the name of the project.
Christopher Bolin - for the nice KeePass main program icons.
David Vignoni - for the nice icon theme 'Nuvola' (which is freely usable under the LGPL license).

History
You can find the latest news and version history on the KeePass homepage.

Some Final Words


I will upload the most important and major versions here on CodeProject. For the latest unstable release, see the KeePass homepage.

That's it. I hope I was able to make your life a bit easier with this tool.

License
This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)


About the Author


Dominik Reichl
Software Developer
Germany

Dominik started programming in Omikron Basic, a programming language for the good old Atari ST. After this, there was some short period of QBasic programming
on the PC, but soon he began learning C++, which is his favorite language up to now.

Today, his programming experience includes C / C++ / [Visual] C++ [MFC], C#/.NET, Java, JavaScript, PHP and HTML and the basics of pure assembler.

He is interested in almost everything that has to do with computing, his special interests are security and data compression.

You can find his latest freeware, open-source projects and all articles on his homepage: http://www.dominik-reichl.de/


Article Copyright 2003 by Dominik Reichl