Hacker News new | past | comments | ask | show | jobs | submit login
KeePass: OpenSource Password Manager (keepass.info)
167 points by Mitt on Feb 4, 2014 | hide | past | favorite | 135 comments



I have tried pretty much every one of the well known password managers (that are open source and work on linux), but never found any of them very convenient to use.

Until I came across this: http://www.zx2c4.com/projects/password-store/

It is simply the easiest, most intuitive password manager out there. One of those things that, once you come across them, you wonder why it took so long for something this logical to come into existence. I am not associated with the project, but these are just a few things I love about "pass"

1. Command-line based: which means I can script it, I can run it remotely, etc.

2. Uses Git to store the passwords: full revision history, changelog, and remote push/sync features that git is SO good at. Other password managers have to reinvent that whole wheel and none seems to do a good job. This also eliminates the need for "hosted" solutions - which I just simply refuse to use.

3. GPG for password encryption: once again, such a natural, awesome way to do things. GPG is already the safest way practical way to secure data-at-rest. I can rest easy that no silly homegrown encryption system was invented. Also, as long as I have the keys, in the worst case I can do the decryption myself, if I do not have access to "pass".

The only thing I believe it might lack is the fact that the names of the entries are in the clear. Which means I cannot setup a github(private) repository as remote for my pass store: the passwords themselves would still be gpg encrypted, thus safe, but the repository will leak names of all websites and userIDs.

In anycase, kudos and thanks to the devs!


Indeed, I love pass. I found that the majority of the time, typing 'pass <servicename>' is faster than clicking through a GUI anyway, and far more convenient if I'm already in the terminal.

And on the web, all the other password managers have browser extensions to autofill data from their own database, but every common browser already does password storage and autofill natively. So once I grab a password from pass the browser remembers it anyway, making extensions unnecessary.

Oh, and the other thing I LOVE about pass is that because it uses GPG, the key encrypting all the data can be held in a nice portable smartcard, since GPG supports them directly, and it all just works when my smartcard is plugged in. I use a yubikey neo with openpgpcard applet for this and it's been great.

I did start writing an OS X dropdown menu for accessing my passwords from pass, but I haven't been in such a hurry to get it done because it doesn't seem all that necessary in practice :)


As someone who does not have my browser remember my passwords I find the auto fill feature of KeePass a necessity.


> the passwords themselves would still be gpg encrypted, thus safe, but the repository will leak names of all websites and userIDs.

Consider encrypting the filenames with Fuse+EncFS. This flaw is pretty huge elsewise; it's why I changed to using gnupg.vim+SublimeGPG.


I went with using a small truecrypt volume mounted at .password-store.


I think just pressing a hotkey to auto-type the correct password and username based on the currently active web page, program, window, etc. is easier still than opening a terminal and running a command. To me at least.


Well, I always have guake running, so for me doing it all on the command-line is WAY faster and more convenient. I forgot to mention that "pass" also has command line completion - which makes retrieval trivial.

I would also be surprised if someone somewhere hasn't already written an "autotype" layer over pass, but thats not something I am personally interested in.

I do agree that for end users this may not be the case. For non-technical people (my parents, for example), I mostly recommend writing their passwords down on paper. They have very few passwords as-it-is, and almost none of them are critical.

My own use case, where I have literally hundreds of pieces of info I need to secure (passwords, key-files, gpg keys, ssh keys, etc), is very different from that of such users. Hence different tools.

Oh, also, "pass" can copy the password to the clipboard, making the copy-paste scenario trivial. In fact, it goes even further by clearing the pass from the clipboard after a preset time.


KeePass can copy to clipboard or do autotype. And I'd say every password manager has to make sure to clear the clipboard afterwards in such cases. This is basic and bog-standard functionality which was present in every password manager I used so far.


I fail to understand how typing anything on the command line would be faster then a single shortcut (cmd + \).


Unfortunately, that's useless if you need to store passwords for anything other than web use, if you need to automate the entering of passwords and so on.


I routinely use it for entering passwords to SSH or RDP sessions, and various other non-web passwords. Why would auto-type work only on the web anyway? You can also customise how the password is entered depending on where you invoke auto-type, e.g. if you need username/password, separated with a tab key in one place, but only the password in another.


Oh, I didn't know that. Sorry!


you make some really good points, as a programmer/scripter but for most end users and consumers they need something intuitive and keeppass is just that. personally I've used roboform now for over 5 years and have never been so happy to pay a yearly subscription fee. stores notes/passwords etc.


I agree. As a programmer/admin, my password storage needs are different than that of an average enduser. Security of my passwords, keys, etc is also significantly more critical and failure cause much more damage. So while KeePass/Lastpass etc might work for an average end user, they suck for my usage scenario.

Never used roboform - its not available for linux, so can't comment there.


We use Keepass at work, but pass is beautiful, the unix way, I'll use it for my personal passwords.


Looks interesting and geeky. Will definitely try this someday. Thanks for the recommendation.



I'm quite surprised to see this on HN homepage, I mean this is such a great and popular tool that I would expect everyone to know about it and find it just an obvious link not to upvote.

Does anyone know if there is a lib to read and write into keepass archives programmatically, e.g. from a C# app? that would be quite useful to manage in an automated way some credentials for production systems, sharing tha archive via versioning repos in a team.


I upvoted it because I use it.

Although since I am studying C#, VB and Java I would be interested to find out the answer to that.




The first link in that link describes a flexible command line you can use for a number of operations. The second describes how you can write c# like script files that will be loaded. Both require the KPScript extension. Why not just bundle/reference keepass.exe since its a .net executable? see http://stackoverflow.com/a/9028433/259130 . Also if you haven't tried it yet you might want to try messing about with https://www.linqpad.net/ (run c# as script file/interactively) like he did.


And if you need multiplatform, there is always KeePassX [1]. I use it on Mac OS X, Windows, iOS, Android and Linux, and it just works.

[1]https://www.keepassx.org/


I was hoping I could find exactly this. Thanks.

The source[1] is also on GitHub too. As a non-c++ programmer, I found it pretty easy to follow along.

[1]: https://github.com/keepassx/keepassx


The dependencies for this seem more appealing than KeePass but unless my searching skills are not up to par there don't appear to be any browser autocompletion plugins.


I've found autotype to be more than enough personally: http://keepass.info/help/base/autotype.html

In fact, I usually just copy the password with Ctrl-C and the username with Ctrl-B. You can configure a secure clipboard erase after n seconds.

One thing I really wish had better support is ssh-based entry-level sync of databases[1]. Keepass has a plugin for it but I don't know the status for KeepassX 2 (currently in a non-stable release state). If I could point KeepassX at an SSH remote path and have it transparently sync at the entry level it'd be almost perfect.

[1]: http://keepass.info/help/v2/sync.html


I've used autotype before and it works fantastic, but you have to be super careful with it. It basically switches back to the last window you had open and immediately types your username and password in. It is very easy for this to type your credentials into the wrong window. When using it (I used it a lot for vmware sessions through an rpd connection), I would find myself clicking back and forth from the target window to keepass a couple times to ensure I was going to hit the right window.


I read that the browser autocompletion plugins from KeePass work with KeePassX, but I've never tested it.


I've been having it on my various systems (Windows, Linux, Android) in the sidelines for a couple months, and after initial fiddling, still haven't actually started using it.

This is mostly because I don't want to have to deal with copy-pasting my password between the KeePass app and the browser (where most of my passwords are needed). Luckily, there are autofill plugins that exist for Chrome [1], Firefox [2], and Android [3].

However:

- said plugins work with KeePass2 which on Linux the GUI theme to the point of being almost unusable (as a C# app using WinForms, it doesn't respect GTK/Qt themeing well).

- getting the KeePass2 plugin needed for the browser plugins requires jumping through hoops on Linux and I haven't gotten it to work (yet?).

- I'm sharing my KeePass database on DropBox (with its own security considerations...) to synchronise between the different systems and...

- The Android app just won't open the shared database.

So it feels like I'm 60% of the way there, but I still don't have a usable system. Hints appreciated.

[1] https://chrome.google.com/webstore/detail/chromeipass/ompiai... [2] https://addons.mozilla.org/EN-us/firefox/addon/passifox/ [3] https://play.google.com/store/apps/details?id=com.hanhuy.and...


Keepass proper has a global Ctrl+Alt+A shortcut that automatically types in your username and password into the form: I've found it works fine on the majority of sites (almost everyone uses username-tab-password-enter, but for the few that don't, you can specify a custom auto type format in keepass. It even has an option to obfuscate the typing to trick keyloggers).

For android, I recommend Keypass2Android: it comes with a custom keyboard you can enable temporarily, which inputs your password without going through the android clipboard. I use it with the dropbox app as well, I'm not sure why it's not working for you.


KeePassDroid is another good one for Android. It does use the clipboard though by giving you two notifications to click on. One for the username, and one for the password of the chosen credentials.

I need to give KeePass2Android a try.


I would try Keepass Droid[1]. I used a similar setup in the past and didn't have issues opening.

Personally, I don't like the idea of browser plugins and I'm perfectly happy using copy and paste.

[1]https://play.google.com/store/apps/details?id=com.android.ke...


For personal use, I've been using LastPass for a few years but have been slowly migrating away from it in recent months. I'm switching to KeePassX which I already use for $work-related data. (I have intentionally avoided the Mono-based applications.)

KeePassX has similar "auto-fill" functionality as well. It's not as perfect or as seamless as LastPass but it is definitely usable (after a bit of one-time per-site tweaking in some cases). Having recently decided that using LastPass presents a non-zero risk, the extra effort I have to spend w/ KeePassX is certainly worth it, IMO.

Although I don't do it now, I have in the past kept my password databases in Dropbox. With Dropbox also installed on my iPhone, I am able to access my password databases use "MiniKeePass" on iOS without any issues.

In addition, there are Windows, Linux, and OS X versions of KeePassX and all of them can open up my .kdb files without any issues.


As others have said, why migrating away from LastPass? They definitely seem to be doing things properly in terms of security and I've been very happy with the security, as well as the ease of use when I set it up on a new machine.


The problem with in-browser password management is that the attacker does not need to escape the browser. Code injection (via XSS or a browser exploit) into a running extension is likely easier than defeating the seccomp-IPC implementation or the AppArmor/SELinux profiles which protect the system. Addons like LastPass are mainly concerned with remote server weaknesses, but nothing will protect the browser from itself.

Another opinion: It's weird loading a browser+environment for non-browser passwords (SSH, HTTP/WebDAV, etc), and it's equally weird managing the passwords separately.


I have the LastPass plugin installed in Firefox, which I use 95% of the time. I also have the mobile app installed on my iPhone.

Why the switch? Recent revelations WRT NSA & the iPhone, recent reports of other plugin developers selling their plugins to shady actors, and my general belief that the most sensitive credentials I have are safer on machines under my control instead of "in the cloud".

I work for an ISP and also manage systems and networks for schools, government organizations, health care facilities, investment firms, law offices, you name it. If someone were to gain access to all of my stored credentials, they could do a LOT of damage -- to myself as well as many, many others.

While I have no reason to believe that there's anything wrong with LastPass (from a security point of view), I am certain that the level of risk is lower with, i.e., KeePassX.


> I've been using LastPass for a few years but have been slowly migrating away from it in recent months.

LastPass user here, wondering why?


same here, why?


(copy/pasted from a sibling reply)

I have the LastPass plugin installed in Firefox, which I use 95% of the time. I also have the mobile app installed on my iPhone.

Why the switch? Recent revelations WRT NSA & the iPhone, recent reports of other plugin developers selling their plugins to shady actors, and my general belief that the most sensitive credentials I have are safer on machines under my control instead of "in the cloud".

I work for an ISP and also manage systems and networks for schools, government organizations, health care facilities, investment firms, law offices, you name it. If someone were to gain access to all of my stored credentials, they could do a LOT of damage -- to myself as well as many, many others.

While I have no reason to believe that there's anything wrong with LastPass (from a security point of view), I am certain that the level of risk is lower with, i.e., KeePassX.


This is probably a good reason ppl stopped using it http://www.tobtu.com/lastpass.php

Plus I wouldn't trust any browser plugin with passwords


I looked into LastPass last week. It looked great on desktops, but on Android it's basically a separate browser. That's a no-go for me, I'd rather stick with Chrome


For those looking for something ultra lightweight, I highly recommend pwdhash (http://pwdhash.com). It's not a password manager, it's just an open source hashing algorithm that protects you from sites storing your password poorly. Instead of depending on them to store your password in a one-way hash, it does it on your end before sending the password to the site.

The algorithm is very roughly base64encode(hash(password + domain)), and then truncated to match your original password length.

The form on the site is just a demo (and backup if you need to use it outside of your own browser). What you really want is the extension (for most major browsers). You can type in the same strong password to every site and the extension will always hash it to the site specific password so you don't have to worry about them storing it poorly. You can also use unique master passwords for certain sites, if you so choose.


I built something like this a while back* but with a slightly more complex algorithm to make it more difficult to find the master password from a set of hashes. I ended up ditching it in favor of KeePass mostly because if a site is hacked and your plaintext hash is compromised there isn't a clean way to generate a new password every time.

* https://github.com/goatslacker/hash


I used pwdhash for a long time, and moved to KeePass. pwdhash is less secure because:

* A site may be able to compromise the browser extension.

* You have to memorize several passwords because sites require different length passwords.

* The code has been reviewed less.

* A key-store like KeePass can store many original passwords, not just one hashed password.

* It doesn't have a non-browser app, so I had to copy paste passwords from the browser, while KeePass has Alt-Ctrl-A.


Oh nice, I've been thinking about something like this a lot lately. I don't really like the idea of truncating the generated password, though. I'd rather it use a proper KDF and fill the password field to its limit.


I think the reason they did it is because a lot of sites have maximum password lengths that would prevent the full output. Those are exactly the type of sites that you want to be using something like this on.


Sure, but as long as the site actually sets the password length limit on the field it shouldn't matter. It will obviously be truncated a lot of the time, but I'd rather it be truncated at thelongestpossible point.

From looking around it seems like the reason is that they wanted the visual representation of typing the password to reflect the number of characters you actually typed as you type them. I'm not sure if this comes out true, though, as I can't actually get it to work in chrome.


The chrome extensions requires putting '@@' at the start of the password field. This turns it yellow to indicate it is now active for that field.

>Sure, but as long as the site actually sets the password length limit on the field it shouldn't matter.

Yes, but in my experience sites rarely implement this. If they do, it's probably inconsistent (i.e. different limits on the login field, create account, and reset password fields).


Yep, tried that. Just doesn't do anything at all as far as I can tell. Maybe it has issues with linux chromium? I dunno.

Re password lengths, my experience is that they usually truncate on the server side at that point, rendering it pretty moot. But yes, I do see this problem. I'm just not sure you're not going to run into it either way if you're practicing good password hygiene. I'd still prefer it make an attempt at adding as much difficulty to the password as possible, though.


I recommend OneShallPass (http://oneshallpass.com) over KeePass. It's open source and auditable like KeePass, but:

1) It doesn't have to be compiled or installed, since it's just a monolithic HTML page with all JS/CSS inline.

2) It has a free, optional hosted service that stores encrypted passwords with pure client-side decryption, so you can get your passwords from any web-enabled device without having to trust the host.


> 2) It has a free, optional hosted service that stores encrypted passwords with pure client-side decryption, so you can get your passwords from any web-enabled device without having to trust the host.

This is an unbelievably audacious security shell game; I can't really believe this nonsense idea has somehow managed to gain traction.

The server is ephemerally delivering the code that supposedly encrypts your content securely.

How do you not have to trust the host?


> How do you not have to trust the host?

By saving the HTML file and opening your local copy. You can audit the code and verify yourself that nothing will go over the wire unencrypted to their servers, so you get the benefit of them hosting the encrypted passes without having to trust them with your data. If you want it available anywhere, you don't want to save the file locally, and you don't trust the host, just host it yourself or grab it from Github.


And hoping it includes all the java it needs, and doesn't go out and pick up some 3rd party library?

You would have to audit it to ensure it never includes everything else, or posts anything externally with every release.

Not my cup of tea, personally.


> And hoping it includes all the java it needs, and doesn't go out and pick up some 3rd party library?

What Java? It's a self-contained, monolithic HTML file with JS and CSS inline. What dependency are you imagining you're not going to have?

> You would have to audit it to ensure it never includes everything else, or posts anything externally with every release.

Exactly as you would with KeePass, or any other conceivable solution. If you don't want to audit future releases, save the last one you audited and use that.


Oops, JavaScript, not Java.


Don't forget to audit your browser (the thing without a version number anymore and with various metatemplates and it dynamically downloads on every load) and it's implementation of ECMAScript. But everyone already knew that.

Really, auditing this is impossible.


By that logic, you can't know KeePass is safe without auditing Mono, your compiler, your checksum tool, the editor you used for the audit, the logic gates of your CPU, etc. Auditing anything is impossible.

If you can't get a copy of Firefox that you trust hasn't been altered as part of a conspiracy to make you believe OneShallPass is a legit password manager, you've got bigger problems.


I built a similar hosted service on AppEngine called KeeStand (http://keestand.appspot.com). Code is on Google Code (https://code.google.com/p/ariwilson/source/browse/#hg%2FKeeS...).

Additional features: - It works offline. - You can import or export your passwords in CSV form. - If you choose to delete your account, it is immediately and irrevocably destroyed.


1) It doesn't have to be compiled or installed, since it's just a monolithic HTML page with all JS/CSS inline.

The obvious and huge difference then would be that KeePass requires a password or key file to open but an HTML page requires only a browser or text editor. Major, major difference to me.


> The obvious and huge difference then would be that KeePass requires a password or key file to open but an HTML page requires only a browser or text editor. Major, major difference to me.

Did you spend even two seconds looking at OneShallPass? Literally the second thing on the page is a field asking for a passphrase, and yet you came here to complain that it doesn't require a passphrase.

The passwords are encrypted. The fact you can read the decryption algorithm in your text editor doesn't let anyone know your passwords, any more than you being able to download and read the source of KeePass lets you read other people's KeePass passwords.


I use a password locker.

It makes me wish there was an open standard for sites to negotiate a new entry with a password manager, something automatic in the background for new registrations.

Site could send password restrictions, like allowed and required character types, minimum length, even maximum length, though that last one would be frowned upon. The locker would reply with a preferred username and random password and add same to the database upon acceptance.


God damn what you mentioned is a brilliant idea. I wish there was some standard for it. These are problems that I'm often inclined to work on solving, but unfortunately they are also the kind that need lots of time and adoption and formal procedures and acceptance from a large group of people to go anywhere so I tend to just day dream about them for a little while then give up, hoping some standard body or an organization like Mozilla do something about it.


Whats the barrier to an RFC? Can just anyone submit one? I'll try a writeup if anyone thinks it's worth putting out there.


I don't think there's any significant barrier to publishing it (probably no barrier at all). But my perception is everything comes after that ... this kind of stuff tends to be very slow moving.


The only problems I have with KeePass are it is Windows-first (though I know there are third part native clients for Linux, OS X, Android etc) and that browser integration is not comparable to something like LastPass. I do want to get away from LastPass as my trust in the cloud (especially US based cloud services) took a dive after Snowdon.


Except that Lastpass doesn't know your passwords. Everything is encrypted before it is sent to Lastpass using a password you control.


...and a mechanism provided by the party you are attempting to secure passwords from. I use LastPass, but just sayin'.


"sent to Lastpass" is enough to disqualify it for me.

http://www.techdirt.com/articles/20130620/15390323549/nsa-ha...


Been using them for a long time. Best software for these purposes. Developers, if you see this, please enable Bitcoin donations.


I have been using this for right at 2 years now and I like it. I havent tried others but it serves my needs and satisfies whatever attributes I need to feel safe.

At times, it contributes to what I call "log in anxiety" in that it necessitates opening the program, and inputting a password to get my other password. But no one ever said the extra security was synonymous with convenience.

And I dont leave it open, nor do I allow it to store any information in browser plugins as this seems counter productive to the sensitive passwords I use in this program.


Being on OS X, I have moved to 1Password. I'm, to this day, a dedicated proponent of Keepass. Anyone, asking me to suggest a Password Manager - my first answer is Keepass (Windows or Linux). Even for OS X, if one cannot afford 1Password yet or do not want to buy it just yet, Keepass is the one.

* Spend some time learning the Keyboard shortcuts and you're all set.

* Keep the Keepass File on Dropbox, so it's sync across your machines and is backed up.

* Sharing common credentials with a team - server login details, team site details etc - have a common Keepass File on Dropbox and share it with your team. Suggestion is to open it as "read-only" unless you're adding new entries.

* You can also have an additional layer of security by using an additional (optional) Key Locker File (besides the main password) to lock Keepass. You can have that on a thumb-drive or some place you know.

* One thing I really wish 1Password has what Keepass has is the auto-generation a password when you enter a new entry. One can set parameters of what password is generated. I have click to get that in 1Password.

P.S. If I remember correctly, Keepass even has a portable version.


Regarding password generation, if you're using OS X you can use Alfred with a workflow to generate a password.


If I may, I have a question that was inspired by using password managers.

Does anyone see any security issues with supporting on a website allowing the user name and password to be entered together in one field? The normal way of entering the user name into one field and the password into another would continue to work. The site would simply check and if the user name field content is blank, and the password field content has a space in it, the password field content will be assumed to actually be the user name and password together, separated by a space.

The idea here is that you'd then be able to enter both the user name and the password with a single copy/paste operation. This would be convenient when using a password manager on an iPad. I sometimes get tired of having to do this:

1. unlock password manager

2. copy user name

3. switch to browser

4. paste user name

5. switch back to password manager

(If using most paranoid security settings, insert another step of "unlock password manager")

6. copy password

7. switch to browser

8. paste password

If the website supported my single-field option, I could just set the password manager to stop the computer user name and password is the password field, and then it is only unlock/copy/switch/paste.


I believe that instead of messing around with a known standard (username + password fields), it would be better if web services would implement two-factor authentication. Password managers would become useless then, because you would be able to use simple passwords that you may remember, while being even more secure.


In Windows, KeePass has Ctrl+Alt+A to auto-type username<TAB>password.


A while back I set off half a day to setup KeePass, not that setting up KeePass takes that long - but generating random passwords for all the sites that I use did. KeePass is great, there's an app for Windows Phone that is great and there is a third party plugin for Chrome that will both enter and help me save passwords when the vault is open.

Great software, everyone should be using password vaults.


I love KeePass, but I want the freaking policy to apply to the database and not the application opening the database - Which is crazy talk!


Really want to start using KeePass on Android with an NFC token, but it looks like the YubiKey Neo might get a new version soon to support U2F. Anyone know if the U2F thing is worth waiting for? Don't want to spend $50 (probably £50) to find it's obsolete next week.


I started using KeePassX because it was a good cross-platform way to store my passwords. I'd had a couple cases where a password had simply gone -missing- for me, so I figured it was time to put all my eggs in one basket and try to not drop that. I figured it was less of a security vulnerability than reusing the same password a bunch of times. I've currently got the kbd file up on the internet at large, in case my house burns down. I figure it'll make HN if the .kbd files are ever found to be hackable, right?

It's a sort of wishful, hopeful approach to password security, really.


I'm a long-time user of pass (http://www.zx2c4.com/projects/password-store/). I prefer tools that integrate well with the command-line, but there's a few things I didn't like about pass, so I started my own password manager, called passman (https://github.com/manicolosi/passman).

I wouldn't recommend using it yet, but any feedback would be super helpful.


I have been using it since version 1. Unfortunately I have upgraded to KP2 which can't easily export/import to KeePassX which is what I want to switch to, mostly because I very rarely use Windows these days and when I do I don't really need my PW-DB.

I'm syncing it via ownCloud for as a testrun (https, non-US site) and it works fine. Not sure I ultimately want to do that via the cloud though. Might just switch to using a USB stick especially since merging DBs works pretty well.


I have this problem as well. For some reason KeePass 2.x (Windows, at work) cannot read KeePass 1.x databases and KeePassX on my Linux computer at home. So if I want to exchange between the 2, I have export from KeePass 2.x, so now I have 2 databases that are generally in sync, until I forget to export it. So not ideal. I'm considering switching from KeePass 2.x to KeePass 1.x (currently 1.26, released in July of last year, so not too old) but I wish these applications would get their compatibility on the same level.

edit: I wasn't sure if KeePassX had a Windows port -- it does and I downloaded it to replace KeePass at work with.


Installed it, seen "I understand that my encrypted data will be sent to LastPass" then uninstalled it. O_O Yeah, definantly better use KeePassX software. Passwords should never be stored online no matter how secure the service claims to be. Especially with recent revelations about all this privacy/security issues in USA. The KeePassX is still in alpha stages, the only availble stable linux version right now for KeePassX is v0.4.3


Using it and loving it. At the office, we have a usb key that contains the key file to open Keepass. So it's like a key that's also a key, you know...


Is this a desktop-only solution, i.e. no mobile? Then it is bound to be a no-go for most users. My checklist is pretty short:

1. Clients available on web and/or all platforms, must be able to add/copy to clipboard passwords on all platforms. 2. Synced or Shared database between all clients. 3. No subscription cost (upfront cost OK).

Nice-to-have things would be browser plugins, command line interface etc., but that isn't essential.


It has mobile counterparts. The copy/paste part is Ok, the syncing depends on the clients. I think syncing is always through some other service, some apps claim a nice integration with dropbox, some are more tedious (I use miniKeePass on iOS and it's not fun to sync), but you won't have any fees other that what you pay for dropbox or some other third party storage.

Overall keepass is far from perfect and lacks polish, but it's good enough for most purposes, and doesn't require an internet connection, which opens more use cases (keeping banking info or wifi passwords for instance)


If I save the database to dropbox so that I have it on multiple PC's at once, how can I ensure I do not overwrite a database that has new entries?

For example say on PC-A I make a change and save it. On PC-B I have the old database still opened and loaded in KeePass. What happens if I then save in PC-B without opening the database up? That means I just lost the one password?


I've had this experience with 2.x and as I recall, on machine B where the file was already open with unsaved changes, I was prompted to merge changes after Dropbox updated the file on disk. Without recalling the details, I was pretty impressed.


Ah okay. Did not know there was a merge function!


We use a source code repo to handle this. Not perfect but better than losing a password.


What if I am using a mobile device though?


I put a tiny Truecrypt container on my file hoster (HiDrive, Skydrive, Dropbox, etc.) in which I store the KeePass keystore. The keystore itself can't get decrypted, but in case AES has weaknesses one first needs to crack the triple encryption of AES+Serpent+Twofish of the Truecrypt container.


You've added another dependency into the mix here.

I've been comfortable storing my database in Dropbox, with a decent length master password (15char+) on the assumption that it uses a high quality hash that would make bruteforcing the encryption impractical, without having to add another layer of encryption above it. Curious if others feel this is a reasonable assumption?


I do that and keep a Key file locally off Dropbox. The combination should be pretty secure.


I do the same. 20+ character master password and Dropbox. Not worried at all.


Using KeePass combined with btsync - fairly decent combination. Have my db synch'd across all my devices, and available from any desktop machine I have access to. Haven't tried using the android version, but I'm sure it works well.

Now I just have to trust the security of btsync


I love this product. I found it via a stackoverflow question about how to store credentials safely. I started using it over a month ago because I have just stored everything in text files (ips, usernames, pass, secure urls, etc...) and wanted to be more organized and secure.


I use this small commandline application called assword[1]. Available on Debian and probably quite easy to get it to work on other GNU/Linux based systems.

[1] http://finestructure.net/assword/


(Disclaimer: I work for Dashlane). I am sad and curious about the fact that nobody mentions Dashlane here. Is it because you guys never heard of it? Or something else ?

I realize KeePass has they key advantage of being open source, but we have good UX :)

Very interested in your thoughts...


From my perspective, there is no source code to review so we have to trust you to have made sensible security decisions, which at least I don't.

UX isn't a big win. KeyPassX is good enough i.e. works with keyboards entirely, is open source, is reviewed, goes to extra lengths not to leave stuff floating around in RAM as well. Oh and works across all platforms I use.


I've been a long time user of Password Safe. Any compelling reason to switch to KeePass?


Password Safe is the real deal because the master wrote it:

https://www.schneier.com/passsafe.html

It is convenient enough - and when it comes to such sensitive digital areas, then I defenitely prefer to take a conservative position over cloud based and client side encrypted solutions.


I've been using both for a while and can say that they seem fairly equivalent. KeePass by default doesn't exit after a timeout which is something I don't enjoy remembering to configure on install.


Any way to transfer LastPass passwords? I've got a huge deal of entries in Lastpass


That was my biggest issue with switching as I have hundreds of entries in LastPass. I spent a few hours moving over my most important/frequently used entries. For the "leftovers", I simply move 'em from LastPass to KeePassX as I need/use them.


I just figured out I could get the portable LastPass -> Export CSV, and then import that in KeePass


Just make sure you don't have some sort of system-wide backup in-place that's going to backup the CSV file, in clear-text, on your disk during the migration.


As of 2.23 via Debian yes: http://i.imgur.com/vCKvoZF.png


Great! What I did was download Lastpass Portable Version and then exported it as a CSV and imported it into KeePass. KeePass already seems more ideal than LastPass.


Does anyone know a way to read usernames/passwords from a KDBX file hosted on Dropbox/Google Drive (similar to 1passwordAnywhere)? That way, if I'm at a new computer, I do not need to download KeePass to open my KDBX.


I forget how I came to KeePass, but I've been using it since around late-2006.

I like how it [the .kdb file, really] can be accessed//written_to in both Linux and Windows, and that it has a usb-portable version.


I've been using Keepass2 for several years and I couldn't be happier. Although its slightly buggy at times on Linux and getting it running on Mac can be a bit difficult.


It doesn't look so flash using my dark theme unfortunately (Gnome 3, Blackbird theme):

http://i.imgur.com/NQYDBQ8.png


Looks like the menu widget and icons are not using GTK for whatever reason. It may be worth pinging the KeePass developers with a screenshot showing that the GTK theme is not being respected properly when rendering the menu - the menu even looks odd using a light-colored theme like Clearlooks because it doesn't match the theme.


KeePass 2 is built on C# and works in Mono. It doesn't use Gtk# but WinForms, which on Linux doesn't follow theming well.


Love it. Use it with Dropbox, and it has a quirk or two with the lock file, but overall it's fantastic. Highly recommended.


I use KeePass + DropBox + KyPass on my iOS devices, which integrates perfectly with iOS DropBox.

Very happy with the combination.


I do something similar. I have a keyfile that I copy over manually so that people need to get more than just my password + .kdb


How does it compare to 1Password? Lmgtfy, I know, just wanted HN's thoughts.


It is GPL and you have the control over your keyfile(s). A browser plugin for the commercial services could any time sneak evil bits in, so you might feel less safe with them (they could upload your masterkey or your decrypted keyfile, when asked by the NSA).


Evil bits could just as easily sneak into Keepass if the author wanted to. It would require someone else constantly auditing all commits along with verifying binary builds posted on the website match the current source's compiled output.

Edit: my above comment is just to prove a point. We put trust in a lot of the software we run. Software being open source does provide some safety, but very very few people will go through the effort to make that verification.


I'm not sure that would be the case based on http://blog.agilebits.com/2013/12/31/the-nsa-can-do-what-to-... (scroll to the Miscellany section)


Also KeepassDroid on Android.


I like KeePass2 personally


What are the differences? I'm using 1.x and haven't found it lacking yet. I tried 2.x for a work password db and didn't find anything that really stuck out from my casual usage of it.


One difference I immediately see is 2.x doesn't use lock files. If you sync password DB's using Dropbox, all you need to do is relaunch the software to open the updated DB.

I use 1.x mostly as a backup.


Multiple file attachments in entries. I think 1.x only supports one attachment per entry.


1Password is another good option, but it will cost you a bunch.


It's completely worth it. It took me ages to decide, but it's absolutely indispensable now.


if one would use projects like this or pass for storing website passwords, what more do those programs offer that firefox sync does not? legitimately asking here..


Somewhat ambiguous domain name!


For some odd reason, KeePass conforms to the OSI model, so it is trivial to circumvent by NSA, since it communicates with its resource protocols (metadata) to XKeyScore via the presentation layer.


Guys, perhaps you should take a look at this and be a little careful with the use of this kind of programs. https://twitter.com/_sinn3r/status/429789012673302528


At a first glance this looks like a keylogger to me. When your system was already successfully attacked then you’re in trouble.


If you have malware on your device that snoops your clipboard activity then you've lost - that's not 'this kind of programs' fault.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: