Review: KeePass password manager
by Steve Ragan - Jul 23 2009, 19:55
The next password manager in The Tech Herald’s series of reviews is KeePass. KeePass could best be described as a small and portable warehouse for your passwords. We took KeePass 2.08 for a spin, with the goal of working out why this little application is so popular and so recommended. Here’s what we discovered.
KeePass isn’t the be-all and end-all of password management software, but for a free application that is OSI (Open Source Initiative) certified, there is a lot of care taken to keep the program useful and small. In all honesty, this is a killer little application.
Installation, which is optional, took forty-one seconds from start to finish. However, KeePass is designed so no installation is needed. It can run from a USB drive, or on a Windows desktop without installing a single thing, so there are no registry keys, no INI files, nothing. Platform-wise, KeePass is available on almost everything from Windows and Linux, to OS X, iPhone, PalmOS, BlackBerry, Android, and J2ME devices.
Once installation is complete, the first thing you need to do is create a database. This process is straightforward, and begins with the creation of a Composite Master Key (CMK). As with the majority of password managers, this CMK will end up being the only password you will need to remember. So strength, as is the common advice in these reviews, is important.
However, KeePass offers some layers to the CMK. Aside from a password, you can also use a key file, as well as the Windows user account, to boost control and security over the KeePass database. You can use any one of the options for the CMK, a combination of them, or all three.
Key files can be created by KeePass; however, if you use them, make sure they are stored securely. If they are ever lost, then the KeePass database and all of the passwords stored within are lost as well. There is no backdoor or recovery.
If you use the Windows account option, you can access the KeePass database only with the account that created it. Changes to the account will not hinder access; however, removal of the account will mean the KeePass database will no longer allow access.
KeePass recommends using at least two of the offered options for the best security, and warns against using the Windows account option only. It should be noted that for The Tech Herald’s testing, we used only the master password option. This is because the review, like all the password manager reviews we will conduct, is based on design, usability, and platform coverage, not overall application security.
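Added example (not part of the original review, and not KeePass's own code): a Python model of a composite key built from a password, a key file and an account secret, showing why every component chosen at creation time is needed to open the database again. The slot labels, the PBKDF2 stretching step, the round count and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

ROUNDS = 100_000  # assumption: demo work factor, not a KeePass setting


def composite_key(password: Optional[str] = None,
                  key_file: Optional[bytes] = None,
                  account_secret: Optional[bytes] = None,
                  *, salt: bytes) -> bytes:
    """Derive one 32-byte key from whichever components are in use."""
    slots = [
        (b"pw", password.encode("utf-8") if password is not None else None),
        (b"kf", key_file),
        (b"ua", account_secret),
    ]
    parts = []
    for label, value in slots:
        if value is not None:
            # The label keeps a password "abc" distinct from a key file "abc".
            parts.append(hashlib.sha256(label + value).digest())
    if not parts:
        raise ValueError("at least one key component is required")
    # Every part is a fixed-size hash, so the concatenation is unambiguous.
    combined = hashlib.sha256(b"".join(parts)).digest()
    # Stretching (PBKDF2 used here as a stand-in) slows password guessing.
    return hashlib.pbkdf2_hmac("sha256", combined, salt, ROUNDS)


def unlocks(db_key: bytes, salt: bytes, **components) -> bool:
    """True if the supplied components reproduce the database key.

    A real database notices a wrong key when decryption fails; comparing
    keys directly stands in for that here.
    """
    return hmac.compare_digest(db_key, composite_key(salt=salt, **components))


# Constructed sample values, for illustration only.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_FILE = b"constructed key file contents"
DB_KEY = composite_key("correct horse", KEY_FILE, salt=SALT)

if __name__ == "__main__":
    print(unlocks(DB_KEY, SALT, password="correct horse", key_file=KEY_FILE))
    print(unlocks(DB_KEY, SALT, password="correct horse"))  # key file lost
```

With the key file missing, the correct password alone derives a different key, which is why a lost key file cannot be worked around.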
Once the database is created, all you need to do is add account information and store your passwords. How you store them and manage them is up to you. There is plenty of room within KeePass to customize the placement, organization, and access to each account. You can create groups for various accounts, sort them and search them, and within each account add detailed information that can be used for auto-fill on forms. For the most part, the process is simple, but if you need help, much like the documentation and resources for RoboForm, KeePass has a wealth of information online. You can access this help from within the database using the various help links.
There are four things you will need for each account: a title, username, password, and URL. If you add just those four items, you can right-click the item within the database, launch the URL in your browser and with another click automatically log in to the page.
You can also drag and drop fields from the database into the Web form, so there are several ways to use the stored information. Also, if you need to see the passwords stored in the database for any reason, the field masking can be disabled with a single click.
The process to set up groups and accounts takes some effort. While it’s simple to do overall, if you intend KeePass to manage several accounts, it might take some time to get everything entered into the database.
Another item of note is the password generator. This little tool will create some great random and secure passwords for use on your various accounts. Since some effort will be spent adding new accounts to the KeePass database, one thing that might be worth the effort is to change your passwords as you add them. For example, if your Yahoo password is “bubbles”, then instead of sticking with that as you add the Yahoo account to KeePass, use the generator to create a stronger password and store it. The image below shows the generator, but more detailed information is here.
Now, there are some drawbacks. The largest is that you need to install plugins before there is any browser-based functionality. However, the fact that there are plugins that add functionality can also be seen as a bonus. The time spent adding and sorting new accounts is a bit of a hassle, but worth the effort at the end of the day.
Overall, KeePass is affordable, it has a strong support system thanks to an avid community of developers and users, it does exactly what you need it to without overcomplicating things, and it can be used anywhere, making it universal. Considering there is no cost at all, download it and see for yourself.
You can get KeePass from http://keepass.info