KeePass Password Manager

Leon
Every boy and girl has their little secret 😉. This article introduces KeePass, a simple, secure and lightweight password manager, and its sibling apps.
image via franco alva

KeePass is a free, open source, multi-platform password manager suitable for personal use.

Password manager

"Why use a password manager?"

"What's the difference from letting the browser save my passwords for me?"

In the early days, the easiest, least secure, and yet most popular way to manage passwords was to write them on sticky notes posted wherever convenient. Today that has largely turned into letting the browser save passwords for us. Whether it is a sticky note or the browser's saved passwords, neither is good practice for anyone who needs to guard their passwords carefully.

Sticky notes need no further comment. A slightly better physical method is the little notebook. A notebook can indeed be kept private, but it cannot be backed up: if it is lost, it is lost for good. There is also the risk of copying mistakes by hand, and the inefficiency of not being able to copy and paste when you use it. However you look at it, it is not a serious approach.

A step up is keeping the passwords in a file that you open and save, in whatever format, encrypted or not. The problem is that it becomes hard to manage once there are many records, and you must plan and organize the layout yourself. In fact this can be regarded as a bare-bones standalone password manager, and it is a simple and effective choice for people who do not have many accounts and secrets.

Then there are browser-saved passwords. Since the mainstream browsers introduced this feature it has indeed met most people's needs, and it comes with synchronization, so the same passwords can be used on a computer and on a phone, which is quite convenient. The big companies behind the major browsers (Safari, Firefox, Chrome, Edge) also seem trustworthy (Google perhaps a little less so... but not so cheap as to steal users' passwords).

However, in some scenarios browser-stored passwords are not enough. The most typical example is Taiwan's online banking, which often asks for four fields at login: ID number, account number, password, and a CAPTCHA. Two of those fields are of password type, that is, the online banking account number and the password are both, in effect, passwords. No browser handles this form of login well, and the most common result is that the browser assigns a value to the wrong field or fails to remember the account number or password at all. Ultimately the browser's password-saving function is too simple: it always assumes a username + password pair, so on a login page with two password fields, such as online banking, even when the browser remembers one of them correctly it will inevitably miss the other.

There is another situation: scenarios outside the browser, where the browser has no reach. There a standalone password manager is also very necessary, for credentials of desktop applications, game accounts, remote logins, key-based authentication, and so on. As these digital services occupy more and more of our lives, a person only accumulates more and more credentials, and to avoid the security risk of reusing the same credentials across services, a standalone password manager is indeed necessary.

Is KeePass safe?

The next question to ask is "is it safe?"

We can examine the security of KeePass from three angles: the security of its encryption algorithms, the security that comes from being open source, and the security of the KeePass application itself.

Security of encryption algorithms

Every password we create in the KeePass app is collected and stored in a single file in kdbx format, just as every record in Excel is stored in an xlsx file. This kdbx file is of course encrypted. According to KeePass's own description, the kdbx file is encrypted with one of three algorithms, AES-256, ChaCha20 or Twofish, all of which are well-studied ciphers with no known practical attacks. Note that the cipher is only half of the story: the key that unlocks the file is derived from your master password by a deliberately slow key derivation function (Argon2 in the current KDBX 4 format, AES-KDF in older ones), so that guessing the password offline against a stolen file is expensive. A strong, unique master password therefore matters more than which of the three ciphers you pick.

Open source security

Open source does not mean absolute security, but KeePass has been developed in the open since 2004, sixteen years of exposure to testing and review. In addition, every change the KeePass developers make is recorded in the version control system, where anyone can inspect it.

You can also look at the CVE record: at the time of writing there are only four vulnerabilities, and all of them have already been fixed.

Security of the KeePass app

As mentioned earlier, the passwords are stored in the kdbx file, and native KeePass has no cloud synchronization service of its own (only synchronization with a file or URL that you host, such as an FTP server). So even if KeePass had a vulnerability, as long as nobody else can get hold of the kdbx file, they cannot use that vulnerability to open it. The flip side is that this protection concerns the file at rest: once you unlock the database on a computer you do not trust, guarding the file no longer helps.

KeePass has also received security certifications from national authorities that attest to its security.

Install and use KeePass

After downloading and installing it from the KeePass website, let's move on to how to use it.

The way to start is, of course, to create a new file: pick a safe directory for the new kdbx, save it under a memorable file name, and then set the password for the kdbx file:

Besides the password, in the "Key file / provider" field below you can also specify a key file for decryption. Password and key file can be used separately or together; if both are set, the kdbx file can only be decrypted when both the password and the key file are supplied. Keep the key file somewhere other than next to the kdbx file (and out of the same backup): a key file that travels with the database adds nothing.
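To make the two points above concrete (the cipher and key derivation behind the kdbx file, and the "password and/or key file" rule), here is an added Python example. It is not part of the original article and not KeePass's code; it is a simplified model of the same structure built from the standard library only. A password and/or a key file are hashed into one composite key (following KeePass's documented key-file rule: 32 raw bytes or 64 hex characters are used as-is, anything else is SHA-256 hashed), that key is stretched with a slow KDF (scrypt stands in for the Argon2 of KDBX 4), and the result is split into a ChaCha20 key (implemented from RFC 8439, one of the ciphers KeePass offers) and an HMAC-SHA256 key. The container layout, the scrypt parameters and the sample entry are assumptions for the illustration; the real kdbx header carries more fields.

```python
"""Simplified kdbx-style container (illustration only, not KeePass code).

composite key -> scrypt (stand-in for Argon2) -> ChaCha20 key + HMAC key.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarter_round(a, b, c, d):
    """ChaCha quarter round, RFC 8439 section 2.1."""
    a = (a + b) & MASK; d = _rotl(d ^ a, 16)
    c = (c + d) & MASK; b = _rotl(b ^ c, 12)
    a = (a + b) & MASK; d = _rotl(d ^ a, 8)
    c = (c + d) & MASK; b = _rotl(b ^ c, 7)
    return a, b, c, d


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block from a 32-byte key, 32-bit counter, 12-byte nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK)
    state += struct.unpack("<3I", nonce)
    x = state[:]
    for _ in range(10):  # 20 rounds = 10 column + diagonal double rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK for i in range(16)])


def chacha20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation): XOR with the keystream, counter starting at 1."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, i // 64 + 1, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)


def key_file_key(contents):
    """KeePass key-file rule: 32 raw bytes or 64 hex chars as-is, otherwise SHA-256 of the file."""
    if len(contents) == 32:
        return contents
    if len(contents) == 64:
        try:
            return bytes.fromhex(contents.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(contents).digest()


def composite_key(password=None, key_file=None):
    """Password, key file, or both: each present factor is hashed, then the concatenation is hashed."""
    if password is None and key_file is None:
        raise ValueError("at least one key source is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_key(key_file)
    return hashlib.sha256(parts).digest()


def derive_keys(master, salt):
    """Slow, memory-hard stretching so offline guessing against a stolen file is expensive."""
    km = hashlib.scrypt(master, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)  # assumed parameters
    return km[:32], km[32:]  # cipher key, MAC key


def seal(plaintext, password=None, key_file=None):
    """Container layout (assumed): salt(16) | nonce(12) | ciphertext | HMAC-SHA256 tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = derive_keys(composite_key(password, key_file), salt)
    ct = chacha20_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(blob, password=None, key_file=None):
    if len(blob) < 16 + 12 + 32:
        raise ValueError("truncated container")
    salt, nonce, ct, tag = blob[:16], blob[16:28], blob[28:-32], blob[-32:]
    enc_key, mac_key = derive_keys(composite_key(password, key_file), salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # same error for wrong key and tampering: no oracle
        raise ValueError("wrong password/key file, or file tampered with")
    return chacha20_xor(enc_key, nonce, ct)


def opens_with(blob, password=None, key_file=None):
    """True if the given factors unlock the container."""
    try:
        unseal(blob, password=password, key_file=key_file)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    entry = b"Title: bank  User: 12345678  Password: s3cret"   # constructed sample entry
    kf = b"constructed key file contents, any bytes will do"   # constructed key file
    blob = seal(entry, password="correct horse", key_file=kf)
    print(opens_with(blob, password="correct horse", key_file=kf))  # True
    print(opens_with(blob, password="correct horse"))               # False: key file missing
```

The MAC is checked before anything is decrypted, and a wrong password and a tampered file produce the same error, so an attacker holding the file learns nothing beyond "it did not open". The cost of each guess is set by the KDF, which is why the Argon2 parameters in a real kdbx file (and the master password's entropy) decide how long a stolen database survives.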

After setting the kdbx password, the property settings on the next page can be skipped. You then arrive at the main window; click an entry or add a new one, and the following dialog box pops up:

The interface is really simple. There are a handful of fields: title, user name, password, a password strength indicator, website address, and notes. Fill in the ones you need and save. In the Advanced tab of the dialog you can attach files to the record, for example some key files can be kept here.

After entering the passwords one by one, remember to save the kdbx file; personally I recommend saving after every change. Typing mistakes are also unavoidable when entering records, so I recommend going to the website and verifying each record once before confirming it.

That is the introduction to usage; since it really is that simple, there is not much more to explain.

Situations where KeePass does not apply

The opening of this article said that KeePass is more suitable for personal use, because compared with organizational password management systems KeePass lacks some functions that organizational password management depends on. Here are a few:

  • No hierarchical access: anyone who can open the kdbx file sees every password in it, so different people cannot be given different levels of access, which organizational password management usually requires.
  • No authentication of the person opening the file: KeePass's password or key file decrypts and verifies the password file, but does not authenticate the user. That normally needs to be tied to the operating system's authentication mechanism, and beyond optionally tying the key to a Windows user account, KeePass has no such function.
  • No richer unlock factors: the only unlock methods are the password and the key file; smart cards or hardware keys are not supported for unlocking, at least not without third-party plugins.
  • The kdbx password file is a local file. An organizational password system may require a non-local architecture, in which every unlock is verified against a central server and the passwords are downloaded from that server into memory, without a physical file being stored locally.

Because of the lack of these features, it is more recommended to use KeePass for personal use.

KeePass' cross-platform sibling

Although KeePass itself is a Windows application, thanks to its open-source nature sibling apps exist on every mainstream platform, and as .NET has gradually become open source and cross-platform, KeePass itself has gained cross-platform capability too. You can find KeePass and the sibling apps for other platforms on the KeePass download page. They are called siblings because the apps for other platforms are not ports of KeePass but independently written programs that follow the KeePass and kdbx specifications, each with its own strengths. The one thing you need not worry about is whether our kdbx file can be used on both computer and phone: it can, so there is no lock-in to one app and no need to rebuild your data when you change platforms.


CC BY-NC-ND 2.0
