The databases are encrypted using the best and most secure encryption algorithms. A password database consists of only one file that can be transferred from one computer to another easily.
KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases.
Both of these ciphers are regarded as very secure. AES, for example, became effective as a U.S. federal government standard and is approved by the National Security Agency (NSA) for top secret information.
KeePass uses the common CSV export format of various password safes like Password Keeper and Password Agent. Exports from these programs can be easily imported to your KeePass databases. The password list can be exported to various formats like TXT, HTML, XML and CSV.
The application has a portable edition: you can carry it on a USB stick, and it runs on Windows systems without installation.
- The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too.
- SHA-256 is used to hash the master key components. SHA-256 is a 256-bit cryptographically secure one-way hash function. No attacks are known yet against SHA-256. The output is transformed using a key derivation function.
- Protection against dictionary and guessing attacks: by transforming the master key component hash using a key derivation function (AES-KDF, Argon2, …), dictionary and guessing attacks can be made harder.
- Process memory protection: your passwords are encrypted while KeePass is running, so even when the operating system dumps the KeePass process to disk, your passwords aren’t revealed.
- [2.x] Protected in-memory streams: when loading the inner XML format, passwords are encrypted using a session key.
- Security-enhanced password edit controls: KeePass is the first password manager that features security-enhanced password edit controls. None of the available password edit control spies works against these controls. The passwords entered in those controls aren’t even visible in the process memory of KeePass.
- The master key dialogue can be shown on a secure desktop, on which almost no keylogger works. Auto-Type can be protected against keyloggers, too.
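A sketch of the master key pipeline described in the list above (SHA-256 over the key components, then AES-KDF key stretching), added here as an illustration and not KeePass's own code. The function names, the component layout, the sample inputs and the round count are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// compositeKey hashes each master key component with SHA-256, then hashes
// the concatenation of those hashes (layout assumed for this sketch).
func compositeKey(components ...[]byte) [32]byte {
	var joined []byte
	for _, c := range components {
		h := sha256.Sum256(c)
		joined = append(joined, h[:]...)
	}
	return sha256.Sum256(joined)
}

// aesKDF encrypts both 16-byte halves of the key `rounds` times with AES-256
// keyed by the seed, then hashes the result with SHA-256. Every password
// guess has to repeat all rounds, which is what slows dictionary attacks.
func aesKDF(key, seed [32]byte, rounds uint64) ([32]byte, error) {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		return [32]byte{}, err
	}
	buf := key
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(buf[:16], buf[:16])
		block.Encrypt(buf[16:], buf[16:])
	}
	return sha256.Sum256(buf[:]), nil
}

func main() {
	// Constructed inputs: the seed stands in for a random per-database value.
	seed := sha256.Sum256([]byte("constructed demo seed"))
	ck := compositeKey([]byte("correct horse"), []byte("constructed key file bytes"))
	for _, r := range []uint64{1, 60000} {
		out, _ := aesKDF(ck, seed, r)
		fmt.Printf("rounds=%d key=%s...\n", r, hex.EncodeToString(out[:8]))
	}
}
```

Raising the round count increases the cost of each guess linearly for an attacker and for the legitimate user alike.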
Changes in KeePass 2.50:
New Features:
- On most Windows systems, AES-KDF is now about twice as fast as before.
- On most Linux systems, AES-KDF is now about 4 times as fast as before, if the ‘libgcrypt’ library is installed.
- On most Windows systems, Argon2d and Argon2id are now about twice as fast as before (for default parameters).
- On most Linux systems, Argon2d and Argon2id are now about 3 times as fast as before (for default parameters), if the ‘libargon2’ library is installed.
- The option ‘Enter master key on secure desktop’ is now also supported by master key prompt dialogues shown during imports, confirmations (before exporting, printing, changing the master key, …) and trigger actions.
- The option ‘Enter master key on secure desktop’ is now also supported by master key creation/change dialogues.
- The key file/provider combo boxes in the master key dialogues now have a tooltip that shows the current value, if the value is very long.
- When running on .NET 4.7.2 or higher, GZip decompression is faster now (i.e. most databases are opened a bit faster, pasting entries from the clipboard is a bit faster, …).
- Added password generation button in the entry string field dialogue.
- When double-clicking the title cell of an entry in the main entry list while holding down the Shift key, the title is now copied to the clipboard.
- Added support for opening URLs with Pale Moon, Epiphany and Midori in private mode.
- Enhanced application detection on Unix-like systems (support for certain Snap packages, …).
- Added support for detecting the latest versions of Chromium on Unix-like systems (for ‘Open with …’ commands in the ‘URL(s)’ menu, for the {GOOGLECHROME} placeholder, …).
- In the ‘URL(s)’ menu, there now are separate commands for Google Chrome and Chromium, if both are installed.
- Enhanced support for detecting Vivaldi, Brave, Pale Moon and Epiphany.
- Added support for importing Kaspersky Password Manager 9.0.2 TXT files.
- Bitwarden import module: added support for importing subfolders, and collection names are now imported as tags.
- In the ‘About KeePass’ dialogue, each item in the components list now has a tooltip that shows the file/folder path of the component, if it is installed.
- In the ‘About KeePass’ dialogue, double-clicking on a component now shows the component file/folder with the file manager.
- In the ‘About KeePass’ dialogue, the components list now has a context menu that provides the following new commands: ‘Show with File Manager’, ‘Copy Version/Status’ and ‘Copy Path’.
Improvements:
- If the option ‘An entry matches if one of its tags is contained in the target window title’ is turned on, auto-type now additionally considers tags inherited from groups.
- The built-in password generation patterns ‘Hex Key – *-Bit’ now use upper-case hexadecimal symbols.
- Improved Spr variance check of the password generator (custom string references, …).
- All commands in the password generator menu (shown by the password generator buttons in entry/string dialogues) support the option ‘Show dialogue for collecting user input as additional entropy’ now.
- Improved entropy collection dialogue.
- Improved control state updating in the master key prompt dialogue and in the master key creation/change dialogue.
- Improved key file existence check in the master key creation/change dialogue.
- Improved master key construction.
- Improved handling of exclusive key providers.
- Improved compatibility of some dialogues with plugins that can cancel closing the dialogue.
- Improved automatic entry selections in the main entry list.
- Access key improvements.
- Improved entry equality test to prevent the creation of unnecessary history entries during certain operations.
- XML Replace: improved entry modification detection.
- Improved initial input focus in the single edit dialogue.
- In the import/export dialogue, the icon of an import/export module now matches the file/procedure type.
- DataVault CSV import module: improved importing of notes.
- Improved native buffer handling.
- When opening/copying the URL of an entry, the last access time of the entry is updated now.
- TrlUtil: added DPI awareness mode declaration.
- Various UI text improvements.
- Various code optimizations.
- Minor other improvements.
Bugfixes:
- Column header context menus are not shown for non-report list views anymore.
- When copying a URL to the clipboard fails, the main entry list is updated now.
- Toggling the password generator option ‘Show dialogue for collecting user input as additional entropy’ now causes a switch to the ‘(Custom)’ profile.
- In the TAN wizard dialogue, group names containing ampersands are displayed correctly now.