Password managers really have taken off since 2014. Of course, power users were using them well before then. But what about KeePass? Is KeePass safe to use? It happens to be one of our favorite password managers, as it was one of the first we used, and in this article we'll go over why we still love it.

One of the reasons is that KeePass has some of the best help documentation we've seen across password managers. Another is that KeePass publicly documents and responds to reported security issues rather than ignoring them.

Not everyone is confident in choosing this option, however. In this article, we'll go over a few concerns others have raised about the security of KeePass, and we'll explain why we think these concerns are vastly overblown.

You Have Control Over the Security of Your Database

First up, we'll say that the KeePass database format is secure. If the defaults don't satisfy you, you can raise the cost of a brute-force attack yourself: KeePass derives the database encryption key from your master password through a deliberately slow key derivation function (AES-KDF, with a configurable number of key transformation rounds, in KDBX 3.1; Argon2 in KDBX 4), and you control its parameters.

To review database security options, do the following:

  1. In KeePass, Click on File.
  2. Click on Database Settings.
  3. Click on the Security tab.

Set the cost to what you like. KeePass offers a 1-second-delay button that picks a value your own machine takes about a second to compute. Figures like 5,000,000 AES-KDF rounds (roughly a 1 s delay on typical hardware) come up repeatedly in forums and answer sites, but the right number depends on your hardware, and remember that the same delay applies every time you, or any slower device syncing the database, unlock it.

KeePass has a newer database format, KDBX 4, which is pretty beefy: its Argon2 key derivation is memory-hard, so each guess costs an attacker RAM as well as time, which blunts GPU-based cracking far more than AES-KDF does. Sure, any database is still breakable with enough resources thrown at it if the master password turns up in a dictionary or leaked password list. For a strong master password, though, the time and cost aren't feasible.
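Because the KDF settings live unencrypted in the file's outer header, you can audit a database's cost parameters without unlocking it. The following is an added example written for this article, not KeePass's own code: it parses the KDBX 4 outer header (12-byte signature/version, type-length-value fields with 32-bit lengths, a VariantDictionary in field 11 holding the KDF parameters, then a SHA-256 of the header) and reports cipher and KDF cost. The sample files it inspects are constructed in memory with dummy seeds and an all-zero HMAC slot, so nothing is decrypted and no real database is needed; the UUIDs are the ones KeePass publishes for its ciphers and KDFs.

```python
"""Report the cipher and KDF cost recorded in a KDBX 4 outer header.

Added example (not KeePass code). Sample headers are constructed below.
"""
import hashlib
import struct

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67
KDF_UUIDS = {
    bytes.fromhex("c9d9f39a628a4460bf740d08c18a4fea"): "AES-KDF",
    bytes.fromhex("ef636ddf8c29444b91f7a9a403e30a0c"): "Argon2d",
    bytes.fromhex("9e298b1956db4773b23dfc3ec6f0a1e6"): "Argon2id",
}
CIPHER_UUIDS = {
    bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256-CBC",
    bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"): "ChaCha20",
}
# VariantDictionary value-type tags.
VD_UINT32, VD_UINT64, VD_BOOL, VD_INT32, VD_INT64, VD_STRING, VD_BYTES = (
    0x04, 0x05, 0x08, 0x0C, 0x0D, 0x18, 0x42)
VD_FMT = {VD_UINT32: "<I", VD_UINT64: "<Q", VD_INT32: "<i", VD_INT64: "<q"}


def parse_variant_dict(buf: bytes) -> dict:
    """Decode a VariantDictionary: version, then type/name/value triples, 0x00 end."""
    (version,) = struct.unpack_from("<H", buf, 0)
    if (version & 0xFF00) > 0x0100:
        raise ValueError(f"unsupported VariantDictionary version {version:#06x}")
    out, pos = {}, 2
    while buf[pos] != 0:                       # 0x00 terminates the dictionary
        vtype = buf[pos]
        (nlen,) = struct.unpack_from("<i", buf, pos + 1)
        name = buf[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        (vlen,) = struct.unpack_from("<i", buf, pos)
        raw = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype in VD_FMT:
            out[name] = struct.unpack(VD_FMT[vtype], raw)[0]
        elif vtype == VD_BOOL:
            out[name] = raw != b"\x00"
        elif vtype == VD_STRING:
            out[name] = raw.decode()
        elif vtype == VD_BYTES:
            out[name] = raw
        else:
            raise ValueError(f"unknown VariantDictionary type {vtype:#x}")
    return out


def inspect_kdbx4(data: bytes) -> dict:
    """Parse the outer header, verify its SHA-256 trailer, summarise the KDF cost."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    if version >> 16 != 4:
        raise ValueError(f"expected KDBX 4, got major version {version >> 16}")
    pos, fields = 12, {}
    while True:
        fid = data[pos]
        (size,) = struct.unpack_from("<I", data, pos + 1)
        fields[fid] = data[pos + 5:pos + 5 + size]
        pos += 5 + size
        if fid == 0:                           # EndOfHeader
            break
    # A plain SHA-256 of the header follows it; check it before trusting any value.
    if hashlib.sha256(data[:pos]).digest() != data[pos:pos + 32]:
        raise ValueError("header hash mismatch: file truncated or tampered")
    kdf = parse_variant_dict(fields[11])
    name = KDF_UUIDS.get(kdf["$UUID"], "unknown")
    report = {"cipher": CIPHER_UUIDS.get(fields[2], "unknown"), "kdf": name}
    if name == "AES-KDF":
        report["rounds"] = kdf["R"]
    elif name.startswith("Argon2"):            # "M" is stored in bytes
        report.update(iterations=kdf["I"], memory_mib=kdf["M"] // 2**20,
                      parallelism=kdf["P"])
    return report


def encode_variant_dict(entries) -> bytes:
    """Inverse of parse_variant_dict, used only to build the constructed samples."""
    out = struct.pack("<H", 0x0100)
    for vtype, name, raw in entries:
        n = name.encode()
        out += bytes([vtype]) + struct.pack("<i", len(n)) + n
        out += struct.pack("<i", len(raw)) + raw
    return out + b"\x00"


def build_sample_kdbx4(kdf_params: bytes) -> bytes:
    """Constructed KDBX 4 outer header only (no payload); HMAC slot left as zeros."""
    hdr = struct.pack("<III", SIG1, SIG2, 0x00040000)
    for fid, val in [(2, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")),
                     (3, struct.pack("<I", 1)),   # gzip compression flag
                     (4, b"\x11" * 32),           # master seed (dummy)
                     (7, b"\x22" * 16),           # IV (dummy)
                     (11, kdf_params),
                     (0, b"\r\n\r\n")]:           # EndOfHeader
        hdr += bytes([fid]) + struct.pack("<I", len(val)) + val
    return hdr + hashlib.sha256(hdr).digest() + b"\x00" * 32


ARGON2_PARAMS = encode_variant_dict([
    (VD_BYTES, "$UUID", bytes.fromhex("ef636ddf8c29444b91f7a9a403e30a0c")),
    (VD_BYTES, "S", b"\x33" * 32), (VD_UINT32, "P", struct.pack("<I", 2)),
    (VD_UINT64, "M", struct.pack("<Q", 64 * 2**20)),
    (VD_UINT64, "I", struct.pack("<Q", 2)), (VD_UINT32, "V", struct.pack("<I", 0x13)),
])
AESKDF_PARAMS = encode_variant_dict([
    (VD_BYTES, "$UUID", bytes.fromhex("c9d9f39a628a4460bf740d08c18a4fea")),
    (VD_BYTES, "S", b"\x44" * 32), (VD_UINT64, "R", struct.pack("<Q", 6_000_000)),
])

if __name__ == "__main__":
    for params in (ARGON2_PARAMS, AESKDF_PARAMS):
        print(inspect_kdbx4(build_sample_kdbx4(params)))
```

On a real file you would pass `open(path, "rb").read()` to `inspect_kdbx4`; the header hash check fails loudly on a truncated or edited file, and a report showing AES-KDF with a round count in the thousands, or Argon2 with only a megabyte of memory, is the cue to revisit the Security tab.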

KeePass Has Stood the Test of Time

If you look at the ratings KeePass has received, you can feel confident using this password management solution. Some accolades include but are not limited to:

  • 45+ recommendations or awards from websites and magazines.
  • KeePass participated in the EU-FOSSA 2 project, an EU-funded bug bounty that paid hackers to find vulnerabilities in it.
  • KeePass is the password manager recommended by the German Federal Office for Information Security (BSI).
  • Recommended by the Swiss Federal Office of Information Technology, Systems and Telecommunication, and the Federal IT Steering Unit.
  • and many more!

Security Issues

Nearly all password managers have had security issues. KeePass stores your database as a local file under your control rather than on a vendor's servers, so a breach at the vendor, the kind of incident that has hit several mainstream password managers, cannot expose your vault.

As we mentioned previously, security issues pinned on KeePass are mostly overblown. People see a reported issue and draw the wrong conclusion because they don't look at what the attack actually requires. Most issues raised against KeePass need some other precondition, usually an attacker who can already run code on your machine, before they become a problem.

Simply put, your computer would have to be compromised for KeePass to be compromised. At that point you have bigger problems. The resulting breach would be due to bad cyber hygiene, not to KeePass itself.

Security Tools

KeePass has written about KeeFarce, a pentesting tool published on GitHub. The tool must first run on the target computer under the victim's own user account. That's not all. Once the tool has been compiled, delivered, and launched, the target must have KeePass running with the database unlocked.

Only then can the tool inject a DLL into the running KeePass process and make it export the entire decrypted database as a plaintext CSV file. Yes, this would be bad for you, but once again, it requires your computer to be compromised already. KeeFarce itself is not an exploit of KeePass; it only works from inside a machine the attacker already controls, so real-world use would need spyware to deliver and run it.

The Real Problem

The developers of KeePass put this in a simple yet profound way: KeePass cannot protect itself from targeted spyware once the computer it runs on is compromised.

“If a bad guy can install software on your computer, it’s not your computer anymore.”

You would need to make sure of the following:

  • Your system is updated.
  • You are using good, updated antivirus software.
  • Do not install software from untrusted sources.
  • Do not click on unknown links and attachments.
  • Use a proper firewall.
  • Restrict physical access to your system, and lock it when you step away.

This keeps out ordinary malware as well as repurposed security tools like KeeFarce.

For KeePass itself, review the workspace auto-lock timeout and the clipboard auto-clear setting (Tools > Options > Security). Don't assume both are enabled in your version; check them, because a database that sits unlocked indefinitely is exactly what a tool like KeeFarce needs.

Crackable Passwords

This is the other elephant in the room. Your database security largely rests on how well-crafted your master password is. Would it fall to a dictionary attack with the usual mangling rules (capitalization, leetspeak, an appended year)? A one-second KDF delay slows an attacker down, but a master password built from a dictionary word plus a suffix is still within reach; a long random passphrase is not.
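To make that concrete, here is an added example (ours, not KeePass code) that models a wordlist-plus-rules attack: it generates the candidates a small, constructed rule set derives from each base word, counts the keyspace, checks whether a given master password is reachable, and converts the keyspace into cracking time for a caller-supplied guess rate. The guess rates and the five-word list are assumptions; the real figure depends on your KDF settings and the attacker's hardware.

```python
"""Model a wordlist-plus-rules attack on a master password.

Added example, not KeePass code. The rule set below is a constructed,
deliberately small stand-in for the rule files real crackers use.
"""
import math

LEET = str.maketrans("aeios", "43105")
SUFFIXES = ([""] + [str(n) for n in range(100)]
            + [str(y) for y in range(1950, 2031)] + ["!", "!1", "123"])


def mangle(word: str):
    """Candidates the rule set derives from one base word: case variants,
    leetspeak substitution, and a short digit/year/symbol suffix."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def rule_keyspace(words) -> int:
    """Number of distinct candidates the rules produce over the whole list."""
    seen = set()
    for w in words:
        seen.update(mangle(w))
    return len(seen)


def in_rule_keyspace(candidate: str, words) -> bool:
    """True if the rules reach this password from some word in the list."""
    return any(candidate == c for w in words for c in mangle(w))


def seconds_to_exhaust(n_candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return n_candidates / guesses_per_second


def passphrase_bits(dictionary_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly at random from a dictionary."""
    return n_words * math.log2(dictionary_size)


if __name__ == "__main__":
    words = ["password", "keepass", "summer", "dragon", "secret"]   # constructed
    space = rule_keyspace(words)
    print(f"{len(words)} words x rules -> {space} candidates")
    # Per-word yield is roughly constant, so scale to a 100k-word list.
    big = space * (100_000 // len(words))
    # Assumed rates: a 1 s KDF delay gives 1 guess/s per core; 1 vs 1000 cores.
    for rate in (1.0, 1_000.0):
        days = seconds_to_exhaust(big, rate) / 86_400
        print(f"~{big:,} candidates at {rate:g} guess/s: {days:,.1f} days")
    print("P455w0rd2019 reachable:", in_rule_keyspace("P455w0rd2019", words))
    bits = passphrase_bits(7776, 4)            # four Diceware-style words
    years = 2 ** bits / 1_000 / 86_400 / 365
    print(f"4-word passphrase: {bits:.1f} bits, ~{years:,.0f} years at 1000 guess/s")
```

The point the numbers make: with a 1 s delay, a wordlist of 100,000 words under even this toy rule set is exhausted in a few days by a modest cluster, while a four-word random passphrase (about 52 bits) stays out of reach by many orders of magnitude. The KDF cost multiplies the attacker's work; it cannot replace the entropy your master password lacks.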

Conclusion

If you would like additional reading on the security of KeePass, we recommend Part 1* and Part 2* of the case studies by harmj0y. We very much enjoyed them, but be warned: the reading is quite heavy for ordinary people. They go into far more depth on the security efficacy of KeePass through practical means, including extracting the master key from a running KeePass process.

Update: The harmj0y case studies appear to be down. Here’s a link to the slide deck to his presentation on the topic: A Case Study in Attacking KeePass. Also, here are the original blog post URLs in case they return:

  • https://www.harmj0y.net/blog/redteaming/a-case-study-in-attacking-keepass/
  • http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/

Let us know what you like or don’t like about KeePass and what you think of their security in the comments below!