KeePass Reviews

KeePass have security flaw in update mechanism, developer refuse to fix 1 Helpful

Negative Review by Distortion
about KeePass Jun 2016

KeePass have MitM security flaw in update check. KeePass uses, in all versions up to the current 2.33, unencrypted HTTP requests to check for new software versions. An attacker can abuse this automatic update check – if enabled – to “release” a new version and redirect the user to a malicious download page.

KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.

[Edited by Distortion, October 15]


Possibly the best password/account/license/data/whatever manager there ever was! 1 Helpful

Positive Review by alterkenji
about KeePass and KeePassDroid Feb 2015

I'm using it for everything that needs extra protection; passwords, passcodes, accounts (shops, banks etc), license keys, credit cards and much more.

The auto-type functionality is extremely handy, allowing me to conveniently use unique login/pass for everything (as an example it even works with the login screen in Elder Scrolls Online). There are special cases where it doesn't work by default, but they are very few and since KeePass offers flexible auto-type customization, there's usually a way to get it to work anyway if you need it (e.g. by targeting a specific window/process and altering the keys that are being sent to it). Or you don't have to use auto-type of course. :)

I've never come across a better piece of software for this purpose, and being both free and open source makes it a no-brainer.

I had a few minor problems with it a while ago, but the author fixed them very quickly as soon as I reported them! Dominik Reichl is both very dedicated and highly skilled!

I run it stand-alone and don't use any kind of browser integration since I consider that very insecure. I do however use the simplistic DB Backup plugin to create a new backup every time I save (yes, the more backups with minor changes, the easier it probably is for an adversary to crack the encryption, but I don't have anything incriminating or of national security interest so I don't worry if somebody would decide to do a serious targeted attack on my data - it's good enough for me to keep regular criminals and other idiots away). I place the database + backups in my Dropbox account for off-site backup and painless synchronization between all my devices where I use KeePass (i.e. my Windows workstations, Windows laptop, Android tablet and Android phone - the latter two using KeePassDroid).

Just a tip though: if you're using Dropbox (or any other off-site storage) as off-site backup, don't have the Dropbox login/pass only in KeePass. Why? Let's say your on-site backup and all devices you have KeePass installed on are destroyed (e.g. by fire) or stolen, how are you going to fetch your KeePass backup from Dropbox if you don't remember the Dropbox login/pass? That's a catch-22 you don't want; you'd need the Dropbox login/pass to get the KeePass backup, but you'd need the KeePass backup to get the Dropbox login/pass. Whoops!

Anyway, KeePass is a project well worth donating to, which I of course have done. I sincerely hope everybody else loving it also donates; KeePass deserves to be kept alive! :)

[Edited by alterkenji, February 17]


Best open source password manager

Positive Review by lebaux
about KeePass and LastPass Feb 2015

Best OSI certified piece of software. Very transparent, functional, and with lot of extensions - KeeFox, KeePassDroid, KeePass2Android... if you are on MAC/LINUX, there is a Small KeePassX iconKeePassX Most important factor is that your database is always stored on your drive, and you have absolute control over your passwords, unlike . Don't get me wrong, lastpass is overall good software, but it is still proprietary.