KeePass Cloud Sync in 2022: The Ultimate Guide

In the article “How do you manage your passwords?” I described some thoughts on how to handle passwords securely. One possible solution to make the handling of passwords more secure is to use a password manager like KeePass. KeePass is free software and can therefore be used completely free of charge on all kinds of devices.

Aim of this article

Overview of the possibilities of the free password manager KeePass and its integration in the various operating systems

Effort

Reading time: approx. 14 minutes

Why KeePass and not a pure cloud solution like LastPass or Bitwarden?

  • KeePass, like Bitwarden, is free (not only the desktop program, but also extensions and mobile apps).
  • KeePass is independent in that it works on the local computer without any server services, yet the data can still be synchronized via a cloud provider.
  • KeePass is flexible and offers more implementation options.

See also: Password manager KeePass vs. LastPass vs. Bitwarden - comparison.

KeePass' implementation options range from offline use on a local drive or USB stick to synchronization via a cloud provider. KeePass allows more leeway in implementation and setting options, or in the choice of plugins and apps, and therefore sometimes requires some planning. However, KeePass requires much less effort than, for example, a self-hosted Bitwarden installation.

With the right configuration or extensions, passwords can be accessed from anywhere, and when using AutoFill, passwords are automatically suggested when KeePass is open.

To achieve the same comfort as with LastPass, KeePass requires a few more steps, but KeePass always remains under your own control, since the password database can be placed on any storage. Unlike LastPass, KeePass does not store the password database with a cloud provider, but in a local file. To make KeePass cloud-ready, the file can be synced via any cloud provider (Dropbox, Google Drive, OneDrive, NextCloud). At this point, please do not panic: If the file falls into the wrong hands, it will be worthless without the associated master password.

Mobile apps allow you to access the password database from your smartphone or tablet.

For the following implementation examples, I tested the operating systems Windows, Linux, and Android as well as the two well-known cloud storages Google Drive and Dropbox.

For database synchronization, the implementation should look something like this:

KeePass should be opened with a local copy of the database, and when it is saved, the changes are then synchronized with the cloud version. On Android, the app takes care of this in all cases. Google Drive has a sync plugin that can do the job, but only for Windows, not Linux. In all cases, however, the cloud provider's sync tool can be used in combination with a trigger in the KeePass client, see Trigger.

KeeWeb

KeeWeb is an alternative KeePass client which can be run directly in the browser without client installation. The KeePass files are compatible with the classic KeePass2 client and can either be opened from an existing KeePass file or created directly in KeeWeb. The data is stored in the browser's memory for the time being, but can also be stored in Dropbox, Google Drive, OneDrive or on a WebDAV folder in addition to a local file.

If the database is stored with a cloud provider, it can be accessed directly in the browser from any client or mobile device, completely without installation. KeeWeb is therefore much faster and simpler to implement than KeePass, but the existing KeePass plugins of the classic KeePass2 client are not compatible with KeeWeb.

It would also be conceivable to access the database from certain devices with the KeePass2 client, and from others without installation via KeeWeb.

The easiest way to access KeeWeb is via the KeeWeb website: https://keeweb.info/. Alternatively, KeeWeb can be hosted on its own static webspace or locally on the client.

But now back to the classic KeePass2 client:

Using the saved credentials

With KeePass it is possible to enter certain values, such as the username and password, in a window using AutoType. KeePass simulates a keyboard for this and types the corresponding values. To do this, the corresponding field is selected in the window and the keyboard shortcut (default: Ctrl + Alt + A) is pressed; the corresponding value is then filled in, e.g. matched by a window title previously stored in the KeePass entry. It is also possible to select the value in KeePass and then click on the window, whereupon the selected value is typed. AutoType can thus be used for all programs even without the corresponding plugins. By means of URL overrides the values can be passed to certain programs, see e.g. RDP. In addition, there are plugins for certain programs, for example for all common browsers, which take over the filling of the login data, and for Android, as an example, there is an AutoFill integration. Depending on the operating system, there are different helpers for the use of passwords.

Windows

For the setup on Windows, the first thing you need is of course the actual KeePass client, which is available in different variants, for example KeePassXC. Compared to the original KeePass 2 client, KeePassXC has a more modern interface but no triggers or URL overrides, which is currently the reason for me to use the KeePass 2 client.

The download can be found on the following page: sourceforge.net/projects/keepass/files/

If you want to change the language to German, you can do this by installing the language files, which can be downloaded from the following page: http://keepass.info/translations.html.

The database file should be stored on the local hard drive in any case, even for use with remote storage such as Google Drive, Dropbox or other cloud providers. The use of the local file and a synchronization with the version at a cloud provider increases the stability by creating an additional copy of the database file.

When creating the file, the already mentioned master password is set:

To increase security, I also created a key file. The key file must be available for opening the database file together with the password, so I copied the file to all devices that later need access to the database. If someone should have access to the cloud storage and therefore to the database file, they will additionally need not only the password, but also the key file. The database file alone is worthless.

When the database is opened for the first time, it contains 2 sample entries and folders, which can be deleted. New entries can now be added:

Browser integration

For the browser integration, i.e. the automatic filling of the passwords in the browser, either AutoType can be used or corresponding plugins.

For Firefox for example the extension KeeFox can be used, for Google Chrome ChromeIPass in combination with KeePassHttp. KeePassHttp is installed as a plugin in KeePass. Source: raw.github.com. As with LastPass, the browser then requires another plugin, in this case ChromeIPass.

The installation is done by simply copying the file KeePassHttp.plgx into the Plugins directory of KeePass:

In addition, we still need the extension chromeIPass to automatically fill in the password fields in the browser: https://chrome.google.com/webstore/detail/keepasshttp-connector/dafgdjggglmmknipkhngniifhplpcldb?hl=en-US

chromeIPass can connect to the password database when KeePass is open. When connecting for the first time, the browser plugin must be linked to KeePass; this is done using “Connect”:

Integration of non-browser credentials:

KeePass can also be used to pass the login to an RDP connection or a Putty session.

If you want your remote desktop connections to log in automatically from KeePass you can configure this using the URL overrides:

RDP (Remote Desktop Session).

To automatically start RDP sessions from KeePass using “Open URL”, RDP must be entered under URL Overrides.

cmd://cmd /c "cmdkey /generic:TERMSRV/{T-REPLACE-RX:/{BASE:RMVSCM}/(:\d{3,4}\z)//} /user:{USERNAME} /pass:{T-REPLACE-RX:!{PASSWORD}!\&!^&!} && start mstsc /v:{URL:RMVSCM} && timeout /t 10 /nobreak && cmdkey /delete:TERMSRV/{T-REPLACE-RX:/{BASE:RMVSCM}/(:\d{3,4}\z)//}"

This version also works with an & in the password and when a port is specified in the URL. The host is determined using T-REPLACE-RX: BASE:HOST or URL:HOST did not work for me.

The original version is from this page: blog.bitcollectors.com/adam

The call from KeePass (URL entry) is then done using the following URL: rdp:IP (e.g.: rdp:192.168.0.2)
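
The two T-REPLACE-RX expressions in the RDP override above, emulated in Python as an added example (not part of the original article or of KeePass). It assumes that RMVSCM simply drops the "rdp:" prefix; the function names are hypothetical and the entry values are constructed.

```python
import re

# Characters cmd.exe treats specially that the override leaves unescaped
# (its regex only handles '&').
UNESCAPED_META = '|<>^%"'

def strip_port(target):
    # Emulates {T-REPLACE-RX:/{BASE:RMVSCM}/(:\d{3,4}\z)//}; Python spells .NET's \z as \Z.
    return re.sub(r"(:\d{3,4}\Z)", "", target)

def escape_password(password):
    # Emulates {T-REPLACE-RX:!{PASSWORD}!\&!^&!}: every '&' becomes '^&'.
    return password.replace("&", "^&")

def expand_rdp_override(url, username, password):
    # Assumption: RMVSCM turns "rdp:192.168.0.2" into "192.168.0.2".
    target = url.split(":", 1)[1]
    host = strip_port(target)
    pw = escape_password(password)
    return (f'cmd /c "cmdkey /generic:TERMSRV/{host} /user:{username} /pass:{pw}'
            f" && start mstsc /v:{target} && timeout /t 10 /nobreak"
            f' && cmdkey /delete:TERMSRV/{host}"')

def review(url, password):
    """Return the caveats that apply to one entry (URL field and password)."""
    notes = ["password is passed as a cmdkey argument, so it appears in the process command line"]
    host = strip_port(url.split(":", 1)[1])
    if ":" in host:
        notes.append("port not stripped: the regex only matches 3 or 4 digits")
    bad = sorted(set(password) & set(UNESCAPED_META))
    if bad:
        notes.append("unescaped cmd.exe characters in password: " + " ".join(bad))
    return notes

if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    for url, pw in [("rdp:192.168.0.2:3389", "p&ss"), ("rdp:192.168.0.2:50000", 'a|b"c')]:
        print(expand_rdp_override(url, "admin", pw))
        for note in review(url, pw):
            print("  -", note)
```

The first note applies to every entry: process command lines are readable by other processes of the same user and are recorded wherever command-line process auditing is enabled.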

Putty

The default URL setting for PuTTY does not have a password configured for security reasons, and saved profiles cannot be accessed either. If you have saved your PuTTY profiles and want to log in to them automatically, you can implement this by adding the following URL override:

cmd://putty.exe -load {URL:RMVSCM} -l {USERNAME} -pw {PASSWORD}

In the next screenshot, a saved PuTTY session:

Access to it from KeePass is as follows:

Share / UNC paths

To access the share of a server, a URL override can be created with the following content, for example:

cmd://cmd /c "net use {URL:RMVSCM} /user:{USERNAME} {PASSWORD} && explorer {URL:RMVSCM}"

The call via an entry then goes like this:

The simultaneous access from multiple devices

As already mentioned, KeePass can be configured for simultaneous access from multiple devices. For this, of course, the database must be in a location that all devices can access.

First, I tested Google Drive as the central storage for the database. The prerequisite for Google Drive is of course a Google account, which must be specified after the setup. Google Drive and KeePass have their own plugin for synchronization. The database is located on the local hard drive (c:\ ....), and the GoogleSyncPlugin synchronizes changes of the local database version with the version on Google Drive. Alternatively, the synchronization can also be configured using triggers.

It is important to avoid opening the database directly via Google Drive, as entries could possibly be overwritten when using multiple devices. The GoogleSyncPlugin can be downloaded from the following URL: sourceforge.net/projects

The plugin is again unpacked directly into the KeePass plugin directory.

When restarting KeePass, the Google account can be configured for synchronization:

Trigger for synchronization of a KeePass database with Dropbox, Google Drive or any remote storage.

The installation of Dropbox can be started on the following page: https://www.dropbox.com/de/install

To prevent the data from being overwritten by another computer, a local KeePass file should be used and transferred to Dropbox or Google Drive using a trigger, see keepass.info/help/kb. With this setup, the client always uses the local copy and transfers the changes to the remote version when the configured triggers are fired. The file in the remote storage contains all entries and could theoretically be opened directly, but should only be used for synchronization. The database file thus exists several times across the devices in use: each client has its own version, and additionally there is a copy at the cloud storage.

But now to the setup of the triggers. Any name can be used for the creation:

The URL of the open database can be left blank when using only one database. When using multiple databases, the path and filename should be specified, otherwise KeePass will try to synchronize all open databases:

Additionally, the trigger state should be turned off during synchronization:

Now the path to the remote version (Dropbox or Google Drive) must be specified:

And last but not least, the trigger should be enabled again:

With each save operation, the Dropbox version of the database is now automatically synchronized with the local version and thus also works simultaneously from multiple devices.

A network drive, for example, could also be used as a central repository. Triggers offer the possibility to execute various tasks, e.g. a batch command could create a backup copy when saving the database. Examples can be found on the KeePass page.

Import passwords from Google Chrome

If you want to import your passwords from Chrome into KeePass, you can do this by using the option in Google Chrome: “Export passwords” and then importing them into KeePass.

In KeePass: Import File/Data:

Android

On Android, setup is simple: the Keepass2Android app, available in the Google Play Store, provides access to KeePass files from popular protocols and cloud providers. Keepass2Android works with a local copy of the database and synchronizes it on startup, shutdown, or a save operation, similar to a local copy and synchronization on a PC (as described above).

Keepass2Android can be used as an AutoFill service to automatically suggest passwords. To do this, select Keepass2Android in Keepass2Android: Settings, Application, Password Access and Auto-Fill Service.

Alternatively, retrieving a password can be done using “Share ...” and Find Password (KP2A). Passwords can then be used by the Keepass Keyboard (KP2A):

Ubuntu

Installation on Ubuntu is very similar to the setup already described on Windows:

  1. Install KeePass
  2. Copy plugins into the program directory
  3. Install browser plugin
  4. Set up synchronization

The installation is done via package manager: sudo apt-get install keepass2

For Autotype integration the following package is needed: sudo apt-get install xdotool

and a setting under Keyboard:

in KDE under shortcuts: own Shortcuts:

mono /usr/lib/keepass2/KeePass.exe -auto-type

or simply keepass2 -auto-type

Browser integration under Ubuntu

In preparation for browser integration, the keepasshttp plugin must be added:

Download at: https://github.com/pfn/keepasshttp

The file KeePassHttp.plgx has to be copied into the folder /usr/lib/keepass2.

Google Chrome

In Google Chrome the extension chromeIPass can be added, analogous to the setup under Windows:

see: maxolasersquad.blogspot.co.at

Calling web pages from KeePass with a specific browser

It may be necessary to change the browser used for calling a URL. In the following example, URLs are opened in Google Chrome.

Under Options / Integration / URL Overrides:

Synchronization:

Difficult to synchronize automatically on Ubuntu:

The Google Sync plugin was written for Windows: Ubuntu obviously lacks a dot-net component

Triggers:

Triggers were initially only possible for me via a detour, because the GUI crashed when I clicked on “File/URL”. The problem with the GUI crash did not occur again in the recent past. The trigger can easily be created as described under Trigger. If the GUI still crashes at this point, the URL can be entered into the config file with an editor: ~/.config/KeePass/KeePass.config.xml

<TypeGuid>Iq135Bd4Tu2ZtFcdArOtTQ==</TypeGuid>
<Parameter>/home/username/dropbox/test2.kdbx</Parameter>

Alternatively, the local database can of course be synchronized via the GUI after a change:

Dropbox:

Since there is an official Dropbox client for Ubuntu, I recommend using Dropbox and not Google Drive for use on Ubuntu. The Dropbox client can synchronize single files or folders and notices changes to the cloud storage without manual synchronization.

The installation is done via package manager, from the terminal:

sudo apt-get install nautilus-dropbox

Google Drive:

For Google Drive, the gnome-online-accounts package can be used. For synchronization, see Synchronize: Synchronize with File... as described above, or use a trigger.

sudo apt update && sudo apt install gnome-online-accounts

iPhone

For the iPhone there is, for example, the app MiniKeePass. Because I don't own an iPhone, I couldn't test it yet; maybe you can post some experiences.

Mac OS X

For Mac there is, besides the paid applications KyPass or KeePassX 2.0 Alpha 6, also a free application: MacPass, see: mstarke.github.io/MacPass/

Conclusion

As long as there is no better way than passwords to access our various systems, a password manager can provide more security and at the same time more convenience.

Once you've finished setting up KeePass, you'll never want to part with it again. Using a password manager gives a feeling of sovereignty, just try it ...
