ItsGeekToMe.co

Q: Is KeePass safe to use as a password manager?

– Josh L.
Niceville, Florida

A:  I discussed password managers in the column as recently as last month (I.G.T.M. #492 – December 25, 2016), so I won’t waste space in this issue rehashing what password managers are and the benefits of using them.  If you’re interested in learning more, that article and others are available on my website.  Now, if by your question, you meant to ask whether KeePass is a legitimate piece of software, or is it malware, I think you answered your own question with the links you sent me to the KeePass website, and to the Wikipedia article on KeePass. The software obviously exists, and if it was malware, information to that effect would be readily available with a simple Google search.  In fact, KeePass is open source, meaning anyone can obtain and analyze the source code to make sure that the program does what it says it is going to do, and doesn’t do anything you don’t want it to do. 

So, having established that the software is legitimate, the question becomes whether it is safe to use for its intended purpose.  Way back when I first started learning about password managers, my first thought was that the whole concept was something of a violation of the old adage against putting all your eggs in one basket.  In other words, if a hacker somehow gets access to your password manager, he suddenly has the keys to the entire kingdom, rather than being able to unlock a single door.  But if you think about it, the same can be said for all methods one might use to manage the multitude of passwords we need to juggle these days.  That would include the most common one, which is simply using the same password everywhere so you only have to remember one (which is a terrible idea, by the way).  It is because of this threat that password managers need to be extra good at protecting your information, and KeePass does use some very advanced algorithms and techniques, including (according to their own web page) “the best and most secure encryption algorithms currently known (AES and Twofish)”.  Their website talks about the security in greater detail, explaining that “SHA-256 is used as password hash.  SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms.” So what?  Sounds like a lot of technical mumbo-jumbo.  Well, it also says that “no [successful] attacks are known yet against SHA-256”.  In simpler terms, and to use the analogy above, that makes KeePass one extremely rugged basket in which to put your eggs.  Still, hackers are good at what they do, and they seek out vulnerabilities in their targets.  So, since the front door is essentially hack-proof, they look for other means of entry.  I found a story from 2015 where KeePass announced a vulnerability in their software that entailed hackers sending fake software updates containing malware.  This has since been fixed, but it does demonstrate that chinks that are present in the armor.

I’ve tried to be comprehensive in my discussion of what was essentially a simple question.  My bottom line answer is simple: yes, it is safe to use for its intended purpose.  You certainly can’t beat the price, as it is free.  As a software engineer myself, I would hope that anyone who benefits from it would want to give a little something back for the authors’ efforts in making the world of computing a little safer.

 • • •

Attention Readers:  Perhaps you’ve been putting off writing-in through the busy holiday season.  Perhaps you’re like the writer of one of one recently-answered question, who let the problem go on for two years before writing in.  Well, if you have an issue for me, now is the time to send it in, as my question queue is running a little low.  Asking is simple – there is a small form to fill-out on my website, after a quick, free registration.