Executive Summary:

KeePass is a lightweight, open-source password manager or safe.
This password manager encrypts your passwords for storage in a database "vault."
Portable password management options include saving KeePass to a USB flash drive for use on public computers.
KeePass helps you create strong, secure passwords by using random password-seeding techniques.

As a security administrator, you might have to keep track of passwords to many different systems, but storing them in a spreadsheet or simple database isn't the most secure solution. A better alternative is a password manager or safe, which securely stores passwords in a separate, encrypted file. KeePass Password Safe is an open-source password manager that's feature-rich, multiplatform, and easy to use. Let's take a look at how KeePass works and how to get started using it—you might decide that this is a tool well worth having.

How KeePass Works
Certain OSs such as Windows Vista and Mac OS X include features to remember passwords, and OS- or application-based password safes generally remember the context-based user credentials (such as a password in a Web browser) on that computer. However, KeePass goes beyond just remembering the passwords that you frequently use. It’s a lightweight program that lets you securely store access credentials for lookup when needed. Think of it as a vault for storing all sorts of different passwords and related information such as a username, the name of a Web site, and even an attachment.

KeePass stores sensitive information in a single database file encrypted by using the highly secure Advanced Encryption Standard (AES) and Twofish algorithms. KeePass keeps passwords encrypted while they're used in memory, so if your OS caches memory to disk, your passwords remain encrypted. The program also includes a secure mechanism for creating random, strong passwords from a seed you generate by creating random input such as wiggling a mouse or pressing keys. This process helps to ensure a truly random password. These types of security mechanisms are a testament to the KeePass development team's emphasis on security.

KeePass is open source and the KeePass development team invites users (or critics) to inspect the program's code to confirm that the security algorithms and features are coded properly. This exposure to scrutiny—not possible with closed or proprietary software—also helps reduce the possibility of vulnerabilities due to coding errors.

Getting Started with KeePass
Download the KeePass installation package or C++ source code from the KeePass Web site (http://www.keepass.info). I tested KeePass 1.06. The entire application is contained within a single executable file, keepass.exe. The installer package includes a Help file and completes common installation tasks such as copying keepass.exe into All Programs and adding the program's icon to the desktop.

KeePass ports and builds are also available for Pocket PC, Linux, Mac OS X, and Palm OS. You can download a portable version so that if you launch it on a public computer by using a USB flash drive, CD-ROM, or other mobile media, it won’t leave sensitive files or data behind on that computer. The program also supports third-party plug-ins and extensions. Some plug-ins let you import data into KeePass from a variety of other password safes or back up your KeePass database at regular intervals, such as when you open or exit the program. Note that adding third-party software to KeePass introduces new code and functionality, which could contain vulnerabilities, spyware, or other malicious software, so make sure you trust the plug-ins that you add. If you use another password vault or store your passwords in a text file or spreadsheet, KeePass lets you import passwords using comma-separated value (CSV) or XML files.

The first time you open KeePass, click File, New to create a new password storage database. Next, create your master key. The master key decrypts your database, so choose a master password that you’ll remember and that's appropriately secure to you. If you forget this password, your data will be forever encrypted and effectively lost. You can also specify a certificate located on a drive, such as a USB drive, for two-factor authentication. When enabled, for example, KeePass might require that you type in a password and insert a USB drive containing a key file, which are both used to decrypt your database. Ultimately, your decision whether to use the certificate option or multifactor authentication will depend on the sensitivity of your data and your need to access it easily.

Figure 1 shows the KeePass UI, which is intuitive to use. The left pane shows a hierarchy of password groups that you can create to suit your organization. For example, you can separate finance server passwords from Help desk passwords, or one domain from another. Organizing password groups makes it easy to browse to an item and also search for a title, URL, note, or other information. Just type the username, site name, or note keyword to search your vault for matching records. The right pane shows the members of a password group, and the bottom pane shows details about the selected item—in this example, details about the Administrator password record. Double-click a password record entry to open the Edit Entry window, which Figure 2 shows, where you can view and edit that record's properties. By default, the password isn't visible and remains secure; however, you can double-click the password to copy it to the clipboard for easy insertion into a logon password field, or click the button that resembles an ellipsis (…) to reveal the password in clear text.

Too Good to Pass Up
Overall, the program's features are well thought out, very robust, and easy to use. The availability of the source code, the fact that KeePass is free, and its extensibility through plug-ins make the program too good to pass up as a secure, easy-to-use method for storing sensitive information.