KeePass password manager review

KeePass is great -- if you're technically skilled

Our Verdict

The free and open-source KeePass isn't for everyone, but if you're willing to put in some effort, it's one of the most powerful password managers out there.

For

  • Completely free & open-source
  • Extensive plugin support
  • Gives you full control of your data

Against

  • Outdated design will be unintuitive to many users
  • Requires plugins for many standard features
  • Third-party Android, iOS apps

KeePass specs

Platforms: Windows, Mac, Linux; unofficial Android, iOS and Chrome OS ports
Free-version limitations: None; it's all free
2FA: Via plug-ins
Browser plugins: Third-party extensions for Chrome, Firefox, Internet Explorer, Opera, Safari
Form filling: Yes
Mobile PIN unlock: Depends on app
Biometric login: Via plug-ins
Killer feature: Infinitely customizable

The free and open-source password manager KeePass has been around since 2003 and offers a huge number of customization options, as long as you're willing to put up with a bit of a learning curve. 

You probably won't need to worry about it disappearing anytime soon, despite the fact that it is free software. It's the best password manager option if you want to maintain complete control of your data.

KeePass' core version is missing a number of features when compared to the strongest offerings out there like Keeper, LastPass or Dashlane, although the many third-party plug-ins made for the service help fill in the gaps. The question is whether it is worth saving $35 to $60 per year.

As you'll see in our KeePass review, if you want a solution that you can just sign into and basically never have to worry about, then KeePass isn't for you. But if you don't mind spending some time to learn and manage a very powerful application, you can do a lot with KeePass.

KeePass: Costs and what's covered

KeePass is the only password manager I've tested that is completely free to use. It's also open-source software, meaning anyone can volunteer to help develop it. KeePass' lead developer, Dominik Reichl, has a donation link on the official KeePass website to help support continued development, but that won't unlock additional functionality – you've already got access to everything.

The tradeoffs are that KeePass lacks the polished user interface of other password managers, and that you'll need to be comfortable tinkering with plugins and extensions to get the most out of KeePass.

That includes finding an online storage solution, such as Dropbox or Google Drive, to host your password database if you want to sync your KeePass vault between your devices using the internet.

The core KeePass desktop application supports password generation and management, syncing via local hard disks or network shares, auto-type form-filling and auto-type hot-key form filling. To unlock the full power of KeePass, you really need to install plugins and extensions.

I tested the "2.x" version of KeePass, which has a rich set of features and can be installed on platforms beyond Windows. KeePass also still develops the "1.x" version, which is simpler, Windows-only and uses a different codebase.

KeePass 2.x officially supports Windows Vista and later, macOS and Linux. However, if you visit the downloads page for KeePass you will see more than 30 additional versions of KeePass that extend support to Android, iOS, BlackBerry, Chrome OS, PocketPC, J2ME and browser-based solutions. Browser extension plug-ins are available for Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Apple Safari and Opera.

For this review, I used KeePass on a 2017 MacBook Pro 15 running Windows 10 and macOS 10.14 Mojave, an iPhone 7 Plus, and a Google Pixel 3. Google Chrome was my primary browser across all platforms but testing on macOS and iOS was also done with Safari.

KeePass: Setup

Your first step is a visit to the KeePass downloads page. If you are running Windows Vista, 7, 8, 8.1 or 10, then this will be smooth sailing. Just hit the Download Now link on the Installer for Windows, and you'll have a choice between the 1.x and 2.x development streams.

MacOS and Linux are officially supported, but installing KeePass requires installing the supplemental platforms Mono and XQuartz and a bit more tinkering right off the bat. You'll need to download a KeePass version on the "2.x" development path.

If you are on any other platform, scroll down to the "Contributed/Unofficial" KeePass Ports and KeePass Packages sections to find your OS. You can also opt for KeePass Portable, a version that can be installed on a USB stick and plugged into a PC, Mac or Linux box.

To say that things look sparse when you first launch KeePass is an understatement. It's a basic utility framework with nothing in it. Virtually every option is greyed out until you create your database by clicking File > New, which is when you'll be prompted to create a master password, create a key file or use your Windows user account. If you opt for the key file, you will install the file on a USB drive and will need to plug in the drive when accessing KeePass. 

If you would like a full walkthrough, KeePass does have a pretty solid "First Steps Tutorial." 

Now, return to the File menu to import any passwords you may have stored with another password manager or in your browser. It's a safe bet that KeePass can import whatever you have, as KeePass has the longest list of supported services and browsers for import that I have seen.

If you don't see your service in the built-in import options, it's a safe bet there's a plugin for it. I imported data from the Chrome browser's built-in password manager and it worked perfectly.

If you want KeePass to sync your passwords across your various devices, you'll need to determine which cloud service or personal server you are going to use. Support for a number of cloud-syncing services, including Dropbox, Google Drive and Microsoft's OneDrive, is available via plugins.

Finally, you will want to install one of the unofficial mobile apps. Check the downloads page or search the iOS and Android app stores for KeePass, and you will find several choices. I opted for Keepass2Android Password Safe on Android and Strongbox on iOS.

KeePass on the desktop

KeePass is functionally solid, but you definitely get what you pay for with the user interface and experience. While some other password managers, such as 1Password, have a bit of a utility feel to them, KeePass feels like a utility from the late '90s. 

The core KeePass application offers just the password-manager basics. I'll cover that here and will address plugins in a later section.

The KeePass desktop interface looks like a standard file-manager window, with your database(s) on the left and the data on the right. 

You can create groups to sort your login information. By default, the application creates General, Windows, Network, Internet, eMail and Homebanking. You can drag and drop any set of credentials into any group and you can create, edit and delete groups. 

To create a new entry, either type "Control + I" or tap the icon of the key with a green download arrow on it. Entries are highly customizable – you can create a title, an icon, custom foreground and background colors, tags, URLs to specify which browser should open them and auto-type settings to handle sites with non-standard forms. You don't need to customize anything, but the fact that you can is just one example of the flexibility of this very simple-looking app.

By default, new entries automatically self-populate with a new password 20 characters in length. Tap on the key with the sun next to it to see additional password options or to jump into the full password generator.

The password generator gives you a ridiculous degree of control, with nine option toggles for different types of characters to include, the ability to exclude any specific characters you like, control over the length with no apparent upper limit and the ability to bring in custom password-generation algorithms.

KeePass doesn't integrate with your browser to capture login credentials as you create or update them. Hopefully, you should be able to import your existing passwords during setup, as adding new credentials must be done manually. You have to open a new entry as you log into an account, and then copy and paste the username and password into the entry form.

KeePass can natively sync your other devices using local network shares or the internet protocols FTP, HTTP and WebDAV. Plug-ins extend support to secure copy protocol (SCP), the FTP secure extensions SFTP and FTPS, and to well-known online storage providers such as Amazon AWS S3, Box, Dropbox, Google Drive and OneDrive.

I chose KeeAnywhere, which was both the most recently updated and most comprehensive of the available sync plugins. Once KeeAnywhere was installed, I transferred my database over to a cloud drive and then selected File > Open > Open from Cloud Drive to be up and running with my remote-syncing KeePass database.

To install a KeePass plugin, just open the Tools menu and select Plugins. Click "Get More Plugins" and then download and unzip whatever you wish to install.

Now return to the Plugins menu, click Open Folder and drag-and-drop the extracted folder into the Plugins folder for KeePass. Restart KeePass and your plugin will be operational.

As with most aspects of KeePass, it takes a few steps to achieve this, but everything worked as advertised once I got a handle on it.

KeePass mobile apps

There are no official mobile apps for KeePass, but I'll discuss two unofficial ports for Android and iOS.

Keepass2Android is one of the most popular Android options available and follows Google's Material Design template. I wasn't sure what to expect, but it actually adds some functionality to the core KeePass experience. Cloud syncing is built-in, with support for most major cloud-storage solutions, and I quickly and easily added my database from Google Drive.

Keepass2Android's main screen presents a very basic list of your login groups. Tapping a group displays the included accounts, with the URL and username for each. Tapping an account brings up a bit more information, and from there you can edit the entry with all the options found in the full app.

One nice touch: Keepass2Android has templates for new entries beyond just logins, such as credit cards, ID cards and secure notes. That's something the core KeePass application lacks, and which would greatly expand its utility and ease of use.

If you are on Android 8.0 or later, Keepass2Android will support form filling if you install a separate plugin from outside the Play Store, which might be a step too far for many users. I did run the plugin, which is written by Keepass2Android's developer, to confirm that it worked.

While Keepass2Android is a completely basic Android app, it looks more modern than some other password managers' apps. Critically, it did what it needed to do.

Turning to iOS, I went with Strongbox, which like Keepass2Android is free. There are quite a few KeePass-compatible options in the App Store, including some paid ones and an interesting option called KeePassium that was just entering beta during my testing, so it's worth looking them all over.

What I primarily needed was support for cloud syncing, which Strongbox offers. I simply had to indicate that I wanted to access an existing database. Then I selected Google Drive and signed into my Google account, and all of my data was imported and syncing. 

The icons are a bit prettier in Strongbox than in Keepass2Android, but overall Strongbox remains a bare experience. The main screen is just your KeePass database listing your categories and a search box above them. The categories and logins are all in list views; there are no grid or website-logo displays as with some of the nicer password-manager mobile apps.

There isn't a lot of extra functionality baked into Strongbox, but you can access, edit and create new items in your database. The password generator supports up to 88 characters and has nearly as many options as the core KeePass app. While the app claims that form-filling is supported on Safari, I was unable to get that feature to work. 

Strongbox covers the basics in terms of giving you access to your KeePass database on your iOS device, but I would take a look at one of the paid apps or the new KeePassium app to see if one of them delivers a few more features.

KeePass plugins and extensions

There are more than 100 KeePass plugins and extensions that can add functions and transform the looks of the application. I'm going to highlight only a few, but the plugins and extensions page on the KeePass site has the complete list.

Just be sure to check the dates on plugins before you install them. I ran into a few that hadn't been updated in three or more years, which is a risk you run with open-source software.
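One way to act on that advice is to inventory an unzipped plugin download, or the Plugins folder itself, before trusting what is in it. This added example, which is not from KeePass or the original review, lists each plugin file with its SHA-256 hash and age and flags anything past the three-year mark; the function names are hypothetical, and file modification time is assumed to approximate the plugin's release date.

```python
import hashlib
import time
from pathlib import Path

PLUGIN_SUFFIXES = {".plgx", ".dll"}   # KeePass 2.x plugin file types
STALE_AFTER_DAYS = 3 * 365            # the three-year mark mentioned above


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_plugins(folder, now=None, stale_after_days=STALE_AFTER_DAYS):
    """Return one record per plugin file found under `folder`, oldest first.

    Age comes from the file's modification time, which is only a proxy for
    the release date (assumption: unzipping kept the archive's timestamps).
    Confirm the real date on the plugin's own page.
    """
    root = Path(folder)
    now = time.time() if now is None else now
    records = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PLUGIN_SUFFIXES:
            continue
        age_days = int((now - path.stat().st_mtime) // 86400)
        records.append({
            "file": str(path.relative_to(root)),
            "sha256": sha256_of(path),   # compare with a hash the author publishes
            "age_days": age_days,
            "stale": age_days >= stale_after_days,
        })
    return sorted(records, key=lambda r: r["age_days"], reverse=True)


if __name__ == "__main__":
    import sys
    for rec in audit_plugins(sys.argv[1]):
        flag = "STALE" if rec["stale"] else "ok"
        print(f'{flag:5} {rec["age_days"]:5}d {rec["sha256"]} {rec["file"]}')
```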

The official plugins page breaks things up into 11 categories, which should give you some idea of what can be done with KeePass: I/O & Synchronization, Backup, Utilities, Integration & Transfer, Cryptography & Key Providers, Import, Export, Import & Export, Automation & Scripting, Resources and For Developers.

Some plugins, such as KeeForm, ChromeIPass or PassIFox, enable form-filling of your usernames and passwords -- a must-have feature for paid password managers that is missing from the core KeePass experience.

KeePassWinHello, as you might guess, adds support for Windows Hello biometric logins to unlock your KeePass database. There are also KeeOtp and Tray TOTP, which add support for two-factor authentication via time-based one-time passwords (TOTP).

The HaveIBeenPwned plugin checks your saved usernames and passwords against the well-known HaveIBeenPwned database of credentials compromised in data breaches. It's not as extensive as some of the breach-scanning features available with the paid versions of Keeper or Dashlane, but it's free.

KeePass: Security

KeePass relies on AES-256 encryption to secure its password database, like most other password managers. While KeePass defaults to an AES/Rijndael (256-bit key, FIPS 197) algorithm, you can change it to a ChaCha20 (256-bit key, RFC 7539) algorithm in the database settings.

Even if your database should be obtained by someone else, it should remain safe, as your files can be decrypted only on your device.

As KeePass makes you responsible for your own database, this flexible security is perhaps even more comforting for those who host their own databases online and sync to multiple devices.

Another option available is to use an AES-KDF or Argon2 key derivation to transform your master key and make it more difficult to crack. This may increase save/load times for your database, however.
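The trade-off between unlock time and cracking resistance can be put in numbers. This added example (not KeePass code and not from the original review) uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for AES-KDF or Argon2; the function names are hypothetical, and it assumes each attacker guess costs the same as one unlock on your machine.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch the master password into a 256-bit key.

    PBKDF2-HMAC-SHA256 is a stand-in: KeePass offers AES-KDF and Argon2,
    neither of which ships in Python's standard library.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, rounds)


def seconds_per_derivation(rounds: int, samples: int = 3) -> float:
    """Measure what one unlock costs on this machine (best of `samples`)."""
    salt = os.urandom(32)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("constructed sample passphrase", salt, rounds)
        best = min(best, time.perf_counter() - start)
    return best


def rounds_for_delay(target_seconds: float, probe_rounds: int = 50_000) -> int:
    """Pick a round count whose unlock delay is roughly `target_seconds`."""
    per_round = seconds_per_derivation(probe_rounds) / probe_rounds
    return max(1, int(target_seconds / per_round))


def average_crack_years(entropy_bits: float, secs_per_guess: float, guessers: int = 1) -> float:
    """Expected offline search time: half the keyspace, one derivation per guess.

    Assumption: every parallel guesser is as fast as the machine measured.
    """
    guesses = 2 ** entropy_bits / 2
    return guesses * secs_per_guess / guessers / SECONDS_PER_YEAR


if __name__ == "__main__":
    for rounds in (60_000, 600_000, 6_000_000):
        cost = seconds_per_derivation(rounds, samples=1)
        years = average_crack_years(40, cost, guessers=1000)
        print(f"{rounds:>9} rounds: {cost:.3f}s per unlock, "
              f"{years:.1f} years for a 40-bit password at 1,000 guessers")
```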

KeePass lacks native support for common two-factor-authentication options, but there are plug-in options for 2FA via TOTP, another that supports YubiKey and a couple that offer RFID or NFC support.

KeePass review: Bottom line

KeePass is definitely not for the average user. It simply requires too much work and potential frustration to get everything up and running. Most users want a password manager that does most of the work of managing passwords, and solutions like LastPass or Keeper would be much better fits.

With that said, if you enjoy the process of customizing and working with your software, the core KeePass application is solid. And with the right collection of plugins, you can build it up into a product that gets reasonably close to the features of the high-end options, all without having to pay a dime.