Community cybersecurity – Lockself, how to start with Keepass?

How to start with KeePass


LOCKSELF at the service of communities

Metropolises, cities, agglomeration communities: whatever their size and scope of action, communities are also highly exposed to cyber risk because of their many interactions with the citizens and companies in their territory.

A digital safe certified by ANSSI

ANSSI CSPN certification

Issued by the French National Agency for the Security of Information Systems (ANSSI), CSPN certification is a prerequisite for communities seeking to secure their agents' uses and data sharing, both internally and externally.

Serving the pooling of information systems

Centralized management of data and users, interconnection with business directories, integration into employees' work environments via browser and email plugins (Outlook/Office 365): the LockSelf suite fits into the IS harmonization work under way within communities and public administrations.

A “collaborative” keepass

Widely deployed within the IT departments of communities, KeePass has limitations when it comes to sharing passwords, multi-device accessibility and synchronization, areas where LockPass provides solid guarantees through a simple interface accessible to all business departments.

Referenced on the Ugap multi-publisher market

The reference purchasing platform for public-sector actors, which streamlines the implementation of projects.

Metropolises trust Lockself tools

They chose Lockself

Tours Métropole teams its automation center

The aim of deploying the LockPass solution within the community is to set up centralized password management in order to reduce bad practices and secure access to the core applications of the automation centre.


Communities equip themselves against cyber threats

They chose Lockself

LockPass for the Porte du Hainaut agglomeration community (Nord)

Since 2019, the agglomeration community has been using the LockPass safe for its teams.

ANSSI certification and the possibility of on-premises hosting are among the key characteristics that convinced the IT department to adopt the centralized LockPass manager.

How to start with KeePass?

Vincent Hermann

Password management is a security issue, so we offer you a tutorial for KeePass, the only password manager certified by ANSSI to date. It also has the merit of being open source (GPL v2 license) and free of charge.

If we insist so much on managers, it is because they greatly simplify the storage and use of passwords. At least, as long as you apply the recommendations on how to create them, because if you use the same password on every account, you can hardly make things simpler ... or more dangerous.

And for good reason: it only takes attackers guessing the password once, or one of the services suffering a data leak, for all your accounts to become accessible. The recommendations are therefore to use passwords of at least 12 characters including uppercase letters, lowercase letters, digits and special characters, and to have a different one for each account you want to protect.

This is where managers come into play: they create strong, random passwords according to the defined criteria, store them, and return them when needed. They are protected by a master password, which must be robust and which you must remember (and above all never reuse). Even if features vary from one solution to another (and between the free and paid tiers of some), this core is common to all of them.

KeePass was one of the managers we tested in a series of articles a few years ago. This small piece of software is known for its robustness, its lightness and its ANSSI certification. It is not as easy to get to grips with as an integrated, synchronized solution like 1Password, Bitwarden or Dashlane, but it is preferred by people who want fine control over what happens to their credentials and data.

We explain how to use it.

Installation and start-up

To install KeePass, simply go to the official website and download the executable for your system. Note that the software is written in C# on a .NET basis. It can run on macOS and any Linux distribution, provided Mono is installed; we will come back to this at the end of the article. Here we use KeePass on Windows, but the features are strictly identical on other platforms.

Once installation is complete, launch the application, which opens empty. The original version is in English. To switch it to French, go to View > Change Language. Click “Get More Languages” at the bottom left of the window, which opens a web page listing the available languages; download the one you want. Then, still in the same window, click “Open Folder” and move the file contained in the downloaded archive into the folder that opens. Changing the language restarts KeePass.


Then move on to creating the database. Click File > New. A window explains what will happen: your data will be saved in a database in KeePass format, stored in a location of your choosing. As you can imagine, this file is very precious, so you must make sure not only that it is stored in a safe place, but also that you regularly make one or more backup copies of it.


Then comes the choice of the password. As with a competing service, the choice of this key is essential: it must be long and complex and follow all the advice given above, as it will be used to encrypt the database. Clicking “Show expert options” reveals two options that can be used to strengthen the security of the database. The first lets you add a key file, which will then always be required to unlock it. Security increases, but be aware that if you lose the file or it is modified, it will no longer be accepted.


The other option ties the key to the Windows user account. This means the database can only be opened from that account, on that computer. KeePass warns of the danger and provides a link to further explanations: if the account becomes inaccessible for any reason, the database becomes unusable, and recreating an account with the same username and password is not enough; you have to be able to restore a complete backup, including the SID. Note too that if you plan to synchronize the database to use it on other devices (which is probably the case), it is better not to check this option, as it rules that out.

Once validated, this window gives way to another that invites you to name the database. You can also add a description, which is practical if you plan to use several. The following tabs let you configure the database more finely. For example, you can change the number of iterations used for key derivation (via the AES-KDF function). This value adds a substantial workload for anyone who obtains a copy of the database and tries to attack it.

The default value is 60,000. It can be increased without problem, which further strengthens security, but be aware that it also means more intensive computation on the local device. The “Test” button lets you measure the result for a given value. A simple approach is to click “1 second delay”: KeePass then computes the number of iterations it can perform in that interval, which also represents the time it will take to open the database or save changes. The value obtained depends on the power of the machine.

We advise you not to touch the other default values, which suit most usage scenarios, unless of course you have specific needs and know what you are doing.
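To make the iteration setting concrete, here is an added example in Go (not KeePass's own code): it reimplements the AES-KDF transformation as the article describes it, and a calibrator that, like KeePass's one-second test button, counts how many rounds fit in a given time on this machine. The transform seed and master password are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"fmt"
	"time"
)

// AesKdf applies the KeePass 2.x AES-KDF transformation: the 32-byte composite
// key is AES-256-ECB encrypted (two 16-byte blocks) under the database's transform
// seed `rounds` times, then hashed with SHA-256. Added illustration, not KeePass code.
func AesKdf(transformSeed, compositeKey []byte, rounds uint64) ([32]byte, error) {
	if len(transformSeed) != 32 || len(compositeKey) != 32 {
		return [32]byte{}, fmt.Errorf("seed and key must both be 32 bytes")
	}
	block, err := aes.NewCipher(transformSeed)
	if err != nil {
		return [32]byte{}, err
	}
	key := make([]byte, 32)
	copy(key, compositeKey)
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(key[:16], key[:16]) // in-place ECB on each half
		block.Encrypt(key[16:], key[16:])
	}
	return sha256.Sum256(key), nil
}

// CalibrateRounds mirrors the "1 second delay" button: it counts how many rounds
// this machine completes within d; opening or saving with that count takes about d.
func CalibrateRounds(d time.Duration) uint64 {
	block, _ := aes.NewCipher(make([]byte, 32)) // zero seed: speed is seed-independent
	key := make([]byte, 32)
	const batch = 10000
	var rounds uint64
	start := time.Now()
	for time.Since(start) < d {
		for i := 0; i < batch; i++ {
			block.Encrypt(key[:16], key[:16])
			block.Encrypt(key[16:], key[16:])
		}
		rounds += batch
	}
	return rounds
}

func main() {
	seed := []byte("constructed-transform-seed-32-by") // constructed 32-byte sample
	comp := sha256.Sum256([]byte("constructed sample master password"))
	t := time.Now()
	k, _ := AesKdf(seed, comp[:], 60000) // the article's default iteration count
	fmt.Printf("60000 rounds: key=%x... took %v\n", k[:4], time.Since(t))
	fmt.Println("rounds that fit in one second:", CalibrateRounds(time.Second))
}
```

Raising the count multiplies the attacker's cost per guess and your own unlock time by the same factor, which is why the calibrator reports the time-bound figure.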

Import your data and fill your database

This is probably a key step if you already use a manager, even if it is the one built into a browser. If you use a competitor such as Bitwarden, LastPass, 1Password or Dashlane, all offer a data export function, and KeePass handles many formats.


In the example above, you can see data exported from Bitwarden (via Settings > Export vault) to a JSON file and imported into KeePass (File > Import). In this case, the folders are preserved. If you go through a CSV file, they will not be.

Examining the list in the import window shows that KeePass supports many scenarios. For browsers, only Chrome and Firefox are officially covered, as well as the Password Export extension. However, higher in the list, KeePass offers a “Generic CSV Importer” that can be used for other data.


We tested it with Edge. As you can see in the screenshot, we had to tweak a few import options, because each program has its own way of filling the CSV. In Microsoft's browser, the data appears in this order: title, address, username, password. That was not the default order proposed by KeePass, so we changed it in the Structure tab. You will therefore need to adapt this mapping to the layout of the information, which KeePass displays in raw form at the start.


Note that KeePass can itself export its data in several formats, such as CSV, HTML or XML. It can even create an HTML file dedicated to Firefox.

As for filling the database, a new entry is added either via the Entry menu > Add Entry, via the yellow-and-green button in the toolbar, or with the keyboard shortcut Ctrl+I. You are then invited to enter a title, a username, a password, a URL and, optionally, some notes.

The password generated by default is 20 characters long, but only includes uppercase and lowercase letters. To change how passwords are generated, click the small icon next to the Repeat field. In the panel, we recommend enabling digits, special characters and brackets. It is even possible to add specific characters that do not belong to these categories. You can also change the password length.


As soon as the settings are accepted, the password generated in the new entry is automatically regenerated. Above all, KeePass remembers these settings for subsequent entries. After validation, the new entry is simply added to the database.

Daily handling

If you only use KeePass on its own, daily use may seem a little rigid. The application does not integrate into browsers, so there is no automatic filling of fields on login forms. Nor does it suggest passwords when you sign up, and KeePass does not detect new passwords to offer to save them.

The classic approach is to double-click the username or password to copy it to the clipboard, then paste it into the form. KeePass adds a safeguard here: the data only stays in the clipboard for 12 seconds (by default), after which it is cleared.

The software does, however, provide a more practical means: a keyboard shortcut. Go to Options, then to the Integration tab. There you will see a line called “Auto-Type selected entry”. Define a shortcut, which will do exactly that: the selected entry will type its username and password into the form and then submit the login.

You may have noticed in this panel a “Global auto-type” line, with the shortcut Ctrl+Alt+A. If we did not mention it first, it is because this shortcut does not always work: depending on the site, it sometimes does its job and sometimes not. Auto-typing the selected entry, on the other hand, works every time ... except in one case. For some time now, some sites have had the unfortunate habit of asking for the username first, and only then the password. That process requires using the password manager several times, whatever manager it is.


Two other shortcuts prove handy on a daily basis: Ctrl+Alt+K to bring KeePass to the foreground, and Esc to lock the software, after which the master key is required to access the information again. All keyboard shortcuts can be modified.

In the Advanced options tab, KeePass's behaviour can also be changed, and some settings are very useful. For example, you can have the application always start minimized and locked, automatically save the database on closing, or automatically look for the key file on removable drives. In the Integration tab, KeePass can be set to open automatically with the Windows session.

As for the Interface 1 and 2 tabs, they let you personalize the look of the application (slightly) and change its behaviour in certain cases, such as minimizing to the notification area rather than the taskbar, automatically sending KeePass to the background after double-clicking a line to copy its data to the clipboard, or minimizing the application rather than closing it when you click the close button.

What about mobile?

For most people, being able to retrieve your passwords on a mobile device is not optional. And for good reason: creating a strong, random password for each account, service and application is a crucial element of security, but it falls flat if you cannot access it on your smartphone, at least in a practical way. We must avoid the scenario where the password has to be typed by hand while reading it off the computer.

KeePass is not a synchronized application; the database is saved locally. It is therefore up to the user to find a way. The most obvious solution is to store the database on a cloud drive, which then links all your devices. Functionally, the solution is viable and easy. It all depends on the trust you place in the provider, however. The database is encrypted, but most cloud drives are not end-to-end encrypted, meaning the provider has access to the encrypted data. Unless you turn to an end-to-end solution such as Proton Drive.

The other solutions almost all involve self-hosting. Do you have a server or a NAS connected to the Internet? That is a good way to make your KeePass database accessible to your other devices; it is also how the self-hosted version of Bitwarden works. In all cases, make sure the security of this device is fully ensured, because the shared data is very sensitive, even if, again, the database is protected by strong encryption.

Mobile use also depends on the application used, because there is no official KeePass app. On the other hand, since its code is open source and a library exists, many mobile versions have appeared on both Android and iOS. Everyone will have their own preference between the features offered, the interface and the rest. One specific point deserves your attention, however: check that the application can inject credentials into other apps and web forms. Some do not and simply give access to the information, which then has to be copied and pasted. Most offer it, but many reserve it for their paid subscription.

Extensions and plugins

Likewise, there are no official browser extensions. There are, however, plenty of third-party extensions that can link to the software. We advise you to take the time to examine them and find the one you need, because such an extension, like the mobile app, will greatly simplify your daily use by avoiding round trips to the software. An important point: they all require the KeePassHttp plugin to work.

Speaking of plugins, there are many, very many, covering a wide variety of usage scenarios. A page on the official KeePass website gives an idea of the scale: there are plugins for everything and anything, and there is a good chance you will find exactly what you are looking for, provided you are comfortable enough in English, as none of the descriptions are in French.

These plugins are one of KeePass's biggest strengths, as they long were for Firefox before all browsers followed. Among this mountain of plugins you will find capabilities such as imports from many other sources, intercepting addresses in the browser, exposing the database over a local address, opening BitLocker volumes, theme management, interfaces for specific authentication systems such as SAP's, management of security keys over Bluetooth, automatic mounting/unmounting of TrueCrypt or VeraCrypt volumes, and so on.

A final word on alternative software. The best known is undoubtedly KeePassXC, which has two big advantages. First, a much more pleasant interface, as it is less austere. Second, its code is native and therefore does not need .NET, which also holds on other platforms. It therefore benefits in performance (even if KeePass remains very light software) and does not require an additional component (Mono). KeePassXC does not, however, support KeePass plugins, although the development team includes a number of features that plugins otherwise provide. Another difference: the ANSSI certification applies only to KeePass, not to its “offspring”.

This article has been written to be as neutral as possible, without referring to specific solutions. Above all, it is about KeePass, even if KeePassXC is mentioned, because its popularity is as great as that of the software it is a distant fork of. So do not hesitate to share in the comments how you have rounded out your daily use of KeePass.
