I've saved my options, but when I reopen KeePass I get the old options. What's wrong?
KeePass supports two different locations for storing configuration information: the global configuration file in the KeePass directory and a local, user-dependent one in the user's private configuration folder. Most likely you do not have write access to your global configuration file.
For more details, see Configuration.
Why doesn't KeePass 2.x run on my computer?
Symptoms: When trying to run KeePass 2.x on Windows ≤ XP,
an error message like the following is displayed:
Cause: KeePass 2.x requires Microsoft .NET Framework ≥ 2.0.
Resolution: Install Microsoft .NET Framework 2.0 or higher. It is available as a free download from the Microsoft website: Microsoft .NET Framework download. Alternatively, you can install it through Windows Update (the framework is an optional component).
KeePass 1.x does not require this framework.
Why does KeePass 2.x crash when starting it from a network drive/share?
Symptoms: When trying to run KeePass 2.x from a network drive/share,
you get an error message like the following:
Cause: The strict default security policy by the Microsoft .NET Framework disallows running .NET applications from a network drive/share.
Recommended resolution: Copy/install KeePass 2.x onto a local hard disk, and run the copy.
Alternative, not recommended resolution: Configure the security policy to allow running .NET applications from network drives/shares. Ask your administrator to do this (administrative rights are required). If you have administrative rights and want to do it yourself, you can use the Code Access Security Policy Tool (Caspol.exe) that ships with the .NET framework (helpful instructions can be found here and here).
Why does KeePass 2.x show a FIPS compliance error at startup?
Symptoms: When trying to run KeePass 2.x,
you get an error message like the following:
Cause: KeePass uses the AES/Rijndael encryption and SHA-256 hashing algorithms, for which the Microsoft .NET Framework provides implementations. These implementations might not be FIPS compliant. If the local security policy of the system enforces the usage of FIPS compliant implementations, KeePass cannot run and shows an error message.
Resolution: Configure the local security policy of the system to allow FIPS non-compliant algorithm implementations. To do this, go to Control Panel -> Administrative Tools -> Local Security Policy, open Local Policies -> Security Options, and change the option 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Disabled'.
Alternative resolution: Download and run the following Windows registry file: FipsDisable.reg. By running this file (i.e. importing the modifications in this file into the registry), FIPS compliance enforcement is disabled.
Note: Currently only weaker cryptographic algorithms in the Microsoft .NET Framework are FIPS compliant. As security is the top priority for the KeePass project, an option to use these weaker FIPS compliant algorithms will not be added. Future .NET frameworks might have FIPS compliant implementations of the algorithms that KeePass requires.
Why doesn't the CHM help file work?
Symptoms: When trying to open the KeePass CHM help file from a remote computer or shared network drive, it's not displayed correctly (navigation aborted, ...).
Solution: See Microsoft Security Bulletin MS05-026.
Where can I find more application icons for Windows shortcuts?
How can I add more client icons for password entries?
Does KeePass support a mini mode?
KeePass 1.x OnlyYes, see KeePass 1.x Mini Mode.
KeePass 2.x OnlyA mini mode is not supported yet.
Why doesn't KeePass lock after Auto-Type?
KeePass 1.x OnlyI have enabled the "Use alternative auto-type method (minimize window)" and "Lock workspace when minimizing the main window" options. Why doesn't KeePass lock after auto-typing?
In this very special case, the window minimization only is a way to lose the focus, i.e. the window below comes to the foreground. The minimization is not user-initiated (it's only a side-effect of auto-type), nor a consequence of an external minimization command, therefore it is not (and should not be) affected by the automatic workspace locking handler.
If you worry about having KeePass minimized and unlocked, enable the "Automatically lock workspace after the following number of seconds" option and specify a reasonable amount.
KeePass 2.x OnlyThis does not apply to KeePass 2.x.
Why doesn't Auto-Type work correctly on Polish systems?
On Polish systems, the default auto-type hot key Ctrl+Alt+A conflicts with a system command and is frequently used in typing. Therefore, auto-type is often executed accidentally.
The global auto-type hot key can be changed to a different key combination in the KeePass options (see Auto-Type for details).
Why doesn't printing work in KeePass 1.x?
Symptoms: When trying to print a password list in KeePass 1.x, nothing happens after clicking OK in the 'Print Options' dialog.
Cause: KeePass 1.x uses the application associated with
Alternative Resolution / Workaround: Click 'File' -> 'Print Preview' in KeePass 1.x and manually print the document in the application that just opened the file.
Why does KeePass try to connect to the Internet?
KeePass has an option to automatically check for updates on each program start. In order to check for updates, KeePass downloads a small version information file and compares the available version with the installed version. No personal information is sent to the KeePass web server.
Automatic update checks are performed unintrusively in the background. A notification is only displayed when an update is available. Updates are not downloaded or installed automatically.
The option is disabled by default. You can enable/disable it in 'Tools' -> 'Options' -> tab 'Advanced'.
Is Auto-Type keylogger-safe?
Is the Auto-Type feature resistant to keyloggers?
KeePass 1.x OnlyNo. The Auto-Type feature has been designed in a way that it's impossible for target applications to distinguish real keys from auto-typed ones. This on the one hand has the advantage that the feature is really compatible with all applications out there. On the other hand, the auto-typed keys can of course be logged by keyloggers. If you worry about keyloggers, you have to use one of the other methods (drag&drop, copying to clipboard, KeeForm, ...).
KeePass 2.x OnlyBy default: no. The Auto-Type method in KeePass 2.x works the same as the one in 1.x and consequently is not keylogger-safe.
However, KeePass features an alternative method called Two-Channel Auto-Type Obfuscation (TCATO), which renders keyloggers completely useless. This is an opt-in feature (because it doesn't work with all windows) and must be enabled for entries manually. See the TCATO documentation for details.
Can Auto-Type locate child controls?
No. Auto-Type only checks whether the title of the currently active top level window matches.
Browsers like Mozilla Firefox completely draw the window (all controls) themselves, without using standard Windows controls. Consequently it is technically impossible for KeePass to check whether an URL matches (methods like creating a screenshot and using optical character recognition are not reliable and secure). Also, it's impossible to check which child control currently has the focus. These problems can only be avoided by using browser integration plugins, i.e. not using auto-type at all.
The user must make sure that the focus is placed in the correct control before starting auto-type.
Could you add the ... encryption algorithm to KeePass?
KeePass 1.x OnlyOnly Rijndael (AES) and Twofish are supported. There are no plans to add additional algorithms for the following reasons:
KeePass 2.x OnlyOnly Rijndael (AES) is supported, but KeePass supports additional algorithms through encryption plugins. You can find encryption plugins on the plugins page.
If you'd like to implement an algorithm, have a look at the ArcFourCipher sample plugin.
Why doesn't KeePass lock when Windows locks and a KeePass sub-dialog is open?
KeePass automatically tries to lock its workspace when Windows is locked, with one exception: when a KeePass sub-dialog (like the 'Edit Entry' window) is currently opened, the workspace is not locked.
To understand why this behavior makes sense, it is first important to know what happens when the workspace is locked. When locking, KeePass completely closes the database and only remembers several view parameters, like the last selected group, the top visible entry, selected entries, etc. From a security point of view, this achieves best security possible: breaking a locked workspace is equal to breaking the database itself.
Now back to the original question. Let's assume an edit dialog is open and the workstation locks. What should KeePass do now? Obviously, it's too late to ask the user what to do (the workstation is locked already and no window can't be displayed), consequently KeePass must make an automatic decision. There are several possibilities:
Obviously, none of these alternatives is satisfactory. Therefore, KeePass implements the following simple and easy to understand behavior:
When Windows is locked and a KeePass sub-dialog is opened, the KeePass workspace is not locked.
This simple concept avoids all the problems above. The user is responsible for the state of the program.
Security consequence: the database is left open when Windows locks. Normally, you are the only one who can log back in to Windows. When someone else logs in (like administrator), he can't use your programs anyway. By default, KeePass keeps in-memory passwords encrypted, therefore it does not matter if Windows caches the process to disk at some time. So, your passwords are pretty safe anyway.
Note. On Windows ≤ XP, the 'Terminal Services' Windows service should be enabled. If this service is disabled, locking KeePass when Windows locks might not work. This service isn't required on newer operating systems.
Printing creates a temporary file. Will it be erased securely?
KeePass creates a temporary HTML file when printing password lists and showing print previews. This file is securely erased (i.e. overwritten multiple times before being removed from the file system tree) when closing the database.
You must wait for the file being printed completely before closing KeePass (and close the print preview before closing KeePass), otherwise it could happen that the printing application blocks KeePass from deleting the file.
There is no way around the temporary file in the current printing system. If you want to write a plugin that directly sends the data to the printer, you can find a plugin development tutorial here: KeePass 2.x Plugin Development.
Why the estimated quality of a password suddenly drops?
For estimating the quality/strength of a password, KeePass not only uses statistical methods (like checking which character ranges are used, repeating characters and differences), it also has a built-in list of about 1500 most common passwords. Such most common passwords are rated down to 1/8th of their statistical rating. Thus, the estimated quality can drop to a lower value while entering a password.
Can I directly edit file attachments?
No, this is not possible (exception: text files, see working with large texts). In order to edit attachments, you need to save them to a (temporary) file, edit it using an external application, import it back to KeePass as attachment, and finally delete the temporary file.
There will no feature be implemented that automates these steps, because of security problems. To see the problems, let's assume that KeePass would support editing attachments. When you click a button, KeePass would save the attachment to a file and open it using its associated external application. When the external application is closed, KeePass would import the temporary file and delete it securely. But what happens when KeePass is closed before the external application? KeePass cannot delete the file because it's eventually locked by the external application. Theoretically KeePass could tell the user this fact before closing, but what to do when the computer shuts down? Here, there's no time left to ask the user what to do. The temporary file would have been leaked, i.e. left unencryptedly on disk, which is obviously very bad.
One could argue that the leakage would only be temporary: at the next start, KeePass could scan the temporary directory for remaining files and delete them. Anyway, the files would be freely accessible (unencrypted) by all other applications during a complete computer shutdown and boot process. If you don't start KeePass on this computer ever again, the file is leaked forever. As KeePass is designed to be portable, i.e. may be securely used on many computers, this temporary leakage is unacceptable.
How to store and work with large amounts of (formatted) text?
KeePass 1.x OnlyThere is no direct support for storing and working with large formatted texts.
KeePass 2.x Only
Can an e-mail address field be added?
A few times it has been requested that a standard entry field for e-mail addresses is added (on the main tab page in the entry editing dialog). The short answer: an e-mail address field will not be added due to usability reasons. Now the long answer.
First of all, let's assume that most of the entries stored in KeePass contain information for logging in to websites. When you register an account for a website, you often have to specify a user name as well as an e-mail address. When you regularly log in later, you usually only need to provide either user name + password or e-mail + password (never user name + e-mail + password). Here the first part (which is either user name or e-mail) serves as identification: you tell the website who you are. The second part (password) provides authentication: you prove to the website that you're really the one who you claim to be.
There are various methods how KeePass can transfer data to
other applications. All of these methods by default assume that the content
of the user name field is used for identification. For example,
the default auto-type sequence of
an entry is
The solution is simple: instead of interpreting the 'User Name' field strictly as a field containing a user name, users should rather interpret it as a field in which the data required for identification is stored. This data can consist of a user name, an e-mail address or something else (e.g. an account number for an online banking website). By handling it like this, the default data transfer configuration will work for most websites, i.e. zero amount of work needs to be put into the configuration. If you had to provide both a user name and an e-mail address at registration time, the other information (which isn't required on a regular basis) can be stored e.g. in the notes field or a custom string field of the KeePass entry.
Now assume a separate e-mail field would be added. When users store both a user name and an e-mail address, KeePass cannot know which of the two is required for identification. So, in order to setup data transfer for the entry, users would be forced to choose which of the two fields should be used.
So, adding an e-mail field would be a step back in usability, because it forces users to put additional time into data transfer configuration. The current system ('User Name' containing identification information, without a separate e-mail field) doesn't require this, and thus is the better solution.
For users that are willing to manually configure the data transfer for each entry, there are multiple ways to get a separate e-mail address field. After switching to the 'Advanced' tab in the entry editing dialog, an e-mail address field can be added as custom string. If the field should appear on the main tab page of the dialog, the KPEntryTemplates plugin can be used.