KeePass Help Center KeePass Home | Downloads | Translations | Plugins | Donate 
Help Center Home | Forums | Awards | Links 







Placeholders

KeePass supports various placeholders.

In many places in KeePass (auto-type, URL field, triggers, ...), placeholders can be used.


KeePass 1.x Only
Placeholders are case-sensitive.

KeePass 2.x Only
Placeholders are case-insensitive.

KeePass uses the abbreviation "Spr" for "String placeholder replacement". An Spr-compiled field is a field where placeholders are replaced when performing an action with this field (like copying it to the clipboard, sending it using auto-type, etc.).

References in a field to (parts of) the field itself are unsupported. For example, the {URL:HOST} placeholder cannot be used in the URL field (but it can be used in the 'Override URL' field).


Entry Field Placeholders


PlaceholderField
{TITLE}Title
{USERNAME}User name
{URL}URL
{PASSWORD}Password
{NOTES}Notes

KeePass 2.x Only
Custom strings can be referenced using {S:Name}. For example, if you have a custom string named "eMail", you can use the placeholder {S:eMail}.

KeePass 2.x Only
PlaceholderIs Replaced By
{URL:RMVSCM}Entry URL without scheme name.
{URL:SCM}Scheme name of the entry URL.
{URL:HOST}Host component of the entry URL.
{URL:PORT}Port number of the entry URL.
{URL:PATH}Path component of the entry URL.
{URL:QUERY}Query information of the entry URL.
{URL:USERINFO}User information of the entry URL.
{URL:USERNAME}User name of the entry URL.
{URL:PASSWORD}Password of the entry URL.
{UUID}UUID of the entry (32 hexadecimal characters).

An example for the {URL:...} placeholders can be found below.


Entry Field References

Fields of other entries can be inserted using Field References.


Paths and Date/Time Placeholders


PlaceholderIs Replaced By
{EDGE}Path to Microsoft Edge, if installed.
{FIREFOX}Path to Mozilla Firefox, if installed.
{GOOGLECHROME}Path to Google Chrome (or Chromium on Unix-like systems), if installed.
{INTERNETEXPLORER}Path to Internet Explorer, if installed.
{OPERA}Path to Opera, if installed.
{SAFARI}Path to Safari, if installed.

PlaceholderIs Replaced By
{APPDIR}KeePass application directory path.

KeePass 2.x Only
PlaceholderIs Replaced By
{GROUP}Name of the entry's parent group.
{GROUP_PATH}Full path of the entry's parent group.
{GROUP_NOTES}Notes of the entry's parent group.
{GROUP_SEL}Name of the group that is currently selected in the main window.
{GROUP_SEL_PATH}Full path of the group that is currently selected in the main window.
{GROUP_SEL_NOTES}Notes of the group that is currently selected in the main window.
{DB_PATH}Full path of the current database.
{DB_DIR}Directory of the current database.
{DB_NAME}File name (including extension) of the current database.
{DB_BASENAME}File name (excluding extension) of the current database.
{DB_EXT}File name extension of the current database.
{ENV_DIRSEP}Directory separator ('\' on Windows, '/' on Unix).
{ENV_PROGRAMFILES_X86}This is %ProgramFiles(x86)%, if it exists, otherwise %ProgramFiles%.

PlaceholderIs Replaced By
{DT_SIMPLE}Current local date/time as a simple, sortable string. For example, for 2012-07-25 17:05:34 the value is 20120725170534.
{DT_YEAR}Year component of the current local date/time.
{DT_MONTH}Month component of the current local date/time.
{DT_DAY}Day component of the current local date/time.
{DT_HOUR}Hour component of the current local date/time.
{DT_MINUTE}Minute component of the current local date/time.
{DT_SECOND}Second component of the current local date/time.
{DT_UTC_SIMPLE}Current UTC date/time as a simple, sortable string.
{DT_UTC_YEAR}Year component of the current UTC date/time.
{DT_UTC_MONTH}Month component of the current UTC date/time.
{DT_UTC_DAY}Day component of the current UTC date/time.
{DT_UTC_HOUR}Hour component of the current UTC date/time.
{DT_UTC_MINUTE}Minute component of the current UTC date/time.
{DT_UTC_SECOND}Second component of the current UTC date/time.


Environment Variables

System environment variables are supported. The name of the variable must be enclosed in '%' characters. For example %TEMP% is replaced by the user's temporary path.


Text Transformations


KeePass 2.x Only
PlaceholderAction
{T-REPLACE-RX:/Text/Search/Replace/} Searches the regular expression Search in Text and replaces all matches by Replace. See below.
{T-CONV:/Text/Type/} Convert Text to Type. See below.


KeePass 2.x Only
{T-REPLACE-RX:/Text/Search/Replace/} – Replace Using Regular Expression:
This placeholder searches the regular expression Search in Text and replaces all matches by Replace.

All parameters are Spr-compiled, i.e. placeholders can be used within them.

The first character after the first ':' specifies the separator character. Any character except '}' can be used as separator character. It must not appear within the parameters. For example, {T-REPLACE-RX:/A/B/C/} and {T-REPLACE-RX:!A!B!C!} are equivalent. The last separator character (before the '}') is required.

Usage example. Let the user name field contain the e-mail address 'myname@example.com' and the URL field '{T-REPLACE-RX:!{USERNAME}!.*@(.*)!https://$1!}'. When running the URL field, KeePass opens 'https://example.com'.


KeePass 2.x Only
{T-CONV:/Text/Type/} – Convert:
This placeholder converts Text to Type.

All parameters are Spr-compiled, i.e. placeholders can be used within them.

Supported types are:
  • Upper or U:
    Upper-case.
  • Lower or L:
    Lower-case.
    Example. Let the user name of an entry be 'Bob' and the URL 'https://example.com/?user={T-CONV:/{USERNAME}/L/}'. When running the URL, KeePass opens 'https://example.com/?user=bob'.
  • Base64:
    The Base64 encoding of the UTF-8 representation of the text.
  • Hex:
    The Hex encoding of the UTF-8 representation of the text.
  • Uri:
    The URI-escaped representation of the text.
  • Uri-Dec:
    The URI-unescaped representation of the text.
  • Raw:
    Spr-compiles Text without encoding the result for the current context.
    Example. Let the user name of an entry be '+'. The auto-type sequence '{USERNAME}a' results in the text '+a', whereas the auto-type sequence '{T-CONV:/{USERNAME}/Raw/}a' results in the text 'A' (because this placeholder inserts '+' into the auto-type sequence without encoding it, and '+a' means to press Shift+A, which results in the text 'A').


Other Placeholders


KeePass 2.x Only
PlaceholderAction
{PICKCHARS}
{PICKCHARS:Fld:Opt}
Shows a dialog to pick certain characters from an entry string. See below.
{PICKFIELD}Shows a dialog to pick a field whose value will be inserted.
{NEWPASSWORD}
{NEWPASSWORD:/Profile/.../}
Generates a new password. See below.
{PASSWORD_ENC}Password in encrypted form. See below.
{HMACOTP}Generates an HMAC-based one-time password. See below.
{TIMEOTP}Generates a time-based one-time password. See below.
{C:Comment}Comment; is removed.
{BASE}
{BASE:RMVSCM}
{BASE:SCM}
{BASE:HOST}
{BASE:PORT}
{BASE:PATH}
{BASE:QUERY}
{BASE:USERINFO}
{BASE:USERNAME}
{BASE:PASSWORD}
Within a URL override, each of these placeholders is replaced by the specified part of the string that is being overridden. See below.
{CLIPBOARD} Gets the clipboard content (text).
{CLIPBOARD-SET:/Text/} Copies Text into the clipboard.
{CMD:/CommandLine/Options/} Runs a command line. See below.


KeePass 2.x Only
{PICKCHARS} – Picking Characters:
Character Picking Dialog The {PICKCHARS} placeholder shows a dialog, in which you can pick characters of an entry string (like the password) at certain positions.

{PICKCHARS} without any parameters lets you pick an arbitrary amount of characters from the password of the entry. A different entry string can be specified by appending a ':' and the name of the field; e.g. {PICKCHARS:UserName}. The names of the standard fields are Title, UserName (without a space), Password, URL and Notes. A custom entry string can be referenced by its name (without an S: prefix).

Additionally, the placeholder supports various (optional!) options. Options are appended after the field name, separated by a ':'. If you want to specify multiple options, separate them by a comma ','. Options are key-value pairs, separated by a '='. The following options are supported:
  • ID: Specifies an alphanumeric ID for the placeholder (see below).
  • C or Count: Specifies the number of characters to pick from the string. When enough characters have been picked, the dialog closes automatically (i.e. you don't need to manually click [OK] anymore).
  • Hide: If set to False, the picked characters in the dialog are shown as plain text by default, i.e. not hidden by asterisks. By default, KeePass uses the hiding setting of passwords in the main window.
  • Conv: Specifies how to convert the picked characters. When this parameter is omitted, no conversion is performed, i.e. the selected characters are auto-typed directly. The option supports the following values:
    • D: Convert the picked characters to down arrow keypresses; e.g. '2', 'c' and 'C' are converted to 2 down arrow keypresses.

      A fixed number of down arrow keypresses can be added by specifying them using the Conv-Offset option. For example, if you specify Conv=D, Conv-Offset=1, then '2', 'c' and 'C' are converted to 3 down arrow keypresses.

      By using the Conv-Fmt option, you can specify the layout of comboboxes. By default, KeePass assumes a combobox containing values from 0 to 9 or from A to Z. If the combobox contains values 0-9A-Z (i.e. first all ten digits, immediately followed by all characters from A to Z), specify Conv=D, Conv-Fmt=0A. Similarly, if it contains values A-Z0-9, specify Conv=D, Conv-Fmt=A0. If digits start with 1 instead of 0 (i.e. the 0 appears after the 9), use 1A and A1 instead of 0A and A0. If the combobox contains values 0-9A-Za-z (i.e. case-sensitive characters), specify 0Aa. All combinations of '0', 'A', 'a' and '?' are supported. If 'A' and 'a' are not specified both, characters are treated as case-insensitive. '?' skips a combobox item.
If you want to show the character picking dialog multiple times within one sequence, assign different IDs to the placeholders. If an ID is specified multiple times (or no ID is specified and the placeholders are the same), KeePass shows the character picking dialog once and reuses the picked characters in all following placeholders with the same ID.

Usage examples:

{USERNAME}{TAB}{PICKCHARS:Password:C=5}{ENTER}
First a dialog is shown in which the user can pick exactly 5 characters from the entry password. Afterwards KeePass types the user name into the target window, presses Tab, types the 5 picked characters and presses Enter.

ComboBox Form {S:Memorable}{TAB}{PICKCHARS:Password:ID=1, C=1, Conv=D, Conv-Offset=1}{TAB}{PICKCHARS:Password:ID=2, C=1, Conv=D, Conv-Offset=1}{TAB}{PICKCHARS:Password:ID=3, C=1, Conv=D, Conv-Offset=1}{ENTER}
First the character picking dialog is shown three times and each time the user can pick exactly one character from the entry password. Afterwards the auto-type process starts: KeePass types the contents of a custom entry string named "Memorable" into the target window. The focus is switched to the next control by pressing Tab, and the first previously picked character is converted to down arrow keypresses (with one additional keypress; e.g. a '1' is converted to two down arrow keypresses). This is repeated two more times with the other picked characters, and finally Enter is pressed.

Note this is not equivalent to picking three characters at once. If you'd use {S:Memorable}{TAB}{PICKCHARS:Password:C=3, Conv=D, Conv-Offset=1}, all the down arrow keypresses are sent to the same, currently active control.

In some browsers (e.g. Opera), setting the focus to a combobox can be slow. If you experience auto-type failures, consider slowing down the focus changes, e.g. by adding {DELAY 250} after each {TAB}, or slowing down the whole sequence, e.g. by prepending {DELAY=150}.


KeePass 2.x Only
{NEWPASSWORD} and {NEWPASSWORD:/Profile/.../} – Generating New Passwords:
The {NEWPASSWORD} placeholder generates a new password for the current entry, based on the 'Automatically generated passwords for new entries' generator profile.

This placeholder is evaluated only once in an auto-type process, i.e. for a typical 'Old Password' - 'New Password' - 'Repeat New Password' dialog, you can use {PASSWORD}{TAB}{NEWPASSWORD}{TAB}{NEWPASSWORD}{ENTER} as auto-type sequence.

In order to use a different password generator profile, use {NEWPASSWORD:/Profile/}, where Profile is the name of the profile. If the specified profile cannot be found, the 'Automatically generated passwords for new entries' profile is used.

A few profile names are special:
  • ~: When specifying '~' as name of the profile (i.e. when using the placeholder {NEWPASSWORD:/~/}), KeePass derives a profile from the current entry password. Not recommended, as the quality can degrade.
  • #: When specifying '#' as name of the profile, you can specify two additional parameters: a pattern and an option.
    • R: Specifies whether to rearrange/permute the characters of the generated password randomly.
      The default value is 0.
      • 0: Do not rearrange.
      • 1: Rearrange.
    Examples:
    • {NEWPASSWORD:/#/HH\-HH\-HH\-HH\-HH\-HH/}
      generates a MAC address.
    • {NEWPASSWORD:/#/uldA{17}/R=1/}
      generates an alphanumeric password of length 20 that contains at least one upper-case letter, at least one lower-case letter and at least one digit (at random positions).
As with the {NEWPASSWORD} placeholder, {NEWPASSWORD:/.../} placeholders are evaluated only once (even when different profiles/parameters are specified).


KeePass 2.x Only
{PASSWORD_ENC} – Encrypting Passwords:
The {PASSWORD_ENC} placeholder is replaced by the password of the current entry in encrypted form. The password is encrypted using credentials of the current Windows user. The encrypted password should not be stored and only works for the current user.

It is intended to be used in conjunction with the -pw-enc command line parameter (see the URL Field page for an example how to define a URL to open an additional KeePass database). The placeholder cannot be used to transfer passwords to other applications (except KeePass), because the target applications don't know how to decrypt encrypted passwords generated by {PASSWORD_ENC}.


KeePass 2.x Only
One-Time Passwords (OTPs):
KeePass provides menu commands in the main window for generating one-time passwords ('Copy HMAC-Based OTP', 'Show HMAC-Based OTP', 'Copy Time-Based OTP', 'Show Time-Based OTP'). Furthermore, one-time passwords can be generated during auto-type using the {HMACOTP} and {TIMEOTP} placeholders.

The parameters for the OTP generation are stored as entry strings and can be edited conveniently using the 'OTP Generator Settings' dialog (which checks the entered values, shows a preview, etc.). Alternatively, you can edit the entry strings directly, as documented below.

{HMACOTP} – Generating HMAC-Based One-Time Passwords:
The {HMACOTP} placeholder generates an HMAC-based one-time password (HOTP) according to RFC 4226.

The shared secret and other parameters can be specified using the following entry string fields (which can be added/edited in the entry dialog on the 'Advanced' tab page):

  • HmacOtp-Secret
    HmacOtp-Secret-Hex
    HmacOtp-Secret-Base32
    HmacOtp-Secret-Base64
    Exactly one of these fields must be present, and its value must be set to the shared secret in the corresponding encoding. In the first case ('HmacOtp-Secret'), the UTF-8 encoding of the value is used as shared secret.
  • HmacOtp-Counter (automatic)
    This field stores the counter value in decimal representation. The default value is 0. When the {HMACOTP} placeholder is replaced (i.e. when generating a one-time password), KeePass updates the counter value automatically.

{TIMEOTP} – Generating Time-Based One-Time Passwords:
The {TIMEOTP} placeholder generates a time-based one-time password (TOTP) according to RFC 6238.

The shared secret and other parameters can be specified using the following entry string fields (which can be added/edited in the entry dialog on the 'Advanced' tab page):

  • TimeOtp-Secret
    TimeOtp-Secret-Hex
    TimeOtp-Secret-Base32 (most common)
    TimeOtp-Secret-Base64
    Exactly one of these fields must be present, and its value must be set to the shared secret in the corresponding encoding. In the first case ('TimeOtp-Secret'), the UTF-8 encoding of the value is used as shared secret. Most services use the Base32 encoding.
  • TimeOtp-Length (optional)
    Specifies the length of the generated one-time password. The default value is 6; the maximum is 8.
  • TimeOtp-Period (optional)
    Specifies the time-step size in seconds. The default value is 30.
  • TimeOtp-Algorithm (optional)
    Specifies the cryptographic algorithm used for the generation of the one-time password. The following algorithms are supported:
    • HMAC-SHA-1
    • HMAC-SHA-256
    • HMAC-SHA-512
    The default value is HMAC-SHA-1.

The date and the time of your system must be correct, otherwise the service/server may reject the generated OTP.

Usage example. Create a new entry and change its default auto-type sequence to {USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 3000}{HMACOTP}{ENTER}. Open the 'OTP Generator Settings' dialog, set the shared secret for HMAC-based OTPs to '12345678901234567890' and select the UTF-8 encoding. When performing auto-type, KeePass sends the user name, presses Tab, sends the password, presses Enter, waits 3 seconds, generates and sends a HMAC-based OTP and finally presses Enter again. The counter value for the OTP generation is updated automatically. With the shared secret above and initial counter value 0, the following OTPs are generated: 755224, 287082, 359152, 969429, 338314, ... (more generated OTPs can be found in the example in RFC 4226).

Plugins. There are plugins that add support for non-standard OTPs (e.g. Steam) and provide additional functions related to OTPs.


KeePass 2.x Only
{URL:...} and {BASE:...}:
The {URL:...} placeholder is replaced by the specified part of the current entry's URL; this typically is useful in an entry-specific URL override (defined on the 'Properties' tab of the entry dialog). The {BASE:...} placeholder is replaced by the specified part of the URL being overridden; this typically is useful in a global URL override (defined in 'Tools' → 'Options' → tab 'Integration' → button 'URL Overrides'), because there no entry context may be available.

Usage example. For the entry URL https://user:pw@keepass.info:80/path/example.php?q=e&s=t, the placeholders return the following values:

PlaceholderValue
{URL} https://user:pw@keepass.info:80/path/example.php?q=e&s=t
{URL:RMVSCM} user:pw@keepass.info:80/path/example.php?q=e&s=t
{URL:SCM} https
{URL:HOST} keepass.info
{URL:PORT} 80
{URL:PATH} /path/example.php
{URL:QUERY} ?q=e&s=t
{URL:USERINFO} user:pw
{URL:USERNAME} user
{URL:PASSWORD} pw

{BASE} supports exactly the same parts as {URL}.


KeePass 2.x Only
{CMD:/CommandLine/Options/} – Running a command line:
The {CMD:/CommandLine/Options/} placeholder runs the specified command line.

A command line consists of a path to an executable file or a document and command line parameters. If the path contains spaces, it must be enclosed in quotes (").

The character after the first ':' specifies the separator character. It can be chosen freely (except '{' and '}'), but it must not occur in the command line or any of the options. For example, {CMD:/Notepad.exe/W=0/} and {CMD:!Notepad.exe!W=0!} are equivalent. The separator character at the end (before the '}') is mandatory.

An option is a key-value pair, separated by '='. Multiple options must be separated using commas ','.

Options:
  • M: Specifies the method for running/opening the executable/document.
    The default value is S.
    • S: Use the system shell (via ShellExecute). With this, executable files are executed and documents are opened using their associated applications. However, no standard input/output is supported.
    • C: Run an executable file (EXE or COM, via CreateProcess); documents are not supported. Standard input/output is supported.
  • O: Specifies what to do with the standard output of the executed application.
    The default value is 1.
    • 0: Ignore the standard output. The placeholder is replaced by an empty string.
    • 1: Replace the placeholder by the standard output.
  • W: Specifies whether to wait for the termination of the executed application.
    The default value is 1.
    • 0: Do not wait.
    • 1: Wait.
  • WS: Specifies the window style. Not all applications support this option.
    The default value is N.
    • N: Normal.
    • H: Hidden.
    • Min: Minimized.
    • Max: Maximized.
  • V: Specifies the verb (action to be performed), e.g. 'Open' or 'Print'. When using the verb 'RunAs', the application is executed with administrative rights (this may require a confirmation via the UAC dialog).

New-line characters at the end of the output are removed (analogous to '$(...)' and '`...`' shell command substitutions).

Usage examples:
  • {CMD:/Notepad.exe/W=0/}
    Runs Notepad and continues immediately.
  • {CMD:/PowerShell.exe -Command "(Get-FileHash '%SYSTEMROOT%\Win.ini' -Algorithm SHA256).Hash"/M=C,WS=H/}
    The placeholder is replaced by the SHA-256 hash of Windows' Win.ini file.








Get KeePass