question on keypass

08-04-2010 , 05:21 AM
Is it really secure to have keypass hold all passwords on your computer rather than written down on paper??
08-04-2010 , 05:39 AM
I'd certainly rather have all my passwords stored in keepass rather than on a piece of paper. Or in a truecrypt encrypted file. Or in a box with an angry animal in front of it.

Anything other than a piece of paper, really.
08-04-2010 , 06:08 AM
please explain how keypass is hacker proof
08-04-2010 , 09:40 AM
KeePass makes your passwords unreadable. Imagine you would have written your passwords on a piece of paper in a language only you can decipher.

http://keepass.info/features.html#lnksec
08-04-2010 , 12:28 PM
How is it unreadable?

Germany's Enigma machine had 150 million million million combinations and was hacked.
08-04-2010 , 12:33 PM
keepass is the nuts, everyone should have it - even for just online banking stuff
08-04-2010 , 12:37 PM
I'll stick to what I have now..confused why I would risk all my passwords
08-04-2010 , 12:42 PM
Quote:
Originally Posted by scorer
I'll stick to what I have now..confused why I would risk all my passwords
The issue is remembering many different secure passwords for multiple sites. If you can do this yourself then you're probably ok, it's just there are easier solutions like keypass or lastpass (which I use). You don't have to type your password in, don't have to remember it, don't have to generate an at least 10 character password with symbols, upper/lower case, and numbers for every site you visit.
08-04-2010 , 01:18 PM
You risk your passwords by typing them in manually. With keepass you "copy/paste" them and are not at risk for piece of **** phishing/keylogging/hacking pricks.

And for me it'd be pretty much impossible to remember passwords that resemble this: !owija.1294awoei
08-04-2010 , 01:52 PM
Quote:
Originally Posted by LOLDONKBETZ
You risk your passwords by typing them in manually. With keepass you "copy/paste" them and are not at risk for piece of **** phishing/keylogging/hacking pricks.
Keepass doesn't protect you from phishing scams at all. Keepass doesn't protect you from "hacking pricks," for example, you're just as likely to fall victim to a man-in-the-middle attack. Keepass also doesn't provide comprehensive protection against keyloggers (eventually, you'll have to enter your master password).

So what does it do? It makes it easier for you not to store passwords in some of the softwares that are the top targets of hackers (e.g., your browser). Keepass can contribute to your system's security but it plays a minor role iyam.
08-04-2010 , 02:26 PM
Quote:
Originally Posted by LOLDONKBETZ
You risk your passwords by typing them in manually. With keepass you "copy/paste" them and are not at risk for piece of **** phishing/keylogging/hacking pricks.

Don't keyloggers copy stuff off the clipboard when using copy and paste?
08-04-2010 , 02:58 PM
All those in doubt of the security of KeePass. Move the keyfile on a truecrypt volume. Et voilà ...
08-04-2010 , 03:01 PM
Quote:
Originally Posted by wellju
All those in doubt of the security of KeePass. Move the keyfile on a truecrypt volume. Et voilà ...
That does absolutely nothing for you with regard to the aforementioned criticisms
08-04-2010 , 03:45 PM
Quote:
Originally Posted by 3after909
Keepass doesn't protect you from phishing scams at all. Keepass doesn't protect you from "hacking pricks," for example, you're just as likely to fall victim to a man-in-the-middle attack. Keepass also doesn't provide comprehensive protection against keyloggers (eventually, you'll have to enter your master password).

So what does it do? It makes it easier for you not to store passwords in some of the softwares that are the top targets of hackers (e.g., your browser). Keepass can contribute to your system's security but it plays a minor role iyam.
I agree with all of this. Keepass simply allows you to implement a proper password policy of using unique and strong passwords for all of your accounts. Keepass is open source software so if you are concerned about its security you can audit its source code. If you don't trust the Keepass binaries you can compile it yourself.

I can't answer if Keepass is safer than keeping your passwords written down on a piece of paper because I would have to know what your physical security is like. It's hard for me to imagine a scenario where storing your passwords in Keepass is less safe than storing them on piece of paper and it's certainly more convenient.

Note: The software I'm referring to is Keepass Password Safe. Keypass is a different password manager that is not open-source.
08-04-2010 , 03:45 PM
Quote:
Originally Posted by 3after909
That does absolutely nothing for you with regard to the aforementioned criticisms
Yes you're right in that way, I was kind of answering to the OP and generally speaking about the average user and malware. Against MITM attacks you're screwed anyways, but the most users get some weak spying malware because they click on attachments, reply to spam mails with "never write me again" and therefore become target of interest to some people and their now confirmed email accounts go through some basic brute force attacks and get screwed due to the surname as password.

Quote:
Originally Posted by scorer
Is it really secure to have keypass hold all passwords on your computer rather than written down on paper??
This was the basic question, and the answer is yes +100000.

By having not only a master password but using a keyfile as well in KeePass, and moving that keyfile on an encrypted volume itself, you basically remove any chance to get in trouble from the regular, working widespread hacks out there every 12yr old can find in google.

Quote:
Originally Posted by Draidin
How is it unreadable?
Germany's Enigma machine had 150 million million million combinations and was hacked.
What have to do with when your goal is to make a flush, besides they both are in the 52 card deck? Nothing, you name it.



Quote:
Originally Posted by GRANTCKING
Don't keyloggers copy stuff off the clipboard when using copy and paste?
From the KeePass site:
Quote:
Process Memory Protection
While KeePass is running, sensitive data (like the hash of the master key and entry passwords) is stored encrypted in process memory.

This means that even if you would dump the KeePass process memory to disk, you couldn't find the passwords.
So, the keyloggers watching your clipboard don't get anything out of it.


@3after, when it comes to security we both probably agree that the weakest link is usually the user and in CTH you'll see a lot of good examples for that.
There is a good saying in German, sounds odd in English, but anyways:
You have to draw dark red, so it comes out pink.

What I mean is, sometimes it's ok for us to give a general statement to make sure the user in question gets it and more important, trusts the statement even if we know there are multiple very sophisticated ways to get around it.

If I'm going to answer to the OP, KeePass is great by itself, but you're screwed anyways if someone is really wanting to get your data and he already struggles to use KeePass, I don't think I would help him by that.

The good thing we can do in this thread, to get OP and maybe some other readers to use KeePass because it would mean a huge improvement when they start using random generated passwords (and not only passwords, you also have form data like name, address, cc info in KeePass) and that's what I tried to achieve.
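The master-password-plus-keyfile setup described in the post above, as an added sketch that is not part of the thread and not KeePass's own code or file format. It assumes a simplified scheme (SHA-256 over both factors, stretched with PBKDF2) and hypothetical function names, and shows that a captured master password alone does not unlock the database.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Hash each factor on its own, then hash the concatenation."""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if keyfile is not None:
        parts.append(hashlib.sha256(keyfile).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def derive_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite key so every guess costs ITERATIONS hashes."""
    return hashlib.pbkdf2_hmac(
        "sha256", composite_key(password, keyfile), salt, ITERATIONS
    )


def verifier(key: bytes) -> bytes:
    """Hypothetical stand-in for 'the database decrypts correctly'."""
    return hmac.new(key, b"database-header", hashlib.sha256).digest()


def can_unlock(password: str, keyfile: Optional[bytes], salt: bytes, stored: bytes) -> bool:
    candidate = verifier(derive_key(password, keyfile, salt))
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample values, generated fresh on every run.
    salt = secrets.token_bytes(16)
    keyfile = secrets.token_bytes(32)
    password = "correct horse battery staple"
    stored = verifier(derive_key(password, keyfile, salt))
    return {
        "password_and_keyfile": can_unlock(password, keyfile, salt, stored),
        "password_only": can_unlock(password, None, salt, stored),
        "keyfile_only": can_unlock("guess", keyfile, salt, stored),
        "wrong_keyfile": can_unlock(password, secrets.token_bytes(32), salt, stored),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} unlocks: {ok}")
```

The keyfile adds protection only while it is kept somewhere that software running on the machine cannot read alongside the database.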
08-04-2010 , 04:27 PM
^ty
08-04-2010 , 05:39 PM
Quote:
Originally Posted by funkyworms
Keepass simply allows you to implement a proper password policy of using unique and strong passwords for all of your accounts. Keepass is open source software so if you are concerned about its security you can audit its source code.

Note: The software I'm referring to is Keepass Password Safe. Keypass is a different password manager that is not open-source.
All of these things are great points.

Quote:
Originally Posted by wellju
@3after, when it comes to security we both probably agree that the weakest link is usually the user and in CTH you'll see a lot of good examples for that.
There is a good saying in German, sounds odd in English, but anyways:
You have to draw dark red, so it comes out pink.

What I mean is, sometimes it's ok for us to give a general statement to make sure the user in question gets it and more important, trusts the statement even if we know there are multiple very sophisticated ways to get around it.

If I'm going to answer to the OP, KeePass is great by itself, but you're screwed anyways if someone is really wanting to get your data and he already struggles to use KeePass, I don't think I would help him by that.

The good thing we can do in this thread, to get OP and maybe some other readers to use KeePass because it would mean a huge improvement when they start using random generated passwords (and not only passwords, you also have form data like name, address, cc info in KeePass) and that's what I tried to achieve.
Great points here, too.

I guess I sometimes fail to formulate things so that the non-technical users can follow. I'll give it another shot. Instead of stating that "keepass doesn't protect you from this or that," the most fundamental insight I want to convey is that to minimize your risk of getting compromised (at reasonable cost), you need to follow a number of rules. There is no single magical tool ensuring acceptable security on its own. When I hear something like "keepass is da nutz" (or, "this antivirus is da nutz"), I get weary. "Not behaving stupidly" (such as not running cracks or other executables from unreliable sources) isn't sufficient, either (because, for example, attacks are sometimes launched from what you might consider trustworthy sources).

And since there is this need to implement a variety of things to secure your system, I believe funkyworms' sticky is the best resource for non-technical users. It gives you a comprehensive and easy-to-implement package instead of pointing to any singular solution. And that's exactly what I'm calling for at the most basic level.

Last edited by 3after909; 08-04-2010 at 05:45 PM.
08-09-2010 , 03:44 PM
Is there a way to use Keepass for autofilling in passwords like mozilla? It seems like I have to 'right click' then click 'auto type' every time I wanted my password information to be filled out in my Chrome.
08-12-2010 , 05:47 AM
ctrl+alt+a?
08-12-2010 , 12:09 PM
Another keypass question: Do people who use multiple computers still find keypass convenient?

For example, if I might want to access my Amazon.com account at home, at work, or on my wife's computer, I am going to need keypass installed and set up on all three machines with identical passwords, right?

Oh, and confession of password stupidity:

I recently realized that for a site that used my e-mail address as the login name, I was using the actual password for that e-mail address as the password for the site.
08-12-2010 , 12:18 PM
Quote:
For example, if I might want to access my Amazon.com account at home, at work, or on my wife's computer, I am going to need keypass installed and set up on all three machines with identical passwords, right?
Keepass has a usb drive option.
08-12-2010 , 12:19 PM
The program is keepass, not keypass.

Use Dropbox to sync your keepass database across multiple computers.
08-13-2010 , 11:24 AM
Quote:
Originally Posted by funkyworms
The program is keepass, not keypass.

Use Dropbox to sync your keepass database across multiple computers.
This is what I do. I just have the keepass file in my dropbox and it automatically ships it to all the other computers.