From LastPass to KeePass
Years ago, I started using a password manager called LastPass. At the time, that was a good call, but when the story around LastPass began to change, I looked for a better alternative. I found KeePass, migrated my passwords over, and have not looked back since.
Why a password manager?
The safest password is one that is unique to that login. There are many ways to make a password longer and more random, and therefore harder to guess, but not reusing passwords is the place to start.
If you use a unique password for every account, then should any one site be breached, the leaked username/password combination cannot simply be replayed against your other accounts (attackers do exactly this, at scale, with every published breach; it is called credential stuffing).
This approach presents a conundrum: how can you remember all those passwords? Most of us can't. That leaves several options. We could keep a notebook and record every password there; however, notebooks can be discovered or lost. We could try the same with an unencrypted digital password file, but the loss or theft of that one file would then hand a perpetrator access to everything. A third option is some kind of formula for iterating passwords, like the names of your favourite films in alphabetical order, but a formula is predictable (one leaked password hints at the next), and the memorable words and phrases it produces carry far less randomness than a string of the same length drawn at random from numbers, symbols and upper- and lower-case letters. This is where a password manager comes in handy.
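As an added illustration (not code from the page, and not KeePass's or LastPass's generator): how a password manager produces the "random string" described above, drawing from the operating system's cryptographic random source rather than from a formula, and how to put a number on the result. The function names, the alphabet and the one-trillion-guesses-per-second figure are this example's own assumptions.

```python
import math
import secrets
import string

# Character classes a manager-generated password draws from: the page's
# "numbers, symbols and letters, both upper and lower case" (94 symbols in all).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols chosen uniformly and independently from an
    alphabet of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG via `secrets`.

    Never substitute the `random` module here: it is a deterministic Mersenne
    Twister whose state can be recovered from a few hundred outputs, so its
    "random" passwords are predictable to anyone who has seen enough of them.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_with_all_classes(length: int = 20) -> str:
    """Same as generate_password, for sites that demand every character class.

    Rejection sampling keeps the distribution uniform over the accepted strings;
    patching one character per class into fixed positions afterwards would not.
    """
    if length < len(CLASSES):
        raise ValueError(f"need at least {len(CLASSES)} characters")
    while True:
        candidate = generate_password(length)
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case years to enumerate a keyspace of `bits` bits at `guesses_per_second`.

    The default rate is an assumption for illustration: roughly what a cracking
    rig manages against a fast unsalted hash, far above what a slow KDF allows.
    """
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_with_all_classes(20)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"{pw}  ({bits:.1f} bits, {years_to_exhaust(bits):.3g} years to exhaust)")
```

Twenty symbols from this 94-symbol alphabet give about 131 bits; the same twenty characters spelled out of film titles give a small fraction of that, because an attacker guesses titles, not letters.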
LastPass, the rise and fall
When I began to see the need for using unique, randomised passwords, I began looking for a so-called password manager. A friend recommended LastPass, and so I took his advice and started an account with them.
I quickly saw the benefits of LastPass. It could:
- create a totally randomised password for each new account I set up, to extreme levels of complexity
- store username/password/website combinations on the equivalent of a digital note card
- hide all of those notecards behind one 'master password' which I could commit to memory
- auto-fill all this information in-browser or app with one mouse-click
- conveniently store new username/password combinations
Additionally, I discovered that you could also create notes for other kinds of secret information, such as your home Wi-Fi code, banking information, and so on.
LastPass was extremely convenient and had a good reputation at the time. I used it happily for a number of years.
When I became interested in privacy, I began following privacy-related news. A few years ago, I started to hear worrying reports about breaches of LastPass and changes in how they handled securing their (my) data.
These news stories made me aware of the major flaw with using a service like LastPass: by putting all your password eggs in one basket, you really need to be 100% confident in that basket's total security. In the case of LastPass, a centralised company running closed-source software, my only option was to fully trust their security. And so I began investigating alternatives.
Search for better alternatives
I had already spent some time exploring resources for privacy, and kept returning to a couple of websites that had provided reliable and useful information, such as Techlore, The New Oil, and Seth for Privacy's podcast and blog.
From these sources and others, I began to see two recurring recommendations: KeePass and Bitwarden. Both are open source, which seemed like a step in the right direction. Both are 'zero-knowledge' and encrypted.
Bitwarden looked easier to set up and use. KeePass looked dated and not as straightforward to use. Similar to LastPass, Bitwarden had browser auto-fill and password saving features, and could be synced across devices.
But KeePass seemed to have a lot of proponents, so I tried to understand why. I learned that the main feature of KeePass is that the user has to manage the password database. I was learning more about secure cloud services and setting up my own server, and thought I might be able to store my password database myself, thus managing my own passwords totally independently.
KeePass is entirely free to use.
Managing passwords with KeePass
KeePass is open source software that lets you create a password database file (a .kdbx file) encrypted under a master key: a master password, optionally combined with a key file. By running the software yourself, you become the manager of your own information, and don't have to trust a company's security.
Organisationally, KeePass feels similar to LastPass. Each username/password/website combination is stored on a digital note card (an entry) within this one file. Entries are editable; you can add whatever information you want, not just passwords. You could even keep a secret, encrypted diary in KeePass.
The master password is the key, almost literally: KeePass feeds it through a deliberately slow key-derivation function (Argon2 or AES-KDF in current KeePass and KeePassXC) and uses the result to encrypt the whole file. You can store that file anywhere you like: on a private server, on a cloud service you pay for, on a USB stick, even in a mainstream location like Google Drive. As it is encrypted, the password information is not accessible without the master password. The caveat is that wherever the file sits, anyone who copies it can guess at the master password offline, with no lockout and no rate limiting; the only things slowing them down are the length and randomness of that password and the cost of the key-derivation settings. Choose a long, random master passphrase and do not lower the key-derivation settings for speed.
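As an added example (not KeePass's or KeePassXC's own code): a small Python inspector for the plaintext outer header of a KDBX 4 file, the format KeePass 2.x and KeePassXC write. It checks the file signature and the SHA-256 header hash that the format appends (so it also catches a truncated or corrupted file), and reports the cipher and the key-derivation function with its parameters, which is what bounds an offline guesser. The two sample headers are constructed inline so the script runs with no real database; the "weak settings" thresholds and the function names are this example's own choices, not taken from the page or from the KeePass documentation.

```python
import hashlib
import struct
import uuid

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67   # magic at offset 0 of every KDBX file
KDF_NAMES = {uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea").bytes: "AES-KDF",
             uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes: "Argon2d",
             uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6").bytes: "Argon2id"}
CIPHER_NAMES = {uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes: "AES-256-CBC",
                uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a").bytes: "ChaCha20"}
CIPHER_ID, COMPRESSION, MASTER_SEED, ENCRYPTION_IV, KDF_PARAMETERS = 2, 3, 4, 7, 11  # header field IDs
VD_UINT32, VD_UINT64, VD_BOOL, VD_INT32, VD_INT64, VD_STRING, VD_BYTES = 4, 5, 8, 12, 13, 24, 66
VD_FIXED = {VD_UINT32: "<I", VD_UINT64: "<Q", VD_INT32: "<i", VD_INT64: "<q"}


def parse_variant_dict(buf: bytes) -> dict:
    """Decode the VariantDictionary in which KDBX 4 stores the KDF parameters."""
    version = struct.unpack_from("<H", buf, 0)[0]
    if version & 0xFF00 != 0x0100:
        raise ValueError(f"unsupported VariantDictionary version {version:#x}")
    pos, out = 2, {}
    while buf[pos] != 0x00:                       # a zero type byte ends the dictionary
        vtype, nlen = buf[pos], struct.unpack_from("<I", buf, pos + 1)[0]
        name, pos = buf[pos + 5:pos + 5 + nlen].decode("utf-8"), pos + 5 + nlen
        vlen = struct.unpack_from("<I", buf, pos)[0]
        raw, pos = buf[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        if vtype in VD_FIXED:
            out[name] = struct.unpack(VD_FIXED[vtype], raw)[0]
        elif vtype == VD_BOOL:
            out[name] = raw != b"\x00"
        elif vtype == VD_STRING:
            out[name] = raw.decode("utf-8")
        elif vtype == VD_BYTES:
            out[name] = raw
        else:
            raise ValueError(f"unknown variant type {vtype:#x} for {name!r}")
    return out


def parse_kdbx_header(data: bytes) -> dict:
    """Parse the plaintext outer header, check its hash, and summarise the settings."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KeePass 2.x database (bad signature)")
    if version >> 16 != 4:
        raise ValueError(f"KDBX {version >> 16}.{version & 0xFFFF}: only KDBX 4 is handled here")
    pos, fields = 12, {}
    while True:                                   # items: id (1 byte), size (uint32), data
        fid, size = data[pos], struct.unpack_from("<I", data, pos + 1)[0]
        value, pos = data[pos + 5:pos + 5 + size], pos + 5 + size
        if fid == 0:                              # end-of-header marker
            break
        fields[fid] = value
    # KDBX 4 appends SHA-256(header), then HMAC-SHA-256(header). The hash catches
    # truncation or corruption; the HMAC needs the master key, so it is not checked here.
    if hashlib.sha256(data[:pos]).digest() != data[pos:pos + 32]:
        raise ValueError("header hash mismatch: file is corrupt or truncated")
    kdf = parse_variant_dict(fields[KDF_PARAMETERS])
    return {"version": f"{version >> 16}.{version & 0xFFFF}",
            "cipher": CIPHER_NAMES.get(fields[CIPHER_ID], fields[CIPHER_ID].hex()),
            "kdf": KDF_NAMES.get(kdf["$UUID"], kdf["$UUID"].hex()),
            "kdf_params": {k: v for k, v in kdf.items() if k != "$UUID" and not isinstance(v, bytes)}}


def kdf_warnings(info: dict) -> list:
    """Flag settings that let an offline guesser go fast (thresholds are this
    example's own illustration, not KeePass guidance)."""
    p, warn = info["kdf_params"], []
    if info["kdf"].startswith("Argon2"):
        if p.get("M", 0) < 64 << 20:
            warn.append("Argon2 memory below 64 MiB")
        if p.get("I", 0) < 2:
            warn.append("Argon2 iterations below 2")
    elif info["kdf"] == "AES-KDF" and p.get("R", 0) < 1_000_000:
        warn.append("AES-KDF rounds below 1,000,000")
    return warn


def build_sample_header(kdf_items) -> bytes:
    """Constructed KDBX 4.1 header for offline demonstration: no encrypted body follows,
    and the HMAC slot is zero-filled because it cannot be computed without a master key."""
    def field(fid, data):
        return bytes([fid]) + struct.pack("<I", len(data)) + data
    vd = struct.pack("<H", 0x0100) + b"".join(
        bytes([t]) + struct.pack("<I", len(n)) + n.encode() + struct.pack("<I", len(v)) + v
        for t, n, v in kdf_items) + b"\x00"
    header = (struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040001)
              + field(CIPHER_ID, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)
              + field(COMPRESSION, struct.pack("<I", 1))
              + field(MASTER_SEED, b"\x5a" * 32) + field(ENCRYPTION_IV, b"\x3c" * 16)
              + field(KDF_PARAMETERS, vd) + field(0, b"\r\n\r\n"))
    return header + hashlib.sha256(header).digest() + b"\x00" * 32


# Two constructed parameter sets: a sound Argon2d configuration and AES-KDF with far too few rounds.
ARGON2D_SOUND = [(VD_BYTES, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes),
                 (VD_BYTES, "S", b"\x11" * 32), (VD_UINT32, "P", struct.pack("<I", 2)),
                 (VD_UINT64, "M", struct.pack("<Q", 64 << 20)), (VD_UINT64, "I", struct.pack("<Q", 10)),
                 (VD_UINT32, "V", struct.pack("<I", 0x13))]
AESKDF_WEAK = [(VD_BYTES, "$UUID", uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea").bytes),
               (VD_BYTES, "S", b"\x22" * 32), (VD_UINT64, "R", struct.pack("<Q", 6000))]

if __name__ == "__main__":
    for label, items in (("sound", ARGON2D_SOUND), ("weak", AESKDF_WEAK)):
        info = parse_kdbx_header(build_sample_header(items))
        print(label, info["kdf"], info["kdf_params"], kdf_warnings(info) or "ok")
```

To run it against a real vault, pass the first few kilobytes of the file to parse_kdbx_header (the header is small and sits before the ciphertext). The Argon2 "M" value is in bytes and "I" is the iteration count; "R" is the AES-KDF round count. Nothing here needs the master password, which is exactly the point: everything an attacker needs to start guessing is in this plaintext header, so the settings it reports are the settings that protect you.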
To get started, you can download the KeePass software from the main website. A little more reading reveals there are in fact three versions you can download:
- KeePass
- KeePassX
- KeePassXC
I decided on the third, partly because it seems the best fit for people using multiple operating systems, including Linux. (See Documents below for link to detailed comparison.)
After downloading and installing the software, you see a very simple, somewhat dated interface. I found there were plenty of helpful articles that showed me how to migrate all my LastPass information to KeePass, a relatively painless process. I then deleted all my LastPass information and ended the account.
There are browser extensions that work with KeePass (KeePassXC ships its own, KeePassXC-Browser), but I decided to keep it simple. There is an auto-type keyboard shortcut that makes life a little bit easier:
- open the website you want to log into and place the cursor in the empty username field
- open KeePass and select the relevant entry
- press Ctrl+Shift+V (Perform Auto-Type in KeePassXC)
- it asks whether you want to Auto-Type; when you click 'Yes' it types the username, a Tab, the password and Enter into the window you just left. (For websites that ask for the username and password on separate pages, edit the entry's Auto-Type sequence and insert a pause of a second or so between the two, for example {DELAY 1000}.)
I recommend making copies of your database file and updating these copies regularly. I also create new iterations of the database file every couple of months, just in case the current file gets corrupted or I do something irreversible to it by accident. I would memorise the master password, perhaps write it down on paper somewhere, just in case.
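An added example (not the page's or KeePass's own tooling) of the backup routine recommended above, in Python: it refuses to copy anything that does not carry the KDBX signature, copies the database to a timestamped file, verifies the copy hash-for-hash before renaming it into place, writes a .sha256 sidecar so any copy can later be checked for corruption, and keeps only the newest N copies. The paths, the naming scheme and the retention count are assumptions of this example.

```python
import hashlib
import os
import shutil
import time
from pathlib import Path
from typing import Optional

# First 8 bytes of every KeePass 2.x database: 0x9AA2D903, 0xB54BFB67, little-endian.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so a large vault is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_kdbx(path: Path) -> bool:
    """Cheap corruption check: a vault that has lost its signature is not worth copying."""
    with open(path, "rb") as fh:
        return fh.read(8) == KDBX_MAGIC


def backup_database(db: Path, backup_dir: Path, keep: int = 10,
                    now: Optional[float] = None) -> Path:
    """Copy `db` to backup_dir/<name>-<UTC stamp>.kdbx, verify the copy, and keep
    only the newest `keep` copies. `now` exists so a test can fix the timestamp."""
    if not looks_like_kdbx(db):
        raise ValueError(f"{db} does not start with the KDBX signature; refusing to back it up")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    dest = backup_dir / f"{db.stem}-{stamp}{db.suffix}"
    part = backup_dir / (dest.name + ".part")
    shutil.copyfile(db, part)
    if sha256_file(part) != sha256_file(db):
        part.unlink()
        raise IOError("backup copy does not match the source; disk or sync trouble?")
    os.replace(part, dest)  # atomic rename: a crash never leaves a half-written .kdbx
    (backup_dir / (dest.name + ".sha256")).write_text(f"{sha256_file(dest)}  {dest.name}\n")
    prune_backups(backup_dir, db.stem, db.suffix, keep)
    return dest


def prune_backups(backup_dir: Path, stem: str, suffix: str, keep: int) -> list:
    """Delete all but the newest `keep` backups (timestamp names sort chronologically)."""
    backups = sorted(backup_dir.glob(f"{stem}-*{suffix}"))
    removed = backups[:-keep] if keep > 0 else backups
    for old in removed:
        old.unlink()
        sidecar = backup_dir / (old.name + ".sha256")
        if sidecar.exists():
            sidecar.unlink()
    return removed


def verify_backups(backup_dir: Path, stem: str, suffix: str = ".kdbx") -> dict:
    """Recompute every backup's hash and compare it with the recorded sidecar."""
    results = {}
    for backup in sorted(backup_dir.glob(f"{stem}-*{suffix}")):
        sidecar = backup_dir / (backup.name + ".sha256")
        recorded = sidecar.read_text().split()[0] if sidecar.exists() else None
        results[backup.name] = looks_like_kdbx(backup) and sha256_file(backup) == recorded
    return results


if __name__ == "__main__":
    vault = Path.home() / "Passwords.kdbx"          # assumed location, adjust to taste
    print("backed up to", backup_database(vault, Path.home() / "kdbx-backups"))
    print(verify_backups(Path.home() / "kdbx-backups", vault.stem))
```

Run it from a scheduled task and keep at least one of the backup locations offline (a USB stick, as the text suggests); a sync service will happily replicate a corrupted or ransomware-encrypted vault over every copy it holds, and only the hash sidecars will tell you which copy is still good.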
If you store the file on a server or cloud service, then you can access your passwords from any location, using any operating system. You can download KeePass for your smartphone, including phones running on custom ROMs. It takes a little getting used to, and never reaches the level of convenience I experienced with LastPass, but it works.
If you do not want to manage your own password database, then I recommend trying Bitwarden. I learned much later it is also possible to self-host Bitwarden.
Only you have the master password and your database. If you lose either, you lose everything.
The auto-fill keyboard shortcut mostly works, but occasionally 'misfires'. You then wonder where you've sent that information off to.
Repeatedly activating KeePass, typing in your master password, finding the right entry...all of that can feel a bit tedious and repetitive.
The dated interface could be off-putting. But the simplicity of the software makes it feel fast and powerful.
KeePass was recently in the news for a security weakness. I hope that is fixed now.
I continue using KeePass.
I don't recommend KeePass to family, friends, my kids. I recommend Bitwarden instead. They are not as willing to deal with minor obstacles to preserve privacy as I am, and I don't want to discourage them. Last year, I helped migrate my own family members' LastPass accounts to KeePass, and then helped delete all those accounts.
Documents
Yes, It's Time to Ditch LastPass (Wired, Dec. 2022)
The New Oil on Password Managers
Seth for Privacy, "Use a password manager"
What's the difference between KeePass / KeePassX / KeePassXC?
KeePass exploit helps retrieve cleartext master password, fix coming soon (BleepingComputer, May 2023)