KeePass is, by far, the most popular password safe for Windows. With Keepass2Android, you can sync your KeePass database with Dropbox, OneDrive, and Google Drive and access your passwords on your Android phone.
Latest posts by Michael Pietroforte (see all)

Password safe in the cloud?

You might ask, “Isn’t it a bit risky to store your password safe in the cloud?” The short answer is “Yes.” The long answer is “Yes indeed!” So why would the security-minded admin want to sync KeePass to the cloud? Well, sometimes you have to take risks if you want to improve your productivity. More and more of the services I use on Windows I also need on Android, and vice versa. Because I currently have 100+ different passwords for different services, no other convenient way exists to manage my passwords. I also like that I can always bring my passwords with me and easily access them everywhere in an emergency. (Another solution I am currently considering is the use of a master password tool. I will cover this topic in my next post.)

Keepass2Android

You can take a few security measures to reduce the risk. A very secure master password is one. Another is to use a key file for your KeePass database. Of course, this only makes sense if you don’t store the key file on your cloud drive; you have to copy it manually to your phone. Another option, one that Keepass2Android supports, is to store the key file on a second cloud drive for which you (I hope) use a different password.

If someone manages to download your KeePass database from your cloud drive, they would still need the key file from the second cloud drive and your master password. This doesn’t completely eliminate the risk because KeePass could contain security holes that an attacker might be able to exploit, but you have to draw the line that separates security awareness from paranoia somewhere.

Sync KeePass to Dropbox

I have been using KeePassDroid, the most popular KeePass-compatible Android app (according to the Google Play statistics), for quite a while. I recently moved to Keepass2Android, mostly because it allows me to sync the KeePass database with my cloud drive more conveniently. Keepass2Android supports Dropbox, OneDrive, Google Drive, SFTP (SSH file transfer), FTP, HTTP (WebDAV), and HTTPS (WebDAV). In addition, you can load the KeePass database from a third-party Android app. Of course, you can also store database files locally on your phone. In this case, you might prefer Keepass2Android Offline, which doesn’t support cloud syncing.

Supported cloud drives

I always feel somewhat queasy when I allow an Android app to access Dropbox. It is not just that you have to trust the developer of the app. The app might contain vulnerabilities that another app could exploit. Keepass2Android has a nice feature that can ease your queasiness a little. You can restrict the password safe app to just one folder on your Dropbox where you store your KeePass database. This feature isn’t available for the other cloud drives.

Merge KeePass database

After you give Keepass2Android access to your cloud drive, you can browse your folders for the KeePass database. How is this different from just opening the database from your cloud drive app with KeePassDroid? The main point here is that Keepass2Android will always get the latest version of the database from the cloud when you open the app. Of course, this is only possible if you are online. If not, Keepass2Android will get the database from its cache. If you want to open the latest KeePass database in KeePassDroid, you first have to navigate to the database file in the cloud drive app.

Another difference is that Keepass2Android automatically uploads changes in the database to the cloud drive. This can cause syncing problems if you changed the KeePass database under Windows. Before Keepass2Android saves the database to the cloud, it first checks if the database has been modified and, if it detects changes, it asks if you want to merge the two databases. Because KeePass has a similar feature, you can, in theory, use the KeePass database from two different devices simultaneously. In practice, this can mean that you lose changes if you edit the same entry on both devices before the databases are synced.

Merge KeePass database changes
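
The two-device scenario described above, as an added sketch that is not Keepass2Android's or KeePass's own code. It assumes an entry-level merge in which the more recently modified version of an entry wins and the losing version is kept in that entry's history; the `Entry` class, the integer timestamps and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    password: str
    modified: int                                 # last-modification time (constructed clock)
    history: list = field(default_factory=list)   # (modified, password) of older versions

def merge(local, remote, last_sync):
    """Merge two copies of a database entry by entry.

    Assumed rule: the version with the newer modification time wins. If both
    copies changed after last_sync, the losing version goes into the winner's
    history and the entry is reported so the user can review it.
    """
    merged, conflicts = {}, []
    for uuid in sorted(local.keys() | remote.keys()):
        a, b = local.get(uuid), remote.get(uuid)
        if a is None or b is None:                # entry exists on one device only
            merged[uuid] = a if a is not None else b
            continue
        winner, loser = (a, b) if a.modified >= b.modified else (b, a)
        history = list(winner.history)
        if loser.modified > last_sync and loser.password != winner.password:
            conflicts.append(uuid)                # edited on both devices since last sync
            history.append((loser.modified, loser.password))
        merged[uuid] = Entry(winner.password, winner.modified, history)
    return merged, conflicts

def demo():
    # Constructed sample: both copies were last in sync at time 100.
    last_sync = 100
    windows = {"mail": Entry("mail-win", 110), "bank": Entry("bank-win", 120)}
    android = {"mail": Entry("mail-old", 100), "bank": Entry("bank-android", 130),
               "vpn": Entry("vpn-new", 125)}
    return merge(windows, android, last_sync)

if __name__ == "__main__":
    merged, conflicts = demo()
    for uuid, entry in merged.items():
        print(uuid, entry.password, entry.history)
    print("edited on both devices:", conflicts)
```

Edits to different entries merge without loss; the entry changed on both devices ends up with only the newer password as its current value, so the older edit has to be recovered from the entry's history.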

It therefore makes sense to ensure that changes to the KeePass database are automatically saved. In Keepass2Android, this is the default setting. In KeePass, you can work with triggers to enable auto-save. First, you have to copy this XML file to your Windows clipboard. Then, you open the Triggers dialog window from the KeePass Tools menu. On the Triggers window, you have to click Tools and then Paste Triggers from Clipboard.

Auto-save for KeePass

Auto-type

Keepass2Android has a few other noteworthy features. If you have previously used a password safe app on Android, you’ll have noticed that it is not as convenient to use as under Windows. The auto-type function of KeePass allows you to automatically send username and password as simulated key presses to the dialog window of the application that requires authentication.

KeePass can identify the application window by its title. This way, you can enter username and password just by hitting the auto-type hot key. The common way in Android is to add username and password to the notification bar, where you can copy one after the other to the clipboard and then paste into the application. This means you have to switch back and forth between the app and the password manager several times.

Keepass2Android also supports the clipboard method but you can avoid this cumbersome procedure if you use the app’s keyboard. After you tap the KP2A key on the Keepass2Android keyboard, the password manager opens a dialog window. You can then either open Keepass2Android to select an entry or let the password tool search for the app that wants you to enter your credentials.

Keepass2Android keyboard and auto-type

After you find the right account entry, a KP2A bar appears below the authentication window with keys for the user and the password. This is not as convenient as with KeePass under Windows, but it is better than KeePassDroid’s solution and offers some protection from key loggers. Unlike KeePass, Keepass2Android cannot identify websites in browser apps. I guess this is not possible in Android because the URL doesn’t appear in the title bar of the browser app.

QuickUnlock

Another noteworthy feature is QuickUnlock. Keepass2Android locks the database after a configurable timeout period, and you have to enter your master password again if you need the credentials of another account. If you enable QuickUnlock, you can just enter a configurable number of characters from the end of the master password. The default setting is three characters, which is a bit short for my taste.

Note that QuickUnlock is only available after you have unlocked the database with the complete master password when you first launch Keepass2Android. The app will remind you that QuickUnlock is enabled in the ongoing bar. Once you have closed the database manually, you will have to enter the complete password to open it again. Also note that changing the keyword length for QuickUnlock only takes effect after you have closed and reopened the database.

Quick Unlock

Keepass2Android has a few features and settings I didn’t cover in this review. Check out this comparison table between Keepass2Android and KeePassDroid for additional differences.

What’s your favorite password manager? Do you store your password safe in the cloud?

In my next post, I will discuss a password management solution that doesn’t require you to save passwords in a database and, therefore, also frees you from syncing your password safe.

10 Comments
  1. Scott 7 years ago

    We use KeePass at work, LastPass for everything else, I'd be keen to see a review of the LastPass VM for enterprise, never seen that done yet. KeePass seems to be a locked xls spreadsheet, many more tools in LastPass, and it just works!

  2. Scott, what do you mean with "locked xls"? LastPass isn't free, right? And it seems their Android version doesn't support cloud drive syncing. Another advantage of KeePass is that the database format is open. This is why apps such as KeePassDroid and Keepass2Android can compete on the Android platform. This gives you more choices.

  3. Scott 7 years ago

    Hi, KeePass for a team has read write for the first person who goes in, and everyone else read; if you have to add an entry, the shout goes up around the office: who has it locked? That and its format is a little like xls. It's one step up from a password protected spreadsheet with proper security. LastPass isn't free, no, not for its mobile devices; it's free for everything every day, but if you want to support it and use it on the phones for auto fill etc., $1 a month, not a bad price. Cloud drive syncing? It's all cloud, add an entry anywhere, phone, computer etc., it's all replicated. Have a try, I did use KeePass for a few years, but haven't looked back since LastPass. Can't wait till SQLR comes in though and all these passwords are redundant.

  4. Well, isn't every relational database just a spreadsheet? With password protected you mean AES, Rijndael and Twofish encryption?

    But you are right, KeePass is not really a password management solution for teams. If I needed an enterprise password management solution, I would have a look at Secret Server. The feature list of LastPass Enterprise looks nice, too. But this is really a totally different application type.

    For personal use, I prefer to store my passwords on the servers of a well-known company such as Microsoft or Dropbox and not on a relatively small company with limited security resources. But I guess this is a matter of taste. You could also say that LastPass has more to lose if their servers get hacked. They would probably be dead then.

  5. Scott 7 years ago

    Secret Server, thanks, I'll have a look at that, may be better than TPAM which the company is using over LastPass. The LastPass db is a blob, decrypted locally, so a compromise at LastPass servers wouldn't reveal anything, they hold nothing but an encrypted blob. Check out the Security Now podcast for a close look at it. The other features, the security check and the scan for emails recently compromised, are also nice; now you can also set it up to automatically renew a site's password periodically, which is interesting.

  6. Milan 7 years ago

    Another good password management solution for teams is Pleasant Password Server; it uses its own version of KeePass which connects to the server.

  7. Scott, if their servers get hacked, they are dead anyway. The reasoning goes that if they can't protect their servers, their password tool might also not be safe. Just because something is encrypted doesn't mean that it can't be cracked. Look at TrueCrypt.

    Milan, that's interesting. I didn't know of Pleasant Password Server. That's the advantage of an open format. It allows others to offer their own solutions. In this case it also improves security because more developers are looking at the code.

  8. Graham 7 years ago

    Hi, the KeePass2Android doco states that if a sync collision occurs the last version wins, and then the penultimate version is saved in KeePass history. So no data is lost.

    Having said that, I only update on one device.

  9. Yes, to be on the safe side, you better only update on one device. If you update without Internet connection, you might indeed lose some data.

  10. Animesh Nagar 6 years ago

    Hello Sir,
    I have accidentally forgotten the master password of my keepass2android and thus, I am unable to open the database.
    But I do remember the last 4 digits of my master key.
    Is there any way I can get to open the database.
    I have some very important emails and passwords stored in there...
    Expecting a fast and positive reply...
    Thank you.

© 4sysops 2006 - 2021
