Help

Composite Master Key


This document details how KeePass locks its databases.

KeePass stores your passwords securely in an encrypted file (database). This database is locked with a master password, a key file and/or the current Windows account details. To open a database, all key sources (password, key file, ...) are required. Together, these key sources form the Composite Master Key.

KeePass does not support keys being used alternatively, i.e. it's not possible that you can open your database using a password or a key file. Either use a password, a key file, or both at once (both required), but not interchangeably.


Info  Master Passwords

If you use a master password, you only have to remember one password or passphrase (which should be good!). KeePass has some basic protection against brute-force and dictionary attacks, read the security information page for more about this.

If you forget this master password, all your other passwords in the database are lost, too. There isn't any backdoor or a key which can open all databases. There is no way of recovering your passwords.


Info  Key Files

You don't even have to remember a long, complicated master passphrase. The database can alternatively be locked using a key file.

If you lose the key file and have no backup copy of it, your passwords in the database are lost, too. It's just the same as forgetting the master password. There is no backdoor.



Info  Windows User Account


KeePass can make the database dependent on the current Windows user account. If you enable this option, you can only open the database when you are logged in as the same Windows user when creating the database.

You can still change the password of the Windows user account freely. This does not affect the KeePass database.

Be very careful with using this option. If your network breaks and all user accounts are lost, you won't be able to open your KeePass database any more either. Also, when using this option at home and your computer breaks, it is not enough to just create a new Windows account on the new installation with the same name and password; you need to copy the complete account (i.e. SID, ...). This is not a simple task, so if you don't know how to do this, it is highly recommended that you don't enable this option.

If you decide to use this option, it is highly recommended not to rely on it exclusively, but to additionally use one of the other two options (password or key file).

Protection using user accounts is unsupported on Windows 98 / ME.