KeePass   KeePass Help Center Home KeePass Home | Package Downloads | Flag Translations | Blocks Plugins | Donate Donate  
Home Help Center Home | People Forums | Award Awards | Link Links | Search Search  


Additional FAQ

Additional frequently asked questions.

This page answers more questions that are not listed on the Technical FAQ and the Administrative FAQ pages. You might first want to read the standard FAQ pages.

Help  What do the 2.x installation options/components mean in detail?

  • Core KeePass Application Files.
    This installs the files that are absolutely required to run KeePass. The option cannot be disabled.

  • Help Manual.
    This installs a copy of the product documentation that was up-to-date when the KeePass version was released. By default, KeePass shows the product documentation available in the online help center (which is always up-to-date). If a local copy of the product documentation is installed, users can choose to use this instead of the online one (which is useful e.g. when no Internet connection is available) in 'Help' -> 'Help Source'.

  • Native Support Library (KeePass 1.x).
    This library is required for importing/exporting KDB files (created by KeePass 1.x). Furthermore, the library provides native functions for computing key transformations (which are performed for a protection against dictionary attacks); computing them natively is usually a bit faster than computing them using managed code. It is recommended to install this library.

  • XSL Stylesheets for KDBX XML Files.
    KeePass can export databases by applying XSL stylesheet transformations onto the inner XML format of KDBX files. Using this, you can e.g. generate various HTML files (detailed lists, compact tabular lists, ...) or a text file containing only the passwords. This is a feature for experts and is not required for standard KeePass use.

  • Optimize KeePass Performance.
    If this option is enabled, NGen is used to generate a native image of the KeePass assembly. When such a native image is available, KeePass starts and runs faster. Only few additional hard disk space is required (about the size of KeePass.exe) and this does not negatively affect the computer's performance (KeePass is not running in the background all the time, and the option does not make KeePass start automatically at system start-up). Security is unaffected.

  • Optimize KeePass On-Demand Start-Up Performance.
    If this option is enabled, KeePass is started and immediately terminated when the system is started. On Windows XP and earlier, this reduces the on-demand start-up time of KeePass (because all required .NET framework assemblies have been loaded once already). On Windows Vista and higher, it has almost no effect. As KeePass terminates immediately, no memory is blocked.

Help  What is ShInstUtil.exe?

ShInstUtil is a small helper application used by KeePass 2.x during installation and uninstallation.

The tool checks whether .NET is installed. Furthermore, if the user selects the options in the setup program, the tool optimizes the KeePass performance using NGen and/or registers for loading at start-up.

The source code of ShInstUtil can be found in the KeePass source code package.

Help  How to create a global hot-key?

KeePass supports many useful command line options, e.g. to open a specific database, open an entry's URL, lock the KeePass workspace or exit KeePass. If you frequently use such a function, you might want to create global (system-wide) hot-key for it.

In order to create a global hot-key for running KeePass with specific command line options, follow these steps:

  1. In Windows Explorer, navigate to the KeePass application directory, right-click on KeePass.exe and click 'Create Shortcut'.
  2. Rename the shortcut to indicate its function (for example, if the shortcut will lock the KeePass workspace, you could rename it to 'Lock KeePass').
  3. Move the new shortcut either onto the desktop or into a folder of the start menu (using drag&drop).
  4. Right-click on the shortcut, click 'Properties' and switch to the 'Shortcut' tab.
  5. In the field 'Target', append a space and the command line options of your choice.
  6. In the field 'Shortcut key', specify the global hot-key that you wish to use.
  7. Click [OK].

When you now press the global hot-key, Windows runs KeePass using the specified command line options.

Example. In order to create a global hot-key for locking the KeePass workspace, in step 2 rename the shortcut to 'Lock KeePass' and in step 5 append a space and '--lock-all' (without the single quotes).

A complete list of all supported command line options can be found on the Command Line Options help page.

Help  How to change the GUI font size?

KeePass uses the default GUI font that has been specified in the operating system settings. So, if you want to change the font (especially the size of the font) that KeePass and other applications are using, simply change it globally.

On Windows 7 and higher, the font size can be changed in Control Panel -> 'Display'.

Help  Can auto-type answer security questions?

Some websites require users to answer a randomly chosen security question as part of the login. The number of possible questions is usually limited and the correct answers are specified by the user at registration time (e.g. the user's first pet name, favorite color, ...).

In order to automate such logins using auto-type, create an auto-type window/sequence association for each security question, where the keystroke sequence is something like


Here, TheQuestion should identify the question being asked, and TheAnswer should be the correct answer. The sequence types the user name, presses Tab, types the password, presses Tab, types the answer to the security question and presses Enter; this can of course be customized.

When pressing the global auto-type hot key, KeePass displays a dialog to choose one of the sequences. Click the item matching the question being asked (you can identify the item by looking at the comment {C:TheQuestion}) and KeePass fills out and submits the login form (including the answer to the security question).

Help  How can auto-type send other special keys?

For most frequently used special keys (like Tab, Enter, Arrow Up, ...) there exist explicit special key codes (like {TAB}, {ENTER}, {UP}, ...). A list of these explicit special key codes can be found on the Auto-Type page.

However, there are many more special keys, which are less frequently used. These can be sent using the {VKEY X} special key code, which sends the virtual key with value X. For a list of all virtual key codes, please see MSDN: Virtual Key Codes.

{VKEY X} uses the standard value for the extended key bit (depending on the virtual key code). In KeePass 2.x, you can override this: {VKEY-NX X} sends the non-extended virtual key X, and {VKEY-EX X} sends the extended virtual key X. If possible, please use {VKEY X}, not {VKEY-NX X} or {VKEY-EX X}.

The following table lists a few special keys and their corresponding special key codes.

Special KeyCode
Right Control{VKEY 163}
Numeric Keypad Enter{VKEY-EX 13}
Computer Sleep{VKEY 95}

Help  What to do if the input focus is lost when switching between windows?

When an input control in a browser window has the focus and the user switches to a different window and afterwards back to the browser, the browser typically redirects the focus to the input control again. In other words, when switching between windows, browsers usually restore the input focus exactly to where it was before leaving the window.

However, rarely there are websites with buggy scripts that make the input control lose the focus (i.e. when switching back to the browser, the input focus is not where it was before). This can be a problem for auto-type if windows are switched during the auto-type process (e.g. when multiple matching auto-type sequences/entries exist and KeePass shows the selection dialog to pick one).


  • Prevent switching.
    Make sure that only one auto-type sequence/entry matches and use the global auto-type hot key. In this case, no window switching occurs during the auto-type process and thus the input focus loss is not a problem. Of course this approach is only a solution if you only have one account for the website.

  • Adjust sequence.
    Try to find out the exact behavior and adjust the auto-type sequence accordingly. In some cases, the input focus is set to a different control (which might be invisible, thus looking as if the focus was lost completely). You can try to find out how many times {TAB} needs to be pressed to move the input focus to the correct control again. Note this approach is rather volatile, because controls/links might be added on the website in the future, which can break your auto-type sequence.

  • Plugin.
    Use one of the integration plugins. Most integration plugins use different data transfer methods that are not affected by the focus loss problem.

Help  Can auto-type work together with PhraseExpress?

PhraseExpress by default intercepts Tab and Enter keypresses. This makes KeePass' auto-type fail; Tab and Enter keypresses do not reach the target application.

In order to make the Tab and Enter keys work correctly, in PhraseExpress go 'Tools' -> 'Settings' -> node 'Expert Options', deactivate the option 'Route Enter and Tab-key through PhraseExpress', and click [OK].

Help  Can some entries be marked as favorites?

KeePass 1.x Only

KeePass 2.x Only
Yes, by using a tag. Select the favorite entries, right-click on them -> 'Selected Entries' -> 'Add Tag' -> 'New Tag', and enter e.g. 'Favorite'. In order to show all entries having the tag 'Favorite', click the three-keys toolbar button (right of the magnifier toolbar button) and choose 'Tag: Favorite'. Alternatively, this command is also accessible via the main menu: 'Edit' -> 'Show Entries by Tag' -> 'Favorite'.

If you wish all entries with the 'Favorite' tag to be displayed when opening a database, you can create a trigger for this: go 'Tools' -> 'Triggers' -> add a new trigger -> enter a name like 'Show favorites when opening a database', add an event 'Opened database file', and add an action 'Show entries by tag' with the parameter 'Tag' set to 'Favorite'.

Help  Why can't KeePass open URLs like ''?

When e.g. entering '' into the URL field of an entry and trying to open this URL, KeePass shows an error message that the system cannot find the specified file.

The reason for this is that '' is not a complete URL. An URL consists of a protocol identifier (scheme name), a colon and slashes, a host (domain name or IP address), optionally a port number, and the full path to the file. KeePass passes the contents of the URL field to the system shell. The system shell doesn't know how to interpret ''; it could be a local file or specify a host (in this case it's furthermore unclear which protocol to use to connect to the host).

The solution is to complete the URL, e.g. enter '' instead.

Browsers typically assume HTTP when not specifying a protocol. However, KeePass cannot make such an assumption, because its URL field is more flexible: by passing the contents of the URL field to the system shell, KeePass can open/run local files, UNC paths, all kinds of URLs, etc.; additionally, placeholders (like environment variables, entry field references, ...) can be used. For example, without specifying a protocol '' runs the WinSCP command line executable, not the web page

Help  How does 'Delete Duplicate Entries' work exactly?

When running the 'Delete Duplicate Entries' command (in 'Tools' -> 'Database Tools'), KeePass compares all entries in the currently opened database with each other and deletes any duplicates.

Entries are considered to be equal when their strings (standard and custom string fields) and attachments are the same. All other data is ignored.

If one of two equal entries is in the recycle bin, it is deleted preferably; otherwise the decision is based on the last modification time.

Help  How can KeePass mount network drives?

Create a new KeePass entry and set its user name and password fields to the credentials for the network share. Set its URL field to something like the following:

cmd://Net Use Z: \\Server\Path {PASSWORD} /User:{USERNAME}

When double-clicking the entry's URL cell in the entry list of the main window, KeePass replaces the {USERNAME} and {PASSWORD} placeholders and mounts the network share identified by the UNC path \\Server\Path to the drive Z:.

Help  How to send data over StdIn?

In order to run an application 'C:\MyProgram.exe' and send a string 'DATA' to its standard input stream (StdIn), set the URL field of an entry to the following:

cmd://cmd.exe /C echo DATA|C:\MyProgram.exe

When executing the URL field (e.g. by double-clicking its cell in the entry list of the main window), KeePass runs the cmd.exe interpreter (part of Windows), which runs 'C:\MyProgram.exe' and sends 'DATA' to its StdIn stream.

Help  Can the password generator be used stand-alone?

KeePass 1.x Only
Yes. Go 'Tools' -> 'Password Generator' (this is available even when no database is opened).

KeePass 2.x Only
Yes. Go 'Tools' -> 'Generate Password' (this is available even when no database is opened). To generate passwords, click the 'Generate' tab (or the 'Preview' tab when a database is opened).

Help  Is storing the database file in a public place a security problem?

A KeePass database is a regular file, which users can store wherever they want. KeePass does not require Internet/cloud access. Anyway, some users prefer to store their database file in a public place (such as a shared network drive, a webserver, a cloud storage like e.g. Dropbox, ...), in order to always have access to their database whenever an Internet connection is available.

If you use a strong master key, storing the database file in a public place is not a problem.

When opening a database file, KeePass loads the complete database file (in encrypted form) into its process memory and decrypts it there. All work (like editing an entry, creating a group, etc.) is performed with the data in process memory. When the 'Save' command is invoked, KeePass encrypts the data and sends the encrypted data to disk/server. This means that your data is transferred and stored only in encrypted form; the disk/server and network never see your unencrypted data.

Help  Does KeePass support one-time passwords?

KeePass 1.x Only

KeePass 2.x Only
Yes. KeePass 2.x supports both generation and consumption of one-time passwords.
  • Generation.
    • KeePass can generate HMAC-based one-time passwords (HOTPs) as specified in RFC 4226; see the {HMACOTP} placeholder.
    • There exist various plugins for generating time-based one-time passwords (TOTPs); see the plugins page.
  • Consumption.
    Your KeePass database can be protected such that one-time passwords are required to open it; see the OtpKeyProv plugin.

Help  Why is the clipboard not cleared after the specified time?

KeePass (both 1.x and 2.x) has an option to clear the clipboard after a specified time.

Own Content. The clipboard is only cleared if it still contains the last data copied by KeePass.

For example, let the clearing delay be 30 seconds. When you copy a password to the clipboard, the countdown begins. If you copy something else to the clipboard before the 30 seconds have elapsed, KeePass will not clear the clipboard, because the password has been overwritten anyway.

Interfering Applications. On all modern operating systems (Windows, Linux, ...), the clipboard is designed to be accessible by all applications. Other applications may save the clipboard contents and prevent the clipboard from being cleared.

  • Klipper. If you're using Klipper (clipboard manager for KDE), this tool might prevent the clipboard from being cleared. You can disable this (i.e. allow clearing) by clicking the Klipper tray icon -> 'Configure Klipper' -> deactivate 'Prevent empty clipboard'. In this dialog, you furthermore might want to deactivate 'Save clipboard contents on exit' and reduce 'Clipboard history size' to 1, in order to prevent any sensitive data (e.g. passwords) from being saved.

  • Parcellite. You can disable history saving by right-clicking the Parcellite tray icon -> 'Preferences' -> deactivate 'Save history'.

Help  Can I create a database without a master key?

All KeePass databases are encrypted; a master key is mandatory.

If you don't want to enter a master key during opening a database, there are various alternatives to achieve this:

  • If the database is protected using a master password only, create a batch file or shortcut to KeePass.exe, specifying the database path and the master password as command line options. Once such a batch file or shortcut has been created, double-clicking it is sufficient to open the database; the master key dialog doesn't appear.

  • By default, KeePass remembers the location of key files. You could make your database being protected using a key file only. It then is sufficient to simply click the [OK] button in the master key dialog (as the key file location has been remembered and is preselected).

Help  Would client-server login behaviors increase security?

Most login behaviors known from client-server systems would not increase the security of KeePass. When an attacker gets a copy of your database file (which is reasonable to assume, especially due to the trend towards cloud storage), most client-server login behaviors can be circumvented by an attacker by writing an own program that simply does not perform these behaviors.


  • Artificial delays.
    When entering an incorrect password, some systems artificially delay the key verification in order to slow down an attacker trying to guess the password. Implementing this in KeePass would be useless, because an attacker can write an own program that does not perform these delays.

  • Self-destruct / Permanent block (with stronger key).
    After entering several incorrect passwords, some systems destroy themselves or require a stronger key for unlocking (known especially from mobile phones). Implementing this in KeePass would be useless, because an attacker can write an own program that does not perform the self-destruct or permanent block.

Instead of such behaviors, users should use a strong master key and use the protections offered by KeePass (relying on cryptography), which in contrast to the above behaviors cannot be circumvented easily. For example, by specifying a high number of master key transformation rounds, the key derivation requires more computations (more time) and thus reduces an attacker's capability to guess the master password; see Protection against Dictionary Attacks for details.

Help  Shouldn't password generation profiles be stored in the database?

The password generation profiles must be stored independent of any database, such that they are always available (for all databases, and in the case when no database is opened).

You should always assume that an attacker knows the profile that was used for generating a password. For example, profiles are often specified by the website that the password is for, and thus the profile is public.

Trying to keep the profile secret would be security by obscurity, i.e. would be ineffective. Security comes from picking a random password from the space of passwords fulfilling the public constraints. You should always use a profile that restricts passwords as few as possible.

Help  Why save/sync fails with a temporary Internet files error?

Symptoms. When trying to save/sync a database file opened from a mobile device or server, an error message is shown that the access to a path is denied and the path looks like

C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABCDEFGH\Database.kdb(x)

Cause. The mobile device / server does not allow direct access to the file. Windows downloads the file into the temporary Internet files directory and lets KeePass open this local copy. However, Windows cannot copy modified versions of the local file back to the mobile device / server and thus prevents write access to the local file (and therefore KeePass shows that access to the file has been denied).


  • Find a way to open the file of the mobile device / server regularly, i.e. using a standard path (consisting of a drive letter, ":\", path, database file name). There might be drivers coming with the mobile device / service that provide this. With such a driver, all applications (including KeePass) can open and save files normally.

  • Alternatively, store your database in a cloud storage service. For example, for almost all mobile devices there is Dropbox available; opening and saving databases from/to Dropbox usually works well. If your database master key is strong, storing the database in the cloud is not a security problem.

Help  Where are Windows favorites exported to?

KeePass 2.x supports two export formats "Windows Favorites (Folder 'KeePass')" and "Windows Favorites (Root Directory)".

For both formats the export destination is determined already by the type, thus the 'Export to' field is disabled.

The first format creates a folder 'KeePass' within the root directory of your Windows favorites, and creates groups and entry links in this folder. In contrast, the second format creates groups and entry links directly in the root directory of your Windows favorites.

If you want to try out these exports, it is recommended to try the 'KeePass' folder format first (because if you don't like it, you can simply delete the 'KeePass' folder).

In Internet Explorer, the favorites are shown in the 'Favorites' menu.

Help  How to avoid storing credentials in triggers unencryptedly?

For some trigger actions, credentials can be specified as parameters (e.g. the 'Open database file' trigger action optionally allows to specify the master password for the database file to be opened using the 'Password' parameter). Trigger parameters are stored unencryptedly in the configuration file, because KeePass doesn't have any key to encrypt them (the user enters the master key for a database; there is no key for the whole application).

When the trigger runs, often there currently is a database file opened. In this case, instead of storing credentials directly in the trigger parameters, you can store them in the opened database and reference them in the trigger parameters using field references.

For example, assume that you wish to automatically open a file B.kdbx after opening a file A.kdbx. You can store the master password for B.kdbx in the password field of an entry with title 'B.kdbx Info' in the A.kdbx file. Then, create a trigger for the event 'Opened database file' with the file/URL containing 'A.kdbx', and add an action 'Open database file' for B.kdbx with the 'Password' parameter being set to '{REF:P@T:B.kdbx Info}'. When the trigger runs, KeePass automatically retrieves the master password for B.kdbx from the entry in A.kdbx; only the reference is stored in the configuration file.

Valid XHTML 1.0 Transitional Document

Get KeePass

Flattr this

KeePass is OSI Certified Open Source Software
Copyright © 2003-2015
Dominik Reichl, [Legal Contact / Imprint] [Disclaimer] [Acknowledgements] [Donate], Downloads hosted at

Get KeePass Password Safe at Fast, secure and Free Open Source software downloads