KeePass 2.35 password manager released

KeePass 2.35 has just been released; the latest version of the popular desktop password manager for Windows ships with a new file format and Argon2 support among other things.

KeePass is my password manager of choice, and at least some regulars here on Ghacks are using it as well instead of other password managers.

What I like in particular about it is that it is a local password manager that you can extend if you want to. There are plugins to integrate better in browsers, to sync between devices, and for a lot of other things that some users may like but others don’t require.

KeePass was audited recently as well — version 1.x only however — and nothing critical in terms of vulnerabilities were found in the password manager.

KeePass 2.35

keepass 2.35

While you can run an update check in the program itself — it will check for updates automatically as well — you will have to download the latest version of KeePass from the official project site as automatic updates are not supported.

Just head over to the downloads page on the KeePass website to download the latest version. The software is as usually offered as an installer and a portable version.

Installation should not pose any issues at all, nothing seems to have changed in the installer. Your old password database files will load just fine in the latest version of KeePass, so nothing changed in this regard as well.

Changes in KeePass 2.35

KeePass 2.35 ships with a new file format, KDBX 4, which offers improvements over previous versions and new capabilities. We talked about the benefits in a previous article already, so only the basics this time.

KDBX 4 supports ARgon2 key derivation. The function won the password hashing competition recently. The main advantage of it over the function used previously is that it offers better resistance against GPU/ASIC attacks.

keepass argon2

KeePass users can choose between AES-KDF (the default used in KeePass 2.34 and earlier) and Argon2 in the database settings:

  1. Select File > Database Settings.
  2. Switch to Security.
  3. Select one of the support key derivation functions under Key transformation.

Other improves in the new KeePass 2.35 include:

  • Header and data authentication has improved.
  • KeePass header is extensible by plugins (KDBX 4 only).
  • Added ChaCha20 encryption algorithm. Used for password generation now.
  • Support for opening items in Firefox’s and Opera’s private browsing mode. Also, URL override suggestions, and built-in global URL overrides for the private browsing modes of the two browsers.

keepass open

  • Option to show entries that are about to expire, and change the value of expire:soon from the default 7 days.
  • Remember key sources will also remember if a master password has been used.
  • Added force change master password option to File > Database Settings > Advanced.

keepass master key

  • Support for various new password format imports.
  • Plugins can store custom data in groups and entries.
  • Plugin data can now be inspected in the database maintenance dialog. You may also delete it there.
  • Improved auto-type support. Global auto-types works with empty window titles now.
  • The MSI file does not require a specific Microsoft .NET Framework version anymore.

You can access the full list of changes of KeePass 2.35 on the official website.

Closing Words

KeePass 2.35 improves the password manager in several meaningful ways. The new database file format supports new features and a new key derivation function. There is also a new encryption algorithm, and plugins are bound to become more powerful with the extra features they can now utilize.

The upgrade to KeePass 2.35 from previous versions worked fine on two test systems I ran the upgrade on. Everything worked just like before after the upgrade completed.

Now You: Which password manager do you use, and why?