As a result, I have embarked unwillingly on a journey to find a replacement for my trusty companion. I came across the KeePass Password Manager program, which operates and looks very similar to Password Safe and is also an open-source project. A search on the Internet does not seem to reveal any vulnerability in it, and hence, with some trepidation, I decided to give it a road test; below are my experiences. This is by no means an exhaustive comparison, nor an attempt to gauge its security strength.
While KeePass supports AES-128 in both ver 1.x and 2.x, and Twofish only in ver 1.x, out of the box, it is the implementation of these algorithms, not so much the declared algorithm, that determines the strength and the vulnerabilities. This aspect is not examined here. The notes below are more a guide for Password Safe users on how to migrate to KeePass painlessly and to become familiar with it.
The good things with KeePass (ver 2.09) vs Password Safe (ver 3.20)
KeePass, from a developer's perspective, appears to have a more active community than Password Safe and to be architecturally a better product. While some may argue that the availability of a plug-in architecture can weaken the security of the product, the fact remains that it is there to allow people to extend the product and to use plug-ins when needed. Out of the box, there is no plug-in. This plug-in architecture is exploited to the fullest, as described below, in migrating the Password Safe database over to KeePass.
KeePass has a large active community producing a variety of plug-ins while Password Safe is more a closed system. KeePass has also spawned off other projects to produce versions for mobile and other operating systems.
Both KeePass and Password Safe are essentially portable applications that do not need to be installed on the machine. Both products (KeePass only in version 2.x) also provide installers that allow people to install them on their machine and uninstall them when no longer required. I used the portable version, which does not require installation.
KeePass has two versions, ver 1.x and ver 2.x, that unfortunately use two different database formats, introducing compatibility issues. Version 2.x can handle version 1.x databases with no loss of data (a forward conversion is required), but a version 1.x KeePass cannot open a version 2.x database unless it is exported into the 1.x format.
KeePass seems to embrace the Windows security model better than Password Safe. While Password Safe performs perfectly in a USB drive environment, in which it has read-write access to its directory, on a shared machine or a machine using LUA (limited user accounts), Password Safe struggles. Sure, you can use the -g option to re-route the configuration file location, but this is very clumsy because you have to specify each user's profile area.
As a digression, under the watchful eye of Process Monitor, when Password Safe runs as a limited user it seems to generate a lot of "Access Denied" errors when opening system files such as Shell32.dll and others. This is very unusual, and I am wondering if they are opening them with too much privilege.
KeePass understands the LUA principle and Windows profiles. It will automatically re-route the per-user configuration files in situations that require this. Password Safe lacks this capability. KeePass ver 2.x also runs fine in non-Windows environments using Mono.
The other nice touch with KeePass in handling multiple users or sharing between machines is the "Enforced Configuration" feature, which allows an administrator to define system-wide settings that each user will inherit.
The bad part of KeePass
Ver 1.x is a native product while ver 2.x is a .Net product using framework 2. So if you are taking KeePass on a USB drive to be used on someone else's machine, such as in an Internet cafe, and that machine does not have the .Net framework installed, you cannot run KeePass 2. But if you have KeePass 1.x, you can run it on any machine. Start-up speed of version 2 is also very much in line with a typical .Net application. Once started, there is no noticeable performance difference.
If you intend to travel and worry about the availability of the .Net framework, use KeePass 1.x, which is still a supported product. It is not as pretty as KeePass 2, but just as functional. The downside is that the databases are incompatible.
This issue with the availability of the .Net framework is only a transitional problem, as all Vista and Win7 machines have .Net Framework 2 or higher installed by default and many XP machines are progressively gaining .Net Framework support. It is only a matter of time.
What extra features I would like to see in KeePass
I would like to see an option that allows me to open the database read-only until I reopen it without that option. This prevents users from changing the data accidentally. It would also be a nice feature not to reveal the password permanently: show it only when one decides to, and only until that entry is closed. At the moment KeePass' show/hide state is persistent, not only across entries but also for the whole KeePass installation. Password Safe always hides the password when viewing/editing an entry and, once shown, only shows it until that entry is closed.
Migrating Password Safe database over to KeePass
If you have a database in Password Safe 1.x, 2.x or 3.x format, you can convert it for use with KeePass. The process depends on which final version of KeePass you intend to use; the steps are below:
1) Download version 1.09 of KeePass into a temporary directory and unzip it.
2) Download the Password Safe Import plug-in into the directory containing KeePass ver 1.09. Since this plug-in only works for KeePass versions 1.05 to 1.09, we have to use KeePass ver 1.09. If you drop it into a newer version of KeePass, it will not be recognized as a valid plug-in.
3) Follow the installation instructions for the Password Safe Import plug-in as described in the accompanying ReadMe.txt.
4) Create a new database with KeePass 1.09 and then use "Tools/PwSafe Database Import/Import" to import the Password Safe database into KeePass.
If you are going to use KeePass ver 1.x, you can use this database without any further steps.
If you are going to use KeePass 2.x, you have to import this KeePass 1.x database into the ver 2.x format. Once that is completed, you can wipe the KeePass 1.x directories and database. This completes the migration process.
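After a migration like the one above, it is worth checking that no entry was dropped or altered on the way through the plug-in. The script below is an added example, not part of the original post or of either project: it compares a Password Safe plain-text export with a KeePass 1.x CSV export by (title, username) and reports missing, mismatched and unexpected entries. The column names and the "Group.Title" convention are assumptions; check them against the headers your versions actually write, and delete both export files once the comparison is done, since they hold passwords in the clear.

```python
import csv
import io

# Constructed sample of a Password Safe plain-text export (tab-separated).
# Column names are assumed; verify against your real export's header line.
PWSAFE_EXPORT = """Group/Title\tUsername\tPassword\tURL
Banking.Example Bank\talice\tS3cret!\thttps://bank.example
Email.Work\talice@example.com\tmailpass\thttps://mail.example
Social.Forum\tali\tforumpw\t
"""

# Constructed sample of a KeePass 1.x CSV export (assumed column names).
# "Forum" is deliberately absent and "Work" has a truncated password so the
# checks below have something to report.
KEEPASS_EXPORT = """"Account","Login Name","Password","Web Site","Comments"
"Example Bank","alice","S3cret!","https://bank.example",""
"Work","alice@example.com","mailpas","https://mail.example",""
"""


def parse_pwsafe(text):
    """Map (title, username) -> password from a Password Safe export.
    The group prefix ("Banking.") is stripped on the last dot; titles that
    themselves contain dots would need a smarter split."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t")
    entries = {}
    for r in rows:
        title = r["Group/Title"].rsplit(".", 1)[-1]
        entries[(title, r["Username"])] = r["Password"]
    return entries


def parse_keepass(text):
    """Map (title, username) -> password from a KeePass 1.x CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Account"], r["Login Name"]): r["Password"] for r in rows}


def compare(src, dst):
    """Return entries lost, changed, or unexpectedly added by the migration."""
    missing = sorted(k for k in src if k not in dst)
    mismatched = sorted(k for k in src if k in dst and src[k] != dst[k])
    extra = sorted(k for k in dst if k not in src)
    return {"missing": missing, "mismatched": mismatched, "extra": extra}


if __name__ == "__main__":
    report = compare(parse_pwsafe(PWSAFE_EXPORT), parse_keepass(KEEPASS_EXPORT))
    for kind, keys in report.items():
        print(kind, keys)
```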