KeePassium 1.46 released

KeePassium 1.46 adds a password strength meter, “Have I Been Pwned” audit, favicon downloader and many other improvements.

Password quality indicator

KeePassium is a great tool for making strong passwords. But how strong is a password, really? Is P@$$w0rd!1 any good? After all, this is a 10-character mixture of uppercase and lowercase letters, digits and special characters. Would it be better than, say, 1QaZxSw2?

Starting with this version, KeePassium can estimate the strength of your password and warn you about weak ones. Powered by the great zxcvbn library, the app takes into account not only password length and character sets. It digs deeper and considers dictionary words, common substitutions (such as @ for a), and even how far apart the symbols are on a keyboard. All of this works locally on the device, completely offline.

This way, the app can warn you that both sample passwords above are very weak. The first one is a dictionary word “Password” with some character substitutions; the second one is just a sequence of nearby keys on a QWERTY keyboard, peppered with Shift.
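A simplified illustration of two of those checks, substitution-aware dictionary matching and keyboard adjacency, applied to the two sample passwords. This is an added example, not zxcvbn or KeePassium code; the word list, substitution table and function names are constructed for the illustration.

```python
from typing import List, Optional

# Staggered QWERTY rows; a key at (row, col) touches (row-1, col) and (row-1, col+1).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

# Constructed substitution table and a tiny stand-in for a real word list.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                      "0": "o", "3": "e", "1": "l", "!": "i"})
WORDS = {"password", "welcome", "dragon"}


def adjacent(a: str, b: str) -> bool:
    """True if keys a and b are neighbours on the keyboard."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    if r1 == r2:
        return abs(c1 - c2) == 1
    if r1 > r2:  # reorder so (r1, c1) is the upper key
        (r1, c1), (r2, c2) = (r2, c2), (r1, c1)
    return r2 - r1 == 1 and c1 - c2 in (0, 1)


def is_keyboard_walk(password: str) -> bool:
    """Shift is ignored for letters: 'Q' and 'q' are the same key."""
    keys = password.lower()
    return len(keys) >= 4 and all(adjacent(a, b) for a, b in zip(keys, keys[1:]))


def hidden_word(password: str) -> Optional[str]:
    """Undo common substitutions, then look for a dictionary word inside."""
    plain = password.lower().translate(LEET)
    return next((w for w in sorted(WORDS) if w in plain), None)


def weaknesses(password: str) -> List[str]:
    found = []
    word = hidden_word(password)
    if word:
        found.append(f"dictionary word '{word}' with substitutions")
    if is_keyboard_walk(password):
        found.append("sequence of neighbouring keys")
    return found


if __name__ == "__main__":
    for pw in ("P@$$w0rd!1", "1QaZxSw2", "kT9#vLq2mXz"):
        print(pw, "->", weaknesses(pw) or "no pattern found by these two checks")
```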

Password strength meter in different contexts

Password audit tool

Strong passwords are not enough, though. Every now and then, web services fall victim to data breaches — which means your credentials can end up in the wrong hands.

To protect you from third-party data leaks, KeePassium introduces a password audit tool. Available in the premium version, it uses a well-known online repository of known data breaches, Have I Been Pwned (HIBP). Unfortunately, their dataset is way too large for a mobile device (dozens of gigabytes when compressed), so we had to use the online service. But then, KeePassium cannot just send user passwords to some service, no matter how reputable. Both online and offline approaches are impossible, so what can we do?

The impasse is solved by the concept of k-anonymity which combines online and on-device processing. There, the app gives the service only a vague partial “fingerprint” of the password, calculated like this:

  • Take the plain-text password
  • Calculate its SHA1 hash, a 40-character hex string
  • Keep only the first 5 characters
  • Send these few characters to HIBP

The service receives too little information to have even a theoretical chance of guessing the original password. After sifting through its huge dataset, the service returns a list of full-length “fingerprints” (hashes) that start with the given prefix and match known leaked passwords. While the list can be lengthy, it is small enough for on-device processing. As a result, KeePassium can warn you about leaked credentials while keeping them safe in the process:

Password audit results

Now, you can tap any entry in that list and change its password. However, for some entries this might not be possible — for example if the password is predefined and cannot be changed. You can mark such entries as excluded from audit and they won’t clutter the list ever again.
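The k-anonymity lookup described above, sketched as an added example (not KeePassium's own code). It assumes the service replies with one `SUFFIX:COUNT` line per match, where the suffix is the remaining 35 hex characters of the hash; the reply here is constructed locally, so nothing is sent over the network.

```python
import hashlib

PREFIX_LEN = 5      # hex characters revealed to the service
SHA1_HEX_LEN = 40   # length of a SHA-1 hash as a hex string


def split_hash(password: str):
    """SHA-1 the password; return (prefix to send, suffix kept on the device)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def breach_count(suffix: str, range_response: str) -> int:
    """Search the service's reply for our suffix; 0 means not found."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != SHA1_HEX_LEN - PREFIX_LEN:
            continue  # ignore malformed lines
        if not count.isdigit():
            continue
        if candidate.upper() == suffix:
            # A count of 0 (e.g. a padding entry) is treated as "not leaked".
            return int(count)
    return 0


def constructed_response(leaked_suffix: str, count: int) -> str:
    """Stand-in for the service's reply: constructed data, no network access."""
    filler = [hashlib.sha1(f"filler-{i}".encode()).hexdigest().upper()[PREFIX_LEN:]
              for i in range(3)]
    lines = [f"{filler[0]}:12", f"{leaked_suffix}:{count}",
             f"{filler[1]}:3", f"{filler[2]}:0", "garbage line"]
    return "\r\n".join(lines)


if __name__ == "__main__":
    prefix, suffix = split_hash("P@$$w0rd!1")
    reply = constructed_response(suffix, 42)   # 42 is a constructed count
    print("sent to the service:", prefix)      # only these 5 characters leave the device
    print("audited password   ->", breach_count(suffix, reply))
    other_suffix = split_hash("1QaZxSw2")[1]
    print("different password ->", breach_count(other_suffix, reply))
```

The comparison against the returned suffixes happens entirely on the device, so the service never learns which entry in the reply, if any, was the one being checked.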

Favicon downloader

Most websites nowadays have a favicon — a little image that makes it easy to recognize the site. They are particularly handy when you need to find an entry in your database. However, adding a custom icon to an entry is a multi-step process that takes quite some time.

Not anymore! Now KeePassium can quickly download an entry's icon directly from the website referenced in the entry’s URL field. This does not involve any third-party services that provide favicon downloads, because this would expose part of your data to those services. Instead, KeePassium reaches out to each URL directly, so that none of them can learn about the other sites you use.

You can download favicons for a specific entry only or for the whole database. Once downloaded, these icons will be stored in the database and will show up even offline. This feature is freely available to all users.

Video: Favicon downloader in action.

Notable mentions

Reload the current database

If you store your database in a cloud, sometimes you may need to ensure that KeePassium shows the latest version of the file. So far, you had to close the database and reopen it again. Now there is a button to reload the database in one touch:

Bottom toolbar of the database viewer, with reload button in the center.
Reload database button

Add attachments using drag and drop

On iPad and Mac, you can add attachments simply by dragging files over an opened entry. Dragging attachments from an entry is coming later.

Video: Adding attachments to an entry by dragging them from another iPad app.

Disable Quick AutoFill for specific databases

If you have databases shared with clients or family members, you are probably tired of seeing their accounts among your Quick AutoFill suggestions.

Now you can explicitly disable Quick AutoFill for specific databases: go to the list of databases → long-press your database → Database Settings → turn off the Quick AutoFill switch.

Quick AutoFill option in database settings

Doing so clears all the Quick AutoFill suggestions. (Due to system limitations, we cannot remove them for one database only.) Suggestions relevant for you will be re-populated automatically the next time you load your personal databases. Databases where Quick AutoFill is disabled will not contribute their suggestions to the system, but you can still use them via the full AutoFill interface.

Customize entry font

Every year we receive a few complaints that the standard entry font could look better. Indeed, that font is specifically designed for readability of similar symbols, which is really important for passwords. After all, a wrong font would turn I|l1! into a set of nearly identical vertical lines.

That said, quite a few people use KeePassium for notes rather than passwords. In this case, the general aesthetics of the font outweigh the other criteria. Good news! Now you can customize the entry font and enjoy KeePassium in Arial, Times New Roman or any other system font, if you really want to.

An entry shown in Zapfino font