Composite Master Key This document details how KeePass locks its databases.

• Master Passwords
• Key Files
• Windows User Account
• For Administrators: Specifying Minimum Length/Quality of Master Passwords

---

KeePass stores your passwords securely in an encrypted file (database). This database is locked with a master password, a key file and/or the current Windows account details. To open a database, all key sources (password, key file, ...) are required. Together, these key sources form the Composite Master Key.

KeePass does not support keys being used alternatively, i.e. it's not possible that you can open your database using a password or a key file. Either use a password, a key file, or both at once (both required), but not interchangeably.

  Master Passwords

If you use a master password, you only have to remember one password or passphrase (which should be good!). KeePass has some basic protection against brute-force and dictionary attacks, read the security information page for more about this.

If you forget this master password, all your other passwords in the database are lost, too. There isn't any backdoor or a key which can open all databases. There is no way of recovering your passwords.

  Key Files

You don't even have to remember a long, complicated master passphrase. The database can alternatively be locked using a key file.

If you lose the key file and have no backup copy of it, your passwords in the database are lost, too. It's just the same as forgetting the master password. There is no backdoor.

A 'key disk' is just a normal disk which holds a file (called 'pwsafe.key') with password bytes (KeePass can generate such disks for you). If you want, you can also select the key file (which is stored on the key disk) manually, i.e. one disk can then store multiple keys for multiple databases. In this case, you have to tell KeePass which file it should use, you cannot simply select a drive any more (when you just select a drive, KeePass assumes that it should load the 'pwsafe.key' file in the root directory of the disk).

  Windows User Account

KeePass 1.x does not support encrypting databases using Windows user account credentials. Only 2.x and higher support this.

  For Administrators: Specifying Minimum Length/Quality of Master Passwords

Administrators might want to specify a minimum length and/or the minimum estimated quality that master passwords must have. You can tell KeePass ≥ 1.11 to check these two minimum requirements by adding appropriate key/value pairs to the INI configuration file.

The value of the KeeMasterPasswordMinLength key can contain the minimum master password length in characters. For example, by specifying KeeMasterPasswordMinLength=10, KeePass will only accept master passwords that have at least 10 characters.

The value of the KeeMasterPasswordMinQuality key can contain the minimum estimated quality that master passwords must have. For example, by specifying KeeMasterPasswordMinQuality=64, only master passwords with an estimated quality of at least 64 bits will be accepted.