How can many people work with the same password DB?

  • Koniak

    Koniak - 2011-06-20


    We are a number of people who would like to use the same KeePass password file together on the local network.

    Preferably all users should have their own password, which can be removed when they should no longer have access. All users should be able to change the KeePass DB, but in some way NOT risk changing the same entries at the same time.

    How can this best be done with KeePass, or "how close" can we get?

    Thankful for any input concerning this!



  • wellread1

    wellread1 - 2011-06-20

    Preferably all users should have their own password which can be removed, when they should no longer have access.

    Each KeePass password file has one and only one Master Key (i.e. password and/or keyfile etc…) used to open the database. Providing different Master Keys to users sharing the same password file is impossible.  However, the Master Key itself can be changed whenever necessary.

    All users should be able to change the KeePass-DB, but in some way NOT risk changing the same entries at the same time.

    KeePass does not attempt to prevent changes to the same entry at the same time by multiple users.   However, in practice it is uncommon for two users to change the same entry because in most credential change scenarios, the second user who attempts to make a change will not have the correct credentials to authorize the change, and would have to obtain the changes made by the first user before continuing. KeePass 2.x also maintains a history of every saved change of an entry.  If for some reason the current entry does not correspond to the correct entry, the history allows you to roll back to any point that was saved by any user.  Also whenever a user saves to the shared password file, KeePass checks to see if the file on disk has been changed.  If it has, it offers the user the opportunity to synchronize the file.  Synchronization can also be initiated by users at any point while working.  If users synchronize regularly, other users can be reasonably certain that they are working with the most recent version of the password file.
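
A simplified model of the save-time check and synchronization described in this reply, added here as an example and not part of the original post or of KeePass's code. The entry layout, the integer timestamps, the sample entries and the merge rule (newest modification wins, the losing version moves to history) are assumptions.

```python
import copy, hashlib, json

FIELDS = ("password", "modified", "by")

def fingerprint(db):
    """Stable digest of a database, recorded at open time to detect later changes on disk."""
    return hashlib.sha256(json.dumps(db, sort_keys=True).encode()).hexdigest()

def edit(db, uuid, password, when, who):
    """Change (or create) an entry, pushing the previous version onto its history."""
    old = db.get(uuid)
    history = (old["history"] + [{k: old[k] for k in FIELDS}]) if old else []
    db[uuid] = {"password": password, "modified": when, "by": who, "history": history}

def merge_entry(a, b):
    """Newest 'modified' wins; every other known version survives in history."""
    newer, older = (a, b) if a["modified"] >= b["modified"] else (b, a)
    versions = {h["modified"]: h for h in older["history"] + newer["history"]}
    versions[older["modified"]] = {k: older[k] for k in FIELDS}
    versions.pop(newer["modified"], None)   # the winner is current, not history
    merged = {k: newer[k] for k in FIELDS}
    merged["history"] = [versions[t] for t in sorted(versions)]
    return copy.deepcopy(merged)

def save(local_db, opened_fp, disk_db):
    """Return (database_to_write, synchronized). Merge only if the disk copy changed."""
    if fingerprint(disk_db) == opened_fp:
        return copy.deepcopy(local_db), False
    merged = {}
    for uuid in local_db.keys() | disk_db.keys():
        if uuid in local_db and uuid in disk_db:
            merged[uuid] = merge_entry(local_db[uuid], disk_db[uuid])
        else:  # entry exists on one side only: keep it
            merged[uuid] = copy.deepcopy(local_db.get(uuid) or disk_db[uuid])
    return merged, True

def demo():
    base = {}
    edit(base, "router", "pw-r1", 100, "admin")   # constructed sample entries
    edit(base, "wiki", "pw-w1", 100, "admin")
    opened_fp = fingerprint(base)                 # both users open this version
    alice, bob = copy.deepcopy(base), copy.deepcopy(base)
    edit(alice, "router", "pw-r2", 200, "alice")
    disk, _ = save(alice, opened_fp, base)        # disk unchanged: plain write
    edit(bob, "router", "pw-r3", 220, "bob")      # same entry, edited later
    edit(bob, "nas", "pw-n1", 205, "bob")
    return save(bob, opened_fp, disk)             # disk changed: merge first
```

In this model the earlier edit to the same entry is not lost: it ends up in the merged entry's history, which is what makes a roll-back possible. Two versions with an identical timestamp would collide in this model.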


  • Paul

    Paul - 2011-06-20

    Removing a single user's access is not possible, but you can use user certificates as keys, and these can expire, or be set as expired.

    cheers, Paul

  • Koniak

    Koniak - 2011-06-21

    Good information, Thank you!

    I can see that normally two users should not need to change the same password "at the same time", and the synchronization function seems quite nice.

    Below follows a short description of a multiuser solution, just as input to the KeePass developers, if they think it could be an option for KeePass.

    We are currently using an old version of

    They have solved the multiuser problem in the following way:
    - A simple central password server service, having the password files encrypted with its own password.
    - Each end user has a user/password on the server.
    - End users run the password application on their own PC, but the application can open password files directly from the password server.
    - When a user opens a password file from the password server, the server:
      1. Reads the decrypted file using its own password.
      2. Encrypts the read password file with the end user's password (i.e. the encryption key).
      3. Sends the file to the end user, where it is stored in a cache directory.
      => The end user's application then decrypts the file to memory using the already supplied user password.
    - The latest version of each password file can always be opened in read-only mode locally on the end user's PC, using the user's password on the password server.
    - By default, the password server lets the user open the password file read-only. If a user chooses to open the file for change, only ONE user can do this at a time, so file integrity is ensured.



  • Koniak

    Koniak - 2011-06-22

    Hi Paul,

    The link you supplied is for an Internet Password Server for "official" use, which is something completely different.

    What I am describing is a LAN Password server used by a workgroup, in a local LAN. The password server is protected on the installed server and the administrator of that server is also the administrator of the Password Server Service and its users. This Super Admin has access to all the passwords on the password server, which is OK, since these passwords are NOT personal, but common to the workgroup.

    Since this is used on a LAN there is no problem with sending the complete password file to and from the users.

    Since this function is one of the selling points for Acebits Password Depot and the sole reason that we chose Password Depot over KeePass, I think it's safe to say that it's a relevant function.



  • Paul

    Paul - 2011-06-23

    KeePass is not a password server, if you want one you will have to look elsewhere.

    cheers, Paul

