Protecting your Keeper Vault

Recommendations for protecting access to your vault


At the foundation, Keeper is an encryption platform with policies and controls in place to protect customer data. In this security model, the customer is also responsible for protecting access to their vault by following recommended security practices. This document outlines key recommendations that will help you secure the data stored within your vault.

Create a Strong Master Password

For customers who login to Keeper with a Master Password, the key to decrypt and encrypt the Data Key is derived from the Master Password using the password-based key derivation function (PBKDF2), with 1,000,000 iterations by default. All customers who login to the vault are automatically migrated to 1,000,000 iterations.

After the user types their Master Password, the key is derived locally and then unwraps the user's 256-bit AES Data Key. After the Data Key is decrypted, it is used to unwrap the individual 256-bit AES record keys and folder keys. The Record Key then decrypts each of the stored record contents locally.

Keeper implements several mitigations against unauthorized access, device verification, throttling and other protections in the Amazon AWS environment. Enforcing a strong Master Password complexity significantly reduces any risk of offline brute force attack on a user's encrypted vault.

The National Institute of Standards and Technology (NIST) provides password guidelines in: Special Publication 800-63B. The guidelines promote a balance between usability and security; Or in other words, passwords should be easy to remember but hard to guess. The NIST instruction recommends an eight character minimum but a higher value will ultimately result in a harder to guess/crack password. Keeper enforces a minimum of 12 character master passwords.

Enable 2FA on Your Keeper Account

2FA can be added to any consumer or business account. Business customers can enforce the use of 2FA with various levels of control and security options. The 2FA step comes before the Master Password entry. Performing the device verification and 2FA step prior to the Master Password entry phase offers mitigation of several attack vectors including brute force attack, password testing and account enumeration.

To activate Two-Factor Authentication, visit the Settings screen of the Keeper Web App, Desktop App or mobile application.

Keeper also supports FIDO2-compatible WebAuthn hardware-based security key devices such as YubiKey and Google Titan keys as a second factor. Security keys provide a convenient and secure way to perform two-factor authentication.

Enable 2FA on Your Email Account

Access to your email account is a key component in the overall security of your personal information. Ensure that your email account uses a strong auto-generated password created by Keeper. And ensure that you are protecting your email account with multi-factor authentication. Follow the steps provided by your email provider to lock down your account with the most restrictive methods possible.

We recommend that customers protect email accounts using a hardware-based Yubikey or Google Titan key when possible. If this is not available from your email provider, or if you don't own a Yubikey device, the next best thing is using a TOTP code generator.

Keeper supports the ability to store TOTP codes for logging into your email account or other service. To learn more about protecting TOTP codes in your Keeper Vault, click here.

While using SMS as a two-factor authentication setting is better than having nothing at all, we don't recommend relying on SMS due to well documented SIM swapping attacks.

Be Careful of Browser Extensions

As a general security practice, we recommend that our customers be very cautious with installation of 3rd party browser plugins / browser extensions, such as ad blockers, coupon tools and other "helpful" utilities. Many browser extensions request elevated permissions which have the ability to access any information within any website or browser-based application that you visit. Make sure you fully trust the company who developed the browser extension, and look for their security certifications before you install it.

If you have any other security related questions, feel free to email our team at

Last updated