Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

KeePass Rule Builder

This is a plugin for the KeePass 2 password manager. With this plugin, you can use the KeePass database to keep track of all of the different requirements that websites have for account passwords, and easily generate new passwords according to those requirements.

The strongest passwords are randomly generated. However, some services unwisely place constraints on the passwords that you can use. A website may state that a password must be less than a certain length, or that it must contain certain types of characters, or that it must not contain certain other characters. To make matters worse, every website has different requirements, so changing passwords means reconfiguring your password generator every time.

The password generator in KeePass helps with these challenges, but it can still be difficult to configure it to exactly meet the requirements of each service while keeping passwords as strong as possible.

The purpose of this plugin is to make it easy to tell KeePass how to generate a password for each service and to streamline the process of changing passwords.


To install this plugin, download the latest version from the Releases page and copy it into your KeePass installation’s Plugins directory. See the KeePass documentation for more help.

How to use

Changing a password

To change a password for an entry in KeePass, right-click the password entry and click Generate New Password.

Context menu with “Generate New Password” selected

The Change Password window will open. This window shows the current password as well as a new randomly generated password. Copy those passwords into the appropriate fields where you are setting the password. You can also use the hotkeys Ctrl+Shift+Z and Ctrl+Shift+X to auto-type the old and new passwords, respectively. If you want to set an expiration date, you can do that here.

Change Password window

Once you have successfully changed the password, click Accept to store the new password into the KeePass database. Every time you change the password, the old password will be backed up in the entry’s history.

Password rules

By default, this tool will generate a new password based on the Automatically generated passwords for new entries profile in KeePass. You should configure this profile to produce a very strong password. However, for services for which the passwords generated by this profile are too strong, the plugin can help you generate a password according to each service’s individual password policy.

To specify the rules constraining your password, click the Edit Rule button from the Change Password window, or select Edit Password Rule from the entry context menu. In the Password Rule window, you can specify the rule in one of two ways.


You can select an existing KeePass profile—either one that is built into KeePass or a custom one that you have created. To choose this option, select Profile and choose the profile you want to use.

The Password Rule dialog with the Profile option selected


You can also build a password rule by providing a list of the character sets that may, must, or must not be used in the password. To enter a password rule in this way, select the Rule option in the Password Rule dialog.

Let’s say that a website requires passwords with the following properties:

  • A password must be 8–20 characters long.
  • A password must contain at least one letter.
  • A password must contain at least one digit.
  • A password may contain special characters, from the character set !@#$%^&*().
  • Passwords must be changed every 18 months.

As shown in the screenshot below, we will first enter a Length of 20, the maximum password length. (There is no point in generating a password shorter than the maximum length.) Then click the Add Character Set button to add the built-in Letters and Digits character sets, and specify that both of them are Required. Click Add Character Set again to select a Custom character set, which you can then populate with the “special characters” listed in the password requirements. Finally, indicate that a password generated from this rule expires after 18 months.

The Password Rule dialog with the Rule option selected

Other options available in the Add Character Set menu are All characters, Punctuation, Uppercase letters, and Lowercase letters. If the service for which you are generating a password requires that a password not contain certain characters, you can enter those into the Exclude field.

The Add Character Set menu

The Example field in the Edit Rule window shows a sample password that follows the rule or profile that you have selected. (This is not the same password that will be set to the password entry when you save it.)

The password strength is calculated from the configured rule (not the generated password). Every additional bit of strength represents a doubling of the expected time it would take for a hacker to guess the password by brute force.

Once you have finished entering the password requirements, click Accept. If you were editing the rule from the Change Password window, a new password will automatically be generated using your new rule. Follow the steps above to save this password.

Any time you need to generate another password, just use the Generate New Password menu item. It will automatically use the rule and expiration date that you have set for that entry.

Other features

You can access this plugin’s features from the password generation menu in the standard KeePass editor window. Click Generate From Rule to generate a new password based on the entry’s configured rule, or click Edit Password Rule to edit the rule.

The Add Entry dialog with the Generate From Rule and Edit Password Rule menu items visible

A rule can be configured for a group of entries. This option is available in the context menu of the group. If a group has a rule configured, all entries in that group will use that rule when a password is generated, unless the rule is overridden in the entry itself.

The group context menu with the Edit Password Rule menu item visible

Icons made by Freepik from


A KeePass plugin to generate passwords for websites according to each site’s particular password rules.