“KeePassXC is a modern, secure, and open-source password manager that stores and manages your most sensitive information. You can run KeePassXC on Windows, macOS, and Linux systems. An integrated search function allows you to use advanced patterns to easily find any entry in your database. A customizable, fast, and easy-to-use password generator utility allows you to create passwords with any combination of characters or easy to remember passphrases.” - https://keepassxc.org/project/
Useful resources and links
- KeePassXC Official Website - https://keepassxc.org/
- KeePassXC Download Page - https://keepassxc.org/download
- KeePassXC Source Code - https://keepassxc.org/download/#source
- LastPass says hackers stole customers’ password vaults - https://techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/
- Password manager maker Keeper hit by another security snafu - https://www.zdnet.com/article/password-manager-maker-keeper-hit-by-another-security-snafu/
Installation
KeePassXC can be installed on Linux, Windows or macOS by following the instructions on the download page - https://keepassxc.org/download/
Download only from the official site or your distribution’s own repositories, and verify the download (GPG signature and, where provided, the SHA-256 digest) before installing, as described at https://keepassxc.org/verifying-signatures/
The easiest way to install KeePassXC on Debian-based Linux systems (including Ubuntu) is with the distribution’s package manager, apt, by running the following command (the packaged version may lag behind the current release on the download page):
sudo apt-get install keepassxc
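Verifying a download, as an added example (this is not code from the KeePassXC project or from this page): the script below checks a release file against a sha256sum-format digest file (the “<hex>  <filename>” format of the .DIGEST files published with KeePassXC releases) and rejects a copy whose contents differ by a single bit. It constructs its own sample installer and digest in a temporary directory, and the filenames are made up. It covers only the digest half of the check; the signature half is `gpg --verify <file>.sig <file>` against the KeePassXC signing key, and it matters because whoever can swap a download on an unofficial mirror can usually swap an unsigned digest sitting next to it.

```python
"""Check a downloaded release file against a sha256sum-format digest file.

Added example, not KeePassXC project code. Digest lines have the form
    <64 hex chars>  <filename>
(two spaces, or " *" for binary mode), which is what `sha256sum` writes and
`sha256sum -c` reads. Sample files are constructed in a temp directory so the
script runs offline; the filenames are made up.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a large installer needs little memory
HEX = set("0123456789abcdef")


def sha256_of_file(path):
    """Lowercase hex SHA-256 of the file at `path`, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_digest_file(text):
    """Parse sha256sum output into {filename: hexdigest}; reject malformed lines."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed digest line {line!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        expected[name.lstrip("*")] = digest
    return expected


def verify_download(download_path, digest_path):
    """True only if the download's SHA-256 equals its entry in the digest file.

    The digest file is keyed by base filename, as `sha256sum -c` expects; a file
    with no entry fails rather than passing as "unknown".
    """
    with open(digest_path, encoding="utf-8") as f:
        expected = parse_digest_file(f.read())
    name = os.path.basename(download_path)
    return name in expected and sha256_of_file(download_path) == expected[name]


def build_samples():
    """Constructed test data: a fake installer, its digest file, and a tampered
    copy with the same name in another directory. Returns the three paths."""
    root = tempfile.mkdtemp(prefix="kpxc-verify-")
    name = "KeePassXC-example.AppImage"  # made-up release filename
    good = os.path.join(root, name)
    with open(good, "wb") as f:
        f.write(b"pretend this is the installer\n" * 2000)
    digest = good + ".DIGEST"
    with open(digest, "w", encoding="utf-8") as f:
        f.write(f"{sha256_of_file(good)}  {name}\n")
    mirror = os.path.join(root, "mirror")
    os.mkdir(mirror)
    tampered = os.path.join(mirror, name)
    with open(good, "rb") as src, open(tampered, "wb") as dst:
        data = bytearray(src.read())
        data[100] ^= 0x01  # flip one bit: same size, different content
        dst.write(data)
    return good, tampered, digest


if __name__ == "__main__":
    good, tampered, digest = build_samples()
    print("genuine file :", "OK" if verify_download(good, digest) else "MISMATCH")
    print("tampered file:", "OK" if verify_download(tampered, digest) else "MISMATCH")
```

Run it with the real files by calling verify_download("KeePassXC-<version>-x86_64.AppImage", "KeePassXC-<version>-x86_64.AppImage.DIGEST") from the directory you downloaded into, after the signature check has passed.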
General Use
Creating a KeePassXC database file:
- Click “Create a new database”, name the database as desired then click “Continue”
- Select the desired decryption time (5.0s recommended; this sets the key-derivation cost so that unlocking takes about that long on your machine, which slows down offline guessing of the passphrase by the same factor) and leave the Database format as “KDBX 4.0”, the current format the dialog proposes by default, then click “Continue”
- Set a long, random passphrase as the master password (for example, an “EFF Dice-Generated Passphrase” - https://www.eff.org/dice, with numbers and special characters added if you wish) and continue
- If desired add extra security measures by clicking “Add additional protection…” and selecting a Key File and YubiKey Challenge-Response (more information in the official documentation - https://keepassxc.org/docs/) and continue
- Select a location and filename for the .kdbx file and save. Your KeePassXC password database is now ready for use.
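The dice-generated passphrase from the database creation steps, as an added example (not KeePassXC’s own generator and not code from this page): the EFF method rolls five dice per word and looks the 5-digit result up in a 7776-word list; the script draws that index with Python’s `secrets` module instead of physical dice, which is equivalent as long as the draw is uniform, and it accounts for the entropy of the words and of the digits and symbol the page suggests adding. The WORDS list is a tiny constructed stand-in so the script runs offline; for real use, load the EFF large wordlist from https://www.eff.org/dice and pass it in.

```python
"""Build an EFF-style dice passphrase and account for its entropy.

Added example, not KeePassXC's generator. WORDS is a constructed stand-in;
the real EFF large wordlist has 7776 entries (6**5), one per five-dice roll.
"""
import math
import secrets

EFF_LARGE_LIST_SIZE = 6 ** 5  # 7776 words, one per possible five-dice roll

# Constructed stand-in list; far too small to use for a real master passphrase.
WORDS = ["apple", "basket", "canyon", "delta", "ember", "falcon", "granite", "harbor"]


def dice_roll_index(list_size):
    """Uniform index in [0, list_size); for 7776 this equals one five-dice roll."""
    return secrets.randbelow(list_size)


def passphrase(words, n_words=6, sep=" "):
    """Draw n_words uniformly, with replacement, from `words`."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(words[dice_roll_index(len(words))] for _ in range(n_words))


def word_entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly from list_size words: n * log2(size)."""
    return n_words * math.log2(list_size)


def suffix_entropy_bits(n_digits, symbols):
    """Entropy added by appending n_digits random digits and one symbol from
    `symbols` at a fixed position: log2(10**n_digits * len(symbols))."""
    return math.log2(10 ** n_digits * len(symbols))


def with_suffix(phrase, n_digits=2, symbols="!@#$%^&*"):
    """Append random digits and one symbol, for services that demand them."""
    digits = "".join(str(secrets.randbelow(10)) for _ in range(n_digits))
    return phrase + digits + secrets.choice(symbols)


if __name__ == "__main__":
    p = passphrase(WORDS, 6)
    print(p, "->", with_suffix(p))
    # With the real 7776-word list, six words give about 77.5 bits; two digits
    # and one of eight symbols add about 9.6 bits, less than one more word (12.9).
    print(round(word_entropy_bits(EFF_LARGE_LIST_SIZE, 6), 1),
          round(suffix_entropy_bits(2, "!@#$%^&*"), 1),
          round(word_entropy_bits(EFF_LARGE_LIST_SIZE, 1), 1))
```

The entropy figures are the point: with the real list, each extra word is worth about 12.9 bits, while the digits-and-symbol suffix the page mentions is worth less than one word, so if a service forces a suffix, keep the word count rather than trading words for symbols.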
Adding entries:
For ease of access, it is recommended to categorise entries and add URLs and icons.
It’s also possible to add notes within each entry.
When generating passwords, use the built-in password generator and choose a password (or passphrase) that goes to the limits the service permits: its full length limit and every character type it accepts. For example, if a service accepts passwords of up to 20 characters, generate a 20-character password that uses all of the accepted character types.
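The rule above in code, as an added example (KeePassXC has its own generator under Tools; this script is not the project’s code and not from this page): given a service’s maximum length and the character classes it accepts, it produces a password of exactly that length that contains at least one character from every class, drawn from `secrets`, and a checker that confirms a password satisfies the policy. The class definitions and the default special-character set are assumptions; substitute the set the service actually accepts.

```python
"""Generate an entry password that fits a service's stated restrictions.

Added example, not KeePassXC's generator. It applies the rule: use the full
length the service allows and every character class it accepts, with at least
one character from each class, all chosen with the `secrets` module.
"""
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",  # assumed default; override per service
}


def pools_for(allowed_classes, special=None):
    """Map each allowed class name to its character pool (override special)."""
    pools = {}
    for name in allowed_classes:
        if name not in CLASSES:
            raise ValueError(f"unknown character class {name!r}")
        pools[name] = special if (name == "special" and special) else CLASSES[name]
    return pools


def generate(max_len, allowed_classes, special=None):
    """Password of exactly max_len chars using every class in allowed_classes.

    One character is taken from each class, the rest from the union of all
    classes, then the list is shuffled with a secrets-driven Fisher-Yates so the
    guaranteed characters do not sit at predictable positions. random.shuffle
    is not CSPRNG-backed, so it is deliberately not used.
    """
    pools = pools_for(allowed_classes, special)
    if max_len < len(pools):
        raise ValueError("length too short to include every required class")
    union = "".join(pools.values())
    chars = [secrets.choice(pool) for pool in pools.values()]
    chars += [secrets.choice(union) for _ in range(max_len - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies(password, max_len, allowed_classes, special=None):
    """True if the password is within max_len, uses only allowed characters and
    contains at least one character from every allowed class."""
    pools = pools_for(allowed_classes, special)
    union = set("".join(pools.values()))
    return (0 < len(password) <= max_len
            and set(password) <= union
            and all(any(c in pool for c in password) for pool in pools.values()))


def entropy_upper_bound_bits(max_len, allowed_classes, special=None):
    """log2(|union| ** max_len). Forcing every class to appear excludes a few
    strings, so the true entropy is slightly below this bound."""
    union = "".join(pools_for(allowed_classes, special).values())
    return max_len * math.log2(len(union))


if __name__ == "__main__":
    policy = (20, ["lower", "upper", "digits", "special"])  # assumed 20-char limit
    pw = generate(*policy)
    print(pw, satisfies(pw, *policy), round(entropy_upper_bound_bits(*policy), 1))
```

With the assumed 20-character limit and all four classes (86 distinct characters) the bound is about 128.5 bits; a service that allows only letters and digits at 12 characters gives about 71 bits, which is why the full length matters more than any single class.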
Backups:
After adding a few entries, it’s strongly recommended to back up your KeePassXC .kdbx file. This can be done by copying the .kdbx file to encrypted storage (e.g. an encrypted USB stick) that can be retrieved as required.
Backups need to be performed regularly, and every backup should be kept on encrypted drives or storage media only. If you use a key file or a hardware key, back up the key file and the programmed secret as well (see the FAQ below), but keep them apart from the database backup so that losing one device does not hand over both factors at once.
It’s recommended not to back up your .kdbx files to any cloud storage or internet-accessible systems. If you nonetheless sync the database through a cloud folder as the official FAQ below describes, bear in mind that the copy there is protected only by your master passphrase and any additional factors you configured.
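A verified, timestamped backup copy of the database, as an added example (not a KeePassXC feature and not code from this page): the script copies a .kdbx file into a backup directory under a UTC-timestamped name, re-hashes the copy to catch media faults, and prunes old copies beyond a retention count. Point `backup_dir` at a mounted encrypted volume; the paths, the database name and the fixed timestamps in the demo are assumptions, and the demo’s “database” is a constructed file carrying only the KDBX signature bytes, not a real database.

```python
"""Make a verified, timestamped backup copy of a KeePassXC database.

Added example, not a KeePassXC feature. A .kdbx file is encrypted at rest, so
the copy is protected by the master key; point `backup_dir` at an encrypted
volume anyway, as the page recommends. Paths below are assumptions.
"""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of_file(path):
    """Lowercase hex SHA-256 of a file, streamed in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def list_backups(backup_dir, base):
    """Backup copies of database `base`, oldest first (timestamps sort lexically)."""
    names = [n for n in os.listdir(backup_dir)
             if n.startswith(base + ".") and n.endswith(".kdbx")]
    return sorted(names)


def backup_database(db_path, backup_dir, keep=5, now=None):
    """Copy db_path to backup_dir/<base>.<UTC stamp>.kdbx, verify, then prune.

    `now` (seconds since the epoch) defaults to the current time; it is a
    parameter so the behaviour can be exercised with fixed timestamps.
    Returns the path of the new copy; raises RuntimeError on a hash mismatch.
    """
    if not db_path.endswith(".kdbx"):
        raise ValueError("expected a .kdbx file")
    if keep < 1:
        raise ValueError("keep must be at least 1")
    os.makedirs(backup_dir, exist_ok=True)
    base = os.path.basename(db_path)[:-len(".kdbx")]
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    dest = os.path.join(backup_dir, f"{base}.{stamp}.kdbx")
    source_hash = sha256_of_file(db_path)
    shutil.copy2(db_path, dest)  # copy2 also preserves the modification time
    if sha256_of_file(dest) != source_hash:
        os.remove(dest)
        raise RuntimeError("backup copy does not match the source file")
    for old in list_backups(backup_dir, base)[:-keep]:
        os.remove(os.path.join(backup_dir, old))
    return dest


def demo(keep=2):
    """Constructed run: a fake .kdbx, three backups a minute apart, prune to `keep`.
    Returns the remaining backup names, oldest first."""
    root = tempfile.mkdtemp(prefix="kpxc-backup-")
    db = os.path.join(root, "Passwords.kdbx")  # made-up database name
    with open(db, "wb") as f:
        # KDBX file signature bytes followed by filler; not a real database
        f.write(b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5" + os.urandom(256))
    backup_dir = os.path.join(root, "encrypted-usb", "kpxc-backups")
    t0 = 1700000000  # fixed epoch seconds (2023-11-14T22:13:20Z) for deterministic names
    for i in range(3):
        backup_database(db, backup_dir, keep=keep, now=t0 + 60 * i)
    return list_backups(backup_dir, "Passwords")


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it against a real database with backup_database("/path/to/Passwords.kdbx", "/media/encrypted-usb/kpxc-backups") from a scheduled task; it never deletes anything except its own older copies of the same database.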
FAQ
Below is an excerpt of commonly asked questions and answers from the official website - https://keepassxc.org/docs/
Why KeePassXC instead of KeePass? https://keepassxc.org/docs/#faq-keepassx
KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft’s .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won’t get the native look and feel which you are used to.
KeePassXC, on the other hand, is developed in C++ and runs natively on all platforms giving you the best-possible platform integration.
Why is there no cloud synchronization feature built into KeePassXC? https://keepassxc.org/docs/#faq-cloudsync
Cloud synchronization with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud etc. can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your desktop synchronization client do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low.
What is a key file and how can I get one? https://keepassxc.org/docs/#faq-keyfile-howto
A key file is a file containing random bytes that can be added to your master key for additional security. Think of it as a really complicated and long password that is read from a file, so you don’t have to remember or type it into your master password field. You can basically use any file you want as a key file, but it is of utmost importance that a) the file never changes and b) it actually contains unpredictable data. If the file changes, it is as if you forgot your password and you will lose access to your database. On the other hand, if the data is not random enough, then it’s a really bad password. So, for instance, a static and never-changing holiday picture is okay, your personal notes file is not. Generally, we recommend you let KeePassXC generate a dedicated key file for you. Go to Database -> Database Settings -> Security. There you click on Add Key File and then on Generate. Select the location where to save the key file, make sure the path to the new file is inserted into the Key File field, and save your database. Don’t forget to keep a backup of the key file in a safe place!
How do I configure my YubiKey / OnlyKey for use with KeePassXC? https://keepassxc.org/docs/#faq-yubikey-howto
To use a YubiKey or OnlyKey for securing your KeePassXC database, you have to configure one of your YubiKey / OnlyKey slots for HMAC-SHA1 Challenge Response mode (see this video for how to do this). Once your YubiKey (or OnlyKey, you got the point…) is set up, open your database in KeePassXC, go to File / Change master key, enable Challenge Response and then save the database.
Important: Always make a copy of the secret that is programmed into your YubiKey while you configure it for HMAC-SHA1 and store it in a secure location. If you lose or brick the key or accidentally reprogram it with a different secret, you will permanently lose access to your database!
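The two “additional protection” factors from the database creation steps and the two FAQ items above, as one added example (not KeePassXC code and not from this page), focused on what a backup of each factor must preserve. For the key file, KeePassXC’s Generate button writes its own XML key-file format; this script instead writes 32 raw random bytes, relying on the FAQ’s statement that any unchanging random file works, and records a fingerprint so a backup copy can later be checked against the “never changes” rule (how KeePassXC reads such a file is not reproduced here). For the YubiKey / OnlyKey slot, the device holds a secret and returns HMAC-SHA1(secret, challenge); the FAQ’s warning follows directly, because the response depends only on the secret, so a saved copy of the secret programmed into a replacement key yields identical responses, while a lost secret means no challenge can ever be answered again. How KeePassXC folds the response into the database key is not shown. File paths and the sample challenge are assumptions.

```python
"""What a backup of each 'additional protection' factor has to preserve.

Added example, not KeePassXC code. Part 1: a raw-bytes key file with a
fingerprint for integrity checks. Part 2: HMAC-SHA1 challenge-response as a
YubiKey/OnlyKey slot computes it, showing that a backed-up secret reproduces
the response. Paths are made up.
"""
import hashlib
import hmac
import os
import secrets
import tempfile


def fingerprint(path):
    """Hex SHA-256 of the whole file, recorded when the key file is created."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def write_key_file(path, n_bytes=32):
    """Write n_bytes of CSPRNG output to `path` with owner-only permissions
    and return its fingerprint."""
    data = secrets.token_bytes(n_bytes)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)
    return fingerprint(path)


def key_file_unchanged(path, expected_fingerprint):
    """True if the file still matches the fingerprint recorded at creation."""
    return hmac.compare_digest(fingerprint(path), expected_fingerprint)


def challenge_response(secret, challenge):
    """HMAC-SHA1 over the challenge, as a YubiKey/OnlyKey HMAC-SHA1 slot computes it."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def demo():
    """Constructed run of both checks. Returns (key file intact, edited key file
    detected, backup secret reproduces response, different secret differs)."""
    root = tempfile.mkdtemp(prefix="kpxc-factors-")
    key_path = os.path.join(root, "database.key")  # made-up path
    fp = write_key_file(key_path)
    intact = key_file_unchanged(key_path, fp)
    with open(key_path, "ab") as f:
        f.write(b"\n")  # an editor appending a newline is enough to lock you out
    changed = not key_file_unchanged(key_path, fp)

    secret = secrets.token_bytes(20)     # a YubiKey HMAC-SHA1 slot secret is 20 bytes
    backup_of_secret = bytes(secret)     # the copy the FAQ tells you to keep
    challenge = secrets.token_bytes(32)  # stands in for the value the database presents
    same = challenge_response(secret, challenge) == challenge_response(backup_of_secret, challenge)
    other = challenge_response(secrets.token_bytes(20), challenge)
    differs = other != challenge_response(secret, challenge)
    return intact, changed, same, differs


if __name__ == "__main__":
    print(demo())
```

The fingerprint is worth storing next to the backup of the key file (it reveals nothing about the key bytes), so that a copy restored years later can be checked before you rely on it; the 20-byte slot secret should be stored as the hex string your programming tool showed, in a location as protected as the database itself.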
Custom Implementations and Training
If you’d like to utilise KeePassXC in your organisation, require a customised password management implementation, need any custom documentation or training, or would like more information, feel free to email us to request a meeting or quotation.