Password Managers - KeePassXC
KeePassXC is a free and open source offline password manager running on Linux, BSD and proprietary
operating systems like Windows and macOS.
Database creation
To start, users need to create a database in the KDBX 4 format using AES-256 for encryption and
Argon2d for key derivation. Other encryption algorithms (ChaCha20 256-bit, Twofish 256-bit), key
derivation functions (Argon2id, AES-KDF) and tuning parameters (transform rounds, memory usage,
parallelism) are available. Most users should keep the defaults, with the exception of the decryption
time, which can be increased up to 5.0 seconds for higher protection at the cost of a slower database
opening time.
Authentication
Master password
Then they have to choose a master password and optional additional protections such as a key file
or a challenge-response with a hardware authentication device. This information needs to be properly
remembered and stored: without it, it is impossible to decrypt the vault and access its
contents.
Keyfile
Users may use a static key file with random data generated by the application to increase
security. The file should have no extension or end with .bin; otherwise it could be modified
unbeknownst to the user. Any change in its content, and consequently in its hash value, would make it
unusable for unlocking the database.
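As an added example (not code from the KeePassXC project), the following builds a key file around 32 random bytes and verifies one before use, so a corrupted or edited file is caught instead of silently failing to unlock the vault. It assumes the layout of the KeePass XML key file format 2.0: the key hex-encoded in a Data element, with a Hash attribute holding the first 4 bytes of SHA-256 over the raw key bytes.

```python
import hashlib
import os
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Assumed layout (KeePass XML key file format 2.0): 32 random bytes, hex-encoded in
# <Data>, plus a Hash attribute = first 4 bytes of SHA-256 over the raw key bytes.

def key_hash_prefix(key: bytes) -> str:
    """Integrity tag stored in the Hash attribute: first 4 bytes of SHA-256, upper-case hex."""
    return hashlib.sha256(key).digest()[:4].hex().upper()

def make_keyfile_xml(key: Optional[bytes] = None) -> str:
    """Build a version 2.0 key file around 32 CSPRNG bytes (or a caller-supplied key)."""
    if key is None:
        key = os.urandom(32)
    data = key.hex().upper()
    # Group the hex into 8-character words, four per line, for a human-readable layout.
    groups = [data[i:i + 8] for i in range(0, len(data), 8)]
    lines = [" ".join(groups[i:i + 4]) for i in range(0, len(groups), 4)]
    body = "\n".join("            " + line for line in lines)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<KeyFile>\n"
        "    <Meta>\n"
        "        <Version>2.0</Version>\n"
        "    </Meta>\n"
        "    <Key>\n"
        f'        <Data Hash="{key_hash_prefix(key)}">\n{body}\n        </Data>\n'
        "    </Key>\n"
        "</KeyFile>\n"
    )

def verify_keyfile_xml(text: str) -> Optional[bytes]:
    """Return the key bytes if the file is well-formed and its hash matches, else None.
    None means the file was edited or corrupted and would no longer unlock the vault."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    if root.tag != "KeyFile" or root.findtext("Meta/Version") != "2.0":
        return None
    node = root.find("Key/Data")
    if node is None or node.text is None:
        return None
    hex_data = re.sub(r"\s+", "", node.text)  # whitespace between groups is allowed
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_data) or len(hex_data) % 2:
        return None
    key = bytes.fromhex(hex_data)
    if node.get("Hash", "").upper() != key_hash_prefix(key):
        return None
    return key
```

Run verify_keyfile_xml on a key file's contents before relying on it; a single flipped byte in the Data block changes the SHA-256 prefix and the function returns None.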
Hardware Key
They may also use physical keys as an extra layer of protection: SoloKeys with the FIDO2 hmac-secret
extension (not yet implemented) or YubiKeys with HMAC-SHA1 challenge-response.
Add Entry
Once the database is created, users can add new entries with a title, username, password or
passphrase, tags, expiry date, notes, additional attributes and attachments.
Templates
Contrary to other KeePass-compatible applications, templates for different entry types are not yet
available.
Attachments
Text files containing PGP or SSH keys and images of important documents can be added, but files with
complex formats like PDF and ODT should be avoided, or have their text and images extracted. Users
should be mindful of the size of the documents: the heavier the database, the longer it takes to be
decrypted.
Password & Passphrase generation
Passwords or passphrases should be generated using the application's built-in generator.
By default, passwords have 20 characters drawn from A-Z, a-z, 0-9 and /*+&… and passphrases have 7
space-separated lowercase words from the EFF large word list.
Statistics and Security check
Useful information can be found in the statistics page, showing among other things the number of
non-unique, short or weak passwords, and passwords potentially compromised according to "Have I Been Pwned".
SSH integration
Users can also manage their SSH keys by enabling the SSH agent integration and creating an entry with
their password and their private key as an attachment.
Form filling
Browser integration
Users should prefer copying login information manually but may benefit from the KeePassXC-Browser
extension. For it to work, they need to enable browser integration, select the correct web browser
and enable the database connection from the extension.
Syncing
No synchronization features are available, to reduce code complexity and avoid being tied to a
specific provider. Since the vault is a single file, users can simply put it inside their shared
cloud folder.
Similar software
The password database is readable by several applications. Even if created with KeePassXC, it can be
accessed and modified using KeePass2Android Offline or KeePassDX on Android, or KeePassium on iOS.