KeePassXC is a cross-platform password manager that allows you to store all of your passwords in one location. A password manager is a tool that creates and stores passwords for you, so you can use many different passwords on different sites and services without having to memorize them. You only need to remember one master password that allows you to access the encrypted password manager database of all your passwords.
There are a number of programs with names similar to KeePassXC, like KeePassX (defunct), and KeePass. These are based on the same code. This guide recommends KeePassXC because it is cross-platform and more actively developed than some of the alternatives.
Download: For Windows/macOS/Linux: https://keepassxc.org/download
How KeePassXC works
KeePassXC works with password databases, which are files that store a list of all your passwords. These databases are encrypted when they are stored on your computer’s hard disk. So, if your computer is off and someone steals it, they will not be able to read your passwords.
Password databases can be encrypted using a master password and/or a second method of login such as a key file or 2FA (Two-Factor Authentication). Since your master password protects all your other passwords, you should make it as strong as possible.
Using a master password
A master password acts like a key — in order to open the password database, you need the correct master password. Without it, nobody can see what’s inside the password database. When using a master password to secure your password database, here are a couple of things to keep in mind:
- This master password will decrypt all of your passwords, so it needs to be strong! It should be hard to guess and long. The longer it is, the less you need to worry about having special characters or capital letters or numbers. So make your master password a passphrase. A passphrase is a string of many words that are easy for you to remember but difficult for others to guess.
- You can create a strong master passphrase using regular, random words. These are easier to remember than unnatural combinations of symbols and capital letters. See our password guide for more details on creating a strong password.
Install KeePassXC and launch it. Click on the Database menu and select “New Database.” You will be prompted to save your password database. Note that you can move the password database file later to wherever you like on your hard disk, or move it to other computers—you will still be able to open it using KeePassXC and the password, or keyfile, you specified before.
What's a keyfile? Using a keyfile in addition to your master password can make it harder for someone to decrypt your password database if they steal a copy. You can use any existing file as a keyfile—an image of your cat, for example, could be used as a keyfile. You’ll just need to make sure the file you choose never gets modified, because if its contents are changed then it will no longer decrypt your password database. Sometimes opening a file in another program can be enough to modify it, so don't open the file except to unlock KeePassXC. It is safe to move or rename the keyfile, though. Keep copies of the keyfile on an offline external device or USB drive, preferably on multiple devices, and make sure to store it separately from your password database.
Next, you will be asked to enter a master password and/or use a keyfile. Select the appropriate checkbox(es) based on your choice.
KeePassXC allows you to organize passwords into “Groups,” which are basically just folders. You can create, delete, or edit Groups or Subgroups by going to the “Groups” menu in the menubar, or by right-clicking on a Group in the left-hand pane of the KeePassXC window. Grouping passwords doesn’t affect any of the functionality of KeePassXC—it’s just a handy organizational tool.
To create a new password or store a password you already have, click on the Group in which you want to store the password, right-click in the right pane, and choose “Add New Entry.” (You can also choose “Entries > Add New Entry” from the menu bar.) For basic password usage:
- Enter a descriptive title you can use to recognize the password entry in the “Title” field. For example, this could be the name of the website or service the password is for.
- Enter the username associated with the password entry in the “Username” field. (If there is no username, leave this blank.)
- Enter your password in the “Password” field. If you’re creating a new password, click on the dice icon to the right. You might want to do this when you are signing up for a new website, or when you are replacing older, weaker passwords with new, unique, random passphrases. After you click the dice icon, a password generator will appear in the window. You can use this to generate a random password. You'll be presented with many options, including what sorts of characters to include and how long to make the password.
- Note that if you generate a random password, you don’t have to remember (or even know!) what that password is. KeePassXC stores it for you, and any time you need it you will be able to copy/paste it into the appropriate program. This is the whole point of a password manager — you can use different long random passwords for each website/service, without even knowing what the passwords are!
- Because of this, you should make the password as long as the service will allow and use as many different types of characters as possible.
- Once you’re satisfied with the options, click “Generate” in the lower right to generate the password. The generated random password will automatically be entered in the “Password” and “Repeat” fields for you. If you are using an old version of KeePassXC, the random password may not be automatically entered into the "Password" and "Repeat" fields, so you should click "Apply" first. (If you’re not generating a random password, then you’ll need to enter your chosen password again in the “Repeat” field.) Then click “OK.”
- Your password is now stored in your password database. To make sure the changes are saved, save the edited password database by going to “Database > Save Database.”
If you need to change/edit the stored password, you can just choose its Group and then double-click on its title in the right-hand pane, and the “Edit Entry” dialog will pop up.
To use an entry in your password database, right-click on the entry and choose “Copy username” or “Copy password.” Go to the window/website where you want to enter your username/password, and paste it in the appropriate field. Instead of right-clicking on the entry, you can also double-click on the username or password of the entry you want, and the username or password will be automatically copied to your clipboard.
KeePassXC allows you to:
- Search your database using the search box (the text box in the toolbar of the main KeePassXC window.)
- Sort your entries by clicking on the column header in the main window.
- Lock KeePassXC by choosing “Tools > Lock Databases.” This allows you to leave KeePassXC open, but have it ask for your master password (and/or keyfile) before you can access your password database again. You can also have KeePassXC automatically lock itself after a certain period of inactivity. This can prevent someone from accessing your passwords if you step away from your computer or lose it. To enable this feature on macOS, choose “Preferences > Settings” from the menu and click on the security options. Then check the box that says “Lock database after inactivity of [number] seconds.” For Linux or Windows, choose “Tools > Settings” from the menu and click on the security options. Then check the box that says “Lock database after inactivity of [number] seconds.”
- An often-overlooked setting that helps make your KeePass file more secure by deterring dictionary and brute-force attacks is ‘Key Transformation,’ accessible in Database > Database Settings > Encryption and labeled "Transform rounds." It runs the master key through N rounds of encryption before applying it. The higher the N, the more time it takes your CPU to process all the rounds of encryption. The default is 6000, which takes less than a millisecond for a modern CPU to churn through. My setting is in the high 7 figures and takes about one second. That is a delay I can live with each time I attempt to open my KeePass file. In fact, it kind of feels good to be reminded the program is doing extra work to protect me. The reason for introducing a delay is to slow down a brute-force attack to the point that it is infeasible in this lifetime. A brute-force attack starts by trying every character (A-Z, a-z, 0-9, symbols), then every two-character combination (aa, ab, ac…), then every three-character combination (aaa, aab, aac), and so on. A related approach, called a dictionary attack, loops through a dictionary and tries all words and various combinations of words with different delimiters. Eventually, these approaches will find the master password. However, when N is a high enough number, it will cost the attacker one second per attempt (per CPU), which is a serious roadblock. If your password is sufficiently strong, say 30 random characters including A-Z, a-z, 0-9, and 10 different possible symbols, that is 72 characters to draw from. That results in 72^30 = 5.24e+55 possible combinations! Only an attacker with a huge number of CPUs or a huge amount of time would be able to check all combinations. I doubt this little technique would deter high-level national security organizations with billions of dollars in funding. However, I have a strong sense that a high N would deter script kiddies and cracking programs.
As CPUs get faster, N needs to increase to offset the time it takes to attempt a single crack at the master password. I plan to increase the value every time I get a new machine.
- Attachments: photos, files, anything you want encrypted.
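An added example (not from the original guide or from the KeePassXC project) for the "Transform rounds" item and the earlier passphrase advice: it calibrates a round count to a target delay per guess on the current CPU, then estimates worst-case exhaustive-search time for several password shapes. PBKDF2-HMAC-SHA256 from Python's standard library stands in for KeePassXC's own key transformation, and the 7776-word list size, the sample password and the seed are assumptions.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def transform(password: bytes, seed: bytes, rounds: int) -> bytes:
    """Stand-in key transformation: PBKDF2-HMAC-SHA256 with `rounds` iterations.
    Not KeePassXC's own KDF; it only models 'N rounds of work per guess'."""
    return hashlib.pbkdf2_hmac("sha256", password, seed, rounds)

def time_transform(rounds: int) -> float:
    """Wall-clock seconds for one transformation, i.e. the cost of one guess."""
    start = time.perf_counter()
    transform(b"constructed sample passphrase", b"\x00" * 32, rounds)  # constructed inputs
    return time.perf_counter() - start

def calibrate(target_seconds: float, probe_rounds: int = 50_000) -> int:
    """Pick a round count whose single-guess cost is about target_seconds here."""
    per_round = time_transform(probe_rounds) / probe_rounds
    return max(1, int(target_seconds / per_round))

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates when every position is drawn independently."""
    return alphabet_size ** length

def years_to_exhaust(candidates: int, seconds_per_guess: float, cpus: int = 1) -> float:
    """Worst-case time to try every candidate; the average case is half of this."""
    return candidates * seconds_per_guess / cpus / SECONDS_PER_YEAR

def report(target_seconds: float = 1.0) -> dict:
    """Calibrated round count plus search-time estimates at that per-guess delay."""
    cases = {
        "30 random chars from 72 (the guide's example)": keyspace(72, 30),
        "6 random words from a 7776-word list (assumed size)": keyspace(7776, 6),
        "8 lowercase letters": keyspace(26, 8),
    }
    return {
        "rounds": calibrate(target_seconds),
        "years": {k: years_to_exhaust(n, target_seconds) for k, n in cases.items()},
    }

if __name__ == "__main__":
    result = report()
    print(f"rounds for about 1 s per guess on this machine: {result['rounds']:,}")
    for name, years in result["years"].items():
        print(f"{name}: {years:.3g} years on one CPU")
```

The delay multiplies the attacker's cost per guess, but the size of the keyspace dominates the result: a short password stays within reach of a modest number of CPUs even at one second per guess.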
KeePassXC can also store more than just usernames and passwords. For example, you can create entries to store important things like account numbers, product keys, airline frequent flyer information, or serial numbers. There’s no requirement that the data you put in the “Password” field actually has to be a password. Just input what you want to store in the “Password” field instead of an actual password (and leave the “Username” field blank if there’s no username) and KeePassXC will safely and securely remember it for you.
Sync'ing your database between devices
There are some convenient methods to “sync” your KeePass password database with other devices, but “out of the box” your passwords simply live on your computer in an encrypted file that you can only open with a master password/key combination.
If you want to keep your KeePass database synchronized across multiple devices, you’ll need to share your database between those devices. The easiest way to do that is to use a cloud storage service like Dropbox or your own cloud storage. You simply move your KeePass database into a folder on Dropbox, or whichever provider you use, along with a program called Cryptomator, which encrypts your files so that they show up as random data on the cloud provider's end.
If you’re wary of your password database being stored on servers you don’t own, you can explore other options like Syncthing, a program that keeps a folder or multiple folders “in-sync” across multiple computers that you own (think Dropbox but without the Dropbox server involved). However, note that Syncthing involves a bit more setup, though it is very simple to install and use.
To access your passwords from a smartphone, you’ll need to use an app that can open KeePass databases. There are a handful of such apps for both iOS and Android; I recommend KeePass Droid for Android and MiniKeePass for iOS.
Note that KeePassXC 2.3.0 added a new setting called “Safely save database files”. If you’re having trouble syncing your database, you may want to try disabling this feature. You can read more about this issue and setting here.
Install the browser extension
A browser extension is a software component that adds additional features to your web browser. Using the KeePassXC browser extension provides a convenient way for your browser and your KeePassXC application to communicate. This will allow you to quickly save or auto-fill passwords on the web.
Starting with version 2.3, KeePassXC offers a new browser plugin called KeePassXC-Browser. It is compatible with Chromium-based browsers and Firefox, and is available in the Chrome Web Store and the Mozilla Add-ons repository.
The new add-on replaces the old KeePassHTTP add-ons (KeePassHttp-Connector, chromeIPass, PassIFox etc.), and support for those will be removed in future KeePassXC versions.
How to connect KeePassXC-Browser with KeePassXC
After installing the KeePassXC browser extension, you must first start KeePassXC and tweak some settings that are not enabled by default.
1. Enable browser integration
Go to the KeePassXC settings and enable browser integration support under Browser Integration / Enable KeePassXC browser Integration. Without this, the browser extension cannot communicate with KeePassXC.
If enabled, the old KeePassHTTP interface can be disabled by unticking the checkbox Legacy Browser Integration / Enable KeePassHTTP server. Any installed corresponding browser add-on (KeePassHttp-Connector etc.) can be uninstalled.
2. Enable browser support
To allow your browser to access KeePassXC, you need to tell it where to find the KeePassXC program file. Luckily, KeePassXC does this automatically for you. All you need to do is tick the checkbox under Enable integration for these browsers for any browser you want to use KeePassXC with.
3. Connect to the database
Open KeePassXC and unlock your database (this is important, the following steps won’t work if your database is locked or KeePassXC isn’t running.)
Switch to your browser and click the KeePassXC icon next to your address bar. A popup appears telling you that KeePassXC-Browser has not been configured (if you see a different error message, click Refresh and wait a few seconds.)
Press the Connect button. A window appears asking you to enter a name and grant access.
Enter a name of your choice (ideally one that identifies your browser) and click Save and allow access. Your browser is now connected to KeePassXC.
One important note: Do not use Autofill/Autotype. There are proven cases of ad networks deploying fake hidden credential fields to steal your username and password. Disabling autofill ensures user interaction is required to use your credentials. There is even a demo showcasing autofill abuse.
You're all done! Now you can save any credentials you enter on the web. You will also be able to automatically fill in your usernames/passwords, which is different from autofill, which inputs your information whenever login boxes are available.
KeePassXC is easy-to-use, robust software, and we recommend exploring the program to learn all of the useful things it can do.