KeePassXC – a review

Password managers have seen new attention (both good and bad) over the last couple of years, especially in mainstream news and media. With security folk like Rachel Tobac and Shannon Morse pushing the security mantra (in a relatable way), a lot more people are seeing the light, so to speak, and coming around to the fact that protecting their passwords, and other information, is a must for everyone. Proper password management, along with MFA, is one of the biggest protections against online attacks.

Let’s start with what a password manager is. A PM is either an online (cloud/web-based) or offline (local application) encrypted store for credentials (user name, password and other data). A single master password is fed through a key-derivation function to produce the key that encrypts the vault; within the vault, individual fields may be protected by further mechanisms, depending on the product.

The idea is that you only need to remember one strong password to unlock your password vault, after which you have access to your credentials and other information. In addition, only you should ever hold the master password (and, in turn, the key to your personal vault), so if you use an online service the provider will (or should) not be able to read your stored data.

So, are password managers any good? The simple answer is yes. The more nuanced answer is “it depends”.

  1. is your password manager online or offline?
  2. are you using a strong master password?

Online web-based managers like LastPass, Dashlane and 1Password offer a commercial password-management service, generally along with a slew of features and client-side support. The concern with these services is that they are an attractive target: a breach of the provider could hand an attacker a copy of your encrypted vault. How much that matters depends on the cryptography the provider uses (in particular its key-derivation settings) and on the strength and handling of your master password, which is then all the attacker needs to guess.

Seeing as the master password is all that stands between your vault and an attacker, it is the most critical part of the solution. A master password should be a minimum of 14 characters with a mix of uppercase, lowercase, numbers and special characters; a long passphrase of randomly chosen words does the job just as well and is easier to remember. This is the “it depends” …

Offline password managers are, by their nature, more secure than online services, depending on how you use them. An individual machine holding a single vault is far less of a target than an online service holding hundreds of thousands of vaults, although a compromised local machine can still copy the database file and capture the master password as it is typed.

These PMs typically do not include a syncing function between devices as online services do, but they can be made to behave similarly by keeping the database file in a storage cloud like Dropbox/Google Drive/Nextcloud/etc. The database is encrypted at rest, so the storage provider only ever holds ciphertext; the master password (and any key file) should never be placed in the same share.

KeePassXC

KPXC is a community fork of KeePassX, which in turn was a cross-platform port of KeePass. The fork dates from 2016 and has gone through a number of releases up to its current version, 2.7.4, which is a feature-rich and modern password manager. It is cross-platform, secure and open source, all features that point to a great product.

The database

KPXC can import the legacy KeePass 1.x (.kdb) format and uses the KeePass 2.x KDBX format natively, in its KDBX 3.1 and KDBX 4 variants. KDBX 4 is the one to use: it adds the memory-hard Argon2 KDF (Argon2d, and Argon2id as of KPXC 2.7) in place of the AES-KDF that KDBX 3.1 is limited to.

One can switch from KDBX 3.1 to KDBX 4 by selecting the ‘change’ option in the database security encryption settings (for example after importing an older-format database).

Security settings such as transform rounds (KDF iterations), memory usage and parallelism (the latter two apply to Argon2 only) are available to raise the cost of brute-forcing the master password; KPXC can benchmark them so that unlocking takes about a second on your own hardware, which is the sensible way to pick values.
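As an added example (my own Python, not KeePassXC’s code), here is a script that reads the plaintext outer header of a .kdbx file and reports the format version, cipher, KDF and work factors, then flags settings that are weak by the thresholds it assumes. It parses the KDBX 3.1 and KDBX 4 header layouts described above; the two sample headers at the bottom are constructed in-line so the script runs offline, and the warning thresholds are this example’s own rules of thumb rather than KeePassXC defaults.

```python
"""Inspect the plaintext outer header of a KeePass 2.x (.kdbx) database. Added example, not KeePassXC code."""
import struct
import sys
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67          # KDBX file signature
CIPHERS = {"31c1f2e6-bf71-4350-be58-05216afc5aff": "AES-256",
           "d6038a2b-8b6f-4cb5-a524-339a31dbb59a": "ChaCha20",
           "ad68f29f-576f-4bb9-a36a-d47af965346c": "Twofish"}
KDFS = {"c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF",
        "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
        "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id"}
# Outer header field IDs used here; 6 exists only in KDBX 3.x, 11 only in KDBX 4.
F_END, F_CIPHER, F_TRANSFORM_ROUNDS, F_KDF_PARAMS = 0, 2, 6, 11
INT_TYPES = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}   # VariantDictionary integer types


def parse_variant_dict(buf):
    """Decode a KDBX 4 VariantDictionary (the encoding of field 11, KdfParameters)."""
    pos, out = 2, {}                              # skip the 2-byte version word
    while buf[pos] != 0:                          # 0x00 terminates the dictionary
        vtype, nlen = struct.unpack_from("<Bi", buf, pos)
        name, pos = buf[pos + 5:pos + 5 + nlen].decode("utf-8"), pos + 5 + nlen
        (vlen,) = struct.unpack_from("<i", buf, pos)
        raw, pos = buf[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        if vtype in INT_TYPES:
            out[name] = struct.unpack(INT_TYPES[vtype], raw)[0]
        elif vtype == 0x42:                       # byte array ($UUID, salt/seed)
            out[name] = bytes(raw)
        else:                                     # bool/string types never occur in KDF parameters
            raise ValueError(f"unexpected VariantDictionary type 0x{vtype:02x} for {name}")
    return out


def parse_header(data):
    """Return format, cipher, KDF name and KDF parameters from the header bytes."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    major, minor = version >> 16, version & 0xFFFF
    info = {"format": f"KDBX {major}.{minor}", "kdf": "none", "kdf_params": {}}
    field_fmt = "<BI" if major >= 4 else "<BH"   # KDBX 4 widened the field length to 32 bits
    pos = 12
    while True:
        fid, flen = struct.unpack_from(field_fmt, data, pos)
        pos += struct.calcsize(field_fmt)
        val, pos = data[pos:pos + flen], pos + flen
        if fid == F_END:                          # real files continue with header hashes and payload
            return info
        if fid == F_CIPHER:
            info["cipher"] = CIPHERS.get(str(uuid.UUID(bytes=val)), "unknown")
        elif fid == F_TRANSFORM_ROUNDS:           # KDBX 3.x: AES-KDF only, rounds in their own field
            info["kdf"], info["kdf_params"] = "AES-KDF", {"R": struct.unpack("<Q", val)[0]}
        elif fid == F_KDF_PARAMS:
            params = parse_variant_dict(val)
            info["kdf"] = KDFS.get(str(uuid.UUID(bytes=params.pop("$UUID"))), "unknown")
            info["kdf_params"] = params


def assess(info, min_argon2_mib=64, min_argon2_iters=2, min_aes_rounds=1_000_000):
    """Flag weak work factors. Thresholds are this example's rules of thumb, not KPXC defaults."""
    warnings, p = [], info["kdf_params"]
    if info["kdf"] == "AES-KDF":
        warnings.append("AES-KDF is the legacy KDF; switch the format to KDBX 4 and choose Argon2")
        if p.get("R", 0) < min_aes_rounds:
            warnings.append(f"AES-KDF rounds {p.get('R', 0):,} below {min_aes_rounds:,}")
    elif info["kdf"].startswith("Argon2"):
        mib = p.get("M", 0) // (1024 * 1024)       # KDBX stores Argon2 memory in bytes
        if mib < min_argon2_mib:
            warnings.append(f"Argon2 memory {mib} MiB below {min_argon2_mib} MiB")
        if p.get("I", 0) < min_argon2_iters:
            warnings.append(f"Argon2 iterations {p.get('I', 0)} below {min_argon2_iters}")
    return warnings


# Builders for the constructed sample headers below (not needed to read real files).
def _vd(items):
    out = struct.pack("<H", 0x0100)
    for vtype, name, value in items:
        out += struct.pack("<Bi", vtype, len(name)) + name.encode() + struct.pack("<i", len(value)) + value
    return out + b"\x00"


def _header(major, minor, fields):
    out = struct.pack("<III", SIG1, SIG2, (major << 16) | minor)
    fmt = "<BI" if major >= 4 else "<BH"
    for fid, val in fields + [(F_END, b"\r\n\r\n")]:
        out += struct.pack(fmt, fid, len(val)) + val
    return out


# Constructed samples, not real databases: KDBX 4.0 on ChaCha20 + Argon2id with only 8 MiB, and KDBX 3.1 on AES-KDF.
SAMPLE_KDBX4 = _header(4, 0, [
    (F_CIPHER, uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a").bytes),
    (F_KDF_PARAMS, _vd([(0x42, "$UUID", uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6").bytes),
                        (0x42, "S", b"\x01" * 32), (0x04, "P", struct.pack("<I", 2)),
                        (0x05, "M", struct.pack("<Q", 8 * 1024 * 1024)), (0x05, "I", struct.pack("<Q", 20)),
                        (0x04, "V", struct.pack("<I", 0x13))]))])
SAMPLE_KDBX3 = _header(3, 1, [(F_CIPHER, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes),
                              (F_TRANSFORM_ROUNDS, struct.pack("<Q", 60_000))])

if __name__ == "__main__":                        # usage: python kdbx_header.py [vault.kdbx]
    info = parse_header(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KDBX4)
    print(info["format"], info.get("cipher"), info["kdf"], {k: v for k, v in info["kdf_params"].items() if k != "S"})
    print("\n".join(assess(info)) or "no warnings")
```

Run it with a path to check a real database; with no argument it reports on the constructed KDBX 4 sample. Nothing here touches the encrypted payload, so it is safe to run on a backup copy, and it is a quick way to confirm that an imported database really was moved to KDBX 4 with Argon2 rather than left on AES-KDF.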

And talking about security, KPXC offers two additional authentication factors: a key file, and challenge-response through a hardware token such as a YubiKey (using its HMAC-SHA1 slot). Either one, combined with a strong master password, makes offline brute-forcing of a stolen database impractical, since the attacker also needs the key file or the physical token. Keep the key file off the cloud share that holds the database, and keep a backup of it: lose either factor and the vault is gone for good.

UI

The UI is a little clunky yet practical, designed to do a single job and do it well. To the left is a hierarchical tree for managing groups of entries; to the right are the entries of the selected group.

A typical KPXC entry will include:

  • entry name
  • username
  • password
  • url
  • notes

The notes field is free-form and can be used to store any related information, e.g. credit card details, identification documents or other secrets.

There are a number of advanced capabilities available for each entry as well, including:

  • custom attributes in a key/value format (individual attributes can be marked as protected so they are hidden like the password)
  • entry icon
  • auto-type bindings
  • SSH agent integration (for keys)
  • browser integration

An entry will also include date details (creation, modification and access) along with history/audit information.

Features

Besides the standard password manager function, what else does KPXC have under the covers?

1. auto-type

This feature allows one to press a user-defined key combination, whereupon KPXC reads the title of the active window and looks for an entry whose title or url matches it.

As an example, if you were on the login.google.com website and you had an entry in KPXC with the url value login.google.com, then pressing the auto-type key combination would cause the matched entry’s username and password to be typed into the login form on the website (the default sequence is {USERNAME}{TAB}{PASSWORD}{ENTER}).

This makes logging into websites (and other dialogues) a breeze. When the match fails, or several entries match and KPXC asks which one to use, you can set a custom auto-type association for that specific entry based on the application’s window title. Because auto-type types into whatever window currently has focus, check the window title before confirming.

2. password generator

There is a password generation option available in the password field for each entry. There is also a global password generator; both can generate random passwords or passphrases, with settings to adjust length and the character classes used. The same generator is exposed on the command line as keepassxc-cli generate and keepassxc-cli diceware.

3. Database reports

KPXC includes a reporting feature which gives you:

  • browser statistics
  • a health check which flags weak and reused passwords
  • a “Have I Been Pwned” check, which looks each password up in the Pwned Passwords corpus to find any that have already appeared in a public breach (only the first five hex characters of the password’s SHA-1 hash are sent to the service, so the password itself never leaves your machine)
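To show what the k-anonymity lookup behind that report actually sends and receives, here is an added Python example of my own (a reimplementation of the protocol, not KeePassXC’s C++ code). It runs offline against a constructed range response; the real endpoint, URL and Add-Padding header are those of the public Pwned Passwords API, and the sample counts are made up.

```python
"""Breach lookup the way the Pwned Passwords range API works: k-anonymity. Added example, not KeePassXC code."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how often the password appears in the corpus (0 = not found).

    fetch_range(prefix) -> response text. It receives the 5-character prefix only, never the
    full hash or the password; the suffix comparison happens locally.
    """
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix):
    """Real lookup (not used by the tests). Add-Padding hides the response size from observers."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "kdbx-hibp-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts with it).
# Neighbouring suffixes and all counts are made up; only the middle suffix is a real hash remainder.
FAKE_RANGE = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",   # SHA-1("password") minus its prefix
        "2F1A5C4B2BE15C3A2B5F8B7E8E0B1C5D6F7:12",
    ])
}


def fetch_range_fake(prefix):
    """Offline stand-in for the API: unknown prefixes return an empty range."""
    return FAKE_RANGE.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "c0rrect-h0rse-b@ttery-staple-7w4Q"]:   # constructed inputs
        n = breach_count(pw, fetch_range_fake)
        print(f"{pw!r}: {'seen %d times, change it' % n if n else 'not in the constructed corpus'}")
```

Swap fetch_range_fake for fetch_range_online to query the real service; the only thing that crosses the network is the five-character prefix, which is why this check is acceptable to run against a whole vault.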

4. SSH Agent integration

The SSH Agent integration is supported on all target platforms and acts as a client for an existing agent. It can automatically add SSH keys stored in your KeePassXC database to a running SSH agent when the database is unlocked and remove them when it is locked.

5. Security

KPXC has recently undergone an independent audit with a good outcome – this gives users of the software some assurance as to its security. This, along with its flexible security settings, means it should be on everyone’s radar.

6. Other

There are a host of other features including:

  • database export to CSV and HTML (both are unencrypted, so treat the exported file as a secret and delete it when done)
  • a command-line interface (keepassxc-cli)
  • auto-open of databases

Conclusion

There’s much to like in KPXC with a good featureset, ease of use and good security. There’s not much else to say except give it a go.