Most of my experience with password managers lies with KeePass. For an enterprise environment it is simple to use, easy to deploy and fairly lightweight. For my personal use I can take advantage of its portability and not worry about phishing too much, as I tend to type out websites directly when something sketchy comes around. For work, VMs and other users however, I recommend KeePassXC now. It offers some advantages to KeePass, namely an easier interface, browser integration and TOTP.
The browser integration provides phishing protection => if users click on links asking for credentials, the extension will not recognise the domain and therefore not provide credentials. Along with the easier interface, this means users are more likely to avoid password reuse and less likely to fall for phishing attempts.
First Steps
The KeePassXC team have a great introduction to their password manager, covering details from setting up a database to the configuration of the browser integration. I highly recommend taking a look there before doing the install, even if just to make yourself aware of the different interface. You can find their getting started guide here.
Now, following the steps from the KeePass guide there are some differences in the procedures. The first is the key transformation, instead of telling the system how many iterations you want, KeePassXC suggests choosing how long it takes to decrypt the database.
KeePassXC settings interface, on the security menu, encryption settings tab.
Unlike KeePass, KeePassXC doesn’t provide password templates. nor does it offer the ability to generate a password from the previous password (useful for services with character or length limitations). The password generator takes the last used settings. My recommendation is to check the box to avoid lookalike characters (for those times you need to type it out).
Password creator with the Exclude look-alike characters checkbox ticked
Same as with KeePass, KeePassXC allows entries to autoexpire. This is not checked by default, in my use of the application, it does not stay checked when making several entries. The preset expiry times include 1, 2, 3 weeks, months and years.
KeePassXC new entry window with no expiry date selected.
Same as with KeePass, I recommend renewing your passwords at 6 month intervals, but at least once a year.
TOTP
Unlike KeePass, KeePassXC comes with TOTP support out of the box. While arguably this is not great as it means you are getting all your authentication tokens through the same medium, it does protect your accounts from brute forcing attacks. You can’t set TOTP from the entry window, but after creating the entry right click => TOTP =>Setup TOTP. When generating your tokens, tell the web service you can’t scan the QR code, and enter the secret into the TOTP window.
Setup TOTP window with an empty Secret Key.
It is worth mentionning that you can get the secret from KeePassXC. Not the most secure solution but I can see this being useful for teams connecting to client environments, as the database can be shared through KeeShare with those people who need access to it. With the browser extension, this means seamless logging in to services as all the credentials come from a single place, (and the database can be locked with a passphrase & hardware token).
KeeShare
KeeShare sort of takes the need for cloud sync away accross devices, however my limited experience with this feature was not great. Most likely due to user error and limited time / infrastructure to play with it, it is worth knowing that the KeePassXC team have documented it quite well over here.
Nice to know
You can save credentials from the browser extension directly to your database. These will be in a default “browser credentials” group. You can order them into whatever folder you want if you actively use the standard interface to find them faster.
By default, autotype is enabled in KeePassXC, but with no assigned shortcut. With the browser extension I have not found any reason to activate it. Specially after the shenanigans with KeePass spouting my credentials into a couple services.
The browser extension requires the database to be unlocked in order to use the credentials. The icon turns green when the connection between the extension and the data base is active, and grey if the connection is not present. I have found it particularly useful to be able to hide the window once it has been unlocked as it lets me keep an uncluttered desktop, and the browser lets me know if anything is the matter.
KeePassXC Application Setting window with ‘Minimize window after unlocking database’ checked
By default, the database will be saved after every change (new entry, password change, etc.). I’ve found this behaviour useful, but worth knowing if you have a long decryption time it can slow down your machine. The behaviour can be medified in the Application Settings => File Management.
KeePassXC Application Settings window with ‘Automatically save after every change’ option checked
Sadly, unlike KeePass, there is no option to show expired / expiring soon entries upon loading up the interface. The entries will have a different icon showing that the entry has expired and the title will be crossed through.
KeePassXC expired entry “Test” with the expired entry icon, & title crossed through
KeePass or KeePassXC?
I think it really comes down to the user. Both offer similar levels of protection for the users’ databases, they differ mainly in what they offer out of the box. Neither solution has been ported to Android or iOS which means regardless of what you pick, there will always be another party accessing your passwords. I believe KeePass will continue to have its place in enterprise environments where it outperforms the XC variant through a slimmer interface. KeePassXC does provide a nicer experience for first time users, with default settings that make it easy to use from the get-go. As long as you don’t use TOTP, you can use both with the same database and decide later on.
As we move into 2021, it would be excellent to see better password hygiene for all users, technical or not. When people ask me why it’s important to avoid password reuse, I will refer them to services showing past exposure; namely Have I been pwnd. Finding that your accounts were exposed to breaches often leads to the realisation that the same password was used for insecure services as for more sensitive elements, such as banking or private email. I’ve seen their eyes suddenly shine with hope as they come up with an incredible strategy: “Uniquely complex passphrase to which the service gets appended”. From a password complexity point of view this seems relatively good; you have a long password meeting most service requirements to which you are adding additional complexity by appending the service name. You’ve increased your password / passphrases length making it hardee to guess. While this strategy means you are not reusing the exact same password accross the internet, it means you are trusting the companies to encrypt your credentials. Sadly, even tech giants fail to do this as shown here by Forbes.
After seeing how little tech giants care about your privacy and security, the next question that comes up is “Why can’t I use the password manager from my browser?”. The truth is a browser based password manager is better than no password manager. If users are using this, then that is better than nothing, and some browsers will go so far as to provide breached account warnings. Firefox provides this through it’s Monitor service. The primary disadvantage from the user’s perspective is accessing your passwords for services which are not run in your browser, such as company software not connected to SSO. There are many cloud / app password managers and these will allow you to segregate your accounts from your browsing history. Further, you can access your passwords from accross multiple devices, including mobile. Haveibeenpwned recommends 1password. Whether you decide to go for a cloud/app based password manager or a local storage such as KeePass will depend on your own use case and threat model.
2FA/MFA
You can store your Keepass databse on an USB drive, meaning that in order to access it you’d be needing the drive and the means of unlocking it. 2 Factor Authentication for your password manager. While this feature does not protect your other accounts, it does make KeePass highly portable across operating systems & devices. There are plugins for TOTP making KeePass a viable “1 stop shop”for certain users. It is worth noting that these plugins render the 2nd factor irrelevant, as it only takes access to the database to obtain both the password & TOTP. Some applications will allow linking to biometrics such as fingerprint readers / facial recognition. While the biometrics do make use and access easier, it is worth researching how and where the data is stored in order to avoid exposing your identity beyond what you may require. Choosing a solution for your authentication should include a balance of the usability & security the solution provides. However, this goes beyond the scope of “First Steps” with any password manager.
Why KeePass?
There are many password managers that provide the same service as KeePass while additionally providing backup & synchronisation accross devices. What does KeePass bring to the table?
For people with no previous use of password managers, KeePass is free. Free as in free puppies, not as in free beer. It will require some work to set up, but the default settings do provide decent security.
Additionally, if you are showing this to family members for whom you may need to provide support in the future, they can revoke your access to the database by changing the master password as opposed to learning a complicated management interfaces.
Finally, KeePass does not require yet another account. You can segregate all of your online accounts / aliases by storing separate databases with the single program. If you have some accounts which you want to access from mobile devices but others to stay offline, you can have 2 databases, and sync the mobile through cloud storage to your mobile devices.
First Steps
Hopefully, the above comments convinced you to give KeePass a try. It is a free solution so first thing is to get the KeePass client from their downloads page. Select the local installer or portable binaries depending on your use case. Version 2.X (2.46 at time of writing) is recommended unless you have specific reasons for using 1.X.
After installing or running the local binaries, create a new database. KeePass prompts you through the creation of the database:
KeePass New Database windows prompting where the database will be stored & recommending regular backups on separate storage media
Once you have selected a place to save the database, KeePass presents the authentication method. Master Password is checked by default, but the database can be linked to Windows accounts.
KeePass Create Master Key window with Expert Options showing. Expert Options shows Key file / provider with the warning that if the file is lost or contents changed, the database cannot be opened anymore. Expert options also show Windows user account, with the warning that if the user account is lost, it is not sufficient to create a new account with the same name and password.
From this window multiple elements can be selected, but at least 1 must be chosen to move forward. Connecting to the Windows user account can be a good solution for home users, only needing to access their device in order to access the rest of their passwords. I do not recommend this setting in enterprise environments – I have seen cases of bad GPO deployment where databases were lost due to changes to the account from external providers.
Selecting a master password should include using something memorable rather than a mix of random letters, numbers & special characters. [XKCD] There are random passphrase generators, namely Correct Horse Battery Staple, but ideally you would be using something unique to you and adding entropy through the substitution of some characters. The longer your passphrase the better, given additional characters increase the strength more than increasing complexity (use of special characters).
Once an authentication method is chosen, the creation process continues:
KeePass – Create New Database Step 3 window in the General Tab. Database Name shows “Demo” and Database description reads “This is a demo KeePass database”
Enter identifiable information for the name and description, particularly if running multiple databases. Then move onto the Security tab.
KeePass – Create New Database Step 3 window in the security tab. All settings are on the default
By pressing the ‘1 Second Delay’ button, the number of iterations is updated such that it will take 1 second for each attempt to open the database. This reduces the risk from brute force attacks, as each attempt requires 1 second, as opposed to an attacker being able to try multiple combinations per second. The compression tab allows to use GZip to compress the database, or use no compression.
KeePass – Create New Database Step 3 window in the compression tab. Default setting is GZip
KeePass – Create New Database Step 3 window in the Recycle bin tab. Default setting is to use a Recycle bin & create a new group for deleted entries
If you want to immediately delete entries uncheck the Use a Recycle bin option. Otherwise, leave as-is and control deleted entries as necessary. Finally, the advanced tab. Here the options to recommend & force changing the master key can be found. My recommendation is to check both the “Recommend changing the master key” and “Force changing the master key” and setting both to 180 days (approx 6 months)
KeePass – Create New Database Step 3 window in the Advanced tab. All settings are on their default selection, no elements checked for changes to the master key.
Once you are done with this, KeePass will suggest printing an emergency sheet. This is the only recourse for accessing your database if you forget / lose the master key. If the master key is changed / acces methods modified, this document will need to be generated again. It is important to store this document securely in a safe when printed. The sheet contains instructions to where backups are stored and what the master password is. Both entries are to be filled out by the user.
KeePass Emergency Sheet window explaining that the emergency sheet will contain all the important information required to open the database.
Once this procedure is over, KeePass shows the main window.
KeePass main window after creating a new database
Before starting to create unique passwords all the online accounts, it’s important to create the template. Otherwise, the system will defer to defaults which may not include the standards you or your organisation may be aspiring to. In the tools menu, select Generate password. From here we’re going to establish the defaults for new passwords. First, increasing the length of generated passwords to 40 or more characters. (Length > complexity). Then increase complexity by including all alphanumerical characters, minus, underline & special characters. “Space”, Brackets & Latin-1 can also be picked, but be wary some services may have difficulty processing these characters. Additionally, if you are going to be using these to log in to other devices, these characters may not be available on the keyboard.
KeePass Password Generator window in the Settings tab. ‘Generate using chaarcter set:’ is selected with length of password at 40 characters. Alphanumerical characters are selected, along with ‘Minus’, ‘underline’, and ‘Special’.
Optionally, thinking of the situations where you may need to type out the password rather than copy-paste from the manager we move to the Advanced (!) tab and check ‘Exclude look-alike characters’.
KeePass Password generator window in the Advanced (!) tab, with ‘Exclude lookalike characters’ marked.
From here return to the settings tab and click the ‘save’ icon.
Save icon in the Generate Password tabSave as Profile prompt after clicking the ‘save’ icon. Profile name holds the (Automatically generated passwords for new entries) profile name.
In the save as profile you can click the arrow on the right, and select the ‘Automatically generated passwords’ so that KeePass will use this for all new entries. Alternatively, if you have multiple requirements, you can save repeat the previous steps and save the profiles according to your various needs. For most users, setting this as the default will provide sufficient security, and default complexity can always be increased in the future by following the same steps.
You’ll want to save your database and start creating your entries.
KeePass window with the save icon highlighted.
In order to create a new entry, click on the keys icon which opens the ‘New Entry’ window.
Keepass toolbar with the ‘New Entry’ icon highlightedKeePass Add Entry window
In the Add Entry Window, fill out the fields ‘Title’, ‘User name’, ‘URL’ with the relevant information. If there is additional information for the account this can be stored in the ‘Notes’ field. For example tools using SSO you can mention to ignore the password and rather which credentials need to be used. Additionally, in the Notes field you can mention which method of 2FA/MFA you are using for that entry. Finally, click on the clock at the bottom and select when you want the password to expire.
KeePass Add Entry window with the ‘clock’ icon highlighted
Selecting a time frame will then mark the password entry with a large X in the main window when you are looking to use it next. Default expiry times are 1 & 2 weeks, 1, 3 & 6 months as well as 1 year. My recommendation is 1 year for basic web services and 3-6 months for more sensitive items. This can also be used if you are testing out services, to delete your profile if you are not using the service rather than keeping an inactive account.
If the website / program complains your password is too long or uses characters it doesn’t accept you can change the password manually by clicking the 3 dots next to the password field which will make it legible as plaintext:
KeePass Add Entry window, with the 3 dots highlighted and the password shown in plaintext.
You can remove the problematic characters, and reduce the password length. If you have set an expiry date, it will be better to select the key icon, open the password generator and modify the defaults for the entry.
KeePass Password Generator window for a specific entry, Length reduced to 18KeePass Password Generator Advanced Tab showing the Exclude characters lineKeePass Password Generator showing ‘Derive from previous password’ as the password profile
Now, when you are updating the password for this entry, the password will be derived from the previous requirements.
Cloud Sync
The official installers work for Windows 7, 8, 10 or Server editions. For Linux distributions, KeePass is available in most default repos making it particularly easy to install and deploy. There are community ports to mobile devices such as Android, iOS, and MacOS. These can be found in the downloads page. As mentionned above, one of the advantages of KeePass, is being able to have multiple databases. If you need to provide support to family, they can share their database with you through a cloud storage service. Likewise, if you want to access certain accounts through your phone, you can do this with any number of cloud storage providers or even your own file server.
Things to keep in mind: 1. Sharing your database & master key with other people means they can access all of the accounts in the database. Segregate as needed (ISP credentials are not as sensitive as say, banking). 2. While the database is encrypted once locked, that does not mean people with access to your cloud storage can’t make a copy and brute force their way to your passwords. Select a strong master key and segregate which accounts you want to access from mobile device and which ones only from your PC: 3. If using a mobile port of KeePass, be mindful of how your cloud sotrage managed version control. You can quickly end up with a very different database on your phone than that which you are using on your computer.
Nice to know
You can store your password entries in the order you want. Keeping your entries organised according to what the services provide will help you find them faster. It is however not necessary, as KeePass offers a search bar which will show you all entries that match that description.
KeePass main window, with search bar & sorting pane highlighted
By default, KeePass will offer to autofill forms for you. I have had instances where hardware issues led to credentials beeing sent out on messaging applications. If this is an issue, it can be removed by opening the Options window (Tools->options) and selecting the integration tab. By changing all shortcuts to ‘None’ credentials are only stored in the clipboard when you actively select to copy them.
KeePass Options window with all System-wide hotkeys set to ‘None’.
Finally, if you are setting expiry dates on your credentials, you can let KeePass show you which passwords have expired or will expire soon on startup. The entries appear as follows:
KeePass main window showing expired and soon to expire entries
To set this, in the Options window (Tools -> Options) select the Advanced tab. Scroll down to the “After Opening a Database” group and select both entries.
KeePass Options window, Advanced tab showing the ‘After opening a Database’ group with both options checked.
