Open Source Security Tech

First Steps with KeePassXC

Why KeePassXC?

Most of my experience with password managers lies with KeePass. For an enterprise environment it is simple to use, easy to deploy and fairly lightweight. For my personal use I can take advantage of its portability and not worry about phishing too much, as I tend to type out websites directly when something sketchy comes around. For work, VMs and other users, however, I recommend KeePassXC now. It offers some advantages over KeePass, namely an easier interface, browser integration and TOTP.

The browser integration provides phishing protection => if users click on links asking for credentials, the extension will not recognise the domain and therefore not provide credentials. Along with the easier interface, this means users are more likely to avoid password reuse and less likely to fall for phishing attempts.

First Steps

The KeePassXC team have a great introduction to their password manager, covering details from setting up a database to the configuration of the browser integration. I highly recommend taking a look there before doing the install, even if just to make yourself aware of the different interface. You can find their getting started guide here.

Now, following the steps from the KeePass guide, there are some differences in the procedures. The first is the key transformation: instead of telling the system how many iterations you want, KeePassXC suggests choosing how long it should take to decrypt the database.

KeePassXC settings interface, on the security menu, encryption settings tab.
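To make that trade-off concrete, here is an added example (not KeePassXC's own code; KeePassXC uses Argon2 or AES-KDF, while this uses PBKDF2-HMAC-SHA256 from the Python standard library) that times a short probe on the current machine and scales the round count to hit a chosen unlock delay:

```python
"""Pick a key-stretching work factor from a target unlock time.

Added example, not KeePassXC's own code: it mirrors the idea of choosing
"how long unlocking should take" with PBKDF2-HMAC-SHA256 from the standard
library instead of KeePassXC's AES-KDF / Argon2, so it runs anywhere.
"""
import hashlib
import os
import time

PROBE_ROUNDS = 20_000   # short run used to measure this machine's speed
MIN_ROUNDS = 100_000    # floor so a mis-timed probe never yields a weak count


def derive_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch the password into a 32-byte key with the given round count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=32)


def time_rounds(rounds: int, trials: int = 3) -> float:
    """Seconds for one derivation at `rounds`, best of `trials` runs."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_key("probe-password", salt, rounds)
        best = min(best, time.perf_counter() - start)
    return best


def calibrate_rounds(target_seconds: float) -> int:
    """Round count so one derivation takes about `target_seconds` on this box.

    PBKDF2 cost is linear in rounds, so one timed probe scales directly.
    A faster machine gets a higher count for the same delay, which is why
    the delay, not the count, is the stable thing to choose.
    """
    if target_seconds <= 0:
        raise ValueError("target_seconds must be positive")
    per_round = time_rounds(PROBE_ROUNDS) / PROBE_ROUNDS
    return max(MIN_ROUNDS, int(target_seconds / per_round))


if __name__ == "__main__":
    rounds = calibrate_rounds(1.0)            # aim for a one-second unlock
    print(f"rounds for ~1 s here: {rounds}")
    print(f"measured: {time_rounds(rounds, trials=1):.2f} s")
```

Run it on a laptop and on a desktop and the printed round counts will differ while the unlock delay stays the same, which is exactly why the time is the sensible thing to choose.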

Unlike KeePass, KeePassXC doesn’t provide password templates, nor does it offer the ability to generate a password from the previous password (useful for services with character or length limitations). The password generator takes the last used settings. My recommendation is to check the box to avoid look-alike characters (for those times you need to type it out).

Password creator with the Exclude look-alike characters checkbox ticked

Same as with KeePass, KeePassXC allows entries to auto-expire. This is not checked by default and, in my use of the application, it does not stay checked when making several entries. The preset expiry times include 1, 2 and 3 weeks, months and years.

KeePassXC new entry window with no expiry date selected.

Same as with KeePass, I recommend renewing your passwords at 6 month intervals, but at least once a year.


Unlike KeePass, KeePassXC comes with TOTP support out of the box. While arguably this is not great, as it means you are getting all your authentication tokens through the same medium, it does protect your accounts from brute-force attacks. You can’t set TOTP from the entry window, but after creating the entry right-click => TOTP => Setup TOTP. When generating your tokens, tell the web service you can’t scan the QR code, and enter the secret into the TOTP window.

Setup TOTP window with an empty Secret Key.

It is worth mentioning that you can get the secret back out of KeePassXC. Not the most secure solution, but I can see this being useful for teams connecting to client environments, as the database can be shared through KeeShare with those people who need access to it. With the browser extension, this means seamless logging in to services as all the credentials come from a single place (and the database can be locked with a passphrase & hardware token).


KeeShare sort of takes the need for cloud sync across devices away; however, my limited experience with this feature was not great, most likely due to user error and limited time / infrastructure to play with it. It is worth knowing that the KeePassXC team have documented it quite well over here.

Nice to know

You can save credentials from the browser extension directly to your database. These will be placed in a default “browser credentials” group. You can sort them into whatever folder you want if you actively use the standard interface, to find them faster.

By default, auto-type is enabled in KeePassXC, but with no assigned shortcut. With the browser extension I have not found any reason to activate it, especially after the shenanigans with KeePass spouting my credentials into a couple of services.

The browser extension requires the database to be unlocked in order to use the credentials. The icon turns green when the connection between the extension and the database is active, and grey if the connection is not present. I have found it particularly useful to be able to hide the window once it has been unlocked, as it lets me keep an uncluttered desktop and the browser lets me know if anything is the matter.

KeePassXC Application Setting window with ‘Minimize window after unlocking database’ checked

By default, the database will be saved after every change (new entry, password change, etc.). I’ve found this behaviour useful, but it is worth knowing that if you have a long decryption time it can slow down your machine. The behaviour can be modified in Application Settings => File Management.

KeePassXC Application Settings window with ‘Automatically save after every change’ option checked

Sadly, unlike KeePass, there is no option to show expired / expiring-soon entries upon loading up the interface. Expired entries will have a different icon showing that the entry has expired, and the title will be struck through.

KeePassXC expired entry “Test” with the expired entry icon, & title crossed through

KeePass or KeePassXC?

I think it really comes down to the user. Both offer similar levels of protection for the users’ databases; they differ mainly in what they offer out of the box. Neither solution has been ported to Android or iOS, which means regardless of what you pick, there will always be another party accessing your passwords. I believe KeePass will continue to have its place in enterprise environments, where it outperforms the XC variant through a slimmer interface. KeePassXC does provide a nicer experience for first-time users, with default settings that make it easy to use from the get-go. As long as you don’t use TOTP, you can use both with the same database and decide later on.

Privacy Security Tech

Dissecting SPAM

Everyone receives unwanted messages on a daily basis. Sometimes it’s just marketing; in other cases it’s less benign. In the case of a scam or a phishing attack, the sender wants you to hand over some data (usually financial). Having recently received some unwanted, but benign, mail, it made sense to show what steps to follow when things seem to be a bit... odd.

Follow your gut

If a message seems to be telling you to do something urgently, makes you feel under pressure or in any other way uncomfortable, take a step back. Who sent you this email? Were you expecting the email? Does the email show any signs of illegitimacy? By inspecting these you can avoid most of the low-hanging fruit that makes it past your spam filters. I recently received a (benign) spam message which I’d like to deconstruct.

Who sent you the email?

The first thing to do is verify who sent you the email. Anyone can change the name that appears in the “From” field; email addresses take a little more work to impersonate. If the email is unexpected but from a known source, let them know. Their systems may be compromised, and you avoided infecting your own system by verifying. Otherwise, it may come from a very distinctly fake address.

Email headers claiming to be Spotify but from an unrelated account, with a pressing subject line urging to update payment details today.

Even if the sender had managed to spoof the Spotify domain, I would still have been able to see that there was an issue, as the recipient address had never been linked to Spotify (use a password manager! they help track these things).

Check the links

Email spoofing Spotify stating that payment failed and several flaws within the content

Usually, links will point to a spoofed domain in an attempt to get PII or CC data. (DHL example here) Will has a great account to follow on Twitter for recent phishing & malware campaigns. In the DHL example, links pointed to the following domains (both are malicious!): sbankrf[.]ru/f4e9f0f6a5/online-gov/wikipedia/ and yoursplace[.]com/invoice.dlh.custumers-pm/ .
Given that the initial communication suggested the message came from DHL, it can be seen that neither of the 2 domains is in any way affiliated with DHL. The first URL includes online-gov and wikipedia, neither of which are in any way affiliated with DHL. The second URL uses a typo in ‘dlh’ to create the impression of affiliation.

In the case of my Spotify spam... the links pointed to Google Maps, at the address of Spotify HQ in Stockholm, Sweden. As I said, a benign message.

Check the Content

Finally, if everything seems legit but you don’t want to bother your friend/colleague/business relation just yet, check the email contents. Many scams contain blatant grammar / spelling errors, with the strategy that those people who click through anyway are more likely to also give up their banking details. Red flags in this case:

  • Spotify New Family -> At the time of writing, such a subscription did not exist.
  • This message was sent. This sentence is really weird. You would expect “sent by” or “sent from” or even “sent to [email address]” in order to claim the sender is legit. The sentence as it is suggests the message was written by someone with a different primary language, rather than being one of the company’s automatic messages.
  • Terms of Use Technical requirements Contact Us This final line, just above the Spotify HQ address, has no links to any of those pages. In a legitimate email those would link to the appropriate pages of the website / mail addresses.
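The first two checks above (who really sent it, and where the links go) can be partly mechanised. The following is an added example, not something from the original post: it parses a constructed message modelled on the Spotify one (reserved example.com / .test names, made up for this illustration) and reports the display name against the real sender domain, plus every link whose host is not the brand's own domain or a subdomain of it. The grammar check stays with the human reader.

```python
"""Triage a suspicious email: who really sent it, and where do the links go?

Added example, not from the original post. The message is constructed with
reserved example.com / .test names; the checks are a defender's first pass.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

RAW_EMAIL = """\
From: "Spotify" <billing@mailer-42.example.com>
Subject: Update your payment details today
Content-Type: text/html; charset="utf-8"

<p>Your Spotify New Family payment failed. This message was sent.</p>
<a href="https://www.spotify.com/account">Open account</a>
<a href="http://spotify.payments-update.test/invoice">Update now</a>
<a href="https://www.sp0tify-login.test/login">Sign in</a>
"""
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def same_site(host: str, brand_domain: str) -> bool:
    """True only for brand_domain itself or a subdomain; look-alikes fail."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def triage(raw: str, brand_domain: str) -> dict:
    """Compare the claimed sender and every link target with brand_domain."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(msg["From"])
    sender_domain = address.rpartition("@")[2]
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    suspicious_links = [
        url for url in HREF_RE.findall(body)
        if not same_site(urlparse(url).hostname or "", brand_domain)
    ]
    return {
        "display_name": display_name,           # what the mail client shows
        "sender_domain": sender_domain,         # what the address really is
        "sender_matches_brand": same_site(sender_domain, brand_domain),
        "suspicious_links": suspicious_links,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL, "spotify.com").items():
        print(f"{key}: {value}")
```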

What to do after the fact?

Any of the above points should provide enough evidence to decide whether a message or sender is legitimate. This leaves 4 possibilities, which can be trimmed down to 2:

  • Sender is legitimate => contact the sender and verify they intended the message for you.
    • If it did not come from the sender, proceed as though the sender is not legitimate.
  • Sender is not legitimate => flag it as spam.

In a corporate environment, it’s good to inform your IT/Security departments so that the malicious domains can be blocked and your colleagues better protected.