Setting adjustments are necessary to get the most out of the app
Whether you’re fed up with online password managers or just mistrust them, KeePassXC is a great way to securely self-manage your passwords. It doesn’t exactly replicate an online password manager, but that’s kind of the point. Overall, it covers the basics, and its ease and flexibility of use make up for its shortcomings.
Price comparison from over 24,000 stores worldwide
Price comparison from Backmarket
Simplicity is an asset. It’s what sells online password managers—they take the hassle out of managing dozens (if not hundreds) of unique, complex logins. You sign up, install a browser extension, click a few buttons, and the service handles the rest. But online password managers require trusting a third-party with sensitive data. While most are worthy of such faith, it takes just one big slip up (like LastPass’s epic failure to strongly safeguard its servers and also fully encrypt all customer data) to prove everyone’s worst fears.
An offline password manager is really the only way to fully control your logins…yet the most popular of them, KeePass, is not exactly simple. Learning its ins and outs can be a turn off to all but the very patient, even if you’re reasonably tech savvy.
Fortunately, there’s a streamlined alternative to the official KeePass app: KeePassXC. It’s just as open source and free, but with its more modern interface, it’s a far easier program to use. Basic features considered standard for password managers are baked into the software, unlike KeePass. You still need the stomach for maintaining and backing up your entire collection of passwords—no small responsibility—but you can be up and running with this app pretty quickly. And once you are, it’s agreat blend of secure password management with lower risk of a stolen password vault.
Further reading: See our roundup of the best password managers to learn about competing products.
KeePassXC: How it works
As an offline password manager, KeePassXC saves your login info in a database file. You can open these .kdbx files in any program capable of reading them (including mobile apps and version 2.x of the official KeePass app), as well as visa versa—it’s the same principle as being able to open a .doc file in Word, LibreOffice, Google Docs, etc. KeePassXC ships with built-in browser integration, too.
Database files can be saved anywhere you wish. You can keep them completely offline, choosing to make copies on every device you want access from. You can put them into the cloud and thus approximate the convenience of an online password manager. You can strike a middle ground and use a service like SyncThing to keep copies of your database(s) synced across devices without using cloud storage.
But no matter how many databases you create and how you choose to store them, you’re solely responsible for maintaining and backing up your files. You have no safety net. If you forget your master password, there’s no recovery option. If your database file corrupts or is accidentally deleted, you’ve lost that data unless you made a backup. If you add a keyfile or hardware key as extra protection for your database, it’s on you to always keep it on hand. This is the trade-off for having full control over all your login info.
KeePassXC: The basics
Opening the app for the first time drops you into a clean, uncluttered screen designed to get you started quickly. You can choose to create a new database, open an existing one, or import one from a CSV file, 1Password, or an older version of KeePass (1.x). The first two options are straightforward—even if you’re not familiar with encryption settings, the app suggests defaults when creating a fresh database that should work well, especially if you’re new to password managers. If you already know your stuff, it’s easy to tweak things to your liking.
What can take longer is switching from a different password manager. You’ll first export your vault to a file, then import that into KeePassXC. If your previous service has sloppy CSV exports, you’ll have to burn time cleaning up the entries. You may also need to spend time on cleanup if you import multiple files into KeePassXC, merge them into one database, and end up with some duplicate entries.
Tip: If you plan to export your existing password vault to a CSV file, use VeraCrypt to create an encrypted folder (“volume”), and save your CSV to that secure location. That way, your passwords remain protected at every step of the transition process.
Once you’ve set up your database (or databases—you can have more than one open at the same time), using it is easy to figure out. This is largely due to the pared-down number of options you have. KeePassXC does not support plugins, like the official KeePass app does. Instead, it gives you all the basic features you’d need from a password manager, and leaves things at that.
Case in point: You get just one kind of entry meant for logins. No other types like secure notes, credit cards, or identities are available. And when you fill out a password entry, there’s just a handful of fields: user ID, password, URL, notes, and tags. You can set up two-factor authentication TOTP tokens as well, plus attach files or create custom attributes (text fields), but that’s it. The fundamentals are covered, but you don’t get more.
Those entries get stored in folders—either in the default “Root” directory, or in a subfolder you create—and you can only interact with them through the left hand navigation bar or the search feature. (The latter is much faster, once you figure out how to use it efficiently.) Moving entries between folders requires dragging and dropping; you can’t also change the assigned folder within the entry itself.
Even the settings are fairly streamlined—though they’re split up so that you separately adjust them for applications and entries, you can’t really go too deep into the menus. You can also usually figure out through context what each setting is for, and whatever isn’t clear can be quickly looked up in the user guide (or answered through a fast online search).
One such thing I had to look up myself was auto-type—KeePassXC’s equivalent of auto-fill. It’s very smooth, and helps bypass the risk of copying passwords to your clipboard (which can be viewed by other apps on your PC) or using the browser extension (a practice that in general can expose a password database or vault to a little more risk). You load the website, click in one of the login fields, then switch to KeePassXC and choose the info you want to auto-type into the webpage. You can even create custom auto-type commands for individual entries, if their login page layout doesn’t match the default auto-type options.
KeePassXC: The stuff you’ll want to tweak
By default, KeePassXC sticks to the most basic experience—and while that’s good enough, you can make the program even better if you dig into the settings.
For users who want an experience closer to that of an online password manage, you’ll need to flip on the built-on browser integration in the application settings. Installing the native KeePassXC browser extensions won’t work otherwise. You can limit it to specific browsers, and even turn access to certain entries on or off in each one’s settings.
For folks who need to share their passwords with others, you’ll want to set up KeeShare. It basically creates a separate database with passwords that get synced between you and other people, as well as your main database. It’s how you can securely share your Netflix password with your household members. Any changes made to those shared entries will be seen by everyone with access.
Alaina Yee / Foundry
For those who want stronger protection for their database files, you can add a keyfile or a hardware key to your login process. (This can be done when first creating a database, or set up afterward.) A keyfile is a separate file that must be provided along with a password to unlock your database, while a hardware key must be physically inserted into your PC and detected by KeePassXC when you enter your password. It’s not exactly two-factor authentication (you can read why in this explanation in KeePassXC’s FAQ), but it does strengthen your password. It also can create a holy headache if you lose the keyfile or hardware key, or if you’re dealing with mobile apps that don’t have good support for hardware keys.
And for anyone who wants to access their database file (either via a local copy or a cloud save) on mobile, you’ll have to pick a third-party mobile app. Obviously, this isn’t a setting to adjust—but because KeePassXC lacks a native mobile app, you’ll have to do a little extra work to find a compatible Android or iOS app that you like. Currently, the most popular options are KeePass2Android or KeePassDX for Android, and Strongbox or KeePassium for iOS, but you may find your tastes don’t run in those directions.
There are other smaller settings you may want to play with, too. For example, the database doesn’t automatically lock after a period of inactivity—I changed that right away. I also decided to clear search queries after several minutes, and lengthen the automatic clearing of the clipboard from 10 seconds to 15. And you may want to keep your entries’ usernames, passwords, and notes hidden from view. These details may seem small, but adjusting them and others to your exact liking can go a long way toward feeling comfortable using KeePassXC on a daily basis.
KeePassXC: What’s missing compared to online services
As good as KeePassXC is as a self-contained password manager, its online competition still outdoes it in a few key areas.
Its biggest weakness: The browser extension is more of a way to autofill login info already in your database. Oh, it can capture and save new login info as you create it for a website, but it doesn’t always recognize those situations. And when it does, the dialog banner often disappears incredibly fast—I had to be very fast on the draw to save my passwords.
KeePassXC also lacks features like password auditing, where it automatically checks if your passwords have been compromised in a data breach, as well as dark web monitoring. You’re on your own on this front.
Setting up a hardware key (like a Yubikey) is more complicated, too. For starters, you have to first configure it to work with KeePassXC. I also spent a lot more time troubleshooting mine than I expected—especially when I didn’t initially realize that you have to start KeePassXC in Windows’ administrator mode for it to recognize a hardware key. Add in the difficulties with the third-party mobile apps I tried, and I eventually just stripped it from my database to finish this review. If you use a strong, unique password at least 24 characters long, you should have enough protection, but I still wanted it to work anyway.
Should you use KeePassXC?
If you’re fed up with online password managers, or you just have never trusted them to begin with, KeePassXC is an excellent way to securely self-manage your passwords. You need far less elbow grease to get up and running (unlike with the official KeePass app), as most modern password-manager features are baked in. It doesn’t exactly replicate an online password manager, but it adequately covers the basics. Overall, its ease and flexibility of use make up for its shortcomings.
Alaina Yee is PCWorld's resident bargain hunter—when she's not covering software, PC building, and more, she's scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.