KeePassXC is one of the best password managers out there, notorious for its (intentional) lack of cloud syncing. But just because it’s offline doesn’t mean it has poor functionality. Here are some useful extras that will improve your security and overall KeePassXC experience.
Secret Key File
You can maximize the security of your passwords by using a “key file” as a multi-factor authentication method to open your KeePassXC database. Once enabled, in addition to your password, you’ll need to provide that key file. Even if you know the password, you won’t be able to log in without an unaltered copy of the key file.
You can use any file as a key file, but using KeePassXC’s file generator is best, as it’s guaranteed to be unique and not something you’d be tempted to edit. That’s critical because if the key file is ever modified, KeePassXC will no longer recognize it as legitimate, effectively locking you out of your database.
If you didn’t create your database with a key file, you can always add one by going to Database > Database Settings and then clicking the “Security” tab. Click “Add Additional Protection” and then “Add Key File”, and KeePassXC will allow you to generate a unique key file or browse to an existing one. Be sure to back up your key file with a copy in a secure location so you don’t lose access.
Generating strong passwords for you, instead of leaving you to create them yourself (or worse, reuse old ones), is a standard feature of any reputable password manager. However, you may not realize all that you can do with the KeePassXC generator.
Since account logins often require (or don’t allow) specific types of characters, you can choose character sets to randomly apply to your password, such as numbers, special characters, and even some puzzling ASCII characters. By switching tabs, you can also generate random passphrases, which is perfect when you need a strong password that’s also easy to memorize.
Password Status Check
If you’ve imported passwords into your database instead of generating them all with KeePassXC’s password generator, you probably have some weak passwords that you need to fix. Fortunately, KeePassXC can find them automatically. With your database open, go to Database > Database Reports and then click on the “Password Health” tab.
We had a lot of passwords that needed attention. Each one is rated on a scale of 1 to 100, though the score can even go negative for reused passwords. You can double-click each one to open it and start securing it.
You can also click at any time on “Weak Passwords” in the lower left corner of your database, or type is:weak in the search bar. KeePassXC will list all of your accounts whose passwords are rated as “weak” so that you can work on protecting those accounts with strong passwords.
This one comes with a big caveat: generating your TOTP (one-time password) codes in the same database as your passwords essentially defeats the purpose of TOTP secrets. Still, it’s better than not using any two-factor authentication (2FA) method at all, since at least you’re protected from anyone who manages to learn your password without breaking into your vault.
However, for maximum security, the best approach is to create a separate database for your TOTP codes, protected by a different password than the database that holds your passwords. If you’re already using an authenticator app that you like, you’re probably better off sticking with it. The only benefit KeePassXC adds is that it avoids the need for a separate app for 2FA codes.
To start using KeePassXC for your 2FA logins, you’ll need to highlight an entry in your database and go to Entries > TOTP > Configure TOTP, where you’ll be prompted for the secret key provided by the account you’re securing.
If you find yourself opening your KeePassXC database multiple times a day but don’t want to leave it open, you can make your life easier by enabling the quick unlock feature. Assuming you’ve set up Windows Hello or, on a Mac, Touch ID, you can lock your database when you’re not using it and unlock it again in a flash using your authentication method (face recognition, fingerprints, PIN, etc.).
Most people have dozens or hundreds of passwords to manage, so finding them all can be a pain. However, grouping your passwords not only makes them easier to find, but also makes it easier to apply group rules. For example, you can configure each new entry in a group to automatically get a specific icon or to use a custom autotype scheme by default.
To get started, simply click Groups > New Group on the top menu bar and give it a name, then use the menu tabs on the left to adjust different settings for the group.
Compared to dedicated password managers like KeePassXC, your browser’s built-in password manager may feel more convenient thanks to its ability to fill out website login fields with almost no interaction on your part. However, you can get a similar KeePassXC experience by installing the official browser extension for Chrome, Firefox or Edge and connecting it to your database.
You will need to ensure that each entry in your database that you want to use has the correct URL associated with it (for example, facebook.com for your Facebook login). The extension relies on those URLs when you visit a website to find the relevant credentials to log in.
Third-Party Cloud Sync
This is not a feature, but rather a fix for one of KeePassXC’s biggest drawbacks. The app itself can’t sync your passwords over a network, which means the burden is on you to manually copy or move the database every time you need your passwords on another device. You can solve that problem with a cloud storage service you probably already use, like Google Drive or OneDrive.
Save your password database to a cloud-synced folder on your device and you’ll have instant access to the latest version of your database anywhere else you sync that folder. If you don’t want to move your KeePassXC database, you can easily sync any folder to the cloud using symbolic links. Just make sure the account you’re syncing with is also secure.