Weak passwords, reused passwords, or passwords based on “magic formulas” weaken your online security significantly. We suggest password management software to generate strong passwords, store passwords securely, and keep track of passwords.
In this tutorial for beginners, we set up and show a typical use case of KeePassXC, an open-source password manager.
The following steps are required before creating your first database:
- Download KeePassXC and install it on your operating system. For this tutorial, we use KeePassXC 2.6.0. If you install another version of KeePassXC, the setup and usage might differ.
- Start KeePassXC.
- If your operating system manages the KeePassXC package, select “No” when asked, “Would you like KeePassXC to check for updates on startup?” If you update it manually, or you are unsure, select “Yes.”
Create your first database
After starting KeePassXC, click “Create new database.” Set the database name and a description, as shown in the picture below. Click “Continue.”
Keep or change the encryption settings
After setting a name and description, you can change the encryption settings. We recommend staying with the defaults if there are no particular reasons to change them.
- You can set the “Decryption Time” to up to 5 seconds. This setting slows down unlocking your database, which makes brute-force attacks on the database file correspondingly more time-consuming.
- We recommend using “KDBX 4.0” (default) as the database format.
If you want to change the encryption algorithm, key derivation function, or other advanced settings, click “Advanced Settings,” as shown in the picture below:
The “Advanced Settings” allow you to choose:
- Encryption Algorithm: AES 256-bit (default), Twofish 256-bit, ChaCha20 256-bit.
- Key Derivation Function: Argon2 (KDBX 4 – recommended; default), AES-KDF (KDBX 4), AES-KDF (KDBX 3.1).
- Transformation rounds: 10 (default).
- Memory Usage: 64 MiB (default).
- Parallelism: 2 threads (default).
We recommend AES-256 and Argon2. The remaining parameters (transformation rounds, memory usage, parallelism) can be increased to slow down your database’s decryption time.
The defaults are shown in the image below:
After setting the “Encryption settings,” click “Continue.”
Set a password or passphrase
Finally, you have to set a password or passphrase that is used to protect all database entries. We recommend that you click the small dice icon (🎲) in the password field to generate a random passphrase.
Clicking the dice icon opens the “Generate Password” window, as shown in the picture below:
Alternatively, you can select “Passphrase.” We recommend a 9-word passphrase: words are easier to type correctly than a long random character string, so spelling mistakes when unlocking your database are less likely. You can write down the passphrase and store it offline.
The following screenshot shows the default setting (7-word passphrase):
After setting your password or passphrase, click “Done.” If you want to add a key file or YubiKey, see Next steps.
Check the settings
You created your first database. Now, we recommend checking the default settings of KeePassXC. Go to “Tools” → “Settings.”
We recommend selecting “Backup database file before saving,” as shown in the next picture. Enable or disable the remaining settings as required.
The security settings allow you to customize timeouts and lock events:
Create your first entry
After creating the database itself, you can add your first entry. You should see an empty “Root” folder, as shown below:
Click “Entries” → “New Entry.” Alternatively, press CTRL + N, or click the “plus” icon.
Enter the title of the account, your username for the account, your password, and the URL. If you didn’t set a password for the account before, click the “dice” icon to generate a random password or passphrase again.
Moreover, you can set a date when your password expires. There are some presets for the expiration (click “Presets”).
If you click the “download” icon (to the right of the URL field), KeePassXC downloads the favicon of the URL. The favicon is then shown in front of the entry in your database, which makes it easier to spot the account you are looking for.
An example entry is shown below:
Additionally, you can set attributes or add attachments. These features can be helpful in some use cases:
Instead of downloading the favicon, you can select default icons or manually add icons, as shown below:
Done. You created your first database and your first entry. Now, you can add more entries, migrate to strong passwords, and fully discover all settings of KeePassXC.
Tip: Use the “Auto-Type” feature that automatically types your username and password into a form. On Linux, select the form, switch to KeePassXC, select the correct entry and press SHIFT + CTRL + V.
Customize KeePassXC for your use cases. You can read our article “Modern credential management” for advanced credential management.
You can also add a key file or a YubiKey for additional protection. Finally, have a look at the password statistics, as explained below:
Add a key file or YubiKey/OnlyKey
KeePassXC supports adding a key file or a YubiKey for additional protection. Understand the pros and cons of both options.
A key file can be any file. However, you should use a file that contains random bytes. For instance, on many Linux systems, you can enter the following command to create a key file containing about 10 MB of random bytes: dd if=/dev/urandom of=keyfile bs=1M count=10.
- Some benefits: It is free (no cost). You can easily back up your key file. It is beginner-friendly.
- Some drawbacks: Malware or an attacker can easily copy your key file. You can accidentally modify or remove the key file.
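The two drawbacks above can be reduced with a little care when creating the key file. The following script is an added example (not part of the tutorial or of the KeePassXC project): it creates the key file with the same dd command, restricts it to the owner, makes it read-only, and records a SHA-256 digest so that accidental modification is noticed before you lock yourself out. The function names and the “.sha256” sidecar file are this example’s own conventions.

```shell
#!/bin/sh
# Added example: create and protect a KeePassXC key file.

# Print the SHA-256 digest of a file; use shasum where sha256sum is missing.
keyfile_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_keyfile PATH [MIB]: write MIB mebibytes (default 10) of /dev/urandom to
# PATH, readable by the owner only, and store its digest in PATH.sha256.
make_keyfile() {
    out="$1"; mib="${2:-10}"
    # Never silently replace a key file that may already protect a database.
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing $out" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is created without group/world bits.
    (umask 077; dd if=/dev/urandom of="$out" bs=1M count="$mib" 2>/dev/null) || return 1
    chmod 400 "$out"                     # owner read-only guards against accidental edits
    keyfile_digest "$out" > "$out.sha256"
}

# verify_keyfile PATH [MIB]: fail if the size or the digest no longer matches
# what make_keyfile produced (e.g. the file was truncated or edited).
verify_keyfile() {
    out="$1"; mib="${2:-10}"
    expected=$((mib * 1024 * 1024))
    actual=$(wc -c < "$out" | tr -d ' ')
    if [ "$actual" -ne "$expected" ]; then
        echo "size mismatch: $actual bytes, expected $expected" >&2
        return 1
    fi
    if [ "$(keyfile_digest "$out")" != "$(cat "$out.sha256")" ]; then
        echo "digest mismatch: key file was modified" >&2
        return 1
    fi
}
```

Run verify_keyfile on every backup copy as well; a key file copy whose digest differs will not unlock the database.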
YubiKey or OnlyKey
A YubiKey is a physical security token (see our YubiKey articles). We recommend setting up two YubiKeys (primary + backup).
- Some benefits: It significantly strengthens the key that protects your database. It can’t be accidentally modified.
- Some drawbacks: It isn’t free. You need a backup in case you lose your YubiKey. Setting it up may be hard for beginners.
In the following, you see the settings “Database Credentials” where you can add a key file or a YubiKey:
KeePassXC gives an insight into your passwords, as shown in the picture below. Check these statistics regularly to improve the strength of your passwords:
Is KeePassXC the perfect and most secure password manager? No, it isn’t. For instance, attackers can steal your passwords by installing malware on your system, even if you set a 50-character password and use a YubiKey. Furthermore, other password managers are more appropriate for specific use cases.
Our message is: Use a password manager of your choice. KeePassXC and KeePass 2 generate strong passwords for you and store them securely. Moreover, they help you to use your passwords every day.
- KeePassXC: Homepage
- KeePassXC: Getting Started Guide
- KeePass Password Safe 2 (the original KeePass)