Quick Links

KeePassXC is one of the best password managers out there, known for its (intentional) lack of cloud-syncing. But just because it's offline doesn't mean it's light on functionality. Here are some handy extras that will enhance your security and overall experience of KeePassXC.

Secret Key File

You can maximize your passwords' security by using a "key file" as a multi-factor authentication method to open your KeePassXC database. Once enabled, in addition to your password, you'll have to provide that key file. Even if you know the password, you won't be able to login without an unaltered copy of the key file.

Key file for a KeePassXC database.

You can use any file as a key file, but using KeePassXC's file generator is best since it's guaranteed to be unique and isn't something you'll be tempted to edit. That's critical because if the key file ever gets modified, KeePassXC will no longer recognize it as legitimate, effectively locking you out of your database.

If you didn't create your database with a key file, you can always add one by going to Database > Database Settings and then clicking the "Security" tab. Click "Add Additional Protection" and then "Add Key File," and KeePassXC will let you either generate a unique key file or browse for an existing one. Be sure to back up your key file with a copy in a secure location so you don't lose access.

Password Generator

KeePassXC's passphrase generator.

The ability to generate strong passwords rather than leaving you to create passwords yourself (or, worse, reusing old passwords) is a standard feature of any respectable password manager. However, you may not realize how much you can do with KeePassXC's generator.

Since account logins often require (or don't allow) specific types of characters, you can choose character sets to apply randomly to your password, like numerals, special characters, and even some baffling ASCII characters. By switching tabs, you can also generate random passphrases (seen in the screenshot above), which is perfect when you need a strong password that's also easy to memorize.

Password Health Check

If you've imported passwords into your database rather than generating them all using KeePassXC's password generator, chances are you have some less-than-secure passwords that need fixing. Fortunately, KeePassXC can automatically find these for you. With your database open, go to Database > Database Reports, and then click the "Password Health" tab.

Click the Password Health tab in KeePassXC.

As you can see, we had a lot of passwords that needed attention. Each is rated on a scale of 1-100, but it even drops into the negatives for reused passwords. You can double-click each one to open and start securing it.

You can also at any time click "Weak Passwords" in the lower-left corner of your database, or type

        is:weak
    

into the search bar. KeePassXC will list all of your accounts whose passwords it's graded as "weak" so you can get to work securing those accounts with strong passwords.

Related: How to Check if Your Password Has Been Stolen

TOTP Generator

This one comes with a huge caveat: generating your TOTP (timed one-time password) codes in the same database as your passwords essentially defeats the purpose of TOTP secrets. Still, it's better than not using any two-factor authentication (2FA) method at all since at least you're protected from anyone who manages to learn your password without accessing your vault.

For maximum security, though, the best approach is to create a separate database for your TOTP codes with a password different from the one for your passwords. If you're already using an authenticator app you like, you're probably better off sticking with it. The only benefit it adds is avoiding needing a separate app for 2FA codes.

To start using KeePassXC for your 2FA logins, you'll need to highlight an entry in your database and go to Entries > TOTP > Set Up TOTP, where you'll be asked for the secret key provided by the account you're securing.

Related: How to Turn on Two-Factor Authentication on Instagram

Quick Unlock

A locked KeePassXC database with the quick unlock button available.

If you find yourself opening your KeePassXC database multiple times a day but don't want to leave it open, you can make your life simpler by enabling the quick unlock feature. Assuming you've set up Windows Hello or, on a Mac, Touch ID, you can lock your database when you're not using and unlock it again in a flash using your authentication method (facial recognition, fingerprinting, PIN, etc.)

Password Groups

Most people have dozens or hundreds of passwords to manage, so finding them all can be a pain. Grouping your passwords, though, makes them not only easier to find, but also easier to apply group rules. For example, you can set every new entry in a group to automatically get a specific icon, or to use a custom auto-type scheme by default.

To get started, just click Groups > New Group in the top menu bar and give it a name, then use the left-hand menu tabs to adjust different settings for the group.

Browser Integration

Compared to dedicated password managers like KeePassXC, your browser's built-in password manager can feel more convenient thanks to its ability to complete website login fields with almost no interaction from you. You can get a similar experience from KeePassXC, though, by installing the official browser extension for Chrome, Firefox, or Edge and connecting it to your database.

You'll need to make sure each entry in your database you want to use has the correct URL associated with it (for example,

        facebook.com
    

for your Facebook entry) The extension relies on those when you visit a website to find relevant credentials to enter.

Third-Party Cloud Sync

This isn't a feature but a workaround for one of KeePassXC's biggest drawbacks. The app itself can't sync your passwords over a network, which means you're burdened with manually copying or moving databases anytime you need your passwords on another device. You can solve that problem with a cloud storage service you probably already use, like Google Drive or OneDrive.

Save your password database to a cloud-synced folder on your device, and you'll have instant access to the latest version of your database everywhere else you sync that folder. If you don't want to move your KeePassXC database, you can easily sync any folder to the cloud using symbolic links. Just make sure the account you're syncing with is also secure.