KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.

Last update: Jan 2, 2023

Overview

KeePassXC

KeePassXC is a modern, secure, and open-source password manager that stores and manages your most sensitive information. You can run KeePassXC on Windows, macOS, and Linux systems. KeePassXC is for people with extremely high demands of secure personal data management. It saves many different types of information, such as usernames, passwords, URLs, attachments, and notes in an offline, encrypted file that can be stored in any location, including private and public cloud solutions. For easy identification and management, user-defined titles and icons can be specified for entries. In addition, entries are sorted into customizable groups. An integrated search function allows you to use advanced patterns to easily find any entry in your database. A customizable, fast, and easy-to-use password generator utility allows you to create passwords with any combination of characters or easy to remember passphrases.

Quick Start

The QuickStart Guide gets you started using KeePassXC on your Windows, macOS, or Linux computer using pre-compiled binaries from the downloads page. Additionally, individual Linux distributions may ship their own versions, so please check your distribution's package list to see if KeePassXC is available. Detailed documentation is available in the User Guide.

Features List

KeePassXC has numerous features for novice and power users alike. Our goal is to create an application that can be used by anyone while still offering advanced features to those that need them.

Basic

Create, open, and save databases in the KDBX format (KeePass-compatible with KDBX4 and KDBX3)
Store sensitive information in entries that are organized by groups
Search for entries
Password generator
Auto-Type passwords into applications
Browser integration with Google Chrome, Mozilla Firefox, Microsoft Edge, Chromium, Vivaldi, Brave, and Tor-Browser
Entry icon download
Import databases from CSV, 1Password, and KeePass1 formats

Advanced

Database reports (password health, HIBP, and statistics)
Database export to CSV and HTML formats
TOTP storage and generation
Field references between entries
File attachments and custom attributes
Entry history and data restoration
YubiKey/OnlyKey challenge-response support
Command line interface (keepassxc-cli)
Auto-Open databases
KeeShare shared databases (import, export, and synchronize)
SSH Agent
FreeDesktop.org Secret Service (replace Gnome keyring, etc.)
Additional encryption choices: Twofish and ChaCha20

For a full list of changes, read the CHANGELOG document.
For a full list of keyboard shortcuts, see KeyboardShortcuts.adoc

Building KeePassXC

Detailed instructions are available in the Build and Install page and in the Wiki.

Contributing

We are always looking for suggestions on how to improve KeePassXC. If you find any bugs or have an idea for a new feature, please let us know by opening a report in the issue tracker on GitHub, or join us on Matrix community channel or Matrix development channel, or on IRC in Libera.Chat channels #keepassxc and #keepassxc-dev.

You may directly contribute your own code by submitting a pull request. Please read the CONTRIBUTING document for further information.

Contributors are required to adhere to the project's Code of Conduct.

License

KeePassXC code is licensed under GPL-2 or GPL-3. Additional licensing for third-party files is detailed in COPYING.

Comments

Check passwords against hacked password databases [$300]

haveibeenpwned.com has an API to check if passwords have been released in a previous dump. They also provide a sha1-hashed download of their password dump at https://haveibeenpwned.com/Passwords . Their API guideline is available here: https://haveibeenpwned.com/API/v2

Expected Behavior

Ability to check all or a selection of passwords against a password dump (either downloaded or online)

Current Behavior

Currently, KeepassXC does not check against a list of passwords that has been previously compromised.

Possible Solution (bash)

#!/usr/bin/env bash
PASSWORD=('[email protected]' '[email protected]' 'password')
ONLINE=false
RELDIR="../pwnedPasswords"
OFFLINE_DATABASE=("${RELDIR}/pwned-passwords-1.0.txt" "${RELDIR}/pwned-passwords-update-1.txt" "${RELDIR}/pwned-passwords-update-2.txt")
check() {
	if ${ONLINE} ; then
		RESPONSE_POST=$(curl -s -o /dev/null -w "%{http_code}" --data "Password=${1}" "https://haveibeenpwned.com/api/v2/pwnedpassword")
		sleep 1.6
		RESPONSE_GET=$(curl -s -o /dev/null -w "%{http_code}" "https://haveibeenpwned.com/api/v2/pwnedpassword/${1}")
		RESPONSE=${RESPONSE_GET}
		sleep 1.6
		if [ ${RESPONSE} -eq 200 ]; then 
			echo "Bad password: ${1} (GET: ${RESPONSE_GET}, POST: ${RESPONSE_POST})"
		elif [ ${RESPONSE} -eq 404 ] ; then 
			echo "Good password: ${1} (GET: ${RESPONSE_GET}, POST: ${RESPONSE_POST})"
		elif [ ${RESPONSE} -eq 429 ] ; then
			echo "Too fast (wait >1.5s)"
		fi
	else
		if ! ${2} ; then
			CHECK=($(echo -n ${i} | sha1sum))
		else
			CHECK="${1}"
		fi
		LINES=$(cat ${OFFLINE_DATABASE[@]} | grep -i ${CHECK} | wc -l)
		if [ ${LINES} -gt 0 ] ; then
			echo "Bad password: ${1}"
		else
			echo "Good password: ${1}"
		fi
	fi
}

for i in ${PASSWORD[@]}; do 
	PASSWORDHASH=($(echo -n ${i} | sha1sum))
	check ${i} false
	check ${PASSWORDHASH[0]} true
done

Note: Above script checks offline for security (slow). It can be modified to check online for testing.

Context

I would like to check for passwords that have been compromised in a breach or set of breaches. I can currently do this manually with a modified version of the above script, but it is cumbersome and not as secure.

EDIT: echo ${i} -> echo -n ${i} Add note to script that it is meant for proof of concept and can be modified for offline use. Modify script to check offline

user interface new feature bounty :moneybag:

opened by ghost 152

KDBX 5 Standard
Placeholder for KeePass Database (KDBX) standard discussion. This post will be edited to include a list of features and upgrades we would like to bring to Dominik for consideration in the next KDBX format update.

Must Haves:

[ ] Standardize on Argon2id instead of Argon2d

[ ] Add Password Modification Datetime

[ ] Database/Entry Custom Data modification time

[ ] Built-in Entry Layout Specification (https://github.com/keepassxreboot/keepassxc/issues/863#issuecomment-680292058)

[ ] Built-in TOTP Specification (otp attribute)

[ ] Built-in Hardware Key Specification

[ ] Built-in Quick Unlock Specification

[ ] Built-in favorites/pinned items

[ ] Only support straight binary key files

[ ] Multi-valued core and custom fields

[ ] Proper storage format for and deduplication of BLOBs (SQLite can handle this)

[ ] Transactional edits/global history on database level, not entry level (e.g., to undo deletes or moves and to ensure overall consistency)

Nice To Haves:

[ ] Custom icon naming

[ ] Graph instead of tree structure (one item can belong to multiple groups, makes tagging somewhat redundant)

Optional Extensions: None so far

Long form discussions should be held here: #5819
file format EPIC
opened by droidmonkey 124
Add QuickUnlock Feature
With the newest and coolest feature of passphrase generator finally merged in, I find this request even more opportune - as you could tell, I have a LONG passphrase as master key for any of my databases, so my opinion may be a little biased :smile:

A rationale for this feature request is best explained by the author of keepass2android. I use this app regularly on a daily base and could not even think of practically handling the unlock procedure without this service. Here it goes, step by step (courtesy of https://keepass2android.codeplex.com/)

You should protect your password database with a strong (i.e. random and LONG) password including upper and lower case as well as numbers and special characters. Typing such a password ~~on a mobile phone~~ every time you unlock your database is time-consuming and error-prone.

Use a strong password for your database

Load your database and type the strong password once. Enable QuickUnlock

The application is locked after the time specified in the settings

If you want to re-open your database, you can type just a few characters (by default, the last 3 characters of your password) to unlock quickly and easily!

If the wrong QuickUnlock key is entered, the database is locked and the full password is required to re-open

Is this safe? First: it allows you to use a really strong password, this increases safety in case someone gets your database file. Second: If ~~you loose your phone~~ someone seize your laptop and tries to open your password database, the attacker has exactly one chance to make use of QuickUnlock. When using 3 characters and assuming 70 characters in the set of possible characters, the attacker has a 0.0003% chance of opening the file. If this sounds still too much for you, choose 4 or more characters in the settings.

I am not an expert on how this should be done correctly from a crypto perspective, but I am available and open to collaborations so to have this feature implemented :white_check_mark:
new feature EPIC
opened by seatedscribe 102
KeePassXC 2.5.3 crashes on launch on macOS 10.15.4
Expected Behavior

KeePassXC application opens as normal

Current Behavior

Application crashes immediately upon launch. A system dialog is opened (see attached image).

Steps to Reproduce

Upgrade to, or freshly install macOS 10.15.4 beta 3 on a Mac computer

Install KeePassXC by downloading from the keepassxc.org website.

Attempt to open the application.

Context

Note that KeePassX runs without problems on this same beta OS.

Debug Info

Cannot post output from app as it will not open KeePassXC - 2.5.3 Revision: current release version

Operating system: macOS 10.15.4 beta 3 CPU architecture: x64 Kernel: Darwin

Enabled extensions:

None (fresh installation)

platform: macOS
opened by grahampugh 101
Unable to connect to KeePassXC-Browser
I installed official KeePassXC-Browser from https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk

Current Behavior

KeePassXC 2.3.0 with KeePassXC browser integration checked. When trying to connect to KeePassXC-Browser, it triggers the KeePassXC window and that's all. The extension shows "Timeout or not connected to KeePassXC". KeePassHTTP is working correctly like previously.

Debug Info

KeePassXC - Version 2.3.0 Revision: 4c0ed74

Libraries:

Qt 5.9.3

libgcrypt 1.8.2

Operating system: macOS High Sierra (10.13) CPU architecture: x86_64 Kernel: darwin 17.4.0

Enabled extensions:

Auto-Type

Browser Integration

Legacy Browser Integration (KeePassHTTP)

SSH Agent

YubiKey

feature: Browser
opened by gyli 98
Integrated Password Analyzer and Health Check [$170]
Another point for the wish list: I am looking for an integrated password analysis tool that evaluates the passwords in my database both for their equality or similarity among themselves, their password strength as well as their age.

Regarding the implementation, I can imagine several variants. It could be a separate menu point, over which a test procedure can be started. At the end of the check, the result per database entry is displayed in a list. The list should be filterable according to problem type and criticality. Another possibility would be to always check the passwords in the background. For each entry, a kind of traffic light (eg green, yellow, red) and, if necessary, a warning message is displayed which indicates how secure the password of an entry is.

Examples of warning messages:

The password is used several times in the same or similar form (the entries x, y, z... use a related password)

The password is not strong.

The password is quite old (the older a password, the higher the probability that it could be stolen in an attack on the vendor).

Edit: The following plugins for the original Keepass try to achieve the same or similiar goals.

Password Counter

StrengthReport

QualityColumn

QualityHighlighter

EPIC bounty :moneybag:
opened by andkopp 97
Auto-Type Problems with @ in username
Expected Behavior

When using Auto-Type, correct USERNAME should be inserted in Form: eg: [email protected]

Current Behavior

Auto-Type replaces the @ by a " , so it would enter a wrong USERNAME into the Form: eg: myname"mydomain.tld instead of [email protected]

Possible Solution

?

Steps to Reproduce (for bugs)

Go to "site" or app or what-so-ever

Put cursor into the first formfield (eg. for username)

Press Auto-Type Global HotKey

Select the entry

Context

Trying to insert credentials for login into accounts on websites.

Your Environment

KeePassXC version/commit used: (can be found under Help -> About) : KeePassXC v2.1.0

Qt version (e.g. Qt 5.3): Qt 5.6.1

Compiler (e.g. Clang++3.6.0): N/A

Operating System and version: openSUSE LEAP 42.2 (fully patched)

Note

It might be not KeePassXC itself, because it could be, that the behavior changed after the last upgrade of KeePassXC. But I am not absolutely sure. However, you might still be able to track down the source of the problem and help fixing it.
bug feature: Auto-Type
opened by rgloor 94
Add Yubikey 2FA for unlocking databases
Description

This just just https://github.com/keepassx/keepassx/pull/52 rebased against keepassxc. All glory belongs to Kyle Manna This is a merge in feature/yubikey from #119 @johseg you can add commit by pushing to feature/yubikey branch

Things to do:

[x] Add GUI Signals for letting users know when enter the Yubikey https://github.com/keepassxreboot/keepassxc/pull/119#discussion-diff-90652592R169

[x] YubiKey appears more than once in the list when unlocking the database and then locking it again

[x] KeePassXC should remember the check state of the "Challenge Response" checkbox.

[x] Replace Q_FOREACH with C++11 for https://github.com/keepassxreboot/keepassxc/pull/119#pullrequestreview-11167761

[x] Replace Q_DECL_OVERRIDE with C++11 override

[x] Fix libXtst https://github.com/keepassxreboot/keepassxc/pull/119#pullrequestreview-11279305

[x] Fix Travis build with Yubico lib

[x] Hiding interface when plugin is disabled or not loaded (based on #125)

See this PR for more #119

Motivation and Context

Adds 2FA with yubikeys to keepassxc Fixes https://github.com/keepassxreboot/keepassxc/issues/26

How Has This Been Tested?

I've been using his fork for a while. This here is pretty much untested, I use it since today ...

Screenshots (if appropriate):

Types of changes

:negative_squared_cross_mark: Bug fix (non-breaking change which fixes an issue)

:white_check_mark: New feature (non-breaking change which adds functionality)

:negative_squared_cross_mark: Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

:white_check_mark: I have read the CONTRIBUTING document. [REQUIRED]

:negative_squared_cross_mark: My code follows the code style of this project. (I just used the existing code)

:white_check_mark: All new and existing tests passed. [REQUIRED]

:white_check_mark:: My change requires a change to the documentation.

:negative_squared_cross_mark: I have updated the documentation accordingly.

:white_check_mark:: I have added tests to cover my changes.

new feature
opened by TheZ3ro 86
Provide KeePassXC as a FlatPak
Hello.

First, thanks for the awesome work you do!

My question pertains to KeepassXC as Flatpak. I have found KeepassXC on Flathub, but since there's no mention of it on the official KeepassXC page (neither on download, nor blog), I'm hessitant to use it.

https://flathub.org/apps/ (ctrl+F --> "keepassxc")

https://github.com/flathub/org.keepassxc.KeePassXC

I currently use the offical PPA, since the Snaps I've used (KPXC and others) always end up with "Win 95" interface, and a Win 95 window for locating files.

My question is largely this:

Are these official Flatpaks of KeepassXC?

...if no, are there any plans for an official Flatpak?

distribution: Flatpak
opened by iverik-no 82
Add some password-related feature
Description

[X] Add an entropy meter for password generation based on zxcvbn ( #84 )

[X] Make the entropy meter standalone (is accessible with the entropy-meter executable)

[X] Make zxcvbn a separate library that compile with CMake

[X] Update COPYING file with zxcvbn copyright

[X] Add entropy test and gui test

[X] Color the entropy meter based on the password strength

[X] Make password generator a standalone generator like KeePass ( #18 )

[X] Don't require password repeat if password is visible ( #27 )

[ ] Prevent saving password with Enter when the Generator is open

Screenshots (if appropriate):

Types of changes

:white_check_mark: Bug fix (non-breaking change which fixes an issue)

:white_check_mark: New feature (non-breaking change which adds functionality)

:heavy_minus_sign: Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

:white_check_mark: I have read the CONTRIBUTING document. [REQUIRED]

:white_check_mark: My code follows the code style of this project. [REQUIRED]

:negative_squared_cross_mark: All new and existing tests passed. [REQUIRED]

:heavy_minus_sign: My change requires a change to the documentation.

:heavy_minus_sign: I have updated the documentation accordingly.

:white_check_mark: I have added tests to cover my changes.

NOTE the /src/zxcvbn/dict-src.h file contains an english word dictionary auto-generated from zxcvbn-c
opened by TheZ3ro 78
Very large group and entry icons
Too big icons

Since last update, I noticed that opening my habitual database gives a different appearance:

On the left drill-down menu, icons are really big compared to text.

In the "Title" column, icons are so big that the number of listed entries is now reduced.

Globally, I'd say that the icons size is twice their previous version.

My system is : KeePassXC - Version 2.6.2 Revision: e9b9582

Qt 5.15.2 Debugging mode is disabled.

Operating system: Arch Linux CPU architecture: x86_64 Kernel: linux 5.9.14-arch1-1
user interface platform: Linux Qt
opened by KimHono 77
minor improvements to the documentation
Type of change

✅ Documentation (non-code change)

Feel free to cherry-pick if you don't like some of the changes.

Is it intended that you don't use the btn: or menu: features of AsciiDoctor? https://docs.asciidoctor.org/asciidoc/latest/macros/ui-macros/
opened by Mo-Gul 3
Translate Cipher and KDF strings
Fix #8952 - move translations for Cipher and KDF strings into evaluated code instead of globally defined code. The strings were being baked prior to the language being set resulting in only english being displayed.

Testing strategy

Tested by setting alternate language and ensuring the translations showed.

Type of change

✅ Bug fix (non-breaking change that fixes an issue)

bug i18n
opened by droidmonkey 1
Database encryption settings not translated
Overview

KeePassXC displays some translated strings in English.

Steps to Reproduce

Change KeePassXC's language to Polish (100% on Transifex).

Check out these strings:

Argon2d (KDBX 4 – recommended)

Restore Entry(s)

Twofish 256-bit

AES 256-bit

ChaCha20 256-bit

Expected Behavior

The strings are translated on Transifex and should be in KeePassXC as well.

Argon2d (KDBX 4 – zalecany)

Przywróć wpisy

Twofish: 256-bitowy

AES 256-bitowy

ChaCha20 256-bitowy

Actual Behavior

Strings mentioned above are hard-coded in English.

Context

KeePassXC - 2.7.4 Revision: 63b2394

Operating System: Windows 10 22H2
bug i18n
opened by xesarni 4
Set password hint on BSD, fill selection on macOS again
Set x-kde-passwordManagerHint on BSD

Hoist mime handling out of Q_OS_* macros

Defer filling clipboard

Simplify Q_OS_* macro logic

Fill selction on macOS again

Testing strategy

Tested on OpenBSD/amd64 7.2-current with keepassxc-2.7.4p1-browser and copyq-6.3.2. This PR makes passwords copied from KeePassXC no longer appear in CopyQ (after adding a command that ignores values containing the password hint).

Type of change

✅ Bug fix (non-breaking change that fixes an issue)

✅ Refactor (significant modification to existing code)

bug security
opened by klemensn 6
SecretService: Sandboxed applications (Flatpak) accessing KeePassXC using the SecretService API should not all show up as xdg-dbus-proxy and share authorizations
Summary

After #3837 all binaries accessing the KeePassXC store using SecretService now need to be confirmed by a permission prompt. Unfortunately all sandboxed Flatpak applications are displayed as accessing KeePassXC as /usr/bin/xdg-dbus-proxy (PID: ) with any sandboxed application being able to access the key material for all other sandboxed applications. (The issue is probably similar for non-sandboxed applications developed in scripting languages, but unlike those it’s actually possible to reliable determine with sandboxed app the call originates from so it can actually be addressed in a proper way.)

Context

Congratulations on adding #3837 to the codebase more than a year ago, Debian just got it into unstable!

To get the Flatpak App-ID for PID, read the file /proc//root/.flatpak-info as INI (GKeyFile to be exact) and look for the “name” key in the “Application” or “Runtime” section. If the file does not exist, it is not a sandboxed application. The xdg-desktop-portal source code has the exact steps to perform here: https://github.com/flatpak/xdg-desktop-portal/blob/e5153d402d981e3b1f49babaaad0da49e3d4eaa8/src/xdp-utils.c#L575-L681 (C using GLib).

Looking up a Name an Icon for an App-ID is a surprisingly hard endeavour however. Looking up its source, xdg-desktop-portal constructs a .desktop-filename from the App-ID and looks that up using g_desktop_app_info_new (from the GLib Gio-Unix library) to the system launcher/menu text associated with the app… pretty easy to do for a GLib-based app, but unfortunately disregards the fact that Flatpak apps are not actually required to include a .desktop-file by that name in the first place. A more robust approach would be to either:

Use libappstreamqt to look up the software repository metadata for the installed application which all Flatpak applications have to include (there is an equivalent Qt API, but its documentation does not appear to be published online):

Call as_pool_load

Call as_pool_get_components_by_id on the result of the previous call using the App-ID as a parameter

Call as_component_get_pkgname on each of the results of the previous call until a component whose pkgname matches the following is found:
“flatpak:” + (“app” if App-ID lookup found the ID in an Application section, “runtime” otherwise) + “/“ + the App-ID + “/“ + the arch field from the Instance section of the manifest + “/“ + the branch field from the Instance section of the manifest

Finally, call as_component_get_name and as_component_get_icons to get the wanted metadata

Use libflatpak, but that requires figuring out which installation directory was used for the application and that information can only be guessed from the information available in the file that was used for the App-ID lookup. If one does guess the path based on what is available in that file one can (just C API in this case):

Call flatpak_installation_new_for_path

Call flatpak_installation_get_installed_ref on the result with lookup parameters matching those of 1.3.

Call flatpak_installed_ref_get_appdata_name to get the display name – I just realized this does not actually appear to have any way to look up the icon.

Considering how hard it is to reliably convert an App-ID to an application name, it might be best to skip this part entirely and just display (and store!) the App-ID for sandboxed applications accessing KeepassXC using the SecretService API.
new feature
opened by ntninja 0
[macOS] Prompt for a master password, despite having quick unlock via Touch ID after opening the lid
Overview

I have quick unlock enabled. Whenever I try to unlock my database after it has been locked due to closing the lid), there is a prompt for a master password. There is no button for quick unlock. After typing anything in the field (bad / good password), only then prompt to use the Touch ID and the db gets unlocked (given I use the right finger, so this part works fine).

Note: This seems to work as expected if I manually lock the db / put the machine to sleep / lock it.

Steps to Reproduce

Unlock a db with quick unlock enabled.

Close the lid (make sure in your settings that KeePassXC will lock the db in this case).

Open the lid and try to unlock the db.

Expected Behavior

As the quick unlock is enabled, I can click "Unlock Database" button, use the Touch ID to have the db unlocked.

Actual Behavior

I get a prompt for a password, then (regardless the password is valid or not), I get a prompt for using Touch ID.

Context

KeePassXC - Version 2.7.4 Revision: 63b2394

Qt 5.15.6 Debugging mode is disabled.

Operating system: macOS 12.6 CPU architecture: arm64 Kernel: darwin 21.6.0

Enabled extensions:

Auto-Type

Browser Integration

SSH Agent

KeeShare

YubiKey

Quick Unlock

Cryptographic libraries:

Botan 2.19.2

bug platform: macOS feature: QuickUnlock
opened by KORraNpl 2