6 tips and tricks for using KeePassX to secure your passwords

Get more out of your password manager by following these best practices.

JanBaby, via Pixabay CC0.

Our increasingly interconnected digital world makes security an essential and common discussion topic. We hear about data breaches with alarming regularity and are often on our own to make informed decisions about how to use technology securely. Although security is a deep and nuanced topic, there are some easy daily habits you can keep to reduce your attack surface.

Securing passwords and account information is something that affects anyone today. Technologies like OAuth help make our lives simpler by reducing the number of accounts we need to create, but we are still left with a staggering number of places where we need new, unique information to keep our records secure. An easy way to deal with the increased mental load of organizing all this sensitive information is to use a password manager like KeePassX.

In this article, I will explain the importance of keeping your password information secure and offer suggestions for getting the most out of KeePassX. For an introduction to KeePassX and its features, I highly recommend Ricardo Frydman's article "Managing passwords in Linux with KeePassX."

Why are unique passwords important?

Using a different password for each account is the first step in ensuring that your accounts are not vulnerable to shared information leaks. Generating new credentials for every account is time-consuming, and it is extremely common for people to fall into the trap of using the same password on several accounts. The main problem with reusing passwords is that you increase the number of accounts an attacker could access if one of them experiences a credential breach.

It may seem like a burden to create new credentials for each account, but the few minutes you spend creating and recording this information will pay for itself many times over in the event of a data breach. This is where password management tools like KeePassX are invaluable for providing convenience and reliability in securing your logins.
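The reuse problem described above is easy to check for once the entries are in a password manager. The script below is an added example written for this article, not part of KeePassX or of the original text: it reads a CSV export of a database (the column names and the sample rows are constructed for the example, not the tool's documented layout), groups entries by a digest of their password so the report never has to echo the secrets, and lists the accounts that share one password along with any that fall below a length threshold (12 characters, an assumption). Delete any plaintext export as soon as the audit is done.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample in the shape of a CSV export of a password database.
# The column names are an assumption for this example, not a documented layout.
SAMPLE_EXPORT = """Title,Username,Password,URL
Bank,alice,correct horse battery staple,https://bank.example/login
Webmail,alice@example.org,correct horse battery staple,https://mail.example/signin
Forum,alice42,Tr0ub4dor&3,https://forum.example/login
Shop,alice,Tr0ub4dor&3,https://shop.example/account/login
Cloud drive,alice,xK9#vL2$pQ7mW4nR,https://drive.example/login
Old wiki,alice,short,https://wiki.example/login
"""


def load_entries(csv_text):
    """Parse the export; the csv module handles quoted passwords that contain commas."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def fingerprint(password):
    # Group by a digest so the report never uses the plaintext as a dictionary key.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reused(entries):
    """Return groups of entry titles that share one password (each group sorted)."""
    by_fingerprint = defaultdict(list)
    for entry in entries:
        by_fingerprint[fingerprint(entry["Password"])].append(entry["Title"])
    return sorted(sorted(titles) for titles in by_fingerprint.values() if len(titles) > 1)


def find_short(entries, minimum=12):
    """Titles whose password is shorter than `minimum` characters (threshold is an assumption)."""
    return [entry["Title"] for entry in entries if len(entry["Password"]) < minimum]


def audit(csv_text):
    """Run both checks over an export and return only titles, never passwords."""
    entries = load_entries(csv_text)
    return {"reused": find_reused(entries), "short": find_short(entries)}


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    for group in result["reused"]:
        print("same password shared by:", ", ".join(group))
    for title in result["short"]:
        print("short password:", title)
```

Every title that comes back in a `reused` group is a candidate for a fresh, generated password; the groups are the accounts that would fall together if any one of them leaked.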

3 tips for getting the most out of KeePassX

I have been using KeePassX to manage my password information for many years, and it has become a primary resource in my digital toolbox. Overall, it's fairly simple to use, but there are a few best practices I've learned that I think are worth highlighting.

  1. Add the direct login URL for each account entry. KeePassX has a very convenient shortcut to open the URL listed with an entry. (It's Control+Shift+U on Linux.) When creating a new account entry for a website, I spend some time to locate the site's direct login URL. Although most websites have a login widget in their navigation toolbars, they also usually have direct pages for login forms. By putting this URL into the URL field on the account entry setup form, I can use the shortcut to directly open the login page in my browser.

KeePassX tip 1 screenshot

  2. Use the Notes field to record extra security information. In addition to passwords, most websites will ask several questions to create additional authentication factors for an account. I use the Notes section in my account entries to record these additional factors.

KeePassX tip 2 screenshot

  3. Turn on automatic database locking. In the Application Settings under the Tools menu, there is an option to lock the database after a period of inactivity. Enabling this option is a good common-sense measure, similar to enabling a password-protected screen lock, that will help ensure your password database is not left open and unprotected if someone else gains access to your computer.

Locking the database after inactivity

Food for thought

Protecting your accounts with better password practices and daily habits is just the beginning. Once you start using a password manager, you need to consider issues like protecting the password database file and ensuring you don't forget or lose the master credentials.

The cloud-native world of disconnected devices and edge computing makes having a central password store essential. The practices and methodologies you adopt will help minimize your risk while you explore and work in the digital world.

Here are a few more ideas to consider as you develop your best practices.

  1. Be aware of retention policies when storing your database in the cloud. KeePassX's database has an open format used by several tools on multiple platforms. Sooner or later, you will want to transfer your database to another device. As you do this, consider the medium you will use to transfer the file. The best option is to use some sort of direct transfer between devices, but this is not always convenient. Always think about where the database file might be stored as it winds its way through the information superhighway; an email may get cached on a server, an object store may move old files to a trash folder. Learn about these interactions for the platforms you are using before deciding where and how you will share your database file.

  2. Consider the source of truth for your database while you're making edits. After you share your database file between devices, you might need to create accounts for new services or change information for existing services while using a device. To ensure your information is always correct across all your devices, you need to make sure any edits you make on one device end up in all copies of the database file. There is no easy solution to this problem, but you might think about making all edits from a single device or storing the master copy in a location where all your devices can make edits.
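A concrete way to tell "one copy is behind" apart from "two copies were both edited" is to keep the digest of the file as it was at the last known-good sync and compare every device's copy against it. The script below is an added example for this article, not KeePassX code: the devices, file contents and the "last synced" digest are constructed, and the copies are modelled as in-memory bytes rather than real files so it runs offline. It returns one of three verdicts: everything matches, a single set of edits needs propagating, or edits were saved on more than one device and the copies must be merged (KeePassXC, mentioned in the comments, can merge two databases that use this format).

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Copy:
    device: str
    data: bytes  # raw bytes of the database file as found on that device (constructed here)


def digest(data):
    return hashlib.sha256(data).hexdigest()


def audit_copies(copies, last_synced_digest):
    """Compare every copy against the digest recorded at the last known-good sync.

    verdict:
      "in-sync"   - every copy still matches the last synced file
      "propagate" - exactly one set of edits exists; copy that file to the stale devices
      "conflict"  - different edits were saved on more than one device; a merge is needed
    """
    digests = {c.device: digest(c.data) for c in copies}
    changed = sorted(d for d, h in digests.items() if h != last_synced_digest)
    distinct_edits = {digests[d] for d in changed}
    if not changed:
        verdict = "in-sync"
    elif len(distinct_edits) == 1:
        verdict = "propagate"
    else:
        verdict = "conflict"
    stale = sorted(d for d in digests if d not in changed) if changed else []
    return {"verdict": verdict, "changed": changed, "stale": stale}


# Constructed scenario: the file after the last sync, then the copies on three devices.
SYNCED = b"kdbx-bytes-after-last-sync"
LAPTOP = Copy("laptop", SYNCED + b"+new shop account")
PHONE = Copy("phone", SYNCED + b"+rotated bank password")
TABLET = Copy("tablet", SYNCED)

if __name__ == "__main__":
    print(audit_copies([LAPTOP, PHONE, TABLET], digest(SYNCED)))
```

Recording the post-sync digest is the step people usually skip; without it, two diverged copies look like "one is newer" and the older edits are silently overwritten.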

  3. Do you really need to know your passwords? This is more of a philosophical question that touches on the nature of memorable passwords, convenience, and secrecy. I hardly look at passwords as I create them for new accounts; in most cases, I don't even click the "Show Password" checkbox. There is an idea that you can be more secure by not knowing your passwords, as it would be impossible to compel you to provide them. This may seem like a worrisome idea at first, but consider that you can recover or reset passwords for most accounts through alternate verification methods. When you consider that you might want to change your passwords on a semi-regular basis, it almost makes more sense to treat them as ephemeral information that can be regenerated or replaced.

I hope these tips and tricks have helped expand your knowledge of password management and KeePassX. You can find tools that support the KeePass database format on nearly every platform. If you are not currently using a password manager or have never tried KeePassX, I highly recommend doing so now!

Michael McCune is a software developer in Red Hat's emerging technology group. He is an active contributor to several radanalytics.io projects, as well as being a core reviewer for the OpenStack API Special Interest Group. Since joining Red Hat, he has been developing and deploying applications for cloud platforms.

16 Comments

Instead of using the Notes field for extra information like security questions, use the "Advanced" tab, where you can store additional strings. These strings then become available to copy when you right-click on the entry in the key list.

++ excellent suggestion!

I don't find myself needing them on hotkey all that frequently, but this is certainly a good tip.

In reply to by MITBeta (not verified)

Does KeePassX store credentials in the cloud? Last time my hard disk crashed and I lost all my passwords.

I don't believe there's a dedicated cloud service. But, as Michael suggests, you should consider storing the master copy in a location where all your devices can make edits. That can be, for example, an instance of Nextcloud or ownCloud.

My KeePassX database is saved in my Nextcloud instance, and I can get to it on my laptop, my phone, or my tablet. It's more convenient and consistent than having multiple copies floating around.

In reply to by MK Mekail

Good question! As Scott points out, there is no dedicated service built in to KeePassX for storing your database file in the cloud.

I would suggest using something like a cloud-synchronized folder to store your database files; these will get backed up every time you save them. I know Dropbox has this functionality and I believe others do as well (gdrive, etc.).

In reply to by MK Mekail

I use KeePassXC on both my Linux computers. I sync via a synced gdrive folder. If you are using Android devices, there is an F-Droid/Play Store app called Keepass2Android which also syncs to the gdrive database file, keeping everything in sync.

Keep your 2FA backup codes in your password manager db as well, and you will always have access to your account, even if your phone or 2FA token gets lost or stolen

I am not 100% sure on what is happening with the project; perhaps it is in maintenance mode. I am still using KeePassX 2.0.3, which I installed from the Fedora repositories in f29, so it is still active at some level.

The great thing is that KeePassXC also uses the same format for data files, so migrating from one to the other should be painless.

Thanks for the update!

In reply to by pavelbo (not verified)

Nice article. I also use KeePassXC on multiple platforms. I keep the database on a usb key. If you choose to store your database (and/or any backups) on a cloud provider, I would consider using a key/certificate to secure the database in addition to your password. Make sure to keep the key in a secure (i.e. non-cloud) location. This way, you need both the password and key in order to unlock the database.

IF/WHEN your cloud provider is compromised, it may take you some time to realize this and update all of the credentials on your bank sites. Even if you have 2FA or MFA enabled on the accounts, do you have backup codes also stored in the database?
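The "password plus key file" suggestion in the comment above works because the database key is derived from both factors together, so a copy of the file taken from the cloud share is useless without the key file that stays off it. The code below is an added illustration for this article, not KeePassX's implementation: it models the composite key the way I understand the KeePass key-file rules (32 raw bytes used as-is, 64 hex characters decoded, anything else hashed), which is an assumption rather than a specification, and it stands in PBKDF2 for the database's configured key derivation (KeePass uses AES-KDF or Argon2) only so the example runs with the standard library. All keys and key-file contents are constructed.

```python
import binascii
import hashlib
import secrets


def new_keyfile():
    """32 random bytes, suitable to save as a key file that is kept off the cloud share."""
    return secrets.token_bytes(32)


def keyfile_key(contents):
    """Reduce a key file to 32 bytes.

    Modelled on the KeePass key-file rules as I understand them (an assumption,
    not a specification): 32 raw bytes are used as-is, 64 hex characters are
    decoded, and any other content is hashed with SHA-256.
    """
    if len(contents) == 32:
        return contents
    if len(contents) == 64:
        try:
            return binascii.unhexlify(contents)
        except binascii.Error:
            pass  # 64 bytes that are not hex fall through to hashing
    return hashlib.sha256(contents).digest()


def composite_key(password=None, keyfile=None):
    """SHA-256 over the concatenated per-factor hashes.

    Whatever factors were used when the database was created must all be
    presented again; an empty password counts as "no password" here.
    """
    material = b""
    if password:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_key(keyfile)
    if not material:
        raise ValueError("a password, a key file, or both is required")
    return hashlib.sha256(material).digest()


def master_key(composite, salt, iterations=200_000):
    """Stand-in for the database's key derivation step (real databases use
    AES-KDF or Argon2); PBKDF2-HMAC-SHA256 is used only so this runs offline."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def can_unlock(expected, password=None, keyfile=None):
    """True only if the presented factors reproduce the composite key exactly."""
    try:
        return secrets.compare_digest(composite_key(password, keyfile), expected)
    except ValueError:
        return False


if __name__ == "__main__":
    keyfile = new_keyfile()                      # constructed; would be saved outside the cloud
    expected = composite_key("hunter2", keyfile)  # "hunter2" is a constructed sample password
    salt = secrets.token_bytes(16)
    print("derived key:", master_key(expected, salt).hex())
    print("password only:", can_unlock(expected, "hunter2"))
    print("key file only:", can_unlock(expected, None, keyfile))
    print("both:", can_unlock(expected, "hunter2", keyfile))
```

The behaviour worth noticing is that a leaked database plus the correct password still fails without the key file, and a leaked key file plus database still fails without the password; the key file only adds protection while it is stored somewhere the database file is not.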

I've added all of my new passwords but I didn't save them. Upon restarting my computer everything is gone. Is there any way to recover these passwords or did I just lose some forever? Many are for services where it's not possible to reset a password.

Sadly, I do not think so. KeePassX stores everything in a database file; if you added all the password information and then did not save the file, I do not think there is any record. AFAIK, there isn't an "autosave" enabled in KeePassX.

In reply to by Billy the lose… (not verified)

Anyone played with Bitwarden ( https://bitwarden.com/ )? 100% open source with modern mobile & web integrations. I've been using KeepassXC for a while and it does seem a bit dated.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.