Skip to content
WARNING: The content here only serves educational purpose. You are fully responsible for your actions.
We do not encourage any kind of sensitive activity or crime.

Password Management 101: How to use Keepass

TLDR: you only need to remember ONE master password to be able to login to every website you need to access.

What is password management, and Why use Keepass?

If you have seen my Offensive Security blog section, or the numerous news regarding massive companies being hacked, you should be aware that no matter where you choose to put your data out there, nowhere is truly safe.

Now let's take the following example, Bob is being lazy (again), and he uses the same password for his laptop, all of his accounts online, and at some point he creates an account on "Spotify":

So Bob has one password for everything he does online. What happens when one of those services (ex: Spotify) gets hacked ?

First thing that happens, is that Bob's password gets leaked online publicly, his password may even end up in the popular password wordlists like in seclists.

This means, that a potential hacker may gain access in not only bob's spotify account, but also in all of his other accounts , since Bob used the same password everywhere.

This could have been avoided if Bob had a different strong password for every service. That way, if one of those services got hacked, only one meaningless password would have been revealed preventing credential stuffing. KeePassXC remembers all of those passwords so Bob (and you) do not have to.

Attack types

Password management addresses several attacker capabilities: - Brute force (attacker copies your .kdbx and tries avery combination of characters) - Dictionary attack (a kind of brute force attack that uses a dictionary of common passwords) - Credential stuffing (reuse of a leaked password on other services)

Entropy and password strength

Strong passwords resist brute-force and dictionary attacks. But what makes a password "strong"? Entropy measures the unpredictability of a password the higher the entropy, the harder it is to crack by guessing.

Entropy formula is:

Entropy β‰ˆ length Γ— logβ‚‚(character_set_size)

Examples (per character): - Digits (10): logβ‚‚(10) β‰ˆ 3.32 bits - Lowercase (26): β‰ˆ 4.70 bits - Lowercase + Uppercase (52): β‰ˆ 5.70 bits - Lowercase + Uppercase + Numbers + Symbols (~94): β‰ˆ 6.55 bits

So longer or more diverse character sets raise entropy. In practice pattern‑based or personal choices reduce true entropy (KeePassXC entropy calculator subtracts for dates, keyboard sequences, names from the entropy formula). Random generation first, memorization second.

Entropy Targets by Use Case: - Everyday accounts: β‰₯ 60 bits - Important accounts: β‰₯ 80 bits - Master password: β‰₯ 100 bits

If you append a birthdate or a common suffix (!) you drastically cut effective entropy because an expert adversary tests these patterns first. Never include personal info or predictable patterns.

Random passwords vs passphrases

Long random passwords are cryptographically strong, but humans cannot memorize "X7$mK9#qL2@pN5!wR" reliably. For a master secret (vault, disk encryption) you need both high entropy and recall (no written copy that could be seized). Some sites cap length; there you rely on diverse characters to reach your target entropy.

Why passphrases work

A passphrase uses random dictionary words instead of random characters. Using wordlists like Diceware or EFF(KeePassXC Default):

  • ~7,776 words per list = ~12.9 bits of entropy per word
  • 6 words β‰ˆ 77 bits
  • 7 words β‰ˆ 90 bits
  • 8 words β‰ˆ 103 bits

Example: correct-horse-battery-staple-mountain-keyboard-dolphin (7 words, ~90 bits)

When to use each

  • Passphrases: Master passwords you need to remember (one per vault / identity; do NOT reuse across disk, OS login, and KeePass)
  • Random passwords: Site/service credentials (stored in KeePassXC, you copy/paste or auto‑type, never memorize)

How to install KeepassXC

Bob can install KeepassXC using apt on debian:

nihilist@mainpc:~/Nextcloud/blog$ sudo apt install keepassxc

nihilist@mainpc:~/Nextcloud/blog$ which keepassxc
/usr/bin/keepassxc

nihilist@mainpc:~/Nextcloud/blog$ keepassxc

That way, Bob can have a unique, strong password for every website he registers an account onto. If one of them gets hacked, the adversary won't gain access to every other account that Bob has.

The only password reuse that there may be is only local to Bob's computer, where he uses a password to unlock his harddrive, log onto his host OS, and open his keepass file. The rest of remote logins are now managed and remembered by Keepass.

Remember that having strong passwords is essential to counter brute force attacks.

Managing passwords for different identities with Keepass

Different identities carry different risks. If your private or anonymous credentials are stored in the same place as your public ones, you're creating links between them. The solution is to have a separate .kdbx file for each VM, each dedicated to a single identity.

This structure, as previously seen, prevents cross-contamination and reinforces mental boundaries.

Public use VM - Linus Torvalds

Passwords used for work, subscriptions, shopping, and everyday browsing.

Private use VM - Nihilist

Passwords used for services you don’t want linked to your real identity, maybe you’re in a support group, dealing with a medical issue, researching personal topics, or asking questions you’d rather keep private.

Anonymous use VM - ZacharyJr

Passwords used for services that must not lead back to you, even pseudonymously, e.g. a forum you post on.

Sensitive use VM - DreadPirateRoberts

Passwords used for sensitive matters, e.g. whistleblowing.

Remember that you shouldn't write your master passwords anywhere. If you are typing them once a day, you won't forget them. but if you are scared of forgetting here are some tips: - Chunking: Group words and try to find logical connections - Familiarity: Choose words that you use frequently in your daily vocabulary - Acronyms: Take the first letter of each word to create a memorable phrase - Rhymes: Use words that sound good together - Imagery: Create a vivid image in your brain than use every word from that image

Using KeePassXC's Entropy Meter

KeePassXC includes a built-in entropy meter to verify password strength before saving.

The displayed bits are reduced from raw theoretical entropy by pattern detection (keyboard runs like qwerty, sequential numbers, dates, common names). KeePassXC uses (zxcvbn algorithm). Always confirm the meter meets your target bits before saving; if not, regenerate randomly.

Auto-lock configuration

Auto-locking ensures your password database doesn't stay unlocked indefinitely if you step away from your computer.

Configuration steps:

  1. Go to: Tools β†’ Settings β†’ Security
  2. Enable and configure: Clear clipboard after: 10-20 seconds (prevents password lingering in clipboard) Lock database after inactivity: 60-120 seconds (balance security vs convenience) Lock database when session is locked or lid is closed: Prevents access if you lock your OS session or if laptop suspends

These settings close your exposure window even if you forget to manually lock KeePassXC, the database secures itself automatically.

KDF hardening and decryption time

Even with a strong master password, an attacker who copies your .kdbx file offline can attempt to brute-force it. Key Derivation Function (KDF) hardening makes each guess computationally expensive, multiplying the time required.

Configuration steps:

  1. Go to: Database Settings β†’ Security
  2. Set Decryption time to a time you are comfortable with. (we recommend at least 2.0s) and use KDBX 4 as the Database format remember that this time is based on your hardware so if the adversary has a faster machine this time is going to be shorter

Advanced settings (optional): For fine-tuned control, click "Advanced" to manually configure Argon2d parameters:

Encryption Algorithm: - ChaCha20: Faster on mobile devices, resistant to timing attacks - AES-256: Industry standard, hardware acceleration on modern CPUs - Twofish: Older, slower without significant security benefits

Selecting Key Derivation Function

The KDF determines how your master password is transformed into the encryption key:

Argon2d (Recommended): - Memory-hard: Forces attackers to use significant RAM, not just CPU/GPU - ASIC-resistant: Specialized hardware provides less advantage - Best for offline password databases

Argon2id: - Hybrid approach combining Argon2d and Argon2i - More resistant to side-channel attacks - Good alternative if Argon2d isn't available

AES-KDF (Legacy): - Older key derivation function, avoid unless forced by compatibility - Only CPU-intensive, vulnerable to GPU/ASIC acceleration - Being phased out in favor of Argon2 variants

KDF Parameters:

Transform Rounds: - Number of passes over memory; higher Transform Rounds increases time cost per guess - Calibrate using KeePassXC benchmark to ~2.0s on your slowest device

Memory Usage: - RAM required (MiB). High memory cost slows GPU/ASIC attackers - Minimum: 64 MiB; Target: 512–1024 MiB (or as high as stable on all devices)

Parallelism: - Threads used. Match available CPU cores (e.g. 4–8). Affects your decryption speed more than attacker resistance.

Key File Setup

A key file adds an additional authentication factor beyond your master password. Even if someone discovers your master password, they still need the key file to access your database.

Creating a Key File:

  1. Go to: Database Settings β†’ Security β†’ Add additional Protection
  2. Click Add Key File β†’ Generate β†’ select path for new key file
  3. Save it to a secure location (USB drive, separate encrypted partition)
  4. Never store the key file in the same location as your .kdbx database

When to use key files

Key files add a second factor (possession). Trade‑offs: - Pros: Raises cost of offline brute force (attacker must obtain file + master passphrase) - Cons: Additional forensic artifact; if stored with the laptop it may be seized together - Sensitive / deniable contexts: Usually avoid (artifact increases evidence surface). Consider a decoy vault strategy instead.

Remotely accessing Keepass

Sometimes you need to access your passwords on the go, but storing them in the cloud is a risk you can't afford. Google Drive, Dropbox, and iCloud all introduce trust and metadata problems. Even if your .kdbx file is encrypted, where and how it’s stored matters.

The solution is to sync your KeePass file using Syncthing and access it using AuthPass.

Syncthing keeps your .kdbx file synchronized across devices using encrypted connections and AuthPass is a password manager that can open .kdbx files, by combining them you will be able to update your password vault on your computer and securely access it on your phone.

Setting it up

  1. On your phone, install Syncthing and AuthPass from F-Droid

  1. On your computer, install syncthing and open it

  2. Click on "Actions" and then "Show ID"

  1. On your phone, open Syncthing, go to "Devices" and click "Add Device"

  1. Either scan the QR-Code on your computer or paste the ID, and name the device

  1. On your computer, click "Add Device"

  1. On your phone, create a folder for KeePass, choose a path and allow your device

  1. On your computer, click "Add"

  1. Choose the path and click "Save"

  1. Open your file manager and move the .kbdx file to the KeePass folder

  1. On your phone, you will see there's one file in that folder, click on the icon

  1. Click on the 3 dots and open the file with AuthPass

  1. Enter the master password

  1. Now you can access your passwords

Next, Bob learns to use PGP encryption using Gnupg.


Suggest changes
meat
nihilist
Rixard 2025-08-09
2024-06-16
Donate XMR to meat:
82sQHXtPaMzNkRxE5EruXZaMR4BXmASvBP62P3495EgcdvghEkv6C1d9cA98eizX6W1TGchUXCtAoZ8cVP4Qi7Nt4fP41FL
Donate XMR to nihilist:
8C1MNeB4KEHGApg6sPxFPn3NWERD3mPv7AjC8mCm1CJCXjoKnf36SYBdZ6ywCMdZRC4cxu7Uax3tufDqMXS2mLvHNCJzQZS
Donate XMR to Rixard:
44T5oyUnkjt3La8QtTeQQZPxqyzua5KkDepK9irM2D6dhRiJWVn5JUUZBXJNbq2gKJeTUQZuVZGQn3oZ3CsRUdwS5hDQerU