KeePassXC the Secure, Offline, Open Source Password Manager

In a vulnerable web- and cloud-based world, KeePassXC offers excellent password management that is secure, reliable, offline by default and open source.

A password manager is a tool that creates and stores passwords for you, so you can use a different password on every site and service without having to memorize them all, and, more importantly, without reusing the same weak password everywhere. You only need to remember one master password (and/or hold a key file) that unlocks an encrypted vault containing all your other passwords. In today’s online world we all have many passwords, and it is increasingly imperative that each of them is random, strong and unique. That implies needing a way to manage passwords effectively and easily: a password manager.

There are many excellent password management apps to choose from, so first it’s important to decide which criteria matter most to you. Your needs may differ from mine, that’s natural and as it should be, but I’ll offer my personal thoughts on what drives my choice. I’ve used password managers for close to 15 years, have tried most of the better-known ones, and my requirements in choosing one have largely remained unchanged:

  • Secure. The underlying encryption and database format must be proven and independently audited.
  • Offline. (The ability to choose where, or whether, I cloud-sync is a plus.)
  • Cross platform.
  • Open source. (Not a 100% deal breaker, but strongly preferred.)

The main competitors in this arena all use excellent, well-studied encryption on the back end. This means your password database, or vault, is encrypted at rest and only readable once it has been opened with your master password and/or key file. So even if your password database is stolen or accessed in some way, your passwords will not be legible without that master password or key, short of an immense computing effort to brute-force it. One caveat worth stating plainly: the encryption is only as strong as the master secret it is derived from. The key-derivation function (KeePassXC uses Argon2 or AES-KDF, tunable to take around a second per attempt) makes each guess expensive, but a short or dictionary master password can still be recovered offline from a stolen file, while a long random passphrase, or a password combined with a key file the attacker does not have, cannot. With a strong master secret the stolen vault is a useless, unreadable file for all intents and purposes.
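To make the "stolen vault is useless without the master secret" point concrete, here is an added illustration (my own example code, not part of KeePassXC or the KDBX format). It models three ideas loosely on how KeePass-style managers work: a composite key hashed from the master password plus an optional key file, a memory-hard key-derivation function (scrypt from the Python standard library, standing in for Argon2) that makes each unlock attempt cost real CPU and memory, and a key-check value an attacker would use to confirm a guess. It then runs a small offline dictionary attack against three constructed vaults. The key file bytes, salt, wordlist and passwords are all made up for the example; a real vault would go on to encrypt the database with an AEAD cipher under the derived key, which is omitted here because the standard library has none.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs for the example (not real credentials or a real key file).
KEYFILE = bytes([0x13] * 32)   # stands in for a random 32-byte key file
SALT = bytes(range(16))        # fixed so the example is deterministic

# scrypt work factor: 2**14 iterations, 16 MiB of memory per guess.
# Real managers tune this so one unlock takes roughly a second on the user's machine.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Fold the master password and an optional key file into one 32-byte secret.

    Hashing each part separately, then hashing the concatenation, means an attacker
    who lacks the key file cannot recover the composite key even with the password.
    """
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def derive_vault_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite key with a memory-hard KDF; this is the cost an attacker pays per guess."""
    return hashlib.scrypt(
        composite_key(password, keyfile),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=32,
    )


def key_check(vault_key: bytes) -> bytes:
    """Value stored alongside the vault so a correct unlock can be recognised."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def create_vault(password: str, keyfile: Optional[bytes]) -> bytes:
    """Return the key-check value a stolen vault would expose to an attacker."""
    return key_check(derive_vault_key(password, keyfile, SALT))


def unlock(password: str, keyfile: Optional[bytes], check: bytes) -> bool:
    """Attempt an unlock; constant-time compare so the check leaks nothing by timing."""
    candidate = key_check(derive_vault_key(password, keyfile, SALT))
    return hmac.compare_digest(candidate, check)


def offline_guess(wordlist, keyfile: Optional[bytes], check: bytes) -> Optional[str]:
    """Dictionary attack against a stolen vault: every guess costs a full KDF run."""
    for word in wordlist:
        if unlock(word, keyfile, check):
            return word
    return None


# Constructed wordlist for the demonstration; real attacks use millions of entries.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty", "welcome1"]

if __name__ == "__main__":
    weak = create_vault("password123", None)
    strong = create_vault("correct-horse-battery-staple-9b2f", None)
    with_keyfile = create_vault("password123", KEYFILE)

    print("weak password, no key file      ->", offline_guess(WORDLIST, None, weak))
    print("strong passphrase, no key file  ->", offline_guess(WORDLIST, None, strong))
    print("weak password + key file (attacker lacks it) ->",
          offline_guess(WORDLIST, None, with_keyfile))
```

The first vault falls to the wordlist, the other two do not: the passphrase is simply not in any list, and the key-file vault cannot be opened at all by someone holding only the database and a password guess. Raising `SCRYPT_N` makes every line of the attack proportionally slower, which is exactly the knob a password manager exposes as "transform rounds" or Argon2 iterations and memory.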

The most popular password managers sync your password database to their own online “cloud” storage to allow quick and convenient syncing across your multiple devices. This is my main pet peeve: I don’t want my password database on someone else’s cloud storage, I prefer to keep it offline, or at least be given the choice to disable that ability. That said, it is a matter of convenience. Cloud syncing makes keeping all your devices up to date with password changes a breeze, and yes, I know these services operate securely: the database is encrypted client-side and is not readable without your master password and key, and the account itself is gated by two-factor authentication. I get it, I do. For me, however, nope. I deal with “clouds” all day at work, it rains a lot and I’m often dealing with massive security compromises, so I know all about how secure clouds are 🙂 If it’s online in the cloud you must assume it is going to be compromised at some point, period. I’ll keep my password vaults offline, thank you very much, no matter how well they’re encrypted. Or at least let me choose where to sync, so I can use my own cloud storage that I control and not be as big a hacking target as the big players.

The cross-platform option of having versions for Linux, macOS, Windows, Android and iOS is a nice touch indeed, as we all have various devices and systems. Having a unified utility across every device is great. Often, if a utility is open source, meaning the source code is freely available, this lends itself to cross-platform portability. While not a 100% requirement, being open source makes the overall operational transparency and the auditability of the code base much more accessible.

So, wtf do I use? I currently use KeePassXC. “KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.” I used KeePass itself for many years before moving to KeePassXC, so why not just continue using KeePass? (Note: both are excellent solutions, imo.)

KeePassXC is platform native, written in C++/Qt, whereas KeePass is written in C# for .NET and runs on Mono on Linux (my main OS), where the overall user experience is kinda, well, meh. Being coded in C++/Qt, which runs on all the platforms, lets KeePassXC run smoothly and natively on each host operating system. The KeePassXC folks have also done some great work with their own browser extension, KeePassXC-Browser. Overall I find the user experience with KeePassXC much more pleasant and consistent no matter what I’m using.

There ya go, KeePassXC is my password manager. I’ve tried most of them out there, but wind up sticking with the tried-and-true solution. I have to give props to Enpass, however. Enpass is a marvelous offline password manager too, very friendly to use, with excellent features. Unfortunately, the closed-source nature of the application and the inability to get a full open audit make me hesitant to use it as my password manager.