Institute of Mathematics - PublicMathWiki:

Keepass

Features

  • Different passwords for different accounts - don
  • MFA for modern accounts/services.
  • No single device dependency. Your passwords are where you are.
  • Split security levels (multiple databases, e.g. one for everyday logins and one for high-value accounts).
  • Awesome browser integration.
  • Sharing credentials (multiple databases) via cloud storage.

Description

KeePass is a tool to store and manage passwords. Apps are freely available for

How KeePassXC works

  • KeePassXC creates, opens, edits and saves a password database stored in a single file.
  • A password database is an encrypted file in which you store your usernames, passwords and URLs, plus attachments such as pictures or other important / private documents.
  • A password database can only be opened with its Master Password. The Master Password is the key to all your stored passwords.
  • If you forget your Master Password, you cannot access your stored passwords anymore; there is no recovery.
  • Encryption: the database is encrypted with the Advanced Encryption Standard (AES) or the Twofish algorithm, each with a 256-bit key (KeePassXC also offers ChaCha20). The Master Password is not used directly: it is first strengthened with a key derivation function (Argon2 or AES-KDF), so a strong Master Password and sufficiently costly KDF settings are what protect the file if someone gets a copy of it.
  • All features: http://www.keepassx.org/features/
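To make the "encrypted file" point concrete, here is an added example (written for this page, not KeePassXC's own code) that parses the unencrypted outer header of a KDBX 4 file and reports the cipher, compression and key-derivation settings. It constructs its own sample header (the seeds, IV and Argon2 cost values are assumed, not read from a real database) so it runs offline. The point it makes: everything in the header is readable by anyone holding a copy of the file, so the Master Password and the KDF cost, not the cipher choice, decide how hard offline guessing is.

```python
"""Added example (not KeePassXC's code): read the plaintext outer header of a
KDBX 4 file and report what an attacker learns without the Master Password."""
import struct
import uuid

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
# Cipher / KDF identifiers as stored in the header (UUIDs from the KDBX format).
CIPHERS = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256",
    uuid.UUID("ad68f29f-576f-4bb9-a36a-d47af965346c"): "Twofish-256",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
}
KDFS = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
# Outer header field IDs used below (KDBX 4).
F_END, F_CIPHER, F_COMPRESSION, F_SEED, F_IV, F_KDF = 0, 2, 3, 4, 7, 11


def parse_variant_dict(buf):
    """Decode the VariantDictionary that carries the KDF parameters."""
    if struct.unpack_from("<H", buf)[0] >> 8 != 1:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0:                       # a type byte of 0 ends the dictionary
        vtype = buf[pos]
        (klen,) = struct.unpack_from("<i", buf, pos + 1)
        key = buf[pos + 5:pos + 5 + klen].decode()
        (vlen,) = struct.unpack_from("<i", buf, pos + 5 + klen)
        raw = bytes(buf[pos + 9 + klen:pos + 9 + klen + vlen])
        pos += 9 + klen + vlen
        fmt = {0x04: "<I", 0x0C: "<i", 0x05: "<Q", 0x0D: "<q"}.get(vtype)
        if fmt:                                # integer types
            out[key] = struct.unpack(fmt, raw)[0]
        elif vtype == 0x08:                    # bool
            out[key] = raw != b"\x00"
        elif vtype == 0x18:                    # UTF-8 string
            out[key] = raw.decode()
        elif vtype == 0x42:                    # byte array ($UUID, salt)
            out[key] = raw
        else:
            raise ValueError(f"unknown variant type {vtype:#x}")
    return out


def parse_kdbx4_header(data):
    """Return the security-relevant facts from the plaintext header."""
    sig1, sig2, version = struct.unpack_from("<III", data)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    if version >> 16 != 4:
        raise ValueError("only KDBX 4 handled here (KDBX 3 uses 16-bit field lengths)")
    pos, fields = 12, {}
    while True:                                # fields: type (1 byte), length (4 bytes), data
        ftype, flen = struct.unpack_from("<BI", data, pos)
        fields[ftype] = bytes(data[pos + 5:pos + 5 + flen])
        pos += 5 + flen
        if ftype == F_END:
            break
    kdf = parse_variant_dict(fields[F_KDF])
    kdf_name = KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")
    if kdf_name.startswith("Argon2"):
        cost = {"memory_bytes": kdf["M"], "iterations": kdf["I"], "parallelism": kdf["P"]}
    else:
        cost = {"rounds": kdf["R"]}
    return {
        "cipher": CIPHERS.get(uuid.UUID(bytes=fields[F_CIPHER]), "unknown"),
        "compressed": struct.unpack("<I", fields[F_COMPRESSION])[0] == 1,
        "kdf": kdf_name, "kdf_cost": cost,
        "seed_len": len(fields[F_SEED]), "iv_len": len(fields[F_IV]),
        "header_len": pos,                     # SHA-256 and HMAC of the header follow here
    }


def _vd(vtype, key, value):
    return (bytes([vtype]) + struct.pack("<i", len(key)) + key.encode()
            + struct.pack("<i", len(value)) + value)


def build_sample_header(cipher="ChaCha20", memory_mib=64, iterations=2, parallelism=2):
    """Constructed sample header; the seeds, IV and Argon2d cost values are assumptions."""
    cipher_id = {v: k for k, v in CIPHERS.items()}[cipher].bytes
    kdf = (struct.pack("<H", 0x0100)
           + _vd(0x42, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes)
           + _vd(0x42, "S", b"\x11" * 32) + _vd(0x04, "V", struct.pack("<I", 0x13))
           + _vd(0x05, "I", struct.pack("<Q", iterations))
           + _vd(0x05, "M", struct.pack("<Q", memory_mib * 1024 * 1024))
           + _vd(0x04, "P", struct.pack("<I", parallelism)) + b"\x00")
    field = lambda t, d: struct.pack("<BI", t, len(d)) + d
    return (struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000)
            + field(F_CIPHER, cipher_id) + field(F_COMPRESSION, struct.pack("<I", 1))
            + field(F_SEED, b"\x22" * 32) + field(F_IV, b"\x33" * (12 if cipher == "ChaCha20" else 16))
            + field(F_KDF, kdf) + field(F_END, b"\r\n\r\n"))


if __name__ == "__main__":
    print(parse_kdbx4_header(build_sample_header()))
```

Feed the first few hundred bytes of a real .kdbx file to parse_kdbx4_header to see which KDF and cost settings it uses; a database still on AES-KDF with a low round count is a candidate for Database > Database Settings > Encryption. KDBX 3 files (older KeePass 2.x format) use 16-bit field lengths and are rejected by this parser.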

Creating a Password Database

  • Click on "File" --> "New Database..."

  • You will be prompted to set a master key. Input your Master Password (the one password that protects all your other stored passwords). Then click "OK".
  • Repeat your Master Password. Click "OK".
  • Choose a group. (Standard groups are Internet and eMail. You can also create your own groups.)
  • click on "Entries" --> "Add New Entry..."

  • Input the information you need
    • Title: a short description of the entry
    • Username: your username
    • URL: on what homepage do you need the password
    • Password: your password
    • Repeat: repeat your password
    • Comment: a longer description of the entry
  • click on "File" --> "Save Database"

  • Choose a location and a name for your password database. Click "OK".

Best practice: Sync Database via cloud

  • Only use a cloud service if you need to sync your passwords over several devices.
  • Decide on your own:
    • Pro 'cloud':
      • all of your confidential data on all devices.
      • creates backups automatically.
    • Contra 'cloud':
      • If your cloud account or the cloud service provider is compromised, the attacker holds a copy of the database. It is still encrypted, but it can now be attacked offline by guessing the Master Password at leisure, so the Master Password and the KDF settings are all that stand between the thief and the treasure.
  • US based cloud providers like Google Drive, Dropbox, Apple iCloud Drive, Microsoft OneDrive:
    • Those services are very attractive targets for attackers.
    • US authorities can legally compel US companies to hand over data they hold. Since the Snowden disclosures it is clear that the NSA is not friendly.
    • Rule of thumb: Don't use US hosted / US company based services for confidential data.

  • Local cloud storage provider:
  • How to:
    • On all devices where you want to sync your KeePass database file, install and configure the client for drive.math.uzh.ch.
    • Open the KeePass database file on all of your devices directly from the synced cloud folder.
  • Automatic merge of databases: even while KeePassXC has the database open, a change made on a different device (e.g. your phone) and synced via the cloud is picked up: KeePassXC notices that the file changed on disk, reloads it and merges it with your unsaved changes (check in Settings > General that automatic reloading of externally modified databases is enabled). If the same entry was changed on both sides, the newer change wins and the other version stays in the entry's history.
    • If you work in a team: nothing changes, everyone opens the synced copy and changes are merged.

Browser integration / MFA Setup / Passkeys

  • KeePassXC can be used from within a browser (Chrome, Chromium, Firefox, Vivaldi, Brave, ...).
  • Browser connection to KeePassXC is convenient: different browsers offer the same accounts/credentials, and if the database is synced via the cloud, so do different computers.
  • TOTP (one-time tokens).
  • Passkeys support.

Finally: no MS Authenticator app needed, no single-device dependency, login to any MFA-protected website without a mobile phone. Caveat: if the TOTP secret sits in the same database as the password, both factors fall together when that database is compromised; keep second factors in a separate database (see "Split security levels" above) if you want them to stay independent.

Settings

kp-browserintegration.png

  • Settings > Browser Integration > Enable integration ...: Chrome, Firefox, ...

Browser Plugin

  • Install the corresponding browser plugin (the settings dialog, item '5', links to the browser's extension store).
  • Passkeys have to be explicitly enabled in the browser plugin:

kp-passskeys.png

Regular Username / Password

  • Make sure the KeePassXC icon at the top right is 'green', i.e. the connection to the database is active.
  • Open the login page in the browser.

kp-fill.png

  • Click on the small green kp icon.
  • Choose the account.

MFA

TOTP

  • To use TOTP with Microsoft Office 365 login: add another app (instead of MS Authenticator) as second factor. How To

kp-totp.png

  • Add TOTP functionality to individual accounts: Account > right mouse click > TOTP > Setup TOTP

  • On a website secured with TOTP, log in as usual with KeePassXC; on the next page, where the one-time token is requested, click the green symbol again.

Hint:

  • On the TOTP setup you have to provide the 'shared secret'.

  • The shared secret is provided by the website that hosts the login, typically where MFA is configured.
    • Either in plaintext as a Base32 string (letters A-Z and digits 2-7, often shown in groups of four; spaces are ignored).
    • Or as a QR code to scan. The QR code usually encodes an otpauth://totp/... URL; the shared secret is the secret= parameter of that URL. If the site shows no plaintext secret, decode the QR code with any QR reader and copy the secret from the URL, or hope that the assigned app (=keepassdx) opens.
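What KeePassXC does with that shared secret, as an added example written for this page (not KeePassXC's own code): the secret is accepted either as the plaintext Base32 string from the MFA setup page (blank-separated groups, lowercase and missing '=' padding tolerated) or as the otpauth:// URL a QR code encodes, and the current code is computed per RFC 6238. The otpauth URL and account names below are constructed; the secret is the RFC 6238 test key "12345678901234567890", so the codes can be checked against the standard's own vectors. The verify_totp function goes beyond what the client needs and shows the server side of the check (clock-skew window, constant-time compare).

```python
"""Added example (not KeePassXC's code): TOTP (RFC 6238) from a shared secret,
as entered in "Setup TOTP" or decoded from a QR code's otpauth:// URL."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def normalize_secret(text):
    """Turn the human-readable key into raw bytes (Base32, RFC 4648 alphabet A-Z, 2-7)."""
    s = "".join(text.split()).upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(url):
    """Extract the TOTP parameters from an otpauth://totp/... URL (QR-code content)."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URL")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": normalize_secret(q["secret"]),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // period), digits, algorithm)


def verify_totp(secret, code, at=None, window=1, digits=6, period=30, algorithm="SHA1"):
    """Server-side check: accept neighbouring steps for clock skew, compare in constant time."""
    at = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret, at + k * period, digits, period, algorithm), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed otpauth URL of the kind an MFA setup page puts into its QR code.
    params = parse_otpauth(
        "otpauth://totp/ACME:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ACME"
    )
    print(params["label"], totp(params["secret"], digits=params["digits"], period=params["period"]))
```

Because the whole second factor is this one static secret, anyone who reads it (from the database, from a screenshot of the QR code, from the setup page left open) can generate valid codes forever; treat the seed like a password and keep the device clock correct, since the code depends on the current 30-second step.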

Passkey

  • Passkeys (WebAuthn) are offered as an additional way to use MFA.

  • Passkeys offer more security than TOTP (the credential is bound to the site's origin, so it cannot be phished or replayed on a look-alike site) and should be used when possible.
  • But: some websites work better than others. E.g. eduid.ch is ok, gitlab is ok but with a popup, Microsoft is broken for Linux/Chrome/KeePassXC, ...

Same account / different URLs

kp-addurl.png

PublicMathWiki: keepassx (last edited 2025-03-30 10:03:17 by crose)