Password Management

This page is a summary of the most important parts of the KeePassXC documentation.

It is common for digital services to verify identity by asking for a password. This page describes an approach to handling the large number of credentials in a way that avoids unnecessary risks and does not compromise convenience more than necessary.

For this purpose, dedicated software has been written, so-called "password managers", to help manage credentials.

Passwords have known weaknesses, so we recommend additionally protecting access with a second factor wherever possible. For accounts at the University of Innsbruck this is documented in detail.

KeePassXC

This manual describes the program KeePassXC in more detail. More detailed documentation is available on the KeePassXC website.

  • The software has existed for many years and has an active community that takes care of maintenance and further development.
  • KeePassXC is published as Free Software (Open Source). This means that it can be used free of charge without any restrictions and the source code is public. It can be read, analyzed and improved by anyone.
  • KeePassXC can be used on all major desktop operating systems (Microsoft Windows, GNU/Linux, Apple macOS).

Installation

Software installation from unknown sources is a security risk. Accordingly, please use the download options ("app stores") provided by your operating system. This also ensures that the program is updated if a security vulnerability becomes known.

Under Microsoft Windows, the software can be obtained from the Microsoft Store.

The vast majority of GNU/Linux distributions offer the software through their built-in package managers.

Under Apple macOS, KeePassXC unfortunately has to be installed manually. Please follow these instructions.

Setup

At the first start a new password database must be created. Choose a long password that is known only to you. It protects your access data in case your password database gets into the wrong hands.

We recommend synchronizing the file, e.g. with the fileshare service. This reduces the risk of loss, and the file can be used on other devices if necessary. On Android devices, for example, the file can be opened with KeePassDX.

Browser integration

By using an extension, KeePassXC can automatically enter the credentials into the correct fields in the browser. This is not only convenient, but also increases security, as fake login pages are detected and automatic password entry fails.

We recommend installing the extension for Mozilla Firefox.

For the integration to work, KeePassXC must be open in the background.

Use

For future logins to a website, you will be asked if you want to store the password in your KeePassXC file. If a password is already stored for a website, it can be inserted with a click on the KeePassXC button.

Two-factor authentication

Time-based one-time password

For systems that support TOTP (Time-based one-time password, RFC 6238) as a second factor, KeePassXC can be used to store the second factor. If the second factor is stored in the same system as the password, special care must be taken to protect the KeePassXC database.

In addition to a QR code, a secret key is usually displayed when setting up the second factor. This can be entered in the context menu of an entry in KeePassXC under Set up TOTP. After configuring the browser integration, the current one-time password can be filled into the website automatically.

WebAuthn / Passkey

Recent versions of KeePassXC (>= 2.7.7) are able to store WebAuthn credentials. This technique is based on public-key cryptography and is phishing-resistant. The protocol is the same one that is used with FIDO2 security keys.

A step-by-step guide is available in the documentation.

Share passwords

In rare cases it is necessary to have shared access to one account (and thus one password). With the KeeShare function, this can be implemented securely and conveniently.

  1. Open the dialog window under Tools -> Settings.
  2. There, select the KeeShare tab and activate Allow export.
  3. Create a new group that will contain the credentials to be shared.
  4. In the context menu of the new group, select Manage group.
  5. Under KeeShare, select the type: export.
  6. Select as path a location that can be accessed by all persons.

Similarly, other people can now activate the import function, create a new group, and configure KeeShare import in the settings of this group.

Reports

Under Database -> Reports the software offers evaluations on whether the stored passwords are problematic. From this you can see where a password change would make sense.
