KeePassXC

KeePassXC is a free, open-source, cross-platform password manager that stores credentials in a locally encrypted KDBX database file. It runs natively on Windows, macOS, and Linux, offering browser integration, TOTP support, YubiKey/hardware key authentication, SSH agent integration, and passkey support — all without requiring a cloud account or subscription.

6/100 · Healthy
1 · No Decay · Stable

Score generated by AI agents based on publicly cited evidence and reviewed by the project maintainer. Not independently validated.

Score History

[Chart: score history by era. Community Fork (2016–2018) · 3/100; Browser & SSH Era (2018–2020) · 4/100; UI Modernization (2020–2023) · 5/100; Audit Validation (2023–2026) · 5/100; Government Certified (2026–present) · 6/100. Milestones: KeePass Founded (2003), KeePassX Fork Created (2005), KeePassXC Forked (2016), First Stable Release (2.1.0) (2017).]

Timeline events are AI-curated from public reporting. Score trajectory is derived from documented events.

Community Fork
3/100
2016-10-01

KeePassXC was forked from the stalling KeePassX project in August 2016 by community developers under the 'keepassxreboot' organization. The initial project inherited KeePassX's clean, local-first architecture and open KDBX format. With no commercial entity, no investors, and no monetization, the project started with near-zero enshittification across all dimensions. The small D1 score reflects the inherited UX limitations from KeePassX and the early-stage nature of the reborn project.

Browser & SSH Era
4/100 (+1)
2018-03-01

The release of version 2.3.0 in February 2018 marked KeePassXC's transition from a simple fork into a feature-rich password manager. The new KeePassXC-Browser extension and SSH agent integration established capabilities that the original KeePass ecosystem lacked. KDBX 4.0 with Argon2 key derivation modernized the encryption. The small score increase reflects the slight D1 bump from growing complexity and the continued presence of a steep learning curve, while D4 gained a point as the growing KDBX ecosystem created minimal but real format dependency.

UI Modernization
5/100 (+1)
2020-07-01

KeePassXC 2.5.0 and 2.6.0 delivered major platform expansion: Freedesktop.org Secret Service integration, OnlyKey support, 1Password OpVault import, a complete UI overhaul with themes, and Have I Been Pwned breach checking. The project gained broad institutional recognition, including EFF's Surveillance Self-Defense recommendation. The D6 point reflects the growing complexity of first-run configuration choices and security defaults, while D9 gained a point reflecting the bus-factor risk of depending on a small number of volunteer core maintainers as the project's scope expanded significantly.

Audit Validation
5/100
2023-04-01

The independent security audit by Zaur Molotnikov in January 2023 validated KeePassXC's cryptographic soundness. Version 2.7.0 brought Windows Hello and Touch ID biometric unlock, closing the convenience gap with commercial competitors. The CVE-2023-35866 dispute demonstrated the team's willingness to publicly challenge security reports they considered invalid. The score remained stable as new features and audits balanced against the inherent complexity of a broadening feature set.

Government Certified
6/100 (+1)
2026-02-19

KeePassXC reached an inflection point with the ANSSI CSPN security certification in November 2025, the first government security visa awarded to a community-driven open-source password manager. Passkey support, Proton Pass import, and DLL injection protections continued the steady feature expansion. The BSI CAOS 3.0 audit of the KeePass ecosystem reinforced the format's security reputation. The one-point score increase reflects CVE-2024-33901 adding a minor D10 point for the memory dump vulnerability, even though the team disputed its severity.

Alternatives

Bitwarden · 15/100

Open-source password manager with built-in cloud sync and a generous free tier — the main advantage over KeePassXC is seamless multi-device sync without manual setup. Moderate switch: export your KDBX database to CSV and import into Bitwarden. Tradeoff: you're trusting Bitwarden's servers (or self-hosting Vaultwarden) rather than keeping everything local.

1Password · 26/100

Polished commercial password manager with excellent browser integration and family/team sharing. Easy switch: 1Password supports direct import from KeePassXC's KDBX format. Tradeoff: subscription-only ($36/year), closed source, and VC-backed — you're trading independence for convenience.

Dimensional Breakdown

Summaries below were written by AI agents based on the cited evidence. They are editorial interpretations, not independent research findings.

User Value Erosion
KeePassXC continues to improve steadily, with version 2.7.11 released in November 2025 adding inline attachment viewing, text file editing, database merge dialogs, KeeShare group support, and automatic password generation for new entries. Version 2.7.9 added passkey support and refined TOTP generation. Version 2.7.10 in March 2025 addressed UX requests including adjustable font sizes and improved password strength indicators. The product has never paywalled previously free features, removed functionality, or degraded the user experience for monetization purposes. Common criticisms — the lack of built-in cloud sync, a steeper learning curve than commercial alternatives, and a utilitarian UI — are inherent design tradeoffs of a local-first, offline-focused architecture, not evidence of value erosion. The product is arguably at or near its quality peak.
How It Got Here
KeePassXC has followed a continuous improvement trajectory since its 2016 fork from the stalling KeePassX project. The first stable release in January 2017 inherited a functional but limited codebase. Version 2.2.0 in June 2017 added YubiKey and TOTP support. Version 2.3.0 in February 2018 introduced the browser extension and SSH agent. The 2.6.0 release in July 2020 delivered a complete UI overhaul with custom themes and HIBP breach checking. Version 2.7.0 in March 2022 added Windows Hello and Touch ID biometric unlock. Passkey support arrived in version 2.7.7 in March 2024. Version 2.7.10 in March 2025 added adjustable font sizes and Proton Pass import. The project has never paywalled features, removed functionality, or degraded the user experience. Persistent criticisms around manual sync setup and a steeper learning curve are architectural tradeoffs of the local-first design, not evidence of decline. The product is at its quality peak, with 2.7.12 released in March 2026 adding DLL injection protection.
Business Customer Exploitation
Shareholder Extraction
Lock-in & Switching Costs
Twiddling & Algorithmic Opacity
Dark Patterns
Advertising & Monetization Pressure
Competitive Conduct
Labor & Governance
Regulatory & Legal Posture

Dimension History

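| Dimension | 2016 Community Fork | 2018 Browser & SSH Era | 2020 UI Modernization | 2023 Audit Validation | 2026 Government Certified |
|---|---|---|---|---|---|
| User Value | 1 | 1 | 1 | 1 | 1 |
| Biz Exploit | 0 | 0 | 0 | 0 | 0 |
| Shareholder | 0 | 0 | 0 | 0 | 0 |
| Lock-in | 1 | 1 | 1 | 1 | 1 |
| Algorithms | 0 | 0 | 0 | 0 | 0 |
| Dark Patterns | 0 | 1 | 1 | 1 | 1 |
| Advertising | 0 | 0 | 0 | 0 | 0 |
| Competition | 1 | 1 | 1 | 1 | 1 |
| Labor/Gov | 0 | 0 | 1 | 1 | 1 |
| Regulatory | 0 | 0 | 0 | 0 | 1 |
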
Timeline (28 events)
major · 2003-11-15

Dominik Reichl Releases KeePass 1.0 for Windows

Dominik Reichl released KeePass Password Safe 1.0, a free, open-source password manager for Windows using strong encryption. Built as a lightweight tool for personal credential management, it established the KDBX ecosystem that would eventually spawn multiple cross-platform forks.

major · 2005-01-01

KeePassX Created as Linux Port of KeePass

A developer created a cross-platform port of KeePass using the Qt toolkit, originally called KeePass/L (for Linux). In March 2006 it was renamed to KeePassX after becoming truly cross-platform, supporting Linux, macOS, and Windows. This fork provided the codebase that would later become KeePassXC.

major · 2016-07-24

EU-FOSSA 1 Selects KeePass for Security Audit

The European Commission's EU Free and Open Source Software Auditing project (EU-FOSSA), a EUR 1 million pilot selected through a public survey with 3,282 responses, chose KeePass and Apache HTTP Server for security code reviews. The audit found no critical vulnerabilities in KeePass, reporting only five medium- and three low-risk flaws, concluding the code is of good security quality.

critical · 2016-08-01

Community Forks KeePassX into KeePassXC

Due to slowing development of KeePassX (which had effectively stalled with unresolved bugs and feature requests piling up), a group of developers including Frank Morgner forked the project on GitHub under the 'keepassxreboot' organization. The 'C' in KeePassXC stands for 'community,' reflecting the project's commitment to active, transparent development.

major · 2017-01-22

KeePassXC 2.1.0 First Stable Release

KeePassXC released its first stable version, 2.1.0, inheriting KeePassX's codebase while adding bug fixes and community-requested features. The release established KeePassXC as a viable, actively maintained alternative to both the stalling KeePassX and the Windows-only KeePass.

major · 2017-06-26

Version 2.2.0 Adds YubiKey and TOTP Support

KeePassXC 2.2.0 was the largest release to date, closing 167 issue reports. It introduced YubiKey challenge-response authentication for database encryption and time-based one-time password (TOTP) generation, bringing hardware security key support to a cross-platform open-source password manager for the first time in the KeePass ecosystem.

critical · 2018-02-28

Version 2.3.0 Introduces Browser Extension and KDBX4

KeePassXC 2.3.0 introduced the KeePassXC-Browser extension for Chrome and Firefox, replacing the old KeePassHTTP-based plugins with a more secure native messaging protocol. The release also added KDBX 4.0 format support with Argon2 key derivation, SSH agent integration, and a new entry preview panel. It closed over 150 issues and merged 168 pull requests.

major · 2019-01-01

EU-FOSSA 2 Includes KeePass in Bug Bounty Program

The European Commission launched EU-FOSSA 2, selecting KeePass among 15 open-source software projects for a bug bounty program with awards of up to EUR 25,000. KeePass was the first project in the program lineup, which ran through 2019 and was administered through Intigriti and HackerOne platforms.

major · 2019-03-19

Version 2.4.0 Adds KeeShare and Update Checks

KeePassXC 2.4.0 introduced KeeShare for secure database sharing and synchronization between users, a new database creation wizard, advanced search capabilities, OpenSSH for Windows support, update checks, and a QR code generator for TOTP codes. KeeShare enabled team credential sharing without requiring a cloud service.

major · 2019-10-26

Version 2.5.0 Adds Secret Service API and OnlyKey Support

KeePassXC 2.5.0 introduced the Freedesktop.org Secret Service DBus API, allowing KeePassXC to serve as the system keyring on Linux (replacing GNOME Keyring or KWallet). It also added OnlyKey hardware token support, 1Password OpVault import, paper backup generation, database statistics, and a significantly enhanced command-line interface with offline HIBP checking.

major · 2020-07-07

Version 2.6.0 Overhauls UI and Adds HIBP Integration

KeePassXC 2.6.0 delivered a complete user interface overhaul with custom light and dark themes, comprehensive password health reports with Have I Been Pwned integration for breach checking, improved YubiKey and OnlyKey support for up to four keys simultaneously, and auto-start capability. The release represented a year of development effort and significantly modernized the application's appearance.

minor · 2021-12-09

KeePassX Officially Announces End of Development

KeePassX, the original cross-platform fork of KeePass from which KeePassXC was created, officially announced on its website that development had stopped. The final stable release was version 2.0. This confirmed KeePassXC as the definitive successor project for cross-platform KeePass users on Linux and macOS.

major · 2022-03-21

Version 2.7.0 Adds Windows Hello and Touch ID Unlock

KeePassXC 2.7.0 introduced biometric quick unlock via Windows Hello and macOS Touch ID/Apple Watch, entry tagging for organization, a redesigned Auto-Type dialog with multi-database search, KDBX 4.1 format support, and TOTP improvements including a countdown progress bar. The biometric support brought KeePassXC to feature parity with commercial password managers on convenience.

major · 2023-01-19

Independent Security Audit Finds KeePassXC Cryptographically Sound

Security consultant Zaur Molotnikov completed an independent audit of KeePassXC 2.7.4, conducted free of charge. The report concluded that KeePassXC 'provides sufficient cryptographic protection (confidentiality, integrity and authenticity) to the confidential information the user is storing in the database,' recommending use of the latest secure file format. The full report was published publicly.

minor · 2023-05-14

Version 2.7.5 Adds Screenshot Protection

KeePassXC 2.7.5 introduced a security feature preventing screen capture on Windows and macOS (with a temporary override option), improved HTML export layout, new application logos and icons, and fixes for performance slowdowns affecting databases with over 1,000 entries. The screenshot protection defaults to blocking captures of the password manager window.

minor · 2023-06-19

KeePassXC Disputes CVE-2023-35866 Authorization Vulnerability

CVE-2023-35866 alleged that KeePassXC versions up to 2.7.5 had an Incorrect Authorization vulnerability allowing a local attacker with access to an unlocked database to modify security settings without re-authentication. The KeePassXC team filed a request to reject the CVE, arguing that their threat model for an offline password manager means physical access to an unlocked database already implies full compromise.

minor · 2023-08-15

Version 2.7.6 Adds Nitrokey 3 Hardware Key Support

KeePassXC 2.7.6 added challenge-response support for the Nitrokey 3 open-source hardware security key, expanding the hardware authentication ecosystem beyond YubiKey and OnlyKey. The release also added entry UUID search, improved drag-and-drop behavior, and Quick Unlock activation for Auto-Type and browser access.

critical · 2024-03-10

Version 2.7.7 Launches Passkey Support

KeePassXC 2.7.7 introduced official passkey (FIDO2) support through the browser extension, allowing users to store and use passkeys for passwordless authentication directly in their KDBX database. The release also added import support for 1Password and Bitwarden databases, automatic hardware key detection, and improved import workflows. Passkey development had been in progress for over a year.

minor · 2024-05-01

CVE-2024-33901 Memory Dump Vulnerability Disclosed

CVE-2024-33901 was published for KeePassXC 2.7.7, describing a vulnerability allowing an attacker with equivalent local privileges to recover passwords from a process memory dump. The KeePassXC team acknowledged the finding but disputed its severity, arguing that memory management constraints make this unavoidable in any local password manager, and that modern OS protections (Linux ptrace restrictions, process isolation) mitigate the practical risk.

major · 2024-05-20

Debian Maintainer Strips KeePassXC Features, Sparking Controversy

A Debian maintainer removed browser integration, YubiKey support, auto-type, and networking capabilities from the default KeePassXC package in Debian, citing attack surface concerns. The KeePassXC team objected, noting they were not consulted. A 'keepassxc-full' package with all features was later made available in Debian testing/unstable. The controversy highlighted tensions between distribution-level security decisions and upstream developer intent.

minor · 2024-06-19

Version 2.7.9 Refines Passkeys and Snap Integration

KeePassXC 2.7.9 refined passkey management with the ability to remove passkeys from entries, improved CSV and Bitwarden importing, and fixed browser integration with Snap-packaged browsers on Linux. This version later became the basis for the ANSSI CSPN security certification.

major · 2024-10-14

BSI CAOS 3.0 Audit Reports Only Low-Severity Issues for KeePass

Under the Code Analysis of Open Source Software (CAOS 3.0) project, the German Federal Office for Information Security (BSI) commissioned MGM Security Partners to analyze KeePass and Vaultwarden. While Vaultwarden had two high-severity vulnerabilities requiring CVE assignments, KeePass 2.56 received only low-severity findings. The analysis reinforced the KeePass ecosystem's security reputation.

minor · 2025-03-04

Version 2.7.10 Adds Proton Pass Import and Font Controls

KeePassXC 2.7.10 added a Proton Pass importer, adjustable application font size (a long-requested accessibility feature), improved password strength column icons, a character count in the password generator, KeePass2 TOTP configuration support, and a minimized startup command-line flag. The release continued expanding import support to compete with cloud-based password managers.

major · 2025-05-20

Trojanized KeePass Campaign Uncovered by WithSecure

WithSecure's threat intelligence team discovered that threat actors (attributed to UNC4696) had distributed trojanized KeePass installers via Bing and DuckDuckGo malvertising for at least eight months. The modified builds, dubbed 'KeeLoader,' retained full password management functionality but installed Cobalt Strike beacons and exfiltrated database contents. The campaign led to VMware ESXi ransomware attacks. The genuine KeePassXC project was not compromised.

minor · 2025-11-09

KeePassXC Clarifies AI Code Contribution Policy

After community concerns about AI-generated code being accepted into the project, KeePassXC published a detailed blog post clarifying its code quality control process. The team stated that AI assists developers during review and drafting but no AI-generated code is merged without rigorous human review and maintainer sign-off. Significant AI use in pull requests must be disclosed and labeled.

critical · 2025-11-17

ANSSI Awards KeePassXC CSPN Security Certification

France's National Cybersecurity Agency (ANSSI) awarded KeePassXC version 2.7.9 its CSPN (First-level Security Certification) visa (report ANSSI-CSPN-2025/16), evaluated by Synacktiv. The certification is valid through November 2028 and is recognized internationally by the German BSI. This marked the first time a community-driven open-source password manager received formal government security certification.

minor · 2025-11-23

Version 2.7.11 Adds KeeShare Group Sync and Attachment Viewer

KeePassXC 2.7.11 introduced inline attachment viewing for images, HTML, and Markdown, text file editing in attachments, database merge confirmation dialogs, KeeShare group structure synchronization (previously only entries synced), and automatic password generation for new entries. The release addressed a longstanding KeeShare limitation that only entry-level synchronization was supported.

minor · 2026-03-10

Version 2.7.12 Adds DLL Injection Protection and Bitwarden Nested Folders

KeePassXC 2.7.12 added mitigations to prevent DLL injection attacks via malicious OpenSSL config files on Windows, support for nested folders in Bitwarden imports, TOTP as an Auto-Type placeholder, and proper passkey backup eligibility flag storage. The DLL protection was a direct response to the trojanized KeePass supply chain attacks discovered in 2025.

Evidence (37 citations)
Scoring Log (3 entries)
Deep Enrichment · 2026-03-15
Alternatives Review · 2026-02-21 · GOOD
Initial Scoring · 2026-02-19