Password Management with KeePassXC
Most people reuse passwords. They know they shouldn’t, but managing dozens of unique, strong passwords without help is impractical. A password manager solves this — it generates, stores, and fills passwords for you, all protected by a single master password.
KeePassXC is a free, open-source, offline password manager. Unlike cloud-based alternatives like 1Password or Bitwarden, your passwords never leave your machine. There is no account, no subscription, and no server that could be breached. Just an encrypted file on your disk.
This guide covers setting up KeePassXC on macOS.
Why KeePassXC
There are many password managers. Here’s why KeePassXC stands out:
- Offline by design — your database is a local file, not stored on someone else’s server
- Open source — the code is publicly auditable, no hidden backdoors
- No account required — no email, no subscription, no cloud sync
- Cross-platform — available for macOS, Linux, and Windows
- KeePass compatible — uses the .kdbx format, supported by dozens of apps
- Browser integration — auto-fill passwords in Safari, Firefox, and Chromium-based browsers
- TOTP support — store two-factor authentication codes alongside your passwords
- Passphrase generator — create strong, memorable passphrases with the built-in generator
The trade-off: you are responsible for backing up your database. There is no “forgot my password” option and no cloud sync unless you set it up yourself.
Installing KeePassXC on macOS
Download the latest .dmg from keepassxc.org. Open the disk image and drag KeePassXC to your Applications folder.
On first launch, macOS may block the app because it’s not from the App Store. Go to System Settings > Privacy & Security and click Open Anyway.
Alternatively, install via Homebrew:
brew install --cask keepassxc
Creating Your Database
Launch KeePassXC and click Create New Database.
- Name your database — something simple like “Passwords” works fine
- Set encryption settings — the defaults (AES-256, Argon2id) are strong and recommended. You can increase the transform rounds under Encryption Settings for extra protection, but the defaults are fine for most users.
- Choose a master password — this is the most important password you’ll ever create
Choosing a Good Master Password
Your master password protects everything. It should be:
- Long — at least 16 characters, ideally more
- Memorable — you’ll type this daily, so don’t make it impossible to remember
- Unique — never used anywhere else
A good approach is a passphrase — four or more random words strung together:
correct horse battery staple
Add some variation (numbers, capitalization, symbols) to make it even stronger:
Correct-Horse-Battery-Staple-42
Write it down on paper and store it somewhere safe until you’ve memorized it. Then destroy the paper.
Optional: Key File
For additional security, you can add a key file — a small file that acts as a second factor. The database can only be opened with both the master password and the key file.
If you use a key file:
- Store it on a USB drive or separate location from the database
- Back it up — if you lose the key file, you lose access to your database
- Never store the key file in the same folder as the database
Organizing Your Entries
KeePassXC organizes passwords in groups (folders) and entries. A good structure might look like:
Passwords
├── Email
├── Financial
├── Social Media
├── Shopping
├── Work
├── Servers
└── Recovery Codes
To create a new entry, select a group and press Cmd+N or click the + icon:
- Title — the name of the service (e.g. “GitHub”)
- Username — your login name or email
- Password — click the dice icon to generate a strong password
- URL — the login page URL (used for browser auto-fill)
- Notes — any additional info (recovery codes, security questions)
Generating Strong Passwords
Never invent passwords yourself. Use the built-in generator for every new account.
Click the dice icon next to the password field, or go to Tools > Password Generator. You can choose:
- Random password — a string of random characters (e.g. k7$mQ!9xPn@2vL)
- Passphrase — random words separated by a delimiter (e.g. timber-ocean-giraffe-puzzle)
For most accounts, a random password of 20+ characters with upper/lowercase, digits, and symbols is ideal. You never have to remember these — KeePassXC fills them in for you.
For passwords you occasionally type manually (like Wi-Fi), use a passphrase instead.
Browser Integration
KeePassXC can auto-fill passwords in your browser through its browser extension.
Setup
- In KeePassXC, go to Settings > Browser Integration
- Enable KeePassXC-Browser integration
- Check the browsers you use (Safari, Firefox, Chrome, Brave, etc.)
- Install the KeePassXC-Browser extension from your browser’s extension store
- Open the extension and click Connect — KeePassXC will ask you to confirm the connection
Usage
When you visit a login page:
- The KeePassXC-Browser icon shows a number badge if matching entries exist
- Click the icon or press the keyboard shortcut to auto-fill
- If multiple entries match, you’ll be asked to choose
For this to work, the URL field in your entries must match the website. KeePassXC matches by domain, so https://github.com/login will match an entry with URL https://github.com.
Storing Two-Factor Authentication (TOTP) Codes
KeePassXC can generate time-based one-time passwords (TOTP), the six-digit codes typically handled by apps like Google Authenticator.
To add TOTP to an entry:
- Right-click the entry and select TOTP > Set up TOTP
- Enter the secret key (the text code shown when setting up 2FA on a website — usually available as an alternative to scanning the QR code)
- Click OK
Now you can view the current code by right-clicking the entry and selecting TOTP > Copy TOTP or pressing Ctrl+T.
A note on security: Storing TOTP secrets in the same database as your passwords means both factors are in one place. This is less secure than a separate device but still far better than no 2FA at all. If this concerns you, use a separate TOTP app for high-value accounts (banking, email).
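To make the note above concrete, here is how a six-digit code is derived from the stored secret key under RFC 6238. This is an added example, not KeePassXC's own code; the function name `totp` and the sample secret (the RFC's published test key) are chosen for illustration. Anyone who can open the database holds this secret and can compute every future code, which is why both factors end up in one place.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(secret_b32: str, at: Optional[float] = None,
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme behind the usual six-digit codes."""
    # Sites show the secret in Base32, often lowercase and grouped with spaces.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that sites strip
    key = base64.b32decode(cleaned)

    # The moving factor is the number of whole periods since the Unix epoch,
    # so the code only changes when the clock crosses a 30-second boundary.
    now = time.time() if at is None else at
    counter = int(now // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()

    # Dynamic truncation (RFC 4226): the low nibble of the last byte selects
    # a 4-byte window; the top bit is masked off to keep the value positive.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32,
# grouped the way many sites display it.
SAMPLE_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    print("current code:", totp(SAMPLE_SECRET))
```

The code depends only on the secret and the clock, so a device whose time drifts by more than a period will produce codes the website rejects.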
Backing Up Your Database
Your database file is everything. If you lose it, you lose all your passwords. Back it up regularly.
Where is your database? By default, wherever you saved the .kdbx file. A common location is ~/Documents/Passwords.kdbx.
Backup strategies:
- External drive — copy the .kdbx file to a USB drive or external SSD periodically
- Second machine — keep a copy on another computer you control
- Encrypted cloud storage — the database is already AES-256 encrypted, so storing it on iCloud, Dropbox, or a NAS is reasonable — your master password protects it even if the cloud is compromised
What to back up:
- The .kdbx database file
- The key file (if you use one) — store it separately from the database
- This guide doesn’t help if you forget your master password — consider storing a hint in a sealed envelope in a safe place
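One way to script the periodic copy described above, as an added example that is not part of KeePassXC. The function names and paths are hypothetical. It writes a timestamped copy, reads it back to confirm it matches the source, and refuses to run if the key file sits in the same folder as the database or its backup.

```python
import hashlib
import shutil
import time
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large databases do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_database(db: Path, dest_dir: Path,
                    key_file: Optional[Path] = None) -> Path:
    """Copy db into dest_dir under a timestamped name and verify the copy."""
    db, dest_dir = db.resolve(), dest_dir.resolve()
    if not db.is_file():
        raise FileNotFoundError(db)
    if key_file is not None:
        # The guide's rule: the key file never shares a folder with the
        # database. Apply it to the backup destination as well.
        if key_file.resolve().parent in (db.parent, dest_dir):
            raise ValueError("key file shares a folder with the database or its backup")
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    target = dest_dir / f"{db.stem}-{stamp}{db.suffix}"
    shutil.copy2(db, target)
    # Read the copy back: a backup that was never verified may not restore.
    if sha256_of(target) != sha256_of(db):
        target.unlink()
        raise OSError("backup copy does not match the source database")
    return target


if __name__ == "__main__":
    # Hypothetical paths; adjust to where the database and drive actually live.
    source = Path.home() / "Documents" / "Passwords.kdbx"
    print(backup_database(source, Path("/Volumes/BACKUP/keepass")))
```

Timestamped names keep older copies, so a corrupted or mistakenly edited database does not overwrite the last good backup.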
Migrating from Another Password Manager
If you’re switching from another password manager, KeePassXC can import from:
- CSV files — most password managers can export to CSV (1Password, Bitwarden, Chrome, Firefox, LastPass)
- KeePass 1.x databases (.kdb)
To import: Database > Import > CSV File. Map the columns (title, username, password, URL) and review the result.
Important: After importing, delete the unencrypted CSV file securely. It contains all your passwords in plain text.
Tips for Daily Use
- Lock your database when stepping away: Cmd+L or set auto-lock in Settings > Security (e.g. after 5 minutes of inactivity)
- Use the search — press Cmd+F to quickly find any entry
- Enable clipboard clearing — KeePassXC can automatically clear copied passwords from the clipboard after 10 seconds (Settings > Security)
- Keep the app running — the browser extension only works while KeePassXC is open and unlocked
- Update regularly — KeePassXC receives frequent security and feature updates
Quick Reference
| Task | How |
|---|---|
| Create new entry | Cmd+N |
| Search entries | Cmd+F |
| Copy password | Cmd+C (with entry selected) |
| Copy username | Cmd+B |
| Copy TOTP | Ctrl+T |
| Lock database | Cmd+L |
| Generate password | Click dice icon in entry editor |
| Auto-fill in browser | Click extension icon on login page |