KeePassXC security audit published, recommends this security setting

Martin Brinkmann
Apr 16, 2023

KeePassXC is a popular password manager for Windows, Mac and Linux that uses the KDBX file format from the password manager KeePass.

The developers of KeePassXC have published the results of a security audit on their website yesterday. The audit was conducted by Zaur Molotnikov, who is a Munich-based software engineer. Molotnikov's CV is listed on his website.

The audit was conducted free of charge, and while there is some rumbling about potential conflicts of interests on Hacker News, it is irrelevant for the purpose of the article that you are reading now.

Interested users may check out the full audit report here. The author makes several suggestions to the KeePassXC development team and also to users of the application. A core suggestion is to make sure that the latest database format is being used.

How to verify the KeePAssXC database format

keepassxc encryption

KeePassXC users have two options during the creation of a new database in regards to the format. The application supports KBSX 3 and KBDX 4, with version four the more advanced format.

The makers suggest to users to use the latest format, by marking it as recommended. This is also the recommendation of KeePass. In fact, the only reason for selecting KDBX 3 is backwards compatibility.

KeePass users, regardless of which port they use, often use different applications to bring support to their other devices. There are several Android apps available, and if one of these does not support the KDBX 4 database format, the less secure database format three needs to be used.

Long-time users of KeePassXC may also use the older format. The new format includes major security improvements, such as support for Argon2 or improved header and data authentication.

KeePassXC users may verify the used database format in the following way:

  1. Open KeePassXC and unlock the password database that you want to check.
  2. Select Database > Database Security.
  3. Switch to Encryption Settings.
  4. Check the Database format option.

If you see KDBX 3, the old format is used. Switching to the new format is a matter of a few clicks. You may copy the database file on the computer's hard drive first for backup purposes. All data should remain accessible though and the process is quick.

  1. Select KDBX 4 (recommended) from the menu.
  2. Select OK.

That is all to it. The new database format offers better security and should be used, unless compatibility stands in the way; this is actually true for all applications that use the KeePass database format to protect user secrets.

Now You: do you use KeePassXC, KeePass, or another program?

KeePassXC security audit published, recommends this security setting
Article Name
KeePassXC security audit published, recommends this security setting
KeePassXC users may verify the database file format that the password manager uses and upgrade it, if an older, less secure version is still used.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Techie said on April 17, 2023 at 3:25 pm

    Thanks for the share. I use keeweb as most of the work happens within the browser.

  2. Vadx said on April 17, 2023 at 1:36 pm

    I chose keepass because I can keep the file local. No cloud involved and with the browser extension it’s simple to use.

  3. Mike Lippert said on April 17, 2023 at 12:50 am

    I have used KeePassXC for years now. It is exactly what I want in a password manager. My passwords in a local file completely under my control.

    Good to know about the DB format, since my DB was created years ago, I’ll have to check that I’m using the latest version.

  4. Devastator said on April 16, 2023 at 11:32 pm

    And they publish those news after 3 months.
    Thats makes no sense.

  5. dave said on April 16, 2023 at 10:19 pm

    I’ve used KeePass for about 16 years now and I’m still discovering and utilizing features. I still prefer it over KeePassXC, even on Linux, due to those features I’ve come to rely on. But I’m sincerely grateful for projects like these.

  6. Haakon said on April 16, 2023 at 9:37 pm

    Me also with Argon2d (KDBX-4 – recommended).

    I forgot what the default is, but I think I chose Twofish over AES or ChaCha.

    I thought I should leave the rounds, memory and parallelism settings at default (10, 256, 2).

    Thanks Martin!

    1. Haakon said on April 16, 2023 at 9:46 pm

      Oh yeah. My password is 22 characters long, a obscure lyric with a case, numeral and character mixture I can remember, and have remembered, and at this point it’s as much muscle memory as well when I type it in.

  7. Ben said on April 16, 2023 at 2:15 pm

    The info in the article is too shallow.

    1. Martin P. said on April 16, 2023 at 9:13 pm


      What’s missing then?

      1. TXNerd said on April 17, 2023 at 4:51 am

        I tend to agree… the entire article is to inform to use KDBX4 format. Nothing else beyond the default format for the DB.

    2. David said on April 16, 2023 at 6:14 pm

      The level of information in this article is fine. A link to details is provided for those who want to know more than the takeaway: “use the KBX4 format”. If the link were not provided, I might have agreed with you.

  8. ard said on April 16, 2023 at 8:12 am

    yes, I do use KeepassXC. thanks for the details of the test. checked the format and luckily I am already using the newer “4”format. thanks

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.