Password Managers with KeePassXC: Migration, 2-Factor Auth, and Pro Tips

I’d far rather be happy than right any day, Douglas Adams, The Hitchhiker’s Guide to the Galaxy

Password managers

Password managers are used to keep all your passwords safe. They store and manage all your passwords, so you don’t need to try to memorize a bunch of unique, complex passwords for all of your personal and work accounts. You only need to remember one password, the one to your password manager. They can generate complex passwords for you. You can also set your password manager to log in to sites automatically.

KeePassXC

KeePassXC is a free cross-platform password manager.

1. Installation. KeePassXC. macOS: brew install ‐‐cask keepassxc. Debian, Ubuntu: sudo apt install keepassxc. Arch: sudo pacman -S keepassxc
2. Export LastPass Vault’s data. A. Using Firefox, go to LastPass: Advanced, Export, LastPass CSV File and save it as a CSV file. B Import it in KeePassXC: Database, Import, CSV File. Database Name: Passwords. Save it (Passwords.kdbx) in Google Drive/Dropbox/etc. Import CSV Fields. Check column association (Username: Column3, Password: Column 4, URL: Column 5, etc. it may vary).
3. Use it in your favorite browser. Launch KeePassXC, select the Settings option or the cog wheel icon from the Tools menu, and then, Browser Integration, Enable browser integration. In the General tab: Enable integration for these browsers: Chrome, Firefox, Brave, etc. Open your browser, install the extension KeePassXC-Browser, and connect it to KeePassXC. Give the connection a unique name, then click on Save and allow access.
4. Use KeePassXC in your phone, too. Install the Keepass2Android Password Safe app. Open file…, Google Drive/Dropbox/etc., Select Passwords.kdbx, Type your Master Key.

Set up 2FA TOP with KeepassXC.

Smartphone-based apps like Google Authenticator are convenient, but they come with serious risks —especially when it comes to device loss. If someone hasn’t backed up their codes or enabled syncing, they could find themselves locked out of everything.

Using a desktop-based 2FA manager like KeePassXC definitely gives more control. You can store and back up your TOTP secrets as part of your encrypted password database.

That said, for even stronger resilience and convenience, some people combine both: they store the TOTP secrets offline (on a piece of paper) or on KeePassXC securely (save the one-time backup codes, too) and use a mobile authenticator for everyday access. It’s a bit of extra setup, but worth it if your accounts are mission-critical.

To use a QR code file for two-factor authentication (2FA) in your system and integrate it with KeePass, you’ll typically be scanning the QR code to extract a secret key used for generating Time-based One-Time Passwords (TOTP). KeePass supports TOTP generation directly, so once you have the secret from the QR code, you can store it securely in your KeePass database.

When you’re in the Google Account security settings and setting up 2-Step Verification, after selecting the authenticator app option, you should see an option to “Can’t scan the QR code?” or “Enter setup key”. This will reveal the secret key. Then, you can jump to step 4.

• Step 1: Install Required Tools. ZBar is an open source software suite for reading bar codes from various sources.

  sudo pacman -S zbar # Install the zbar package (Arch).
  sudo apt-get install zbar-tools #  Ubuntu, Debian, or similar.
  nix-shell -p zbar # NixOS (temporary shell)
  # NixOS (permanent installation)
  # Add to your configuration.nix:
  environment.systemPackages = with pkgs; [
      zbar
  ];
  # Then, rebuild your system.
  sudo nixos-rebuild switch
  

• Step 2: Scan the QR Code

  zbarimg qrcode.png # Decode the QR code
  # Example Output
  QR-Code:otpauth://totp/Example:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
  

• Step 3: Extract the Secret Key, e.g., JBSWY3DPEHPK3PXP
• Step 4. Add the Secret to KeePassXC. Launch KeePassXC, open and unlock your database, right-click on the entry you want to add the 2FA, go to the TOTP tab. Click “Add”. Paste the secret key (JBSWY3DPEHPK3PXP) into the field.

Using Your TOTP Codes

• To view your TOTP Code, right-click on the entry, select TOTP, Show TOTP. The current code will be displayed with a countdown timer.

• To transfer it to Mobile Authenticator. Select the entry that contains the secret key, go to TOTP, Show QR Code. Scan this QR code with your mobile authenticator app.

Pro Tips and Best Practices

1. Export your KeePassXC database regularly and store your backups securely.
2. Print and save backup codes and secret keys provided by online services.
3. Test your backups periodically to ensure they work (mission-critical).
4. Consider setting up multiple ways to access your accounts: primary (KeePassXC on your main computer), secondary (Mobile authenticator app), and backup (offline, print your secret keys and backup codes).
5. Use a strong master password for your KeePassXC database. Enable key file authentication for additional security. Store your database on encrypted storage.