Password Management for Tor Users — KeePassXC Guide
Strong, unique passwords are the foundation of online security, especially for Tor users who maintain multiple anonymous identities. Cloud-based password managers like LastPass and 1Password require accounts tied to your identity and sync data to servers you do not control. KeePassXC is the privacy-respecting alternative: fully offline, open source, and compatible with any operating system including Tails and Whonix.
Why Cloud Password Managers Are a Risk for Tor Users
Cloud-based password managers like LastPass, 1Password, and Bitwarden store your encrypted vault on their servers. While the vault is encrypted, these services know your email address, IP addresses, device fingerprints, and when you access your passwords. For Tor users maintaining anonymous identities, this metadata is a significant liability.
If a cloud password manager is compromised — as LastPass was in 2022 — attackers obtain encrypted vaults that they can attempt to brute-force offline. The breach also exposed customer email addresses, billing information, and vault metadata. For anonymous users, even the existence of an account is a data point that should not exist.
KeePassXC stores your password database as an encrypted file on your local device. There is no account, no cloud sync, no server, and no metadata leakage. The database file can be stored on an encrypted USB drive, backed up to encrypted storage, or synced between devices using OnionShare or any file transfer method you trust.
Setting Up KeePassXC for Anonymous Operations
Install KeePassXC from your distribution's package manager or download it from keepassxc.org. On Tails and Whonix, KeePassXC is pre-installed. Create a new database with a strong master password — at least 20 characters using a passphrase format (e.g., four or more random dictionary words).
Enable the key file option for two-factor protection. KeePassXC can require both your master password and a separate key file to unlock the database. Store the key file on a different device or USB drive than the database. This way, compromising either the database file or the key file alone is insufficient to access your passwords.
Configure KeePassXC's password generator to create strong, unique passwords for every account. Use 24+ character passwords with mixed case, numbers, and symbols for anonymous accounts. For Tor hidden service credentials and cryptocurrency wallets, use the maximum length supported by the service.
Organizing Passwords for Multiple Identities
Tor users often maintain multiple online identities that must never be linked. KeePassXC supports groups and tags to organize passwords by identity. Create separate groups for each pseudonym — for example, one group for your activist identity, another for your journalist identity, and a third for personal accounts.
Consider using entirely separate KeePassXC databases for identities that must remain compartmentalized. If one database is ever compromised, the other identities remain protected. Store each database on a separate encrypted volume or device.
KeePassXC also supports TOTP (time-based one-time passwords) for two-factor authentication. While storing 2FA codes in the same database as passwords reduces the security of 2FA to single-factor, it is more practical than using a phone-based authenticator for anonymous accounts that should not be linked to a phone number.
Secure Your Digital Life with AnubizHost
Strong passwords protect your accounts, and strong infrastructure protects your services. AnubizHost offers Tor-optimized VPS hosting on offshore servers in Iceland, Romania, and Finland. Deploy any privacy-focused service — password sync servers, encrypted file storage, or communication tools — on infrastructure that respects your anonymity.
Need a private Bitwarden/Vaultwarden instance accessible only as a Tor hidden service? Deploy it on AnubizHost with full root access, NVMe SSD storage, and DDoS protection. Your self-hosted password vault, accessible only through Tor, with no third-party data exposure.
Pay with Monero, Bitcoin, or other cryptocurrencies. No KYC, no ID verification, no personal data collected. Protect your credentials and your infrastructure simultaneously with AnubizHost's Tor hosting plans.