KeePassXC

[nfraprado]

Objective

The tests were chosen to evaluate features or menus on the KeePassXC that seemed less intuitive to use or to find.

Requirements

Environment

• Where the tests should run? Latest release, version 2.6.2
• Preparation: A database should be provided with a (simple) password already configured, like 123, and containing a few entries, some of which should contain frequently used passwords, like 123.
• Instructions to get this interface: "Create new database" > "Continue" > "Continue", enter 123 password and "Done". Then inside the database, click the plus icon, choose some Title, enter a password and click "OK". Do this a few (3-5) times.

User profile

Mainly users new to the program or that haven't used anything other than the basics.

Test design

Tasks

1. Change the database password
2. Generate new random password
3. Use the Auto-Type feature
4. Check leaked passwords with Have I Been Pwned

Scenarios

1. You accidentally exposed the current password for your database, and to prevent possible leaks you need to change it. Expected behavior: "Database" > "Database settings" > "Security" > "Change Password", enter the new password twice and "OK".
2. You want to create a new account on a website, and to make it very secure, you need to generate a new random password for it. Expected behavior: Click on the plus icon (or "Entries" > "New Entry...") then on the Password field, click on the dice icon and click on "Apply Pasword" and "OK".
3. You were creating a new account on a website and you noticed that it doesn't allow you to paste the password from the password manager into the field, so you need the password manager to type it in for you. Expected behavior: Select password entry and click the keyboard icon (or "Entries" > "Perform Auto-Type") Note: The user should be instructed to open a second window with a browser or terminal to act as the website being inputted into
4. You learned that an online service you use suffered a big password leak, and since you learned from a friend that KeePassXC can give you this information, you need to check if one of your passwords were part of the leak. Expected behavior: "Database" > "Database Reports..." > "HIBP" > "Perform Online Analysis".

[nfraprado]

Users tested

5 users:

• 1 with no previous password manager experience.
• 2 users of other password managers, but with no previous experience with KeePassXC.
• 2 KeePassXC users.

Results

Task 1

4 of 5 participants succeeded.

What went well?

After the users reached the "Database Settings" screen, they easily found where and how to change the database password.

What were the challenges?

Almost all users were expecting to find it under the "Settings" menu displayed as a Gear icon on the top bar, but that shows global application settings instead.

On top of that, opening that menu makes the options on the "Database" drop-down menu, which contains the "Database Settings" menu, unavailable. That made it a lot harder for users to reach the right menu after entering this one, since then they first needed to understand that they needed to leave it and only then go to the right one.

Additionally, there was a bit of difficulty in finding the "OK" button, as it was all the way at the bottom of the screen, and users expected to find it where the "Cancel" button right below the password fields was.

Conclusions

The Gear icon should also lead to the database settings.

The application settings shouldn't disable the "Database" drop-down menu.

Task 2

5 of 5 participants succeeded.

What went well?

As soon as the users reached the "New Entry" screen they found it easy to create a new entry, including clicking the little die icon to generate a random password.

What were the challenges?

A few users clicked on the Die icon on the top bar to generate the random password, but that screen doesn't allow the user to save the password to a new entry, only to copy it to the clipboard and to exit the screen. The users that entered this screen would generate the password, copy it to the clipboard, notice there wasn't a way to save it, then exit and go to the "New Entry" menu, where they would finally discover the little die icon on the password field to generate a random password for the new entry.

Conclusions

The "Password Generator" screen under the die icon should have a button to save the generated password to a new entry.

Task 3

4 of 5 participants succeeded.

What went well?

The Keyboard icon on the top bar was very intuitive for the Auto-Type function. It was also easy to find this feature right-clicking an entry.

What were the challenges?

The users generally weren't expecting the program to automatically change to the last focused window, and would try to focus the field on the browser themselves after starting Auto-Type.

Conclusions

None.

Task 4

4 of 5 participants succeeded.

What went well?

After the users finally reached the "HIBP" screen, which shows a "CAUTION" note explaining the risks of the feature and asks for confirmation from the user, they understood they had found the feature.

What were the challenges?

The users weren't expecting the program to have this feature at all. After explaining that it was present, the feature was always searched for first under the Tools drop-down menu.

The users took a lot of time to click on "Database Reports", as it seemed something more like passive statistics for the database. In this screen, the name "HIBP" wasn't informative, but users tried clicking on it as there were only 3 options. The users only understood they were on the right screen after reading the "CAUTION" note.

Additionally, users had a bit of difficulty exiting this screen, as the "Close" button was all the way down at the bottom of the screen.

Conclusions

The "HIBP" screen should be moved under the "Tools" drop-down menu, as well as be renamed to something more immediately recognizable not only for those who are familiar with the "Have I Been Pwned" service. Something generic like "Password leaks".