sconewrong

Syncing Passwords

I've been banging the drum for password managers ever since some poor sign-up decisions in the past resulted in my primary email address appearing in no fewer than four known breaches on Have I Been Pwned.

It feels as if, as a society, we are moving in the right direction: a lot of people around me have at least heard of online password managers such as LastPass, the desktop and mobile browsers (Chrome, Firefox) bombard us with offers to save our passwords for future use, and 1Password is becoming a staple in commercial organisations.

There is a certain level of discomfort, though perhaps an overly cautious one, in asking a commercial company to look after something as precious as your passwords. The reality is that they use broadly the same underlying protection as any password manager: the database of passwords is encrypted under a key derived from your master password, so the stored data is meaningless without it, and in that sense whether it lives locally or in the cloud matters less than it first appears. The caveat is that a vault held by a third party can be copied in a breach and attacked offline at leisure, so the protection is only as good as the master password and the work factor of the key derivation function that stretches it.

For me personally, I feel more comfortable storing the database itself locally and having the transparency of knowing exactly how it is used. This isn't without issue: I'm still exposed to a malicious or buggy client application that opens the database, and backups are now my responsibility. Another consideration in what I present here is that it is a free solution, which is not always true of the cloud options.


For the last couple of years I have used a KeePass 2.x database on my personal MacBook using the KeePassX application. It has amassed an impressive collection of credentials over the years, with me adding new entries whenever I either forget a password or discover that an insecure old password was used. My master password is long, but memorable to me, especially as I need to type it often.

On occasion I have accessed the database by copying the kdbx file to my work PC via Google Drive and decrypting it locally. As described above this is acceptable because the database is encrypted and inaccessible without the master password (assuming a strong one; the file's ciphertext is all that Google ever sees). Keeping the database up to date across the two devices via Google Drive is tricky (without installing additional software, anyway), so I generally adopted the rule that my MacBook database file is the master and everything else is just a copy (so no adding credentials away from my MacBook!).
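The "encrypted, so the ciphertext is safe to hand to Google" argument above rests on the master password and on how hard the key derivation function makes guessing it. Both the cipher and the KDF settings live in the unencrypted outer header of a KDBX 4 file, so they can be checked without the master password before a copy is ever uploaded. The script below is an added example written for this post, not code from KeePass, KeePassX or KeePassDX; it follows the KDBX 4 outer-header layout and the cipher/KDF identifiers published in the KeePass sources, and the sample header it builds for testing is constructed here (zero seed and IV) rather than being a real vault. The `is_weak` thresholds are this example's own rule of thumb, not a KeePass recommendation.

```python
"""Inspect the unencrypted outer header of a KeePass 2.x (KDBX 4) database.
Added example for this post, not code from KeePass/KeePassX/KeePassDX.  Layout and
identifiers follow the KDBX 4 format as published by KeePass; the header returned by
build_sample_header() is constructed (zero seed/IV) and is not a real vault."""
import struct, sys, uuid

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB67B5B85
HDR_END, HDR_CIPHER, HDR_COMPRESSION, HDR_MASTER_SEED, HDR_ENC_IV, HDR_KDF = 0, 2, 3, 4, 7, 11
CIPHERS = {uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
           uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20"}
KDFS = {uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
        uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
        uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id"}
VD_NUMERIC = {0x04: "<I", 0x05: "<Q", 0x08: "<?", 0x0C: "<i", 0x0D: "<q"}  # 0x18 str, 0x42 bytes

def parse_variant_dict(buf):
    """Decode the VariantDictionary holding the KDF parameters ($UUID, S, P, M, I, V or R)."""
    (version,) = struct.unpack_from("<H", buf, 0)
    if version & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0x00:                       # a 0x00 type byte terminates the dictionary
        vtype = buf[pos]
        (nlen,) = struct.unpack_from("<I", buf, pos + 1)
        name = bytes(buf[pos + 5:pos + 5 + nlen]).decode("utf-8")
        pos += 5 + nlen
        (vlen,) = struct.unpack_from("<I", buf, pos)
        raw = bytes(buf[pos + 4:pos + 4 + vlen])
        pos += 4 + vlen
        if vtype in VD_NUMERIC:
            out[name] = struct.unpack(VD_NUMERIC[vtype], raw)[0]
        elif vtype in (0x18, 0x42):
            out[name] = raw.decode("utf-8") if vtype == 0x18 else raw
        else:
            raise ValueError("unknown VariantDictionary type 0x%02x" % vtype)
    return out

def parse_outer_header(data):
    """Return {field_id: bytes} up to EndOfHeader.  A real file then carries the header's
    SHA-256, its HMAC-SHA256 (keyed from the master key) and the encrypted payload."""
    sig1, sig2, _minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    if major != 4:
        raise ValueError("only KDBX 4 headers are handled here")
    pos, fields = 12, {}
    while HDR_END not in fields:
        ftype, flen = struct.unpack_from("<BI", data, pos)
        fields[ftype] = bytes(data[pos + 5:pos + 5 + flen])
        pos += 5 + flen
    return fields

def summarise(data):
    """Cipher and KDF work factor, readable without the master password."""
    fields = parse_outer_header(data)
    kdf = parse_variant_dict(fields[HDR_KDF])
    info = {"cipher": CIPHERS.get(uuid.UUID(bytes=fields[HDR_CIPHER]), "unknown"),
            "kdf": KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")}
    if info["kdf"].startswith("Argon2"):
        info.update(memory_mib=kdf["M"] // 2**20, iterations=kdf["I"], parallelism=kdf["P"])
    elif info["kdf"] == "AES-KDF":
        info["rounds"] = kdf["R"]
    return info

def is_weak(info, min_argon2_mib=64, min_argon2_iters=2, min_aes_rounds=1_000_000):
    """Rule of thumb (thresholds are this example's assumption, not a KeePass recommendation):
    a vault whose ciphertext may leak from cloud storage must not be cheap to brute-force."""
    if info["kdf"].startswith("Argon2"):
        return info["memory_mib"] < min_argon2_mib or info["iterations"] < min_argon2_iters
    if info["kdf"] == "AES-KDF":
        return info["rounds"] < min_aes_rounds
    return True                                   # unknown KDF: do not trust it

def _field(ftype, payload):
    return struct.pack("<BI", ftype, len(payload)) + payload

def _vd(vtype, name, raw):
    name = name.encode("utf-8")
    return struct.pack("<BI", vtype, len(name)) + name + struct.pack("<I", len(raw)) + raw

def build_sample_header(memory_bytes=64 * 2**20, iterations=2, parallelism=2):
    """Constructed KDBX 4 header (AES-256 + Argon2d) for testing; not a real vault."""
    kdf = struct.pack("<H", 0x0100)
    kdf += _vd(0x42, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes)
    kdf += _vd(0x42, "S", bytes(32)) + _vd(0x04, "P", struct.pack("<I", parallelism))
    kdf += _vd(0x05, "M", struct.pack("<Q", memory_bytes))
    kdf += _vd(0x05, "I", struct.pack("<Q", iterations))
    kdf += _vd(0x04, "V", struct.pack("<I", 0x13)) + b"\x00"
    hdr = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 0, 4)
    hdr += _field(HDR_CIPHER, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)
    hdr += _field(HDR_COMPRESSION, struct.pack("<I", 1))      # 1 = gzip
    hdr += _field(HDR_MASTER_SEED, bytes(32)) + _field(HDR_ENC_IV, bytes(16))
    return hdr + _field(HDR_KDF, kdf) + _field(HDR_END, b"\r\n\r\n")

if __name__ == "__main__":                        # python kdbx_header.py passwords.kdbx
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    report = summarise(blob)
    print(report, "WEAK" if is_weak(report) else "ok")
```

Run it against the real kdbx before it goes anywhere near Drive; if the KDF turns out to be AES-KDF with a small round count, or Argon2 with a few megabytes of memory, raise the work factor in the client's database settings first, since that is the only thing standing between a leaked copy and an offline guessing attack. Older KDBX 3.1 files use a different header layout and are rejected by this script rather than misreported.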

The reality of not always having my MacBook available when I either need to sign up to a new service or retrieve credentials (the 'forgotten my password' option being a nasty workaround under my 'master MacBook database' mantra) is what pushed me to find a good synchronised solution. There are four endpoints which require access to my password database:

  • Personal Macbook
  • Personal Windows Desktop PC
  • Personal Android Phone
  • Work Windows PC

On all endpoints I need not only to read the database but to write new credentials and have them synced. Use on my work PC is somewhat of an outlier, a nice-to-have for the odd task that needs completing at lunch; when considering synchronisation, any security restrictions on that machine must be taken into account.

I already use a password manager on my work PC for all my work-related passwords. That should stay put; I have no business with those passwords away from that PC. For this I use KeePass Password Safe (KeePass 2.x), which is compatible with the existing KeePass 2.x database I use on my personal MacBook.

So of my endpoints I have, at least, file-compatible solutions for Windows and Mac. The next tasks are to find a compatible Android solution and a sync method to connect them all together.


Accessing the KeePass 2.x database from my phone is something I've thought about for a while now. It may be an unfair stereotype, but for non-mainstream apps visions of clutter and ads come to mind, and introducing my database of secrets into this ecosystem makes my hands sweat.

What appears to be the standard go-to on Android is the KeePass2Android app; with a 4.5 rating from 27,000+ ratings at the time of writing it's clearly tried and tested. However, while browsing all the options I came across KeePassDX, which is equally well rated although by fewer users. The two are probably equally good candidates, but it was my reading of the latter's FAQ that made me pursue it: a natively programmed option which doesn't try to be anything other than a password manager (no online options or cloud integration).


Now that all platforms can open the password database file we come to the challenge of how to synchronise it between them. Perhaps the obvious option is Google Drive, through my existing use of the service for moving the database between home and work. Google Drive is massively popular and extensive documentation exists should one choose to go this route. The disadvantages are modest: you need a Google account, the vault's ciphertext sits with a third party, and the Drive clients don't merge concurrent edits, so two devices changing the file while offline leaves you with conflicting copies to reconcile by hand.

That said, when researching KeePass 2.x options on Android a popular pairing appeared to be with Syncthing. Self-described as a continuous file synchronisation program, Syncthing is open source and uses an open protocol to synchronise files directly between two or more computers rather than through a central store.

I found installation easy with the native wrappers (Mac: syncthing-macos, Windows: SyncTrayzor, Android: Syncthing). Setting up connections is simple: you provide the device ID (which is quite long, so a QR code is provided as a companion) of the device you want to share with, and on that device you confirm that the connection should be made. The device ID is derived from the device's own TLS certificate, so it is worth exchanging it carefully over a channel you trust; accepting the wrong ID means sharing the folder with the wrong device. Setting my phone as an 'introducer' saved me the separate setup between my MacBook and Desktop, since devices the introducer shares a folder with are added to the others automatically.

With regards to my work PC, I chose not to use Syncthing as this requires installing additional open source software, which I can accept at home but would not be my call at my organisation (maybe one day Syncthing will become as everyday in business as 1Password). I also like to keep work and home as separate as possible, and an auto-syncing folder just seems to be asking for trouble. Given the infrequent use I describe above, I have decided to keep the read-only Google Drive solution. Any of my other three devices can upload the latest synced database to Drive.

A service with centralised storage such as Google Drive might quickly become attractive again when you consider syncing between two or more devices that are not on at the same time. For example, I update some credentials on my MacBook and then turn it off, load up my desktop, and am surprised to find the update isn't there. That said, updates of this kind don't occur too often, and turning on my MacBook for a quick sync is hardly onerous.

In fact this issue goes away altogether if you include a device that is always on in your share network: your mobile phone. My phone is on 24/7, so it acts as a server in this scenario, and my updates always sync between the other connected devices. It is however worth checking that the sync with your phone has completed before turning off the device you wrote on. If the same database is changed on two devices while they are out of contact, Syncthing keeps both versions and renames one as a .sync-conflict copy rather than silently losing entries; that copy then has to be merged back into the live database (KeePass 2.x does this via File > Synchronize > Synchronize with File).
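Spotting those conflict copies is the part that is easy to forget, because the live passwords.kdbx keeps opening fine and the entries from the other device simply appear to be missing. The script below is an added example for this post, not Syncthing's or KeePass's own code: it relies only on Syncthing's documented naming for conflict copies (`<name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<short device ID>.<ext>`) and lists the copies belonging to one database, oldest first, so they can be merged one at a time. The directory listing it runs on is constructed for the example, as are the device IDs in it.

```python
"""Find and order Syncthing conflict copies of a synced KeePass database.
Added example for this post, not Syncthing's or KeePass's own code.  It relies only on
Syncthing's documented conflict-copy naming; the listing below is constructed."""
import re
from datetime import datetime

# Syncthing renames the losing version of a concurrently edited file to
#   <name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<first 7 chars of device ID>.<ext>
# Device IDs use the base32 alphabet (A-Z, 2-7), hence the character class.
CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-(?P<date>\d{8})-(?P<time>\d{6})"
    r"-(?P<device>[A-Z2-7]{7})(?P<ext>\.[^.]*)$")

# Constructed sample listing of a synced folder (not a real directory).
SAMPLE_LISTING = [
    "passwords.kdbx",
    "passwords.sync-conflict-20230415-214233-ABCDEFG.kdbx",
    "passwords.sync-conflict-20230301-081500-HIJKLMN.kdbx",
    "notes.sync-conflict-20230415-214233-ABCDEFG.txt",
    "passwords.kdbx.bak",
]

def find_conflicts(listing, db_name):
    """Return conflict copies of db_name as (timestamp, short device id, filename),
    oldest first, so each can be merged into the live database in turn.  Copies of
    other files in the same folder (different stem or extension) are ignored."""
    stem, _, ext = db_name.rpartition(".")
    found = []
    for name in listing:
        m = CONFLICT_RE.match(name)
        if m and m.group("stem") == stem and m.group("ext") == "." + ext:
            when = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S")
            found.append((when, m.group("device"), name))
    return sorted(found)

def safe_to_power_off(listing, db_name):
    """True only when no unmerged conflict copy of the database remains in the folder."""
    return not find_conflicts(listing, db_name)

if __name__ == "__main__":
    for when, device, name in find_conflicts(SAMPLE_LISTING, "passwords.kdbx"):
        print("%s  from %s  %s" % (when.isoformat(), device, name))
    print("safe to power off:", safe_to_power_off(SAMPLE_LISTING, "passwords.kdbx"))
```

Point it at the real synced folder with `os.listdir`, merge each listed copy into the live database, then delete the copies; until the list is empty, at least one device's edits are sitting in a file none of the KeePass apps will open by default.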


That's it: a couple of hours of Googling, some easy installation on all three devices, and I can finally reset the Spotify password I realised I'd forgotten when I tried to sign in on my new Windows desktop. Rabbit hole, maybe, but result achieved.
