Password Management
The virtue of being forgetful
I suck at passwords. To be fair, so does everyone else. Everyone else being bad at passwords doesn’t help me, though. It only increases my awareness every time I hear about the latest data-breach, password leak, or programming error.
The thing is, I know what I should be doing, but the one-two punch of laziness and procrastination constantly seem to beat me into submission.
I know I should be:
- using a password of good complexity and high entropy.
- using a completely different password for each login.
- expiring passwords occasionally.
The problem is that doing those things is hard. I rely on muscle-memory helping me with passwords that I have to use multiple times every day. I have trouble remembering my anniversary date, much less the complex password for a website I log into once per quarter (October 25th in case my wife is reading). I can measure some of my password ages in years.
Sure, I can abuse the “Forgot Password?” button on any of the myriad of sites I might visit and forget about, but that wreaks havoc when I have accounts tied to apps. Particularly mobile/phone apps.
Luckily, there is a solution.
Password Managers
I avoided using a password manager for a long time. I’m not really sure why. Partially out of paranoia and FUD, and probably a bit of worry in giving up control over so many logins. The trick was to realize that I’d be able to replace all of my usernames+passwords with a single master password.
I had a couple of convenience factors that I needed to be available before I could make the switch, though:
- Ubiquity
I need a client across any OS I might be using, including my phone - Integration
As much as possible, integrate with my browser or at least be easy to get my passwords - Free Software - because duh
There are several well-regarded options for password managers out there, including popular ones like LastPass and 1Password but they’re not Free Software.
KeePassXC
After a big of digging I finally heard enough good comments about KeePassXC that I figured it was worth a shot. After about two months of using it, my main thought is: why on earth did I wait so long to do this?
The project is Free Software (GPL) and was forked from KeePassX due to stalled response from its single maintainer.
It keeps your passwords in a local encrypted file (AES, Twofish, ChaCha20). They’ve got clients for all the major OS and there’s an iOS app (MiniKeePass (iTunes), also GPL). There’s also a browser extension that communicates with the client allowing access to passwords right in the browser, securely. If the URL is listed with my database entry, it prompts to fill in the username/password for me when I visit the site.
It’s now trivially easy for me to make all of my passwords quite complex (or at least with a nice high entropy of at least 90bits or more). If I’m really concerned about possibly having to manually enter the password somewhere else, I can make arbitrarily long and random passphrases as well (i.e., cold riverbank outcome shrubbery display stoplight upfront).
What’s great is that thanks to my new Nextcloud server, I keep the password file there to sync with all of my machines (even my iPhone). It’s also wild to see just how many logins/passwords you accumulate in your digital life (I’m up to about 65 unique entries at the moment - and most of those would have been variations or the same password not too long ago!).
KeePassXC Browser Integration
The most important part of making this a frictionless adoption is having integration with your browser. Luckily the KeePassXC team have created browser extensions for both Chrome and Firefox to make it trivially easy to use. With the extension installed you can just visit a site and if you have an entry for it in KeePassXC it will prompt you to automatically fill in the username and password.
There’s a Chrome extension as well as a Firefox extension available. They both allow for encrypted message passing between the browser and the KeyPassXC application. This is similar to having the browser remember passwords for you but with the benefit of being cross-browser compatible if you need that sort of thing as well as allowing you to store arbitrary passwords for things not related to a web login.
The extension also offers to add usernames/passwords for you if it’s for a site that is not currently in the database, which is a nice touch.
Easy on the Brain
Ultimately what this means is that my cognizant load can be reduced by quite a bit. I only need to remember one good passphrase/password. In the case of my phone, I can even let biometrics manage that for me. All while my actual passwords can be much more complex and safer.
If you want to take a huge burden off your digital life while making your world more secure at the same time, I’d highly recommend checking out a password manager (seriously, KeePassXC has been great but go with whatever you’re comfortable with).
Addendum
It was pointed out to me after publishing this by @older@mastodon.host on Mastodon that KeePassXC is one of the tools that the EFF recommends for Surveillance Self Defense (this entire site is well worth a read).
