Monday, January 29, 2018

Password Management

I've long maintained that the only sites that really need strong passwords are emails (because they let you reset other passwords) and financial sites.  I've memorized long random passwords for those sites, and I have a few similar passwords I use for the rest of things.  I've never been too concerned about sharing passwords between other sites, because I literally don't care about the security of those accounts.

That being said, sites are increasingly instituting arbitrary restrictions that are intended to make things more secure.  This means I need variations of my common passwords for every permutation of rules, and then variations of those for when I'm required to change them.  Having to try all these permutations has finally made me break down and start using a password manager.

It's probably no surprise I didn't just go with LastPass, and not only because of my general aversion to the most popular choices, but also because I've heard the company that owns them is shady.

Password Manager

There are a lot of password managers, but if you're looking for open source, and managing your own password file, the clear choice is KeePass.  However, as is an open source tradition, you can't just go with KeePass; you have to follow the forks, to find the version that is currently up to date and being maintained.  That version is KeePassXC.

If you go with KeePassXC you'll have a client on every device you want to use it with.  Then you'll have a password file, which is the encrypted file holding all your passwords.  In theory, if your master password for that file is long and secure you won't need to worry about keeping that file too safe (don't post it publicly).  I'd recommend getting to at least "centuries" on the 10k guesses/second tier of zxcvbn (its "offline, slow hash" scenario).
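As an added illustration of what that bar means (this is not code from the post or from zxcvbn itself), the script below estimates the expected number of guesses for a uniformly random password or a diceware-style passphrase and maps it onto the four guess rates zxcvbn uses for its crack-time tiers. The keyspace arithmetic is an upper bound that only holds for genuinely random secrets; zxcvbn's real strength comes from its pattern matching, which is why a dictionary word such as "password" scores far better here than it would in zxcvbn. The word-list size of 7776 is the standard diceware list; the symbol count of 33 is an assumption covering printable ASCII punctuation.

```python
# Added example: keyspace-based crack-time estimate in the style of zxcvbn's tiers.
# Guess rates behind zxcvbn's four crack-time scenarios (guesses per second).
TIERS = {
    "online throttled (100/hour)": 100 / 3600,
    "online unthrottled (10/s)": 10.0,
    "offline slow hash (10k/s)": 1e4,
    "offline fast hash (1e10/s)": 1e10,
}

MINUTE, HOUR, DAY = 60, 3600, 86400
MONTH, YEAR, CENTURY = 31 * DAY, 365 * DAY, 100 * 365 * DAY


def charset_size(password: str) -> int:
    """Size of the smallest obvious alphabet covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # assumed: printable ASCII punctuation
    return size


def guesses_random_chars(password: str) -> float:
    """Expected guesses (half the keyspace) for a uniformly random password."""
    return charset_size(password) ** len(password) / 2


def guesses_passphrase(n_words: int, wordlist_size: int = 7776) -> float:
    """Expected guesses for n words drawn uniformly from a diceware-style list."""
    return wordlist_size ** n_words / 2


def describe(seconds: float) -> str:
    """Coarse labels approximating zxcvbn's crack-time display."""
    if seconds < 1:
        return "less than a second"
    if seconds < MINUTE:
        return "seconds"
    if seconds < HOUR:
        return "minutes"
    if seconds < DAY:
        return "hours"
    if seconds < MONTH:
        return "days"
    if seconds < YEAR:
        return "months"
    if seconds < CENTURY:
        return "years"
    return "centuries"


def crack_times(guesses: float) -> dict:
    """Crack-time label for every tier, given an expected guess count."""
    return {tier: describe(guesses / rate) for tier, rate in TIERS.items()}


def meets_bar(guesses: float, tier: str = "offline slow hash (10k/s)") -> bool:
    """The post's recommendation: 'centuries' on the 10k/s tier."""
    return crack_times(guesses)[tier] == "centuries"


if __name__ == "__main__":
    for label, g in [
        ("8 random lowercase letters", guesses_random_chars("qwertyui")),
        ("4 diceware words", guesses_passphrase(4)),
        ("6 diceware words", guesses_passphrase(6)),
    ]:
        print(label, crack_times(g), "meets bar:", meets_bar(g))
```

Running it shows that four diceware words already reach "centuries" at 10k/s but only "days" against a fast, unsalted hash, while six words clear every tier; that gap is why the choice of tier matters when you set your own bar.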

You can also use a keyfile, which is a random file you'll need in addition to a master password to decrypt your password file.  This adds some security, but keep in mind that if someone gains access to a device with your password file, they also probably gain access to the keyfile.  It mainly helps if you are worried about your password file getting intercepted during syncing between devices (you wouldn't sync the keyfile, you'd move it manually to new devices).

Syncing the Password File

This felt like it was going to be the hardest part, but it turned out to be the easiest.  Certainly, the biggest convenience of LastPass is that someone else manages the password file for you.  A lot of people use Dropbox to sync the KeePass file, and I was ok with this (as the file is encrypted so you aren't really trusting Dropbox with anything), but I hate the idea of installing Dropbox's bloated, always running, client on every device.

Luckily I found Syncthing, which is essentially an open source, BitTorrent-style version of Dropbox.  You install it on all your machines, point it at the folder you want to share, and it keeps it synced.  My biggest issue was having to enable discovery on every device so that they would also share the list of devices they are sharing with.  This makes sense to have turned off if you were sharing with other people, but if you're only using it in a closed personal ecosystem it's much easier to have it enabled.

I was slightly worried about the password file becoming out of sync, getting written to by two different computers and getting corrupted.  But my mild stress tests have been unable to make this happen.  I've been using this setup for half a year now without issue, so I'm comfortable recommending it.  That being said, Syncthing does allow you to maintain history files (where it keeps the last few versions of the file every time it overwrites it), and I still have that enabled on my PC.

Browser Integration

KeePassXC uses a protocol called KeePassHTTP to share passwords externally.  This basically just sets up a server and allows HTTP requests for your passwords.  This is risky because there could be external requests.  KeePassXC only allows localhost requests, which should mitigate that risk.  If you're still worried you can disable that and use Auto-Type, where you place the cursor in any text field and it types the password into that field.
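If you want to confirm the "localhost only" property for yourself rather than trust it, the check is to look at what the listener is actually bound to. The following is an added example, not part of the post or of KeePassXC: it parses the output of `ss -ltn` (the constructed sample below stands in for a real capture) and flags any socket on the password manager's port that is bound to something other than a loopback address. Port 19455 is assumed to be the KeePassHTTP listener; substitute whatever your client reports.

```python
# Added example: flag listeners on the password-manager port that are not loopback-only.
import ipaddress

# Constructed sample of `ss -ltn` output, not a real capture. The last line is the
# misconfiguration we want to catch: the same port bound on all interfaces.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:19455     0.0.0.0:*
LISTEN 0      128    [::1]:19455         [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    *:19455             *:*
"""

ASSUMED_KEEPASSHTTP_PORT = 19455  # assumption; check your client's settings


def split_addr_port(field: str):
    """Split 'host:port' as printed by ss, handling bracketed IPv6 and '*'."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port != "*" else None)


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 or ::1; wildcards and hostnames count as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_listeners(text: str):
    """Return (host, port) for every LISTEN row, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        listeners.append(split_addr_port(parts[3]))
    return listeners


def exposed_listeners(text: str, port: int):
    """Listeners on `port` that are reachable from outside the host."""
    return [(h, p) for h, p in parse_listeners(text) if p == port and not is_loopback(h)]


if __name__ == "__main__":
    bad = exposed_listeners(SAMPLE_SS_OUTPUT, ASSUMED_KEEPASSHTTP_PORT)
    print("exposed:", bad if bad else "none (loopback only)")
```

On a live system, feed it `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`; if the result is anything other than an empty list, the "localhost only" assumption no longer holds and the integration should be disabled or firewalled.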

Just searching for "KeePassXC Firefox" or Chrome shows the extensions for either.  I've been happy with both of those, although they do feel like the weakest link.

On Android the app Keepass2Android works well.  If you search for the site in the app, it then gives you another keyboard to choose from which only has two buttons, "User" and "Pass".  Pressing those fills in that info for the site you have selected.

The closest thing to a problem on the phone is that it takes a few seconds to unlock the file.  This is important, though: it should take at least half a second to unlock your password file on a fast PC.  If you make it faster to open, it'll be easier to brute force.
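The half-second figure is a tuning knob, not a fixed cost: the key-derivation work factor is raised until one unlock takes as long as you are willing to wait, and every attacker guess then pays the same price. The script below is an added example, not code from the post or from KeePassXC, and uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for the AES-KDF or Argon2 that KeePass databases actually use; the calibration logic (measure a probe, scale linearly to the target) is the same idea KeePass clients offer as a benchmark button in the database settings.

```python
# Added example: calibrate a KDF work factor to a target unlock time and show
# what that buys against brute force. PBKDF2 is a stand-in for KeePass's KDFs.
import hashlib
import os
import time

YEAR_SECONDS = 365 * 86400


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """One 'unlock': stretch the master password into a 32-byte file key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def time_one_unlock(iterations: int, salt: bytes = b"\x00" * 16) -> float:
    """Wall-clock seconds for a single derivation with this work factor."""
    t0 = time.perf_counter()
    derive_key("calibration-only", salt, iterations)
    return time.perf_counter() - t0


def calibrate(target_seconds: float = 0.5, probe_iterations: int = 50_000) -> int:
    """Pick an iteration count so one unlock takes about target_seconds here.

    PBKDF2 cost is linear in iterations, so a short probe scales directly.
    The best of three probes damps scheduler noise; the floor keeps a
    pathological measurement from ever producing a trivial count.
    """
    elapsed = min(time_one_unlock(probe_iterations) for _ in range(3))
    return max(1_000, int(probe_iterations * target_seconds / elapsed))


def brute_force_years(expected_guesses: float, seconds_per_unlock: float,
                      parallelism: int = 1) -> float:
    """Years to exhaust expected_guesses when each costs seconds_per_unlock,
    spread across `parallelism` independent workers."""
    return expected_guesses * seconds_per_unlock / parallelism / YEAR_SECONDS


if __name__ == "__main__":
    iterations = calibrate(0.5)
    salt = os.urandom(16)  # a real database stores its own random salt
    print(f"{iterations} iterations -> {time_one_unlock(iterations, salt):.2f}s per unlock")
    # Same guess budget, two unlock costs: the attacker's wall clock scales with yours.
    for cost in (0.01, 0.5):
        print(f"1e9 guesses at {cost}s each, 100 workers: "
              f"{brute_force_years(1e9, cost, 100):.1f} years")
```

The ratio is the whole point: moving the unlock from 10 ms to 500 ms multiplies the attacker's cost by fifty for the same password, which is the trade the post is making when it accepts a few seconds on the phone.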