Managing my passwords with KeePassXC
The benefits of using a password manager have been enumerated plenty of times,1 but here’s the basics again (to save you some clicks):
- If you use one password for everything, you’re Doing it Wrong.
- If you use an easy-to-remember password, you’re Doing it Wrong.
- If you’re carrying around a little book or file with all your hard-to-remember passwords in it, sorry, but you’re Doing it Wrong.
To Do it Right, you need a password manager. I’ve been using KeePassXC for about a year now to manage my passwords, along with a portable install of KeePass and KeePass2Android on my phone. When I first started shopping for a password manager, I looked for one that was secure, able to be used on all my devices, and was relatively easy to use. KeePass and friends have been all three of these.
There are other options for password management, such as Firefox Sync, Google Passwords, or LastPass, BitWarden, or any number of other third-party services or programs. I chose KeePass because it’s open-source,2 has a lot of ports and implementations of its format, and keeps my data with me. The other options I’ve listed will store your database on their servers, meaning you have to trust them to keep your data safe. I’d rather trust me with all my passwords.
KeePass took a little setting-up to be able to use it properly, and some of the steps were a little advanced, but it was well worth it down the line. Here’s what I did to set up my password management.
1. KeePassXC at home
First, I installed KeePassXC on my computer with a
sudo pacman -S keepassxc. 3
After that came the most time-consuming part of this process came: I transferred all my passwords to the KeePass database. It took quite a while, and it took even longer because I generated new passwords for each site using KeePassXC’s password generator. I put them all in a file called, boringly enough,
2. KeePass2Android on the phone
The next step was installing KeePass2Android. You can get it from the Google Play Store.5
On the first screen, you’ll be able to open a file, and you can pick from where. I used the Dropbox (KP2A folder) option. That made KeePass2Android create a folder in my Dropbox,
Apps/KeePass2Android, where my passwords files live. If you want to make it easy on yourself I’d recommend creating the folder on your computer and moving your database into the folder, so that you can just select it when you’re setting up KeePass2Android.
After that, you’ll need to input your password and point to your key file, if you use one (and I use one). I had to manually copy the keyfile over to my phone using Syncthing, though if I do it again I’ll probably use adb.
Regardless, once you have everything set up you can use KeePass2Android by opening copying and pasting passwords, or by setting up Autofill (for Android 8+).
KeePass Portable at work
I’m lucky in that my workplace allows arbitrary executables to run, as long as they don’t require Admin permissions (my other job does not allow this, and I’m stuck typing passwords from my phone). This was probably the most complicated to set up, in that I needed to download and place correctly an extension to the KeePass executable.
First, download KeePass Portable from their website and place it where you want. I put it on my work computer’s hard drive, but you could put it on a thumb drive as well. 6
To let KeePass find the database in my Dropbox folder, I use KeeAnywhere, an addon that leverages KeePass’s own ability to use networked databases to enable compatibility with popular cloud hosting providers. I chose to use the Dropbox provider, which has access to my entire Dropbox, since my password database is in
To install KeeAnywhere, just download it and extract the file to the Plugins folder in your KeePass installation.
KeeAnywhere is fairly simple to set up: you just need to sign in to Dropbox (which I did by typing in my secure password by hand from KeePass2Android on my phone) and allow access to KeeAnywhere. After that, it’ll save and load the database from Dropbox like it was a normal file.
KeePass also has a lot more options than KeePassXC, so I change some things there to make it safer and easier to use.
After I have everything set up, this system is a breeze to use. There are a few pain points to navigate but I think it’s a price well worth the value of having safe passwords.
KeePassXC and KeePass: the computers
Both KeePass and KeePassXC are fairly similar: Navigate to a webpage, hit the system-wide keyboard shortcut (the default is
Ctrl-Alt-A), and the program will try to find your login information. You can configure both programs on what to do if none is found. I have them pop up a search bar to try and find the password (KeePass uses an extension for that), but there are other options as well.
KeePass2Android: the phone
I use Android 8’s Autofill feature to easily fill in my passwords. I open, say, my banking app, long-press on the Username field, and click “Autofill” on the pop-up. If the app name is already saved in the KeePass database it’ll automatically fill it in, and if it isn’t it’s easy to find the entry and save the database. Every so often I have to manually sync the database, but it works without thinking 99% of the time.
If Autofill doesn’t work, KeePass2Android also ships with a keyboard that can auto-fill passwords based on app or website visited. For typing, it’s a pretty clunky keyboard, but there’s an option to auto-switch back to the default keyboard after a password is filled, which is okay.
Obviously, this system trades convenience for safety. Some of the frictions I’ve come up against are as follows:
- Finding and remembering all my logins, then changing them, took quite a while in the initial setup stage.
- Transferring the key file between devices, while keeping it off the Internet at large, proved a little complicated.
- I have to type a keyboard accelerator to fill in my passwords. When I used Firefox Sync, the login would be pre-filled on the page when I loaded it. If this is a deal breaker for you, there are add-ons for Firefox and Chrome that have this functionality.
- If I’m somewhere where I can’t use KeePass, such as my other job (where I can’t execute arbitrary binaries8), I have to open KeePass2Android on my phone and manually type in the long, complicated password on the computer I’m using. Apparently, there is an add-on to KeePass2Android that will act as a keyboard to type it for you, but it requires another app that requires a patched Android kernel which isn’t supported for my phone. Plus it seems like a lot of extra work for not much of a benefit.
For me, none of these costs outweigh the benefit of using a password manager like KeePass. I used to use pass, which is also good, but it was a little more of a pain to use so I switched.
I use a two-factored approach to my security with these programs: I use a long password to secure my database, and I also use a keyfile. A keyfile is just a file that KeePass and friends can use to encrypt your database, along with a password. I have a file that only exists on my phone, my USB drive, and an SD card, that makes it easy to restrict access to my account in case of device theft. If any of my devices got stolen or compromised, I can easily and quickly generate a new master key on my database with a new keyfile to restrict access from my compromised devices. It makes me feel better, anyway.
Another note on security: as I was writing this, I read this article about the relative safety of using password managers.9 It’s not great news, and I really hope that KeePass’s developers work to rectify the issue soon. I also hope that the other programs’ developers make sure they don’t have the problems listed within the article, namely the memory exposure.
This is how I use password management to keep my digital life safe, while still being easy-to-use. KeePass’s website has a lot more programs, apps, and extensions that interoperate with its database, so it should be easy to find a workflow for you.
These were all found on the first page of a DuckDuckGo search, by the way. The benefits are, seriously, numerous. There’s literally no one saying you shouldn’t use one, not even anti-vaxxers.↩︎
To be fair, BitWarden is also open-source, and there are options to self-host the software if you want to do that and know how. I don’t want to bother self-hosting software, and besides, I don’t have a server.↩︎
BTW, I use Arch (actually Manjaro, but who’s counting?)↩︎
If you’re following along at home, it doesn’t matter right now where you save the file. You’ll move it later when you install KeePass2Android on your phone.↩︎
Ideally, it’d be available from F-Droid, but there are others from there that I might check out later.↩︎
As I write this, I’m actually thinking it’d be a good idea to put all of my portable apps on a thumb drive I keep at work, just to make it a little harder for an attacker to get my info.↩︎
When I get home, I’m going to see if I can symbolically link the password database from one folder to another, so that I can use two separate folders and further secure my files.↩︎
Arguably, this is a much better security practice, but I’ll take what I can get from my employer.↩︎
KeePassXC has since come out with their own article responding to the ISE study.↩︎