Keeping Passwords Safe With KeePassXC

2021-10-25

If you’re like most people, you might distrust password managers or you might think of them as a necessary evil. After all, nobody can remember dozens or even hundreds of passwords, but on the other hand nobody likes entrusting sensitive information to a third party. And that’s already where most people get it wrong.

Password managers, including the ones built into your browser, do not hand your passwords to a third party in the clear. That would be pitifully inadequate. Instead they encrypt the password store with a strong cipher, typically AES with a 256-bit key, before anything leaves the device, for example to a cloud sync location. AES-256 is not the weak point: brute-forcing a random 256-bit key is infeasible. What matters is the key, which is derived from a secret that you or the vendor choose, so the data is only as safe as that secret and the way the key is derived from it.


Can you trust browsers to keep your passwords safe, then? In principle yes, but the answer depends on how you use your browser. Any password manager is much better than reusing passwords or picking weak ones for the sake of convenience; those practices are intrinsically insecure. A password manager lets you generate and store an arbitrary number of strong, unique passwords, and it very likely beats the "black book" paper equivalent kept in a locked drawer.

However, the typical browser password manager has weaknesses. First and foremost, there is often no master password gating access to the stored credentials. Firefox offers one as an option (its "primary password"), and lately so does Microsoft's Edge, but Chrome lacks the feature entirely. This means that anyone with access to your browser profile or to your online account also has access to all of your passwords, since they are unlocked by default. Even without that access, the key that unlocks the local password store is itself kept on your computer, protected only by your operating-system login (Chrome on Windows, for example, relies on DPAPI, which any process running as your user can call). It can be extracted by anyone with the requisite technical knowledge and physical access to your device, or by malware running under your account.

Now think about the scenario where all of these passwords are synced to your mobile devices. Is every one of those devices protected adequately, with a screen lock and storage encryption?

Standalone password managers such as KeePass, Bitwarden and Enpass offer better security at no cost beyond the inconvenience of installation and configuration. Take KeePassXC, for example, which is free, open source and available for all major operating systems. KeePassXC and its .NET-based cousin KeePass give you complete control over where the encrypted database file is stored. They also let you decide how the database is unlocked: a master password alone, a key file, a hardware token such as a YubiKey (KeePassXC supports its challenge-response mode), or any combination of these as a form of multi-factor authentication.
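To see what actually protects that database file, here is an added example (my own code, not KeePassXC's or KeePass's) that reads the plaintext outer header of a KDBX 4 database and reports the cipher, the key derivation function and its cost parameters, which are exactly the values the strength of your master password is measured against. The header layout and the cipher and KDF identifiers follow the published KDBX 4 format; the sample header is constructed inside the script so that it runs offline, and the warning thresholds are my own rules of thumb rather than project guidance.

```python
"""Inspect the plaintext outer header of a KDBX 4 database (added example, not
KeePassXC/KeePass code). Field IDs, UUIDs and the VariantDictionary layout follow
the published KDBX 4 format; the sample header below is constructed so that the
script runs offline and contains no real secrets or encrypted payload."""
import struct
import sys
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67  # KDBX magic numbers
CIPHERS = {uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
           uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20"}
KDFS = {uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
        uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
        uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id"}
H_END, H_CIPHER, H_COMPRESSION, H_MASTER_SEED, H_IV, H_KDF = 0, 2, 3, 4, 7, 11  # header field IDs
VD_U32, VD_U64, VD_BOOL, VD_I32, VD_I64, VD_STR, VD_BYTES = 4, 5, 8, 12, 13, 24, 66  # value types
VD_INT_FMT = {VD_U32: "<I", VD_U64: "<Q", VD_I32: "<i", VD_I64: "<q"}


def parse_variant_dict(data: bytes) -> dict:
    """Decode a VariantDictionary: u16 version, (type, name, value) items, 0x00 terminator."""
    if struct.unpack_from("<H", data, 0)[0] & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while data[pos] != 0:
        vtype, nlen = struct.unpack_from("<BI", data, pos)
        name = data[pos + 5:pos + 5 + nlen].decode("utf-8")
        pos += 5 + nlen
        vlen = struct.unpack_from("<I", data, pos)[0]
        raw = data[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype in VD_INT_FMT:
            out[name] = struct.unpack(VD_INT_FMT[vtype], raw)[0]
        elif vtype == VD_BOOL:
            out[name] = raw != b"\x00"
        elif vtype == VD_STR:
            out[name] = raw.decode("utf-8")
        elif vtype == VD_BYTES:
            out[name] = raw
        else:
            raise ValueError(f"unknown variant type {vtype:#x}")
    return out


def parse_kdbx_header(blob: bytes) -> dict:
    """Return version, cipher, KDF and its cost settings; reject anything that is not KDBX 4."""
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    major, minor = version >> 16, version & 0xFFFF
    if major != 4:
        raise ValueError(f"this parser handles KDBX 4 only (file is {major}.{minor})")
    pos, fields = 12, {}
    while True:  # each field: 1-byte ID, 4-byte little-endian size, data
        fid, size = struct.unpack_from("<BI", blob, pos)
        fields[fid] = blob[pos + 5:pos + 5 + size]
        pos += 5 + size
        if fid == H_END:
            break
    kdf = parse_variant_dict(fields[H_KDF])
    kdf_name = KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")
    info = {"version": f"{major}.{minor}", "kdf": kdf_name, "header_size": pos,
            "cipher": CIPHERS.get(uuid.UUID(bytes=fields[H_CIPHER]), "unknown")}
    if kdf_name.startswith("Argon2"):  # "M" is stored in bytes
        info.update(memory_mib=kdf["M"] // (1024 * 1024), iterations=kdf["I"], parallelism=kdf["P"])
    elif kdf_name == "AES-KDF":
        info["rounds"] = kdf["R"]
    return info


def warnings_for(info: dict) -> list:
    """My rules of thumb (not project guidance) for settings that keep offline guessing cheap."""
    out = []
    if info["kdf"] == "AES-KDF":
        out.append("AES-KDF is not memory-hard; Argon2 makes GPU-based guessing far more expensive")
    if info["kdf"].startswith("Argon2") and info["memory_mib"] < 64:
        out.append(f"Argon2 memory {info['memory_mib']} MiB is below KeePassXC's 64 MiB default")
    return out


def _field(fid: int, data: bytes) -> bytes:
    return struct.pack("<BI", fid, len(data)) + data


def _variant_dict(items) -> bytes:
    body = b"".join(struct.pack("<BI", t, len(n)) + n.encode() + struct.pack("<I", len(v)) + v
                    for t, n, v in items)
    return struct.pack("<H", 0x0100) + body + b"\x00"


def sample_header() -> bytes:
    """Constructed KDBX 4.0 header: AES-256-CBC, Argon2d with 64 MiB, 10 iterations, 2 lanes."""
    kdf = _variant_dict([(VD_BYTES, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes),
                         (VD_BYTES, "S", bytes(32)), (VD_U32, "P", struct.pack("<I", 2)),
                         (VD_U64, "M", struct.pack("<Q", 64 * 1024 * 1024)),
                         (VD_U64, "I", struct.pack("<Q", 10)), (VD_U32, "V", struct.pack("<I", 0x13))])
    return (struct.pack("<III", SIG1, SIG2, 0x00040000)
            + _field(H_CIPHER, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)
            + _field(H_COMPRESSION, struct.pack("<I", 1)) + _field(H_MASTER_SEED, bytes(32))
            + _field(H_IV, bytes(16)) + _field(H_KDF, kdf) + _field(H_END, b"\r\n\r\n"))


if __name__ == "__main__":  # optionally pass a real .kdbx path; only its header is read
    info = parse_kdbx_header(open(sys.argv[1], "rb").read(4096) if len(sys.argv) > 1 else sample_header())
    print(info, *["warning: " + w for w in warnings_for(info)], sep="\n")
```

Run it with the path of a real .kdbx file to inspect that database; without arguments it parses the constructed sample. Nothing here decrypts anything: the outer header is stored in the clear precisely so that a client can learn the cipher and KDF settings before deriving the key, which also means an attacker who steals the file knows exactly how expensive each guess will be.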

Obviously, with a single master password the protection is only as good as that password. Because the attacker's job is to guess it offline against a copy of the encrypted file, what counts is entropy, and a long passphrase made of randomly chosen words has more of it than a short string of symbols while being easier to remember. The key derivation function (Argon2 or the older AES-KDF in KDBX databases) makes every guess expensive, but it only multiplies the attacker's cost; it does not rescue a password with too few bits. KeePass and KeePassXC include configurable password and passphrase generators for creating new secrets when needed. Browser extensions (KeePassXC-Browser for the XC variant) autofill forms from an unlocked database. KeePass additionally offers Two-Channel Auto-Type Obfuscation, which splits the typed text between simulated keystrokes and the clipboard to frustrate simple keyloggers and clipboard sniffers, which is safer than typing passwords by hand. Auto-Type works outside the browser too, for example when logging into databases, terminals and remote machines.
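To make the passphrase-versus-password argument concrete, here is an added example (my code, not KeePassXC's) that computes the entropy of each choice, generates both kinds of secret with a CSPRNG, and works out how long exhaustive guessing would take at two assumed rates: one for a fast unsalted hash on a GPU rig and one where every guess first has to run the database's slow key derivation. The small word list and both guess rates are constructed assumptions for illustration, not measurements.

```python
"""Passphrase versus password, measured in bits, and what a slow KDF buys.

Added example, not KeePassXC code. WORDS is a small constructed stand-in for a
real diceware-style list (DICEWARE_SIZE assumes the standard 7776 words), and
the guess rates in compare() are illustrative assumptions, not measurements."""
import math
import secrets
import string

WORDS = ["apple", "bridge", "candle", "dragon", "ember", "forest", "galaxy", "harbor"]
DICEWARE_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters
SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret drawn uniformly at random: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def effective_words(words) -> int:
    """Duplicates in a word list shrink the real alphabet, so count distinct words only."""
    return len(set(words))


def passphrase_bits(words, count: int) -> float:
    return entropy_bits(effective_words(words), count)


def generate_password(length: int = 12, alphabet: str = PRINTABLE) -> str:
    """secrets, not random: the generator must be a CSPRNG or the entropy figures are fiction."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Draw from the de-duplicated list so each word really is one of effective_words() choices."""
    return sep.join(secrets.choice(sorted(set(words))) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate must be tried."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(fast_rate: float = 1e10, slow_rate: float = 1e4) -> list:
    """fast_rate: an unsalted fast hash on a GPU rig; slow_rate: each guess must run the
    database's Argon2 transform first. Both numbers are assumptions for illustration."""
    candidates = [("8 lowercase letters", entropy_bits(26, 8)),
                  ("12 random printable chars", entropy_bits(len(PRINTABLE), 12)),
                  ("6 diceware words", entropy_bits(DICEWARE_SIZE, 6))]
    return [(label, round(bits, 1), years_to_exhaust(bits, fast_rate), years_to_exhaust(bits, slow_rate))
            for label, bits in candidates]


if __name__ == "__main__":
    print("example password  :", generate_password())
    print("example passphrase:", generate_passphrase(WORDS),
          f"({passphrase_bits(WORDS, 6):.1f} bits from this toy list;"
          f" a real list gives {entropy_bits(DICEWARE_SIZE, 6):.1f})")
    for label, bits, fast, slow in compare():
        print(f"{label:26} {bits:5.1f} bits  fast hash: {fast:10.3g} y  slow KDF: {slow:10.3g} y")
```

The table it prints is the whole argument in three rows: six random diceware words carry about as many bits as twelve random printable characters, and the slow KDF shifts every row by the same factor of a million, so an eight-letter password stays cheap to guess no matter how well the database is tuned.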

On synchronisation the two cousins differ. KeePass can synchronise a database directly with a file or URL over HTTP, HTTPS or FTP, and via plugins over protocols such as SCP, SFTP or FTPS, so you can keep copies on your own server, and syncs can be triggered manually or automatically. KeePassXC has no built-in synchronisation: the database is a single file, so you sync it with whatever you already use, whether Google Drive, Dropbox, OneDrive or your own server, and when two copies diverge you merge them with Database > Merge From Database or the keepassxc-cli merge command. Bitwarden, by contrast, syncs through its own server (open source and self-hostable), and Enpass through a cloud storage account of your choice, so there is little to set up.

KeePass (the original) was audited in the European Commission's Free and Open Source Software Auditing project (EU-FOSSA 1); no security issues were found. It is recommended by the Swiss Federal Office of Information Technology, Systems and Telecommunication (FOITT/BIT), and it holds a Certification de Sécurité de Premier Niveau (CSPN) from ANSSI, the French national cybersecurity agency. Note that these assessments cover KeePass, not KeePassXC, which is a separate code base sharing only the database format.

Last but not least, KeePassXC implements the freedesktop.org Secret Service D-Bus API, so on Linux it can act as a drop-in replacement for the system keyring service such as gnome-keyring, exposing the entries of a chosen group of the database to any application that uses libsecret. This is convenient, but the Secret Service API has no per-application access control: any process on your session bus can request secrets, possibly including malware running as your user. KeePassXC can be configured to confirm each retrieval, which helps, but I am still not sure this integration can be recommended from a security point of view.