It’s not uncommon nowadays to have to manage multiple logins to such places as shopping sites, banks or social media. So most of us resort to a variation of one of two strategies – using the same (or similar) passwords across multiple sites, or using a password manager to create unique (and hopefully complex) passwords for each site or account. It is this latter approach that I want to discuss here for those fellow paranoids like myself.
Having to manage access to multiple vendor sites as part of my work and also to a good extent for personal use, I’ve tried out a few of the password managers out there over the years. Most folks have heard of some of the major players in this field such as 1Password, Dashlane, KeePass Password Safe and LastPass. They all perform equally well at storing and encrypting one’s passwords, so, for the most part, deciding which one to use comes down to a combination of the feature set and price offered by each vendor.
Now, to be clear, each password manager listed above offers a free option which I found to be quite sufficient for such basic tasks as generating unique and complex passwords, encrypting and storing them in the cloud and filling in login pages with your credentials; the one exception is KeePass Password Safe, which is completely free. What I always found somewhat concerning was the fact that all my passwords were stored in one of these vendors’ cloud databases. So I had to rely on their security practices to keep my password data safe and away from prying eyes or malicious parties.
And this is where KeePass comes in.
KeePass Password Safe
Before getting into the specifics of how I use KeePass Password Safe to store and share credentials across devices, I wanted to provide a bit of background on this application. Out of the other solutions mentioned above (1Password, Dashlane, KeePass and LastPass), KeePass is the only completely free password manager (why pay if you don’t have to, right?) and also is open source (OSI certified). I like the quote they have on their website from Bruce Schneier:
“As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It’s true for cryptographic algorithms, security protocols, and security source code. For us, open source isn’t just a business model; it’s smart engineering practice.”
Bruce Schneier, Crypto-Gram 1999-09-15
So if you are anything like me and are concerned about your password data being stored in somebody else’s cloud, then the following solution might appeal to your heightened sense of security. Why the concern? After all, a cloud-based password manager is easily shared across devices and platforms, and the database is backed up in the vendor’s cloud space. Well, let’s put on our hacker’s hat and think like one of them: someone always on the lookout for a potential score of people’s credentials, which could literally be the “keys to the kingdom” when it comes to personal, medical and financial data. This brings to mind an old story of a bank robber who was asked why he robbed banks. His reply – “well, that’s where the money is!”
So if you are a hacker trying to score a huge load of passwords, your natural targets would most likely be cloud-based providers whose business it is to store password data accessible from the Internet. I am not saying that these services like Dashlane or LastPass are easy pickings for crooks, but they sort of have a target painted on their back for these sorts of attacks. You might recall from a few years back (2015) a data breach suffered by LastPass. And that was the second time they were hit (the first was in 2011). There were others like OneLogin, so these concerns about cloud-based password managers are not without precedent.
So is it possible to have our cake and eat it too? There is always a trade-off between security and convenience. While using an online password manager is convenient, a locally stored and controlled password database is more secure for the simple reason that, unless one of the security agencies is after you, your data is far less likely to be targeted than an online password vendor’s. The trade-off, in this case, is the convenience you give up in being able to easily share your passwords across devices.
I do not by any means claim to have come up with this idea, as I learned it from one of many online security sources (can’t recall which one). What I can tell you is that I do sleep better at night using this solution, as it adds an extra layer of protection (and control) compared to using a cloud-only password manager. Did I mention that I am also able to share my passwords across devices?
So you start off with KeePass Password Safe (see link above) as your password manager. It creates a locally stored database, which it encrypts with either the Advanced Encryption Standard (AES, Rijndael) or the Twofish algorithm. The database consists of only one file, so it can be easily transferred from one computer to another. So, at this point, you have the security aspect of your password manager covered, but remember, we also want the convenience of being able to share our passwords across devices! Manually moving the database file from device to device is not very convenient, and keeping changes in sync can quickly get out of control if you edit the database on each device.
Fortunately, KeePass is quite extensible by virtue of its plugin architecture, which significantly expands the program’s functionality. The list of available plugins is quite extensive and can be found here. They span categories such as Backup & Synchronization & IO, Integration & Transfer, Utilities and Import.
Here we will be focusing on the Backup & Synchronization & IO category of plugins, which enable KeePass to access various cloud storage providers such as AWS, Box, Dropbox, Google Drive, HiDrive, hubiC or OneDrive, among others. I am using OneDrive, so that will serve as the example for synchronizing the KeePass database and making it accessible to other devices. For this purpose, the plugin I am using is KeePassOneDriveSync. Once installed, the plugin’s configuration options are fairly straightforward.
In this configuration window, you can right-click on an entry to get a context menu with options for that specific KeePass database.
With the above setup, which is not limited to OneDrive, one can have a centralized password database made accessible by storing it in the cloud, but outside the password manager vendor’s cloud. There are two additional benefits to this approach. First, in addition to storing your password database with an online storage provider, you also have a local copy in case the online version is inaccessible for whatever reason. Second, even though online password manager providers only have access to your encrypted data, which is useless without the master key, I still feel better not having to worry about an insider threat or a potential breach, because these vendors are such attractive targets. Furthermore, I don’t have to worry about Microsoft (in the case of OneDrive) or another cloud storage outfit scanning and accessing my data.
Ultimately, this is a very personal choice, as everyone has a different approach to securing their passwords in terms of how paranoid they are or the practicality of their chosen method. I wanted to share what works quite well for me, since it provides sufficient security along with the ability to use my passwords pretty much anywhere, such as on a home PC, work PC or a mobile device. Please feel free to chime in with your comments below!