Password Manager Primer
I want to focus this article on the "whats" and "hows", so I will leave most of the "whys" to the first half of this New York Times article.
Introduction
A password manager is little more than a piece of software that provides a user interface over an encrypted database file, allowing you to add, edit, delete, organize, browse, search, and use records that consist primarily of login credentials. The database is encrypted with one or more strong cryptographic algorithms under an "access key". That access key is usually a master password, optionally combined with a key file (a good practice, since the key file adds secret material that a guessed password alone does not reveal).
Password managers enhance your online security in many ways, but two of the most important ones are:
1. The use of long and random passwords
2. That are not shared between systems
The advantage of #1 is that long and random passwords are hard to "crack". The advantage of #2 is that you contain the damage if and when a password is cracked or (more likely) stolen from one of the sites that you use or captured by a successful phishing attack. For example, if your LinkedIn password is the same as your online banking password, a breach of your LinkedIn account can compromise your finances.
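The two properties above are easy to see in code. The following is an added example written for this article (it is not code from the post, from kpcli, or from any KeePass project): it generates a long uniformly random password with the operating system's CSPRNG, computes how many bits of entropy such a password carries, and scans a set of stored records for passwords reused across sites, which is exactly the LinkedIn-versus-bank situation described. The records in `SAMPLE_ENTRIES` are constructed for the demonstration and are not real credentials.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Alphabet a password generator typically draws from: 52 letters, 10 digits, 32 punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random using the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`, which is seeded predictably
    and is not suitable for generating secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(entries: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group stored records that share a password.

    `entries` holds (site, username, password) tuples, the shape of a password manager
    record. Returns {password: [sites...]} for each password used by more than one site:
    a breach or phishing of any one of those sites exposes all of the others.
    """
    by_password: Dict[str, List[str]] = defaultdict(list)
    for site, _username, password in entries:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample records (not real credentials): one password reused on two sites,
# one unique generated password.
SAMPLE_ENTRIES = [
    ("linkedin.example", "alice", "Summer2021!"),
    ("bank.example", "alice", "Summer2021!"),
    ("mail.example", "alice", generate_password()),
]

if __name__ == "__main__":
    pw = generate_password(24)
    print(f"generated: {pw} ({entropy_bits(24):.0f} bits of entropy)")
    for shared, sites in find_reused_passwords(SAMPLE_ENTRIES).items():
        print(f"password {shared!r} is reused across: {', '.join(sites)}")
```

A 24-character password over this 94-symbol alphabet carries about 157 bits of entropy, far beyond what offline cracking can reach; the reuse check is the kind of audit that KeePassXC and similar programs run over a database to flag shared passwords.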
Choosing a Password Manager
There are many good password manager options and the one that you choose is less important than that you use one. I would avoid “cloud-based” ones because I don’t want the associated third-party risk, but even those likely lower your risks far more than not using a password manager at all.
I have been using a password manager for a very long time and, as of this writing, my password manager database has 1,782 entries. I started with the Ked Password Manager and used it for many years. In late 2010, after buying my first Android smartphone, I moved to the KeePass file format and began using KeePassX and my own kpcli, which I wrote because there was no "kedpm -c" style CLI interface for KeePass files. I still use those programs today, and on my phones/tablets I use KeePassDroid and KeePassium.
Having written kpcli and studied the KeePass file format(s) for more than a decade now, I am very comfortable with storing my private information within those encrypted files. Because I have used it for so long, I am very accustomed to the KeePassX user interface and prefer to stick with it, but KeePassXC is newer, under much more active development, and available for Linux, macOS and Microsoft Windows. For someone starting today, KeePassXC is probably the best choice, followed by KeePass if you only care about Microsoft Windows support.
As I wrote this article, I watched several YouTube videos on the topic of choosing a password manager and I found this one to be entertaining and informative: Just use KeePass.
Choosing a Master Password
Rather than me rehashing the concepts, please read this article: https://blogs.iuvotech.com/pssw0rd-correct-horse-battery-staple
Adding a key file to a strong master password is also a good idea: the database can then only be opened by someone who has both the passphrase and the file.
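To make the "access key" from the introduction and the key-file advice concrete, here is an added example (written for this article; it is not code from the post, from kpcli, or from any KeePass program, and it does not reproduce any KeePass file format byte for byte). It hashes the master passphrase and the key file separately, hashes their concatenation into one composite key, stretches that with PBKDF2 and a random salt, and stores only a salt plus an HMAC tag so the program can tell a wrong passphrase or wrong key file from a corrupt database without ever storing the key. The iteration count and the key file contents are constructed values for the demonstration; real programs use far higher work factors (or memory-hard KDFs) and a randomly generated key file.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed work factor for the demonstration; real password managers use a much
# larger value or a memory-hard KDF such as Argon2.
PBKDF2_ITERATIONS = 100_000

# Constructed stand-in for a key file's contents (a real one holds random bytes).
CONSTRUCTED_KEY_FILE = b"constructed key file contents - not a real key file"


def composite_key(master_password: str, key_file_bytes: Optional[bytes] = None) -> bytes:
    """Combine the master password and optional key file into one 32-byte secret.

    Each component is hashed on its own and the concatenation hashed again, so a
    missing or wrong key file produces an entirely different composite key.
    """
    parts = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        parts += hashlib.sha256(key_file_bytes).digest()
    return hashlib.sha256(parts).digest()


def derive_database_key(composite: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the composite key with PBKDF2-HMAC-SHA256 under a per-database salt."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def make_header(master_password: str, key_file_bytes: Optional[bytes] = None) -> Dict[str, bytes]:
    """Produce what a new database would store to allow later unlocking: salt + HMAC tag."""
    salt = os.urandom(16)
    key = derive_database_key(composite_key(master_password, key_file_bytes), salt)
    tag = hmac.new(key, salt, "sha256").digest()
    return {"salt": salt, "tag": tag}


def unlock(header: Dict[str, bytes], master_password: str,
           key_file_bytes: Optional[bytes] = None) -> Optional[bytes]:
    """Return the database key if passphrase and key file are correct, otherwise None."""
    key = derive_database_key(composite_key(master_password, key_file_bytes), header["salt"])
    expected = hmac.new(key, header["salt"], "sha256").digest()
    # compare_digest avoids leaking how many tag bytes matched through timing.
    return key if hmac.compare_digest(expected, header["tag"]) else None


if __name__ == "__main__":
    passphrase = "correct horse battery staple"   # the style of passphrase the linked article recommends
    header = make_header(passphrase, CONSTRUCTED_KEY_FILE)
    print("passphrase + key file:", unlock(header, passphrase, CONSTRUCTED_KEY_FILE) is not None)
    print("passphrase only:      ", unlock(header, passphrase) is not None)
    print("wrong passphrase:     ", unlock(header, "wrong passphrase", CONSTRUCTED_KEY_FILE) is not None)
```

Only the first case unlocks: with a key file in use, the passphrase alone is not enough, which is the property that makes the key file worth adding. The key file must of course be kept somewhere separate from the passphrase and, ideally, not alongside the database in the same cloud folder.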
Synchronizing Across Devices
Personally, I only make edits to the KeePass file on my home Linux workstation, and that workstation syncs the file to my personal Google Drive and to my Microsoft OneDrive. My phone and tablet then routinely sync those copies down to local storage, so I have access even when I have no mobile data. I use FolderSync for that.
Getting Started and How To Videos
This is a somewhat random collection of YouTube videos that I pulled together…
- Secure Password Management with KeePass on Any Device
- How To Setup KeePass & Sync Across All Devices
- The ULTIMATE Guide to KeePass
- Complete Guide: KeePassXC
- Introduction to KeePassXC
- Using a password manager // What everybody should know about using KeePassXC
- The Password Manager Security Experts Use