Personal Password Management
Introduction
There are many different methods for managing passwords. Ultimately, the decision comes down to usability and trust. If you’re cool with cloud solutions, you’ll have much more convenience, but just know that you’re outsourcing your secrets to a third party, and that could potentially come at a great cost. In this article, I’ll cover the (mostly) offline solution that I use in case it’s something you want to try for yourself.
It’s worth noting that I’m gonna cover more than just password/MFA management. I feel this is necessary because, as an individual, you need to understand the risks and solutions associated with the entire privacy problem as it relates to passwords/MFA.
If you’re just interested in the advice I give on password management software and strategies, skip to the relevant sections.
The Premise: Trust No One
Okay, maybe trust some stuff, but vet whatever you’re gonna trust. Keep in mind that if you’re using an offline password manager but your host OS is capturing your data, it defeats the purpose, at least against that class of threat. Even if big tech or the government have your secrets, this may not concern you because you trust them. I personally like to limit access to my data wherever possible, and that includes limiting big tech and the gov. I mainly wanted to mention this because technology is applied in layers, and if any layer is compromised, it has the potential to spy on you.
Technologies that are open source make it more difficult for vendors to hide features that will spy on you, because anyone can get access to the code base. This doesn’t mean that a vendor can’t “accidentally” push a bug in their software that leaks data and then patch it soon after like nothing happened. All I’m saying is that if the community has eyes on the code, these things are more conspicuous.
Password/MFA Environment Considerations
Hardware, Firmware, and OS
Like I said in the previous section, if any layer is compromised, you’re potentially gonna have your secrets leaked. Trustworthy hardware, and the firmware loaded into it, is probably the most difficult to come by. System76 makes some great hardware and provides open-source firmware via coreboot. Frankly, I just use a Dell laptop. Sure, it may have firmware that can spy on you, but I don’t think the gov would burn that exploit on someone strategically insignificant like me. As for the host OS, it’s easy to have much more control by selecting a Linux distribution rather than Windows. I like Debian, but others have their preferences. However, I’m aware that there’s a learning curve, so it is what it is. That said, just know that Windows seems to track basically everything you do while you’re on your computer. macOS is no better.
Phones
Unless you’re using a phone running GrapheneOS or a similar alternative, just accept that your phone will track everything you do, and spy on you without your consent. Phones by Unplugged are on the horizon, but I’m suspicious of those because they are closed-source. Pine64 has much more promising products that appear to be open, but I saw a recent demo, and it appears more development is needed before they will be ready for public release. Basically, your current options are: spend time configuring GrapheneOS on a compatible device, or just stay jacked into the matrix 24/7 with your stock iPhone, Pixel, etc. Despite my experience, I choose the latter for now, and all the security implications that entails.
Password/MFA Management
The Tool I Use
KeePassXC. Open source, and supported on Windows, macOS, and Linux. COMPLETELY OFFLINE. This tool, from what I understand, will not send your data to anyone. It is trusted by the privacy community, and has also been vouched for by privacy expert Michael Bazzell. If you run Linux, I recommend using apt to install the appropriate package, per the official KeePassXC documentation. I’m not an expert on snap or flatpak, but I’ve heard people voice security concerns about those options with Linux packages in general, so I try to avoid them in favor of .deb packages or apt when possible.
Once you’ve installed the tool, using it is pretty straightforward, and there is plenty of documentation on how to use it, so I won’t cover that here.
It should be noted that I’m covering the tool that I use. If you need something a bit more flexible, there are other options, such as Bitwarden. Do your research, and use what works best for you.
The Strategy
I like to keep two password databases, using the maximum strength encryption, which only slows down opening the databases by 5 seconds. Not too bad. The reason I have two databases is that I need one for my passwords, and the other for MFA, one-time codes, and digital copies of important documents. If the latter information were not kept separate from all your passwords, a compromise of that single database would be completely devastating.
As for whether to use passwords or passphrases to lock the databases, I leave that up to you. Same with whether to enforce MFA to access your databases using a hardware token such as a YubiKey or OnlyKey. On one hand, a hardware token would increase security; on the other, it can possibly lock you out in rare scenarios where you lose access to the hardware token along with your backup hardware token. Think of this… Something weird happens. You end up MIA for a long time. All your physical belongings are gone. All that’s left is your memory. Maybe you have a secret, free cloud account somewhere, or maybe you don’t. Let’s say you do. And let’s pretend the account doesn’t have MFA, and contains a copy of both your KeePassXC databases with portable executables or installers for the software in case KeePassXC disappears. You log in after you’ve lost everything, assuming the vendor didn’t delete your account for inactivity. You regain access to all your accounts, including the MFA tokens for everything, and maybe even digital copies of all your important documents, such as your passport and birth certificate. Just a scenario to consider.
Backups
I’ve heard of weird glitches from KeePassXC updates that have resulted in deleting/corrupting the password/MFA safes. So, it’s important to always keep at least one backup, preferably more.
Your backup solution doesn’t have to be sophisticated. You can literally copy the database files to any digital media, including USB drives, which I recommend. You want to keep these relatively up-to-date. Everyone is different, but I like weekly backups. You can create backups for different threat scenarios. For example: one for primary storage failure, one for natural disaster, etc.
In addition, there’s the whole cloud scenario I mentioned previously, which I recommend you set up. Google Drive is very reliable, and I think they’ll keep the account active for about a year or two even with inactivity. Yes, the supply chain / tech stack is Google, which is known for spying, but your databases are encrypted, at least for now. Something to keep in mind. I think Proton has drive options too. I originally chose Google Drive because it’s based in the US. However, given how much better Proton respects user privacy, I am considering switching…
Phone Access
There are a limited number of apps that facilitate access to KeePassXC databases on your phone. The one I use is Strongbox for iOS. It’s free, but you can pay for biometric support, which I think is worth it. As for Android, I’ve heard that KeePass2Android is the preferred option, although I’ve also heard reference to KeePassDX. Granted, I haven’t used either of these, so your mileage may vary.
Once you have the app, you’ll need to get a copy of your KeePassXC databases onto your phone. There are many ways to do this. However, if you have that emergency cloud account set up as described in the previous section, you can simply copy the databases from there into your phone’s storage. From there, you can access the database in Strongbox, etc. I recommend making the database read-only, so you don’t risk a scenario where you modify an entry on your phone and it doesn’t get merged with your other database copies.
To prepare for the scenario where you need to create an account on your phone, I recommend creating two additional databases: a temp passwords database, and a temp MFA database. These should be clearly labeled, and you can keep their passwords in your main database. The purpose of these is to store temporary credentials that you later merge into your main databases.
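To make the Backups section and the temp-database merge above concrete, here is a small POSIX shell script. It is an added example, not code from the original article or from the KeePassXC project. It snapshots a database into a backup directory with a timestamp, re-hashes the copy with SHA-256 so a truncated or corrupted write is caught immediately (the kind of silent corruption the Backups section warns about), prunes old snapshots, and, for folding a temp database back into a main one, takes a verified snapshot of the main database first and then hands off to KeePassXC's own command-line tool ("keepassxc-cli merge <target> <source>", which prompts for each database's password). The file paths, the retention count, and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the article or KeePassXC): snapshot, verify, prune,
# and merge helpers for .kdbx files. Paths and defaults below are assumptions.
set -u

KEEP=${KEEP:-8}   # snapshots to retain per database (assumed default)

# SHA-256 of a file; works with sha256sum (Linux) or shasum (macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_kdbx <database.kdbx> <backup_dir>
# Copies the database to <backup_dir>/<name>.<YYYYmmdd-HHMMSS>.kdbx and
# re-hashes the copy against the source. A mismatched copy is deleted.
# Prints the snapshot path and returns 0 on success, 1 otherwise.
# (Two runs within the same second would overwrite the same snapshot.)
backup_kdbx() {
    src=$1; dest=$2
    [ -f "$src" ] || { echo "missing database: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    base=$(basename "$src" .kdbx)
    snap="$dest/$base.$(date +%Y%m%d-%H%M%S).kdbx"
    cp "$src" "$snap" || return 1
    if [ "$(file_sha256 "$src")" != "$(file_sha256 "$snap")" ]; then
        echo "checksum mismatch, discarding $snap" >&2
        rm -f "$snap"
        return 1
    fi
    echo "$snap"
}

# prune_kdbx <database.kdbx> <backup_dir>
# Keeps only the newest $KEEP snapshots of that database (newest by mtime).
prune_kdbx() {
    base=$(basename "$1" .kdbx)
    ls -1t "$2/$base".*.kdbx 2>/dev/null | tail -n +"$((KEEP + 1))" | while read -r old; do
        rm -f "$old"
    done
}

# merge_temp <main.kdbx> <temp.kdbx> <backup_dir>
# Takes a verified snapshot of the main database, then merges the temp
# database into it with KeePassXC's CLI, which prompts for both passwords
# (the temp database's password lives in the main database, per the article).
# The merge is skipped if the snapshot could not be verified.
merge_temp() {
    main=$1; temp=$2; dest=$3
    command -v keepassxc-cli >/dev/null 2>&1 || { echo "keepassxc-cli not installed" >&2; return 1; }
    backup_kdbx "$main" "$dest" >/dev/null || return 1
    keepassxc-cli merge "$main" "$temp"
}

# Usage:  sh kdbx-tools.sh backup <backup_dir> <db.kdbx>...
#         sh kdbx-tools.sh merge  <main.kdbx> <temp.kdbx> <backup_dir>
case "${1:-}" in
    backup) dest=$2; shift 2
            for db in "$@"; do backup_kdbx "$db" "$dest" && prune_kdbx "$db" "$dest"; done ;;
    merge)  merge_temp "$2" "$3" "$4" ;;
esac
```

Run the backup subcommand against both databases with the USB drive's mount point as the backup directory, and run the merge subcommand after pulling the temp database back from the phone; because the snapshot is hashed before the merge touches anything, a bad merge or a bad update can always be rolled back to a copy known to match the original.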
Additional Strategies
Something to keep in mind is that if your database gets cracked via quantum computing, or whatever, all your passwords, etc. will be exposed. This is why some people prefer to keep their data completely out of the cloud. If the attacker can’t touch the files, they can’t crack your database. However, you can take a hybrid approach. Consider this. Memorize (and safely record in a secure location if possible) hard-to-guess prefixes and suffixes to prepend and/or append to all of your passwords. This way, even if someone does crack your password database, they won’t have access to your actual passwords. They will only have partials. So like, if your suffix is “abc123”, then all your passwords will be like “Password1abc123”, “Password2abc123”, etc. But in your password safe, only “Password1” and “Password2” will be exposed :). Just remember to keep things as simple as possible. You may feel clever now developing a complex scheme, but if you disappear temporarily or lose part of your memory, it may be difficult to recall more complex schemes. Everything is about trade-offs and weighing the pros and cons of any relevant solutions, given your life requirements, preferences, or your particular use cases.
Wrapping It All Up…
- Weigh different password management solutions with your needs for usability and what you are willing to compromise on in terms of trust.
- Take the entire technology stack into consideration when trusting a solution.
- Consider using a particular technology stack / environment to limit secrets being leaked.
- Implement a trustworthy solution that works for you.
- Separate your passwords from your MFA secrets so that a single compromise will not wipe you out.
- Make multiple frequent backups of your password/MFA data.
- Preferably, keep one set of those backups in a free cloud account for the worst-case scenario, as well as for easy transfer between your computer and your phone.
- Configure your phone to access copies of your password/MFA data, and ensure that you are able to add info for new accounts on the fly.
- Consider additional strategies such as going completely offline, or adding prefixes and/or suffixes to your passwords.
Conclusion
Well, we’ve reached the end of this article. I hope you’ve learned something. If not, there’s a whole internet out there waiting to be learned from :). Also, I highly recommend Michael Bazzell’s privacy ebooks, such as “Extreme Privacy”. He goes into much more depth on other topics. However, I’ve taken what I’ve learned from him and applied my own twist on things in this article.