You don’t have to trust Google, Microsoft, or the pope to have your passwords “auto-filled”
Having one login password for every website you use is not the smartest idea, we all know that. However, having two or three passwords, one for sensitive logins like banking or email accounts, and others for random less trustworthy logins is not the ultimate solution. Since an exposed password will compromise all the logins sharing the same password.
The ultimate solution is to have a separate, randomly generated password for every login.
If you have the memory to do that, WOWWW…. For me, I struggle to remember my birthday already 😂 so I have to use a password manager .
There is nothing wrong with using Google’s password manager, Microsoft, Apple, 1password, Bitwarden, or whatever. People have been using them for long, with zero problems till now.
However, maybe I am a security freak, but I don’t want to trust my passwords to an entity, regardless of their promises &/reputation.
If you are like me, I will share with you how I mange my passwords, without relying on an online password manager, and also without sacrificing usability.
-
I use a local password manager on my computer:
keepass is a way to store your passwords locally, encrypted with a password or a key file. Here I just stick with a password, which is the only password I memorize.
keepass is a very old opensource project, that has not seen any development for so long. However, it’s methodology is used in many forks, here I use keepassXC, which just has a more modern UI, and nice auto-complete features.
You can validate that you can trust any keepass fork by running them in a sandbox, or monitor their network activity, they should not have any.
-
I save the encrypted passwords file on a cloud storage drive (ex: google drive or Dropbox):
Although google now has my file, it’s meaningless for them, since they don’t have the encryption key. The general idea of this way of managing passwords is that no entity is going to have the passwords database file + it’s key.
-
I use a local password manager on my other devices (ex: phone, tablet):
Now the phon’s local password manager will use the phone OS files manager app to read the passwords encrypted file. The guarantee that this app does not steal your passwords is that it has to work offline, and only offline.
Now what I have is a cross-platform system, that works as good as the local password managers work. Which is nothing less than what any online password manager can be.
More details, so that you can have a smooth ride implementing your system:
-
As I mentioned, I use keepassXC. I made it start automatically when I turn on my computer. The below suggestions are based on a Ubuntu20 OS.
-
To download keepassXC for ubunto:
sudo snap install keepassxcor get your right download from https://keepassxc.org/download/ -
It is very useful to make a hotkey to auto-fill passwords, for me it is alt+shift+space. You will find the option to set a hotkey combination in the app’s settings.
-
When you save a password with any keepass manager, provide the url to the login in the dedicated field, so that it gets suggested to be filled when you click the keepass hotkey. Otherwise, you will have to search for the password in the database.
4. KeepassXC can’t read the url to suggest the right login information in a browser window. , this can be solved by:
-
Using their browser extension, it connects to the main app.
-
or use an extension to put the url of the website in the tap header, which keepassxc can read.
for me, I use the latter since it is more secure.
-
I use a FUSE system to mount my google drive
-
You can find how to mount google drive using Ocamlfuse here https://www.omgubuntu.co.uk/2017/04/mount-google-drive-ocamlfuse-linux
-
I added the mount line to the .bashrc so that it gets mounted whenever I login
-
you may want to set
mv_keep_target=truein~/.gdfuse/default/configso that when you add a password, the file gets modified, instead of making a new file with the same name. This is to avoid confusing the other keepass managers in other systems (like the phone)
-
-
Of course, you have to save your database on the cloud drive (like google drive), I suggest making a separate directory for it.
-
By default, you will have sections for putting organizing your logins, use them they will make life easier later.
8. Lastly, of course, make it suggest a bloody complicated password for every login you are going to add.
-
-
I use keepassium on my iphone and ipad https://keepassium.com/:
-
For android, you can find other keepass managers, they are everywhere 😅.
-
The app works completely offline, it uses apple’s file manager to read the passwords database file from google drive. so it can not leak your passwords.
-
The app free version gives enough, it restricts the auto-fill a bit, but it is OK for me.
-
Once you give it the database, you have to unlock it with the master password of course.
5. It can store the database offline when it can’t reach google drive (very useful when there is no internet connection)
6. Sometimes when you write to the file from other sources, like computer, it gets confused and thinks that the original file is no longer there. No worries just add the file again.
7. I store the master password on my iphone’s keychain, as a precaution if I forget it. it doesn’t compromise safety as it is a password without the encrypted file. Just like having a key without knowing which door it opens.
Having a secure system like this does not mean you are 100% safe, passwords can be leaked by fake logins, reading your clipboard (things you copy), key-loggers, ..etc. So don’t put your guard down because you are using a password manager.
Finally, you can implement the same concept in any different way. Just remember, don’t give the encrypted database and its password to the same entity.
-