Jorisvandijk.com

Living on Linux

My password management

In a previous post I talked about password managers. I ended the post saying that if there's interest, I'd gladly talk about my solution. Within a few minutes of posting that, I got a message on Discord that there was indeed interest, so I guess I'll oblige.

Hosted by others

Most people that use a password manager get one that is hosted for them by a company. Password managers like Lastpass and Bitwarden come up a lot. And while they might provide good solutions, I felt that I wanted more control over how I use my password manager.

[Image: Gnome Secrets, a KeePass-compatible password manager]

Not hosted at all

So I use KeePass. KeePass is a free, open-source password manager, which means anyone can look at the source code to check that there isn't, say, a backdoor through which one could access your passwords. Also, it's free. I'm Dutch - I like free. What KeePass really does is create a standalone database file which is "encrypted using the best and most secure encryption algorithms currently known (AES-256, ChaCha20 and Twofish)", according to the KeePass website.

Clients

A great thing about the way KeePass works is that it is easy to create a client that handles these database files on any system. That's why there are so many KeePass applications to choose from. They're made for Windows, Android, Linux and even iOS.

One of the things services like LastPass charge you for is being able to use their password safe on your phone. This means that you have to pay a premium in order to access your accounts when you're not on your PC or laptop, but on a phone. How many times have you wanted to shop at Amazon on your phone, but in order to log in you'd need the password? Many times, I'd guess, as we all use our phones on the internet more than our dedicated internet machine at home.

Safety

Another thing that bothers me about services with a centralized way of storing passwords is that they are far more vulnerable to attacks. Hackers just target a service and go ham on it. Search online and you'll find many examples of password managers being breached. I am not saying KeePass isn't vulnerable to attacks; I am saying big services supplying a mass solution are more vulnerable.

Single file

Thirdly, I like that in the end, KeePass is just a file. A single file. It's not even a big file. It's just a single file. A big positive of this is that you could easily back it up to a USB drive, or burn it to a CD. Or, well... You could do what I do. I host this single file on a private Git repository.

My workflow

What I am doing is just Git pushing the entire password safe, the file, to a private (read: hidden) repository on a public Git repository host. This means that the file itself can only be accessed if you're logged in as me, using my SSH credentials. If you're not, you simply cannot find the file. The Git host cannot access the file either. They know where it's located, but they do not know the password to the encrypted file itself.

On my system I then just have a folder in which my password safe/file is located. If I make a change to this file, I will Git push that change to the server. In doing so both my local file and the one on the Git repository are up to date. An added advantage is that I can also access this file from another device, say a smartphone.
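The change-then-push routine described above, written as a small shell script. This is an added example, not code from the original post or from KeePass or Git. It pulls with fast-forward only before committing, so an edit pushed from another device is never overwritten, and it commits and pushes only when the database file has actually changed. The checkout directory, the database file name and the commit-message format are assumptions; change them to match your own setup.

```shell
#!/bin/sh
# Added example (not code from the original post): one-command sync of a KeePass
# database file to a private Git remote. Pull first with fast-forward only so an
# edit pushed from another device is never overwritten, then commit and push only
# when the file has actually changed. Paths, file name and message format are
# assumptions; change them to match your own checkout.
set -e

VAULT_DIR="${VAULT_DIR:-$HOME/vault}"       # assumed: local clone of the private repo
VAULT_FILE="${VAULT_FILE:-passwords.kdbx}"  # assumed: name of the KeePass database

# sync_vault prints "unchanged" or "pushed" and returns 0. It returns 1 when the
# remote cannot be fast-forwarded: a .kdbx is an encrypted binary blob, so Git
# cannot merge it and the two copies must be opened and reconciled in the client.
sync_vault() {
    cd "$VAULT_DIR" || return 1
    # --ff-only refuses to create a merge commit; stdout is dropped to silence "Already up to date."
    git pull --ff-only --quiet >/dev/null || return 1
    # 'git status --porcelain' lists the file whether it is modified or still untracked
    if [ -z "$(git status --porcelain -- "$VAULT_FILE")" ]; then
        echo unchanged
        return 0
    fi
    git add -- "$VAULT_FILE" || return 1
    git commit --quiet -m "vault: update $(date -u +%Y-%m-%dT%H:%M:%SZ)" >/dev/null || return 1
    git push --quiet >/dev/null || return 1
    echo pushed
}

# Executed directly as sync_vault.sh: run one sync. Sourced: only define the function.
case "$0" in
    *sync_vault.sh) sync_vault ;;
esac
```

Save it as sync_vault.sh and run it after closing the database in your client. Because the .kdbx is an encrypted binary blob, Git cannot merge a diverged history, which is why the script refuses instead of guessing; a `.gitattributes` line `*.kdbx binary` additionally keeps Git from attempting text diffs or line-ending conversion on the file.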

Software

On my Linux machine I'll use Gnome Secrets to access the KeePass file. On my Android phone I'll use AuthPass in combination with MGit, to keep the file up to date. If I were to use Windows, I could use one of the many clients provided for that OS.

Conclusion

The point is that it's just one simple file that I can access with one long-ass password across many devices, which I keep up to date using Git. It is, in my opinion, the best way to handle passwords across many devices. It may seem a little convoluted, but trust me, it works a treat. I would not, could not use any other way to manage my passwords.