A long while back, I would normally just remember my passwords. In my head. Completely in memory, with something memorable. Like a psychopath. But not anymore. I got into using proper password managers after so many YouTube "sponsors" explained the different password managers and why they're so great. Easy to store, easy to manage, and, what pulled me in, the fact that I don't need to remember every. Single. Password. Just one. The master password. But little did I know, that would be my downfall. Read on.
After being hooked and doing a bit of research on which password managers offer the best (and free) solution, I decided to try out LastPass, way back in 2018. I have to say, it was intimidating the first time I used it. The user on-boarding experience was smooth, but I wasn't sure exactly how each LastPass feature worked until I actually used it on a few sites. It's like pop, there's my username and password automatically filled in for me. So yeah, autofill is a nice feature. So much so that I enjoyed it way too much, changing all of my passwords and scrambling them so thoroughly that I didn't need to remember a single one, except for my master password. I thought, "This must be it. The ultimate way to be a power Internet user." Until I changed to a different device and was offline; that's when my downhill started.
My job involves logging in to servers (locally or remotely), firewalls and other services. I don't necessarily have to be online to access them, as I can just access them physically. But when the network goes down and I'm locked out of my servers, I can't log in because, well, LastPass can only be accessed online. Only when I get the network back up can I access my password. This woke me up to a few things:
- An inaccessible password DB is a useless password DB. If I kept a local copy, I could access it anywhere and everywhere.
- I could at least try to remember the most critical passwords by heart.
- Passwords don't need to be so jumbled up.
So this set me up to go on another quest for a better password manager to fit my needs.
I tried KeePass. It was good! Then I found plenty of other forks of KeePass and found KeePassXC much better: active in development and consistently releasing new features. Having a local, offline password database fit my requirement, but I wasn't comfortable with just a single file that I would soon lose if I couldn't find it, or couldn't access if my entire machine went down. So backing it up and syncing it is the next critical step. Others suggested Google Drive, but I didn't want to because "Google", and the 15GB of disk space would have me worrying every month. Dropbox and other online cloud storage solutions all either cost more or didn't fit my requirement. That's when I found Syncthing.
Prior to Syncthing, I experimented with Nextcloud. It was nice. It had a nifty plugin for accessing a KeePass DB in the browser on a self-hosted instance. But the problem was that I was paying for my VPS every month for something similar to the other online solutions. Well, at least I can put the Nextcloud experience on my resume. Then I moved to Syncthing. Here is a list of reasons why it's better:
- Don't need a server
- It's free
- You can rely on your multiple devices to back up and store your files
- The amount of disk space you can store across your devices depends only on the disk space you have and own.
- The devices to sync don't need to be online. They can sync as long as they are on the same network.
Which makes this the clear winner. I set it up on my Android, my laptop and my home desktop. This way I have files synced and backed up across all 3 devices (and more if I get more). And since the files sync to my phone seamlessly, I can then open them on my phone just as easily with the app counterpart, Keepass2Android. It's not the prettiest, but it does the job.
I used KeePass a bit and moved to KeePassXC primarily because of TOTP. When I was using LastPass, I took advantage of LastPass Auth. It was fine, and I liked that it could back up my TOTP to my LastPass account, but still, I didn't like that it relied on LastPass. KeePassXC and Keepass2Android have the ability to generate and store TOTP offline on your devices. And instead of 2 apps, it's now 1 app for desktop and mobile. Another win! 🎉
For anyone who wants to use the same stack that I do for managing passwords, you will face some file conflicts. This is because Syncthing doesn't look at the content of the KeePass DB file, just the binary and when it changed. So when Syncthing doesn't know which change is the latest, it's up to us to merge the changes. KeePassXC has the option to merge the 2 database files into one: open and unlock the original KeePass DB file, then navigate to Database > Merge From Database...
Then merge the conflicted database. Done!
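The same merge can be scripted for the command line instead of clicking through the GUI. Syncthing renames the losing copy of a file to `<name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<DEVICE>.<ext>`, so a small script can spot those copies, sanity-check that each is a real KDBX file rather than a truncated sync, and build the `keepassxc-cli merge` call that folds it back into the main database. This is an added example, not code from the original post; the directory listing is constructed, and the `--dry-run` flag is assumed to exist in your keepassxc-cli version.

```python
import re
from datetime import datetime
from pathlib import PurePath

# Syncthing renames the losing copy to <stem>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<DEVICE>.<ext>
CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-(?P<ts>\d{8}-\d{6})-(?P<device>[A-Z0-9]+)\.(?P<ext>[^.]+)$"
)

# KDBX 2.x header signature, little-endian: 0x9AA2D903 followed by 0xB54BFB67
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")


def find_conflicts(filenames, db_name):
    """Return conflict copies of db_name, oldest first, as (timestamp, device, name)."""
    stem, ext = PurePath(db_name).stem, PurePath(db_name).suffix.lstrip(".")
    found = []
    for name in filenames:
        m = CONFLICT_RE.match(name)
        if m and m["stem"] == stem and m["ext"] == ext:
            ts = datetime.strptime(m["ts"], "%Y%m%d-%H%M%S")
            found.append((ts, m["device"], name))
    return sorted(found)


def is_kdbx(header):
    """True if the first bytes look like a KDBX 2.x database (guards against a truncated copy)."""
    return header[:8] == KDBX_MAGIC


def merge_command(db_name, conflict_name, key_file=None, dry_run=False):
    """Build the keepassxc-cli invocation that merges conflict_name INTO db_name.
    --same-credentials: both copies share the master password (true for a synced DB).
    --dry-run only reports the changes; assumed available in recent keepassxc-cli."""
    cmd = ["keepassxc-cli", "merge", "--same-credentials"]
    if key_file:
        cmd += ["--key-file", key_file]
    if dry_run:
        cmd.append("--dry-run")
    return cmd + [db_name, conflict_name]


if __name__ == "__main__":
    # Constructed directory listing, as Syncthing would leave it after two offline edits.
    listing = [
        "Passwords.kdbx",
        "Passwords.sync-conflict-20230105-091500-ABCDEFG.kdbx",
        "Passwords.sync-conflict-20230104-220000-HIJKLMN.kdbx",
        "Passwords.kdbx.bak",
    ]
    for _, device, name in find_conflicts(listing, "Passwords.kdbx"):
        print(device, " ".join(merge_command("Passwords.kdbx", name, dry_run=True)))
```

Merging (rather than deleting) the conflict copy is what keeps entries that were added on both devices while offline; once the merge is confirmed, the conflict file can be removed so it does not sync around as a second copy of your secrets.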
I made a vow to not just leave it to a password manager to remember my passwords. Instead, I started to slowly change my passwords to passphrases, keeping another copy of the password DB in my head as well. Of course, it's still a burden to remember hundreds of passphrases for every service and application I use every day, but I still try to remember them. I mean, it's not difficult to generate a passphrase.
Or something like that. Of course, the relevant XKCD comic.
Thanks for coming to my TED Talk!
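The strength of a passphrase comes from picking the words at random, not from the words being unusual. As an added example (not from the original post), this generates a passphrase with the CSPRNG and does the entropy accounting behind the XKCD argument: words drawn uniformly from a list of size W carry log2(W) bits each, so a few words from a large list match a short fully random password while staying memorable. The tiny wordlist is constructed; a real one such as the 7776-word EFF diceware list is assumed in practice.

```python
import math
import secrets

# Constructed mini wordlist for the demo; use a real diceware-style list in practice.
WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "lantern", "pebble", "orbit"]

# Character-set sizes for comparing against random (non-passphrase) passwords.
PRINTABLE_ASCII = 94   # letters, digits and punctuation
ALNUM = 62


def generate_passphrase(wordlist, n_words, choose=secrets.choice, sep="-"):
    """Draw n_words uniformly at random, with replacement, from wordlist.
    `choose` is injectable so the selection can be made deterministic in tests."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return sep.join(choose(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n uniformly chosen words: n * log2(W). Only the random draw counts."""
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols over an alphabet."""
    return length * math.log2(alphabet_size)


def words_for_bits(target_bits, wordlist_size):
    """Smallest number of words from a list of size W that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(generate_passphrase(WORDLIST, 4))
    # 4 words from a 2048-word list (the XKCD scenario) vs. an 8-char random password.
    print(round(passphrase_entropy_bits(4, 2048), 1), "bits for 4 words / 2048-word list")
    print(round(password_entropy_bits(8, PRINTABLE_ASCII), 1), "bits for 8 random printable chars")
    print(words_for_bits(80, 7776), "diceware words reach 80 bits")
```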
Now tell me about your Password Manager of choice and why.