Password Manager Setup
With data breaches being a regular news item these days, it has become common for people to ask #infosec professionals about securely using and storing #passwords. And, of course, it can be a fun topic to digress into in Slack channels, during meetings, etc. In fact, I just got asked about this last week while hiking in the Swiss Alps!
TL;DR - My Setup
Before we get into it, here’s my setup:
- KeepassXC installed on my computers. This runs on #Linux, #macOS, and #Windows.
- KeepassDX on my Android devices (available on F-Droid or the Play Store)
- I use a medium-strength password on the database
- not a dictionary word, but not 22+ characters, either
- I allow the database lock to time out relatively quickly so plaintext passwords are not accessible
- On some computers, the browser extension, allowing for automatically populating my credentials
- The KeeShare feature, which allows for seamless sharing of passwords with others (e.g. spouse) in a self-contained database integrated into the application UI.
- I run my own #NextCloud server, which provides me with file synchronization services, as well as making the database Internet-accessible for mobile devices. #self-hosting
- Finally, in order to protect the passwords across multiple devices and a personally-operated cloud service with no dedicated security team[1], I use a #Yubikey challenge-response security setting on the database, which effectively requires three things in order to get my passwords:
- a specially-configured device must be present,
- knowledge of the password, and
- the password database itself.
Personally, when asked, I usually say that what I do is not what the average person should do and proceed to recommend commercial tools such as 1Password, Bitwarden, etc. I used to recommend LastPass, due to its ease of use, especially with sharing to family members, but I just cannot recommend them in good conscience any longer.
Now, onto my setup for the masochists out there:
KeepassXC
First, the password manager itself: KeepassXC is a community fork of KeePassX (itself a cross-platform port of the original Keepass) and has all kinds of features, but the ones important to me are:
- Accepts hardware multi-factor
- Can share databases with others and have them invisibly merged with your other databases (this is called Keeshare)
- Browser integration for automatically populating credentials in login pages. I didn’t use this for a long time, as the browser bridge is the most exposed part of most password managers, but it’s darn handy, and KeepassXC manages this granularly, so you can keep your most sensitive entries out of the extension and enter them manually.
- Can manage passkeys. I don’t currently use this, but it’s a good future-proof feature
Image: Two new Yubikeys. Always make backups of the key configurations.
Settings
An important thing to note is that there are two sets of configuration settings:
- The application has settings which are unique to the specific installation. Changing one of these does not affect the installation on other computers.
- There are also settings for the password database itself, which remain with the database, meaning that if you are syncing across devices, these settings will remain consistent.
There are a lot of options, and some features have to be enabled in the settings before they work (e.g. KeeShare), which is a nice attack-surface-reducing design choice. The steps I take with a new database:
- Create the database with a reasonable password
- Enable browser integration, check the box next to your browser, and install the matching extension in that browser
- The default 10 second clipboard timeout is a bit short, so I extend it to a couple of minutes (the trade-off is a longer window in which anything that reads the clipboard can pick up a secret)
- KeeShare has to be explicitly enabled
- Configure challenge-response for the Yubikey:
  - Set up Yubikey Authenticator
  - Connect your Yubikey, click on “slot 2”, select challenge-response, and generate the key
  - Copy this key into the Keepass database for future reference (you can only read it back with a working key, so until a second key is programmed keep a copy somewhere else that is secure)
  - Program additional Yubikeys with the same key as backups; a backup only works if its slot holds the identical secret
And that’s about it. With the database syncing through Nextcloud, I have a very secure credential management system.
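To make the "three things" from the TL;DR concrete, and to show why a backup Yubikey has to be programmed with the same slot secret, here is a small Python model of the HMAC-SHA1 challenge-response step. This is an added example, not KeepassXC's code: the hard-coded slot secret is constructed for the demo, `FakeYubiKey` stands in for the hardware (a real key only ever returns the HMAC, never the secret), and the way the password hash and the key's response are combined into a single key is a simplified stand-in for the real KDBX key derivation. The secret is the same kind of value Yubikey Authenticator (or the `ykman otp chalresp` CLI) writes into slot 2.

```python
"""Toy model of Yubikey challenge-response protection on a password database.

Added example, not KeepassXC code. The HMAC-SHA1 done by the key slot is
modelled faithfully; the combination of password and response is simplified.
"""
import hashlib
import hmac
import os

# Constructed 20-byte slot secret standing in for the value the configuration
# tool generates and writes into slot 2. A real secret never leaves the key;
# this one is hard-coded only so the example runs offline.
SLOT_SECRET = bytes.fromhex("6f1d8a2b3c4e5f60718293a4b5c6d7e8f9a0b1c2")


class FakeYubiKey:
    """Stand-in for a hardware token: holds a slot secret, answers challenges.

    A real key exposes only HMAC-SHA1(secret, challenge); the secret itself is
    write-only. That is why two keys programmed with the same secret are
    interchangeable and a key holding any other secret is useless here.
    """

    MAX_CHALLENGE = 64  # the HMAC-SHA1 slot accepts challenges of up to 64 bytes

    def __init__(self, slot2_secret: bytes) -> None:
        if len(slot2_secret) != 20:
            raise ValueError("HMAC-SHA1 slot secrets are 20 bytes")
        self._secret = slot2_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= self.MAX_CHALLENGE:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, seed: bytes, key: FakeYubiKey) -> bytes:
    """Combine the three ingredients: password, per-database seed, and token.

    The seed lives unencrypted in the database file and is what the token is
    challenged with: no file, nothing to challenge; no token, no response;
    no password, the response alone is not enough. (Simplified combination.)
    """
    password_hash = hashlib.sha256(password.encode("utf-8")).digest()
    response = key.challenge_response(seed)
    return hashlib.sha256(password_hash + response).digest()


def create_database(password: str, key: FakeYubiKey, seed: bytes = b"") -> dict:
    """Return a toy 'database': the public seed plus a verifier of the key."""
    seed = seed or os.urandom(32)
    return {
        "seed": seed,
        "verifier": hashlib.sha256(composite_key(password, seed, key)).digest(),
    }


def unlock(db: dict, password: str, key: FakeYubiKey) -> bool:
    """True only if password, token secret and this file's seed all line up."""
    candidate = hashlib.sha256(composite_key(password, db["seed"], key)).digest()
    return hmac.compare_digest(candidate, db["verifier"])


if __name__ == "__main__":
    primary = FakeYubiKey(SLOT_SECRET)
    backup = FakeYubiKey(SLOT_SECRET)       # programmed with the same secret
    stranger = FakeYubiKey(os.urandom(20))  # someone else's key

    db = create_database("medium-level passphrase", primary)
    print("primary key + password:", unlock(db, "medium-level passphrase", primary))
    print("backup key + password: ", unlock(db, "medium-level passphrase", backup))
    print("other key + password:  ", unlock(db, "medium-level passphrase", stranger))
    print("primary key, wrong pw: ", unlock(db, "wrong", primary))
```

Running it shows the primary and backup keys both unlock the database while a key with a different secret, or the right key with the wrong password, does not; it also makes clear why the slot secret must be saved somewhere before the only key holding it is lost.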
[1] Still, nearly every SaaS vendor with customers and a lifespan of three years or more has suffered a breach. My self-hosted cloud service has not yet been compromised.