With all the password-manager-related conversation fluttering about, I realized that I haven’t talked much about my password manager setup, and that I really ought to fix that. 🧵

(1/7)

#KeepassXC #Keepass2Android #SyncThing #Yubikey #PasswordManager

I first found out about security keys when I was required to use one for a previous job. Thinking about two-factor auth, I found it to be a fairly low-friction option, and much more resilient than something like TOTP or push authentication. They typically support a pretty diverse set of authentication options, including some that are backwards compatible. (I’m looking at you, smartcards.)

TOTP requires storing a shared secret. Push authentication requires an external service. A security key is just…there. There’s effectively no way to extract its secrets, and an attacker would need physical access, or to execute a USB person-in-the-middle attack, to use it without your knowledge. In the modern threat landscape, it seemed like one of the best options out there.

(2/7)

When I left that company, I decided to get a couple of Yubikeys for myself and play around with them more extensively. As mentioned, I was surprised with the relative flexibility, and as the years have moved forward, I noticed that a larger number of services will allow me to use my security key to authenticate.

When I started thinking about moving my password manager off of external hosting, I looked into options that would let me leverage my security key. I landed on KeepassXC, which supports security keys via HMAC-SHA1 Challenge-Response. Making this even better, I could set the OTP secret to be the same thing on two different keys, meaning either one would be capable of unlocking my password database. There were a number of other reasons KeepassXC met my needs; platform availability and feature set were the primary ones. It also has a sharing functionality, meaning I had a way to get my passwords into a different database that I didn’t have access to.

(3/7)

So how do I get this password database where I need it? I landed on SyncThing for that. Fundamentally, I just needed to be able to get the latest version of the file to my laptops and my phone, and wanted to do so in a way that would be secure and reliable. I’d need to host my password database somewhere, so I could just connect all of my devices to that server.

A bonus of this setup is that the server itself doesn’t need KeepassXC. The database is just a file. Even if my server were compromised, an attacker would need both my passphrase and one of my YubiKeys to open the file.

(4/7)

Actually making all of this happen was a bit painful, I'll admit, which is why I don't just recommend this solution for everyone.

• You need an always-on machine to host the password database.
• You need security keys, and the technical know-how to program two of them with the same secret using Yubico's software. (As a bonus, you can use these for direct and secure authentication to a ton of different sites and services.)
• You need to install KeepassXC, or another compatible client, on all of the devices where you want access to your passwords. Not all clients support opening a database with a Yubikey; I landed on Keepass2Android for my phone.
• You need to install SyncThing on all of the devices where you want to access your passwords. Or maybe not, if you're okay with manually copying files.
• You need to actually get all of your passwords and important stuff into the password database. This is honestly a huge lift if you haven't done it before. I want to say it took me about a week.

(5/7)
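The two-keys-one-secret trick from post 3 and the "program two of them with the same secret" step above rest on one property: HMAC-SHA1 challenge-response is deterministic, so two keys holding the same 20-byte secret answer every challenge identically, and whatever key is derived from passphrase plus response comes out the same. The model below is an added example written for this page, not KeePassXC's or Yubico's code. The ModelYubikey class, the derive_unlock_key construction, the secrets, the challenge and the passphrase are all assumptions made up for illustration; KeePassXC's real KDBX4 composite key and KDF are built differently, and a real key never lets you read the secret back.

```python
"""Added example: model of passphrase + HMAC-SHA1 challenge-response unlocking.

Not KeePassXC's code. It demonstrates the property the thread relies on:
two keys programmed with the same 20-byte secret answer every challenge
identically, so either one unlocks the database, while the server that
only holds the file has neither factor.
"""
import hashlib
import hmac


class ModelYubikey:
    """Stand-in for a Yubikey OTP slot in HMAC-SHA1 challenge-response mode.

    A real key never exports its secret; this model holds it only so it can
    compute the same responses the hardware would.
    """

    def __init__(self, secret: bytes) -> None:
        if len(secret) != 20:  # ykman takes a 40-hex-digit (20-byte) key
            raise ValueError("HMAC-SHA1 challenge-response secret must be 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= 64:  # the hardware challenge buffer is 64 bytes
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_unlock_key(passphrase: str, key: ModelYubikey, challenge: bytes,
                      *, rounds: int = 50_000) -> bytes:
    """Combine both factors into one key, then stretch it.

    Hypothetical construction for illustration only: KeePassXC's KDBX4
    composite key and KDF (Argon2 / AES-KDF) are built differently.
    """
    response = key.respond(challenge)
    composite = hashlib.sha256(
        hashlib.sha256(passphrase.encode("utf-8")).digest()
        + hashlib.sha256(response).digest()
    ).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, challenge, rounds, dklen=32)


# Constructed values for the demo; a real secret would come from secrets.token_hex(20).
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")
OTHER_SECRET = bytes.fromhex("deadbeefdeadbeefdeadbeefdeadbeefdeadbeef")
CHALLENGE = bytes(range(32))  # stands in for a per-database challenge kept in the file header
PASSPHRASE = "correct horse battery staple"


def demo() -> dict:
    primary = ModelYubikey(SHARED_SECRET)
    backup = ModelYubikey(SHARED_SECRET)   # second key, same secret
    stranger = ModelYubikey(OTHER_SECRET)  # a key never programmed with that secret

    reference = derive_unlock_key(PASSPHRASE, primary, CHALLENGE)
    return {
        # Same secret -> same response -> same unlock key: either key works.
        "backup_key_unlocks": derive_unlock_key(PASSPHRASE, backup, CHALLENGE) == reference,
        # Passphrase alone (with some other key) is not enough.
        "other_key_fails": derive_unlock_key(PASSPHRASE, stranger, CHALLENGE) != reference,
        # Key alone (with the wrong passphrase) is not enough either.
        "wrong_passphrase_fails": derive_unlock_key("hunter2", primary, CHALLENGE) != reference,
        # Byte-identical responses are what you verify on real hardware before trusting the backup key.
        "responses_identical": primary.respond(CHALLENGE) == backup.respond(CHALLENGE),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

On real hardware the equivalent steps, as I recall Yubico's ykman CLI (check `ykman otp chalresp --help` for your version), are: generate one 40-hex-digit secret yourself, program it into the same slot on each key with `ykman -d <serial> otp chalresp --touch 2 <secret>`, then feed both keys the same challenge with `ykman -d <serial> otp calculate 2 <hex-challenge>` and confirm the responses match before you point the database at them. Decide up front whether to keep the secret written down offline (so a replacement key can be programmed later) or to wipe it after programming both keys; either choice is defensible, but don't leave it sitting in a shell history.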

The neat thing is: Once you get this set up, it “just works” 99.9% of the time. I don’t think I’ve had to troubleshoot my setup in over a year now. The worst possibility is that you update your database on two different devices and there’s a sync conflict, but SyncThing will even handle that with some level of grace.

On my laptops, I have KeepassXC launch when my computer starts. I plug in my Yubikey and enter my passphrase once. The application minimizes, and a browser plugin handles password entry as needed.

On my phone, I have Keepass2Android unlock the database once. My Yubikeys have NFC, so I don’t even need to plug it into my phone to decrypt my password database. That app also has an option for “Quick Unlock” where you can enter the last three characters of the passphrase to unlock after the first time; this is what I do the vast majority of the time. If the database file is updated, I need to do a full unlock again, but that’s not a huge inconvenience.

(6/7)
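The sync-conflict case mentioned above is worth a periodic check, because Syncthing does not merge the two versions: it keeps the winning copy under the original name and renames the loser to <name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<device id prefix>.<ext>, where it sits unopened until someone notices. The script below is an added example for this page, not Syncthing's or KeePassXC's code; the directory listing and file names in it are constructed, and the function and constant names are my own.

```python
"""Added example: find Syncthing conflict copies of the password database.

Not Syncthing's or KeePassXC's code. Syncthing resolves a conflicting change
by keeping the winner under the original name and renaming the loser to
    <name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<device id prefix>.<ext>
Nothing is lost, but the losing edits live in a copy nobody opens unless
they go looking for it.
"""
import re

CONFLICT_RE = re.compile(
    r"^(?P<stem>.+?)\.sync-conflict-(?P<date>\d{8})-(?P<time>\d{6})"
    r"-(?P<device>[A-Z0-9]+)\.(?P<ext>[^.]+)$"
)


def conflict_copies(filenames, database="passwords.kdbx"):
    """Return (filename, timestamp, device prefix) for each conflict copy of
    `database` found in `filenames`, newest first."""
    stem, ext = database.rsplit(".", 1)
    found = []
    for name in filenames:
        m = CONFLICT_RE.match(name)
        if m and m["stem"] == stem and m["ext"] == ext:
            d, t = m["date"], m["time"]
            stamp = f"{d[:4]}-{d[4:6]}-{d[6:]}T{t[:2]}:{t[2:4]}:{t[4:]}"
            found.append((name, stamp, m["device"]))
    found.sort(key=lambda entry: entry[1], reverse=True)
    return found


# Constructed listing of a synced folder; the device prefixes are made up.
SAMPLE_LISTING = [
    "passwords.kdbx",
    "passwords.sync-conflict-20240312-081533-ABCDEFG.kdbx",
    "passwords.sync-conflict-20240103-221901-HIJKLMN.kdbx",
    "notes.sync-conflict-20240312-081533-ABCDEFG.txt",
    "notes.txt",
    ".stfolder",
]


def report(listing=SAMPLE_LISTING, database="passwords.kdbx"):
    """Print what needs attention and return the conflict copies found."""
    copies = conflict_copies(listing, database)
    if not copies:
        print(f"no conflict copies of {database}")
    for name, stamp, device in copies:
        print(f"{stamp} lost on {device}: {name} -> merge into {database}, then delete")
    return copies


if __name__ == "__main__":
    report()
```

Run it over `os.listdir()` of the synced folder on any one device. For each copy it reports, open the main database in KeepassXC, use Database > Merge From Database… on the conflict copy to pull in whatever changed on the losing device, and only then delete the copy so it stops syncing around.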

And the KeepassXC database format is flexible enough that I have the option to store basically anything that’s a file. I can create custom fields where the typical “username and password” fields don’t quite fit the bill, and can attach scans of documents where that might make sense.

Summarizing: This setup is a huge initial investment, but it feels like one of the most secure possible methods of doing password management while keeping you in the driver’s seat.

(7/7)