How I Manage Passwords with KeePass
25 Mar 2017
Several weeks ago, I wrote a blog post about how horrible it is to have to deal with the various password restrictions websites use. Of course, that post was influenced by Jeff Atwood’s post, Password Rules are Bullshit. While writing the post, I did some research on what makes a good password. And after writing it, I spent several weeks thinking about my own password management strategies.
July 2020 Update
I wrote this blog post back in 2017, and a little bit has changed since then! I used to manage my passwords with KeePass, but more recently I've been using Bitwarden. My reasoning for using a password manager (described below) is largely unchanged – I simply like Bitwarden better than KeePassXC now. You can read my comparison between Bitwarden and KeePassXC here.
Really, the password problem boils down to this:
- The longer a password is, the more secure it is. Ideally 16 characters or longer.
- Don’t use the same password on different websites.
- A password must conform to the rules of the website it’s used for (length limits, character requirements, etc).
- Oh, and humans can’t remember 20 different passwords that change every 6 months.
In a world where I have accounts on dozens of different websites that I’m actively using, a password manager really is the only good solution (other than Sign In with Google) anyone’s come up with so far. Although I’ve spent years avoiding any kind of password manager (putting all your passwords in one place just seems like a bad idea; it is a single point of failure, after all), I think I’m finally giving in. Sigh. (Really though, if you do it right, the benefits outweigh the risks.) After researching the different password manager options available, I settled on KeePass because:
- It’s open-source.
- It doesn’t rely on browser extensions (which appear to be relatively vulnerable).
- It works on pretty much anything (I need something that supports both Linux and Android).
- It can sync via Dropbox.
- It can generate pseudo-random passwords.
- It stores passwords in an encrypted file, in an open format, that I own & control.
- It’s free.
I put some thought into getting everything set up nicely, and tried out a couple of different applications. KeePass is open source, and there are several different options for most platforms listed on its download page. Here’s what I’m using:
- KeePassXC has a much nicer interface on Linux than the original KeePass (and reads/writes the same file format).
- Keepass2Android has a really rich feature set (including fingerprint unlock) and syncs to Dropbox.
- Dropbox to sync.
To get started, I installed KeePassXC on my computer and created a new password database file in my Dropbox folder. I’m adding passwords to it (and changing them to new, pseudo-random passwords) as I visit the websites I use. After a couple weeks of this, most of my passwords will be in KeePass!
That one website that requires your password to be 12-14 characters with at least one letter and one number but no symbols? Handled. Somebody got hacked? OK, just generate a new password. Nothing new to remember. Password strength? 24 characters of pseudo-random letters and symbols, where websites allow it. New password every 6 months? Not a big deal. I think this is going to work well.