How I store my passwords

People around me sometimes get their accounts stolen because of weak passwords, lack of two-factor authentication and whatnot. I use KeePassXC and Syncthing to create strong passwords, store them more securely and also sync them across my laptop and phone. Let me talk about these two tools and give you some tips on how to keep your accounts secure on the internet.

KeePassXC and Syncthing logo.

What is KeePassXC?

It’s a free (as in freedom) and open source password manager for Windows, Mac and GNU/Linux. Its homepage can be found here. It’s a really handy tool for two main reasons:

It’s only a local file

When you create a database for your usernames and passwords, it generates a .kdbx file. New databases now use Argon2 by default to derive the encryption key from your master password; Argon2 is a secure, modern and widely-used key derivation function. You only have to remember a (preferably also really strong) master password. The general rules for passwords apply, so a master password of 20-30 characters containing lower- and uppercase letters, numbers and symbols should be strong enough. Don’t use the master password you chose for the KeePass database anywhere else.
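As an added illustration of that rule of thumb (example code written for this post, not KeePassXC’s own generator), the script below draws a password from the OS CSPRNG the way a generator should and computes how many bits of entropy a given length over those four character classes actually buys you:

```python
import math
import secrets
import string

# The four character classes behind the rule of thumb above.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def alphabet(classes=CLASSES) -> str:
    """Union of all character classes (94 symbols for the default set)."""
    return "".join(classes.values())


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def has_every_class(password: str, classes=CLASSES) -> bool:
    """True when at least one character from every class is present."""
    return all(any(c in chars for c in password) for chars in classes.values())


def generate_password(length: int = 24, classes=CLASSES) -> str:
    """Uniformly random password over the union of the classes.

    secrets.choice uses the OS CSPRNG (random.choice would not be suitable).
    Candidates missing a class are rejected and redrawn; at 20+ characters
    this rejects so few candidates that the entropy estimate barely changes.
    """
    if length < len(classes):
        raise ValueError("length too short to contain every character class")
    chars = alphabet(classes)
    while True:
        candidate = "".join(secrets.choice(chars) for _ in range(length))
        if has_every_class(candidate, classes):
            return candidate


if __name__ == "__main__":
    size = len(alphabet())
    for n in (20, 30):
        print(f"{n} chars over {size} symbols: {entropy_bits(n, size):.1f} bits")
    print("sample:", generate_password(24))
```

A 20-character password over all four classes comes out at roughly 131 bits, far beyond what any offline guessing attack can cover, which is why the length matters more than clever substitutions.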

This way, the database is only on your computer and on the devices you manually transfer that file to. There’s no registering with a third-party service on the internet; you basically eliminate the risk of being caught up in a security incident at one of those password manager services. Not long ago, there was an incident over at LastPass that could have leaked your password hashes too. It might happen again with other services. It’s best to keep your credentials safe in a local database.

It has a browser extension to autofill your passwords

My tip is to ditch your browser’s save-password function, because in any browser the saved passwords can be exported into a single CSV file that stores the credentials in plaintext. Anyone with physical access to your computer (say, you left it alone in a library while getting a cup of coffee) can steal your passwords in an instant.

I’ve already talked about the KeePassXC browser extension in a previous post. In short, if you install that extension, open your database and enable browser integration in KeePassXC’s settings, you can access/update/autofill your credentials just as easily as you would with your browser’s built-in password storage. I think it’s really handy.

Other reasons to use KeePassXC (in no particular order of importance):

  • The ability to use TOTP codes (in oversimplified terms: what Google/Microsoft Authenticator or Aegis give you) without needing a separate app (although it’s a safe practice to keep those TOTP entries in a separate database, so the two-factor nature of the authentication method is kept intact).
  • It lets you use a randomly generated, unique password everywhere, so if one password gets leaked in a data breach at some company, your other accounts stay safe. You can generate those passwords with KeePassXC’s built-in generator, so every single password you use is strong. I don’t even know my passwords for the majority of the services I use online; KeePass remembers them for me, and they would be impossible to remember anyway.
  • A .kdbx file can be read with any other KeePass-compatible application (like KeePassDX for Android).

What about Syncthing?

Syncthing is a file synchronization software that runs on basically any operating system. I use it to sync some of my pictures and my KeePass-databases between my laptop and phone. For an easily understandable guide on how to configure it, check out the official getting started guide.

Verdict

With the combination of these two very handy tools, I have minimized my chances of being a victim of account theft. Both are free to use, but require some configuration. In return, I don’t have to pay for the premium plans of garbage-tier centralized password safe services like LastPass.

I know though that I’m still not 100% secure against any and all attacks (as that is impossible to achieve), but I have full control over my credentials with this method. Against the other kinds of attacks, I rely on my knowledge of general internet security. As I always say to my friends:

Common sense is the best antivirus; you don’t need anything more.

I hope this little introduction helped you in keeping your accounts secure. If this post helped you or if you have any questions, leave a comment below. See you soon!