How to: set up a sane and future-proof password and secrets management system
Listening on various podcasts to all the issues and problems besetting popular 'password managers' (not least their creators selling up and handing the software over to 'big tech', the juggling of compatibility with the various desktop and mobile browsers, and the navigating of new methods of ID and 'web 3.0'), I was struck that my chosen system is still the best way forward.
For me, anyway, if not perhaps for 'normobs'. I'm a firm believer in keeping things simple. And also in using 'open source' software where possible, as it avoids commercial outfits trying to shoehorn in extra features that 'make them money'.
So. Here's what I've done since 2010 - and have set up for my family and friends. No need to have a piece of software from the exact same company that runs on every platform, no need to juggle syncing between devices. You just have one 'encrypted blob of data' in the cloud. I keep it in Google Drive, but it could equally well be Microsoft's OneDrive or similar.
In this, I keep all my (currently over 900 different) passwords, all my secret reference information, everything I don't want outsiders to ever see, and all I have to remember is the one master password for the 'encrypted blob'.
KeePass is the encryption system I use, see here for more on this. My 'blob' is in a folder on my Google Drive, to ensure that it's available whatever I'm using and wherever I am. Developers have built applications for Mac, Windows, Android, and iOS (and more), often free or shareware - and as long as the platform in question gives access to Google Drive (usually including an offline mirror of the encrypted blob) then the appropriate client lets me see and edit all my passwords and secret information.
The clients also handle the updating of the 'blob', so if I make a change in (e.g.) KeePassium on the iPhone, Keepass2Android on any of my Android phones, or Strongbox on the Mac (etc., you get the idea), then the software auto-merges the change into the master blob in the cloud.
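As an added example (not code from the original post, nor from KeePass or any of the clients named above), here is a Python check of the KDBX 'blob' the clients share: it reads the version, cipher and key-derivation function from the unencrypted outer header and, for KDBX 4, verifies the SHA-256 that follows the header, so you can confirm that what sits in the cloud folder is an encrypted KeePass database of the expected vintage without the master password. The sample header is constructed inline; the cipher and KDF identifiers are the UUIDs KeePass publishes for those algorithms.

```python
import hashlib
import struct

u = bytes.fromhex
SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67          # KDBX 2.x magic (KeePass 2 databases)
CIPHERS = {u("31C1F2E6BF714350BE5805216AFC5AFF"): "AES-256-CBC",
           u("D6038A2B8B6F4CB5A524339A31DBB59A"): "ChaCha20"}
KDFS = {u("C9D9F39A628A4460BF740D08C18A4FEA"): "AES-KDF", u("EF636DDF8C29444B91F7A9A403E30A0C"): "Argon2d",
        u("9E298B1956DB4773B23DFC3EC6F0A1E6"): "Argon2id"}

def kdf_uuid(vdict: bytes) -> bytes:
    """Return the $UUID entry of a KDBX4 VariantDictionary (header field 11)."""
    pos = 2                                   # skip the uint16 dictionary version
    while vdict[pos] != 0:                    # a 0x00 type byte ends the dictionary
        klen, = struct.unpack_from("<I", vdict, pos + 1)
        key, pos = vdict[pos + 5:pos + 5 + klen], pos + 5 + klen
        vlen, = struct.unpack_from("<I", vdict, pos)
        val, pos = vdict[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        if key == b"$UUID":
            return val
    raise ValueError("KDF parameters carry no $UUID")

def inspect_kdbx(blob: bytes) -> dict:
    """Parse the plaintext outer header; for KDBX4 also verify the SHA-256 stored after it."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX 2.x database")
    size_fmt = "<I" if major >= 4 else "<H"   # field length grew from uint16 to uint32 in KDBX4
    pos, fields, fid = 12, {}, None
    while fid != 0:                           # field id 0 is the end-of-header marker
        fid, (size,) = blob[pos], struct.unpack_from(size_fmt, blob, pos + 1)
        pos += 1 + struct.calcsize(size_fmt)
        fields[fid], pos = blob[pos:pos + size], pos + size
    info = {"version": f"{major}.{minor}",
            "cipher": CIPHERS.get(fields.get(2), "unknown"),
            "kdf": KDFS.get(kdf_uuid(fields[11]), "unknown") if major >= 4 else "AES-KDF",
            "authenticated_header": major >= 4}   # KDBX3 has no header MAC at all
    if major >= 4:
        info["header_hash_ok"] = hashlib.sha256(blob[:pos]).digest() == blob[pos:pos + 32]
    return info

def sample_blob() -> bytes:
    """Constructed KDBX 4.0 header for this demo (not a real database); the body is dummy bytes."""
    field = lambda fid, data: bytes([fid]) + struct.pack("<I", len(data)) + data
    kdf = (b"\x00\x01\x42" + struct.pack("<I", 5) + b"$UUID" + struct.pack("<I", 16)
           + u("EF636DDF8C29444B91F7A9A403E30A0C") + b"\x00")
    header = (struct.pack("<IIHH", SIG1, SIG2, 0, 4) + field(2, u("31C1F2E6BF714350BE5805216AFC5AFF"))
              + field(3, struct.pack("<I", 1)) + field(4, b"\x11" * 32) + field(7, b"\x22" * 16)
              + field(11, kdf) + field(0, b"\r\n\r\n"))
    return header + hashlib.sha256(header).digest() + b"\x00" * 32 + b"dummy-ciphertext"
```

Point `inspect_kdbx(open("Passwords.kdbx", "rb").read())` at the offline mirror of your own blob; a KDBX 3.x result means the header has no MAC at all, and even in KDBX 4 the SHA-256 only catches corruption, since deliberate tampering is what the HMAC that follows it (needing the master key) exists to detect.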
[Example screenshot from (here) Strongbox, one of the several KeePass clients on the Mac]
It's at this point that you point out that these KeePass clients don't leap in to auto-insert passwords in the way that the likes of LastPass and Bitwarden do. This is, on the whole, true, but I'd argue that:
- I'd rather have a rock-solid cloud-based solution that's not dependent on some commercial company that can be bought out and radically changed.
- Each of the clients does allow for one-tap/click copying of relevant passwords or information, ready for similar one-tap/click pasting into a password field on a site, for example.
- The very act of looking up details for a site or system acts as a refresher in what a password is, so that it burns itself just a little bit into your brain. So if all else fails and you're somewhere strange, at an unfamiliar computer with your phone lost, you'll still have a fighting chance of logging into something. If, like me, you set passwords based on a site's function, then this is actually practical. So, for example, KeePassium is reminding me that my password for SeeTickets.com is 'SeeHarryStyles22'. [OK, so it's not really, but that's the sort of system I use when making up passwords.]
It's also true that some of the KeePass clients for various platforms do have shareware-style fees, usually for extra features, but for most people it should be enough to get going completely for free, and then build up extra clients and platforms as needed.
The very fact that I've had to write 1000 words explaining my system tells you that it's slightly 'home brewed', but it's worked for me for years and I'm pretty confident that nothing major is going to shake any of this for the next decade.
There's something to be said for stability!!