When “civilians” ask me what the most important thing they can do to protect the security of their home computers is, I always answer the same way – make sure you patch, and do so automatically! However, now that Windows 10 finally defaults to this behaviour (and Microsoft seems to be taking security much more seriously these days), my next favourite recommendation is that people invest some energy in a password vault.
For the uninitiated, a password vault is a piece of software that stores the passwords you use on various services and encrypts them under a single master password so that they stay safe. “Since I use password123 as the password for all of the sites I visit, why would I need that?”, you might be saying. Arrrrggggghhhh!!!!
You should use a unique, long, complex and randomly-generated password for every site you visit! How can anyone who is not superhuman do that? Well, it’s a bit circular, but see above – a password vault. The good ones will even generate passwords for you and give you a health report on the ones you store, flagging any that are too short, re-used, and so on.
Ah, but my fellow paranoids might be thinking that this puts all of your eggs in one basket. And if you store them in the cloud (someone else’s computer), then OMG! Doomsday scenario! Well, I have a plan for that (no, I’m not secretly Elizabeth Warren)! Go fully self-hosted with it!
So, how do I recommend setting things up? First things first, you need a place to store the password file. You could keep it on your local hard drive, but that makes it difficult to use across your multiple devices (almost everyone has a smartphone these days, and you want to be as secure on that device as you are on your home computer). As I always recommend, put that file on a server in a country that has strong privacy laws and isn’t part of the dreaded Fourteen Eyes. Switzerland is a good choice, and there are Swiss-owned VPS providers who will give you a small virtual server for a reasonable monthly fee.
I recommend the open source project “NextCloud” as a good self-hosted service to run for this purpose. It is incredibly flexible and has a very active community around it creating all sorts of plugins, etc. You can buy space on a public NextCloud server, but that would defeat the whole purpose of controlling the server yourself and putting it in a country that is safer. There is a great tutorial on DigitalOcean for setting up NextCloud on an Ubuntu LTS release that I’d recommend you reference. While you are at it, take a look at their “initial Ubuntu server setup” guide for some other security recommendations. Add a Let’s Encrypt certificate with automatic renewal and you have a pretty decent platform for storing your files.
OK. There are two ways you can get your password file to and from the server. You can either access it directly on your NextCloud server using WebDAV, or you can install the NextCloud desktop client software (available for pretty much every operating system) to sync a local folder with a folder on your NextCloud server. Typically I use the sync solution for desktops/laptops and the WebDAV solution for my mobile devices.
Now you have a place to store files, but what file are you going to store there? More specifically, what password vault software do I recommend if you want to go the self-hosted route? Well, I really, really, really like KeePassXC as my password vault software and file format of choice. It’s well-written, free and open source – what isn’t there to love about it!
To set it up, install the software on your desktop/laptop and create a new password database in the directory you are syncing to NextCloud. Make sure you pick a complex, random, long master password for the vault that you can remember without writing it down. If you want to get even more secure, check out the YubiKey challenge-response option: the key’s response becomes part of the key material that unlocks the database, so the file cannot be opened without both the master password and the physical key. You can also set up the browser extension if you want the convenience, but keep in mind it does increase your attack surface, so you might just want to go old school and copy/paste credentials from the KeePassXC client.
For Android and iOS, I use the app “Strongbox” and, as I mentioned above, use WebDAV over HTTPS to read and write the file from my NextCloud server. The end result is that I have a single, secure password file that, even if my NextCloud server is compromised, is encrypted and would be a nightmare to try and hack your way into given the length, complexity and randomness of my master password.
KeePassXC has some really nice features you probably want to start leveraging right away. It has a great random password generator, so you can create crazy-complex passwords that are unique for each service you use. In addition, it has a “Health Check” report that you can run over your stable of credentials to make sure you aren’t re-using any of them and don’t have any that are too short or not complex enough.
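As an added illustration of what those two features do under the hood (this is my own example, not KeePassXC’s code; KeePassXC itself rates strength with the zxcvbn estimator, which also catches dictionary words and patterns), here is a generator that draws from the OS random source and a tiny health check that flags re-use, short length and low entropy across a constructed set of entries. The entry names and passwords in the demo are made up, and the 16-character / 80-bit thresholds are my own choices.

```python
"""Random password generation and a minimal vault health check.

Added example for this post, not the post author's or KeePassXC's code.
The thresholds (16 chars, 80 bits) and the sample entries are assumptions.
"""
import math
import secrets
import string

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def generate_password(length: int = 24, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Uniformly random password from `alphabet` using the OS CSPRNG (secrets)."""
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generator_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound estimate from the character classes the password uses.

    A real estimator (zxcvbn) would score 'password123' far lower because it
    recognises the dictionary word; this only measures the brute-force space.
    """
    pool = sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def health_report(entries: dict[str, str], min_length: int = 16, min_bits: float = 80.0) -> list[tuple[str, str]]:
    """Return sorted (entry name, problem) pairs for re-used, short or weak passwords."""
    findings: list[tuple[str, str]] = []

    users_of: dict[str, list[str]] = {}
    for name, pw in entries.items():
        users_of.setdefault(pw, []).append(name)
    for names in users_of.values():
        if len(names) > 1:  # the same secret guarding several services
            findings.extend((name, f"reused across {len(names)} entries") for name in names)

    for name, pw in entries.items():
        if len(pw) < min_length:
            findings.append((name, f"too short ({len(pw)} < {min_length})"))
        elif (bits := estimate_entropy_bits(pw)) < min_bits:
            findings.append((name, f"low entropy ({bits:.0f} bits < {min_bits:.0f})"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed demo vault: two shared weak passwords, one lowercase-only, one generated.
    demo = {
        "bank": "password123",
        "email": "password123",
        "wifi": "abcdefghijklmnop",
        "vpn": generate_password(24),
    }
    print(f"generator: {generator_entropy_bits(24, len(DEFAULT_ALPHABET)):.1f} bits per 24-char password")
    for name, problem in health_report(demo):
        print(f"{name}: {problem}")
```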
In addition, there is an integration with “HaveIBeenPwned” that lets you check whether any of the passwords you use have been exposed in a data breach. It uses the service’s k-anonymity range API: KeePassXC computes a SHA-1 hash of each password locally and sends only the first five hex characters of that hash; the service returns every known hash suffix with that prefix, and the comparison happens on your machine. The full password, and even its full hash, never leave your computer, so your risk is minimal other than your IP address being exposed to the service. All in all, I trust the author of the service and think it’s a great thing to do periodically.
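The exchange described above, as an added example that is not KeePassXC’s code or the post author’s: the lookup is written so the network fetch is a pluggable function, and the demo feeds it a constructed range response (the count shown is made up, though the SHA-1 of the string `password` is real) so it runs offline and you can see exactly which five characters would go over the wire. The `User-Agent` string is an assumption; the `Add-Padding: true` header is a real option of the range API that pads responses so their size doesn’t leak which prefix was queried.

```python
"""Have I Been Pwned password check via the k-anonymity range API.

Added example for this post; not code from KeePassXC or the post author.
The offline fixture below is constructed (the breach count is invented).
"""
import hashlib
import urllib.request
from collections.abc import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
USER_AGENT = "example-vault-check/1.0"  # assumption for the example


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """First 5 hex chars are sent to HIBP; the remaining 35 stay local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Range responses are lines of 'SUFFIX:COUNT'."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in HIBP (0 if not found).

    Only the 5-char prefix reaches `fetch_range`; matching happens locally.
    """
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Real lookup against the HIBP API (not used by the offline demo)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix)
    req.add_header("User-Agent", USER_AGENT)
    req.add_header("Add-Padding", "true")  # pad response size; padded lines have count 0
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


# Constructed fixture: SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so prefix 5BAA6 and suffix 1E4C9B93F3F0682250B6CF8331B7EE68FD8. Counts are invented.
FIXTURE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0000000000000000000000000000000ABCD:2\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the API so the example runs without network access."""
    return FIXTURE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(sha1_hex_upper(candidate))
        n = pwned_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: sent prefix {prefix}, seen {n} times in the fixture")
```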
Finally, I recommend taking a look at the security settings in your KeePassXC client or your Strongbox app. There are options to clear your clipboard after a few seconds and to lock the vault after a period of inactivity. That’s literally the first thing I turn on when I install either application, because it means a stolen or unattended device isn’t sitting there unlocked with the most sensitive thing you probably own wide open.
All in all, I hope you enjoyed this post. I really do think that password vaults are an incredibly important development in the field of cybersecurity, and I would encourage everyone to use them, even if you want to go with a commercial one that you don’t have to self-host.
I also recommend pass/gopass as solid alternatives to KeePassXC if you like the command line (there are mobile apps and browser extensions for them too).