Managing passwords with KeePassX and Syncthing
Improve your operational security by moving to a locally-stored password generation and storage utility.
I’ve been trying to improve my digital operational security for the past three or four years, and this has included a lot of tutorial, forum, and Reddit browsing. The amount of information you can find on ways to keep yourself safe online is daunting, but one of the most challenging aspects of this effort is the separation of good advice from bad (and believe me, there’s a lot more of the bad than the good). I was really curious about what programs or strategies others were using, particularly when it came to their rationale. This might be “the way” to do it, but why is that so? “Because it just is” doesn’t count as an acceptable answer.
I therefore thought I would write up some basic tutorials about software I use, on the off chance that someone in need stumbles across them and finds them useful. You can sometimes find good explainers on Reddit when someone asks “What [thing] do you use?” I find them pretty informative, and I wanted to provide the same sort of utility here.
A note on password managers
The note here is to use one. Using strong passwords that are unique to everything with a distinct login is a major step towards improving your digital opsec. Recycling passwords across services can quickly get you into trouble, particularly if you’re unaware that you’ve been pwn3d by an adversary who will continue to leverage your vulnerability for an indeterminate amount of time. Furthermore, using strong passwords (and here I’m talking about strings of random alphanumeric characters salted with special characters) with high complexity reduces your vulnerability to dictionary and rainbow table attacks; basically, you want to do the opposite of this.
What I used before: LastPass
I jumped on the bandwagon and used LastPass, both because it was (and still is) pretty popular and because I liked the customizable options the end user had on security settings: whitelisting login from select countries; adjusting the number of rounds PBKDF2 hashing is conducted to generate login credentials; personal login/logout and two-factor authentication options. I felt like it was a decent menu. The browser plugins were also helpful, providing prompts for autofilling credentials and building a password generator into the autofill popup GUI. It was a nice touch.
It never really stopped being a good utility, even though I gave them up. They were hacked twice, in 2011 and 2015, but the nature of the 2015 breach and my confidence in the way LastPass handled password hashing led to a quick change of my master password … done. With the 2FA I had included from the beginning also enabled, I wasn’t worried about it too much.
What I use now: KeePassX and Syncthing
I’ve recently made the switch to using a local password manager, KeePassX. In reality this was a personal preference, in that for a while I’ve generally favored exercising more control over my data and the owners of that data; my assumption of that control has been incremental but steady. This was another step in that direction. I realized that I felt more comfortable storing my passwords on a local database that I could personally back up and retain, one that neither resided in cloud storage nor was secured by a third party. After trying out a few different managers, reading about security concerns, narrowing selections to include only open-source software, et cetera, I decided to go with KeePassX.
By way of providing a few additional notes: see this page for a decent introduction to installation and use, as well as this Ruby script for converting the LastPass .csv export file into the .xml file required by the KeePassX import function.
Once I decided on eschewing a cloud-based password manager for one stored locally, I realized that I’d need a way to provide password access while I was away from my main machine. Keeping them on a dedicated flashdrive seemed a little too risky for me (even if encrypted, I thought I would feel vulnerable if the drive was lost), and I didn’t want to sync them with something like Dropbox else I would return to “square one.” Using something like Syncthing would provide the best of both worlds.
Available through Synaptic (apt-get install syncthing), one can run it from the terminal (which you can initialize by just typing syncthing or nohup syncthing & if you wanted the daemon to persist after closing the terminal–not something I would recommend following the whole “forgotten background processes can present security challenges” bit, and in which case I think you’d have to use ps ax | grep syncthing to find its PID and kill it). The web interface can be accessed at http://127.0.0.1:8384, or if you prefer an actual desktop GUI it can be installed with apt-get install syncthing-gtk. While I won’t be providing a configuration tutorial for it, resources can be easily found online. Web interface access can be HTTPS-enabled for entering Syncthing login credentials, and all traffic between associated machines is secured using TLS. I also like that it has a few different settings for versioning methods, which is important for a KeePassX database that you may want the freedom to update from your different machines. With Syncthing running, any upate made to a KeePassX database file will be propagated to the other associated machines and an older copy can be retained on those machines. I think this series of options makes for a powerful utility.
Verdict
I’m generally happy with this setup, and I have no major complaints (the only issue to date is that the Syncthing client can be a little flaky at times with establishing and maintaining connections to associated computers). I would recommend giving it a shot if you wanted to move from cloud-based password management to a solution that you locally controlled.