Remembering long complex passwords makes Password Management a must. Over the years we all tried the black notebook, remembering them in our head, using some sort of notes in our wallet, Word or Excel files. All of them lack being encrypted, portable, easy to manage and easy to use in daily life. In this post I write about my current solution, working on Windows and Android and, best of all, free of charge.
Since the end of the last decade I realised I had too many passwords written here and there, or even stored in non-encrypted mails. That is nowadays in no way safe enough. Then I sat down to study what the future brings us, and how we can make our everyday life smart in password management, without being charged monthly.
Like most other people in the modern world I have a lot of laptops and smartphones and am buying new ones now and then. So the requirement must be future proof, portable and non internet connected for the best safety. No clouds needed.
I tested Passbolt, Microsoft Authenticator, Google Authenticator and Bitwarden, among others, but they are not the solution for me. I ended up testing KeePass, which comes in different flavours, and for double verifying I ended up on FreeOTP and 2FAS AUTH. I very much like FreeOTP but my backup and restore fails so I stick with the latter.

Password Management on my Windows laptop
I use the KeePass Password Safe PORTABLE version. This gives me the freedom to run it on whatever machine I use, directly from a USB-stick or copied to a folder. I can use it even on a company PC, locked with group edit, without the possibility to install any software.
It also gives full management and easy viewing and generation of very long complex passwords for each login.
The data file is highly encrypted using Advanced Encryption Standard (AES / Rijndael) 256 bits and is portable.
The only disadvantage is that it is not fully integrated into the browsers' login and password pages directly, but a smart extension in Firefox, Opera, Edge and other browsers fixes this. Search in the browser extensions for “KeePassHelper Password Manager”. It's a smart add-on that takes 5 minutes to set up: you will need a plug-in in KeePass called keepasshttp to do the service. This plug-in is not updated for version 2.x so you might see a warning at first launch. So far I got no troubles with that.
KeePass also comes in a sort of forked version named KeePassXC. Some find the design more modern, and it works completely integrated in the Firefox browser among others, but it's not portable. It uses the same database type of files so you can easily move the data between your computers though.
Your master password should be printed and stored in a fire- and intrusion-hardened safe.
Google Android Smartphones setup for passwords
On my Samsung smartphone I have tested several password management tools and for over a year I have been very pleased with KeePassDX. It has never let me down and has very good help instructions, and even though the Samsung xCover 5 is among the first generation of biometrics safety that does not work 100%, KeePassDX has a very good workaround and makes it work like a charm.
Just switch on the autofill option and Magikeyboard so it flows nearly automatically.

Two-Factor (2FA) / Multi Factor (MFA)
For my two-factor authenticator I use the 2FAS Auth app on my smartphone. I harden it with an extra PIN in settings and a long password when I do a backup.
Backups are never stored in any cloud. They are with me only: on the main smartphone, a spare one and 3 media like USB-sticks in a safe, just in case disaster strikes. If you run your own company or are in charge you should frequently have a backup stored in remote places.
To add a new 2FAS you simply open the app, press add new, then accept the camera for this time use only, point it at the QR-code, and you're done!
It is very good practice to verify the new Time-based One-Time Password (TOTP code) by entering it on the site you supply.

Make sure two-factor login is two-factor and not pseudo
You might find a widget or plug-in for the two-factor app to put in your browser. That makes your smartphone a server, and you are sending data over the Internet if it's on your laptop. In my opinion it makes it less secure, and the idea of two-factor is also semi-compromised this way. To keep it real two-factor the login should not be from your smartphone browser and on something external. It's a balance of safety and convenience, and still much safer than not having it.
In daily operation I take the time to look at the 2FA-app on my smartphone and remember the six digits for a few seconds. It also keeps training my short-term memory, so fine with me.
I recommend you to use 2FA everywhere possible. In case your password should be stolen, hacked or in any other way become compromised, using two-factor minimises the risk down to nearly zero. Yes, studies say so.
The chance of getting knocked down as a person is possible but very small compared to all the millions of hackers around the world using bots (e-robots) and AI in order to hijack your account on a server.
Downloading password managers
Downloading any apps should not be from the homepages but from Google App Store or Microsoft Store. Then you are sure to get the right versions (beware of ghost and copy fake apps) and they are scanned for viruses as well.
Password Management in everyday use is easy
In everyday use I like to make it as smooth as possible. After some tests, I decided to use my laptop as a kind of master. Mostly because it's easy to write and copy / paste when you have hundreds of passwords to manage. Also, even for just a few sites and logins, you can make subgroups, tags and icons easily.
It will take you some time to collect all your notes from the black books and old documents, and you might also need to try over from scratch finding the structure that suits you and your family.
Distributing data to other items is easy: on my Local Area Network (LAN) via encrypted Wi-Fi, I use Total Commander to copy the master file. This way it's never on the unsafe Internet; on Samsung and other items I simply import it.
You may do a merge of data if you like, just remember to clean up.
Do I care about what the passwords are? Nope, and gone are the 123myname or 321mydogs name. But I need to remember a long passphrase for the data file only.
Password philosophy
- A good policy is to make a new long password now that you are updating them anyway.
- Long is at least 21 characters.
- Also use a different password for each account. A must nowadays, and your tools do this smartly.
- Change your passwords at least twice per year.
- Going even better: buy your own domain and make a catch-all email, then use the first part of the site you add as part of the login. This way you can easily spot when that specific company's database has been hacked, and you don’t compromise your other accounts. Example: people often use something like “yourname@google.com” as login account. Having your own domain it will look like: “foreigndomainname@youremaildomain”.
- For the master password make something long, like combining three random words to create a single memorable password (for example CupFishBiro).
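The rules in this list put together, as an added example that is not from the original post or from KeePass: a per-site alias on a catch-all domain, a random password of at least 21 characters, a three-word passphrase, and a helper to compare their entropy. All function names are hypothetical, the suffix heuristic is an assumption, and the word list is supplied by the caller.

```python
import math
import secrets
import string
from urllib.parse import urlparse

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}  # heuristic for co.uk etc.


def site_label(url):
    """First part of the site name, e.g. 'example-shop' for www.example-shop.com."""
    host = (urlparse(url).hostname or "").lower()
    labels = [p for p in host.split(".") if p and p != "www"]
    if not labels:
        raise ValueError("no host name in %r" % url)
    if len(labels) > 2 and labels[-2] in SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) > 1 else labels[0]


def random_password(length=21):
    """Password from the OS CSPRNG containing every character class."""
    if length < 21:
        raise ValueError("shorter than the 21-character minimum")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def passphrase(words, count=3):
    """`count` words drawn independently and uniformly from `words`."""
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def entropy_bits(choices, picks):
    """Entropy in bits of `picks` uniform draws from `choices` options."""
    return picks * math.log2(choices)


def new_login(url, catch_all_domain):
    """Per-site alias on the catch-all domain plus a fresh unique password."""
    return "%s@%s" % (site_label(url), catch_all_domain), random_password()
```

With a 7776-word Diceware-style list (an assumption; the post names no list), `entropy_bits(7776, 3)` is about 39 bits, against about 138 bits for `entropy_bits(94, 21)`.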
Cloud based password
Do I like some cloud based password managers, you ask:
- Number 1 choice: the Mozilla Firefox browser! It has an outstanding built-in password manager system. The only disadvantage is that you must use a domain at every entry, which makes it a no-go on your smartphone for Wi-Fi and most social media apps.
- Norton Password Manager
- Apple Passwords, iCloud Keychain, built into your gadget: from iOS 18, iPadOS 18, and macOS Sequoia.
- 2FAS PASS is not cloud based, but if you like to use it on Windows it actually sends data over the Internet using your smartphone as master, like Apple.
Don’t forget to give a beer to those spending hours doing programming for free 🍺
You should also read my post: 10 Easy tips for making Internet security effective on Windows 10/11, Android and Linux
Happy Password Management 🙂


