This reference is written for all skill levels. Password managers shouldn’t be complicated or scary, and everybody should be using one.

Do I really need a password manager?

Short answer

Yes.

Long(er) answer

Yes. These days, everyone should be using a password manager. The full reasoning behind why can get highly technical, but it should suffice to say that security researchers almost unanimously agree that passwords are too weak [citation needed].

What should a password manager do?

You should only have to remember one password ever again.

A password manager should, at a minimum, do the following things.

  • store your secrets (like passwords) in such a way that only you decide who has access to them.
  • make it easy to add and retrieve secrets. For example, being able to automatically fill in your username and password on a website is a standard feature of most managers.
  • keep your secrets synced between your various devices. When you change your email password, you should be able to retrieve it on your laptop, smartphone, and anywhere else you need it.

In order for a password manager to be effective, you must rely on it completely. Keep EVERY password within the manager. Make every password on every website you visit as random as possible.

All of your passwords will look like VmQ';Zzd?7[3k}"? and r9AK>6oHVVTuC_$[. You should only remember one password - the master password that unlocks your manager.

What is KeePass, and why is it better?

There are a LOT of password managers out there. You may have heard of…

A more complete list can be found on Wikipedia. The password managers you’ve probably heard of have problems. Some of them have been hacked before. Most of them use proprietary (read: unverifiable, and therefore untrustworthy) methods to store your passwords, which means you have to take the vendor’s word that they are secure.

KeePass is DIFFERENT

KeePass isn’t a “cloud” service. It isn’t proprietary. At the core, KeePass is an Open Source specification for data storage that relies on mathematically proven strong encryption.

Here are a few things to know about using KeePass.

  • Your secrets are stored in an encrypted file. It’s just like any other file; you can put it on a flash drive, send it in email, or make backup copies in Dropbox.
  • Because the structure of this file follows a publicly published format, anyone can write a program that reads and understands your secrets, but ONLY if you divulge your master key. This is GREAT because security researchers and programmers and even hackers can all study how these files and programs work. Mistakes and vulnerabilities can’t be covered up or ignored.
  • Your master key can be
    • a password
    • another file, called a keyfile
    • both
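As an added illustration (not KeePass’s own code), the sketch below shows how the three master-key options above combine into a single key. It is modelled on KeePass’s composite-key construction (SHA-256 over the concatenated components) but is a simplification: the real KDBX format also runs a slow key-transformation step afterwards, and the keyfile handling here is an assumed approximation.

```python
import hashlib
from typing import Optional


def keyfile_key(data: bytes) -> bytes:
    """Reduce keyfile contents to 32 key bytes.

    Assumed approximation of KeePass behaviour: a 32-byte file is used
    as-is, a 64-character hex file is decoded, anything else is hashed.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except ValueError:  # not hex text; fall through to hashing
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str] = None,
                  keyfile: Optional[bytes] = None) -> bytes:
    """Combine whichever master-key parts the user chose into one key.

    Every component feeds the final hash, so a wrong password OR a
    missing/altered keyfile yields a completely different key, and the
    database cannot be opened.
    """
    if password is None and keyfile is None:
        raise ValueError("at least one master key component is required")
    parts = b""
    if password is not None:
        # The password itself is hashed first, then concatenated.
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += keyfile_key(keyfile)
    return hashlib.sha256(parts).digest()


if __name__ == "__main__":
    # Constructed sample inputs, not real secrets.
    kf = bytes(range(32))
    print("password only :", composite_key("correct horse").hex())
    print("keyfile only  :", composite_key(keyfile=kf).hex())
    print("both          :", composite_key("correct horse", kf).hex())
```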

Caveat

In order for KeePass to keep your passwords synced between your phone, laptop, etc., you will need to use a file syncing tool like Dropbox or Google Drive. This is OK because even if Dropbox gets hacked or an evil employee wants all your passwords, they are protected by encryption using a master key you never shared. Setup instructions for this can be found below.

How to use KeePass

Please follow the instructions for the section that applies to you.

All Platforms (Everyone)

  1. Create a Dropbox account at Dropbox.com *

* You can use whatever cloud sync provider you like, but this tutorial will use Dropbox as the example. This is because Dropbox is widely supported as the sync provider on every platform that runs KeePass, and it is also well trusted by the security community [citation needed].

Windows

  1. Download and Install Dropbox for Windows.
     a. Remember the location you chose for the Dropbox folder.
  2. Download and Install KeePassXC for Windows (choose “installer”)
  3. Create a new KeePass database by running the newly installed KeePassXC program.
  4. Choose the location for the file to be the Dropbox folder.

MacOS

  1. Download and install Dropbox for MacOS.
     a. Remember the location you chose for the Dropbox folder.
  2. Download and Install KeePassXC for MacOS (choose “binary bundle”)
  3. Create a new KeePass database by running the newly installed KeePassXC program, which will be in your applications folder.
  4. Choose the location for the file to be the Dropbox folder.

iOS

  1. Install Dropbox from the App Store.
  2. Install KeePass Touch from the App Store.
  3. Open KeePass Touch
This article is a work in progress.
Problems? Fact checks? Please open an issue and reference this post
https://github.com/subdavis/blog/issues