Friday, April 7, 2017

Host Your Own Cross-Platform Password Manager With KeePass [XDA Spotlight]

If you’re signed up for a bunch of different online websites and services, then you likely juggle a ton of different passwords. It’s commonly known that reusing the same password across multiple accounts is significantly less secure than choosing a different password for each, since a breach at one site then unlocks all of the others. Unfortunately, with this variety and increased security comes the burden of memory, which is precisely why password manager applications have grown in popularity over the years. There are many cross-platform, cloud-based password-storing solutions today, but few can boast the security of a personally hosted password database on an open-source base, as KeePass can. And it’s totally free.

A popular open-source password manager originally made for Windows, KeePass has many variants which facilitate its cross-platform abilities, all of which read the encrypted .kdb (KeePass 1.x) or .kdbx (KeePass 2.x) database formats. KeePass2Android is a free application which brings KeePass’ core features to the Android world, chief among them the ability to privately host your own password database on your own computer or server.


KeePass Features and Setup

While KeePass was originally made for Windows, Mac/Linux users can download KeePassX for the same functionality. To see a full list of KeePass variants, visit the official website.

Just like other password-keeping programs, KeePass and its variants have certain requisite features. AES-256 encryption of the database, multi-factor unlock options, password generation, fingerprint unlock (in KeePass2Android), and cross-platform support are among these central functions. Multi-factor unlock is achieved through the use of “key files”, which can be created from almost any file. Either select a file of your choice during database setup or let KeePass generate one: a generated key file is written with the .key extension, while an existing file is used as-is and is never modified. In both cases the key file works in combination with your password, not in place of it, and the database only opens when both are supplied, so a key file made from an existing file must never be edited or re-saved afterwards, since any change to its contents changes the key. This feature, coupled with the user’s ability to host an encrypted database on their own PC, server, or cloud storage service, is what sets KeePass programs apart.

Hosting the database on a cloud storage platform is as simple as downloading KeePass (or a variant) on a PC or Mac, creating a new password database, and saving the database to any cloud storage of your choice. The same can be done for key files, though keeping the key file in the same account as the database means that whoever compromises that account obtains both. Now an app such as KeePass2Android on your Android phone can access the most up-to-date password database and unlock it with both the password and the key file, so long as an Internet connection is available. Without an Internet connection, the app will show the most recent locally cached version of your database, and update the next time it goes online.

If you’d like to utilize your PC, Mac, or server as the database host, then you will have to install a program like FreeSSHD for Windows or enable the built-in SSH server in macOS. Both are quick setups, both are free, and both transfer the file over the SSH File Transfer Protocol (SFTP), so the database and your login credentials travel inside an encrypted SSH session. If you’re unfamiliar with how to set up SFTP on Windows, follow this link for a quick setup guide. For instructions tailored to Linux machines, visit this link. On Mac, simply open the “Sharing” pane in System Preferences and enable “Remote Login.” Once the SFTP server is set up, you may save your database and key file anywhere on the device that the SFTP account can read, and use KeePass2Android to access it via SFTP (or other protocols) when needed. Prefer key-based SSH authentication for that account over a password, and give it access only to the directory holding the database rather than your whole home directory.
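The following is an added example for the Linux/macOS case, not a script from the article or from the KeePass projects: it confines a dedicated SFTP account to one chrooted directory that holds only the database, using OpenSSH’s internal-sftp subsystem. It assumes an OpenSSH sshd on the host; the account name kpuser and the path /srv/keepass are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or from KeePass2Android: confine a
# dedicated SFTP account to one directory holding the .kdbx database, using
# OpenSSH's ChrootDirectory plus internal-sftp. Assumes an OpenSSH sshd on
# the host; "kpuser" and "/srv/keepass" below are placeholder names.

# Print the sshd_config Match block for USER, chrooted to CHROOT_DIR.
# Everything the account does not need (shells, forwarding, passwords) is off.
keepass_sftp_match_block() {
    user="$1"; chroot_dir="$2"
    printf '%s\n' \
        "Match User $user" \
        "    ChrootDirectory $chroot_dir" \
        "    ForceCommand internal-sftp -u 0077" \
        "    AllowTcpForwarding no" \
        "    AllowAgentForwarding no" \
        "    X11Forwarding no" \
        "    PermitTTY no" \
        "    PasswordAuthentication no"
}

# Lay out the chroot: sshd refuses the login unless the chroot root is owned
# by root and writable by nobody else, so the database lives in a "db"
# subdirectory that belongs to the SFTP user. chown runs only when we are
# root and the user exists, so the function is safe to dry-run unprivileged.
keepass_sftp_prepare_dir() {
    user="$1"; chroot_dir="$2"
    mkdir -p "$chroot_dir/db"
    chmod 755 "$chroot_dir"
    chmod 700 "$chroot_dir/db"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown root "$chroot_dir"
        chown "$user" "$chroot_dir/db"
    fi
}

# Full setup (requires root): prepare the directory, append the Match block
# to sshd_config and let sshd parse the result before anything is reloaded.
keepass_sftp_install() {
    user="$1"; chroot_dir="$2"; cfg="${3:-/etc/ssh/sshd_config}"
    keepass_sftp_prepare_dir "$user" "$chroot_dir"
    keepass_sftp_match_block "$user" "$chroot_dir" >> "$cfg"
    sshd -t -f "$cfg"   # non-zero exit: fix the config before reloading sshd
}

# Usage, as root:  keepass_sftp_install kpuser /srv/keepass && systemctl reload sshd
# Then point KeePass2Android at sftp://kpuser@host/db/passwords.kdbx; inside
# the chroot the account sees /db as its only writable directory.
```

Because the Match block is appended at the end of sshd_config, it does not disturb the global settings above it; the `sshd -t` check is there so a typo cannot lock you out of the host on the next reload.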

Auto-fill Lacking

While KeePass2Android does offer auto-fill features just as its desktop counterparts do, its recognition of websites is not yet reliable enough to offer passwords as fluidly as it should, though hopefully the Autofill Framework in Android O will solve this issue for all password manager apps once and for all. Once logged into the database and with it running in the background, the app should recognize websites for which the user possesses login credentials, and offer these from within the notification shade as illustrated below.

As it works right now, unfortunately, it requires a few steps more than simply swiping down the notification center and tapping your credentials. KeePass2Android includes a device keyboard which can be set as your default, or activated only when needed. If not set as the default keyboard, then the steps to “auto-fill” are as follows:

(When on a website asking for login credentials, and the database has been previously unlocked)

  1. Tap in the entry field and switch to the KeePass2Android keyboard (if not already the default)
  2. Hit the password-keeper button on the keyboard and tap “select entry”
  3. Select the relevant credentials in KeePass2Android (the app will auto-switch back to the website)
  4. Tap in the entry field again, the keyboard will come up, but only with the buttons “username” and “password”
  5. Tap the “username” button to fill the username field
  6. Tap the “password” button to fill the password field

Taken together, these steps are a minor inconvenience in the endeavor for security, but still an issue of fluidity which apps like LastPass have avoided. It is important to bear in mind the scale of the team behind a company like LastPass, which offers premium enterprise-level password-keeping solutions, versus the developer(s) behind KeePass2Android. This is especially important considering that this relatively easy-to-fix annoyance is the only feature LastPass truly has over KeePass2Android. That caveat aside, KeePass2Android is every bit as packed with features and functionality to fine-tune your preferred level of security, plus the added ability to utilize a key file and host your own password database.


A More Personal Alternative

Using KeePass2Android in tandem with KeePass or KeePassX is a breeze. A password added in either program shows up in the other as soon as the database file has synced, though KeePass2Android has to reload the database to pick up the change. Best of all, KeePass2Android gives you access to all of KeePass/X’s core features, as well as a few extras. Such features include: allowing users to create new databases, generate secure passwords, utilize “key files,” and access databases through FTP, SFTP, HTTP/S, local storage, and cloud storage, among others. Of those transports, prefer SFTP or HTTPS: the database file is encrypted either way, but plain FTP and HTTP send the account login itself in the clear.

There is one important note about using a key file, however. Though it certainly raises the level of security on your database, this additional factor is greatly diminished if the key file isn’t kept apart from the database, since an attacker who copies the database from a cloud account or a stolen device then gets the key file along with it and is back to guessing only your password. Ideally, the key file would reside on a USB flash drive, essentially creating a mobile, physical key to decrypt the user’s password database. This file can otherwise be stored in cloud storage, or anywhere on the device being used to access the database; its location is selected by the user when the database is opened.

Unfortunately, a key file that KeePass generates itself is written in a small XML format with the “.key” extension, an inconsequential detail when stored on a separate USB drive, but a dead giveaway when stored locally or on cloud storage, as is necessary for mobile devices. A key file made from an existing file of your own (a document or photo, say) keeps its original name and is far less conspicuous, with the caveat that it must never be edited, re-saved, or recompressed afterwards, since any change to its bytes changes the key. Technically, you could purchase a micro-USB or USB-C to full-size USB (USB-A) adapter and plug in your key file every time you need to access a password, but this is obviously quite impractical. However impractical this may be, it would offer a level of physical security that is hard to beat, and it is available as an option when using KeePass2Android.
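To make concrete what the key file paragraphs above (in “KeePass Features and Setup” and here) describe, the following is an added example written for this article, not code from KeePass or KeePass2Android. It implements the key-file rules KeePass 2.x documents (an XML key file of version 1.00, a raw 32-byte file, a 64-hex-character file, or the SHA-256 of any other file), writes the XML layout that a generated .key file uses, and combines a key file with the password into KeePass’s composite key. It stops there: the AES-KDF or Argon2 transform KeePass applies afterwards is deliberately left out, and the function names, the sample “photo” bytes and the passwords are constructed for the illustration.

```python
"""Illustration of how KeePass turns a password plus a key file into its
composite key. Added example, not code from KeePass or KeePass2Android;
it follows the key-file rules KeePass 2.x documents (XML key file
version 1.00, raw 32-byte file, 64-hex-character file, or SHA-256 of any
other file) and stops at the composite key. The AES-KDF / Argon2 transform
that KeePass applies afterwards is deliberately not shown.
"""
import base64
import binascii
import hashlib
import os
import xml.etree.ElementTree as ET
from typing import Optional


def _xml_key_file_data(data: bytes) -> Optional[bytes]:
    """Return the 32-byte key from a KeePass XML key file, or None if the
    bytes are not such a file. Key files are the user's own media; if you
    ever parse untrusted XML here, use defusedxml instead of ElementTree."""
    stripped = data.lstrip(b"\xef\xbb\xbf \t\r\n")   # drop BOM and whitespace
    if not stripped.startswith(b"<"):
        return None
    try:
        root = ET.fromstring(stripped)
    except ET.ParseError:
        return None
    if root.tag != "KeyFile":
        return None
    version = root.findtext("Meta/Version") or ""
    if not version.startswith("1."):       # only the 1.00 layout is handled
        raise ValueError("unsupported key file version %r" % version)
    b64 = root.findtext("Key/Data")
    if b64 is None:
        raise ValueError("KeyFile is missing its Key/Data element")
    key = base64.b64decode("".join(b64.split()))
    if len(key) != 32:
        raise ValueError("Key/Data must decode to exactly 32 bytes")
    return key


def key_file_key(data: bytes) -> bytes:
    """The 32 bytes a key file contributes, checked in KeePass's order:
    XML key file, then raw 32-byte key, then 64 hex characters, otherwise
    the SHA-256 of the whole file (which is why any byte change breaks it)."""
    xml_key = _xml_key_file_data(data)
    if xml_key is not None:
        return xml_key
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return binascii.unhexlify(data)
        except (binascii.Error, ValueError):
            pass
    return hashlib.sha256(data).digest()


def make_xml_key_file(key: bytes) -> bytes:
    """Write a 32-byte key in the XML layout (version 1.00) that KeePass
    uses for generated .key files; the <KeyFile> root is what makes such a
    file recognizable at a glance, whatever it is named."""
    if len(key) != 32:
        raise ValueError("key must be exactly 32 bytes")
    b64 = base64.b64encode(key).decode("ascii")
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<KeyFile>\n"
        "\t<Meta>\n\t\t<Version>1.00</Version>\n\t</Meta>\n"
        "\t<Key>\n\t\t<Data>" + b64 + "</Data>\n\t</Key>\n"
        "</KeyFile>\n"
    ).encode("utf-8")


def composite_key(password: Optional[str], key_file: Optional[bytes] = None) -> bytes:
    """SHA-256 over the concatenated key sources in KeePass's fixed order:
    SHA-256 of the UTF-8 password first, then the key-file contribution."""
    if password is None and key_file is None:
        raise ValueError("at least one key source is required")
    material = b""
    if password is not None:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += key_file_key(key_file)
    return hashlib.sha256(material).digest()


if __name__ == "__main__":
    # Constructed sample inputs: a generated .key file and a photo stand-in.
    generated = make_xml_key_file(os.urandom(32))
    photo = b"\xff\xd8\xff\xe0" + b"JFIF holiday snapshot, not a real image" * 4
    print("generated .key :", composite_key("correct horse", generated).hex())
    print("photo as key   :", composite_key("correct horse", photo).hex())
    print("password only  :", composite_key("correct horse").hex())
```

Two things the code makes visible that the prose only states: the XML layout is what gives a generated key file away, regardless of its extension, and a key file made from an ordinary document is nothing more than the SHA-256 of its bytes, so a sync client that re-encodes the file silently produces a different key.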


Conclusion

The combination of KeePass desktop clients and KeePass2Android gives users great password-storing functionality, while providing the best that password managers have to offer in terms of features and customization. This open-source setup ensures great cross-platform support as well as one of its most distinctive security features: seamless integration of personally hosted password databases. The option to store databases on more widely accessible cloud platforms such as OneDrive, Dropbox, and Google Drive rounds out its strengths in user-friendliness. The main complaint in this area is KeePass2Android’s failure to deliver a properly functional auto-fill, something we hope to see remedied in the near future with the release of Android O. With this fixed, though, the case to use any other password keeper becomes quite a tough one to build.


Are you using KeePass or one of its variants? What do you use for password keeping? Please share in the comments below!
