I’ve been asked fairly often, for decades, what I recommend for a password manager. For as long as I can remember, the quick answer is KeePass.
The longer answer is you should have three things in your checklist when picking a password manager, no matter when you’re reading this:
- Is it fully open source? If you can't look at all of the source code (to check there are no backdoors), don't trust it. If it's brand new and open source, it may still contain bugs and/or backdoors, so only use something that has been used by the masses for many years and/or has been audited by multiple independent third parties who were motivated to find issues.
- Are you the only person that can access the encrypted database of passwords if you use it?
- Is there a way for it to work seamlessly across your devices (desktop, tablet, phone, laptop, etc.)? I use a private Nextcloud instance for this.
If you’re using KeePass, you will have one master password. If your database is ever leaked or stolen, the attacker will try to guess or brute-force that password, so it should be at least hundreds of bits of entropy, or 5 diceware words.
To learn about entropy, and really nerd out on passwords, check out The Diceware Passphrase Home Page.
Once you have KeePass installed, any time a website or app prompts you to create a password, go to KeePass, click on the dice symbol, and make sure the generated password has at least 200 bits of entropy. I couldn’t tell you my password for any given website: my passwords are too long to remember and too long to hack. I only have to remember my KeePass password.
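To make the entropy numbers above concrete, here is an added example (not part of the original post or of KeePass) that computes the entropy of diceware passphrases and generator-style passwords, works out how many words or characters are needed to reach a target such as 200 bits, and generates both using the OS CSPRNG. The six-word list is a constructed stand-in for the real 7776-word Diceware list; the entropy figures only depend on the list size.

```python
import math
import secrets
import string

# Real Diceware list has 6^5 = 7776 words (one word per five dice rolls).
DICEWARE_LIST_SIZE = 7776
# Constructed stand-in word list for the demo; load the real list from file in practice.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "ledger"]
# KeePass-style generator alphabet: upper, lower, digits, punctuation (94 symbols).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)


def length_for_bits(pool_size: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def diceware_passphrase(words: list[str], n_words: int) -> str:
    """Pick n_words with secrets.choice (CSPRNG); never use random.choice for secrets."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def generated_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Random password of `length` characters drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # 5 diceware words is about 64.6 bits; 200 bits needs 16 words or 31 full-alphabet characters.
    print(f"5 diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
    print(f"words for 200 bits: {length_for_bits(DICEWARE_LIST_SIZE, 200)}")
    print(f"chars for 200 bits: {length_for_bits(len(FULL_ALPHABET), 200)}")
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS, 5))
    print("sample password:  ", generated_password(length_for_bits(len(FULL_ALPHABET), 200)))
```

Note that the diceware figure assumes every word is chosen uniformly at random; a phrase you pick yourself has far less entropy than the arithmetic suggests.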
As of writing this, I mostly use KeePassXC, and in my browser I use the KeePassXC-Web browser plugin, so I can just click on the plugin interface, which links to my KeePassXC instance, to securely retrieve my password for any given website.
If you want to get really extra, also check out the KeePass TOTP/2FA/MFA features with something like a YubiKey.