What is Keepass?
Keepass is a password manager that doesn’t include any native way to sync it across devices. But that also improves its security, since nobody will get their hands on your password database, even in its encrypted form. It’s also open source and free, and as of writing this, the EU has also invested a lot of money into a bug bounty program for it. There are also other clients than just the original C# implementation, and I personally prefer to use KeepassXC because it is better integrated into the Linux ecosystem.
Why use a password manager
Because it’s more convenient once you’ve got it set up. You only need to remember one password for pretty much anything, you can store the related emails and usernames in it, and have it autofill right into your browser.
Now if you actually care about security, then that’s of course a benefit of using a password manager also. Just automatically generate strong passwords, so that even if one of them gets leaked somehow the scope of the breach will be hugely limited due to no password re-use, which is almost bound to happen if you’re trying to keep all of your passwords in your memory only.
Synchronizing your database
Now you might just take the easy route and go with a cloud storage service such as Mega, Google Drive or Dropbox. But with all of those solutions, you’re basically handing off the database to those companies, even if it’s just the encrypted one. If we have an imaginary scenario, where someone did find a way to crack an encrypted Keepass database, and the company you used to sync wasn’t really that trustworthy, then you could be in a lot of trouble.
Now I agree that the scenario I mentioned is unlikely to ever happen. But there are other things to consider as well, such as cost, and whether the company you’re giving your data to does shady analytics about every single thing that they possibly can *cough* Google *cough*.
The main reason I avoid a hosted cloud service, though, is that I just want to be in total control of my own data. There are a few possible options that you could go for. One of them is making your own cloud storage, for example by setting up a small VPS with Nextcloud on it. Or even hosting it from home if your ISP is flexible and you can manage it.
With Syncthing, you don’t need to set up a server. Your devices just synchronize with each other whenever they are on the same LAN or connected to the internet. Syncthing is quite cross-platform, and it’s also fully open source.
Syncthing is mainly a command line tool. But for Windows users, command line tools can be frightening, so if you see yourself as a non-power user, you should rather just install SyncTrayzor.
Once you have it downloaded on your devices, you’re going to have to link them up using the IDs of the devices. Or if you have a phone client, you can probably just scan a QR code and be done with it. There are lots of neat features which are already well documented, such as the Introducer or Auto Accept features. Because they are so well documented, I’m going to skip telling you about them and instead tell you about the feature which I think is one of the most important ones, while not being really well executed. It’s the .stignore file.
Specifically, the following syntax: #include g.stignore. If you place that one line into an .stignore file, and also have a g.stignore file in the synced folder, you can basically sync your ignore patterns, since g.stignore is a regular file that gets synced while .stignore itself is not. That way you can, for example, outright exclude .log files (*.log), or some specific temporary files that are generated automatically.
The bad part of this is that you need to write #include g.stignore into the .stignore file on every new device.
But that’s still way better than having to rewrite the whole .stignore file on each device each time you want to update your ignored files.
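Since the include line has to be added by hand on every new device, here is a small POSIX shell helper (an added example, not part of the original post or of Syncthing) that does it idempotently for a given synced folder. It assumes the shared rule file is named g.stignore and sits at the root of the synced folder, and the starter patterns it writes are just constructed samples.

```shell
# ensure_stignore: make a Syncthing folder use the shared ignore list.
# Usage: ensure_stignore /path/to/synced/folder
ensure_stignore() {
    dir="$1"
    include_line='#include g.stignore'   # the one line the post says every device needs

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    # g.stignore is an ordinary file, so Syncthing syncs it like any other.
    # Only write a starter version if no device has produced one yet.
    if [ ! -f "$dir/g.stignore" ]; then
        printf '%s\n' '*.log' '*.tmp' > "$dir/g.stignore"   # constructed sample rules
    fi

    # .stignore itself is never synced, so the include line must be written
    # locally. grep -qxF: quiet, whole-line, literal match, so a second run
    # does not append a duplicate line.
    if [ -f "$dir/.stignore" ] && grep -qxF "$include_line" "$dir/.stignore"; then
        return 0   # already set up, nothing to do
    fi
    printf '%s\n' "$include_line" >> "$dir/.stignore"
}

# count_include_lines: how many times the include line appears in .stignore
# (should be exactly 1 after any number of runs).
count_include_lines() {
    grep -cxF '#include g.stignore' "$1/.stignore"
}
```

Run it once per device after adding the folder; existing .stignore rules on that device are kept, the include line is only appended.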
If you have a central server that you trust, Nextcloud is also a really neat alternative. There is also an addon that integrates KeePass with Nextcloud, but I wouldn’t trust it enough myself, and I just use Nextcloud for synchronizing the files.
Nextcloud at least avoids the problem of giving access to your files to a huge service provider like Google, who is bound to have backdoors for the NSA and the like. In addition, Nextcloud seems to fare better than Syncthing with file conflicts, at least from my own experience.
Also, please make sure that your master password is like over 40 characters, including numbers and special characters, at least if you’re going to be storing all of your passwords in your password database. Because if someone manages to crack that one password, it’s game over for you. And if someone gets their hands on the database, you can assume that they will at least give it a try, since a database of passwords is a really high value target for hackers.