Until we can finally get rid of passwords by means of some form of public/private key cryptography we will need to juggle too many passwords.
Currently I have over 540 passwords and other secrets stored in my password manager. While I understand that I am a special case here, I still believe that most people will need to keep way more passwords and other secrets around than they can be possibly remembered or they will reuse few easy to crack password variants. This puts them at risk of data loss, phishing attacks and other harms.
Requirements of password manager
We all need a password manager that has the minimum following properties:
- be accessible at all times (including in off-line situations),
- be reasonably secure against theft,
- resilient against loss,
- trivial to set up,
- quick to access and use,
- free (including not getting locked in).
Existing solutions
Today you can use web services, that are often paid and may try to lock you in or may not work off-line. Or you can build your own solution based on tools KeePass or pass (GPG + Git).
The problem with web solutions is that they are complicated to set up: require accounts, passwords, recovery kits, applications and what not. Them being on-line have massive attack surface (over the internet) and act as massive honey pots/all eggs in one place. Or require complex juggling of database files, key files, git repositories or other file synchronization tools.
For the expert
Personally I use pass
command with GPG key for encryption and Git for synchronization between few of may devices.
I have used KeePassXC with Dropbox before, but that was causing synchronization conflicts.
While this works fine for me and is powerful in may ways, there is no easy solution that I can recommend to my friends or family.
For the people
The main issue that these existing systems try to address is multi device synchronization. But from my experience this is not required (only convenient). As long as I can see the password I can just type it in and be done.
If we could store the password DB in out mobile computers, that we carry around with us all the time in secure and resilient way, that should be already a major upgrade for most people.
Existing solutions
Take a project like KeePass DX and simplify the work flow. The main problem I have with KeePass applications for mobile devices is that they require you to align three things:
- the database file location,
- the location of the key file (optional but probably require to be secure against password cracking/phishing, since any app can leak the DB file, especially if "cloud" storage is used),
- the password itself.
If any of these things is wrong you can't access your passwords. Whet makes it worse is that you can set this up for someone, but sooner or later they will click the wrong thing or the OS update will change file access URL, or it will expire or they will forget the password and all data is now inaccessible.
Proposed changes
To eliminate the moving parts imagine this simplified work flow for Sam:
Setup
- Install the application form the app store (e.g. I can send a link via chat to the app).
- The application generates random recovery password.
- This password is presented to Sam in form of password words, serial key or something that is easy to write down.
- Sam is asked to write it down on piece of paper that they need to then store securely at home (e.g. in safe).
- Sam is then asked to retype the password to verify it is correctly written down.
- Once this is verified the app asks for fingerprint authentication.
- The password is stored in OS secret store protected with this biometric authentication and device secure element.
- New KeePass compatible DB file is created with the password in application private storage space (so not accessible by other apps).
Note: Alternative OS authentication method can be used, like pin number, face ID or whatever the OS supports.
Use
- Open the app.
- The app pops up fingerprint authentication.
- After Sam authenticates the password is retrieved from the device secret store and used to decrypt the internally stored DB file.
Now, you use it the same way you would use stock KeePass DX.
Import and Export
In order to allow Sam to migrate data to new device or to off-site backup the app would need to allow:
- Exporting the KeePass compatible database to external storage by asking Sam for new password, optional key file and file location and name.
- Importing data by merging with existing records from KeePass database file on external storage, giving file location, password and optional key file location.
This is important as we don't want to lock the data in the application/device.
Backups and restore
The app would allow for existing application backup tools (e.g. default Google cloud backup) to back up the internal database along with the app itself.
Because the password to that file was protected by secure element on the original device, restoring it form backup would not itself allow for access to the data.
So on first run of the application:
- The application would not be able to retrieve the database file password from the OS secret store (new device).
- It will ask for the recovery password that Sam has written down on the first use.
- It will pop up fingerprint authentication and store the password like with first use.
- Continue as normal from now on.
This way we can make sure the passwords are not lost in case of device loss or breakage and are still safe to be stored in the backup.
Conclusion
Given this can be implemented, it should help people secure the digital (and physical) lives with ease while preserving their freedom.
I have created a Feature request on KeePassDX GitHub repository with the proposed solution.