bitwarden

My Password Managers

I’m not going to waste much time debating if you should have a password manager, there’s plenty of sites which have done a much better job than I ever could over the last decade plus. Nope, I’m just going to review my history with these systems, and why I recently made a change.

Password managers, then, are a single application or site which requires one master password for itself, and then you put all of your passwords and other information into it. You just need to remember one difficult secret. But all of your information in one place??

Many of these systems actually hold this information on their servers (your app may or may not keep an encrypted local copy), which means if your machine is compromised, you have some security and accessibility there, but it also means the company needs to keep their servers secure, and if you don’t have internet, you might be a bit stuck. The upside is that most have browser integration making logging in very simple in real-world work and often they also have mobile apps.

So why would you want this? Mainly so you can conveniently use complex passwords, passphrases, multi-factor authentication, and all that other login safety goodness, and be safer online. No bad thing.

My Previous Setup

My previous setup had sort of evolved over the previous 12+ years.

KeePass Vault File

I started using KeePass a long time ago. It’s basically a local, encrypted database file (.kdb). There’s no web service behind it. I’d copy the file now and then to Google Drive to drop on another machine. Later, also onto smartphones using a compatible app.

At some point I moved to KeePassX. This used the same encrypted file; it was just a new client, open source, from some new devs. However, this was eventually discontinued in late 2021.

However, before that I’d already moved to KeePassXC, another KeePass compatible app, with some newer options and other bells n’ whistles.

For the latter two of these, I’d also use a browser extension to call the database, so I could autofill website logins in a browser, which was convenient. Well, it was mostly convenient, except for the Firefox Snap in Ubuntu, since the Snap was sandboxed, meaning it couldn’t call the external KeePassXC app. Fortunately I don’t use Ubuntu on any of my day-to-day machines.

Essentially though this .kdb and .kdbx file with all my data was the same encrypted file I’d been using for quite a while.

Bitwarden

I first signed up for Bitwarden a couple of years ago. Originally I was trying to get family to use a password manager, with varying degrees of success, and I just kept a few of my own common ones in there so I knew how it worked so I could answer any questions, and I continued to use the KeePassXC file, because it worked and still seems pretty safe.

There were a few reasons I chose Bitwarden, so in no particular order:

  • Open source, so in theory anyone can look at it, and people can build (and have built) their own compatible version of this.
  • Decent local clients, web browser extensions and mobile clients.
  • Easy to use really.
  • Free, but paid tiers for additional functions - this is important as I like to know where companies make their money.

The one chink in my system is that the KeePassXC file is just that, a single file, which means that when I want it on my phone, I need to copy it to GDrive, then download it to the phone and open it with KeePassDX. That’s fine until I need to make a change, then I have to copy it all the way back. Most of the time that wasn’t an issue, as I generally don’t make changes in that direction, but I got caught out twice not following my own system, and ended up having to do password changes on a couple of accounts. Not terrible, but I don’t want to be on the road when this happens.

There are ways to automate this, but it seemed to me like this is incurring a lot of moving parts when for my scenario something with a web backend would be the better solution.

So now I’ve moved the contents of my KeePassXC file over to Bitwarden. Bitwarden does have some import options for various competing products, but for me the simplest way was to export from KeePassXC as an unencrypted .csv file and then import it into the Bitwarden site or local app. Obviously you want to delete that .csv file, and not back it up anywhere!

The import worked really well, all the logins and notes carried over, including the groups/folders I’d been using. There could be issues if you have attachments, but I don’t have any these days, so not a problem for me personally.

After doing a side by side check, all entries were present and correct.
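The side-by-side check above can be scripted rather than done by eye. This is an added example, not code from the post or from either project: it compares a KeePassXC CSV export against a Bitwarden CSV export, keyed by title and username, and reports entries that are missing or whose password, URL or folder differ. The column names and the constructed sample rows are assumptions about the two export formats.

```python
import csv
import io

# Constructed sample of a KeePassXC CSV export (column names are an assumption).
KEEPASSXC_CSV = """\
"Group","Title","Username","Password","URL","Notes"
"Root/Banking","Example Bank","alice","correct horse battery","https://bank.example","main account"
"Root","Example Mail","alice@example.com","s3cr3t-m4il","https://mail.example",""
"Root/Shopping","Example Shop","alice","sh0pp1ng!","https://shop.example",""
"""

# Constructed sample of a Bitwarden CSV export after the import (column names are
# an assumption). One entry is deliberately missing and one password deliberately
# differs, so the check has something to report.
BITWARDEN_CSV = """\
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
Banking,,login,Example Bank,main account,,0,https://bank.example,alice,correct horse battery,
,,login,Example Mail,,,0,https://mail.example,alice@example.com,WRONG-pass,
"""

FIELDS = ("password", "url", "folder")

def load_keepassxc(text):
    """Index KeePassXC rows by (title, username); 'Root/Banking' becomes folder 'Banking'."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        folder = row["Group"].removeprefix("Root").strip("/")
        entries[(row["Title"], row["Username"])] = {
            "password": row["Password"], "url": row["URL"], "folder": folder}
    return entries

def load_bitwarden(text):
    """Index Bitwarden login items by (name, username); skip cards, notes, identities."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] != "login":
            continue
        entries[(row["name"], row["login_username"])] = {
            "password": row["login_password"], "url": row["login_uri"], "folder": row["folder"]}
    return entries

def compare(source, target):
    """Return (keys missing from target, keys present but with a differing field)."""
    missing = sorted(k for k in source if k not in target)
    mismatched = sorted(k for k in source if k in target
                        and any(source[k][f] != target[k][f] for f in FIELDS))
    return missing, mismatched

if __name__ == "__main__":
    missing, mismatched = compare(load_keepassxc(KEEPASSXC_CSV), load_bitwarden(BITWARDEN_CSV))
    print("missing from Bitwarden:", missing)
    print("differ between exports:", mismatched)
```

Both exports are plaintext, so they get the same treatment as the post's .csv file: delete them once the check is done.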

Last parts of the workflow were to check browser integration, and the mobile app.

Browser integration is handled by a simple extension for all the usual browsers. Where this is different for me is that with KeePassXC the extension accesses the local file via the app, whereas with Bitwarden it simply accesses the web-hosted data.

For mobile, Bitwarden has an app for Apple and Android and it’s been working completely as expected.

So there we are, all cut over with hundreds of entries (literally). I also signed up for the 10USD a month plan. I don’t really need it, but I now have these:

  • File attachments
  • Emergency access
  • Security reports and more

Why pay if I didn’t need to? It’s only 10USD a year, the security reports are interesting, and I want to support both the company and the open source side of Bitwarden. The ‘emergency access’ might be interesting to try.

So there we are, all cut over. I still like the idea of KeePassXC/DX, it’s a fine solution, but for now, I’ll be on Bitwarden.