Maximum PC

MANAGE YOUR PASSWORDS

Take control of how your passwords are synched and where they’re stored

By Nick Peers

It’s time to take control of your security

Everyone needs a password manager. You simply can’t get by online these days relying on a handful of easily guessable passwords—just take a trip to https://haveibeenpwned.com to confirm your trusted passwords of yesteryear have almost certainly been exposed by now.

The value of a password manager can’t be overstated, whether it’s generating unique, random, lengthy passwords that are almost uncrackable, or storing them securely in a vault protected by strong encryption and—if you’re diligent—extra layers of security. But it’s not necessarily all good news. Where is your password vault stored, and who can access it?

Services like LastPass and 1Password that make it easy to sync and access passwords between mobile, desktop, and browser store your encrypted vault on their own online servers. They argue their “zero knowledge” model, where they have no access to your password or the keys that encrypt your file (which is done locally on each device), keeps them nice and secure. Great, but that’s an awful lot of trust you’re placing in their hands—they’re not immune to attack, and while LastPass maintains no encrypted vault data was compromised when its security was breached in 2015, hackers were still able to access the files, putting any vaults protected by weak passwords at risk.

So, how do you ensure your passwords can’t fall into the wrong hands? You could go old school and use a single password manager app on your PC, where the vault is encrypted and stored locally (perhaps backed up to a USB key, stored in a fireproof safe). That’s almost watertight, but at what cost? Convenience, for one: Copying passwords by hand on your phone or using the clipboard to transfer passwords from app to browser is slow.

The solution lies somewhere between foolproof security and the convenience of being able to sync and access passwords on the go. Over the page, we reveal how to find the perfect balance, with the help of one of three password managers.

What should you look for in your finely balanced password manager? First, it must be cross-platform—apps for Windows, macOS, and Linux, plus browser add-ons, and mobile support on iOS and Android. Second, you need full control over where your passwords are stored—whether your own hosted server or choice of cloud storage provider. Third, we want better transparency from our password managers, which is where open source comes in. And fourth—not mandatory, but preferably—support for additional forms of authentication to protect your password vault, such as 2FA or key files.

THREE OPTIONS HIT THE SPOT

We’ve settled on three potential solutions. The first is KeePass, the open-source desktop password manager. If you already store all your passwords in a KeePass database, it makes sense to continue using it. Check out the box opposite for the quickest way to get a multi-platform, cloud or network-synched password setup using KeePassXC.

If you plan to store your database online for always-accessible synching, we strongly recommend making use of KeePassXC’s additional security options to protect your file if the server it’s stored on is compromised. You can pair it with a physical YubiKey, or create a special key file that’s required alongside your password to open the file, so even if your password is subsequently discovered, the vault remains off limits.

To add a key file, choose “Database > Change master key,” click “Add additional protection,” then “Add Key File.” Click “Generate” to create the file—we suggest saving this in a different location from your password file. One option would be to store it on another cloud platform (for example, Google Drive if your main file is synched via OneDrive).

BUILD ME UP, BUTTERCUP

Our second solution is Buttercup (https://buttercup.pw). It checks all the platform boxes, with support for Firefox and Chrome browsers. Unlike KeePass, which relies on third-party mobile support, all Buttercup apps are native (and completely free). Like KeePass, there’s no proprietary server on which your password vault is stored, but support for synching via the cloud is baked into Buttercup’s DNA.

This is evident from the moment you download and install the Windows client. On first launch, you’re invited to click “Add archive” to set up a new vault. From here, you can create a new archive—which you store locally—or choose “Connect Cloud Sources” from the pop-up menu to create an online archive for synching purposes.

The Windows desktop client supports just four services: Dropbox, OwnCloud, NextCloud, and WebDAV (which includes Box among its supported clients). Google Drive is conspicuous by its absence, despite the fact it’s an option in both the browser add-on and mobile apps—as a workaround, if you have Backup and Sync installed on your computer, generate a new local archive, and save it in your Google Drive folder to make it accessible to your browsers and mobile devices.

Next, enter a master password to protect your newly created archive—the usual caveats apply: Make it as long as possible, and try to avoid making it obvious. That said, it’s the one password you need to remember going forward, so don’t make things too difficult for yourself. Click “Confirm” and retype the password before clicking “Confirm” again.

One of Buttercup’s neat features is that it makes it easy to manage multiple vaults at the same time—you can create more than one and switch between them easily. Use this to segregate passwords from each other—you could, for example, keep all your online passwords in one vault synched to your cell phone and browser, while offline passwords remain stored on your PC only.

CREATING & MANAGING PASSWORDS

By default, the desktop application is designed primarily to organize your passwords into folders (or groups), plus create new passwords from scratch. Here, only title, username, and password fields are provided—if you plan to manually create web logons, you need to click “Add new field,” enter “URL” for the “Label,” then type the web address into the “New Field” box to convert it into something that works with the Buttercup mobile app or browser add-on.

Look out for the magic wand button next to the password field—clicking this enables you to generate a random password of 10–50 characters. This can be random characters or words—choosing characters enables you to select what types to include, from alphanumeric to spaces, dashes and underscores, and symbols. Click “Generate” to keep generating passwords until you find one you like, then click “Use this” to record it.

If you’re migrating from another password manager, you may be able to import your passwords into Buttercup to save time having to recreate them from scratch. Choose “File > Import,” where you’ll find options covering 1Password (.1pif), KeePass (.kdbx), LastPass (.csv), Bitwarden (.json), and previous Buttercup installations (.csv). 1Password and KeePass users are prompted for the master password from the original vaults.

EXTEND TO MOBILE AND BROWSER

Most of your logins will, of course, be linked to websites—while we’ve shown it’s possible to set these up in the desktop application, a far better option is to install the browser add-on and/or mobile apps. These work in a similar way. First, click “+” to add a new archive or link to an existing one. If you select “System > Enable Browser Access,” you can link your browser add-on to a password file stored on your PC; otherwise, it’s a case of selecting your chosen cloud provider (including Google Drive, of course) to log in, browse, and select the archive file.

After entering your master password, you’re prompted to give this archive a name—this is purely for identification purposes, so doesn’t need to match its file name. Now your archive is connected to all your devices, you can update it from browser, mobile, and desktop, but sometimes changes are slow to appear—to force a sync in the desktop application, for example, choose “View > Reload.”

When you next log into a website using your browser, Buttercup pops up a prompt to save the username and password into its archive: Click “Save” and a new tab opens with the new entry details showing name, username, password, and URL. Review and edit these if necessary, then select your archive followed by a group (this is mandatory, so consider creating one in the desktop application—“Web passwords,” for example—if necessary), before clicking “Save New Entry.”

Once your entries start to build up, it’s time to take advantage of Buttercup’s password-filling features. Look for the Buttercup logo appearing next to login boxes in your browser—click this and you should see the relevant username and password appear, enabling you to click to quickly populate the boxes. Alternatively, click the “…” button to reveal options to copy username or password to the clipboard, plus reveal the password behind its mask. If you’re signing up to a website for the first time, right-click inside the password field, and choose “Buttercup > Generate password” to create a strong random password.

When it comes to mobile use, iPhone users can configure Buttercup in the same way as Strongbox (see boxout on previous page) to automatically fill passwords in any app as well as your browser. While a little rough around the edges, Buttercup has most bases covered, but if you want the best of all worlds—and are prepared to work for it—read on.

SECURE WITH BITWARDEN

Our final solution is our current go-to password manager: Bitwarden (https://bitwarden.com). This open-source multiplatform offering is the closest to LastPass and its ilk, and works in a similar way, with your passwords hosted on its own servers by default. But what sets it apart is the fact it’s possible—if tricky—to host your own Bitwarden server, so all your passwords are stored on a trusted device at home.

The official guide for installing a full-blown self-hosted Bitwarden installation is found at https://help.bitwarden.com/article/install-on-premise/—but this is geared toward large organizations, and comes with some overblown system requirements. It’s also a complicated setup, but thankfully some enterprising folk have developed a prebuilt version. Bitwardenrs is written in Rust, and is both relatively simple to set up (at least initially) and undemanding on your system: 10MB RAM and negligible impact on your CPU.

For this to work, you need to employ the services of Docker. Ideally, you’ll set this up on an always-on 24/7 device—the box on the left reveals how to do this on a QNAP or Synology NAS—but you can also install it on your PC. You need a 64-bit CPU, 4GB system RAM, and hardware virtualization enabled in the BIOS. You can run Docker on any modern version of Linux, but our instructions focus on Windows 10 (in particular, Windows 10 Pro, Education, or Enterprise 64-bit).

INSTALLATION STEPS

If your PC fits the bill, type “Windows features” into the “Search” box, and click “Turn Windows features on or off,” then enable both “Containers” and “Hyper-V” before clicking “OK” and rebooting when prompted. Now install Docker Desktop via https://hub.docker.com—click to sign up for a Docker Hub account if you don’t already have one. At the quick-start screen, download and install Docker Desktop for Windows (all 835MB of it). When prompted, leave the default boxes checked (Bitwardenrs/server is a Linux container) and click “OK” to complete the installation. If prompted, update Docker. Once done, make sure Docker is running (look for its Notification area icon), then open a PowerShell window before issuing the following command:

$ docker pull bitwardenrs/server:latest

This downloads the images required to run Bitwardenrs. The next command creates a quick and dirty Bitwarden install that has no security, but works instantly:

$ docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest

That’s it for basic setup and configuration. If you now open a web browser on your PC or any device on your local network and type “http://192.168.x.y” (substitute “x” and “y” for your PC’s IP address), you should find yourself at the Bitwarden web vault, where you can create your account and log into it. One note: Chrome refuses to connect to the web vault in this configuration (see https://github.com/bitwarden/web/issues/254).

LINK TO BITWARDEN

Assuming you’re happy to access the Bitwarden server exclusively over your home network insecurely, then you’re done with setup and configuration. This configuration allows you to access your vault securely when outside your home network (just don’t explicitly log out of Bitwarden while on the road), but you won’t be able to sync any new logins you create with the server until you’re back inside your network (simply select “Settings > Sync > Sync vault now” to force a manual sync if it doesn’t happen automatically for any reason).

If you want external access to the server, you first need to configure a domain to point to your Bitwarden server—one simple solution is to make use of a free dynamic DNS service, such as No-IP (www.noip.com). You also need to implement HTTPS security with an SSL certificate—see the final box for details.

In the meantime, existing Bitwarden users should start by transferring their passwords from the cloud to their new server: Log into https://vault.bitwarden.com, select “Tools,” and click “Export Vault.” Read the warning, leave “.json” selected, and enter your master password again before clicking “Export Vault” again. Save the file somewhere secure, then log out, and close the browser tab.

Type your server IP address along with any required port number—you should see the same interface as found at https://vault.bitwarden.com, but this is pointing to your local server. Log into your new account, and this time select “Tools > Import data.” Select “Bitwarden (json)” as the import file format, then click “Browse” to select your exported file, followed by “Import.” Wait while it’s uploaded, and your passwords imported. Once done, you are ready to start configuring your apps and browser add-ons.
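A check worth running on the exported file before you import it, as an added example that is not Bitwarden’s own tooling: it reads an unencrypted Bitwarden .json export (the field names “encrypted,” “items,” “type,” “login,” and “uris,” and type value 1 for logins, are this example’s assumptions about that format, and the sample export is constructed) and reports whether the file is plaintext, how many logins it holds, which entries reuse a password, and which have no URL for the browser add-on to match.

```python
import json
from collections import defaultdict

LOGIN = 1  # Bitwarden item type for a login entry (assumed value)

# Constructed sample export: three logins (two share a password) plus a
# secure note, shaped like Bitwarden's unencrypted .json export (assumption).
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [{"id": "f1", "name": "Web passwords"}],
    "items": [
        {"id": "a", "type": LOGIN, "name": "Example Shop", "folderId": "f1",
         "login": {"username": "nick", "password": "correct-horse-battery",
                   "uris": [{"match": None, "uri": "https://shop.example"}]}},
        {"id": "b", "type": LOGIN, "name": "Example Forum", "folderId": "f1",
         "login": {"username": "nick", "password": "correct-horse-battery",
                   "uris": [{"match": None, "uri": "https://forum.example"}]}},
        {"id": "c", "type": LOGIN, "name": "Router", "folderId": None,
         "login": {"username": "admin", "password": "Xq9!vL2#pR8w", "uris": []}},
        {"id": "d", "type": 2, "name": "Wi-Fi note", "notes": "constructed"},
    ],
})


def audit_export(text):
    """Summarise an export before importing it: is the file plaintext, how
    many login items it holds, which entries share a password (reported by
    entry name, never by the password itself), and which logins carry no
    URI, so the browser add-on will not be able to match them for autofill."""
    data = json.loads(text)
    by_password = defaultdict(list)
    no_uri = []
    logins = 0
    for item in data.get("items", []):
        if item.get("type") != LOGIN:
            continue  # secure notes, cards and identities carry no login
        logins += 1
        login = item.get("login") or {}
        if login.get("password"):
            by_password[login["password"]].append(item["name"])
        if not login.get("uris"):
            no_uri.append(item["name"])
    return {
        "plaintext": not data.get("encrypted", False),
        "logins": logins,
        "reused": [names for names in by_password.values() if len(names) > 1],
        "no_uri": no_uri,
    }
```

Because the export holds every password in plaintext, delete the file securely once you have confirmed the import on your own server.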

If necessary, click “Settings” to log out of your web-hosted Bitwarden account. At the login screen, click “Settings,” where you’ll see the fields required to access your self-hosted environment (if left blank, Bitwarden defaults to its online servers). You only need to fill the top field: Enter “http://192.168.x.y:4000” or whatever your IP address/port number combo is, click “Save,” and log in as normal.

From here, Bitwarden should largely behave as normal—we recommend visiting “Settings > Two-step login” in the web vault to set up 2FA using an authenticator app such as Google Authenticator or Authy for extra security, but otherwise you’re done. You have the flexibility of an online password manager with the security of knowing exactly where your passwords are stored.

Direct sync support is currently limited to four options in Buttercup.

Add an extra layer of security to your KeePassXC vault.

Click the “Settings” button to configure access to your Bitwarden server.

You can install a Bitwarden server in Windows 10.

It’s tricky, but you can secure your Bitwarden self-hosted server.

Your Bitwardenrs server requires extra steps to make it secure.
