Password manager KeePass vs. LastPass vs. Bitwarden - comparison


Without proper tools, it is difficult to use complex and unique passwords on all websites, which lowers the security of accounts and thus one's data. The solution for those who are not into brain jogging may be a password manager.

A password manager stores the login details for all websites, apps or other access points and helps log onto them automatically. At the heart of a password manager is a password database, which is usually encrypted with a master password. The password and optionally a second factor are required to access the database. But an additional PIN or biometric authentication, such as fingerprint or facial recognition, can also sometimes be used to unlock the password database.

Passwords should not be used more than once

One way to protect passwords and reduce the attack surface is to use a unique password for each website. Passwords should be unpredictable, contain special characters and be long, so that they cannot be guessed or brute-forced by tools or attackers. Should a password fall into the wrong hands, the same email and password combination could otherwise be misused on several websites. As additional protection, most providers today rely on a second factor for the login, which reduces the relevance of the password somewhat. The second factor can be, for example, a dedicated authenticator app, the phone number, an SMS or the email address as an additional confirmation of the login process.
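To make the reuse argument concrete, here is an added example that is not from the original article: it audits a constructed password-manager CSV export for passwords reused across sites and for passwords that are short or lack special characters. The column names url/username/password, the sample entries and the 12-character minimum are assumptions for this example.

```python
import csv
import io
import string
from collections import defaultdict

# Constructed sample in the layout a password-manager CSV export typically uses;
# the sites, accounts and passwords are invented for this example.
SAMPLE_EXPORT = """url,username,password
https://shop.example,alice@example.com,Summer2021!
https://mail.example,alice@example.com,Summer2021!
https://bank.example,alice@example.com,x7#Qm!vR2p$Lw9&tZb4c
https://forum.example,alice_forum,hunter2
"""

MIN_LENGTH = 12  # assumed policy for this example


def load_entries(export_text):
    """Parse the export text into a list of {url, username, password} dicts."""
    return list(csv.DictReader(io.StringIO(export_text)))


def weak_reasons(password):
    """Return the policy violations of one password (empty list if it passes)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in string.punctuation for c in password):
        reasons.append("no special characters")
    return reasons


def audit(entries):
    """Report reused passwords as groups of URLs and weak passwords by URL.

    Passwords themselves are never placed in the report, so the output can be
    shared or logged without leaking vault contents.
    """
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["url"])
    reused = [urls for urls in by_password.values() if len(urls) > 1]
    weak = {}
    for entry in entries:
        reasons = weak_reasons(entry["password"])
        if reasons:
            weak[entry["url"]] = reasons
    return {"reused": reused, "weak": weak}


if __name__ == "__main__":
    print(audit(load_entries(SAMPLE_EXPORT)))
```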

Password manager in practice

However, a password manager not only helps with remembering passwords: it already helps when creating a new user account by generating a secure password and storing it in the database together with the login information (username). Ideally, a password manager can be accessed from different devices (computer, tablet or smartphone), so that once stored, passwords are available on all of them.

There are a number of different password managers; I have tested the following: LastPass, Bitwarden and KeePass. Another kind of password manager is the one built into today's web browsers, since current browsers usually include an integrated password manager.

Integrated password manager of the browser

Web browsers, such as Microsoft Edge, Google Chrome or Firefox, include their own password manager. The passwords are stored locally and synchronized via the manufacturer's cloud service. Those who accept that their passwords are synchronized via the browser vendor's cloud quickly and easily get a ready-made solution for their web credentials.


Google Chrome will allow adding passwords and notices from non-web pages in the future (enable in Chrome Flags: Add Passwords in settings: chrome://flags/#add-passwords-in-settings).

A dedicated password manager can, in addition to website credentials, also manage other passwords or credentials and use them away from the browser automatically, depending on the solution, even without the dependency on a cloud provider.

LastPass

LastPass is one of the most popular cloud-based password managers and offers good browser integration on Android, iPhone (iPad), Windows and Linux. The password data is stored encrypted on a server; decryption happens locally on the client.

If you want your passwords to be as simple to use, secure and available on all devices as possible, LastPass is the right choice, although you need to pay for LastPass Premium to use it on mobile devices. Premium is required for the LastPass app on mobile devices and for extended functions.

But even without Premium, LastPass offers a lot, especially on the PC there is no restriction for the normal user.

Advantage:

  • Easy setup and connection to the existing cloud service
  • Good integration for common operating systems and browsers
  • Access to passwords via the browser without a client program

Disadvantage:

  • Dependence on a cloud provider
  • Paid premium version required for use on mobile devices

KeePass

KeePass takes a different approach: it stores the passwords in a file and can thus be used completely without the Internet or the need for a cloud or server service. Even though KeePass originally started as a classic Windows program, there are now apps for all sorts of platforms, and thanks to the built-in synchronization features the password file can be synchronized with other installations. For the actual synchronization of the password file, NextCloud, SFTP, WebDAV or pCloud can be used, in addition to Dropbox or Google Drive.

Current KeePass version, see: http://keepass.info/

Advantage:

  • Decentralized setup: Simple local program, no cloud or server service required at all
  • Universal and flexible due to a variety of installation options, options and plugins
  • Only the password file and the master password are needed to access the passwords.
  • The password file can be opened by any KeePass client.
  • KeePass clients are available for all major operating systems including browser integration.
  • When synchronizing between multiple devices, each device has its own copy of the password file and therefore no dependency on another device or service to access the data.

Disadvantage:

  • Synchronization between multiple devices requires central storage from a cloud provider or a shared folder on the Internet or local network.
  • No ability to share individual passwords or folders with others. Passwords can be shared with others only by sharing the complete file with all entries and the master password.
  • The KeePass-2 client has a cosmetic problem. KeePass-2 is a classic Windows program, which makes it look really old compared to cloud solutions.

The next article in this series describes setting up, browser integration and syncing a central KeePass database via Dropbox or Google Drive and using it simultaneously on Windows, Android and Ubuntu.

Bitwarden / Vaultwarden

Bitwarden is the open source alternative to LastPass. Unlike LastPass, Bitwarden can be self-hosted. Compared to KeePass, Bitwarden offers the ability to share passwords or individual folders with others, which requires a server to operate.

Advantage:

  • Ability to self-host the solution or use it as a ready-made solution from the cloud provider
  • Access to passwords via browser without client program and without the need for a local file
  • Good integration for common operating systems and browsers

Disadvantage:

  • Although the password database is also downloaded to the client and the passwords are thus available offline, anyone who logs out of the server service can no longer access the data without the Internet and a running server. For self-hosted systems this can lead to problems in the event of a failure unless appropriate precautions are taken.
  • If you want to host Bitwarden yourself, you need a server or computer that provides the server service including an SSL setup with appropriate certificates, which today can be implemented relatively easily thanks to Docker.

Conclusion

Since I don't want to make access to my passwords dependent on a cloud provider, LastPass and synchronization via a browser are eliminated as options for me: Bitwarden and KeePass remain. Even though Bitwarden is certainly much more modern than KeePass, there are still a few small details that I like better about KeePass, even though I would have a server for Bitwarden and already have the program set up. The main argument for Bitwarden for me is the sharing of passwords with others. However, I don't really like this argument, because I think that passwords are something personal. Whoever has the need to share a password with someone else should, in my opinion, consider whether it would not be better to create a separate user account for that person. If in exceptional cases a password still needs to be shared with others, this can still be done via a separate entry in each person's own password store: everyone writes down the password themselves. I don't see any real disadvantage there.

Given that a Bitwarden server is reachable on the Internet and at least its login page can be accessed by anyone, I think the attack surface of a KeePass password store is somewhat smaller compared to a self-hosted Bitwarden server. As with other server services, Bitwarden must be regularly updated and backed up, which generates additional effort. Not only in operation but also in terms of redundancy I see slight advantages with KeePass: if you synchronize the KeePass file between different devices, you build up additional redundancy. Although this does not replace a backup, only one working device is needed to access the data: no Internet, no running services on any server.

Publication: 09.05.2022 by Bernhard