Considering the crazy number of services we subscribe to nowadays and the fact that seemingly everything online needs an account, it's very tempting to just use the same password everywhere. I mean how many passwords is one supposed to remember?! Top that off with totally arbitrary password requirements enforced by each service: must be 8 characters long, must have a special character, must have a number, password must not contain your username... It's exhausting! So much so that there's even a game about the absurdity of password requirements. Fair warning, it'll make you tear your hair out.

No wonder people have been gravitating towards password managers! But now there's another problem we have to deal with: how do we sync our passwords across all the devices that we use? The solution: cloud based password managers. You've probably heard of some of them and are probably even using one right now. Services like LastPass, 1Password, NordPass, all do the same thing with some variation in features and pricing.

The Danger

Like everything that's on the internet, cloud based services are also prone to being attacked (hacked). However, unlike something like Instagram, where the worst thing that could be stolen are blurry pictures of your ex's face (ok, it could be worse), having a password manager hacked essentially means that ALL your passwords are now compromised. This includes bank accounts, credit cards, email, social media, and everything under the sun that you require a login for. This might probably sound unlikely and far-fetched. But, it's not far-fetched. It isn't common either, but it only needs to happen once to have user data for thousands of people leaked to malicious actors.

Here are incidents of attacks on cloud based password managers in the past:

• In 2022, LastPass was hacked with multiple attacks unfolding over months. You can read more about this here.
• Norton Password Manager was hacked as recently as January 2024, with nearly a million users target. Read about it here.
• Bitwarden was targeted in 2024, where hackers pushed out fake updates that injected data stealing malware into people's computers. Read about it here.

There have been quite a few of these incidents, but I won't go into details here. The fact remains that password managers are prone to being hacked and data that is hosted online is always vulnerable.

It's not that the companies designing these password managers are actively making bad software. It's just that it only takes one little mistake from a developer somewhere to expose a security vulnerability in a cloud service. The worst part of this is that users end up paying for these mistakes.

The Solutions

The fundamental problem here is not password managers, but passwords themselves. Any security that's knowledge based is generally easier to crack than security that's possession or identity based. So, we need additional "factors" in our authentication.

Multi Factor Authentication

Using multiple "factors" for authentication is called Multi-Factor Authentication (MFA). Typically, most services implement 2FA or two factor authentication. Now you'll ask me: "what exactly is a factor?" I'm glad you asked (it's ok if you didn't, you can stay)! Broadly speaking, a factor indicates the type of authentication that's being used:

• Knowledge : you know some secret code (password, PIN) that nobody else knows
• Possession : you own something unique that nobody else does (house keys, cell phone number)
• Inherent : you have some unique physical features (fingerprint, face, iris) that identify you
• Location* : you are in some specific unique location (office building, home)

Note that I've put an asterisk for location because that one is typically never used on its own. It's used in addition to the above. The most commonly used 2FA is knowledge and possession. You know your password (knowledge), and you have an authenticator app that generates some unique codes that only you have (possession).

MFA is a critical step in securing yourself online and making sure that even if your passwords leak, getting access to your account will require additional factors that the hackers probably won't get.

The Knowledge Factor

The reason I say that passwords are the problem is because the knowledge factor is inherently very easy to crack. People can be psychologically manipulated (social engineering) into giving up knowledge. I also think that door locks which solely rely on a PIN for unlocking are totally vulnerable to being hacked. Just use a physical key!

FIDO2 security

(F)ast (ID)entity (O)nline 2 or FIDO2 security is a recent method of authentication that uses a hardware key to provide access to your online services. It's kinda like your car keys or your house keys. It's a physical USB thingy that you plug into your computer to "unlock" your accounts. Now we've come full circle! We went from physical keys, to passwords, to cryptographically generated one-time codes, back to a physical key... It's poetic...

Local Password Managers

Coming back to passwords. I know it's difficult to move away from them, but at least you could be a little more secure than cloud based password managers. Personally, I use KeePassXC to store all my passwords. It has browser integration and uses an extension for Chrome, Firefox, and all the usual suspects. The difficulty is in synchronizing everything.

KeePassXC basically creates an encrypted file that contains a database of all your passwords. This file can be locked using MFA. So you can use any combination of the following:

• Password: you enter a password to unlock this database file
• Key file: you need another "key" file which you can carry around on a USB stick or provide to the program to unlock your database
• FIDO2: you buy a (expensive) hardware key which you need to plug into your computer every time you want to open your password database.

Personally, I just use the password and the key file. Just make sure your keyfile is not on the same computer as the database. Seriously, flash drives are super cheap and your key file is barely a few kilobytes. Buy a pack of 10 and have your key on 2 of them. Keep one at home and one on your keychain.

Syncing between devices

KeePassXC is available for all desktop operating systems. If you want your database on your phone, you can get KeePassDX for Android (free) or Strongbox for iOS (paid), and just use the same database file on your devices. The tricky part is getting your keyfile onto them. Lots of flash drives nowadays have a USB-C port so it's easy enough to pair with your phone. KeePassDX and Strongbox also allow you to use biometrics to unlock your database, so that's another option.

Now all you gotta do is get the database file to synchronize between all your devices. Since it's already encrypted and secured with 2FA, you can literally just put it anywhere and it'll be impossible to crack without your master password and key file. If you're in the Apple ecosystem, put it on your iCloud. You can also use Dropbox, Google Drive, OneDrive, or Syncthing (more on this in a later post) to sync it between your devices and you've got a fully synchronized, secure password database.

Is this completely, 100% secure? No. Someone could steal your flash drive and hold a gun to your head and ask for your password. There's always that. But they need to know the password, AND get your flash drive to be able to open your database. Top that off with physically gaining access to your devices in order to get to the database file.... Yeah it's quite secure.

Go ahead and try it out. It's a bit of work to set up, but you'll breathe easier knowing that your passwords are safe. Also, make sure to setup 2FA for everything that supports it! It's a hassle for sure, but it's totally worth it.