My KeePass setup

I have a confession to make: I haven't been very good with my passwords in the last few years. Between jumping from the Apple ecosystem to the Android ecosystem (mainly because I was a poor student in Germany and because Tachiyomi is only available on Android), my accounts are all over the place.

This changed a little bit when, while spending a chill day at the beach, unbeknownst to me, a literal cyclone was hitting my home state, which prompted a rogue wave to rush into our plastic beach table and washed my cell phone away.

Financially, I was bothered by it but didn't really think much about it. It was a cheap midrange from Samsung I bought for around 260 EUR.

Security-wise, I also didn't really care much because I had a strong, non-obvious PIN and my SIM card also had a PIN on it, but being the paranoid I am I realized that my security was enforced by obscurity sometimes, which does not settle well to me.

Enter 😍 KeepAss 😍, the new love of my life.

My Stupidly Simple New Password Manager Setup

It works like this:

I have KeePassXC installed on my MacBook Air
I have StrongBox installed on my iPhone
I have a free DropBox account installed on both devices which syncs the Passwords.kdbx database file between the two.

This file is encrypted with a password, but it also works with private keys or even a YubiKey.

Aaaaaaand, that's it. Dead simple. Costs me a total of zero of my hard-earned Brazilian Reais.

Questions:

Q: Why KeePassXC on the MacBook air and not StrongBox as well?

A: Both are free and opensource, but I like the idea of having a multi-platform client, as I run Linux sometimes. Although the offerings from StrongBox are stellar. Also, the phone I'm currently carrying is my old one, and a new A54 is in the mail. I don't want to feel too accustomed to StrongBox on the iPhone as I'll very soon have to move to KeePassDX for Android.

If you run on the Apple side only, I highly recommend buying the lifetime StrongBox Pro... it's 90 USD and 100% worth it. It's much more intuitive than the other offerings and is very friendly to use any cloud you want to (with the usual password auto-fill/face recognition niceties that anyone might expect).

Q: What's the attack vector like?

A: I am working on the basis of "one password to rule them all" type scenario. Every single account I have, including my phone password and its PUK are stored into the Passwords.kdbx database which is synced using my DropBox. From this database, I can recover literally every single other login that I have (you can store files/recovery codes within KeyPass entries, so 2FA is below this database in terms of security hierarchy).

Even the DropBox, cell phone and laptop passwords are managed by Passwords.kdbx, and I regularly back it up to a thumb drive which is completely offline and stored somewhere safe.

This way, I only really need to remember one password: the one that decrypts Passwords.kdbx, which only exists inside my head. And naturally, I can't lose Passwords.kdbx, otherwise I'm completely fucked 😀

Also, banking stuff generally requires face identification using the cell phone's camera, so it's another layer of added security, and I naturally use 2FA for everything (for ProtonMail I also have a mailbox password, managed by, you guessed it, Passwords.kdbx).