Authentication
[Image: Arthur pulling sword from stone]



Terms:



Password security



Use the password and screen-lock features of your device and software; many people don't even bother to set a password!

It's especially important on smartphones, because a lot of smartphone apps don't even have a "log out" feature. They assume that if you have the phone and were able to log in once, a while ago, you must be the account owner, no account password needed.

But some passwords are fairly easy to bypass when the attacker has physical access and the storage isn't encrypted: a login password controls the OS, not the bytes on the disk. Don't expect it to protect you from every threat:
Computer Hope's "How to clear an unknown BIOS or CMOS password"
Mark Wilson's "How to crack Windows and OS X passwords"
Hack Cave's "Hack Windows 10 Login Password In 2 Minutes [Works For All Windows Versions]"
Hack Cave's "Hacking/Bypassing Android Password/Pattern/Face/PIN"

Don't use the same password on multiple sites. If one site is breached, the leaked password gets tried against all the others (credential stuffing).
Qualities of a good password, from most important to less important:
  1. Unique (not used anywhere else, and not in any published breach list).
  2. Long (at least 16 characters, probably; each extra character adds more guessing work than an extra symbol class does).
  3. Complex (mixed case, digits and symbols, not just lowercase and numbers).

Good things along with the password:

Do NOT use Facebook login or Google login as your login to lots of other web sites. Not only does that tell the identity provider which sites you use and when, but if Facebook or Google ever deactivates your account for some reason, you've lost access to those other sites too. Similarly, don't use a Microsoft login to your Windows PC; use a local login.

Really, you should have only 2 or 3 passwords you remember; the rest should be in a password manager. And in general, length is more important than complexity (but having both is even better).

Leo Notenboom's "12 Steps to Keep from Getting Your Account Hacked"





Password Manager



I recommend a local-only password manager application, not storing data in the cloud, and with no browser extension or browser integration. I use the KeePass family of applications.

On Linux, consider running the password manager in a confined package (snap or Flatpak) or under a sandbox profile (Firejail or AppArmor). That limits what the password manager process itself can reach if it is exploited, e.g. by a crafted database or attachment; it does not stop another process running as your user from reading the database file, which is what the master password and key-derivation settings are for.



Reasons to use a password manager:
Password Bits' "25+ Reasons Why You Need a Password Manager"

Some passwords they can't apply automatically: your PC's BIOS and OS login info, encrypted boot drive's password, game-console password, phone password, ATM and credit-card PINs. You can store those passwords in the password manager, but not drag/copypaste them out to apply them. [Except see InputStick, which lets a password manager on your phone drive a keyboard on your computer.]

A quirk: every now and then, I find I have to type a password manually. Maybe I'm reading it out of the password manager in my laptop, and typing it into someone's phone. In that case, having a long password that mixes lots of letters and numbers and special characters is a real pain. And having similar-looking characters such as "1" and "l" and "0" and "O" is a pain. So I try to avoid generating passwords with that last problem. Some managers have a setting to control this. Maybe also group the types of characters together inside the password: start with N uppercase letters, then M lowercase letters, then P special characters.



Arguments against password managers:
Stuart Schechter's "Before You Use a Password Manager"

Dan Goodin's "'Severe' password manager attacks steal digital keys and data en masse"
Martin Vigo's "Even the LastPass Will be Stolen, Deal with It!"
Linus Sarud's "Thinking outside of the password manager box"

With enough effort, and maybe good starting guesses, password manager databases are crackable: the database is only as strong as its master password and the key-derivation settings (AES-KDF rounds in KDBX 3.x, Argon2 memory and iterations in KDBX 4), which are what make each guess slow. See for example: My "keepasscrack" project
devio's mod0keecrack
ElcomSoft blog
ISE's "Password Managers: Under the Hood of Secrets Management"
Ruby Devices' "How to Hack KeePass Passwords using Hashcat" (not sure works on KDBX 4)
But of course you could store the database inside an encrypted VeraCrypt container or something, to add another layer of protection; that only adds anything if the container passphrase is different from the master password.
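How crackable a given .kdbx is can be read off its unencrypted outer header: the format version and the KDF parameters are stored in clear so that a client (or a cracker) knows what work to do per guess. As an added example (not from any of the projects above), a Python parser for that header; it runs against two constructed headers (a KDBX 4 one with Argon2d at 64 MiB x 8 passes and a KDBX 3.1 one with 60000 AES-KDF rounds), which are not real databases. The field IDs and UUIDs are those of the KeePass 2.x file format.

```python
import struct
import uuid

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
CIPHERS = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
    uuid.UUID("ad68f29f-576f-4bb9-a36a-d47af965346c"): "Twofish",
}
KDFS = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
# Outer header field IDs (KeePass 2.x KdbxFile): 6 exists only in 3.x, 11 only in 4.x.
END, CIPHER_ID, TRANSFORM_ROUNDS, KDF_PARAMETERS = 0, 2, 6, 11

def parse_variant_dict(buf):
    """KDBX 4 VariantDictionary: u16 version, then (type, name, value) items; type 0 ends it."""
    version, = struct.unpack_from("<H", buf, 0)
    if (version & 0xFF00) != 0x0100:
        raise ValueError("unsupported VariantDictionary version %#x" % version)
    pos, out = 2, {}
    while buf[pos] != 0:
        vtype = buf[pos]
        nlen, = struct.unpack_from("<i", buf, pos + 1)
        name = buf[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        vlen, = struct.unpack_from("<i", buf, pos)
        raw = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype in (0x04, 0x0C):        # UInt32 / Int32
            out[name] = struct.unpack("<I" if vtype == 0x04 else "<i", raw)[0]
        elif vtype in (0x05, 0x0D):      # UInt64 / Int64
            out[name] = struct.unpack("<Q" if vtype == 0x05 else "<q", raw)[0]
        elif vtype == 0x08:              # Bool
            out[name] = raw != b"\x00"
        elif vtype == 0x18:              # UTF-8 string
            out[name] = raw.decode()
        elif vtype == 0x42:              # byte array
            out[name] = bytes(raw)
        else:
            raise ValueError("unknown variant type %#x" % vtype)
    return out

def parse_kdbx_header(data):
    """Describe the unencrypted outer header of a .kdbx file: version, cipher, KDF cost."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    size_fmt = "<I" if major >= 4 else "<H"    # field length is u16 in 3.x, u32 in 4.x
    pos, fields = 12, {}
    while True:
        fid = data[pos]
        flen, = struct.unpack_from(size_fmt, data, pos + 1)
        start = pos + 1 + struct.calcsize(size_fmt)
        fields[fid] = data[start:start + flen]
        pos = start + flen
        if fid == END:
            break
    info = {"version": "%d.%d" % (major, minor), "header_end": pos,
            "cipher": CIPHERS.get(uuid.UUID(bytes=fields[CIPHER_ID]), "unknown")}
    if major >= 4:
        kdf = parse_variant_dict(fields[KDF_PARAMETERS])
        info["kdf"] = KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")
        if info["kdf"].startswith("Argon2"):   # memory-hard: each guess costs M bytes x I passes
            info.update(memory_mib=kdf["M"] // (1024 * 1024), iterations=kdf["I"], parallelism=kdf["P"])
        else:                                  # AES-KDF is still allowed in 4.x: R AES rounds per guess
            info["rounds"] = kdf["R"]
    else:                                      # 3.x is always AES-KDF; rounds live in field 6
        info["kdf"] = "AES-KDF"
        info["rounds"], = struct.unpack("<Q", fields[TRANSFORM_ROUNDS])
    return info

# Constructed sample headers: nothing encrypted follows them, they are not real databases.
def _field(fid, payload, size_fmt):
    return bytes([fid]) + struct.pack(size_fmt, len(payload)) + payload

def _vd_item(vtype, name, raw):
    return bytes([vtype]) + struct.pack("<i", len(name)) + name.encode() + struct.pack("<i", len(raw)) + raw

AES_UUID = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes
ARGON2D_UUID = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes
SAMPLE_KDBX4 = (
    struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 0, 4)
    + _field(CIPHER_ID, AES_UUID, "<I")
    + _field(KDF_PARAMETERS, struct.pack("<H", 0x0100)
             + _vd_item(0x42, "$UUID", ARGON2D_UUID) + _vd_item(0x42, "S", b"\x33" * 32)
             + _vd_item(0x04, "P", struct.pack("<I", 2)) + _vd_item(0x05, "M", struct.pack("<Q", 64 << 20))
             + _vd_item(0x05, "I", struct.pack("<Q", 8)) + b"\x00", "<I")
    + _field(END, b"\r\n\r\n", "<I")
)
SAMPLE_KDBX3 = (
    struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)
    + _field(CIPHER_ID, AES_UUID, "<H")
    + _field(TRANSFORM_ROUNDS, struct.pack("<Q", 60000), "<H")
    + _field(END, b"\r\n\r\n", "<H")
)
```

To inspect a real file, `parse_kdbx_header(open(path, "rb").read(4096))` is enough, since the outer header is a few hundred bytes. A KDBX 3.x file with a low round count is the case the hashcat article covers; a KDBX 4 file with Argon2 at tens of MiB per guess is what makes GPU cracking slow and is why "not sure works on KDBX 4" is the right caveat.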



Features to consider:

Don't use a browser's password-saving features: the security level is unknown, it has been exploited for tracking (third-party scripts plant an invisible login form, let the browser autofill it, and read the e-mail address out; see Gunes Acar's "Web trackers exploit browser login managers"), it's not cross-browser, features will be minimal, and it may be hard to back up and restore. Use a dedicated password manager application.

Don't use your OS's "keyring" features: it's not cross-platform, maybe not sharable across multiple machines, maybe hard to back up and restore, probably has a primitive UI. Use a dedicated password manager application.

Wikipedia's "Password manager"
Slant's "What are the best offline password managers?"
Alan Henry's "Five Best Password Managers"
How-To Geek's "Password Managers Compared: LastPass vs KeePass vs Dashlane vs 1Password"

Some free password managers:

KeePass (many forks: I use KeePassXC on Linux, Keepass2Android Offline on Android)
Bitwarden (uses server, either cloud or self-hosted; two-step login with an authenticator app is free, hardware-key login and the built-in TOTP generator need the paid tier)
Blur (more than just a password manager)
Dashlane (free plan limited to 50 passwords)
LastPass (not open-source)
MYKI (not open-source; must have phone for login ?)
pass
Password Safe (pwsafe / pwsafe)
gopass (more team-oriented)



I don't want a manager with a browser add-on that watches every web page I load; that increases the attack surface of both apps. And an offline manager is more secure.

I chose KeePass.



Android:

Some strange things on Android: there is no "log out" in the Yahoo Mail app; you have to "remove" your email account, and then when you add it back later, you're asked for your phone's PIN, not your Yahoo Mail password. Similar for GMail app, but even worse: removing your GMail account could affect many other services on the phone. ProtonMail app also has no logout; after password is given at installation time it never asks for password again. Reddit app has a "log out" button, but then when you log back in, it doesn't ask for a password, you're just back in ! The Tripadvisor, AirBNB, and FaceSlim apps do have a proper sign-in/sign-out behavior. The WhatsApp app has no sign-out at all. I guess you could use the browser and web sites instead of installing these apps, but then you lose a lot of functionality and nice UI.

Reasons to use a password manager on a smartphone, despite the app issues I listed:
From /u/VividVerism on reddit:
Logging into web pages. Signing into apps for the first time. Signing into apps after deleting data and/or reinstalling and/or factory reset. Banking apps and similar high-security apps that do require a password either to log in or confirm a purchase/transfer/etc. Storing Wi-Fi passwords. Having your passwords handy for manually logging into sites on computers you don't own, or while traveling. Storing things other than passwords, such as credit card information, social security numbers, or library card information. Installing plugins to let you transfer passwords via QR code or to plug your phone into a computer via USB to type your passwords for you. Using the TOTP features to generate 2FA codes instead of a dedicated app. Storing passwords for any new accounts you set up on your phone. Keeping a database backup with you.

I'm probably missing a few use cases. In short, yes: there are plenty of reasons a password manager can be useful on a phone.




Don't let Windows store passwords and apply them automatically. If someone cracked your Windows password, they would get automatic access to those things. I set my backup application to not "remember" me, so I have to log in to it manually every time I run it. If you have an encrypted external hard disk, don't let Windows hold the password and apply it automatically (auto-unlock); you should type it in manually each time you plug in the disk drive.

Don't let your browser store passwords and apply them automatically. The quality of their security is unclear, and that method works only inside that browser. Not sure how backup and restore would work. Much better to use a dedicated password manager application.



Passwords, from article by Jacob Bernstein in The New York Times, June 24 2012:

... it is less clear to cybersecurity experts that having a password with extra numbers or special characters actually makes customers safer.

"People's choice of passwords is not the real problem today", said Dr. Joseph Bonneau, a University of Cambridge researcher who studies cyber security. "The real problem is typing in passwords to the wrong Web site, which is stealing them."

So why are Web sites suddenly requiring users to add special characters or numbers ? "It's security theater", Dr. Bonneau said. "So people feel safe. It makes the Web sites seem like they're taking things more seriously, when in fact most of them have no control if you have malware. In absence of a way to tackle bigger problems, it's easy to add restrictions. They don't want to seem less secure than competitors."



New feature idea: ability to store and apply name+address info, credit-card info, bank-acct info:

Does any password manager support this already ? Maybe an idea for one to do:


New feature idea: ability to store and apply hierarchical info:

Does any password manager support this already ? Maybe an idea for one to do:

Some sites, such as Privacy.com, "contain" a second level of information, such as a list of virtual credit-cards. It would be nice to have one entry (e.g. for Privacy.com) that then contains N sub-entries (e.g. one for each virtual credit card). I'd like to have an easy way to paste a credit card's info into a web page.

Similar for a bank where you have multiple accounts: one entry for the bank site, then a sub-entry for each account, and an easy way to paste an account's info into a web page.

Maybe in a current password manager, you can do something similar by using Groups. I have a Group for each person in my family. Suppose I also had a Group for "my Privacy.com cards" ? Then each entry in the Group would be for one card inside my Privacy.com account.


KeePass



I chose:

General choices and use:



On Linux:

Tried various versions, ended up with Keepassxc (2.3.1+dfsg.1-1) from Mint's Software Manager:
Installed and ran Keepass2 password manager (2.38) from Mint's Software Manager, opened the database I brought over from Windows, works. But the usual key-shortcuts (Ctrl+F, Ctrl+U, Ctrl+V) don't work in Keepass. Looked at updating from 2.38 to 2.39, and the procedure looks ugly. Had to do "sudo apt-get install xdotool" to get auto-type to work.

Later tried FlatPak version (2.3.3) of KeepassXC. There is a Search field in upper-right but no way to limit search to just Title field, Ctrl+F and drag-and-drop a password don't work, Ctrl+U and Ctrl+V do.

Also there is a Snap version of KeepassXC. Keepassxc.org web page says install via "sudo snap install keepassxc", but had to do "sudo apt-get install snap" first, and then "sudo snap install keepassxc" failed anyway, said "sudo: snap: command not found".

Installed Keepassxc (2.3.1+dfsg.1-1) from Mint's Software Manager; there is a Search field in upper-right but no way to limit search to just Title field, Ctrl+F puts focus in the Search field, Ctrl+U and Ctrl+V work, drag-and-drop a password doesn't.

Installed Keepassx (2.0.3-1) from Mint's Software Manager; Ctrl+F makes a Search field appear but no way to limit search to just Title field, Ctrl+U and Ctrl+V work, no way to drag-and-drop a password.

Someone on reddit said to install "mono-complete" and then try Portable 2.39.1 from Keepass.info. It looks to be Windows-only, but after extracting it, run "mono KeePass.exe". But most things don't work: Ctrl+F, Ctrl+U, Ctrl+V, drag-and-drop.

Ended up staying with Keepassxc (2.3.1+dfsg.1-1) from Mint's Software Manager. Not happy: search is awkward, drag-and-drop doesn't work, no plug-ins. But one bonus: TOTP works. And someone on GitHub says searching will be fixed/better in next major release, 2.4.

Added "ppa:phoerious/keepassxc" to PPAs in Software Sources app.

So I chose KeePassXC 2.x, and use just the application; I don't install the KeePassXC-Browser extension (it exists, but a browser extension is exactly the extra attack surface I want to avoid).

Later I installed Eric's "Add URL to Window Title" browser extension. This is not KeePass-specific; it modifies tab titles in the browser so they include URL as well as human-readable title, which is useful for "global auto-type".

To enable "global auto-type", go to Tools / Settings, go to Auto-Type tab, click mouse into "Global Auto-Type Shortcut" field, then type ctrl+shift+A. Save. Later, if you want to disable it, put mouse in field and type Esc.

I auto-type username and password from KeePass application into login web page.

Turns out there are several ways to do auto-type:
I think if you have bookmarks only in KeePass, there is no point to using global auto-type, and no point to using the Eric's "Add URL to Window Title" browser extension.

In KeePassXC, you can see which accounts are/aren't using TOTP by going to the main table view of accounts, and sorting by "TOTP" column.

In KeePassXC, you can see which passwords are being used in multiple accounts by going to the main table view of accounts, right-clicking on "Password" column header and un-checking "Hide Passwords", and then sorting by "Password" column. That shows every password in clear on screen, so do it in private; KeePassXC 2.6 and later also have Database / Reports / Health Check, which lists reused and weak passwords without displaying them.

Someone says their KeePassXC started behaving a bit erratically when they put some large documents into the database and it got near 50 MB in size. Sizes below 20 MB at least work fine.



KeePassXC
Bug reports: keepassxreboot / keepassxc



KeePassXC can supply SSH keys to an SSH agent:
[I got this working, but later decided it wasn't worth it, I only have one SSH target I use, easy enough to copy and paste the password.]

See instructions in setevoy's "SSH: RSA keys, and ssh-agent for SSH keys and their passwords management"
Also setevoy's "KeePass: an MFA TOTP codes, a browser’s passwords, SSH keys passwords storage configuration and Secret Service integration"

Jack Wallen's "How to integrate SSH key authentication into KeePassXC"
VaLouille's "How to use KeePassXC with ssh-agent to secure private key access"
Marco Sarti's "Managing credentials with KeePassXC"
kvaps' "Store SSH Keys Securely"
Carl Tashian's "SSH Agent Explained"

  1. Set keys for a remote host:
    1. Maybe pick a free remote host for testing. https://shells.red-pill.eu/ ? I tried https://sdf.org/ but it didn't work right.
    2. On CLI, run "ssh remote_username@remote_host" to connect to remote host. Get warning that this is an unknown host, want to connect ? Type "yes". Get prompted for password. Type password. Get logged in. Type "exit" to get out.
    3. See that SSH has updated ~/.ssh/known_hosts to include an entry for that remote host (hashed, not encrypted, when HashKnownHosts is on, which it is by default on Debian-based systems).
    4. Run "ssh remote_username@remote_host" to connect to remote host. Get prompted for password. Type password. Get logged in. Type "exit" to get out.
    5. Now create keys to use with that host. On CLI, "ssh-keygen -t rsa". Get prompted to pick base filename for the key files (default: id_rsa gives files ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa, but it's clearer if you pick another name NAME_rsa). Get prompted to pick a passphrase for the private key. I just hit Enter, no passphrase. Files ~/.ssh/NAME_rsa.pub and ~/.ssh/NAME_rsa will be created.
    6. Copy the public key to the remote server: "ssh-copy-id remote_username@remote_host". Type password to log in.
    7. Run "ssh remote_username@remote_host" to connect to remote host. You should not be asked for the password. (Fails on sdf.org, still wants password. Works on another system.) Get logged in. Type "exit" to get out.

  2. Enable KeePassXC's SSH Agent integration (KeePassXC is not an agent itself; it is a client that adds keys to, and removes them from, the agent reachable through SSH_AUTH_SOCK):
    1. In KeePassXC, go to Tools / Settings / SSH Agent and check "Enable SSH Agent". Click Okay button. Quit KeePassXC and launch it again.
    2. On CLI, run "echo $SSH_AUTH_SOCK" to see which agent socket your session uses; "systemctl status | grep ssh-agent" should show "/usr/bin/ssh-agent" running.
    3. If no agent is running, "eval $(ssh-agent)" starts one, but only that shell gets its SSH_AUTH_SOCK; KeePassXC has to be launched with the same variable, so a session-wide agent is better.
    4. Run "ssh-add -l" or "ssh-add -L" to see all keys available through ssh-agent. The key created in the previous section should NOT be present.

  3. Store private key in KeePassXC:
    1. In KeePassXC, create an entry "NAME SSH" or something (name doesn't matter).
    2. Leave the username field empty (important).
    3. If the key is passphrase protected, put passphrase in the password/repeat fields.
    4. Go to the "Advanced" section of the entry and upload the NAME_rsa file as an attachment (file NAME_rsa.pub is the public key and file NAME_rsa is the private key). You probably have to navigate to your home directory and then type ".ssh/NAME_rsa" in the filename field, it won't show dot-directories.
    5. Go to the "SSH Agent" section of the entry and select the private key NAME_rsa in the Private Key / Attachment drop-down list.
    6. Click the "Add to Agent" button. (Fails if you still have GNOME Keyring installed.)
    7. Check the two check-boxes for "add key to agent when database is opened / unlocked" and "remove key from agent when database is closed / locked".
    8. Check the check-box for "Require user confirmation when this key is used". Not necessary, but it will help show that the key is coming from the right place, later.
    9. Save the entry.
    10. Run "ssh-add -l" or "ssh-add -L" to see all keys available through ssh-agent. The key created in the previous section should be present now.
    11. Rename files ~/.ssh/NAME_rsa.pub and ~/.ssh/NAME_rsa to same names with ".saved" appended. Do that for all *_rsa* files in ~/.ssh directory.
    12. Run "ssh-add -l" or "ssh-add -L" to see all keys available through ssh-agent. Should see no keys.

  4. Log in to remote host using key in KeePassXC:
    1. Have KeePassXC running.
    2. On CLI, run SSH to connect to associated server.
    3. Run "ssh remote_username@remote_host" to connect to remote host.
    4. The key does not need to know which server it is for: ssh offers every key the agent holds, and the server accepts whichever one matches a line in its authorized_keys (the one ssh-copy-id put there in the first section).
    5. You'll see a "okay to use key ?" dialog. [A bit strange: it will say "id_rsa" although that is not the name of any file or key ?] If you set a passphrase on the key, you'll have to type it. Click Okay.
    6. Get logged in. Type "exit" to log out.

I think there are four cases when you try "ssh remote_username@remote_host":
  • If ~/.ssh/*rsa* files don't exist, and KeePassXC is not running:
    you'll be prompted for the password.
  • If ~/.ssh/*rsa* files don't exist, and KeePassXC is running:
    you'll see a "okay to use key ?" dialog, click Okay, key from KeePassXC will be used.
  • If ~/.ssh/*rsa* files do exist, and KeePassXC is not running:
    you'll be logged in with no dialog and no password prompt.
  • If ~/.ssh/*rsa* files do exist, and KeePassXC is running:
    you'll see a "okay to use key ?" dialog, click Okay, key from KeePassXC will be used.

Dialog not shown if you un-check "Require user confirmation ..." in KeePassXC entry.

I think the advantages/disadvantages of the cases are:
  • If you store everything in KeePassXC, the private key exists only inside the encrypted database on disk and in the agent's memory while the database is unlocked (if you checked "remove key from agent when database is closed / locked").
  • If you store everything in ~/.ssh/*rsa* files, you don't have to type a password each time you do SSH, but an attacker only has to copy those files to get access (a passphrase on the key would make them work for it, at the cost of you typing it).
  • If you have neither ~/.ssh/*rsa* files nor KeePassXC, you have to type a password every time you do SSH.
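The four cases above can be checked from a script rather than by eye. This added example (not from KeePassXC or the articles above) speaks the ssh-agent protocol directly: SSH_AGENTC_REQUEST_IDENTITIES is the request `ssh-add -l` sends, and the SSH_AGENT_IDENTITIES_ANSWER lists every key the agent currently holds, so you can confirm that the KeePassXC key appears when the database is unlocked and disappears when it locks. SAMPLE_ANSWER is a constructed reply (a zeroed ed25519 public key, not a real key) so the parser can be exercised without an agent.

```python
import base64
import hashlib
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def _ssh_string(buf, pos):
    """Decode one SSH 'string' (big-endian uint32 length + bytes); return (value, next_pos)."""
    n, = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def key_fingerprint(blob):
    """OpenSSH-style fingerprint of a public key blob: SHA256, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_identities_answer(payload):
    """Parse an SSH_AGENT_IDENTITIES_ANSWER body into [(key_type, fingerprint, comment)]."""
    if payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %d" % payload[0])
    nkeys, = struct.unpack_from(">I", payload, 1)
    pos, keys = 5, []
    for _ in range(nkeys):
        blob, pos = _ssh_string(payload, pos)
        comment, pos = _ssh_string(payload, pos)
        ktype, _ = _ssh_string(blob, 0)           # the blob starts with its own type name
        keys.append((ktype.decode(), key_fingerprint(blob), comment.decode(errors="replace")))
    return keys

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf

def list_agent_keys(sock_path=None):
    """Ask the agent on SSH_AUTH_SOCK for its identities; the same request `ssh-add -l` makes."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set: no agent to talk to")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))  # length 1, type 11
        length, = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, length))

def _s(b):
    return struct.pack(">I", len(b)) + b

# Constructed reply for offline use: one ed25519 key whose 32-byte public part is all
# zeros (not a real key), with the comment the agent would report for it.
SAMPLE_BLOB = _s(b"ssh-ed25519") + _s(b"\x00" * 32)
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + _s(SAMPLE_BLOB) + _s(b"keepassxc test key"))

if __name__ == "__main__":
    try:
        keys = list_agent_keys()
        print("%d key(s) in agent" % len(keys))
        for ktype, fp, comment in keys:
            print(ktype, fp, comment)
    except (RuntimeError, OSError) as exc:
        print("no agent reachable:", exc)
```

Run it once with the database unlocked and once after locking it; with the two check-boxes from step 3 set, the key should be in the first listing and gone from the second. The fingerprint printed is the same one `ssh-add -l` shows, so it can be matched against the "okay to use key?" dialog. AF_UNIX sockets make this Linux/macOS only.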




KeePassXC can act as a "secret service" that supplies a password to an app or service over D-Bus:
[Got it working a bit, but haven't found an app that uses it, no naming standards, etc.]

See instructions in setevoy's "What is: Linux keyring, gnome-keyring, Secret Service, and D-Bus" (also here)
Also setevoy's "KeePass: an MFA TOTP codes, a browser’s passwords, SSH keys passwords storage configuration and Secret Service integration"
Later: setevoy's "Linux: gnome-keyring setup as Freedesktop SecretService"

Set KeePassXC as the Secret Service provider on the session bus (it claims the org.freedesktop.secrets name that gnome-keyring normally owns, so only one of the two can be active):
  1. In KeePassXC, use Group / New group to create a new top-level Group called "SecretService". Quit KeePassXC and launch it again.
  2. In KeePassXC, go to Database / Database Settings / Secret Service Integration. Click radio button for "Expose entries under this group" and select group "SecretService"". Click Okay button. Quit KeePassXC and launch it again.
  3. Someone says: in that group you've exposed, "never clone an entry there, libsecret will crash somehow!"

sudo apt install libsecret-tools

secret-tool store --label=SecretToolExample UserName username1 service secret
# it will prompt for the password you want to save
# should show up in KeePassXC group "SecretService" with Title "SecretToolExample"
# but instead shows up in Mint's "Passwords and Keys" app (Seahorse) under Passwords / Login
# retrieve the password
secret-tool lookup username username1 service secret

# get PID of process acting as secrets server:
qdbus --session org.freedesktop.DBus / org.freedesktop.DBus.GetConnectionUnixProcessID org.freedesktop.secrets
ps -f --pid THEPIDHERE

# this should NOT remove the data (under ~/.local/share/keyrings),
# but back it up first anyway
sudo apt remove seahorse
sudo apt remove gnome-keyring		# doing this removed skypeforlinux !
# gnome-keyring-daemon process still running; reboot
# [Much later, I re-installed Skype, which re-installed gnome-keyring,
# which seems to take priority over KeePassXC's secret service,
# can't get any info out of KeePassXC.]

# get PID of process fails; expected to see KeePassXC
# In KeePassXC Tools / Settings / Secret Service Integration I see no groups "exposed"

dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply  /org/freedesktop/DBus org.freedesktop.DBus.ListNames | grep 'org.freedesktop.secrets'
# gives nothing

sudo aa-disable /etc/apparmor.d/usr.bin.keepassxc
# NOW I can see keepassxc running as server

secret-tool search Title test1
# gives password and then core-dump !

# capture DBUS debug log output
dbus-monitor "interface='org.freedesktop.Secret.Service'" "interface='org.freedesktop.Secret.Collection'" "interface='org.freedesktop.Secret.Item'" "interface='org.freedesktop.Secret.Prompt'" > dbus.log

# if no server is running and I run
secret-tool search ... service secrets
# I get
secret-tool: ...ServiceUnknown: The name org.freedesktop.secrets was not provided ...

# all of these should result in entry found:
secret-tool search Title test1		# gives entry, then core-dumps
secret-tool search username user222		# gives nothing
secret-tool search Username user222		# gives nothing
secret-tool search label user222		# gives nothing
secret-tool search Label user222		# gives nothing
secret-tool search Password pass222		# gives entry, then core-dumps
secret-tool search URL test1.com		# gives entry, then core-dumps
secret-tool search URL test1.com service secret		# gives nothing
secret-tool search URL test1.com service secrets		# gives nothing

# all of these should result in entry found:
secret-tool lookup Title test1		# returns password
secret-tool lookup username user222		# gives nothing
secret-tool lookup Username user222		# gives nothing
secret-tool lookup label user222		# gives nothing
secret-tool lookup Label user222		# gives nothing
secret-tool lookup Password pass222		# returns password
secret-tool lookup URL test1.com		# returns password
secret-tool lookup URL test1.com service secret		# gives nothing
secret-tool lookup URL test1.com service secrets		# gives nothing

# if in KeePassXC, in a SecretService entry's Advanced tab, you add a new unique
# attribute such as "attr111" with value "value111", later you can do:
secret-tool lookup attr111 value111		# returns password

# these work
secret-tool store --label=test4 UserName user444 service secret  # set password to pass444
secret-tool store --label=test5 UserName user555                  # set password to pass555

# list all aliases
dbus-send --session --type=method_call --print-reply --dest=org.freedesktop.secrets /org/freedesktop/secrets/aliases org.freedesktop.DBus.Introspectable.Introspect

# the devs for secret-tools told me to try the newest version, but
# I can't figure out how to get it.  They say there's no standard for
# field names.  Searching by password is not supposed to be possible.

# what apps use libsecret ?
# https://wiki.gnome.org/Initiatives/GnomeGoals/LibsecretMigration
# network manager applet, disks utility
# I don't use the others.
# But I can't see anything on my Mint 19.2 system that is using it.
# Could install the KeePassXC-Browser extension to put info into
# web pages, but I don't want to do that, I like auto-type.
# Apps I'd like to have using libsecret: MEGAsync client, Skype, Thunderbird,
# VeraCrypt, OpenVPN client, Windscribe client,
# network manager (nm-applet, NetworkManager, NetworkManager.conf)



Other URL protocols:

In an entry, the URL can be of form:
cmd://bash -c "ls >/home/user1/111.txt"
cmd:///bin/bash -c "ls >/home/user1/111.txt"
cmd:///home/user1/tor-browser_en-US/Browser/start-tor-browser SOMEONIONADDRESS
Cmd is hard-coded into KeePassXC; all other protocols are just handed to xdg-open.
KeePass Help Center's "URL Field Capabilities"
Config file is ~/.config/keepassxc/keepassxc.ini

I want the ability to store an Onion URL in KeePassXC and launch Tor Browser if I say "open URL". There is a Tools / Settings / Browser Integration section, which knows something about Tor browser, but I don't think that's what I want. Only way to do what I want is to write the URL as a cmd:// URL ?

https://askubuntu.com/questions/514125/url-protocol-handlers-in-basic-ubuntu-desktop/739199
~/.config/mimeapps.list





On Windows:

I installed KeePass Password Safe 2.x.

KeePass Plugins and Extensions

Firefox add-on to support global auto-type and maybe allow additional checking: Eric's "Add URL to Window Title"

/u/Rafficer's "How to set up automatic login with 2FA and Two-Password mode with KeePass 2"



On Android:

I installed Keepass2Android Offline.

Connect cable to PC and copy KeePass database file to phone to get the file into Internal Storage / Android / Data, then have Keepass2Android Offline access it from there.

I worry that having the database on my Android phone means that any malicious app could copy it and send it to a server. Which defeats my "never put the database in the cloud" policy. One tactic that may help: rename the database file from "KeePassDatabase.kdbx" to something like "garbage.txt". KeePass doesn't care what the name is. Maybe avoid names that would trigger anti-virus or compression software, if you're using those. Caveat: renaming only hides the file from a search by file name; a .kdbx file starts with a fixed magic number and is easy to recognize by content, and any app with the storage permission can read shared storage, so the real defense is a strong master password with slow key-derivation settings.



Use KeePassXC as a "Bookmark Manager":

Instead of storing bookmarks in the browser, where potentially a malicious extension or a security hole or the browser vendor could grab them, store them in KeePass.

I have a top-level group for each person in my family. I added another top-level group for "MynameBookmarks".

Limitations: JavaScript bookmarks ("bookmarklets") have to stay in the browser. Also Firefox "keyword" bookmarks, such as being able to type "w michigan" in the address bar and having it automatically do a Wikipedia search on "michigan".


Exporting bookmarks from Firefox to KeePassXC:

  1. Export bookmarks from browser (Firefox) to an HTML file:
    ctrl+shift+O, Import and Backup / Export bookmarks to HTML.

  2. Copy or rename HTML file to input.txt.

  3. Hand-edit input.txt to delete first lines, from file start through "</H1>".

  4. Strip the attributes and tags with one sed script (each -e is one substitution, applied in order):
    sed -e 's/ ICON="[^"]*"//' \
        -e 's/ ICON_URI="[^"]*"//' \
        -e 's/ ADD_DATE="[^"]*"//' \
        -e 's/ LAST_MODIFIED="[^"]*"//' \
        -e 's/ LAST_CHARSET="[^"]*"//' \
        -e 's/<DT>//' -e 's/<\/DT>//' \
        -e 's/<DL>//' -e 's/<\/DL>//' \
        -e 's/<HR>//g' -e 's/<p>//' \
        -e 's/<H3 PERSONAL_TOOLBAR_FOLDER="true">/<H3>1/' \
        -e 's/<H3 UNFILED_BOOKMARKS_FOLDER="true">/<H3>1/' \
        -e 's/<H3>/"/' -e 's/<\/H3>/"/' \
        -e 's/<A HREF=/,/' -e 's/">/","/' -e 's/<\/A>/"/' \
        -e 's/  / /g' <input.txt >output.txt
    Caveats: a title containing a double quote or a comma breaks that line of the CSV,
    and HTML entities such as &amp; are left encoded; fix those by hand in step 5.
    
    http://sed.sf.net/grabbag/tutorials/sedfaq.txt

  5. Hand-edit output.txt to copy "groupname" to beginning of each bookmark's line.
    Format of each data line: "groupname", "url", "title"
    Remove any stray junk, blank lines, bookmarks that are JavaScript bookmarklets.
    Can't have any leading spaces on lines.

  6. Quit KeePassXC and save a backup copy of the KeePass database file.

  7. Launch KeePassXC and open your normal database.
    Select Database / Import / CSV file.
    Choose the output.txt file.
    It will say creating a new DATABASE.
    Select a temporary name and password (you will delete this database later).
    Get to an "Import CSV Fields" dialog.
    Set the pull-downs to match the CSV file: 1st column is Group,
    2nd column is URL, 3rd column is Title, other columns are "not present in CSV file".
    Do the import.
    See the new database.
    Tweak any group names.
    Maybe move them all under a single new top-level group called "Bookmarks" or something.
    Save the database.
    Quit out of KeePassXC.

  8. Launch KeePassXC again.
    Open your normal database.
    Select Database / "Merge from database".
    Select the new temporary database.
    Enter the password for that database.
    Groups get merged into your normal database.

  9. Make sure the data is there in KeePassXC, tweak names, test.

  10. Delete the new temporary database file.

  11. Delete the bookmarks out of Firefox.
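The sed pipeline plus hand-editing above works, but the group name has to be copied onto every line by hand, titles with a comma or a double quote break the CSV, and HTML entities such as &amp; survive into the import. As an added example (not from this page or from KeePassXC), a Python script that does steps 3 to 5 in one go with only the standard library: it walks the nested folders of the Firefox export, drops JavaScript bookmarklets, unescapes entities, and writes a CSV in the column order KeePassXC's importer offers (Group, Title, Username, Password, URL, Notes). The group column is a "/"-separated path starting at "Root", mirroring what KeePassXC's own CSV export writes; that root prefix is an assumption, so check the preview in the Import CSV dialog before committing. SAMPLE_EXPORT is a constructed export, not a real one; steps 6 to 11 above still apply to the resulting file.

```python
import csv
import io
from html.parser import HTMLParser

class FirefoxBookmarkParser(HTMLParser):
    """Walk a Netscape-format bookmark export: <H3> names a folder, the <DL> that
    follows it holds the folder's contents, <A HREF=...> is a bookmark."""
    def __init__(self, root):
        super().__init__(convert_charrefs=True)   # turns &amp; etc. back into characters
        self.root = root
        self.stack = []       # one entry per open <DL>: folder name, or None for the outer list
        self.pending = None   # folder name waiting for its <DL>
        self.current = None   # "h3" or "a" while inside that element
        self.href = ""
        self.text = ""
        self.rows = []

    def group_path(self):
        return "/".join([self.root] + [name for name in self.stack if name])

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "h3":
            self.current, self.text = "h3", ""
        elif tag == "a" and "href" in attrs:
            self.current, self.text, self.href = "a", "", attrs["href"]
        elif tag == "dl":
            self.stack.append(self.pending)
            self.pending = None

    def handle_data(self, data):
        if self.current:
            self.text += data

    def handle_endtag(self, tag):
        if tag == "h3" and self.current == "h3":
            self.pending = self.text.strip()
        elif tag == "a" and self.current == "a":
            url = self.href.strip()
            if not url.lower().startswith("javascript:"):   # bookmarklets stay in the browser
                self.rows.append((self.group_path(), url, self.text.strip()))
        elif tag == "dl" and self.stack:
            self.stack.pop()
        if tag in ("h3", "a"):
            self.current = None

def parse_bookmarks(html, root="Root/Bookmarks"):
    """Return [(group_path, url, title)] for every real bookmark in the export."""
    parser = FirefoxBookmarkParser(root)
    parser.feed(html)
    parser.close()
    return parser.rows

def to_keepassxc_csv(rows):
    """CSV in the column order the KeePassXC importer offers; the csv module handles quoting."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Group", "Title", "Username", "Password", "URL", "Notes"])
    for group, url, title in rows:
        writer.writerow([group, title, "", "", url, ""])
    return out.getvalue()

# Constructed sample export in the shape Firefox writes (not a real bookmark file).
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks Menu</H1>

<DL><p>
    <DT><H3 ADD_DATE="1577836800" LAST_MODIFIED="1577836800" PERSONAL_TOOLBAR_FOLDER="true">Bookmarks Toolbar</H3>
    <DL><p>
        <DT><A HREF="https://keepassxc.org/" ADD_DATE="1577836800" ICON="data:image/png;base64,AAAA">KeePassXC</A>
        <DT><H3 ADD_DATE="1577836800">Tools</H3>
        <DL><p>
            <DT><A HREF="https://example.com/?a=1&amp;b=2" ADD_DATE="1577836800">Example, with a comma &amp; ampersand</A>
            <DT><A HREF="javascript:alert(document.title)" ADD_DATE="1577836800">Show title</A>
        </DL><p>
    </DL><p>
    <DT><A HREF="https://www.sdf.org/" ADD_DATE="1577836800">SDF</A>
</DL><p>
"""

if __name__ == "__main__":
    import sys
    html = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    sys.stdout.write(to_keepassxc_csv(parse_bookmarks(html)))
```

Run it as `python3 bookmarks2csv.py bookmarks.html > output.csv` and import output.csv at step 7; the Group column already carries the folder path, so the hand-edit of step 5 is not needed.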

Two-Factor Authentication (2FA)



Some sites offer two-factor authentication: you can't log in unless you possess both knowledge (username and password) and a particular device (phone or dongle or token).

[Some additional pieces that really are just more types of knowledge: secret code to generate a TOTP, code-card, signature, security questions/answers, recovery codes.]

[Some additional factors that could be used to make multi-factor authentication: what you are (biometrics), where you are (location), what you can do (whistle a tune or write a signature ?), what time it is, some confirming authority (another person who is authenticated already). In fact, I wonder why no sysadmin-type services support location as a factor: let me set my account to "allow login only from IP addresses 23.n.n.n/8" ?]



Forms of 2FA, from best to worst:

If you have to use a phone-based method, I would choose one that doesn't depend on the cellular network, which can fail or be unavailable. Also, I'd rather not give my phone number to companies. Instead of SMS, use a TOTP app such as Google Authenticator, if supported. Save the secret seed (the long string you type in at the beginning) and any recovery codes, so if you lose the phone, you can install them on another phone.

All of the TOTP apps are compatible: Google Authenticator, andOTP, Authy, Authenticator Plus, more. I switched from Google Authenticator to andOTP because andOTP is open-source and not-Google, and Google Authenticator is specific to the phone (number) it is installed on. Also andOTP has a password protecting the app. Still I don't put sitenames and usernames and passwords into the app, so if someone gets the database they don't have enough info to find the accounts.
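The apps are interchangeable because they all implement RFC 6238 over the same base32 seed. As an added example (not from this page or from any of those apps), a minimal TOTP implementation in Python, checked against the RFC 6238 test vectors, plus the server-side check with the usual one-step tolerance; `seed_from_otpauth` pulls the seed out of the otpauth:// URI that the enrollment QR code encodes, which is the thing to save when you set up 2FA. SAMPLE_URI is constructed from the RFC test seed, not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

def b32_secret(seed):
    """Decode the seed the way apps accept it: spaces, lower case and missing '=' padding."""
    s = seed.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(seed, at=None, step=30, digits=6, algo="sha1"):
    """RFC 6238: HMAC(secret, floor(time / step)) -> dynamic truncation -> decimal code."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(b32_secret(seed), struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(seed, code, at=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step and `window` steps either side.
    That tolerance is why a phished or keylogged code stays usable for a minute or so."""
    now = time.time() if at is None else at
    candidates = [totp(seed, now + k * step, step, digits) for k in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)

def seed_from_otpauth(uri):
    """Extract the secret from an otpauth://totp/... URI (what the enrollment QR code holds)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    return parse_qs(parsed.query)["secret"][0]

# RFC 6238 Appendix B seed: the ASCII string "12345678901234567890", base32-encoded.
RFC_SEED = base64.b32encode(b"12345678901234567890").decode()
# Constructed enrollment URI using that seed (not a real account).
SAMPLE_URI = "otpauth://totp/Example:alice@example.com?secret=%s&issuer=Example" % RFC_SEED

if __name__ == "__main__":
    print("RFC vector at t=59:", totp(RFC_SEED, at=59, digits=8))
    print("code now from the URI seed:", totp(seed_from_otpauth(SAMPLE_URI)))
```

Two phones loaded with the same seed produce the same code at the same time, which is all "compatible" means here; it also means whoever holds the seed (the site's database, a backup, an exported QR code) can generate codes, which is the breach-at-the-server point made below.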

Some systems call themselves two-factor but really are just two-step, they don't require that you have a device such as a phone. They just send a code to your email or ask you more questions or something.



What sites support what kinds of 2FA ?
dongleauth.info



Anticipate problems:

With two-factor, check ahead of time to see what happens if: In some cases you'd have to contact each site/company and answer security questions to get them to set a new password and security ID on your account. This could be a real pain if you change phone number or upgrade to a new phone or laptop; you'd have to contact all of the sites/companies you use. Some systems have a way to print out verification codes to use if your device fails; don't skip this step when turning on two-factor security.

Eric Ravenscraft's "What Happens If I Use Two-Factor Authentication and Lose My Phone?"
Jack Stuart's "How my personal security backfired on me"

(Found these instructions for VeriSign VIP Access: "You need to save the VIP.tok from \Application Data\VIPAccess. You also need to save the registry keys HKLM\Comm\Security\Crypto\UserKeys\Microsoft Enhanced Cryptographic Provider v1.0\VipAccessKeyContainer and HKCU\Software\VIPAccess".)



None of the phone-number-specific solutions seem to work for cases where multiple people would be sharing the same account, or where you switch around a lot and carry only one of your multiple devices (phone, tablet, laptop) at a time. If you use a computer (non-phone) app, how would that work with multiple computers (home desktop, work desktop, laptop) ?



Scams still are possible:

Note that any two-factor that requires the user to type in a code still is vulnerable to phishing or scamming. A keylogger could record the code as it is typed in, or the user could be typing it in to a bogus web page, or the user may be fooled into reciting the code to a "tech support" scammer on the phone. Time-based two-factor is less vulnerable, since the thief would have to use the code within 60 seconds or so. Tokens or software that connect directly (USB, NFC, etc.) to the computer/phone probably are less vulnerable than typed codes.

Note that software TOTP two-factor still is vulnerable to a breach at the server. If the company loses its database of passwords and TOTP secret seeds, the hacker can generate valid codes and get into your account. But software TOTP two-factor does defend against you reusing passwords across multiple sites, against a keylogger listening to your typing (the hacker would have to use the captured code within 60 seconds or so), and against brute-forcing.



Convenience vs Security, limited by Choice:

Choice: Many sites only support SMS 2FA, or use a custom code-card, or have some custom 2FA app. And U2F is not widely supported as of 1/2020, I think. So you can't just pick one strategy and use it everywhere. Which is a pain.

Convenience: I use good passwords and software TOTP, and save the TOTP secret and recovery codes. But I store all of that stuff in one password manager database. That's very convenient: find one entry in the database, hit one key-combination to open URL, another key-combination to apply username and password, another key-combination to apply TOTP, and I'm in. But it's not very secure; if someone cracks that database or I leave it open, they get everything. It's not really two-factor. Tradeoffs:

I do everything inside KeePassXC. It's less secure but vastly more convenient.

It's not true two-factor, but still it adds some security:


Security: Would be best to: But that's less convenient: any time I want to log in to site X, I have to find X in both the EVERYDAY password manager and in the hardware token (maybe a browser extension could do this for me, but I don't like browser extensions, I want to keep some distance between password manager and apps). And any time I update a password or something, I have to update 2 or 3 places.



What I want is a password manager that can: I don't think a password manager with all of those features exists today ?

Alternative idea from someone: instead of storing recovery codes and security questions/answers etc in a second password manager database, store them in encrypted attachment files stored inside the (only) password manager database.



Lucian Constantin's "5 things you should know about two-factor authentication"
Stuart Schechter's "Before You Turn On Two-Factor Authentication ..."
Wes Siler's "Traveling With Two-Factor: How To Access Your Accounts Abroad"
Emily Price's "Always Carry Your Google Account's Two-Step Verification Codes With You"



Need US phone number while living outside USA:
I'm a US citizen residing in Spain. Some US sites support only US phone numbers, either for registration or voice call or SMS.

There are many services that will give a temporary phone number for receiving an SMS message. But I need a permanent number.

Google Voice only gives numbers if you're in US and already have a US phone number, I think. And is not free. Someone said "you can buy already-verified Google Voice accounts online. You'll need to use a VPN showing your location in the US though." But I don't know if that's a good idea.

See the Virtual phone numbers section of my Computer Security and Privacy page.



Hardware 2FA device possible features:

Hardware 2FA devices:

It seems U2F is the newest, best protocol, but not supported everywhere quite yet.
Nick Parlante's "The Unofficial FIDO U2F FAQ"

USB is needed for PCs; NFC is needed for phones.

Kim Schulz's "Security keys - everyone should have at least one!"

Question about a hardware device: can you get N clones of the same device, or is each device unique ? Having N clones would be more convenient: register once on each account, and then all N keys work for that account, and one key could be kept in deep storage (safe-deposit box) to guard against catastrophe. But maybe a "clone" capability represents a vulnerability, or prevents an audit trail. With unique devices, you'd have to register all N of them with each account, and I think you'd have to retrieve a key from deep storage to register it on a new account. [I'm told: clones are explicitly outlawed in the U2F standard, and there is a counter in each key that can be used to detect duplicates, and maybe invalidate the key. So not possible. But then I'm told there may be a dodge around this: Dmitry Frank's "Reliable, Secure and Universal Backup for U2F Token" ]

As of mid-2020, KeePass apparently does not yet support using a FIDO U2F key to unlock the password database.



Important places to use two-factor authentication:



Downsides of two-factor authentication:
Russell Brandom's "Two-factor authentication is a mess"



My experience with Symantec VIP hardware token starting 2/2018:


Got it for free from my main bank. Push a button, it generates a 6-digit number, which changes every 30 seconds or whatever. This is called a Time-based One Time Password (TOTP).

For my bank, activated it online by logging in, going to a Security page, and then giving serial number of token and current 6-digit number. Then when logging in, just add the current 6-digit number to the end of the password. If I lose the security token, I can call the bank and answer lots of questions, and they'll deactivate it for login.

The Symantec web site says one of the sites that uses "Symantec VIP" is PayPal, but the PayPal site seems to say only SMS is supported, not the hardware token. Same thing with EBay USA, Symantec claims support but then token is not supported by the site.

Fidelity funds does support this token, but the Fidelity retirement unit where I have an account does not support it.

My credit union does not support two-factor of any kind.

None of my three email providers support this device; 2 of 3 support no hardware devices at all. Facebook and reddit don't support this kind of device. Transferwise doesn't support hardware devices. IDrive doesn't really do two-factor. Veracrypt doesn't do two-factor.

Maybe login to the KeePass password manager can be set to use TOTP, via "OtpKeyProv" extension ? But I don't want to do this. If I lost the security token, I'd have no way to recover, other than having previously saved a copy of the database that did not require the security token.



/u/Rafficer's "How to set up automatic login with 2FA and Two-Password mode with KeePass 2"



A way (using Linux) to make a software-TOTP equivalent of a Symantec VIP hardware-TOTP token:

Chef-Koch's "How To use TOTP with your PayPal account".

The "This credential expires on this date" feature is worth noting.

Couldn't get it to install properly, using "sudo pip install .". Then did "sudo apt install docker.io" and that seemed to work. Did "docker run --rm kayvan/vipaccess provision -p -t VSST", and got "Command 'docker' not found". Dev said do "pip install setuptools". Got further, to some error about "oauth bdist_wheels". Did "pip install wheel".

From home directory, did ".local/bin/vipaccess provision -p -t VSMT". Worked ! Copied "otpauth://totp/VIP%20Access:VSMTXXXXXXX?digits=6&secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&period=30&algorithm=SHA1&issuer=Symantec". Put info (including expiration date) into my KeePass password manager, went to PayPal and activated TOTP using Symantec VIP 30-second, logged out of PayPal and back in using TOTP, worked !



Patrick Lucas Austin's "How to Boost Your Game Console's Security"




Miscellaneous



This page updated: October 2019