Password safe in the cloud?
You might ask, “Isn’t it a bit risky to store your password safe in the cloud?” The short answer is “Yes.” The long answer is “Yes indeed!” So why would the security-minded admin want to sync KeePass to the cloud? Well, sometimes you have to take risks if you want to improve your productivity. More and more of the services I use on Windows I also need on Android, and vice versa. Because I currently have 100+ different passwords for different services, no other convenient way exists to manage my passwords. I also like that I can always bring my passwords with me and easily access them everywhere in an emergency. (Another solution I am currently considering is the use of a master password tool. I will cover this topic in my next post.)
You can take a few security measures to help you remedy the risk. A very secure master password is one. Another is to use a key file for your KeePass database. Of course, this only makes sense if you don’t store the key file on your cloud drive; you have to copy it manually to your phone. Another option, one that Keepass2Android supports, is to store the key file on a second cloud drive on which you (I hope) use another password.
If someone manages to download your KeePass database from your cloud drive, he would still need the key file from the second cloud drive and your master password. This doesn’t completely eliminate the risk because KeePass could contain security holes that an attacker might be able to exploit, but you have to draw the line that separates security awareness from paranoia somewhere.
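To make the key-file argument concrete, here is an added Python example (not from the post, KeePass, or Keepass2Android) modelled on KeePass's composite-key construction: each component is reduced to 32 bytes, the components are concatenated and hashed again, so a database protected with both cannot be opened with the master password alone. It is simplified: XML key files are not handled and the later key-transformation rounds are omitted.

```python
import hashlib
import re
from typing import Optional


def keyfile_component(data: bytes) -> bytes:
    """Reduce a key file to its 32-byte component, following the rules KeePass
    applies to non-XML key files: a 32-byte file is used as-is, a file holding
    exactly 64 hex characters is hex-decoded, anything else is SHA-256 hashed.
    XML key files (simplification) are not handled here."""
    if len(data) == 32:
        return data
    if len(data) == 64 and re.fullmatch(rb"[0-9A-Fa-f]{64}", data):
        return bytes.fromhex(data.decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(master_password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Composite key = SHA-256 over the concatenated components, in the order
    password hash, then key-file component. Leaving out the key file changes
    the input to the final hash, so the password alone yields a different key."""
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_component(keyfile)
    return hashlib.sha256(material).digest()


def can_unlock(expected_key: bytes, master_password: str,
               keyfile: Optional[bytes] = None) -> bool:
    """Defender-side check: both factors have to be present and correct.
    Compared in constant time so the comparison itself leaks nothing."""
    import hmac
    return hmac.compare_digest(expected_key, composite_key(master_password, keyfile))


if __name__ == "__main__":
    # Constructed sample key file: 32 raw bytes, as KeePass can generate them
    sample_keyfile = bytes(range(32))
    db_key = composite_key("correct horse battery staple", sample_keyfile)
    print("password + key file :", can_unlock(db_key, "correct horse battery staple", sample_keyfile))
    print("password only       :", can_unlock(db_key, "correct horse battery staple"))
```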
Sync KeePass to Dropbox
I have been using KeePassDroid, the most popular KeePass-compatible Android app (according to the Google Play statistics), for quite a while. I recently moved to Keepass2Android, mostly because it allows me to sync the KeePass database with my cloud drive more conveniently. Keepass2Android supports Dropbox, OneDrive, Google Drive, SFTP (SSH file transfer), FTP, HTTP (WebDav), and HTTPS (WebDav). In addition, you can load the KeePass database from a third-party Android app. Of course, you can also store database files locally on your phone. In this case, you might prefer Keepass2Android Offline, which doesn’t support cloud syncing.
Supported cloud drives
I always feel somewhat queasy when I allow an Android app to access Dropbox. It is not just that you have to trust the developer of the app. The app might contain vulnerabilities that another app could exploit. Keepass2Android has a nice feature that can ease your queasiness a little. You can restrict the password safe app to just one folder on your Dropbox where you store your KeePass database. This feature isn’t available for the other cloud drives.
Merge KeePass database
After you give Keepass2Android access to your cloud drive, you can browse your folders for the KeePass database. How is this different from just opening the database from your cloud drive app with KeePassDroid? The main point here is that Keepass2Android will always get the latest version of the database from the cloud when you open the app. Of course, this is only possible if you are online. If not, Keepass2Android will get the database from its cache. If you want to open the latest KeePass database in KeePassDroid, you first have to navigate to the database file in the cloud drive app.
Another difference is that Keepass2Android automatically uploads changes in the database to the cloud drive. This can cause syncing problems if you changed the KeePass database under Windows. Before Keepass2Android saves the database to the cloud, it first checks if the database has been modified and, if it detects changes, it asks if you want to merge the two databases. Because KeePass has a similar feature, you can, in theory, use the KeePass database from two different devices simultaneously. In practice, this can mean that you lose changes if you edit the same entry on both devices before the databases are synced.
Merge KeePass database changes
It therefore makes sense to ensure that changes to the KeePass database are automatically saved. In Keepass2Android, this is the default setting. In KeePass, you can work with triggers to enable auto-save. First, you have to copy this XML file to your Windows clipboard. Then, you open the Triggers dialog window from the KeePass Tools menu. On the Triggers window, you have to click Tools and then Paste Triggers from Clipboard.
Auto-save for KeePass
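The lost-update case from the merge paragraph above, as an added Python example (not code from the post or from either app), modelled on KeePass's synchronize behaviour where the copy of an entry with the newer modification time wins: two devices edit the same entry before syncing, and a three-way comparison against the last synced copy flags the edit that a plain timestamp merge silently drops. The entry structure and timestamps are constructed sample data.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Entry:
    uuid: str            # KeePass matches entries across copies by UUID, not title
    title: str
    password: str
    last_modified: datetime


def synchronize(local: dict, remote: dict) -> dict:
    """Two-way merge: per UUID the copy with the newer last_modified wins and
    entries present on only one side are kept. Nothing is ever flagged, which
    is why a concurrent edit of the same entry is lost without warning."""
    merged = dict(local)
    for uuid, theirs in remote.items():
        mine = merged.get(uuid)
        if mine is None or theirs.last_modified > mine.last_modified:
            merged[uuid] = theirs
    return merged


def conflicts(base: dict, local: dict, remote: dict) -> list:
    """Three-way check against the last synced copy: UUIDs changed on both
    sides since then are exactly the edits a timestamp merge overwrites."""
    changed_local = {u for u, e in local.items() if u not in base or e != base[u]}
    changed_remote = {u for u, e in remote.items() if u not in base or e != base[u]}
    return sorted(changed_local & changed_remote)


def edit(db: dict, uuid: str, at: datetime, **changes) -> dict:
    """Return a copy of db with one entry changed and its timestamp bumped."""
    new = dict(db)
    new[uuid] = replace(db[uuid], last_modified=at, **changes)
    return new


def scenario():
    # Constructed sample database, last synced to the cloud drive at 09:00
    t0 = datetime(2021, 3, 1, 9, 0)
    base = {"mail": Entry("mail", "Mail", "mail-pw-1", t0),
            "vpn": Entry("vpn", "VPN", "vpn-pw-1", t0)}
    # Windows rotates the mail password at 09:05; Android, still on the old
    # copy, rotates it again at 09:07 and also changes the VPN entry at 09:08
    windows = edit(base, "mail", t0 + timedelta(minutes=5), password="mail-pw-win")
    android = edit(base, "mail", t0 + timedelta(minutes=7), password="mail-pw-droid")
    android = edit(android, "vpn", t0 + timedelta(minutes=8), password="vpn-pw-droid")
    return synchronize(windows, android), conflicts(base, windows, android)
```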
Keepass2Android has a few other noteworthy features. If you have previously used a password safe app on Android, you’ll have noticed that it is not as convenient to use as under Windows. The auto-type function of KeePass allows you to automatically send username and password as simulated key presses to the dialog window of the application that requires authentication.
KeePass can identify the application window by its title. This way, you can enter username and password just by hitting the auto-type hot key. The common way in Android is to add username and password to the notification bar, where you can copy one after the other to the clipboard and then paste into the application. This means you have to switch back and forth between the app and the password manager several times.
Keepass2Android also supports the clipboard method, but you can avoid this cumbersome procedure if you use the app’s keyboard. After you tap the KP2A key on the Keepass2Android keyboard, the password manager opens a dialog window. You can then either open Keepass2Android to select an entry or let the password tool search for the app that wants you to enter your credentials.
Keepass2Android keyboard and auto-type
After you find the right account entry, a KP2A bar appears below the authentication window with keys for the user and the password. This is not as convenient as with KeePass under Windows, but it is better than KeePassDroid’s solution and offers some protection from key loggers. Unlike KeePass, Keepass2Android cannot identify websites in browser apps. I guess this is not possible in Android because the URL doesn’t appear in the title bar of the browser app.
Another noteworthy feature is QuickUnlock. Keepass2Android locks the database after a configurable timeout period, and you have to enter your master password again if you need the credentials of another account. If you enable QuickUnlock, you can just enter a configurable number of characters from the end of the master password. The default setting is three characters, which is a bit short for my taste.
Note that QuickUnlock is only available after you have unlocked the database with the complete master password when you first launch Keepass2Android. The app reminds you that QuickUnlock is enabled with an ongoing notification. Once you have closed the database manually, you will have to enter the complete password to open it again. Also note that changing the key length for QuickUnlock only takes effect after you have closed and reopened the database.
Keepass2Android has a few features and settings I didn’t cover in this review. Check out this comparison table between Keepass2Android and KeePassDroid for additional differences.
What’s your favorite password manager? Do you store your password safe in the cloud?
In my next post, I will discuss a password management solution that doesn’t require you to save passwords in a database and, therefore, also frees you from syncing your password safe.