I recently had a colleague ask which password manager app I use.  My answer kind of surprised me.  Ever since Microsoft Edge moved to the Chromium engine I have almost exclusively used Edge for all my browsing, even on my phone.  I still keep Chrome and Firefox for troubleshooting in cases where web sites or web apps don't work well in Edge.  I used to also use Internet Explorer for that purpose, but Windows 11 effectively killed that off.

One interesting thing that happened along the way is that Edge has become more granular in its security controls.  You can even set permissions on a per-site basis.  As a result of this added security focus, it now also checks your saved passwords for weak passwords and against lists of leaked passwords from the dark web.

Some more background.  Once in a while I'll find out that some site I have an account on has been hacked.  One day my identity theft monitoring service sent me an email saying that my email address and password, which I used on several sites, had been leaked.  So I signed into Edge to start the process of changing my passwords.  Since I religiously save passwords in Edge so they sync to all my devices, I went into Settings > Passwords to find which sites I had saved with the leaked credentials.  At that point I realized there's actually a built-in scanner that checks your saved passwords against lists of exposed credentials and lets you know which ones need to be changed.

This was helpful, as it highlighted the sites I needed to secure.  Also, the interface lets you view the saved passwords after entering your password or PIN.  You can then click a link to change the password, which opens a new tab at the URL of the site.  I had the option enabled to suggest strong passwords, so as I started to change my password I saw the prompt to suggest one.  I clicked it and got the usual computer-generated password.  Edge then saved that password in the browser, so now anywhere I use Edge I don't know the password myself, but it is autofilled for me.  After that I was hooked, so I went through and did the same thing for every site I log into, with the exception of sites that I access via an Android app.  For those I just created my own new passwords.

And like that, Microsoft Edge became my password manager.  But that's not all.  I still needed a way to manage those new passwords that I use with my apps.  Enter KeePass2.  KeePass2 is a free, open source password manager.  It lets you create an encrypted password database that you can sync across your devices.  The bonus is that you can do this without having your passwords stored in the cloud, where you are relying on a third party to keep that data safe from hackers.  So you don't have to worry about seeing a headline one day that LastPass, for example, was hacked and everyone's credentials were stolen.  The specific version I use on my phone is called Keepass2Android and can be found on the Google Play store at Keepass2Android Password Safe – Apps on Google Play.  It supports biometrics, so you can use your fingerprint or face or whatever your phone offers to unlock it, and it even supports Yubikey (TOTP), in case you want to use a physical token to unlock it.

But it really isn't fun tapping usernames and passwords into a smartphone.  This is where KeePass excels.  There is a Windows application that you can download from Downloads – KeePass (www.keepass.info).  You create a database and a key file.  During the process you even drag the mouse and click to "draw" random bits of information to randomize the key file and make it more secure.  Once the database is created you can enter all your credentials into the app and save it.  This is where the beauty is.  You can then share the database file via Dropbox, Google Drive, etc.  So, in my case, I created my database in my Dropbox folder.  I then store the key file in a different location, and when I open KeePass I tell it where to find the database file and where to find the key file.  I then log in with my password or token.  On the phone side, I install the Dropbox app, tell it to keep the database file local on the phone, and copy the key file to the phone separately.  Then I tell Keepass2Android where the files are and use my password or token to log in.
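The point of keeping the key file out of the synced folder is that the database is only as protected as the combination of password and key file.  As an added illustration (not KeePass's own code, and not the real KDBX format or KDF), the block below models how a password and a key file are hashed into one composite key, and encodes the layout rule from the paragraph above: database in the synced folder, key file somewhere else.  The password and key file bytes are constructed samples.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed sample inputs for the illustration (not real secrets).
PASSWORD = "correct horse battery staple"
KEY_FILE_BYTES = secrets.token_bytes(32)   # a raw 32-byte key file


def key_file_component(data: bytes) -> bytes:
    """Key component derived from the key file contents.

    Assumption for this illustration: a 32-byte file is used as-is and
    anything else is reduced with SHA-256 (KeePass's XML and hex key-file
    formats are not modelled here).
    """
    if len(data) == 32:
        return data
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Hash each factor separately, then hash the concatenation.

    Whatever factors the database was created with must all be present:
    the password alone, or a different key file, yields a different key,
    so a copy of the database taken from the cloud is useless by itself.
    """
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_component(key_file)
    return hashlib.sha256(parts).digest()


def layout_is_safe(db_path: str, key_path: str, synced_dir: str) -> bool:
    """True when the database lives inside the synced folder (so it reaches
    every device) but the key file does not (so a cloud breach exposes only
    one of the two factors)."""
    synced = os.path.abspath(synced_dir)

    def inside(path: str) -> bool:
        return os.path.commonpath([synced, os.path.abspath(path)]) == synced

    return inside(db_path) and not inside(key_path)
```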

Using this system I can enter my passwords on my computer and access them on my phone.  But I could also put them on a laptop, tablet, another computer, etc.  Where this really comes into play is with apps.  The Microsoft Edge app for Android does a good job of suggesting your saved passwords, but there are times when you're using an app to access a service instead of its website.  In that case it becomes easier to find the password for that service using a password manager like Keepass2Android.  And since it's a local database, you can access your passwords even without a signal.  And with KeePass you can enter other things besides passwords, so you could use this "vault" to store other private information like account numbers, access codes or, in my case, the combination to my bicycle lock.

Tell me, what do you use to manage your passwords?
