How I securely sync my passwords (and why you should, too)
With an uber-geeky bonus: How I synced my Enpass passwords over my Synology NAS using WebDAV
You need a password manager that syncs
Let’s begin with what I hope will be a useful review.
You should be using a password manager. What’s that, and why? A password manager simply holds all your passwords and makes them easily available to you. You need one because (a) you need to have strong passwords, or else your web accounts (which can contain really sensitive info) can be easily cracked; (b) passwords, to be strong, must be different on every site and very complex (and so hard to memorize); (c) you can’t possibly memorize that many strong passwords; (d) copying and pasting passwords from some plain-text repository, let alone typing them in, is a pain nobody needs.
Password managers solve all these problems for you. They (a) check that your passwords are strong; (b) make it super-easy to generate strong new ones; (c) make them all available if you simply memorize one strong password; (d) auto-fill your passwords in forms on all your devices.
But in our multi-device lives, there’s yet another problem: you need to sync your passwords across your desktop, laptop, and mobile devices. It’s a royal pain, isn’t it? Of course it is. How do you do it? Well, let’s talk about some suboptimal solutions, to help explain why I went to some rather great lengths.
You could shuffle a document back and forth between devices, e.g., by email or a messaging app. But that’s a royal pain.
If you’re more clever, then you’ll have a single document that is accessible using all devices. For example, maybe you keep yours in a Google Doc. That would be a bad idea, because Google employees could easily see your passwords, and if anybody else got a hold of the document, they can just make a copy and you’d be none the wiser. You really need an app, not a document.
This is why password manager apps work on computers as well as handheld devices, on multiple platforms. The one I use, Enpass, is open source software (UPDATE: oops, no it’s not: discussion.enpass.io/index.php?/…) that works on pretty much every consumer platform. But how do the passwords get synced? Each instance of the app, on your different devices, has its own copy of your password data. Well, the even cleverer solution then is to sync your passwords “in the cloud.” The password manager software company will hold your passwords for you, as a service, on their servers. That’s “the cloud” in action. Then, if you’re on your desktop PC and you update your password manager with a new password, the change is quickly reflected on your phone, where you can use it quite easily. Neat!
Your password manager should use zero-knowledge encryption for syncing, at least
Here’s the thing. The cloud is kinda evil. I know that’s a cranky sort of thing to say, but I’m getting old and therefore I’m permitted to say cranky things.
I am only slightly joking. The evilness of the cloud is actually rather well demonstrated by the situation with password managers.
Suppose your passwords are sent, via an encrypted connection, to the company’s servers. Suppose they’re even encrypted there, making it especially difficult for anyone to hack your password collection. But you still have to trust two things: the honesty of the password management software company, and their own security practices, which ensure that external forces cannot hack into their (encrypted) database.
There’s a very cool bit of tech you can look for in password managers that solves the latter problem very handily: zero-knowledge encryption. Basically, the company stores a completely encrypted copy of your passwords on their servers. They couldn’t read it even if they wanted to, because they don’t have the key to unlock it. Only you can unlock the data file, because only you have the key. Neat, huh?
(It’s called “zero-knowledge,” obviously, because the company doesn’t know anything about the information stored on their servers. They know it belongs to your account, but that’s it. All cloud services should use zero-knowledge encryption, but very few do. Ask yourself why they don’t.)
Now, this is probably adequate security for most people. But it’s not good enough for me. I don’t want the password manager company to touch my passwords. They’re very valuable, right? You still have to trust the company; there’s all sorts of things that could go awry, or they could intentionally update the software in a way that would undo the encryption. (Or maybe just for select users that the government asks to spy on. If I lived in China or Saudi Arabia or were a spy or government whistleblower, I’d worry a lot about this.)
Use FOSS and self-host, if you want to be an uber-geek
One of the great things about FOSS (that’s geek-speak for “free, open source software”) is that nobody has ultimate control over it, because anybody can fork it, i.e., make their own copy and take development in a different direction. That’s because the license specifically permits that, and the development happens all out in the open. If the project is big enough, then there are at least several (sometimes, hundreds of) developers looking at new code being checked in. If somebody checks in something that’s dangerous or privacy-violating, the FOSS developers (a notoriously privacy-jealous bunch) will put a stop to that noise in short order.
So if you want to use zero-knowledge encryption in your password manager, great, but make sure the software is FOSS, because then it becomes even harder for people to play tricks with the software.
You know what would be even better, though? If you never have to transfer your encrypted password file to somebody else’s server in the first place. In other words, host it your own damn self.
But how, you ask? Well, there aren’t very many solutions that are available to the non-geeky. In fact, I’m fairly sure all of the self-hosting solutions push the needle fairly high on the geekometer.
If you want to self-host and you want your password database to be accessible to all your devices, regardless of where you are, what does that mean you have? A server. There are a couple ways to set up your own server.
One is to use your desktop computer (or even an old laptop) and plan on leaving it on all the time. You could install NextCloud on the machine, which transforms it into a server. Like, wow, that’s cool. If you’re a geek. But because geeky things are now cool, that’s just cool, period.
Another is to use a NAS, or some other dedicated server, i.e., a computer that is specifically set up to talk to other computers over your LAN (local-area network; your home or office network) and over a WAN (wide-area network; here, the Internet).
Bonus: How I set up my Enpass passwords to sync over my Synology NAS using WebDAV
I’m not going to give you all the steps in detail.
1. You need to get an SSL certificate for your server, i.e., the thing that allows you to use https: and not just http:. Why? Because you’ll be using WebDAV to update information on your NAS, and WebDAV (being an Internet protocol) needs to be made more secure by encryption. While your data should be encrypted by your password manager, another layer of encryption is important. So get this done. By the way, Synology comes with a self-signed certificate, which will make Enpass complain. You’ll have to check a box saying that you want to ignore this complaint. But you shouldn’t do that.
By the way, if you don’t have a permanent URL for your NAS (for this, you’ll have to use DDNS), you’ll have to solve that problem first. You can’t use an IP address.
2. Set up a WebDAV server on your NAS. In other words, a server process on your server device. WebDAV, as Everipedia puts it, “is an extension of…HTTP that allows clients to perform remote Web content authoring operations.” In other words, it allows software to update data files remotely, if the software is given permission and the data files are set up to be updated using the protocol.
On my Synology device, the steps I followed are these (great tutorial here):
- Install the WebDAV Server package, located in the Package Center.
- Open the WebDAV Server interface, enable both HTTP and HTTPS, and assign them the ports 5005 and 5006, respectively.
- Create a ‘webdav’ user (see the above-linked tutorial for important details; make sure you get the permissions stuff right).
- Create a ‘webdav’ group as well (ditto).
- Create a ‘webdav’ or ‘upload’ (or whatever) folder. You’ll specifically need to grant read/write permissions to the ‘webdav’ user for that folder.
- To confirm that your new webdav user can use the folder, drop a picture, say kitten.jpg, into the webdav folder. Then go to https://your.nas.address:5006/webdav/kitten.jpg. Note: use https, not http, use the ‘5006’ port number, and use the name of the directory you created before. If, when you try to pull that address up in a browser, you’re prompted to log in, groovy, you’re halfway there. Then put in your webdav user credentials (not your admin credentials), and you should be able to see the picture. If you can, coooooool. Again, the above-linked tutorial has other things you can try to confirm your connection.
- Next, open Enpass (or another password manager that supports WebDAV). In Enpass, go under the gear menu > Vaults > Primary (or whatever you want to sync via the NAS). Then you’ll be able to choose from a number of sync options. Choose “WebDAV”. You’ll next have to put in your ‘webdav’ user authentication info, and for the address, you’ll want to use the address given above. I further made an Enpass directory inside that, and tacked that onto the end of the URL, so I got something like this: https://your.nas.address:5006/webdav/Enpass/. This is important to get right. Then press “Connect” to try it out. With luck, you’ll be connected.
- To test that things are syncing, open a copy of the password manager on a different device and repeat the previous step. Make a small change in one copy, press the sync button/icon in the upper left (which has changed to a “server” icon, which I thought was a nice touch), go to the other copy, press the sync button there too (because you’re impatient), and then see if the change is reflected in the second copy. If it is, you’re done.
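As an added illustration (my own code, not from the original post and not Enpass’s), here is the kitten.jpg check done programmatically: a Python probe that issues a WebDAV PROPFIND against the sync folder over HTTPS with certificate verification kept on, then parses the folder listing the NAS returns. The host name, port 5006 and the ‘webdav’ user come from the steps above; the `probe` helper and the sample listing are assumptions, and `cafile` is how you trust the NAS’s self-signed certificate explicitly instead of ticking the “ignore” box.

```python
import base64
import http.client
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DAV = "{DAV:}"  # the WebDAV XML namespace in ElementTree's Clark notation


def parse_webdav_url(url):
    """Split the sync URL into (host, port, path); refuse anything but https."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("sync must use https, not %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL needs a hostname (your DDNS name)")
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    return parts.hostname, parts.port or 443, path


def list_collection(multistatus_body):
    """Return the hrefs in a PROPFIND 207 Multi-Status body (bytes or str)."""
    root = ET.fromstring(multistatus_body)
    return [r.findtext(DAV + "href") for r in root.iter(DAV + "response")]


def probe(url, user, password, cafile=None):
    """PROPFIND the sync folder with TLS verification left on (assumed helper).
    For the NAS's self-signed certificate, export it as PEM and pass it as
    `cafile`; never turn verification off with CERT_NONE."""
    host, port, path = parse_webdav_url(url)
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn.request("PROPFIND", path,
                 headers={"Depth": "1", "Authorization": "Basic " + token})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 207:
        raise RuntimeError(f"expected 207 Multi-Status, got {resp.status}")
    return list_collection(body)


# Constructed sample of a listing for the Enpass folder; the file name is
# made up for illustration, not Enpass's real sync file name.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>/webdav/Enpass/</D:href></D:response>
  <D:response><D:href>/webdav/Enpass/vault.sync</D:href></D:response>
</D:multistatus>"""
```

Run `probe("https://your.nas.address:5006/webdav/Enpass/", "webdav", "<password>", cafile="nas.pem")` from outside your LAN: a list containing the folder itself means DDNS, TLS and the webdav user’s permissions all line up.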
That’s how I got it to work. And now…all my password info (and a lot of other data) is out of the public cloud, in a private cloud consisting just of my family’s devices. Pretty freaking awesome.