How to manage accounts and passwords in an effective way among several devices

Martin Scholz
4 min read · Aug 23, 2022


This is my first blog post. After 20 years in software development, I thought it might be overdue to share some of my gathered knowledge and best practices.

I want to talk about two things: first, how to handle accounts and their respective passwords, and second, how to store the secrets in a central, convenient way.

Best practice for registering new accounts

Today, handling all our accounts and passwords has become a very crucial part of our lives, especially when you have a lot of accounts, some of which may be very important, such as email and bank accounts.

An account is very often (99% of the time) linked to an email address, and it is common to have multiple email addresses for different purposes. I use several myself, each with its own role.

I have one main email address that I use only for official accounts such as banks, stock exchanges, Amazon, PayPal, or government accounts. By “official accounts,” I mean accounts where I have to provide my passport ID to validate my identity. For these accounts, I can assume that they will not sell my email address, which would otherwise result in more spam or even malicious emails.

Next, I have several sub email addresses that I use for accounts where I just want to check what is going on. These could be accounts where I will log in only once or where I will stay longer. At the time of registration, I do not know how long I will stay on the website or whether it is a trustworthy site. To protect my main email address, I register on such websites with one of these sub email addresses. This has helped a lot in reducing the amount of spam I receive on my main email account every day. It has also helped me identify websites that may not be keeping my data private: sometimes I have noticed that the amount of spam has significantly increased after I registered on a certain website. By knowing which email address I used for that website, I can easily identify the source of the new spam emails.

In terms of passwords, I differentiate between important and unimportant accounts. For important accounts, I use strong, individual passwords. For unimportant accounts, I use a strong default password that I can easily memorize. I consider an account unimportant when there is nothing to lose if the website is hacked.

By following these strategies for managing accounts and passwords, I am better able to protect my important information and reduce the risk of spam or malicious emails.

To sum that up, I created the table below.

When an unimportant account becomes important, you can always update the password to an individual one. But initially it helps to have one default password that is easy to memorize to start with.

How to store secrets in a central, convenient way

Today, we often have multiple devices such as laptops, smartphones, tablets, and desktops, and it is convenient to access our account data in a central way so that whenever the data is changed, it is automatically available on all of our devices. To achieve this, I use a combination of KeePassXC and cloud storage.

KeePassXC is a useful tool because it is cross-platform and runs on all major operating systems (OS), including Windows, Linux, and macOS. It is also compatible with the original KeePass file format, which means that the archive files can be used with other KeePass-compatible tools, such as Keepass2Android for Android smartphones and tablets.

Now that we’ve discussed the benefits of using KeePassXC, let’s talk about how to ensure the security of the KeePass archive when storing it in the cloud. One concern might be that it is risky to expose all of our secrets in a single file in the cloud. While it is true that there is a risk that the cloud provider could be hacked and the attacker could download the KeePass archive, there are several measures we can take to mitigate this risk.

First, it is important to use a very strong master password for the KeePass archive. This should provide sufficient protection for the data, even if an attacker were to obtain the file. Additionally, we can obscure the file name to make it less clear to the attacker that it is a KeePass archive. For example, instead of calling the file “MyKeepassArchive.kdbx,” we could name it something like “sys_settings.bin.”

Another mitigation strategy is to use a key file in addition to the strong master password. The key file, which is not stored in the cloud and is managed locally, must be used in conjunction with the master password to open the archive. By using an additional locally stored key file, it becomes almost impossible for the attacker to access the data, even if they manage to obtain the file and the master password.
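To make concrete why the key file helps, here is an added example (not from this post or the KeePassXC project) that models how KeePass 2.x combines a master password and a key file into one composite key: each component is reduced to 32 bytes, the pieces are concatenated and hashed again with SHA-256. The assumptions are the KeePass key-file rules for raw 32-byte and 64-hex-character files (the XML key-file variant is left out), and the real database additionally runs this composite key through a slow key transformation (Argon2 or AES-KDF) with a per-database seed, which is omitted here.

```python
import hashlib
import os
from typing import Optional


def key_file_data(raw: bytes) -> bytes:
    """Reduce a key file's contents to 32 bytes of key material.

    Assumption: follows the KeePass 2.x rules for non-XML key files.
    A 32-byte file is used as-is, a 64-character hex file is decoded,
    and anything else is hashed with SHA-256.
    """
    if len(raw) == 32:
        return raw
    if len(raw) == 64:
        try:
            return bytes.fromhex(raw.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex text, fall through to hashing
    return hashlib.sha256(raw).digest()


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Combine the master password and an optional key file into one key.

    The password is hashed to 32 bytes, the key-file material is appended
    (if present), and the concatenation is hashed once more. Without the
    key-file bytes the result is a completely different value, so knowing
    the password alone is not enough to reconstruct the key.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += key_file_data(key_file)
    return hashlib.sha256(material).digest()


def key_file_is_required(password: str, key_file: bytes) -> bool:
    """True if the password alone does not reproduce the protected key."""
    return composite_key(password) != composite_key(password, key_file)


if __name__ == "__main__":
    # Constructed sample: a 32-byte raw key file that would live only locally.
    sample_key_file = os.urandom(32)
    master = "correct horse battery staple"
    print("password only :", composite_key(master).hex())
    print("with key file :", composite_key(master, sample_key_file).hex())
    print("key file required:", key_file_is_required(master, sample_key_file))
```

The cloud copy of the archive is only ever opened with the value on the second line, so an attacker holding the file and even the password still lacks 32 bytes of key material that never left the local device.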

The image below shows my setup.

I hope this is helpful for some people.
