= Keepass = <> * Background information: https://www.heise.de/news/Open-Source-Adventskalender-Der-Passwort-Manager-KeePass-6288780.html == Description == KeePassXC is a tool to store and manage passwords. It is freely available for * MacOS/Windows/Linux - !KeePass: https://keepassxc.org/. * Android: [[https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free|KeepassDX]] * iOS - https://keepassium.com/ == How KeePassXC works == * KeePassXC create/open/edit/save password-databases in a single file. * A password-database is basically an encrypted file, where you can store your various usernames/passwords/URLs and also attachments like pictures or other important / private documents. * A password-database can only be opened if you know the Master-Password. The Master Password is the key to all your stored passwords. * If you forgot your Master-Password, you cannot access your stored passwords anymore. * Encryption -- either the Advanced Encryption Standard (AES) or the Twofish algorithm are used for encryption of the database in 256 bit sized increments * All features: http://www.keepassx.org/features/ == Using KeePassXC on the Thinlinc terminals == * Start KeePassXC: * Ubuntu / Thinlinc: Applications > Accessoires > KeePassXC * command line: keepassxc * You can use the same password database on different computers if they have KeePassXC installed. * When opening KeePassXC with a database, you will be asked for the master password of the file. * When a password database is open, KeePassXC "locks itself" after a certain amount of time. After that you have to unlock the file again with your master password. * You can hide/view usernames and passwords by clicking on "View" --> "Hide Usernames" and "View" --> "Hide Passwords" * You can right-click on an entry and choose "Copy Username to Clipboard" or "Copy Password to Clipboard". You can then paste the password. After a few seconds, the password is no longer stored in the Clipboard. == Creating a Password Database == * Click on "File" --> "New Database..." * you will be prompted to set a master key. Input your master password (the master password for all your other stored passwords). Then click "OK" * repeat your master password. click "OK". * chose a group. (Standard choices are Internet of eMail. You can also create your own groups). * click on "Entries" --> "Add New Entry..." * Input the information you need * Title: a short description of the entry * Username: your username * URL: on what homepage do you need the password * Password: your password * Repeat: repeat your password * Comment: a longer description of the entry * click on "File" --> "Save Database" * chose a location and a name for your password database. click "OK" == Best practice: Sync Database via cloud == * Only use a cloud service if you need to sync your passwords over several devices. * Decide on your own: * Pro 'cloud': * all of your confidental data on all devices. * creates automatically backups. * Contra 'cloud': * If your cloud access is compromised or the cloud service provider is compromised: the thief owns the treasure. * US based cloud provider like Google Drive, Dropbox, Apple iDrive, Microsoft !OneDrive: * Those services are very attractive to hackers. * The NSA has the right to get all data from US companies. After Snowden it's for sure, the NSA is not friendly. * Rule of thumb: '''Don't use US hosted / company based services''' for confidential data. * Local cloud storage provider: * https://drive.switch.ch - Switch Eduction cloud service - '''switchdrive''' * [[drive.math.uzh.ch]] - I-MATH * How to: * On all devices where you like to sync your !KeePass database file, install and configure [[drive.math.uzh.ch]] * Open the !KeePass database file on all of your devices directly from the cloud folder. = Browser integration / MFA Setup / Passkeys = * KeePassXC can be used from within a browser (Chrome, Chromium, Firefox, Vivaldi, Brave, ...) * Browser connection to KeePassXC is nice: different browsers offer the same accounts/credentials - if synced via cloud than also on different computers. * TOTP service (one time token). * Passkeys support. Finally: no more MS-Authenticator app needed, no more single device dependency, login to any MFA protected website without a mobile phone. == Settings == {{attachment:kp-browserintegration.png}} * Settings > Browser Integration > Enable integration ...: Chrome, Firefox, ... == Browser Plugin == * Install the corresponding browser plugin (links to app store: check settings dialog '5' ) * Passkeys have to explicitly enabled in the browser plugin: {{attachment:kp-passskeys.png}} == Regular Username / Password == * Take care that the keepass icon on the top right is 'green' = connection to database is active. * Open the login page in the browser. {{attachment:kp-fill.png}} * Click on the small green kp icon. * Choose the account. == MFA == === TOTP === * To use TOTP with Microsoft Office 365 login: [[MFA/Microsoft_Authentication#Add_third_party_TOTP_app|Third Party]] {{attachment:kp-totp.png}} * Add [[https://en.wikipedia.org/wiki/Time-based_one-time_password|TOTP]] functionality to individual accounts: Account > right mouse click > TOTP > Setup TOTP * On a MFA-TOTP secured login website, just login as usual with keepass, on the next page, where the one time token is requested, click again on the green symbol. Hint: * On the `TOTP setup` you have to provide the 'shared secret'. * The shared scecret is provided by the website which hosts the login, typically where the MFA can be configured. * Either in plaintext like 'ABCD EFGH 1234 IJKL 5678 MNOP QRST UV89'. * Or as a QR code to scan. Here sometimes it's a URL or a `fido` string. If it is not in plaintext in the URL, hopefully the assigned app (=keepassdx) opens. === Passkey === * [[https://en.wikipedia.org/wiki/WebAuthn|Passkey / webauthn]] are offered as an additional way to use MFA. * Some websites work better than others. * Passkeys offers more security than TOTP and should be used when possible.