Manage Your Passwords without relying on a Service

Posted on July 6, 2024 by Tylor Kobierski

There are a lot of password management services which hope to manage randomly generated passwords for you: Bitwarden, LastPass, 1Password, etc. They may be convenient in your particular use case, but you don’t really need any of them. I don’t use any of them, or anything of the sort. My password management system syncs across all my devices at my house. As a side benefit, you can also use this system to passively share virtually anything across your devices. It does require you to use two programs instead of one, but with this setup you can easily handle everything securely and locally, without having to expose your password database to a centralized service (or to one you host yourself).

Why have a password manager? By having a password management database:

  • It’s very easy to make maximally strong passwords for whatever purpose you wish.
  • You never have to remember those passwords.
  • You never “have” to share the same password across multiple sites. You can just memorize 1 password that unlocks all your passwords.
  • You can easily update any passwords if the site you’re using has experienced a data breach.

So let’s go through the process of setting up a synchronizable password database!

0.1 Set up Syncthing

The basic idea of this setup uses two components: a P2P means of continuously synchronizing files across devices, and a password manager that is managed locally. We will accomplish this using Syncthing and KeePass, two open source projects that run on basically any platform you’d want them to.

0.1.1 Installing syncthing

You’ll want to start out by installing Syncthing on all the devices you’re interested in syncing. On your Windows desktops, I would go with SyncTrayzor, which wraps the Syncthing interface into something that can be managed from your system tray. On Arch, I use Syncthingtray from the AUR to do the same thing on my KDE desktop. On Android, you can install Syncthing from the store. On iOS, Möbius serves the same purpose, though I do not own an iPhone or really interact with the Apple ecosystem much, so I can’t say much about how well it works or its quality.

0.1.2 Configuring syncthing

(Figure: the Syncthing web interface)

I recommend starting by configuring one of your desktop or laptop machines. Syncthing generally works through a web interface served on localhost, and these instructions are geared toward that. If you use the tray options or the phone apps, the same interface is neatly packaged there, so you can just open it up. On each of your devices, you’ll want to do some simple setup on the settings page (located under “Actions” in the standard web interface):

  1. In the “General” tab: Set your device name, and disable anonymous usage reporting if you so wish.
  2. In the “Connections” tab: Disable global discovery. Leaving it on would allow your devices to discover each other across the wider internet using Syncthing’s global discovery servers. As you may imagine, while it’s a neat idea, I’m not interested in relying on it. With it off, devices on the same local network still find each other through local discovery. If you think it sounds cool, you could run your own discovery server, too.

On Android, the options are the same, but it’s all done through its own interface, so the look and structure is slightly different.

0.1.3 Connecting all your devices together sharing a single folder

I share a single folder distributed across all my devices, linking them all together so that as I update one device, the changes sync across all of them. You could also configure this in numerous other ways: if you have a home lab or your own server somewhere on the internet, you could set up Syncthing on that and have each device sync to it, so it acts as a central repository. All my devices are connected to my router/NAS/homelab in one way or another, which is where they sync.

To start, set up the folder you wish to synchronize on one of your devices from the “Folders” section of the dashboard. Give it a label and an ID that you like, and keep the shared folder ID consistent across your devices. Choose a path you’d like to hold your password database in.

No matter how you wish to configure your synchronization topology, you have to introduce your devices to each other and tell them what folders they should synchronize. To do this:

  1. Pick one of your devices. In the “This Device” section of the dashboard, you’ll see a row named “Identification”. Copy that identification code, or keep it open to use the QR.
  2. On the other device, go to the remote devices section and click “Add Remote Device”.
  3. In the “General” tab, type in the identification code from step 1, or scan in that QR code.
  4. In the “Sharing” tab, share the folder you wish to synchronize between the two devices.
  5. Save the remote device.
  6. On the first device, you’ll need to accept the connection.

You’ll now have a folder that can synchronize between two devices. Repeat the process with as many devices and folders as you want to link together.

0.2 Set up KeePass

KeePass gives you a way of generating, storing, and retrieving passwords and TOTP tokens across a variety of devices. The original version is a Windows program. I use KeePassXC to keep things consistent across all the desktops and laptops I own, and I use KeePass2Android to handle my database on my phone. KeePassXC also has a Firefox add-on I like to use to easily input my passwords, which is part of why I chose it, though there is no need to use it. There are quite a few versions out there. The database format is the same, so just pick something that works for you.

For the purposes of this article I’ll just go over setting up a database in KeePassXC. Create a new database and follow the recommended settings.

When you get to setting your credentials, do two things: give your database a password, but also generate a key file. Save both of these items to your designated sync folder.

Once the key file has reached all your devices, move it on each device to a location outside the sync folder, point your KeePass client at that new location, and then delete it from the sync folder. That way the database and the key file never travel together, and a copy of the synced folder alone is not enough to open the database. You can now start adding your passwords and TOTP tokens into KeePass.

Also, set up your browser integration. This makes it way easier to input your passwords and TOTP tokens. Just make sure that you set a URL on each password entry: without one the entry won’t be offered by the add-on at all, and the URL is what lets the add-on fill your password when you’re on the appropriate page.

0.2.1 Pulling your TOTP keys out of Authy

I previously used Authy to manage my TOTP keys in addition to using KeePass, but when I learned that they were phasing out the desktop application, I decided to get my keys out of there. If you are in the same position, follow this tutorial to extract your keys from Authy. Once you have the seeds, you can associate them with your password entries. If you have the browser add-on and your password entries are configured to recognize that the password belongs to a specific login page, you’ll be able to fill in your token with a single click. Pretty nifty.
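As an added example that is not part of the original post, a short Python script that computes RFC 6238 TOTP codes from a base32 seed, so you can confirm that an extracted seed produces the same code your old authenticator still shows before you remove it from Authy. The `digits`, `period` and `algo` parameters and the `seed_matches` helper are my own additions, and the seed in the demo is the RFC 6238 reference secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_seed(seed_b32):
    """Decode a base32 TOTP seed as exported from an authenticator (spaces, case and padding tolerated)."""
    s = seed_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the padding that many exports strip
    return base64.b32decode(s)


def totp(seed_b32, at=None, digits=6, period=30, algo="sha1"):
    """RFC 6238 TOTP: HMAC(seed, time step) -> dynamic truncation -> `digits` decimal digits."""
    at = time.time() if at is None else at
    counter = struct.pack(">Q", int(at) // period)
    digest = hmac.new(decode_seed(seed_b32), counter, getattr(hashlib, algo)).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def seed_matches(seed_b32, shown_code, at=None, digits=6, period=30, algo="sha1", window=1):
    """True if the code shown by the old app equals TOTP(seed) within +-window time steps."""
    at = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(seed_b32, at + k * period, digits, period, algo), shown_code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 reference seed ("12345678901234567890" in base32); constructed, not anyone's secret
    rfc_seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(rfc_seed, at=59, digits=8))                      # RFC 6238 test vector: 94287082
    print(seed_matches(rfc_seed, "94287082", at=59, digits=8))  # True
```

Compare the output of `totp(your_seed)` against the code the old app shows right now; if a service uses 7 or 8 digits or a different period, pass those values explicitly.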

0.2.2 Dealing with conflicts

Sometimes you’ll make edits on two or more devices, resulting in two divergent databases. When that happens, Syncthing leaves two versions of the file: the original with its original name, and the conflict copy with one of the devices’ names appended to it. Go to one of your devices, open up KeePassXC with your normal database, click on the Database menu, then click “Merge from database”. You can then merge the conflict file into your normal database and delete the conflict file!
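As an added example (my own script, not from the post or from Syncthing or KeePassXC), a small audit of the sync folder for the two things discussed here and in the key file section above: a key file left next to the database, and Syncthing conflict copies of the database, whose names follow Syncthing’s `<name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<7 characters of the editing device’s ID><extension>` pattern. The sample file names are constructed.

```python
import re
import sys
from datetime import datetime
from pathlib import Path

# Syncthing names a conflicting copy of a file
#   <name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<7 chars of the editing device's ID><extension>
CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-(?P<date>\d{8})-(?P<time>\d{6})-"
    r"(?P<device>[A-Z0-9]{7})(?P<ext>\.[^.]+)?$"
)
KEYFILE_SUFFIXES = {".key", ".keyx"}  # KeePassXC key file extensions; none should be in the sync folder

# Constructed sample, not real file names from anyone's sync folder
SAMPLE_NAMES = [
    "Passwords.kdbx",
    "Passwords.sync-conflict-20240706-101530-ABCDEFG.kdbx",
    "Passwords.keyx",
    "notes.txt",
]


def parse_conflict_name(name):
    """Return {'original', 'when', 'device'} for a Syncthing conflict file name, else None."""
    m = CONFLICT_RE.match(name)
    if not m:
        return None
    when = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    return {"original": m["stem"] + (m["ext"] or ""), "when": when, "device": m["device"]}


def audit_sync_folder(names):
    """names: file names in the sync folder. Returns (leftover key files, database conflicts)."""
    keyfiles = sorted(n for n in names if Path(n).suffix.lower() in KEYFILE_SUFFIXES)
    conflicts = []
    for n in names:
        info = parse_conflict_name(n)
        if info and info["original"].lower().endswith(".kdbx"):
            conflicts.append((n, info))
    conflicts.sort(key=lambda c: c[1]["when"])  # oldest first, so merges happen in order
    return keyfiles, conflicts


if __name__ == "__main__":
    names = [p.name for p in Path(sys.argv[1]).iterdir() if p.is_file()] if len(sys.argv) > 1 else SAMPLE_NAMES
    keyfiles, conflicts = audit_sync_folder(names)
    for k in keyfiles:
        print(f"WARNING: key file {k!r} is still inside the sync folder; move it out on every device")
    for name, info in conflicts:
        print(f"conflict: {name} (edited on device {info['device']} at {info['when']}) "
              f"-> merge into {info['original']} via Database > Merge from database, then delete it")
```

Run it with the path of your sync folder as the only argument; without an argument it runs against the constructed sample.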

0.3 Conclusion

You should now be able to synchronize a password database across a ton of different devices that connect to your local network, and, should one of those devices malfunction, restore those passwords by syncing from any of the remaining devices. It’s a little more initial work than relying on a service to do this for you, but you can do it at no cost to yourself and with very little in the way of maintenance, since each piece of this setup is quite easy to update.

I hope this tutorial has been helpful. As always, write to me on the fediverse at @tmk@social.lugal.io if this article has been helpful to you, or if you have feedback!