KeePassXC for all your password needs!

No, you should not make your passwords complex and super long! This will only lead to you forgetting the password and then later resetting it to one that you will actually remember – which, of course, we know will be super dumb and easy to crack.

Instead, you should go for passphrases. These are basically passwords, but longer and easier to remember. For example, a passphrase can be:

pancake lord on moon vacation three times left turn

According to Security.org’s password check, this would take a computer of today’s capacity about 1 unvigintillion years to crack. How many years is one unvigintillion? I don’t know, but I do know that I definitely won’t be around by then.

A screenshot of Security.org's password check

The reason this passphrase is hard to crack isn’t its complexity, but rather its length. The longer the passphrase, the more possible combinations any brute-force attempt has to try.
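To make the length argument concrete, here is a small added example (not from the original post, and not a reproduction of the Security.org calculator) that counts the candidates a brute-force search has to cover and converts that into an assumed worst-case time. The attacker is assumed to know the wordlist the passphrase was drawn from, so only the word choice is secret; the guess rate and the mini wordlist are constructed values:

```python
import math
import secrets

# Constructed mini wordlist standing in for a real diceware-style list.
# A real list has a few thousand words; only the list size matters for the math.
SAMPLE_WORDS = ["pancake", "lord", "moon", "vacation", "three", "times",
                "left", "turn", "river", "copper", "quiet", "window"]


def password_search_space(length, alphabet_size):
    """Candidates a brute-force attack must consider for a character
    password of the given length over an alphabet of the given size."""
    return alphabet_size ** length


def passphrase_search_space(word_count, wordlist_size):
    """Same, for a passphrase drawn uniformly from a known wordlist."""
    return wordlist_size ** word_count


def entropy_bits(search_space):
    """Strength expressed as bits: log2 of the number of candidates."""
    return math.log2(search_space)


def years_to_exhaust(search_space, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    seconds = search_space / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(words, count, separator=" "):
    """Pick words with the OS CSPRNG (secrets, never random.choice)."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # Assumed rate: 10 billion guesses per second, a constructed figure.
    rate = 10 ** 10
    complex8 = password_search_space(8, 95)       # 8 printable ASCII chars
    phrase8 = passphrase_search_space(8, 7776)    # 8 words from a 7776-word list
    print(f"8-char complex: {entropy_bits(complex8):.1f} bits, "
          f"{years_to_exhaust(complex8, rate):.4f} years")
    print(f"8-word phrase:  {entropy_bits(phrase8):.1f} bits, "
          f"{years_to_exhaust(phrase8, rate):.3e} years")
    print("example:", generate_passphrase(SAMPLE_WORDS, 8))
```

The 8-word passphrase from a 7776-word list comes out around 103 bits, against roughly 53 bits for 8 printable characters: the passphrase wins on length even though it contains nothing but lowercase letters.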

But, you ask, what about the required password complexity of sites, operating systems and the like? The lowercases and uppercases, special characters and such?

Well, that’s where password managers come into the picture! You see, there are a lot of password managers out there and chances are you’re using a web browser with one built in, right now! There are even services that let you store and access your passwords in the cloud for convenience, for example when you’ve lost access to your computer or device.

With a password manager, you can generate a super random and hard to remember password that fulfills any uptight requirements of an account registration. The point is that you will never need to remember it, the manager will!

The problem with most built-in managers though, is that they are exposed to the internet, meaning that if the client or browser is compromised – so are your passwords. The same goes for any online service that promises security – it’s all fine and dandy and cherries until the service is hacked and your passwords are stolen. This happened a while back with LastPass where, even though encrypted, users’ vaults were stolen and could potentially be cracked. This is exactly why centralization is bad – it gives hackers a single point of entry for thousands if not millions of users.

Now, how to avoid this? Well, firstly you should avoid centralization. But you cannot avoid hackers on the internet unless you go offline, of course. It might sound like a bummer, but that’s why I’m writing this post, you see!

Here’s where KeePassXC comes in. KeePassXC is an excellent password manager and vault that is secure, open source and totally free. KeePassXC is an application only, meaning no servers to connect to – all it needs is the database file to keep its records. Already here, we’ve eliminated one potential threat in that we’re not exposing our passwords to the intertubes. The database can be safely stored wherever you like, for example in your home folder or on an encrypted drive. You can have multiple databases, for example one for private passwords and another for work related passwords (which I would recommend).

Getting started is easy: just download and install the application. For Ubuntu/Debian users, I strongly recommend adding the PPA and installing with APT instead of snap.

After installing and running it for the first time, you can create a new database. Set a passphrase, one that you can actually remember, because if you forget it you lose access to the database. I also recommend that you add a key file as a second factor for unlocking the database, preferably stored on a separate physical drive for added security.

Screenshot of the database view of KeePassXC showing different entries

Once the database is up and running, all you have to do is store all your passwords. As you can see in the above screenshot, you can even store TOTP secrets in an entry and use it for two-factor authentication. You can associate the entries with their respective sites and applications, organize them in groups and add icons to the entries.

I would however recommend that you install a browser extension, otherwise you would need to go back to the application every time you need to log onto a site. There’s an official extension for the most popular browsers, called KeePassXC-Browser. Once installed and configured (and with the main application running in the background) it will ask for the database password and fetch the associated entry when autofilling the login forms on a site.

A word of warning though: It’s known not to work with snap installations of browsers, which is the default installation method in Ubuntu. Be sure to use the APT version of both the web browser and KeePassXC and you should be good to go. Oh, you might have to add a permission entry in AppArmor if you’re getting “Cannot connect to database” errors, though.

Also, you might want to have some sort of cross-device sync. I know, this contradicts what I mentioned earlier about keeping the database offline, but the alternative would be to manually copy the database and key file over to every device each time you’ve added or updated an entry. Not too convenient. As long as you don’t use a centralized service, I believe you’re good though. For example, using a Nextcloud instance, you can sync between selected devices. As for mobile applications, for Android there’s KeePassDX, which is fully compatible and can also use Nextcloud mounted storage to access the database. This is the one I’m using and can recommend.

All in all, I’m really satisfied with KeePassXC knowing that I’m in total control over my password vault and that I’m one step further from allowing Big Tech to have control over my online life.

Aegis – The go-to 2FA for Android

(I just realized it’s been over a year that I’ve written anything on this blog. You may also have noticed that it looks a little bit different now. This is because I intend on making this blog a part of a bigger website – a homepage, if you will.)

Why Aegis?

I’ve been jumping between different two-factor authentication (2FA) apps the past year or two. For a long time I had settled on Authy, mostly because I wanted to get away from Google and Microsoft. This app seemed robust enough, had some customizable logos for the connected services and also employed a backup feature – which at the time was MIA over at Google’s and Microsoft’s departments. It also had a desktop version that was synced, which at least at the time seemed like a good idea.

As the months passed by I slowly started to realize the flaws in Authy. Not only could you actually not customize the logos yourself, but the search engine used was simply a Google image search wrapper; meaning that logos showed up that either aesthetically didn’t fit or were totally unrelated to the service you tried to configure. I tested this theory by simply searching for some random crap and Authy downloaded the image without hesitation.

Not only that, I realized that while it’s nice to have the OTPs synced between devices, it did this through centralization. This, in my opinion, isn’t secure at all and could potentially invade my privacy.

Enough about Authy. I’ve moved on, and so should you.

A screenshot of a phone running Aegis

So what makes Aegis any different? Well, first and foremost, it’s completely free (as in libre) and open source software not developed or run by a for-profit corporation.

This means that not only is the code available for anyone to examine and contribute to (which, contrary to popular belief, is actually very important for security applications), it can also be downloaded without Google’s involvement, since it’s available through the F-Droid repository.

Second, it has all the features needed for a proper 2FA application and some quality-of-life improvements over its competitors, which I’ll get into shortly.

The only real downside for Aegis is that it’s not available for iOS. But if you’re using iOS, you’ve got other problems to attend to. Yes, by all means, please be offended.

Features

Customizable views

This is one of the most important features for me, as I’ve got almost all my accounts configured with 2FA and will be picking up my phone several times a day to fetch their one-time codes.

Since Aegis allows you to pick your own icons, or even download icon packs from the project, each account is instantly recognized through its branding. And for a better overview, you may also configure how the codes are displayed in different sizes: normal, compact, small and tiles. I personally like the setting “small”.

You can also separate the codes into groups. Say you want to have your work OTPs in the same app as your private ones: you can create a group for those and have them filtered out by default. This is especially useful if you have two or more different accounts on the same service.

Security

The configurations are safely stored on your device with encryption, which can be unlocked by a password or by using biometrics such as fingerprint and/or face unlock. It also allows for a separate encryption password for the backups, should you want an extra layer of security.

Aegis can also be configured to disallow screenshots from being taken, should you ever be infected by malware that tries to steal your OTPs. You can also configure the codes to be hidden from prying eyes until you tap on them.

These are just a few of the security settings I figured were worth mentioning.

Backup, import and export

Another key feature is being able to restore your 2FA configurations should your device ever be lost. Instead of having the vault sync using a centralized service, you can configure continuous backup instead.

Since the vault is encrypted, this means you can put your backup wherever you want. You can use your device’s automatic cloud backup as well as backup through Storage Access Framework in Android, perfect if you’ve got a personal Nextcloud server.

If you’ve got multiple devices, these can be synced using the import/export functions of the app. You can also use the import function to fetch configurations from other 2FA apps, but unfortunately it does not support Authy (this isn’t Aegis’s fault though, it’s simply because Authy doesn’t support export at all).
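What actually moves between apps on import/export, and what KeePassXC’s TOTP entries store too, is just a shared secret plus a few parameters; the code itself is computed locally from the current time. As an added example (my own code, not Aegis’s or KeePassXC’s), here is an RFC 6238 TOTP implementation together with a parser for the otpauth:// URI format that authenticator apps encode in their QR codes. The sample URI is constructed from the RFC 6238 test secret "12345678901234567890" and a made-up account label:

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://totp/<label>?secret=...&... URI into its parameters,
    applying the usual defaults (6 digits, 30 s period, SHA1)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def totp(secret_b32, at_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    # Base32 secrets are often shown without padding; restore it before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    counter = int(at_time) // period
    digest = hmac.new(secret, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri, at_time=None):
    """Convenience wrapper: current (or given) code for an otpauth URI."""
    p = parse_otpauth(uri)
    t = time.time() if at_time is None else at_time
    return totp(p["secret"], t, p["digits"], p["period"], p["algorithm"])


# Constructed sample: RFC 6238's test secret, base32-encoded, in a made-up URI.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              f"?secret={RFC_SECRET_B32}&issuer=Example&digits=8")


if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI)["label"], code_from_uri(SAMPLE_URI))
```

The point for backups follows directly from the code: whoever holds the base32 secret can produce every future code, which is why Aegis encrypting the vault (and optionally the backup with a separate password) matters more than where the backup file ends up.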

Final words

I mean, there isn’t much else I can share with you guys. It’s only a 2FA app, after all.

It works securely and with personal customization, it’s open and free and has awesome features. So if you’re ever in need of two factor authentication, look no further than Aegis.