First try on Passbolt and why I moved to Bitwarden instead

After years of being a netizen, I now have hundreds of online accounts. In the past, I tried to keep my passwords unique yet easy to remember by using an “algorithm” to derive a strong password for each site. Unfortunately, the algorithm could not work everywhere, because different websites have differing, or even conflicting, password requirements (some require a symbol while others do not allow one; in the most extreme case, some accept only digits in the password field!). I also recorded all my passwords in a spreadsheet which was itself password-protected, and, for convenience, I let the browser save them by default as well, that is, Google Password Manager in Google Chrome and Google services on Android.

Over the years the spreadsheet has become difficult to maintain, as it holds passwords generated under several generations of the algorithm. Sometimes I forgot to enter a password into the spreadsheet at all. I rotate passwords every few years, but some accounts are so seldom used that their password has not changed for seven years or more, my Apple ID for example. My latest password generation algorithm is already three years old and it is time to replace my passwords, but I have run out of ideas that work on most websites, and having passwords scattered across a spreadsheet, Google and Microsoft is not a manageable state of affairs. So I decided to use a password manager.

Criteria of a password manager

The ability to control my own data is an essential requirement for me. In the past, I made the mistake of choosing Microsoft Authenticator as my time-based one-time password (TOTP) app. It does not allow the secrets to be exported unless the Android device is rooted, and it cannot even merge the accounts held on two different devices. This forced me to reconfigure two-factor authentication (2FA) for some services, and I have since moved to Aegis, which is open-source software.

Passwords, especially those protecting critical services like e-mail and banking, are something I cannot afford to lose, so it is important to get things right from the start. I therefore only consider solutions that are fully open source and, where a server is involved, can be self-hosted.

Passbolt

After some market research, I decided to install Passbolt on my own server. I chose Passbolt because it uses PGP encryption, something I am familiar with. I naïvely assumed that the password manager would integrate with the local PGP infrastructure, GnuPG on Linux and OpenKeyChain on Android, so that I could manage its security with existing tools such as KGpg. It turned out differently.

The installation, however, was not an easy process on a server with existing services.

I have two servers: a high-performance primary server where I host most of my services, including this blog, and a storage server with no public-facing services. The storage server does, however, have PHP, Apache and phpMyAdmin installed: after my public-facing server was compromised, I removed phpMyAdmin from it and reconfigured MySQL so that password-based root access is only possible from connections originating on the storage server.

Of course I did not want to install the password manager server on a machine running plenty of public-facing services, so I tried to install it on the storage server, but that turned out to be a difficult process.

Installation

I followed the official documentation for Debian. However, the script refused to install the software, saying that PHP was already installed and that the script must be run on a vanilla server. I was not going to pay for another VPS and go through the hassle of setting up domain names and SSL certificates on a new machine, so I had to purge everything related to PHP from the server before the script would install the package.

The script pulled in MariaDB, PHP, Nginx and so on. During post-installation it asked whether I wanted to create a database, to which I answered yes, and whether I wanted it to configure an Nginx site, to which I answered no, because I already had Apache running with a working SSL setup. I then configured Apache to serve Passbolt on a separate port using the existing SSL certificate.

Unfortunately, the website did not work: it returned HTTP 500 because of a rewrite loop. After some investigation I found that the Debian package was missing an .htaccess file that is present in the source repository (presumably because the package targets Nginx, where Apache's .htaccess plays no role). I copied the file from the source, the website worked, and I reported a bug.

I could then complete the installation. The server-side configuration went without a hitch: it generated a PGP key pair for the server itself, asked for the e-mail configuration and created an initial admin account. Afterwards, I was prompted to download the browser extension and sign in.

Unfortunately, I hit another issue. I tried to use my existing PGP private key, which I had been using for seven years for secure e-mail, but Passbolt rejected it because it requires a key of at least 3072 bits. My primary key was only 2048 bits, even though it carried a 3072-bit encryption subkey. Since the size of an existing primary key cannot be changed (subkeys can be added, but the primary key is fixed at creation), I had to generate a new key, which already defeated one of the main reasons I had chosen Passbolt. After I generated one, it told me to download a “recovery kit”, presented as a .txt file, which is actually an ASCII-armoured PGP private key file that can be imported into a GnuPG keyring.

The first key I generated was rejected as well, because it had an expiry date. Such a basic piece of key hygiene is not supported. A properly implemented system would periodically check users' public keys, send reminder e-mails when a key approaches its expiry date, and renew its own key too.
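As an added check (example code written for this page, not part of the post or of Passbolt), the following Python script parses the machine-readable output of `gpg --with-colons --list-keys <KEYID>` and reports the two problems described above, a primary key smaller than 3072 bits and an expiry date on the key or its subkeys, before you attempt the import. The two listings embedded in it are constructed for the example; the key IDs, fingerprints and user ID are made up, and the 3072-bit minimum is the figure Passbolt reported above.

```python
"""Check whether a PGP key meets Passbolt's stated import requirements.

Added example, not Passbolt code. It parses the machine-readable output of
`gpg --with-colons --list-keys <KEYID>` (field 3 = key length in bits,
field 4 = public-key algorithm, field 7 = expiry as a UNIX timestamp or
empty) and applies the two constraints the post ran into: a primary key of
at least 3072 bits and no expiry date. The sample listings below are
constructed for the example; key IDs, fingerprints and user ID are made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_BITS = 3072  # Passbolt's minimum primary key size, as reported in the post

# RFC 4880 public-key algorithm IDs as printed in gpg's colon output (field 4).
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


@dataclass
class KeyInfo:
    keyid: str
    algo: str
    bits: int
    expires: Optional[int]  # UNIX timestamp, or None when the key never expires
    subkeys: List["KeyInfo"] = field(default_factory=list)


def parse_colons(text: str) -> KeyInfo:
    """Parse one key's `--with-colons` listing into a KeyInfo tree."""
    primary = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sec", "sub", "ssb"):
            continue  # tru/fpr/uid records carry nothing we need here
        info = KeyInfo(
            keyid=f[4],
            algo=ALGO_NAMES.get(int(f[3]), f"algo {f[3]}"),
            bits=int(f[2]),
            expires=int(f[6]) if f[6] else None,
        )
        if f[0] in ("pub", "sec"):
            if primary is not None:
                raise ValueError("expected exactly one primary key in the listing")
            primary = info
        else:
            if primary is None:
                raise ValueError("subkey record before primary key record")
            primary.subkeys.append(info)
    if primary is None:
        raise ValueError("no primary key found")
    return primary


def passbolt_problems(key: KeyInfo, min_bits: int = MIN_BITS) -> List[str]:
    """Return the reasons Passbolt would reject this key (empty list = acceptable)."""
    problems = []
    # Passbolt judges the *primary* key: a larger encryption subkey does not help,
    # which is exactly the 2048-bit primary / 3072-bit subkey case from the post.
    # The size check is applied to RSA only; ECC key sizes are not comparable
    # and how Passbolt treats them is not covered here (assumption).
    if key.algo == "RSA" and key.bits < min_bits:
        problems.append(f"primary key is {key.bits}-bit {key.algo}; at least {min_bits} bits required")
    if key.expires is not None:
        problems.append("primary key has an expiry date; Passbolt requires a non-expiring key")
    for sub in key.subkeys:
        if sub.expires is not None:
            problems.append(f"subkey {sub.keyid} has an expiry date")
    return problems


# Constructed sample 1: the post's situation, 2048-bit primary with a 3072-bit encryption subkey.
OLD_KEY = """\
tru::1:1700000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1460000000:::u:::scESC::::::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:
uid:u::::1460000000::DEADBEEF::Alice Example <alice@example.org>::::::::::0:
sub:u:3072:1:FEDCBA9876543210:1460000000::::::e::::::23:
"""

# Constructed sample 2: 4096-bit primary, but with an expiry date about a year after creation.
EXPIRING_KEY = """\
pub:u:4096:1:AAAABBBBCCCCDDDD:1700000000:1731536000::u:::scESC::::::23::0:
fpr:::::::::FFEEDDCCBBAA99887766554433221100FFEEDDCC:
uid:u::::1700000000::CAFEBABE::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:1111222233334444:1700000000:1731536000:::::e::::::23:
"""

if __name__ == "__main__":
    for name, listing in (("old key", OLD_KEY), ("expiring key", EXPIRING_KEY)):
        problems = passbolt_problems(parse_colons(listing))
        print(name, "->", problems or ["OK"])
```

In practice you would pipe `gpg --with-colons --list-keys <KEYID>` into `parse_colons` instead of the embedded samples; only fields 1 to 7 of each `pub`/`sub` record are used, so the later, version-dependent fields do not matter.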

Nevertheless, I signed the newly generated key with my old PGP key, intending to use the two in parallel, and enabled 2FA in the admin panel.

Usage

Account set up

With Passbolt set up and my newly generated private key saved in my keyring, I exported the passwords from my Google account and imported them into Passbolt. The import went smoothly and all my passwords appeared in Passbolt. I then installed the Android app on my phones. To set up the Android app I had to scan a QR code from the browser extension; it was not possible to sign in with just the server address, my e-mail and my private key, and I could not even set the app up from another Android phone. Honestly, if the private key is the key to security, what is the point of requiring a browser extension? After scanning the QR code, I was of course also asked for the “recovery kit” (i.e. the private key) and the 2FA code.

Afterwards, I tried to sign in from another browser. I installed the extension and entered the server address into the address bar, and it told me to check my e-mail. That is a problem: what if the password for the e-mail service is in Passbolt and you do not remember it? I ended up using another device that was still signed in to the e-mail service and copied the link from there. Again I was asked for the “recovery kit” and the 2FA code.

Interface

The only feature-complete interface for Passbolt is the web application served by the server, which works together with the browser extension; using the extension is compulsory. The Android app is so limited that it cannot even move an entry between folders.

Chrome extension

I would describe the product as simply not yet fit for production use. It did not even allow me to enter multiple URLs for a single password entry. When I wanted to change a password, it offered to generate a new random one and told me I would get a chance to save it afterwards, but that prompt did not always appear. On some websites it prompted me to save the password after the form was submitted; on others it did nothing at all, and I ended up having to reset the password. This is a basic usability issue that makes the product unfit for use.

Nor does it prompt to save a manually entered password that has no corresponding entry in the vault.

Android app

The Android app supports biometrics as an alternative to entering the private key passphrase every single time. However, basic features such as export and moving entries between folders are missing, and I have to use a browser for such tasks.

Autofill mostly works in apps once Passbolt is set as the preferred autofill provider, but no matter what I tried, it did not work in Chrome. It turned out that the app needs the “accessibility” and “draw over other apps” permissions to work in Chrome. Both are broad permissions (an accessibility service can read the contents of any screen), so they are worth granting knowingly.

Features

The kinds of secret Passbolt supports are extremely limited: only passwords and OTP, whereas other apps also support API keys and bank cards. It also supports only one URL per entry, which means it cannot autofill multiple websites that share a single identity.

Bitwarden

I finally gave up on Passbolt as it was clearly not fit for production use, and having to overcome so many hurdles, such as e-mail confirmation just to set up a new device, was clearly overkill for personal use. I turned instead to Bitwarden, the most popular free password manager (free as in beer, and also as in speech). It can be self-hosted, but it also offers a free cloud version for individuals and a premium tier at an affordable US$10 per year for a personal account, so I went for the cloud for simplicity, knowing that I can always move to a self-hosted instance if I ever have doubts.

Account set up

In Bitwarden, your master password is your key: the vault encryption key is derived from it on the client (salted with your account e-mail address), so it is the only piece of information needed to get into your vault. For additional security, Bitwarden also offers 2FA. It is a simpler model to use than the PGP-based encryption of Passbolt.
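To make the “master password is your key” model concrete, here is an added Python example (written for this page, not Bitwarden's own code) that follows the key-derivation scheme in Bitwarden's published security whitepaper: the master key is PBKDF2-SHA256 over the password with the lower-cased e-mail as salt, the value sent to the server at login is one further PBKDF2 round of that key salted with the password, and the key that actually protects vault items is the master key stretched with HKDF-Expand into an encryption half and a MAC half. The 600,000 iteration count is assumed to be the current PBKDF2 default; the Argon2id option is not covered, and the e-mail address and password are made up.

```python
"""How a master password becomes Bitwarden's keys.

Added example, not Bitwarden's code. It follows the key-derivation scheme
in Bitwarden's published security whitepaper (PBKDF2 variant):
  master key      = PBKDF2-SHA256(password, salt = lower-cased email)
  login hash      = PBKDF2-SHA256(master key, salt = password, 1 iteration)
  enc key, mac key = HKDF-Expand(master key, "enc" | "mac", 32 bytes each)
The iteration count is assumed to be the current default; the credentials
used in __main__ are made up.
"""
import hashlib
import hmac
from typing import Tuple

DEFAULT_ITERATIONS = 600_000  # Bitwarden's current PBKDF2 default (assumption for the example)


def master_key(password: str, email: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Derive the 256-bit master key. The e-mail is the salt, so the same
    password under a different account e-mail yields an unrelated key."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def server_auth_hash(key: bytes, password: str) -> bytes:
    """What the client sends at login: one extra PBKDF2 round, salted with the
    password. The server stores a hash of this and never sees the master key."""
    return hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"), 1, dklen=32)


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand; the Extract step is not used in this scheme."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def stretched_keys(key: bytes) -> Tuple[bytes, bytes]:
    """Split the master key into a 256-bit AES key and a 256-bit HMAC key.
    These stay on the client; they wrap the per-account symmetric vault key."""
    return hkdf_expand_sha256(key, b"enc", 32), hkdf_expand_sha256(key, b"mac", 32)


if __name__ == "__main__":
    pw, email = "correct horse battery staple", "alice@example.org"  # made up
    mk = master_key(pw, email)
    enc, mac = stretched_keys(mk)
    print("sent to server :", server_auth_hash(mk, pw).hex())
    print("kept on client :", enc.hex(), mac.hex())
```

The point of the two-stage derivation is that a compromise of the server (or of the web vault's transport) yields only the login hash, from which neither the master key nor the vault contents can be recovered without brute-forcing the password through the full PBKDF2 cost.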

Using a browser extension is highly recommended but not compulsory; the vault can be managed entirely from the web interface. Of course, when using the web interface on a cloud platform you have to trust the provider that the web vault does not send your secrets out of the browser, so if you are really paranoid you can self-host instead. I trust the audits and penetration tests that have been carried out against such a popular provider, as it is fairly easy to observe whether any secrets leave the browser. (The extension and desktop clients also ship their own copy of the client code rather than loading it from the server on every visit, which narrows this risk further.) All the browser extensions and platform clients are, in any case, open-source software.

Chrome extension

The Bitwarden Chrome extension works much better than Passbolt's. I have not found any major usability issue yet, and it works as well as Chrome's built-in password manager. It prompts me to save manually entered passwords, and it lets me add multiple URLs to an entry and choose how precisely each must match: by base domain, by host, by prefix, by exact URL or by regular expression.
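The match precision matters for more than convenience: it decides on which pages a login will be offered for autofill. The following is an added Python example (written for this page, not Bitwarden's code) that re-implements the match types Bitwarden's clients offer, using its names base domain, host, starts with, exact, regular expression and never (the snake_case identifiers are my own). Base-domain matching is simplified to the last two DNS labels; the real clients consult the public suffix list so that a name like example.co.uk counts as one base domain. The vault entries and page URLs are made up.

```python
"""Bitwarden-style URI match rules, and why the choice matters.

Added example, not Bitwarden's code: a minimal re-implementation of the
match types its clients offer (base domain, host, starts with, exact,
regular expression, never) to show which page URLs a saved login will be
offered on. Base-domain matching is simplified to "the last two DNS labels"
(assumption); the real clients use the public suffix list. The vault
entries and URLs are made up.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LoginUri:
    uri: str
    match: str = "base_domain"  # Bitwarden's default match type


@dataclass(frozen=True)
class Login:
    name: str
    uris: List[LoginUri]


def _host(url: str) -> str:
    # Add a scheme if missing so urlsplit recognises the netloc.
    parts = urlsplit(url if "://" in url else "https://" + url)
    return parts.hostname or ""


def _base_domain(url: str) -> str:
    labels = _host(url).split(".")
    return ".".join(labels[-2:])  # simplification: no public suffix list (assumption)


def uri_matches(saved: LoginUri, page_url: str) -> bool:
    """Does the saved URI, under its match type, apply to page_url?"""
    m = saved.match
    if m == "never":
        return False
    if m == "exact":
        return page_url == saved.uri
    if m == "starts_with":
        return page_url.startswith(saved.uri)
    if m == "regex":
        return re.match(saved.uri, page_url) is not None
    if m == "host":
        # Host compares the hostname only in this example (the real clients also compare the port).
        return _host(page_url) == _host(saved.uri)
    if m == "base_domain":
        # Matches every host under the same registrable domain, including sibling subdomains.
        return _base_domain(page_url) == _base_domain(saved.uri)
    raise ValueError(f"unknown match type {m!r}")


def logins_for_page(vault: List[Login], page_url: str) -> List[str]:
    """Names of the vault entries the extension would offer for page_url."""
    return [entry.name for entry in vault if any(uri_matches(u, page_url) for u in entry.uris)]


# Constructed vault: one identity shared by two sites, plus a deliberately strict copy.
VAULT = [
    Login("Example SSO", [LoginUri("https://accounts.example.org"), LoginUri("https://shop.example.org")]),
    Login("Example SSO (strict)", [LoginUri("https://accounts.example.org", "host")]),
    Login("Internal wiki", [LoginUri(r"^https://wiki\.example\.net/(docs|team)/", "regex")]),
]

if __name__ == "__main__":
    for url in (
        "https://accounts.example.org/login",
        "https://evil.example.org/login",  # sibling host: only the base-domain entry is offered
        "https://wiki.example.net/docs/vpn",
        "https://wiki.example.net/public/",
    ):
        print(url, "->", logins_for_page(VAULT, url))
```

The sibling-host case is the one to notice: a base-domain match is what makes one entry work across accounts.example.org and shop.example.org, but it will also offer the login on any other host under example.org. For sites that hand out subdomains to untrusted users, tighten the entry to host or exact matching.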

Unlike Passbolt, Bitwarden prompts me to save a newly generated password right away when I change a password on a website, so the problem of losing passwords described above does not arise.

Android app

The Bitwarden Android app is also feature-complete. It can be used to manage the vault, change account settings or even delete the account. It also has more features than Passbolt's, such as locking with a PIN and inline autofill (with a supported input method).

Linux app

Bitwarden also offers desktop apps for Linux, macOS and Windows. I have only tried the Linux app, and it looks feature-complete as well, apart from browser integration, which is not supported there.

Conclusion

I exported my data from Passbolt in Bitwarden format and imported it into Bitwarden. The OTP seed, however, was not transferred, and I had to use a recovery code to regain access to that account. Fortunately I had only added one OTP to Passbolt.

I have since removed Passbolt from my server and revoked the PGP key I created for it, and I am now using Bitwarden, which is of production-grade quality. Unfortunately Passbolt is just too immature, and it does not offer the integration with the wider PGP ecosystem that I expected. In an ideal world, the Android app would talk to OpenKeyChain and the browser extension to GnuPG. Neither has happened. If in future a password manager is designed to work with the PGP tools already installed on a system, I will consider it again.
