On 5/23/25 5:38 PM, mo wrote:
> Hi I'm currently using the KeePassXC desktop application with the database
> stored on a USB drive to manage my passwords. However, this setup has
> become inconvenient when I travel and forget to bring the USB, or when
> sharing updated login information with others, as I need to manually update
> their USB drives each time.
> 
> Consequently, I'm looking for a reliable online password manager with
> robust login security. Proton Pass seems promising, but I'm unsure about
> the strength of its login security features. Enpass also looks good.

If you are looking for an 'online' password manager, my preference is 
for a self-hosted in-network vaultwarden [0]. In order to access the 
password manager you have to VPN in. You can also set your client to 
'cache' the database.

Any other third-party password managers essentially have access to your 
password which imho is not good.

> Could you please advise on the most secure method for password storage
> login? I understand that TOTP and text-based MFA are not the most secure
> options.
> 
> Is multi-factor authentication (MFA) using a hardware key like a YubiKey
> considered the best approach?
> 
> Additionally, I'm curious about creating my own encrypted hardware key
> stored on a USB drive. Currently, the key file I use with KeePassXC is
> unencrypted. If someone were to obtain the USB and know my master password,
> they could access my password storage. How can I encrypt this key file with
> its own unique password? My goal is to require someone to have the USB,
> know the password to decrypt the key file on the USB, and know my online
> database master password to gain access
> 
> Or is using a non-encrypted key file on a USB drive sufficient for 
> security?

IMHO the key file is enough security. Something you know (master 
password), and something you have: a separate key file. Obviously this 
makes it such that a compromised USB key means both the key file and 
database are compromised.

A happy medium that is available for KeePassXC users is getting a FIDO2 
key and making that the 'separate key', i.e. your USB storage contains the 
database, the FIDO2 key is a separate hardware 'key' and your master 
password decrypts it all. [1]

> Also, is there an online password storage solution that asks for both a
> master password & key file in order to login?
> 
> Thank you for your guidance

-Eldo

[0] https://github.com/dani-garcia/vaultwarden
[1] https://keepassxc.org/docs/#faq-yubikey-why-hmac-sha1
