- Last update:

On Storing Passwords In A Safe Way

My journey towards increased security

🕒 5 min read

Category: Computers

Tags: password, security

It's been a while since I last wrote here... Let's fix this with a new article on an important topic.

Storing passwords

For a very long time I have stored my passwords within Firefox, synced "in the Cloud" through my Firefox account. This solution offers four main advantages:

While this solution had seemed like a good one for a while, I recently thought I could do better than putting my trust in a company - even though Mozilla is respectable and trustworthy. Eventually, every big company gets hacked and I don't really know how they encrypt my data on their servers.

Moreover, I wanted to be able to safely backup my passwords somewhere (offline, if need be, or elsewhere). My past solution had a flaw: were I to lose my laptop and smartphone (theft, apartment burns dowm, earthquake, whatever), I'd have no way to recover my passwords since I don't know any of them, not even my Firefox password (what good would it be for anyway, since two factor authentication is enabled and my two only trusted devices would be lost).

Side note on this topic: I always randomly type my passwords as I create accounts. I don't use services that generate them for me (like Dashlane or Lastpass to mention a few). I don't trust these programs to store my passwords (we'll see why in a bit). Nonetheless, I always make sure to include capital letters, numbers and special characters, with a length greater than 8.

With this all in mind, I needed to find a solution that could fulfill the following requirements:

Market analysis


Apparently a great tool, I've read a lof of good reviews. Advocated by the famous website Have I Been Pwned. However, since this is proprietary software, it is de facto a no-go for me. Plus it's a paid service.


A tool initially made for Windows.



Pass (Linux CLI)

A tool for Linux (CLI) based on GPG. Convenient on a laptop, not very much on a mobile phone. However, I tend to trust a CLI tool more than Keepass. One of the reasons I guess is that it's on the official Linux distributions repos.

In case of phone loss, here is a nice way to restore the code on your phone by generating QR codes from what's stored in pass:

sudo apt install qrencode
find .password-store/ -type f -iname "*.otp.gpg" -printf '%P\n' | sed -n 's|\.gpg||p' | while read f; do pass "$f"; done | while read s; do qrencode -o - "$s" | display; done



Dashlane and Lastpass

Proprietary software: no go.

One cool feature Dashlane offers that is worth mentioning though: setting an emergency contact for your important accounts in case of a critical matter. I wish other tools offered the same feature.


Seems like I'll either go with either Keepass or Pass. I'll update this article as I become familiar with either of them.

Update January 2019: I've been using pass for a few months now and am very satisfied so far.

Another topic: two-factor authentication

For this one, I felt that storing my secrets on my phone (Google Authenticatgor to name it) only sounded a little too much like a Single Point of Failure. Should I ever lose access to my phone for any reason, I'd be locked out of services with two factor authentication enabled. Time had come to find a way to save a backup of these secrets.

To do so, I developed my own solution: gauth2. It is forked from another project (gauth). I improved it and redesigned it a bit. I also added some features.

How does it work? Well, it is a web app that stores in one's browser (in the LocalStorage, to be precise) one's secrets and generate One Time Passwords based on these secrets. The secrets can even be encrypted with a password, to prevent someone with access to the browser from stealing the secrets. It also allows secrets to be exported and imported for more convenience. I am very satisfied with it so far. This, on an encrypted laptop, coupled with Google Authenticator, is a pretty solid combination.

Hope this helps. Cheers!

Online resources