Sunday, March 12, 2017

Bonds and the Upsides/Downsides of Interest Rate Changes

Scope Of This Post

One discussion I keep having with people centers around the hypothetical scenario of a person buying bonds and then interest rates changing.  In particular, people seem to be worried about buying bonds and then seeing interest rates increase (especially an unexpected increase, since expected increases are supposedly already priced into bonds).

My assertion is that although an investor would have benefited from delaying purchase of bonds until after the (unexpected) increase in interest rates, an investor holding pre-existing bonds is not necessarily worse off when interest rates increase.

For most of my post, I will be talking about interest rates changing but inflation staying constant.  Also, the characters in my stories like to buy 3-year bonds and only 3-year bonds.  So, when my story involves "interest rates changing from 5% to 6.9%", I'm specifically talking about the interest rates for 3-year bonds only.  I know the world has more than 3-year bonds, but I'm keeping my stories short and simple.

I will also ignore callable bonds, TIPS, taxes, and default risk; I believe those concepts do not change the conclusions about the benefits/harms of interest rate changes on bond holders.

I welcome comments and especially corrections to the assertions I make in this post.


A Very Brief Review of Bonds And Some Shorthand Notation

I will try to use standard bond terminology, but I will also use some custom notation to tersely describe bonds with different coupon rates and times until maturity.

When I say, "2 of Bond{5/100,3y}", that will mean I am talking about holding 2 bonds that have a $5 annual coupon, and have a $100 redemption payment in 3 years.  A holder of 2 of Bond{5/100,3y} will receive:
  • 2*$5 coupons ($10) 1 year from now
  • 2*$5 coupons ($10) 2 years from now
  • 2*$5 coupons ($10) 3 years from now
  • 2*$100 redemption payments ($200) 3 years from now

Once we simplify things by ignoring that bonds have different maturities and credit risks, we can see that bonds compete price-wise so that their yield-to-maturity (YTM) is equal to the market interest rate, regardless of coupon rate and face value.  Some simple example relationships between price and yield-to-maturity...
  • If a Bond{5/100,3y} is priced at face value ($100), then the yield-to-maturity (YTM) is 5%.
  • If the market interest rate is 5%, then a Bond{5/100,3y} will be priced at $100.
  • If a Bond{5/100,3y} is priced at $95, then its YTM is 6.9%.
  • If the market interest rate is 6.9%, then a Bond{5/100,3y} will be priced at $95.
Thus, in an interest rate environment of 5%, a Bond{5/100,3y} will be priced at $100, but if the interest rate increases to 6.9%, the Bond{5/100,3y} will drop in price to $95.  If YTM is an interesting new concept to you, or you wonder why price depends on YTM so heavily, I would recommend googling and reading up on: "time value of money", "internal rate of return", "bond pricing", and "bond yield to maturity".

Super-DUPER Fun Fact: When someone accuses you of being a "fat cat, clippin' your coupons!", they are not talking about clipping coupons to save money at the grocery store.  They are referring to many years ago when bond owners would clip physical coupons from their bond certificates so they could exchange the coupons for payment.


Interest Rate Hikes Help Those Who Can Invest In The New Bonds

My basic assertion is that a bond holder benefits from an increase in interest rates as long as that bond holder is able to reinvest at that higher interest rate.  As a rule of thumb, someone maintaining or increasing his bond holdings will benefit, and someone who is heavily decreasing his bond holdings over time will be hurt.

This assertion comes from the fact that a bond holder's future cash flows from a particular bond are unchanged by changes in interest rates.  If you buy and hold a Bond{5/100,3y}, you're going to get the same coupon payments and redemption payment regardless of changes in interest rates.  And if interest rates have increased, that means your coupon and redemption payments are able to buy BETTER bonds with BETTER returns than you could before.  Your cash flows have remained the same, and the returns on investing those cash flows (in new bonds) have increased.

People often object along the lines of, "but let's say that interest rates increase from 5% to 6.9% and my holdings of Bond{5/100,3y} decrease in price from $100 to $95; surely I am poorer after the increase in interest rate".

I will say yes, you are worse off if you immediately need to liquidate your bond holdings, but you are better off if you can use your coupon and redemption payments to purchase bonds at the new 6.9% YTM.

It's kind of like asking "would you rather have $100 and 5% returns on bonds or $95 and 6.9% returns on bonds?".  It depends on when you want to cash in on your bonds.


Example1: Larry, Who Reinvests Everything

Let's do an example with Larry and see how Larry's life is affected by changes in interest rates:
  • Larry holds 1 Bond{5/100,3y}.
  • The market interest rate is 5%
    • Larry's bond holdings are priced at $100
    • Larry plans to reinvest all of his coupon and redemption payments (always in 3 year bonds).  Thus, his holdings will grow at an annual rate of 5%.
    • As the years go by at this interest rate, his holdings will be valued at: $105.00, $110.25, $115.76, $121.55, ...
  • Suddenly interest rates change to 6.9%.
    • Larry's bond holdings are now priced at $95
    • Larry continues the plan of reinvesting everything, thus his holdings will grow at an annual rate of 6.9%
    • As the years go by at this interest rate, his holdings will be valued at: $101.56, $108.56, $116.05, $124.06, ...
  • 20 years pass at the 6.9% interest rate, and Larry finally sells his bonds to buy an abandoned coal mine to live in.
  • Note that after at least three years pass, Larry is richer in the 6.9% interest rate scenario than the 5% interest rate scenario.  This happens whether he holds onto his Bond{5/100,3y} for a while, or trades it immediately for a fractional 0.95 of a Bond{6.9/100,3y}.
I feel it is uncontroversial to say that Larry benefited from the increase in interest rates.  Larry should welcome an increase in interest rates even after he first bought bonds, as that increase gets him closer to that sweet, sweet abandoned coal mine.  Only if Larry had to liquidate his bond holding after the interest rate increase but before three years had passed would he have been hurt by the increase.


Example2: Moe, Who Was Happy With Beans But Got More


For another example, let's pretend Moe holds 1 Bond{5/100,3y} while interest rates are at 5%.  Moe is different from Larry; Moe needs $5 per year from this bond holding to spend on food and clean drinking water.
  • Moe holds 1 Bond{5/100,3y}
  • The market interest rate is 5%
    • Moe's bond holdings are priced at $100
    • Moe plans to spend all his 5% coupons on food/water and to use all redemption payments on repurchasing 3-year bonds.  Thus, his holdings and his spending will stay constant.
  • Suddenly interest rates change to 6.9%.
    • Moe's bond holdings are now priced at $95.
    • Moe continues his plan of spending $5 per year on food and clean drinking water.
    • Moe decides to sell his 1 Bond{5/100,3y} at $95 and purchase a fractional 0.95 of Bond{6.9/100,3y} for $95.  This bond trade is not necessary, but it makes the example much simpler.
    • Moe is now getting annual $6.56 coupons (0.95 * $6.90 = $6.56), but only needs $5 per year.  Moe can now start getting growth on his bond holdings by reinvesting part of the coupon payments.  Moe also has the option to upgrade his lifestyle by increasing his spending.  Hopefully people won't think Moe is "putting on airs" when he buys a tin cup and spoon.  It's okay to enjoy the luxuries in life.
I feel it is uncontroversial to say that Moe benefited from the increase in interest rates.  Even if Moe had been slowly eating into his principal, Moe would still benefit from the increase in interest rates.

For instance, imagine an alternate Moe, who has annual expenses of $10 per year, which he finances through coupon payments and selling of pieces of his bond.  If the interest rate stays at 5%, he'll run out of money in ~14.1 years.  The interest rate increase to 6.9% lets his money last ~15.5 years.  Alternate Moe also benefits from the interest rate increase.  If Alternate Moe's annual expenses are greater than ~$23.10, he'll start to get hurt by the interest rate increase.


But Larry/Moe Would Have Been Even Richer If...

A possible objection to my examples is that Larry (and Moe) both suffered an initial $5 loss as their bond holdings went from $100 to $95.  If only Larry had the $100 in cash, and bought the bonds AFTER the interest rate increase, then this alternate Larry would not suffer any loss at all and is always in a better position than the original Larry.

Yes, Original Larry is worse off than Alternate Larry, but both of them benefited from the increase in interest rates.  Larry might feel bad that he could have ended up even richer if he had just been able to foresee the unexpected increase in interest rates, but maybe Larry should focus on his improved situation for 3+ years from now.  I would also urge Larry to not try to "beat the market" in his predictions of interest rates.
 
Again, when Larry is holding his Bond{5/100,3y} at a market interest rate of 5%, he should welcome an increase in interest rates rather than worry about his exposure to interest rate risk.  If interest rates increase, Larry's bond will be worth fewer dollars, but Larry will be better off.


Example3: Groucho, Who Couldn't Afford His Tin Roof

Interest rate increases are not good for everyone. This example has someone who is hurt by an interest rate increase.
  • Groucho holds 1 Bond{5/100,3y}
  • The market interest rate is 5%
    • Groucho's bond holdings are priced at $100
    • The weatherman forecasts that it will start raining in one year.  Groucho wants to buy a $105 tin roof in one year so he'll be able to stay dry while sleeping.
    • Groucho's plan is in one year to collect one $5 coupon and then sell his bond for $100.
  • Suddenly interest rates change to 6.9%.
    • Groucho's bond holdings are now priced at $95.
    • At this interest rate, in one year Groucho will be able to collect a $5 coupon payment and sell his bond for $96.56 (that's the price that at that time gives his bond a YTM of 6.9%); at that time, Groucho will only be able to buy a roof that costs $101.56.
    • Alternatively, Groucho could right now exchange his 1 Bond{5/100,3y} for a fractional 0.95 of Bond{6.9/100,3y}.  Then, in one year, he'll collect a $6.56 coupon and be able to sell his fractional bond for $95.  He'll still end up with $101.56.
  • A year passes at the 6.9% rate, and Groucho buys a $101.56 roof.  But, as we know, roofs below $102 are a bit leaky, and Groucho is not able to stay dry at night.  As a direct result, he dies from several diseases.
I feel it is uncontroversial to say that Groucho was hurt by the increase in interest rates.
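Every number in the examples so far falls out of one pricing formula.  The following Python is an added example written for this edit, not code from the original post: it prices the Bond{coupon/face,Ny} notation as the present value of its cash flows at the yield-to-maturity (annual coupons, annual compounding), solves for YTM by bisection, and then reproduces Larry's holdings path, the point at which the 6.9% scenario overtakes the 5% scenario, Alternate Moe's years until the money runs out together with the break-even spending level, and Groucho's $101.56 one year on (bond_ytm also checks the 1.65 percentage point cushion quoted in the addendum that follows).  The one assumption added is the timing of Alternate Moe's withdrawals, taken here as $10 at the end of each year, since the post does not state a convention; under that convention the year counts come out slightly above the post's ~14.1 and ~15.5, the break-even spending lands near the post's ~$23.10, and the conclusion is unchanged.  The function and variable names are the example's own.

```python
import math
from typing import List, Tuple

# Added example (not from the original post): prices the post's
# Bond{coupon/face, years} notation with annual coupons and annual
# compounding, then re-derives the numbers used for Larry, Alternate Moe
# and Groucho.  Inflation, taxes, default and callability are ignored,
# exactly as the post does.


def bond_price(coupon: float, face: float, years: int, ytm: float) -> float:
    """Present value of the coupons and the redemption, discounted at `ytm`."""
    pv_coupons = sum(coupon / (1 + ytm) ** t for t in range(1, years + 1))
    return pv_coupons + face / (1 + ytm) ** years


def bond_ytm(price: float, coupon: float, face: float, years: int) -> float:
    """Yield at which bond_price() equals `price`, by bisection.  Price is a
    strictly decreasing function of yield, so the bracket can only shrink."""
    lo, hi = -0.5, 5.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if bond_price(coupon, face, years, mid) > price:
            lo = mid          # still priced too high: yield must be higher
        else:
            hi = mid
    return (lo + hi) / 2


def holdings_path(start: float, rate: float, years: int) -> List[float]:
    """Larry's plan: every coupon and redemption is reinvested at `rate`, so the
    holding is worth start*(1+rate)^n after n years.  Returns years 1..years."""
    return [start * (1 + rate) ** n for n in range(1, years + 1)]


def years_until_richer(new_value: float, new_rate: float,
                       old_value: float, old_rate: float) -> float:
    """n solving new_value*(1+new_rate)^n == old_value*(1+old_rate)^n, i.e. how
    long until the post-hike holding overtakes the no-hike holding."""
    return math.log(old_value / new_value) / math.log((1 + new_rate) / (1 + old_rate))


def years_until_broke(start: float, rate: float, spend: float) -> float:
    """Alternate Moe.  Assumed convention: `spend` is withdrawn at the END of each
    year, so the balance follows W_n = W_{n-1}*(1+rate) - spend.  Unrolling gives
    W_n = spend/rate - (spend/rate - start)*(1+rate)^n, which reaches zero when
    (1+rate)^n = spend / (spend - rate*start).  If spend <= rate*start the
    coupons alone cover the spending and the money never runs out."""
    if spend <= rate * start:
        return math.inf
    return math.log(spend / (spend - rate * start)) / math.log(1 + rate)


def breakeven_spend(start_a: float, rate_a: float,
                    start_b: float, rate_b: float) -> float:
    """Annual spending at which scenarios A and B run dry in the same year.
    Bisection on the difference of years_until_broke(); the search assumes B
    outlasts A at low spending and A outlasts B at very high spending, which
    is the Moe case (B = 6.9% on $95, A = 5% on $100)."""
    def diff(spend: float) -> float:
        return (years_until_broke(start_b, rate_b, spend)
                - years_until_broke(start_a, rate_a, spend))
    lo = max(rate_a * start_a, rate_b * start_b) + 1e-6   # both finite from here
    hi = 10 * max(start_a, start_b)
    if not (diff(lo) > 0 > diff(hi)):
        raise ValueError("no crossover in the search interval")
    for _ in range(200):
        mid = (lo + hi) / 2
        if diff(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def groucho_after_one_year(rate: float) -> Tuple[float, float]:
    """Cash Groucho has in one year if 3-year rates jump to `rate` today.
    keep: collect the $5 coupon and sell what is by then a Bond{5/100,2y}.
    swap: exchange now for 0.95 of Bond{6.9/100,3y}, collect its coupon, sell."""
    keep = 5 + bond_price(5, 100, 2, rate)
    swap = 0.95 * (6.9 + bond_price(6.9, 100, 2, rate))
    return keep, swap


if __name__ == "__main__":
    print(f"Bond{{5/100,3y}} at 6.9%: ${bond_price(5, 100, 3, 0.069):.2f}")
    print(f"YTM of Bond{{5/100,3y}} at $95: {bond_ytm(95, 5, 100, 3):.2%}")
    print("Larry at 5%:  ", [round(v, 2) for v in holdings_path(100, 0.05, 4)])
    print("Larry at 6.9%:", [round(v, 2) for v in holdings_path(95, 0.069, 4)])
    print(f"6.9% overtakes 5% after {years_until_richer(95, 0.069, 100, 0.05):.2f} years")
    print(f"Alternate Moe: {years_until_broke(100, 0.05, 10):.1f} years at 5%, "
          f"{years_until_broke(95, 0.069, 10):.1f} years at 6.9%")
    print(f"Alternate Moe break-even spending: ${breakeven_spend(100, 0.05, 95, 0.069):.2f}")
    print("Groucho in one year: keep=%.2f swap=%.2f" % groucho_after_one_year(0.069))
```

The keep/swap pair for Groucho coming out equal (both $101.56) is the same point the Larry and Moe examples rely on: once the price has adjusted, holding the old bond and holding a fractional new bond of the same maturity are the same position.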


Example 3 Addendum: Groucho Was Not Foolish

I've gotten feedback that Groucho comes off as foolish, since he gambled on a 3-year bond, and died as a result of the gamble.  I will flesh out Groucho's story some more, to show that Groucho was not necessarily foolish in his purchase of a 3-year bond.

Let us go back in time to just before Groucho buys 1 Bond{5/100,3y}, and let's imagine that Groucho has $100 in cash.  Also, Groucho's labor income perfectly matches his ongoing expenses, so this $100 is his only way to prepare for a purchase of a roof in one year.  Imagine that Groucho has the following investment opportunities available to him:
  • Groucho could keep the $100 in cash for the whole year, but that would only leave him with $100 to buy a leaky roof.  This strategy seems guaranteed to end badly (leaky roof).
  • The market is offering Bond{1/100,1y} for $100.  Groucho could buy one of these 1-year bonds and have $101 in one year, regardless of changes in interest rates.  This strategy also seems guaranteed to end badly.
  • The market is also offering Bond{5/100,3y} for $100.  Groucho could buy one of these 3-year bonds and have $105 or more in one year as long as 3-year interest rates don't increase.  Also, interest rates can rise up to 1.65 percentage points, and Groucho will still end up with a $102 leakproof roof or better.  This strategy has a chance of working, but Groucho is somewhat exposed to interest rate risk.
  • The market is also offering Bond{6/100,30y} for $100.  Groucho could buy one of these 30-year bonds and have $106 or more in one year as long as 30-year interest rates don't increase.  A $106 roof sounds really nice, but if 30-year interest rates increase by more than 0.3 percentage points, Groucho will end up with a <$102 leaky roof.  This strategy has a chance of working, but Groucho is heavily exposed to interest rate risk.
  • Groucho could keep the $100 in cash, and maybe later buy some bonds once interest rates increase.  Unfortunately, the longer Groucho waits, the bigger the interest rate increase would have to be in order to end up with $102 or more dollars at year's end.  This strategy has a chance of working that depends on Groucho being smarter than the market (ugh).  Groucho would be exposed to a "reverse" interest rate risk of sorts.
So, what should Groucho do if he wants to maximize his chances of a leakproof roof?  Among this simplified list of opportunities, buying a Bond{5/100,3y} for $100 seems like Groucho's safest option.  Yes, Groucho would be "gambling" by buying a 3-year bond, but it would be silly to prefer guaranteed failure over a "gamble" that might succeed.


But What About Inflation?

The previous examples all assumed no inflation.  If the previous examples were altered to include a constant 1% inflation (that was already expected by the market), that would change the expenses for Moe and Groucho, but the conclusions of who was helped and hurt by the change in interest rates would remain the same.

If interest rates increased unexpectedly from 5% to 6.9% only because of an unexpected increase in inflation from 0% to 1.9%, that would hurt all bond holders.  But it's the unexpected increase in inflation that is the villain, not the increase in interest rates.  Unexpected increases in inflation always hurt holders of fixed-rate securities.


But What About Bond Funds?

The previous examples had characters that held individual (or even fractional) bonds, and sometimes chose to reinvest coupon payments and/or redemption payments in new bonds.  The stories do not change if the characters instead held bond funds that initially held 3-year bonds.

In each of the examples, the fate of the characters was always unchanged when they swapped out a bond for another bond of the same maturity.  The only thing that mattered was whether the characters decided to buy or sell bonds and at what times they did it.  It's the same thing with an ever-replenishing bond fund: the constant swapping out of bonds doesn't matter; the timing of your buying or selling that bond fund matters.




But What If Interest Rates Go Down?

If interest rates decrease, then the prices of current bonds will go up.  Pre-existing bond holders will be able to sell their bonds at a profit (and perhaps reinvest in something else) or stay in bonds if they wish.  As we've previously shown, (ignoring transaction costs and taxes) it does not matter if the bond holders keep their old bonds or swap them for new bonds of same maturity.

The downside of an interest rate decrease is that further investment in bonds will now give a lower return than before.  It might be proper to increase your allocation of other asset classes to best suit your desired risk-and-return profile.

The possibility of interest rates unexpectedly going down is not an argument against holding bonds now.  A decrease in interest rates helps people currently invested in bonds and hurts people who want to invest in bonds in the future; you can be both types of people at the same time.


It Sounds Like Interest Rate Risk Isn't Really A Risk?

No, there are definitely bad possibilities that can arise from changes in interest rate.  The longer the maturity of a bond, the worse it will be hit by an interest rate increase.  This interest rate risk is part of why long term bonds are often priced to have higher YTM than short term bonds.  So, the increased YTM creates a temptation to buy a bond that you'll need to sell before the redemption date.

Imagine a Bond{4/100,1y} and a Bond{5/100,30y}, both priced at $100.  Like Groucho, you'd love to have $105 in one year for a tin roof.  Unfortunately you only have $100 dollars right now.  The 1-year bond is guaranteed to leave you $1 short.  The 30-year bond will let you have your beloved $105 tin roof as long as interest rates don't go up before you sell the bond.

Are you nervous?  You can live with a $104 roof...but you'd really love to have a $105 tin roof, BUT if interest rates go down even a little bit, then the 30-year bond could let you have a ridiculously luxurious $110 roof, BUT BUT that 30-year bond could easily lead to a roof below $102 WHICH MIGHT KILL YOU.  Will interest rates go up or down?  Why does this 30-year bond have to be so sensitive to changes in the interest rate?!?!?

That's interest rate risk.  Quite the roller coaster if you're hoping to sell some bonds way before their redemption date.


SO INTEREST RATE RISK IS LIFE AND DEATH?!

Well, if you're Groucho.  Re-reading the Larry and Moe examples might make you feel better.  Even Alternate Moe, who was aggressively liquidating ever increasing portions of his bond holdings, benefited from an interest rate increase.  But, thank goodness Alternate Moe was holding 3-year bonds and not 100-year bonds.

In general, if you're holding and buying N-year bonds, it takes N years or less to start to benefit from an interest rate increase.

Also, the word "risk" is heavily associated with "possible losses", but if you hold onto a bond until maturity, that bond is going to give you the same cash flows no matter what interest rates do.  So yes, there's risk in terms of uncertainty of how much you can sell your bonds for in the future, but a change in interest rates doesn't cause a loss of any future coupon or redemption payment.

Perhaps it is better for Larry and Moe to think of interest rate risk as mostly just a source of uncertainty.  Groucho can definitely think of interest rate risk as a source of potential losses.

Reminder: I'm ignoring default risk and inflation risk.  The possibilities of very real losses on bonds mostly come from those two risks.


Does Anyone Smart/Experienced Agree With Your Thesis?

I think so.  Part of the purpose of this post is to test that I have properly understood what I have read about bonds.  (Reading something and seeing if you feel like you understood it is not a good enough test.)

Here are some pieces by smart/experienced people that I believe are consistent with what I've been saying:
  • Why rising rates are good for long-term investors
    • "While bond prices take a hit initially when rates rise, income reinvested at higher yields not only helps to recover bond losses, but can also compound into a significant portion of a bond fund's long-term total return."
    • "Market expectations of a rate rise are already priced into the yield curve and, thus, reflected in bond prices. It's the surprise to expectations that moves rates and bond values."
  • For bondholders, rising interest rates can have an upside 
    • "Conventional wisdom holds that interest rate increases are bad for bond portfolios. But in fact, depending on your time horizon, you can benefit from rising rates."
    • "A helpful rule of thumb is that if your time horizon is longer than the duration of your bond fund, you stand to benefit"
  • Fear of interest rate risk creates opportunity costs   

Friday, December 16, 2016

Password Manager Versus the Alternatives

Scope of this Post

This post will show how using a password manager compares in security and convenience to the other major ways of managing account credentials: the password manager is the winner in both categories.  This post will also cover some common objections to using password managers.

The bottom line is:
  • The case for password managers is strong.  Security experts use and recommend them.  The remaining choices are which password manager to use, whether to use browser integration, and whether you want to keep a physically secure notebook for some of your accounts.

Note: by "password manager", I mean a standalone program dedicated to managing account credentials (username, password) and stores them in encrypted form, protected by a master password.  Web browser password managers will be addressed in their own section.

Also, I'd like to recommend 2FA for all accounts you have that are of even mild value. The security benefits are large and the inconvenience is small, regardless of whether you choose to use a password manager.

Convenience of Password Managers

Bottom line: once you've set up a password manager on your most commonly used devices, using it is extremely convenient and useful.  In some ways, it's quicker and more convenient than going without a password manager and having all your passwords be simply "a".

Reliable Access to Your Passwords

One of the biggest fears I had about a password manager was the possibility that I'd be cut off from my password database at times that I needed to log in to one of my accounts.  So far, this feared scenario has never happened, and it seems it will be very rare in the future.

First of all, it's actually rare for me to log in to an account from a device I don't use regularly.  I sign in to accounts from my work PC, my home PCs, and my smart phone.  The only exception since I started using a password manager was one time (over a year ago) where I logged in to my medical services account at a doctor's office.

Secondly, your smart phone can access and use your password database at basically any place or time.  When I wanted to log in at my doctor's office, I enabled mobile data, opened the password database on my phone, and then manually typed the username and password on the doctor's computer.  If you anticipate not having internet access on your phone during a need to log in somewhere, then have a local copy of the password database on your phone, and update it from time to time.  (If you are changing credentials or creating new accounts very frequently, that sounds like even more of a reason to use a password manager, not less.)

Thirdly, if for some strange reason you won't have access to your password manager via any of your devices, you can always remember or write down a few passwords.  Or, you can ask for a password reset using access to your email (your email password will be one of the few passwords I recommend you remember or write down in a safe place).

Speed and Ease of Logging In

Many people resist using a password manager because they believe that a password manager results in extra time and effort to log in to their accounts.  I was also worried about this when I was trying out KeePass, but this worry quickly went away as I found that logging in to accounts was faster and less effort than before.

If you've set up browser integration for KeePass, then providing your credentials for an account can be instant (auto-fill) or a few clicks away (KeeFox icon, click credential).  Usually I set up KeePass such that it times out after 4 hours of KeePass inactivity, or 2 hours of computer inactivity.  This means I usually have to enter my master password 0-2 times at work, and then 0-1 times at home.  Typing your master password up to 3 times a day is relatively painless.

I would say that logging into accounts using a password manager is overall quicker and more convenient than manual entry even if all my passwords were a single character.

When logging in to something on your PC but outside of a browser (like logging in to Skype or Steam), password managers still have hotkeys and features to make it quick to paste your username and/or password anywhere you want.

Account Management Is Much Nicer

One of the benefits that I anticipated but underestimated was how nice it was to have a single, up-to-date place that listed all of my accounts, with optional note-taking.  I don't need to manage, sync, and migrate web browser bookmarks to all my accounts, nor do I need to remember what URLs I need to go to in order to sign in (ex: Exactly which webpage or even website do you go to in order to log in to your CitiGroup Mastercard?  In KeePass, you just double-click on the URL portion of the appropriate entry.  It's extremely hard to find my 401k login page without the aid of a bookmark or password manager entry, even though I know exactly what website to go to. And the list goes on...)

I don't need to remember which usernames and how many usernames I have with each account provider.  It's just surprisingly nice to have a place where you can see your accounts and all the relevant information about them (and complete history if you so choose).

It is easy to foresee that a password manager makes the headache of remembering passwords much, much less painful, but it also reduces the pain of generating strong, unique passwords.  The pain of changing an account's password and remembering the new password is 99% gone.  Using a password manager has majorly reduced my account-related stress level.  I feel like I am in firm control of my accounts, rather than overwhelmed by them.

I also put stuff like my car's lock box combination in my password manager too, because I have forgotten that in the past.  Password managers can be used to store more secrets than just account credentials.

Security of Password Managers

Many people have security concerns about password managers, and it is good to be careful with your approach to passwords.  The following sections give reasons why password managers are overall a huge improvement in account security compared to the feasible alternatives.

A lot of security objections to password managers seem to come from a double standard, and any shortcoming compared to magical absolute security is sometimes claimed to be a deal breaker.  Keeping our focus on password managers versus their feasible alternative helps promote a fair evaluation of what choice we make for dealing with passwords.

Unfeasible Alternatives

There are a few major alternatives I consider to be as secure or slightly more secure than using a password manager, but are unfeasible for most people:
  • Keep a paper notebook with your credentials locked up in your safe (or a locked drawer) at home.  All passwords are strong and unique; you only remember the absolute minimum of passwords; perhaps you have a few passwords written down in your wallet.  This alternative is unbearably tedious and restrictive to most people.
  • Magically remember all your credentials, with every password being strong and unique.  This alternative is basically impossible for most people's combination of memory and number of accounts.  If you think you can do this, I urge you to consider the possibility that you are overestimating the strength/uniqueness of your passwords and the ability of your memory.
  • Remember a few of your credentials (with strong, unique passwords); frequently use password resets for the rest (like every time you log in).  I think most people would find this unbearably inconvenient, and there will be accounts where the password reset strategy won't work.  There might be also some security risks of this approach that I haven't thought of yet.
To repeat: the alternatives listed above have small security advantages and huge usability disadvantages compared to a password manager.  If you come away from this post thinking that password managers are unacceptably risky, then you're basically left with the passwords-in-a-safe-and-wallet approach.  It's okay to choose that option.  My biggest warning is that it is very easy for human-generated passwords to not be as strong as you think they are.  Use some trusted source of randomness to help make sure your passwords have enough entropy.

Also, it is okay to do a hybrid approach where the most crucial account credentials are kept in a physically secure notebook at home and the password manager holds everything else.  It might be acceptable to you that you can log in to your crucial accounts (ex: financial institutions) from home only.
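A strong, unique password is one drawn from a large space by a source of randomness you trust, and "enough entropy" can be put in numbers.  The block below is an added example written for this edit, not the post's code and not a KeePass feature: it draws passwords from Python's secrets module (the standard library's CSPRNG), keeps the result uniform over the compliant strings by rejecting candidates that miss a required character class rather than patching them, and computes the entropy both the naive way (length times log2 of the alphabet size) and exactly, by counting the compliant strings with inclusion-exclusion.  The character classes, lengths and function names are the example's own assumptions; the special-character set is the one the post quotes for Provider 2 further down.

```python
import math
import secrets
import string
from itertools import combinations
from typing import Dict, Tuple

# Added example, not code from the original post and not a KeePass feature.
# Character classes are assumptions chosen to look like a typical site policy;
# the special-character set is the one the post quotes for "Provider 2".
CLASSES: Dict[str, str] = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()+?",
}
ALL_CLASSES: Tuple[str, ...] = ("lower", "upper", "digit", "special")


def alphabet_for(required: Tuple[str, ...]) -> str:
    """Union of the named character classes."""
    return "".join(CLASSES[name] for name in required)


def is_compliant(candidate: str, required: Tuple[str, ...]) -> bool:
    """True when the string holds at least one character of every required class."""
    return all(any(c in CLASSES[name] for c in candidate) for name in required)


def generate(length: int = 20, required: Tuple[str, ...] = ALL_CLASSES) -> str:
    """Password drawn with the CSPRNG behind `secrets`, uniform over all strings
    of `length` that satisfy the class requirements.  Rejection sampling keeps
    the distribution uniform; "fixing up" a failed candidate by overwriting a
    position with a digit would instead bias where the digit lands."""
    alphabet = alphabet_for(required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_compliant(candidate, required):
            return candidate


def pin(digits: int = 6) -> str:
    """Fixed-length numeric PIN, zero-padded, from the same CSPRNG (for the
    providers that only accept a PIN)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def naive_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniform string with no class requirements: length * log2(N)."""
    return length * math.log2(alphabet_size)


def compliant_count(length: int, required: Tuple[str, ...]) -> int:
    """Number of strings over the union alphabet containing at least one
    character of every required class, by inclusion-exclusion over the classes
    that are missing: sum over subsets S of (-1)^|S| * (N - |chars in S|)^length."""
    sizes = [len(CLASSES[name]) for name in required]
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


def compliant_entropy_bits(length: int, required: Tuple[str, ...] = ALL_CLASSES) -> float:
    """Exact entropy of generate()'s output: log2 of the number of strings it
    can return.  Slightly below the naive figure, because "at least one of
    each" rules some strings out."""
    return math.log2(compliant_count(length, required))


if __name__ == "__main__":
    pw = generate(20)
    print(pw, is_compliant(pw, ALL_CLASSES))
    print(f"naive: {naive_entropy_bits(len(alphabet_for(ALL_CLASSES)), 20):.2f} bits")
    print(f"exact: {compliant_entropy_bits(20):.2f} bits")
    print(f"8 chars: {compliant_entropy_bits(8):.2f} bits; 6-digit PIN {pin()}: "
          f"{naive_entropy_bits(10, 6):.2f} bits")
```

Running it prints a fresh 20-character password and the entropy figures: about 124 bits for 20 characters over these 74 symbols, roughly 49 bits for 8 characters, and under 20 bits for a 6-digit PIN.  The gap between the naive and exact figures is tiny for long passwords and grows as the length shrinks, which is one more reason to let the manager pick the longest password a site will accept.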

The Very Similar Alternative, Web Browser Password Manager

Web browsers like Chrome and Firefox have password management features, including having remembered passwords stored in encrypted form, possibly protected by a master password.  As I understand it, there are a few shortcomings of browser password managers versus standalone password managers:
  • If you're not using a master password (I believe Chrome uses your Google password by default and that Firefox uses no master password by default), then your passwords are being stored in a format with no security.
  • It's painful (much time, many operations) and less secure to use those passwords outside the browser.  Once you've laboriously dug into the browser password manager and copied the appropriate password, that password is sitting in your clipboard history, which is not catastrophic, but is a security risk.
  • Makes it painful to use other browsers.  I use both Firefox and Chrome, and I don't want to be locked in to a particular browser, nor do I want to have to constantly sync stuff between browsers.
  • So far, browser password managers do not help you generate strong, unique passwords.  This is a big deal.  Humans need assistance in order to generate strong, unique passwords.  Lack of help also means you will tend to make your passwords less strong and unique.
  • Browser password managers lack a lot of other nice features for managing your accounts, like versioned history, notes, icons, folders, and so on.
If you are using a browser password manager appropriately (using a strong master password; your accounts have strong, unique passwords; you're aware of the security risks) and you find the inconveniences acceptable, then I'm not going to yell at you that you need to change your ways.  The reason I have a bunch of posts pushing a standalone password manager is that it allows humans to safely store and use strong, unique passwords.  You don't have to accomplish that goal exactly like I do it.

Beyond the technical shortcomings, a big reason why I don't recommend using a browser password manager is that these shortcomings seem to lead humans to not use strong, unique passwords.

Much Less Secure Alternatives

My judgement is there is only one remaining category of notable alternatives to password managers: alternatives that are viewed as usable/convenient but are much less secure.

Simple File Containing Passwords

You have some spreadsheet, Word doc, or plain text file with account provider info, usernames, and passwords.

The comparison to a password manager is pretty straightforward: it's basically a poor password manager missing out on several important security and convenience features.  If your simple file contains password hints instead (and let's be generous and assume these hints don't significantly assist an attacker), it's very hard for you to also be achieving strong, unique passwords.

Remembering Many Passwords

You try to remember many or all of your passwords.  Due to the limitations of human memory, there will be some combination of reused and weak passwords.  Perhaps you have a tiered system where a password is reused across accounts of similar importance and security precautions.  For instance, throwaway accounts get one password; stuff like Twitter and Facebook get another; Amazon and eBay another; financial institutions and email get another or maybe each get their own.

This alternative is a clear loser in susceptibility to all of the biggest account security risks compared to properly using a password manager.

Password Generation Scheme

You have some algorithm where the account provider name, some secret text, and maybe the username are combined to generate a password for an account.  For instance, the common secret text might be "4secretthing", and you combine that with the first four letters of the account provider name such that your passwords will be "AM4secAZretthing", "EB4secAYretthing", "GO4secOGretthing", for Amazon, eBay, and Google, respectively.

Simply put, this approach doesn't even work.  You can not have a single scheme work across accounts or over time.  Account providers have all sorts of password requirements that will contradict each other.  The most notable example is that some airlines and banks will give you a user id that is a number and let you choose a 4 digit PIN/password.  Many of the following are from the results of a Google image search for "password requirements".
  • Provider 1
    • Length: 6 to 10 characters
    • Letters and digits: allowed
    • Special characters: not allowed
    • Can't contain two separated numbers
  • Provider 2
    • Length: 8 to 20 characters
    • Lowercase letters: at least 1
    • Uppercase letters: at least 1
    • Digits: at least 1
    • Special characters: at least 1 of "!@#$%^&*()+?"; others are forbidden
  • Provider 3
    • Length: exactly 8 characters
    • Letters: at least 1
    • Digits: at least 1
    • Special characters
      • at least 1 of "@#$"; others are forbidden
      • not allowed in first or last position
    • No character can be the same as an adjacent character
    • New password can not be too similar to previous password.
      • New password that contains 3 characters in common with old password at same spot is unacceptable.
  • Provider 4
    • User id: a long number
    • Password: 6 digit PIN
  • Provider 5 and Provider 6
    • User id: a long number
    • 4 digit PIN
  • Provider 7
    • Length: exactly 8 characters
    • Letters: at least 2
    • Digits: at least 2
  • Provider 8
    • Length: exactly 12
    • Letters: at least 1
    • At least one digit or special character ("!#$%").
    • At least 6 characters must occur only once.
    • Can not contain any string that is also contained in the username (I wonder exactly how strict this is).
    • No common/sequence strings like "abcd", "1234", or "2468" (again, exactly how strict is this?)
Yes, there are some weird ones in there, but it is very common to encounter contradictory requirements on password length and special characters.  It's also not unusual to encounter a prohibition on having recognized words anywhere in your password, or a prohibition on new passwords being similar to old ones.  I also have a few accounts that have weird username requirements (or long user ids that are assigned to me).  One scheme will not work for all of your accounts.  Three schemes still won't work for all of your accounts.

One scheme won't even work for one account.  You need to be able to change your passwords and PINs.  What do you do when LinkedIn forces you to change your password because of a security breach?  What do you do when LinkedIn rejects your new password for being too close to your old password?

With contradictory password requirements and changing passwords over time, you are back to remembering a lot of passwords, which doesn't work out well either.

I also worry about the strength and uniqueness of passwords generated by manual algorithms.  I have a few other worries as well.  Perhaps in the future I will elaborate on these worries.  In the meantime, I think this post does a good job of pointing out the shortcomings even when you have software do the generation for you such that each password is strong and unique.
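To make the "contradictory requirements" point concrete, here is an added example (my own code, not part of the original post) that encodes five of the provider policies listed above as simple rule sets, reproduces the post's illustrative "4secretthing" scheme, and checks the scheme's output against each policy.  The policy dictionaries are my transcription of the list; rules that were too vague to encode (such as "two separated numbers" or similarity to the previous password) are left out, so the real policies are stricter than what is checked here.

```python
def scheme_password(provider, secret="4secretthing"):
    """The manual scheme from the post: first two letters of the provider name,
    first four characters of the secret, next two provider letters, rest of secret."""
    name = provider.upper()
    return name[:2] + secret[:4] + name[2:4] + secret[4:]


# Policies transcribed from the post's list (assumed encoding); rules that were
# too vague to encode are omitted, so these checks are lenient, not strict.
POLICIES = {
    "Provider 1": {"min_len": 6, "max_len": 10, "allowed_specials": ""},
    "Provider 2": {"min_len": 8, "max_len": 20, "min_lower": 1, "min_upper": 1,
                   "min_digits": 1, "min_specials": 1, "allowed_specials": "!@#$%^&*()+?"},
    "Provider 3": {"min_len": 8, "max_len": 8, "min_letters": 1, "min_digits": 1,
                   "min_specials": 1, "allowed_specials": "@#$",
                   "specials_not_at_ends": True, "no_adjacent_repeat": True},
    "Provider 4": {"min_len": 6, "max_len": 6, "digits_only": True},
    "Provider 7": {"min_len": 8, "max_len": 8, "min_letters": 2, "min_digits": 2},
}


def violations(password, policy):
    """Return the list of rules `password` breaks under `policy`; an empty list means accepted."""
    problems = []
    lo, hi = policy["min_len"], policy["max_len"]
    if not lo <= len(password) <= hi:
        problems.append(f"length {len(password)} not in {lo}..{hi}")
    if policy.get("digits_only") and not password.isdigit():
        problems.append("must be digits only")
    counts = {
        "min_letters": sum(c.isalpha() for c in password),
        "min_digits": sum(c.isdigit() for c in password),
        "min_lower": sum(c.islower() for c in password),
        "min_upper": sum(c.isupper() for c in password),
    }
    for rule, have in counts.items():
        need = policy.get(rule, 0)
        if have < need:
            problems.append(f"{rule[4:]}: have {have}, need {need}")
    specials = [c for c in password if not c.isalnum()]
    allowed = policy.get("allowed_specials", "")
    forbidden = [c for c in specials if c not in allowed]
    if forbidden:
        problems.append(f"forbidden characters {forbidden}")
    if len(specials) < policy.get("min_specials", 0):
        problems.append("special character required")
    if policy.get("specials_not_at_ends") and password and (
            not password[0].isalnum() or not password[-1].isalnum()):
        problems.append("special character in first or last position")
    if policy.get("no_adjacent_repeat") and any(a == b for a, b in zip(password, password[1:])):
        problems.append("adjacent repeated character")
    return problems


def scheme_survey(providers, secret="4secretthing"):
    """Apply the scheme to every provider name and report what each policy rejects."""
    return {p: violations(scheme_password(p, secret), POLICIES[p]) for p in providers}


if __name__ == "__main__":
    for provider, problems in scheme_survey(POLICIES).items():
        print(provider, scheme_password(provider), "->", problems or "accepted")
```

Every one of the five policies rejects the scheme's 16-character output for a different reason (too long, no special character, not a 6-digit PIN, and so on), which is the practical argument for letting a password manager generate a password per account and per policy instead.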

Password Managers Are Not Perfect, But They Seem To Be The Best We Have

Password managers are not the perfect solution that eliminates 100% of risk.  What they do is substantially reduce your overall risk; most of the major risks are reduced; some of the smaller risks stay the same, and some risks are increased.  The big security gains in the most important areas outweigh the small security reductions in other areas.  There is no perfect solution; password managers just happen to be the best option.

It seems like a lot of security experts consider password reuse and phishing to be the two biggest account security risks for individuals.   Proper use of a password manager solves the password reuse issue in a very direct manner.  A password manager can also reduce your vulnerability to phishing, because a password manager makes it easier to default to the https version of websites and a password manager won't be fooled by familiar-looking websites with familiar-looking URLs.  So, you'll be less likely to visit a phishing site and you'll have more warning signs and countermeasures if you get there ("Why doesn't my password manager say I have a login for this site?  Am I at the right place?").

For offline and online guessing attacks (which are still major risks), proper use of a password manager is again the clear winner in terms of you actually using strong, unique passwords that are resistant to these attacks.

The biggest downside of a password manager is you are putting many eggs in one basket.  If combining your eggs in one basket means you can protect your eggs a lot better, then perhaps one basket is the proper choice.  Just like storing valuables in a safe rather than scattering valuables around your house is a good choice.  The following sections will further illustrate why the one-basket downside of using a password manager is not much of a downside.

What If Bad People Get Their Hands On Your Password Database?

This is often one of the first questions raised once someone hears about password managers.  My password database file is encrypted with a high-entropy, unique master password.  My password database is also configured to take a lot of operations for each password guess such that guessing attacks are massively slowed.  Even with a massive password cracking cluster of today's GPUs, my master password should remain unguessed during my lifetime.  When technology changes enough to merit a password upgrade, I'll do that.  I change my passwords every 2 years anyway, so the strength of my master password is overkill by several orders of magnitude.

So, basically if some bad people get their hands on my password database file, I'll probably be fine.

My password database is stored on Google Drive.  If bad people got it from Google Drive, most of the time that means my Google account was compromised.  If bad people have control of my Google account, they can do a lot of damage without my passwords because my gmail account already tells them about my important accounts and lets them do a lot of password resets.  2FA can help a huge amount in this scenario (regardless of password manager or not).  So in a scenario that bad people compromise my Google account, they probably won't crack my password database within my lifetime, and even if they do, that does not cause huge additional damage.

Another possibility is bad people getting their hands on the unencrypted contents of my password database through password-manager-targeting malware on my computer or some exploit of my browser integration with my password manager.  Yes, it would be bad for malware or an exploit to expose my passwords to bad people, but if you have password-gathering malware on your computer, bad people are going to get a lot of your passwords (or account access through stored authentication tokens) regardless of whether you use a password manager.  Again, the additional damage from a password manager is not huge (and the benefits of 2FA are huge).

Why Should I Trust The People Behind The Password Manager?

For the same reasons that you trust Google, Microsoft, and/or Linux to a large extent.  Specific to KeePass, it's a long-lived, reputable, open-source password manager that has undergone serious security audits and has received recommendations from many security professionals and organizations.  If you really want a password manager where a company's financial future depends on providing a secure product, you can choose something from Norton, 1Password, and so on.

Expert Opinion On Password Managers

Using a password manager increases some very particular risks, but my semi-informed impression is that using a password manager is overall a huge decrease in risk versus the alternatives.  This endorsement of password managers also seems to be the judgment of the computer security experts.  Some very notable examples are Bruce Schneier, Troy Hunt, Per Thorsheim, National Cyber Security Centre of the UK Government and many other organizations.  Almost every article I read about password managers includes a recommendation to use them.  Even when I do Google searches for stuff like "password manager malware" and "password manager disadvantages", the people that discuss particular risks of password managers almost always still recommend using a password manager.

The times that people do recommend against password managers (one, two)...
  • Sometimes the option they recommend is the physical-notebook-in-a-locked-drawer option.  If that option is not acceptable for you, then a password manager is the next best choice.  Also, as I've said before, it is okay to do a hybrid approach of a physically secure notebook for some accounts, and a password manager for the rest.
  • Sometimes the option they recommend is the password generation scheme.  This doesn't work (see Password Generation Scheme section above), and plenty of other security experts disapprove of this methodology.
  • If you look closer at some of the people that an article portrays as against password managers, a lot of the time they are just recommending against web-based password managers, or they recommend not using browser integration, or they advocate being careful about which password manager you choose, but they are still advocating using a password manager.
  • One anti-password-manager person (Simon Edwards) poses the question: if you were a bad person, would you go after a cloud-based password manager service, or would you go after popular websites?
    • Bad people have answered this question: they overwhelmingly go after popular websites.  I believe I would be in good company with plenty of security experts by asserting that Simon Edwards presents an inaccurate view on the prevalence of various dangers for users.
    • Not all password managers are cloud-based.
    • Even when LastPass was hacked, the bad people only got the encrypted password databases, and LastPass quickly noticed the breach.  With a good master password, your password database would be secure for a very long time, and a password manager makes it much less painful to go through your accounts and change passwords, quickly making your old passwords useless to the bad people.

Parting Thoughts

The case for password managers is strong.  The biggest choice is which password manager to use, and exactly how to use it (ex: browser integration? where to put password database? put some account credentials in a physically secure notebook instead?).

I encourage questions and counterpoints from readers.

Also, if I personally know you, it is likely that I will agree to sit down with you and help you start using a password manager if you ask me for help.  My post on how to get set up with KeePass on multiple devices is a good start.

Wednesday, December 7, 2016

Account Security Risks and Reasons to Use a Password Manager and 2FA

Scope Of This Post and Some Basic Recommendations

I consider switching to using a password manager to be one of my best life decisions in terms of costs and benefits.  The security and convenience benefits are immense, and the costs (setup effort) are small.  Yes, using a password manager made managing and logging in to my accounts much easier, faster, and less stressful, but this post will focus on security issues.  My thanks to Troy Hunt for influencing me to make the plunge.

Without a password manager, it borders on impossible for a human to do passwords correctly.  By "do passwords correctly", I mean having strong, unique passwords for all of your accounts.  To illustrate why it is good to have strong, unique passwords, I will go over several of the account security risks most humans face, with special emphasis on passwords.  Maybe this will directly persuade some people to start using a password manager, but also it will establish some background for another post that will discuss why password managers are big security improvement over the alternatives and are overall the best choice.

For generating strong passwords (with the goal of surviving offline attacks), I recommend:
  • For passwords you want to remember, such as your Google password and master password: choose 6 random words from the Diceware word list (pdf).
  • For passwords managed by your password manager (you don't have to remember them and it's very rare to actually type them): have your password manager randomly generate at least 16 random lower case letters, upper case letters, and digits.
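The two recommendations above amount to "let a CSPRNG pick from a known-size pool, then count the bits".  The following is an added example of my own (not code from the post) that generates both kinds of password with Python's secrets module and computes their entropy.  The word list here is a constructed twelve-word stand-in, not the Diceware list; the entropy figures use the standard list size of 7776 words, and the 1e9 guesses-per-second rate in the demo is an assumed illustrative figure, not a claim about any particular hardware.

```python
import math
import secrets
import string

# Constructed stand-in for the Diceware list; the real list has 7776 words
# (every outcome of five dice). Only the list size matters for the entropy math.
SAMPLE_WORDS = ["cloud", "river", "maple", "quartz", "ember", "harbor",
                "lantern", "meadow", "pebble", "saddle", "tundra", "violet"]
DICEWARE_LIST_SIZE = 7776

# Character set the post recommends for manager-generated passwords:
# lower case, upper case and digits, 62 symbols in total.
ALNUM = string.ascii_lowercase + string.ascii_uppercase + string.digits


def entropy_bits(alphabet_size, count):
    """Entropy of `count` independent, uniform picks from `alphabet_size` choices."""
    return count * math.log2(alphabet_size)


def diceware_passphrase(words, count=6, separator=" "):
    """Passphrase of `count` words chosen with the OS CSPRNG (secrets, never random)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def random_password(length=16, alphabet=ALNUM):
    """Password of `length` symbols drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hours_to_exhaust(alphabet_size, length, guesses_per_second):
    """Hours an attacker needs to try every password of exactly `length` symbols."""
    return alphabet_size ** length / guesses_per_second / 3600


if __name__ == "__main__":
    print("6 Diceware words:", round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits")
    print("16 alphanumerics:", round(entropy_bits(62, 16), 1), "bits")
    print("8 printable ASCII characters:", round(entropy_bits(95, 8), 1), "bits")
    # 1e9 guesses/s is an assumed illustrative rate; see the offline guessing section.
    print("hours to exhaust 8 characters at 1e9 guesses/s:",
          round(hours_to_exhaust(95, 8, 1e9)))
    print("sample passphrase (from the tiny constructed list only):",
          diceware_passphrase(SAMPLE_WORDS))
    print("sample manager-style password:", random_password())
```

The arithmetic is the useful part: six words from 7776 give about 77.5 bits, sixteen alphanumerics about 95.3 bits, while every 8-character printable-ASCII password together is only about 52.6 bits, which is why the post treats 8 characters as exhaustible.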

Also, I highly recommend enabling 2FA on all of your accounts of even mild worth.  A very common form of 2FA is that when logging in from an unrecognized device, the login attempt will also require a verification code sent to the account's associated email or phone.  This additional layer of defense may protect you even when bad people know your password, and 2FA is only a minor and rare inconvenience.

Risks from Password Reuse

Imagine that you use the same password for your bank and LinkedIn account.  One day, LinkedIn gets hacked, and your LinkedIn password is now in the hands of bad people.  Perhaps you don't care very much about your LinkedIn account, but the bad people use your personal information and LinkedIn password to log into your bank account, which you probably do care a lot about.  Or maybe you're a Dropbox employee and bad people use your LinkedIn password on your Dropbox employee account to get onto the Dropbox corporate network and get their hands on more sensitive databases.

I consider this the biggest risk for most people because:
  • Humans reusing passwords is very common, and bad people rely on this.
  • The risk remains, perhaps unknown to you for a long time.  Once one account provider is hacked and one of your passwords is out there, it's out there forever.  Your hacked password will always be in password dictionaries that bad people will use when guessing passwords.
  • You have a weakest-link-in-the-chain effect.  It only takes one security vulnerability at any of your shared-password accounts to put all of those accounts in jeopardy.
  • Many security precautions are defeated by the bad people using your password on the very first try.  It doesn't matter if your bank is unhackable and they rate-limit login attempts if the bad people already know your bank password from LinkedIn.  If you're lucky, you have 2FA with your bank and the bad people can't log in from an unrecognized device.  Even 2FA can be defeated if your associated email account has been compromised (perhaps aided by password reuse?).
Many bad people are smart, or at least use smart tools.  A bad person knowing one of your passwords is now much closer to guessing similar passwords of yours.  I know friends who use a password scheme where they combine some word with the name of the service, like using "amazondaisy" for their Amazon account and "yahoodaisy" for their Yahoo account.  Even if a password scheme is more sophisticated than that, it still makes bad people's job much, much easier, and I still consider that as password reuse.

Note that a website getting hacked is just one of many ways that bad people can get one of your passwords.  Password reuse increases the probability and magnitude of damage from all the types of attacks by bad people.

So, this section is a bit different in that its focus is on the implications of something account users do, rather than describing particular attacks from bad people.  I give password reuse its own specific section because it is so damaging to account security, and it leads to a very simple recommendation: use unique passwords for your accounts.

When reading sections below on risks, remember that password reuse magnifies the damage/likelihood and 2FA reduces the damage.

Phishing

Phishing is where someone tricks you into providing sensitive information for them, like your Yahoo username and password.  Often, this is done by impersonating an acquaintance of yours or impersonating an account provider.  These attacks can also be part of an attempt to get you to do something (like visit a particular malicious website) that will infect your device with malware.

Malware and Exploits

If a device of yours gets infected with malware, that has many nasty consequences, including keylogging of account credentials, thus putting in jeopardy any accounts you log into using the infected device.  Malware may also extract stored credentials that are not protected by encryption.

I'm uncertain how sophisticated malware is these days with respect to extracting account credentials from things like remembered passwords in your web browser, or encrypted password database files used by password managers.

There are also vulnerabilities in software that can be exploited by bad people.  For instance, imagine a vulnerability in your web browser that a malicious website can exploit to do things to your browser/system or gain access to sensitive information.

So, malware is very scary/bad in that getting hit by malware can possibly do a lot of damage to you across many of your accounts.

Snooping/Interception

Imagine you are at a Starbucks or an airport and your device is using their wifi for internet connectivity.  If the wifi is unencrypted and bad people are listening (perhaps they left a small wifi snooping device there), they can see all of your traffic.  If you log in to a site over http, bad people will be able to see your password.  Even if the website remembers you and you don't have to log in, it is still possible for people to hijack your session (if it's using http) and communicate with that website as if they were you (one, two, three).

A lot more could be said about public wifi (or any potentially untrustworthy network), and I won't say more than try to use https (which provides encryption and authentication) as much as possible.

Like phishing and malware, snooping/interception is an attack where password strength does not help you because the bad people don't have to guess it.

Offline Guessing Attack (Account Provider Hacked, Bad People Get User Database)

This attack is where the bad people have somehow hacked your account provider and the bad people now have the provider's user database with password info.  It's possible for such a breach to remain unknown for a very long time.

If the user database has all the passwords in plaintext, then it doesn't matter how good your password was (but you still remember the consequences of password reuse and 2FA though, right?).

If the user database instead has hashed (and hopefully salted) passwords, then the strength of your password matters greatly.  You can read about hashed passwords here, but to put it very shortly:
  • Hashing a password transforms the password into a (big) number which we'll call a hash.
  • The reverse of this transformation is very hard to do.  The easiest way to figure out a password from the hash is to guess a password, then hash the guess and see if the two hashes match.
  • Good hashing algorithms will give very different numbers even for very similar passwords.  This property makes it so people do not get feedback on whether their guesses are close to the original password.
  • Salts make it so that the hashing process is unique to each user.  The bad person must customize his hashing for one user, and then start over from scratch when guessing passwords for another user.  Without salts, a bad person could pre-generate a bunch of guesses and hashes, and very efficiently look for matches with any user in the database.
With a database of hashed passwords in their possession, bad people are capable of a very high number of guesses per second; for instance, a single computer with a decent video card may be able to check tens of billions of password guesses per second.  A bad person with some affordable hardware can guess all 8 character passwords in ~5 hours (assuming each character has 95 possibilities).  It's possible that the guesses per second are slowed down by things like key stretching, but you might be horrified about how frequently account providers do not follow best security practices.  For perspective, 90% of the 6.5 million LinkedIn password hashes were cracked in 6 days.
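The four bullets above (one-way hash, guess-and-compare, per-user salt, key stretching) are easiest to see in a few lines of code.  This is an added example of my own, not code from the post or from any of the products it mentions: it stores a constructed three-user table first with plain SHA-256 and then with PBKDF2-HMAC-SHA256 (a salted, stretched hash I chose as a stand-in; KeePass's own key transformation is not reproduced here), and shows that a single precomputed table recovers every unsalted weak password with no hashing at all, while the salted table forces every guess to be re-derived per user and the iteration count sets the cost of each guess.  Usernames, passwords and the four-entry guess dictionary are all constructed for the demo.

```python
import hashlib
import os
import time

# Constructed sample of a leaked-style user table; two users chose the same weak
# password, which is common in real breaches and is exactly what salts hide.
USERS = {"alice": "Summer2016", "bob": "Summer2016", "carol": "violet tundra harbor"}
# Constructed tiny guess dictionary; real cracking dictionaries hold billions of entries.
DICTIONARY = ["password", "123456", "Summer2016", "letmein"]


def unsalted_hash(password):
    """Plain SHA-256, the kind of storage the post warns is not best practice."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations):
    """PBKDF2-HMAC-SHA256: the salt makes each user's hash unique and the
    iteration count is the key stretching that makes every guess cost more work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(users):
    """Provider stores hash(password) only; identical passwords give identical hashes."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users, iterations):
    """Provider stores (salt, hash) per user with a fresh random salt each time."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt, salted_hash(p, salt, iterations))
    return table


def precomputed_table(dictionary):
    """Hash the dictionary once; with no salt this one table matches every user."""
    return {unsalted_hash(w): w for w in dictionary}


def recover_unsalted(table, lookup):
    """Pure lookups against the precomputed table: no hashing per user at all."""
    return {u: lookup[h] for u, h in table.items() if h in lookup}


def recover_salted(table, dictionary, iterations):
    """With salts the work starts from scratch for each user and each guess."""
    found = {}
    for u, (salt, h) in table.items():
        for w in dictionary:
            if salted_hash(w, salt, iterations) == h:
                found[u] = w
                break
    return found


def seconds_per_guess(iterations, samples=3):
    """Time one stretched hash; more iterations means slower guessing for everyone."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        salted_hash("measure", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("unsalted: alice and bob share a hash:", plain["alice"] == plain["bob"])
    print("unsalted recoveries from one precomputed table:",
          recover_unsalted(plain, precomputed_table(DICTIONARY)))
    salted = store_salted(USERS, 10_000)
    print("salted: alice and bob share a hash:", salted["alice"][1] == salted["bob"][1])
    print("salted recoveries (each guess re-derived per user):",
          recover_salted(salted, DICTIONARY, 10_000))
    for rounds in (1_000, 100_000):
        print(f"{rounds} iterations: {seconds_per_guess(rounds) * 1000:.2f} ms per guess")
```

Two things to notice when running it: carol's passphrase is never recovered in either mode because it is not in the dictionary (strength is what protects her), and the salted table still gives up the two "Summer2016" users, just at a per-user, per-iteration cost instead of a free lookup.  Salting and stretching buy time; only a strong, unique password keeps the guess from ever succeeding.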

Not only can bad people make password guesses very quickly, they can also make them very smartly (one, two, three, four, five).  I find that most people and even several security experts underestimate the sophistication of password cracking tools.  If you have a password generation trick, like changing a letter to a digit or rotating a word, that is entirely anticipated by password crackers.  If your trick is ten times smarter/better than that trick, it's still probably anticipated by password crackers.  Even a ridiculously long password that relies on some pattern or known phrase can be defeated by the sophistication of password cracking tools, such as the 42 character long "MrobidAngel_90MrobidAngel_90MrobidAngel_90" or "sonsofanarchymotorcycleclubredwoodoriginal".

Think very seriously for a moment: if someone had presented you those two passwords and asked whether you think their password tricks were good enough to stand up to a password cracker for a long enough time, what would you have said?  Perhaps it is hard to have an accurate gut feeling about the current state of the art of password crackers.

Things might seem hopeless with 42 character passwords being cracked, but the problem is they lacked entropy (randomness).  Humans are really bad at randomness; you need to rely on a computer to help generate sufficiently random passwords.  A future post will go into more detail, but I suggest the password generation methods at the top of this post.

Online Guessing Attack (Bad People Repeatedly Try Logging In As You)

This attack is where bad people don't know your password yet, and they try logging in as you with your account provider with different password guesses.  Since each attempt requires a response from the account provider over the internet, the password guessing process is orders of magnitude slower than an offline guessing attack.  The account provider can take security precautions like rate-limiting login attempts or even locking out accounts with suspiciously high amounts of recent failed logins, but these precautions are not always done.

Like the offline guessing attack, password strength matters, but the password does not have to be nearly as strong to withstand the same level of malicious effort due to reduced guessing speed.  Guesses will still be smartly chosen though.

Targeted Attack

This type of attack includes things where someone calls up the phone company pretending to be you so they can switch SIM cards and then they start receiving all your calls and texts, and then they use this ability to further impersonate you and gain control over other things.  It might sound like something that only happens to celebrities or millionaires, but it will sound a lot more mundane and plausible once I call it "identity theft", which happens all the time to "nobodies" like Michelle Brown, where someone impersonated her in order to spend tens of thousands of dollars and do lots of other illegal things that have caused Michelle Brown a lot of suffering.

Your accounts are at risk from more than just the highly automated and mass operations of bot nets owned by the Russian mafia.  There are bad people willing to spend some effort on an opportunity to abuse your bank accounts, your credit, your identity, and so on, especially if they already have some toehold in your life like access to one of your accounts.  If you Google search for "amazon account hacked", you'll see plenty of stories of accounts being compromised because a bad person called up Amazon customer support and fooled the support people into giving the bad person access to the victim's account.

As far as passwords are concerned, you will benefit from strong passwords (that are unique! have I mentioned the perils of password reuse?) in that compromising one of your accounts is less likely, and that you are better guarded against their follow-up online guessing attacks that target you more specifically.

Also on the mundane side, this category includes your roommate or coworker finding your sticky note with a bunch of passwords on your desk, which brings up the issue of password storage.  Keep your passwords secure in a password manager, physical safe, or your wallet (yes, it's okay to have passwords in your wallet; you keep all sorts of valuable, sensitive stuff there).

Parting Thoughts

In basically all of the risks, password reuse makes things many, many times worse, and 2FA can limit damage when an attack succeeds.  Password strength only matters for some of the attacks (guessing and targeted attacks), but golly, those attacks do happen plenty.  Considering that password managers help you with both the uniqueness and the strength of your passwords, password managers can massively decrease your exposure to all of these risks.

For a vivid horror story to haunt you, let's talk about the Yahoo breach, where stuff like email addresses, hashed passwords, and security question answers for 500 million accounts were stolen in 2014...and it was two years before Yahoo found out about it (2016).  They suspect a government like Russia or China did it.

That's really serious.  What if you use your Yahoo email address when you sign up for all of your other accounts?  Many accounts give full control to reset passwords and change all sorts of security options to anyone with access to your email.  In that case, it's the ability of your hashed Yahoo password to endure 2+ years of offline guessing that is the only thing standing between you and massive agony.

(Update: Yahoo has made another breach announcement that a different attack in 2013 compromised user information such as names, phone numbers, birth dates, security questions, and hashed passwords for ~1 billion accounts.  Wow, double the accounts and an additional year of going undetected.)

A future post will go more into comparing using a password manager versus alternatives, both from a security and convenience perspective.  Spoiler: using a password manager is the winner in both security and convenience for most people.

Sunday, December 4, 2016

Steps to Set Up KeePass

Scope of this Post

The following instructions are for how to set up the KeePass password manager on your Windows PCs, iPhones, and Android devices.  This post also covers the one-time process of creating a password database and putting it in Google Drive.

If you are hoping to use KeePass on Linux or MacOS, I haven't done it myself, but you might have success using KeePassX, KeePassXC, or one of the KeePass packages that have made it into Mac OS X and several Linux distribution software repositories.  See this page for download options.  Also, there's the option of running KeePass under Mono on your MacOSX/Linux system.

If you use the following steps, you'll be able to access your always-up-to-date password database from all of your devices that you've installed KeePass on.

This post assumes you are comfortable using KeePass Plugins and also browser plugins which make using KeePass extremely convenient.  Future posts will cover if you want to be paranoid and trust only KeePass itself and Google.

The most notable links, folder locations, and component names are bolded.

Note that the version of KeePass we'll be using is KeePass2, so don't be afraid when folders or apps talk about KeePass2.

Installing KeePass Program and KeePass Plugins on Your Windows PC

You do these steps for each Windows PC where you will want to use KeePass.
  • We want to put the KeePass program on our PC.
    • Go to the KeePass downloads page and download the latest "professional edition" installer.  Do not worry; "professional edition" does not require any money or registering.
    • Run the installer; this installs the KeePass program on your computer.
  • We want to install the KeeAnywhere plugin for KeePass so that the KeePass program can directly open and modify password databases on Google Drive.
    • Choose to download the latest .plgx file from this KeeAnywhere page.
    • Place the .plgx file in the KeePass plugins folder on your computer.  That folder is probably C:\Program Files (x86)\KeePass Password Safe 2\Plugins
    • If the KeeAnywhere link above is no longer valid, check the KeePass plugins page for KeeAnywhere, or your "backup and synchronization" plugin of choice.
  • You might also want to install an icon downloader plugin, which makes it easy to add icons to your entries.

One-Time Process of Creating a Password Database File and Putting It in Google Drive

You'll probably only use one database file, and you only need to do these steps once per database file.
  • Create a new database file locally on your PC.
    • In KeePass, create a new database by going to Main Menu → File → New...
    • The file name and location you choose is not important, because soon we'll be uploading the file to Google Drive and then deleting the local copy.
    • In the "Create Composite Master Key" window...
      • You only need to provide a master password.
      • Do try to set the master password to a good password.  I suggest six random words from the Diceware word list (word list pdf).  It's okay for a password to be only lower-case letters if it is long enough (and random enough, but let's talk about that later).
      • Clicking the ellipsis button ("•••") will make the master password visible so you can check it.
      • It is okay to write down your master password on a slip of paper in your wallet.
      • You can always change your master password later.
      • Press "OK" once you've put in a master password.
    • In the new "Create New Database - Step 2" window...
      • General tab...
        • You can leave name and description blank.
        • It might be useful to fill in a default user name.
      • Security tab: to make the database harder to crack, click the "1 second delay" text to increase the number of key transformation rounds (and thus increase the security of your password database).
      • Advanced tab: uncheck the "limit number of history items per entry" option.
      • Press "OK"
    • Do a save (Main Menu → File → Save; Ctrl+S; click the floppy icon).
    • The database (.kdbx file) has been created locally on your computer.  Close the database in KeePass (Main Menu → File → Close).
  • Put the database file in Google Drive
    • Go to Google Drive and upload the database.  The exact location is not important.
      • You can drag-and-drop from Windows File Explorer to the My Drive section of the web page.
      • Or, on the Google Drive page, you can right-click and use the "upload files" option.
    • In Google Drive, right-click on the database file, and choose to rename it to something like this: YourName.kdbx.kdbx
      • The ".kdbx.kdbx" is not a mistake.  Currently there is an issue with the iPhone Google Drive app where a single ".kdbx" makes things not work.  If you ever want to access your database from an iPhone, use ".kdbx.kdbx".
    • In Windows File Explorer, delete the local database file that is on your computer.  We don't want to later get confused about which database file we're accessing.
  • Be sure to remember/record your Google password outside of your password database.  If all your devices are
  • Increase the security of your Google account by enabling 2FA.
    • If you already have 2FA enabled, then good job.
    • If you do not have 2FA enabled (or don't know if you have 2FA enabled), then you can start the process here, and there are some help/faq pages.



Getting KeePass to Use the Password Database on Google Drive

You do these steps for each Windows PC where you will want to use KeePass.
  • In KeePass, go to Main Menu → Tools → KeeAnywhere Settings...
  • If a "Donate to KeeAnywhere" window appears, select "Don't Show this message again" and then press the "Close" button.
  • In the KeeAnywhere Settings window...
    • Go to the "Add..." dropdown and select Google Drive.
    • Log in to your Google account.
    • Press "OK" in the KeeAnywhere Settings window.
  • In KeePass main window, do a Main Menu → File → Open → Open from Cloud Drive
  • Select the appropriate account from the drop-down at the top, then select your database file, and press "OK".



Getting PC's Firefox Browser to Use Your Password Database

Note: I find the KeeFox add-on for Firefox to give a better experience than the existing Chrome extensions.
  • Install KeeFox from the KeeFox website.
  • I will later update with more details...
    • You get a new Firefox tab that has KeeFox instructions which you should follow
    • You probably have to close KeePass for a bit, launch KeePass, fill in some verification code, then you’re great.



Getting PC's Chrome Browser to Use Your Password Database

You do these steps for each Windows PC where you want to have Chrome browser use your password database to auto-fill username and password fields.
  • Install Chrome extension "CKP - KeePass integration for Chrome"
    • In Chrome, click the ellipsis button in top right of browser window
    • In the menu, select "Settings"
    • In Settings tab, select "Extensions" at top left
    • In Extensions list tab, scroll to the bottom and select "Get more extensions"
    • In the search text field, type "KeePass" and press enter
    • Click the "add to chrome" button for "CKP - KeePass integration for Chrome"
  • Configure Chrome extension
    • Click the icon, log in to Google, and select the password database file in Google Drive; you can choose to have the browser remember this.
    • Once you give the extension permission to auto-fill credentials for a site, it will automatically fill them in the future (as long as the extension has the database open).
    • Note that this extension reads your password database from Google Drive on its own, independently of the KeePass program: it gets its own Google Drive access for your account and decrypts the database inside the browser with your master password.  So the extension's code (and its updates) is trusted with your master password and every credential in the database, just as KeePass is.



Installing and Using KeePass App on Android

  • On your Android device, go to Google Play Store and install KeePass2Android.
  • To open your password database, you can:
    • Launch KeePass2Android, "open file", "Google Drive", and select your kdbx file on Google Drive
    • OR, go to Google Drive (in the Google Drive app or web browser), select your kdbx file, then choose to "open with" KeePass2Android.



Installing and Using KeePass App on iPhone

  • Make sure the database file on Google Drive ends in ".kdbx.kdbx" (see the rename step above; the iPhone Google Drive app does not handle a single ".kdbx").
  • On your iPhone, go to the App Store and install MiniKeePass
  • If you have Google Drive app on your iPhone...
    • go to the Google Drive App
    • select the database file
    • choose MiniKeePass from the “Open With” options
  • Alternatively, I believe you can use the web-browser-interface of Google Drive
    • Go to drive.google.com in your browser
    • Navigate to the database file and select it
    • Choose MiniKeePass from the “open with” options
    • If that doesn’t work, try another browser (you probably have Safari and Chrome on your iPhone).



Some Very Brief Notes on Using KeePass

Usually you can have your browser auto-fill usernames and passwords from the password database, but if you ever need that stuff outside the browser, or one webpage is not working well, then you can use these KeePass keyboard shortcuts to quickly copy credential information (once you've selected/highlighted an entry)…
  • Ctrl+b to copy the username to the clipboard.
  • Ctrl+c to copy the password to the clipboard.  By default KeePass clears the clipboard again 12 seconds after a copy, so paste promptly (the timeout is under Tools → Options → Security).
  • Ctrl+v for the delicious Auto-Type feature (for a demo, see 5:18 mark of the youtube video discussed below).  Auto-Type sends keystrokes to whichever window currently has focus, so make sure the right login form is the active window before pressing it.

Note: for passwords for your various accounts, use the password generator (Tools → Generate Password...) and I would suggest at least 16 chars using at least lowercase letters and digits, which would be strong but fairly quick to type.  Sixteen random characters from 36 symbols is roughly 83 bits of entropy, a bit more than six random Diceware words (about 78 bits), so the "lowercase only but long and random" advice for the master password applies here too.
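To make the "long enough and random enough" point concrete, here is a small Python script (added here as an illustration; it is not part of the original post and is not KeePass code) that computes the entropy of the two password styles recommended above (six Diceware words, and 16 characters of lowercase letters plus digits), generates both styles with the operating system's CSPRNG, and shows how a key-transformation delay multiplies an attacker's cost.  The eight-word list and the guesses-per-second figures are constructed placeholders, not measurements; only the size of the real Diceware list (7776 words) is used for the entropy figure.

```python
import math
import secrets
import string

# The real Diceware list has 6^5 = 7776 words (five dice rolls per word).
# Only its size matters for the entropy calculation below.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed stand-in word list so the script runs offline; the real list
# is at the Diceware site linked in the post.
SAMPLE_WORDS = ["abbey", "crust", "fjord", "glyph", "mango", "quilt", "rivet", "tulip"]

# Alphabet suggested in the post for generated account passwords: a-z and 0-9.
GENERATOR_ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniformly random picks
    from an alphabet of `alphabet_size` symbols (or words)."""
    return length * math.log2(alphabet_size)


def diceware_passphrase(words, n_words=6):
    """Pick n_words uniformly from `words` using the CSPRNG in `secrets`.
    (random.choice is seeded predictably and must not be used for this.)"""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def generated_password(length=16, alphabet=GENERATOR_ALPHABET):
    """Uniform random password, like KeePass's generator with a-z and 0-9 enabled."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit a uniformly random secret of `bits` entropy:
    on average the attacker searches half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def guesses_per_second_with_kdf(raw_guesses_per_second, kdf_seconds_per_guess,
                                attacker_speedup):
    """Attacker guess rate once each guess must also run the database's key
    transformation.  `kdf_seconds_per_guess` is what the '1 second delay'
    setting costs on your PC; `attacker_speedup` is a placeholder for how
    much faster the attacker's hardware runs the same rounds."""
    per_guess = kdf_seconds_per_guess / attacker_speedup
    return min(raw_guesses_per_second, 1.0 / per_guess)


if __name__ == "__main__":
    dw_bits = entropy_bits(DICEWARE_LIST_SIZE, 6)
    gen_bits = entropy_bits(len(GENERATOR_ALPHABET), 16)
    print(f"6 Diceware words:      {dw_bits:.1f} bits  e.g. {diceware_passphrase(SAMPLE_WORDS)}")
    print(f"16 chars of [a-z0-9]:  {gen_bits:.1f} bits  e.g. {generated_password()}")
    # Placeholder attacker: 1e9 raw guesses/s, 100x faster than your PC at the KDF.
    gps = guesses_per_second_with_kdf(1e9, kdf_seconds_per_guess=1.0, attacker_speedup=100)
    years = expected_crack_seconds(dw_bits, gps) / (365 * 24 * 3600)
    print(f"With a 1-second KDF the attacker gets ~{gps:.0f} guesses/s -> ~{years:.3g} years")
```

The numbers the script prints for the attacker are illustrative only; the takeaway is that entropy (length times log2 of the alphabet) is what makes a password strong, and that the key transformation rounds chosen in the Security tab cut the attacker's guess rate by the same factor they slow down your own database open.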

For further details on KeePass, see the online KeePass documentation.

There are also some YouTube videos on setting up and using KeePass.  For instance, this video starts out with installing KeePass to a USB drive (which is different from what this post helps with) but also covers...
  • 2:15 mark: creating a password database file
  • 3:36 mark: password generation and creating entries
  • 5:18 mark: using KeePass to Auto-Type both username and password into your browser (note that Firefox and Chrome extensions have even more convenient and quick ways of entering credentials)
  • 5:50 mark: If you fill in the URL entry, KeePass can launch that webpage in your browser (also double-clicking on an entry's URL column launches the page in your default browser)


Commercial Password Managers That Are Alternatives to KeePass

In case you instead want a password manager made by a commercial entity, I'll list some of the major ones.

Often, commercially-supported password managers will have a free version for use on one device, but if you want to be able to sync across multiple devices, you'll have to pay.  You might want to check out the details of several commercial password managers before choosing one.
It might also be possible to get around the sync shortcomings of some of the free versions by using the Google Drive Application to sync a local folder with a Google Drive folder.