I’ve been a fervent advocate of password managers for years. You can ask pretty much anyone in my family or amongst my friends: there was a time when I had to ask the question “By the way, what do you use to store your passwords?”. This was usually followed by a 20-minute speech about how insecure their digital life was and a desperate attempt at convincing them that they MUST use a password manager. That was, of course, if I didn’t faint upon learning that my friend or relative was using the same 7-letter password for absolutely EVERYTHING: “oh and it’s hunter2, I don’t mind telling you, I have nothing to hide”. Yes, that happened.

For the past four years or so, my password manager of choice has been LastPass. I’ve been a happy Premium member ever since, and even though it’s had a few hiccups (in 2015 and in 2017), they’ve been pretty transparent about the situation each time and I chose to keep trusting them. I used to log into my account using two-factor authentication: my Master Password and a Yubikey, and it’s been working flawlessly for years. However, after a long consideration, I’ve recently chosen to say goodbye to LastPass and continue my journey with another solution. Here’s why.

A WW1 tank painted pink stays a WW1 tank

You see, the problem with computer security is that you always have to find the proper balance between how safe you need to be and the convenience of day-to-day usage. My setup was somewhat secure, but the convenience wasn’t there anymore. I usually have to log into my LastPass account several times a day, as I’m using several web browsers, sometimes with several profiles per browser. Therefore, since LastPass automatically logs out whenever a new session is opened somewhere else, I also had to use my Yubikey multiple times per day, even per hour. In the end it was starting to become a burden. Besides, LastPass has made some changes to its UI, and is focusing more and more on being as easy to use as possible, and in a way as “opaque” as possible. While I’m all for it, as it draws more and more people to being safer on the web, it can produce really annoying results under the hood. Often, the browser extension does not catch the proper fields for the username/password combo. Or when I’d use the password generator, it didn’t necessarily register the new password properly. It has some difficulties dealing with websites which make use of AJAX requests. It often saves uselessly complicated URLs that are generated during the signup process, leaving a lot of its database entries dirty. If you’re not tech savvy, it’s still an amazing product, and it’s way better than using nothing or that old post-it note that’s on your computer screen. But for me, what was once a really good tool to use had become a burden. It was time for something new, or in this case something old.

Enter KeePassXC

KeePass Password Safe has been around for 13 years. The interface shows its age, but its ease of use and the security features it offers have been proven multiple times. Besides the usual username/password combo, you can specify custom fields, and even attach files to your password database. Speaking of which, KeePass uses AES, Twofish or ChaCha20 as the cipher for the database, and the passwords it contains are protected in memory. It does pretty much everything LastPass does (or the other way around, depending on your point of view), albeit with a less fancy UI and a less “automated” process.

The particular flavor of KeePass I’m using is called KeePassXC. It’s a community-driven fork of the now defunct KeePassX, which was aimed at being a multi-platform version of KeePass. So it works perfectly on Windows, macOS and Linux. Exporting the database from LastPass and importing it into KeePassXC demands a bit of work, as you have to use the cumbersome CSV file (which you must not forget to destroy afterwards, since it holds every password in plain text!) that the LastPass export tool provides you with. LastPass’ “Secure Notes” are stored in an XML-like format, and you’ll probably have to rewrite them manually inside KeePassXC after the import. But after that tedious task is done, using KeePassXC is really easy, and it works flawlessly. Whenever you need to retrieve a password, simply switch to the app and hit Cmd+F, type in the first letters of the entry you’re looking for, and a simple Cmd+C / Cmd+V does the trick. It literally takes less than five seconds. If you’re using a browser extension, it can even automatically fetch your credentials and is therefore as fast as LastPass, if not faster.

The setup I’m using now is as follows. The password database file is stored on my Google Drive. This gives me silent synchronization between my different devices, and provides me with an online backup. I’m using both my Master Password (with 100+ bits of entropy) and a key file (which is stored locally, not on Google Drive) to unlock the database, so a copy of the database alone, taken from the cloud, is not enough to open it. It can communicate automatically with my various browsers thanks to two extensions: chromeIPass and PassIFox. The database file and the key file are backed up on a Network Attached Storage drive, and on two offline copies.
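To make the “password plus key file” split concrete, here is an added example (my own illustration, not code from this post or from KeePassXC) that models how a KeePass-style composite key is built from both credentials and shows why a cloud copy of the .kdbx file without the locally stored key file is missing half of the key material; it also works out the password length needed for the 100-bit entropy mentioned above. The key-file rules and the sample password and key-file bytes are assumptions and constructed values, and the real database then runs this composite key through many key-derivation rounds that are not shown.

```python
import hashlib
import math
from typing import Optional

def keyfile_contribution(data: bytes) -> bytes:
    """Turn the bytes of a key file into its 32-byte key contribution.
    Assumption, modelled on the KeePass 2.x rules: a 32-byte file is used raw,
    a 64-character hex file is decoded, anything else is SHA-256 hashed
    (the XML key-file variant is left out of this example)."""
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except ValueError:  # not valid hex: fall through to hashing
            pass
    return hashlib.sha256(data).digest()

def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Hash each credential separately, concatenate the digests, hash again.
    This is the value the database's key-derivation rounds are applied to."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_contribution(keyfile)
    return hashlib.sha256(material).digest()

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)

def min_length_for(bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random password over this alphabet reaching `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))

# Constructed sample values, not anyone's real credentials.
MASTER_PASSWORD = "correct horse battery staple"
KEY_FILE = bytes(range(32))   # stands in for the locally stored key file

def demo() -> dict:
    with_both = composite_key(MASTER_PASSWORD, KEY_FILE)
    password_only = composite_key(MASTER_PASSWORD)  # what a cloud-only copy allows
    return {
        "with_keyfile": with_both.hex(),
        "password_only": password_only.hex(),
        "keys_differ": with_both != password_only,
        "len_for_100_bits_printable_ascii": min_length_for(100, 94),
    }
```

A 16-character password drawn uniformly from the 94 printable ASCII characters already clears 100 bits, and guessing it correctly still yields the wrong composite key without the key file.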

Is everything right?

So I’m finally happy again. The main “problem” I have with KeePassXC is its UI. In these days of flat UI and Material Design guidelines, the software feels really dated. It also lacks some basic features, such as choosing which fields are displayed in the entry columns, and my biggest gripe: custom fields do not show straight away when you search for a specific entry. Let’s say for instance you create an entry for a credit card. It contains several custom fields such as the card number, its expiration date and the CCV. KeePassXC won’t show those fields unless you go and edit the entry to display the custom fields, or you right-click and select one of the “copy attributes” options. It would have been much better if each entry could be displayed in its entirety on a single pane, minus the protected fields of course.

I should give an honorable mention to KeeWeb, a web app (available as an Electron desktop app as well), which tries to rejuvenate KeePass in that regard. But it poses even more security problems than KeePass does. I won’t go into too many details in this post, but the flaws are easy to guess.

All in all, I feel much better using KeePassXC than I did using LastPass. Of course, this solution is not the most secure there is, especially since the database file is stored in the cloud. I could fix this issue by using a self-hosted service like ownCloud or BitTorrent Sync. But once again, the balance between security and day-to-day usage would have been lost. I’d love for KeePassXC to support TOTP so that I could use my Yubikey again and get rid of the key file, but so far I feel confident in this solution.

By the way, what do you use to store your passwords?

Cover image: Victoriano Izquierdo

October 6, 2017 | Thoughts.

Ever since last summer, the first thing I do whenever I install a new app on my phone is to go into its settings and completely turn off push notifications.

When Apple came up with push notifications back in 2009, they were a godsend. No longer did we need to check our phone to see if a new email had arrived! Whenever something important happened, a subtle Ding! or a quick vibration alerted us of an incoming tweet or appointment. It was a great way for the user to stay in touch with their digital world.

The problem is that now, each and every app thinks it’s the most important thing and you HAVE to listen to what it says. Congratulate Helen for her new job! Marc is tweeting about #takeaknee! Don’t forget to check on your Happy Dragon’s Eggs! Tom has posted for the first time in a while! It has become so dominant that now it feels like notifications are nothing but noise. So much so that people have started to develop new conditions such as Phantom Vibration Syndrome. How often do you think you get a new notification and reach for your phone, only for it to turn out that it was just your brain tricking you? There are even people who experience anxiety related to notifications. The constant flow of information has become overwhelming, and it just won’t stop. And now, you can also get push notifications from websites. While I love the technology behind it, it’s unfortunately so badly used by web developers around the globe. Each and every website wants your authorization to notify you about the latest trend in whatever they’re talking about. It’s presented as a way to deliver a better service, but let’s not kid ourselves: it exists for the sole purpose of making you come back there, and presenting you with just a few more ads.

Last year I bought myself a Pebble. It’s a great little gadget that goes around my wrist and vibrates whenever I get a notification. Thanks to it, I can’t miss a single email, phone call or text. It’s also nice because it’s discreet. It’s been a year since my phone last chimed, and now that it’s always on silent mode, it doesn’t bother my coworkers when I’m in an open space, or my family during our Sunday lunch. I’ve started to look at my phone less, because it’s connected to my watch over Bluetooth, so I won’t miss a notification as long as the phone is less than 10 meters away from me. But I’ve realized that it was at my own expense. The problem is that I picked up the bad habit of constantly having to look at my watch. Whenever my phone needs my attention, I get these three taps on my wrist that remind me it’s there, and it needs me to take care of it. While fun at first, it started to feel like a dog collar, and that Bluetooth link started to feel more like a leash than a useful tool.

So I’ve decided to turn it all off. The only notifications I’ve kept on my phone are emails, and everything that’s directly aimed at me (Telegram, Twitter DMs and SMS). That’s it. LinkedIn is quiet, Instagram as well, and I’ll check on my Amazon deliveries whenever I damn please. On my desktop, I’ve disabled all notifications as well. Now I take a glimpse at my Dock every once in a while, and whenever I see a Slack or Airmail badge, I’ll see what it’s about only if I have nothing more important to do. I often completely shut down email and open it right before lunch, or a moment before leaving the office. I won’t interrupt a coding session just to see if my AliExpress order has shipped or if someone has replied to a GitHub PR. And it feels wonderful.

Turning off notifications has been a great thing to do. I feel like I’m more in control of my digital life. I get interrupted less by all this noise, and in the end I’m much less stressed by this constant flow of notifications. I feel happier, but not less “connected”: I just choose to open an app because I feel like it, and not because an algorithm has decided it’s a good time for me to do so. A recent article from Wired reports that in 2013, “Apple proudly announced […] that 7.4 trillion push notifications had been pushed through its servers”. Where is the limit between information and spam?

I hope this trend will develop and people will start cutting off notifications more and more. Unfortunately, now that Apple has added SIM support to its Apple Watch, the “notification machine” has become independent, so people will get even more reminders to check on their phone. My advice is to try it for a week, and see how much you miss having a device constantly buzzing in your pocket. I bet you’ll feel much better, even after day 3.

Cover image: Gian Prosdocimo.

September 26, 2017 | Thoughts.

Last week we launched the new website for 18-55 Productions!

18-55 is a video production company based in Bordeaux. They work with various brands such as DC Shoes, Orange, or even Electronic Arts, amongst many others. Their goal was to get a website that could put the focus on the content (their productions) and at the same time show that they also act as a platform for different types of professions revolving around their line of work. That’s why they’re surrounded by various artists, photographers, writers and videographers, who allow them to quickly put together a team of talented people for the projects they’re working on.

Their second desire was to get a back-office which would allow them to add and remove content quickly and easily. WordPress was the obvious choice, and together we came up with a minimalistic design based on a grid of squares which allows them to reorder the whole site as they please. They were immediately thrilled by this approach, and after a few exchanges between their CEO, the Production Manager and myself, we agreed on this design. All in all I’m really happy with what we came up with, and so far the feedback after launch is rather positive.

Thanks a lot to 18-55 for their time and dedication to this project!

February 21, 2017 | News, Projects, Webdev.