Password Managers - KeePass2Android

KeePass2Android is a free and open source password manager for Android.

App versions

Users can choose between two versions of KeePass2Android: the default one and "nonet". The former can request access to the network, while the latter never does.

Permissions

Default

The default version asks for a number of optional permissions: network, notifications, sensors, as well as contacts and location. The last two should preferably be disabled, as their purpose is unclear.

Nonet

The offline version only requires access to notifications and sensors.

Database creation

Users need to create a database. By default it is created in the KDBX 3.1 format, using AES-256 for encryption and AES-KDF for key derivation with 500000 transformation rounds. Other encryption algorithms (ChaCha20 256-bit, Twofish 256-bit), key derivation functions (Argon2d, Argon2id) and tuning parameters (transform rounds, memory usage, parallelism) are available. Switching the encryption to ChaCha20, or the key derivation to Argon2d or Argon2id, changes the database version to KDBX 4.0.

Authentication

They then have to choose a master password and, optionally, additional protections such as a key file or a challenge-response with a hardware authentication device. This information needs to be properly remembered and stored: without it, it is impossible to decrypt the vault and access its content.

Master password

They should create a secure master password, difficult to guess but easy to remember, preferably using the built-in generator.

Keyfile

They may add a static key file with random data generated by the application to increase security. The file should have no extension or end with .bin; otherwise it could be modified unbeknownst to the user. Any change in its content, and consequently in its hash value, would render it useless.

Hardware Key

They may also use physical keys like YubiKeys for HMAC-SHA1 challenge-response.
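The key file paragraph above states that any change to the file's content changes its hash and makes the file useless. The following added example (not KeePass2Android's own code) shows why, by assembling a KeePass-style composite key from the master password and an optional key file: each credential contributes a 32-byte part, and the parts are hashed together. Only this hash step is modelled; the AES-KDF or Argon2 transformation that follows it in KDBX, and the hardware challenge-response part, are not reproduced. The key file handling follows the documented KeePass rules (32-byte raw file, 64-character hex file, otherwise SHA-256 of the content); the sample password and the "accidental edit" are constructed.

```python
# Added example (not KeePass2Android's own code): how a KeePass-style composite
# key is assembled from the master password and an optional key file, and why
# changing a single byte of the key file makes the vault undecryptable.
# Only the hash step is modelled; the AES-KDF/Argon2 transformation that
# follows it in KDBX is not reproduced here.
import hashlib
import secrets
from typing import Optional


def key_file_key(data: bytes) -> bytes:
    """Return the 32 bytes a key file contributes to the composite key.

    Follows the documented KeePass rules: a 32-byte file is used verbatim,
    a 64-character hex file is decoded, anything else is hashed with
    SHA-256 so that every byte of the file matters.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex: fall through to hashing the raw content
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes] = None) -> bytes:
    """SHA-256 over the concatenation of each credential's 32-byte part.

    A hardware challenge-response would be appended as a further part;
    it is left out of this example.
    """
    parts = []
    if password is not None:
        parts.append(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        parts.append(key_file_key(key_file))
    if not parts:
        raise ValueError("at least one credential is required")
    return hashlib.sha256(b"".join(parts)).digest()


def generate_key_file() -> bytes:
    """32 random bytes, like the static key file the app can generate."""
    return secrets.token_bytes(32)


def demo() -> dict:
    """Constructed walk-through: alter the key file by one byte and compare."""
    password = "example master password"  # constructed sample value
    key_file = generate_key_file()
    original = composite_key(password, key_file)

    # Simulate an accidental edit, e.g. a text editor appending a newline.
    tampered = key_file + b"\n"
    after_edit = composite_key(password, tampered)

    return {
        "key_length": len(original),
        "changed_by_edit": original != after_edit,
        "password_only_differs": composite_key(password) != original,
        "deterministic": composite_key(password, key_file) == original,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because a 33-byte file no longer matches the raw 32-byte rule, the appended newline in `demo()` sends the file down the SHA-256 path and the composite key changes completely; a one-bit flip inside a 32-byte file changes it just as thoroughly. This is the reason the text recommends an extension that editors will not silently rewrite.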

Add Entry

Once the database is created, users can add new entries with a title, username, password or passphrase, tags, expiry date, notes, additional attributes and attachments.

Templates

They may also use the custom entry templates for credit/debit card, email, ID card, membership, secure note and WIFI.

Attachments

Text files containing PGP or SSH keys, and images of important documents, can be added. Files in complex formats like PDF and ODT should be avoided, or have their text and images extracted. Users should be mindful of the size of the documents: the heavier the database, the longer it takes to decrypt.

Password & Passphrase generation

Passwords and passphrases should be generated with the application's built-in functionality. Users may choose their own custom settings or make use of the predefined profiles.

Passwords

The default password profile, simple12, is composed of 12 characters from A-Z, a-z and 0-9, excluding look-alikes; special12 adds special characters and brackets; password64 is composed of 64 characters from A-Z, a-z, 0-9, - _ {}()[]<>, space, special and extended special, with at least one of each group.

Passphrase

For passphrases, the default profile passphrase7 is made of 7 space-separated lowercase words; passphrase5plus has 5 space-separated titlecase words plus a password of 2 characters from 0-9 and special, excluding look-alikes, with at least one of each group.

Form filling

Clipboard

Users should be careful when copying data from an entry. The clipboard is shared with all apps and, despite a timeout of 5 minutes, may not be erased correctly on some devices.

Autofill

They can use the autofill service to fill forms. Before first use it needs to be enabled in the application and in the operating system settings, under the passwords, passkeys and accounts sub-menu. Once set up, users should see a popup for entry selection in apps and on websites that have a corresponding entry.

Keepass2android keyboard

Users who do not trust their default keyboard can use the application's keyboard for password entry.

Application Timeout

To avoid leaving the application open when unused, it locks itself after 5 minutes of inactivity. Users should disable QuickUnlock, as it only blocks the UI and not the database, and instead fully authenticate each time.

Syncing

The default version can open and sync databases with online services, while the offline one cannot. Since the vault is a single file, users can simply put it inside their shared cloud folder.

Sources


The text is available under the license Creative Commons Attribution-ShareAlike 4.0