Password Managers - KeePassDX
KeePassDX is a free and open source offline password manager for Android.
App permissions
The password manager is kept simple and requests only optional permissions, for notifications and sensors.
Database creation
Users need to create a database in the KDBX3.1 format, which uses AES-256 for encryption and AES-KDF for key derivation. Other encryption algorithms (ChaCha20 256-bit, Twofish 256-bit), key derivation functions (Argon2d, Argon2id) and tuning parameters (transform rounds, memory usage, parallelism) are available. Switching the encryption to ChaCha20 or the key derivation to Argon2d or Argon2id changes the database version to KDBX4.0.
Authentication
Then they have to choose a master password and optional additional protections such as a key file or a challenge-response with a hardware authentication device. This information needs to be remembered and stored safely. Without it, the vault cannot be decrypted and its content cannot be accessed.
Master password
They should create a strong master password that is difficult to guess but easy to remember, preferably using the built-in generator.
Keyfile
They may add a static key file containing random data generated by the application to increase security. The file should have no extension or end with .bin; otherwise another application could modify it unbeknownst to the user. Any change to its content, and consequently to its hash value, would render it useless.
Hardware Key
They may also use physical keys as an extra layer of protection: SoloKeys via the FIDO2 hmac-secret extension (not yet implemented) or YubiKeys via HMAC-SHA1 challenge-response.
Add Entry
Once the database is created, users can add new entries with a title, username, password or passphrase, tags, expiry date, notes, additional attributes and attachments.
Templates
They may also use custom entry templates for bank info, credit/debit card, email, ID card, notes and WiFi.
Attachments
Text files containing PGP or SSH keys, and images of important documents, can be added. Files with complex formats like PDF and ODT should be avoided, or have their text and images extracted first. Users should be mindful of the size of the documents: the larger the database, the longer it takes to decrypt.
Password & Passphrase generation
Passwords and passphrases should be generated using the application's built-in functionality.
Passwords
By default, passwords have 20 characters drawn from A-Z a-z 0-9 &/,^@.#:%\='$!?*`;+"|~ and can be extended in length and in character types such as - _ Space [](){}<>. Users may choose to include or ignore certain characters, require at least one character from each category, and exclude ambiguous ones.
Passphrases
Passphrases have 8 space-separated lowercase words from the EFF large wordlist.
Form filling
Clipboard
Users should be careful when copying data from an entry. The clipboard is shared with all apps and, despite a 20-second timeout, may not be cleared correctly on some devices.
Autofill
They can use the autofill service to fill forms. Before first use it must be enabled in the application settings and in the operating system settings sub-menu for passwords, passkeys and accounts. Once set up, a popup for entry selection appears in apps and on websites that have a corresponding entry.
Magikeyboard
They should, however, prefer Magikeyboard, a special keyboard, to fill in forms. This method is the safest of the three, as it neither depends on autofill services nor shares data with other apps.
Application Timeout
To avoid leaving the application open when unused, it locks itself after 5 minutes of inactivity.
Syncing
No synchronization features are available, to reduce code complexity and avoid being tied to a specific provider. Since the vault is a single file, users can simply put it inside their shared cloud folder.