
I highly recommend using KeepassX as a password manager, secured using a key file and not a password.

I like KeePassX as well, but prefer to unlock using a password. I have a Yubikey programmed to output a 32-character random password that I generated, and I append to that a 16-character password that's in my head. I keep the Yubikey and the SD card on which I have the password vault separate. The SD card itself is encrypted* and the version of KeePassX I run is on the card and is one I compiled myself.

Not sure I'd be getting additional protection with a key file. But perhaps I am wrong.

*I did that so that someone couldn't just copy the KeePassX database off it when I wasn't looking and run some offline attack against it. The SD card also has a kind of social engineering defence mechanism on it to dissuade the curious from playing with it... I wrote the word INFECTED on it.
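The two schemes discussed above (a key file versus a long password split between a hardware token and the user's head) both end up as inputs to the database's composite key. The following Python is an added illustration, not code from the thread or from KeePassX: it models the KeePass-style composite key as SHA-256 over the SHA-256 of the password concatenated with the key file's key material (an assumption about the format; the XML key-file variant is left out), and shows how the token output and memorised part combine into the password component. All sample values are constructed.

```python
import binascii
import hashlib
from typing import Optional

# Constructed sample values, not real secrets: the static string a token could be
# programmed to type, and the part that exists only in the user's memory.
TOKEN_STATIC = "vJ5bFgL2kC8hRt3eNx9qWd1uYc7sAo4p"  # 32 chars, assumed token output
MEMORISED_PART = "correct-horse!42"                # 16 chars, assumed memorised


def composite_password(token_part: str, memorised_part: str) -> str:
    """The 'hardware-generated + head-stored' scheme: the token types its
    static string and the user appends the memorised part by hand."""
    return token_part + memorised_part


def keyfile_to_key(data: bytes) -> bytes:
    """Reduce a key file's contents to 32 bytes of key material.

    Assumption: mirrors the KeePass rules for raw 32-byte and 64-hex-character
    key files; anything else is hashed with SHA-256.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return binascii.unhexlify(data)
        except binascii.Error:
            pass  # not hex, fall through to hashing the whole file
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes] = None) -> bytes:
    """KeePass-style composite key (assumption): SHA-256 over the SHA-256 of the
    UTF-8 password followed by the key-file key material, in that order."""
    if password is None and keyfile is None:
        raise ValueError("at least one key source is required")
    material = b""
    if password is not None:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_to_key(keyfile)
    return hashlib.sha256(material).digest()


if __name__ == "__main__":
    full = composite_password(TOKEN_STATIC, MEMORISED_PART)
    sample_keyfile = bytes(range(32))  # constructed 32-byte key file
    print("password only     :", composite_key(full).hex())
    print("password + keyfile:", composite_key(full, sample_keyfile).hex())
    # An attacker holding only one half derives a different key either way.
    print("memorised half only:", composite_key(MEMORISED_PART).hex())
```

The point for the thread's question is visible in the structure: a key file is a second, independent input to the same hash, whereas the token/head split keeps a single password input but moves part of it off the keyboard. Either way, whoever copies the database still needs every input that went into the composite key.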



I have found my YubiKey quite nice for password security, but I use it in a slightly different way. I use password-store, which is a git repository of GPG-encrypted passwords. While I'm on my main laptop, which has Qubes, I can access passwords using a key stored in my keys vault using Qubes split GPG. Encrypted passwords are synced through SSH to my server. On my other computers, I can decrypt passwords with my YubiKey as a GPG smart card. This is probably way overcomplicated, but it works.


I am security conscious, but not as conscious as jgc. I am doing the same with the database on the drive, and the drive is encrypted. I have a "smaller" password in my head plus a Yubikey password which is appended to my smaller password. For each website I am using a randomly generated password.

What is important is that in my daily life this is working perfectly well, and I do not feel the annoyance of the added security at all, compared with using the same dadada password on all the websites.

I really recommend a head-stored + hardware-generated password too; this is working wonderfully.


Sounds like a good system. Having something easy that you will actually use is the most important thing.

There is no one-size-fits-all solution and it should clearly depend on the threat model. I can imagine why someone who could be expected to have the keys to CloudFlare's infrastructure might want to take extra care.


Actually, I don't have the keys to CloudFlare's infrastructure. I don't have access to our production systems at all.


I thought this might be the case, but it doesn't stop people from believing you may be a high value target. So the good security practices are very prudent.


I suppose I'm even less security conscious, as I'm storing my file in ownCloud and sync it also to my Android. I assume this use case prevents using a Yubikey password for enhanced security?


You can always put your files in OwnCloud in a TrueCrypt container, and anything that's unlocked by a password can use a Yubikey password with head-stored additions.

I'm not aware of ready-made solutions to locally decrypt cloud-stored data on mobile phones though, I don't think you can mount TrueCrypt volumes on your phone. Anyone know of a way to do this?


Hetzner (Germany) has quite cheap storage. https://www.hetzner.de/de/hosting/storagebox/bx30

Based on the protocols they offer it is easy to mount encrypted. LUKS is available for Android (rooted) https://play.google.com/store/apps/details?id=com.nemesis2.l...


Does OwnCloud do the block-sync like Dropbox for TrueCrypt containers, or does it need to reupload the entire container if the container is modified?


Just had a look at KeePassX, as it looks as though it has a sleeker UX when compared with KeePass2.

It may be considered a faux pas, but I have come to like the http plugin for KeePass2, which allows Firefox to reach into my database when I come to sign into an online account.


Do you have a backup Yubikey? I'd be worried about losing mine and then losing all my data.


I printed a copy of the key, sealed it (and other stuff I wanted backed up) and gave it to a person that I trust to keep.



