A few of you noticed I had a long-lived hiatus from the Nex that lasted about 10 months. In this post I will do two things - first, I'll summarize what caused this sudden disappearance of mine, and second, I'll share my thoughts on password managers, since they have become a rather controversial topic on the web.
Long story short, in October last year someone spent some time near my house and managed to crack the password to one of my home wifi routers. By doing so, this person then logged into the email account of a local politician via my IP. Keep in mind this happened right before election campaigns.
The above concludes my home network's involvement in this whole story. However, the steps this person took next got me in some trouble. After he logged into the email account of this politician, he obtained access to their Facebook account, because it was linked to that email address. Then a few hours later, from a different IP address of some random people, this hacker again cracked their wifi password and through their IP logged into the Facebook account of said politician and shared a bunch of child pornography on their timeline.
Considering this happened right before campaigns, I'm 100% sure it was a paid job by competition with the intent of ruining this politician's reputation and, consequently, their chances of getting a chair in the government offices.
Fast forward a few months, in late February 2022, I get a knock on my door at 6:30 am. I open, and I see 7-8 fully-geared goons from a local governmental organization called GDBOP, which deals with organized crime. Hands on weapons, kevlar on them, the whole shebang. They tell me they need to sweep my apartment and have a warrant to do so, which was presented to me for verification.
The moment I saw all of those armed policemen at my door, I felt for the first time in my life what it is like to have your knees give out from pure fear. The source of that fear was a mistake I had made - I had temporarily moved my stash inside my apartment for organizational purposes. Usually I don't keep any drugs at home for obvious reasons, but I let my guard down at the worst possible time I could. Naturally, I thought they were here for a drug sweep, not something else. And I had enough stuff in one of my drawers to put me behind bars for a good 6-8 years.
Then they explained to me that they needed to take all of my electronic devices that had ever been connected to a network, and further explained to me what the reason for their sweep was. I still can't thank whatever spirits and gods may have watched over me that day, for nobody even searched for drugs. Lucky me. Certainly a mistake I will never make again.
So these people confiscated my PC, my work laptop, my phone and even my router, and told me they needed to analyze them for the presence of the aforementioned pornography. When I asked how long it might take for this analysis to complete, they told me "could be 2 months, could be 2 years, no way to tell". This is just how the Bulgarian government operates. I got questioned and all that, and almost lost my job because the company I work for didn't like the idea of having a potential criminal employed, especially considering how sensitive their clients are to such things.
Anyhow, a few weeks ago I got mail that they're returning my stuff and now I've got it all back, so I'm off any and all leashes, finally. It was one of the most stressful and scary experiences I've ever had. But it taught me a couple of very important lessons:
1 - never keep anything illegal in your home, even for a little bit
2 - always have strong passwords on your networks
The latter led me to rethink my password management setup, which is the second point of this post. I used to use LastPass, but recently they had a big breach and I don't like that at all, so I took matters into my own hands and changed my setup entirely. I will share it below in hopes that it might help someone else who is having doubts regarding their current password management setup.
As a manager, I use KeePassXC on both desktop and mobile. It holds the passwords in a local database that is SHA-256 encrypted. As long as you set a strong enough master password, even if someone obtains that file, it should be incredibly difficult, perhaps even impossible, to crack it open and decrypt its contents. But that's not good enough for me, so what I did is the following:
In case someone does indeed obtain that file and manages to crack my master password, instead of putting my whole passwords inside, each entry contains only one part of the whole password. This is kind of the idea of cryptographic "salt". For example my Nexus password can have an entry in KeePassXC such that the password present in the database is "12bbcABC@rbn9))V*xcVJcxvcnMXNZ<WQ". However, my actual password contains not just that string, but something else before or after it. That something else is the same password I have for all other entries in the database, but it's nowhere to be found there. It's only present in my memory. Naturally, it needs to be strong enough so it's not that easily crackable, but anything above 15 symbols should work. Mine is 30+, and most generated passwords that I keep in KeePass are 40 random symbols, so technically all my passwords are 70+ symbols long, yet only 40 of those 70+ are kept in KeePassXC.
This results in a very robust and secure way of keeping your passwords. Whenever you log in anywhere, you type in your memorized password, then paste in the remainder from KeePass, and you're in. To update that database, I have it bound to Google Drive. Whenever I change the database locally, the change is synchronized in Drive and I can refresh the DB on my phone to obtain the latest version. Add an additional layer of security on top in the form of a VPN, and you're rock solid.
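The split-secret scheme described above, as an added example that is not code from the original post: a small audit over a KeePassXC CSV export (a constructed sample; the column set and the memorized placeholder are assumptions) that composes the full credential only in memory and flags any entry that would leak the memorized part into the database or is shorter than the intended 40-symbol fragment.

```python
import csv
import io
import secrets
import string

# Constructed sample of a KeePassXC CSV export. Only the columns used here
# are included; the real export also carries Notes, TOTP and timestamps.
# "Nexus" is a proper 40-symbol fragment, "Mail" is too short, and "Bad"
# mistakenly embeds the memorized part, which must never be stored.
SAMPLE_EXPORT = """\
"Group","Title","Username","Password","URL"
"Root","Nexus","someuser","Qz7!mK2#pL9$rT4%vW6^xY8&aB1*cD3(eF5)gH0-","https://example.invalid"
"Root","Mail","someuser","tooShort1!","https://example.invalid"
"Root","Bad","someuser","corr3ct-horse-batteryQz7!","https://example.invalid"
"""

# Placeholder for the part that lives only in the user's memory (assumed).
MEMORIZED = "corr3ct-horse-battery"


def load_fragments(export_text):
    """Map entry title -> stored fragment from a KeePassXC CSV export."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {row["Title"]: row["Password"] for row in rows}


def compose(memorized, fragment, prefix=True):
    """Build the full credential in memory: memorized part + stored fragment
    (or fragment + memorized part). The result is never written anywhere."""
    return memorized + fragment if prefix else fragment + memorized


def make_fragment(length=40):
    """Generate a random fragment of the kind kept in the database."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(fragments, memorized, min_len=40):
    """Return {title: [issues]} for entries that break the scheme."""
    problems = {}
    for title, frag in fragments.items():
        issues = []
        if memorized in frag:
            issues.append("contains memorized part")
        if len(frag) < min_len:
            issues.append(f"fragment shorter than {min_len}")
        if issues:
            problems[title] = issues
    return problems
```

Run the audit against a fresh export whenever entries are added, so a fragment pasted together with the memorized part by mistake is caught before the database is synced anywhere.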
Not sure if this will help anyone at all, but I thought it worth sharing, since it is indeed a very robust system that took some time to calibrate properly.
Anyways, let me put an end to my ramblings now. I'd love it if any of you shared ideas for improving the above so it becomes even better. I know a self-hosted cloud service where one can keep their KeePass DB file is even better, but it's a bit too much hassle for a nobody like me.
Love & Light