Software I enjoy: KeePass

Password management made simple

2014-01-30
#software #linux #encryption #password management
opinion

Lots people (including myself) enjoy the ability for passwords to be saved for them. This has a number of upsides, the main one being the ability to use different passwords for each website without having to remember each individual password.

There are a number of ways to do this, the most prevalent being the built-in password saving mechanisms for each web browser. I really, really don’t like these, for a number of reasons. The largest one is that if someone manages to get access to your filesystem (not even necessarily physical access to your computer, just access to your filesystem) they’ll be able to copy over your user data directory (profile, plugins, etc etc) and will be able to start their web browser “as you” on their local machine, putting all of your saved passwords into their hands.
Internet Explorer, oddly, is smart enough to force you to enter the windows session password for the original account, but that requires me to start using Internet Explorer, which I really do not want to do for other various reasons.

So, how can we have password storage capabilities to allow us to use unique passwords all over the Internet (and beyond)? The solution: Use a password management software!

Most password management softwares store their passwords in database files that you can either keep on a flash drive, on a network share (if you’re in an environment that has one of these), or in the cloud using a service like SkyDrive, Google Drive, or (my preference) Dropbox.
These softwares also require that you supply a ‘master password’ to unlock the database before you can get to all of your passwords, which allows you to store the database wherever you want to.
Of course, for added security, you could encrypt the databases themselves using a solution such as TrueCrypt, but I have DropBox set to require authentication before I can access the files, which is good enough for my purposes. Besides, in order to get to get to my passwords, they’d have to decrypt my rather long master password, which would probably take months if not years, and in combination with my regiment of changing passwords every so often it will forever keep the bad guys guessing. ;)

My password management software of choice is KeePass. There’s a couple of reasons for this:

  1. First and foremost, it’s free. As a college student sometimes struggling to make ends meet, this is a Very Good Thing(tm).
  2. It supports multiple forms of encryption, including AES and TwoFish, giving you superior encryption of your databases.
  3. In addition to (or instead of) supplying a master password, you can supply a file that will be used as a key to open the database. For the extra paranoid, you could encrypt this key file inside of TrueCrypt (which itself will use AES/TwoFish encryption) in order to really stump the evil do’ers.
  4. In addition to being Free As In Beer (price), it’s also Free As In Speech (open source), and because of this multiple plugins have been made for it in order to extend it’s functionality. We’ll get to one such of those in just a second.
  5. Because it’s open source, it has been ported to run on just about everything. I have versions running on Windows 7, Windows XP, Arch Linux, and even Android.
  6. If, for some reason, I can’t seem to think of a suitable password for an application or web site (rare, but it does happen), KeePass has a handy password generator that will randomly concoct a password based on whatever you tell it to do: length requirements, upper case, lower case, special characters, and even high ANSI characters (letters with accents, symbols, etc).

The other really nifty thing about KeePass is that it also comes in a portable version, which installs to a regular old folder in your home directory and (the best part) doesn’t require admin privileges. Because of this, you can just throw KeePass on a flash drive and take it with you wherever you go.

I mentioned earlier that you can extend KeePass with plugins in order to make it do some really nifty things. I’m a really big fan of one such plugin, KeePassHTTP. This nifty plugin, among other things, allows web browser plugins to access your KeePass database to basically completely supplant your browser’s built-in password saving mechanism. Because of this plugin and a Chrome browser plugin named ChromeIPass, I now have a (mostly) hands-free method of managing all of my online passwords.

Here’s how I did it. These steps are confirmed to work on Windows 7, and I also have this working on Arch Linux, so this should work on relatively any operating system on which KeePass and Chrome (possibly Chromium? untested) can both run, but as with all of these things Your Mileage May Vary.

  1. Download KeePassHTTP. It’s hosted in a Git repository, but there should be a direct download available. As of 1/30/2014, that direct download is here, but if that link doesn’t work then just Google for it and you’ll find it.
  2. Place KeePassHTTP into the root folder that KeePass is installed in.
  3. Start KeePass.
  4. Install the ChromeIPass extension for Chrome (search for it in the web store). The KeePass padlock should appear on the right side next to the Chrome menu. (this only applies if you don’t use Chrome’s sign-in feature to sync all of your history and extensions
  5. Click on that padlock, and ChromeIPass will tell you that it needs to be able to interface with KeePassHTTP. Click the button to allow it to do so.
  6. At this point, KeePass will pop up telling you that it’s just added something to the database and it wants you to give it a unique name. Go ahead and name it something unique (location and computer name are my go-tos), and click through to confirm.
  7. Go to a web page that you have a password saved for, like your e-mail, a social networking site, etc. ChromeIPass will automatically fill the username and password fields for you!

Using the above in combination with Dropbox installed on each machine I use (or even just using the Dropbox web client), I can access my password list from anywhere I have an internet connection. It’s one of the most convenient things that I’ve set up in the last few months and, as of right now, it’s an indispensable tool for maintaining my security online and elsewhere.

This was a pretty long blog post. Did it help you? Let me know below in the comment section.

Comments: