Update (30/07/12): Troy Hunt has broken down the security anti-patterns used by Tesco. This is the other side of the password security issue that internet users are facing and is well worth a read - http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html
Internet security is a growing concern in these modern times. Identity fraud and password theft are on the rise, and the last 12 months have seen some of the global technology giants, including Sony, LinkedIn and Yahoo, hit by hackers and security breaches.
Passwords are not the best security: as we know, they can be easily guessed or brute forced if they are too short, but if we make them too long or too complicated they become almost impossible to remember. Some people write down their passwords next to their computer. I’ve been guilty of this; just jotting down something you tell yourself is ephemeral and is still sitting on your desk 2 years later. There are some great strides being made in developing alternatives to password-based security, but we are far from solving this problem and in the meantime internet users need to take steps to protect themselves.
There are a ridiculous number of ways to generate “secure” passwords but the fundamental flaw here is that the majority of internet users suffer from password reuse (XKCD comic, reading is mandatory) and this is a very bad thing. Ideally we should be creating a new password for every site or service we create an account for but surely the management of this is going to be a nightmare? Well, maybe not. This is where password managers come in.
The password manager space is a busy one but you don’t get far on the subject without hearing about KeePass, a plugin for KeePass or a derivative of KeePass and this is not a bad thing in my view.
From the KeePass website:
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
KeePass locks up all of your important passwords and secure information behind a customisable “Master Key” which is made from one or more of:
- Master password
- Key file
- User Account
This allows you to decide exactly how access to the encrypted database is managed as sometimes you may want something more secure than just a password or even to have access locked to a specific user account.
Key files are something I will speak about later in the series; however, they are essentially files containing an encryption key, as used in technologies like SSL and SSH. Using a key file means you must have access to the actual file (not just a file of the same name; it must be 100% identical to the file used to encrypt) in order to open the database.
What I love about KeePass is the flexibility which again, will be covered in much more detail later in this series but essentially KeePass is a toolbox and for the most part, lets you decide how and what information you want to store alongside your passwords. As well as usernames and passwords KeePass allows you to store other information in each entry such as notes, URLs, expiry, key/value pairs, file attachments. It also has a number of built-in password generators to help you generate secure passwords of varying length and complexity.
For situations where the out-of-the-box experience is not enough (such as hooking up to browsers), there is a good collection of plugins available to fill in the gaps.
Now obviously, like any security system, the success or failure of KeePass depends on the user. If you don’t take precautions to keep the master key to the database out of harm’s way then this is no better than just handing over a text file to a would-be computer hacker and asking them to rob you blind. Like many things on the internet, it requires thought on how best to use and implement it, but when it is done right you will reap the benefits of organised, easy to access passwords.
What about LastPass?
One of my colleagues uses LastPass and is pretty happy with it. He spends much of his working day logging in and out of web-based administration systems which is why LastPass works for him. One complaint he has though is that when you have multiple logins for the same URL, LastPass can’t cope and takes the one it has remembered over the one you actually want to use. This is not something I have found to be an issue with KeePass.
Having a look at LastPass myself, I found that it seems to be focused on having passwords to hand in the browser, which is great, but not all of my passwords are used online. I have RDP passwords, computer game login passwords and even software serial keys which I want to keep safe; LastPass is not as well suited to these requirements.
Another factor in my choice not to use LastPass is where my passwords are stored. With KeePass I am responsible for where I put the databases and any key files I create, which means I am in control of them. With cloud services like LastPass you are highly dependent on their infrastructure for both security and reliability. Now LastPass may still work without access to its online service, but you certainly won’t be adding any new passwords to all your devices if the service goes offline temporarily.
The security angle may be paranoia:
We use firewalls and best practices to protect the servers and service, but our best line of defence is simply not having access to data even if someone got in. If LastPass can’t access it, hackers can’t either. A large number of PBKDF2-SHA256 rounds are utilized to create your key, with the ability to increase the number of rounds over time to render brute forcing your master password impossible.
But I have no proof of this; I’ll bet there are thousands of people out there who trusted Sony, LinkedIn and Yahoo, and look what happened there. So while one could argue that having the databases so close to me could also be considered a security risk, at least I know how well protected they are and have the ability to destroy them if I have to.
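The master key components listed earlier (password and/or key file) and the PBKDF2-SHA256 rounds LastPass mentions are two halves of the same idea: combine whatever secrets you chose into one key, then make each guess at it expensive. The following is an added example of mine, not code from KeePass or LastPass, that models this in Python; the labelled-hash composite construction, the function names and the sample password, key-file bytes and salt are assumptions for illustration and not KeePass's exact format.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample inputs for the demonstration (not real secrets).
MASTER_PASSWORD = "correct horse battery staple"
KEY_FILE_A = bytes(range(64))            # contents of the real key file
KEY_FILE_B = bytes(range(63)) + b"\xff"  # same name and size, last byte differs
SALT = b"constructed-salt"               # per-database salt, stored unencrypted

def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Combine the chosen master-key components into one 32-byte secret.

    Hypothetical, simplified KeePass-style composite key (not KeePass's exact
    format): each component is hashed under its own label so that a password
    and a key file holding the same bytes never collide, then the labelled
    hashes are concatenated in fixed order and hashed once more.
    """
    parts = []
    if password is not None:
        parts.append(hashlib.sha256(b"password:" + password.encode("utf-8")).digest())
    if key_file is not None:
        parts.append(hashlib.sha256(b"keyfile:" + key_file).digest())
    if not parts:
        raise ValueError("at least one master-key component is required")
    return hashlib.sha256(b"".join(parts)).digest()

def stretch_key(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key stretching; 'rounds' is the tunable cost factor."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)

def unlock(password, key_file, salt, rounds, expected_key) -> bool:
    """Recompute the stretched key and compare it in constant time."""
    candidate = stretch_key(composite_key(password, key_file), salt, rounds)
    return hmac.compare_digest(candidate, expected_key)

def seconds_per_guess(rounds: int) -> float:
    """Time one derivation: the price an attacker pays per guessed password."""
    start = time.perf_counter()
    stretch_key(b"\x00" * 32, SALT, rounds)
    return time.perf_counter() - start

if __name__ == "__main__":
    key = stretch_key(composite_key(MASTER_PASSWORD, KEY_FILE_A), SALT, 100_000)
    print("right password + right key file:", unlock(MASTER_PASSWORD, KEY_FILE_A, SALT, 100_000, key))
    print("right password + wrong key file:", unlock(MASTER_PASSWORD, KEY_FILE_B, SALT, 100_000, key))
    for rounds in (1_000, 100_000):
        print(f"{rounds:>7} rounds: {seconds_per_guess(rounds) * 1000:.1f} ms per guess")
```

A key file that differs by a single byte fails to unlock, which is the point made earlier about the file having to be 100% identical, and raising the round count raises the per-guess cost for an attacker by the same factor.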
A final, small, point on LastPass is that to use it on mobile devices you have to pay. This is not the case for KeePass since Android has KeePassDroid (and various others), iOS has MiniKeePass (again, others are available), both of which are free and even Windows Phone 7 has joined the KeePass party (granted, not for free) with 7Pass. Why spend money on something that you can have, legitimately and legally, for free?
What about 1Password?
This one for me really just comes down to cost. I can’t see a “killer feature” in 1Password that is worth $49.99 and can’t be fulfilled using KeePass, a plugin or a mobile app. If you feel I am wrong, please feel free to point out what you think is worth the money and I will be happy to re-evaluate. Some may call me a cheapskate but I don’t see the point in senselessly spending money on something that has a tried, tested and free alternative.
Hopefully this has served as an introduction to KeePass and explained why such a tool may be of value. In my next post I will be demonstrating how to get started with KeePass, setting up your master key and we’ll have a look at some of the data you can store inside. Continue to Part 2