About Andy Gibson

I am a student software engineer currently in my final (honours) year at University. I primarily work with the Microsoft .NET framework (2.0+) and surrounding technologies including WPF, LINQ, ASP.NET (+ MVC Framework) and Visual Studio. I also spend a lot of time in the web development arena and I have strong experience with XHTML, CSS, Web Accessibility, PHP and jQuery. I enjoy learning more about my fields of interest and am happy to lend a hand when I can.

KeePass

  • Part 1 – An Introduction
  • Part 2 – Your First Password Database
  • Part 3 – Browser Integration
  • Part 4 – Auto-Type
  • Part 5 – Plugins

Last year (I’m having that usual ‘new year’ thing where ‘last year’ doesn’t actually feel that long ago, sue me ;) ) I wrote a post introducing the password manager KeePass and stated it would be the first in a series. Finally, months later I am getting around to part 2 which will explain how to get started.

I feel I should point out that effective password management comes down to you, the user. You could use the most advanced tools in the world to lock up your passwords, but unless you have secure passwords and good security habits, the strongest locks will not save you. Nagging out of the way, let's get started.

First you need to get a copy of KeePass (available free, with source, from http://keepass.info/) and install it. If you are a Linux or OS X user, fear not: even though KeePass is written in .NET, it is compatible with Mono (instructions available here: http://keepass.info/help/v2/setup.html#mono). KeePass is also available to run from a USB drive as portable software (http://keepass.info/help/v2/setup.html#portable).

Once KeePass is installed start it up and you will be presented with an interface that looks like the following.

[Image: keepass_basic_interface]

Now we need to create a database which is done by either hitting the button on the toolbar or going to File -> New. You will then be asked for a location and a filename for the new database.

Once you have selected the location of your database you will be asked to create a master key:

[Image: keepass_master_key]

Master keys are composite, as the dialog suggests: they can be a mixture of a master password, a key file and a Windows user account. The simplest approach is to use just a password, a ‘one password to rule them all’ type approach which, while simple, can weaken the security of your database if that password is too easy to guess.

A key file is exactly that: a file which acts like a master password in file form. It can contain anything; it could even be an existing file from your computer. Key files are a lot more secure than a password; however, since they don’t live in your brain, they are harder to keep locked down or secret.

A good option is to combine a master password and a key file since it increases the work required to break into the database, especially if you are diligent.

More information on keys can be found on the KeePass site, which provides an in-depth explanation of the options available to you (http://keepass.info/help/base/keys.html). If you are considering using a key file but don’t have the time (or patience) to read the KeePass page on keys, then at least consider the following:

Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret — selecting a file out of thousands existing on your hard disk basically doesn’t increase security at all, because it’s very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective.

Upon creating your composite key you will then be asked for the settings your database should use. They are fairly self-explanatory and allow you to add a name, description, compression, master key change policy and, most importantly, security options.

[Image: keepass_database_settings]

It is worth having a look at the ‘Key transformation’ section of the ‘Security’ tab, as this controls how many times the master key is transformed (repeatedly re-encrypted so that the original key material is obscured) before it is used. The more transformations the key has to go through, the slower each attempt becomes for a guessing attack run against the database; however, it also adds the same delay to save/load operations. On my quad core AMD Athlon II X4 955 (3.20 GHz) processor a 1 second delay covers 6744064 transformations. Using the ‘1 second delay’ link provided you can decide how much of a delay you want to add.
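
To make the two ideas above concrete (how a master password and a key file combine into one composite key, and why the key transformation count matters), here is an added example that is not part of the original post and not KeePass's own code. It is modelled on the way KeePass 2 combines its key sources (each source hashed, the hashes concatenated and hashed again), but simplifies things: every key file is simply SHA-256'd, and the transformation loop uses SHA-256 where KeePass uses repeated AES encryption, so the numbers it measures are for this toy, not for KeePass. The password and key file bytes are constructed sample values.

```python
import hashlib
import time
from typing import Optional

# Constructed sample inputs (not real secrets): a master password and the
# bytes of a key file. Any file can serve as a key file; what has to be kept
# secret is its content, since the exact bytes must be reproduced to unlock.
MASTER_PASSWORD = "correct horse battery staple"
KEY_FILE_BYTES = bytes(range(256)) * 4  # constructed 1 KiB key file payload


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Combine the chosen key sources into one 32-byte composite key.

    Modelled on KeePass 2's scheme: each source is hashed on its own, the
    hashes are concatenated in a fixed order and hashed again. Leaving out
    a source, or changing a single byte of the key file, yields an unrelated
    key. (Simplified reimplementation: KeePass treats some key-file formats
    specially; here every key file is just SHA-256'd.)
    """
    if password is None and key_file is None:
        raise ValueError("at least one key source is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()


def transform_key(key: bytes, rounds: int) -> bytes:
    """Key transformation: push the key through a one-way function `rounds`
    times so every unlock attempt, legitimate or not, pays that cost.
    KeePass uses repeated AES encryption; SHA-256 stands in here to keep the
    example dependency-free (assumption, not KeePass's algorithm)."""
    for _ in range(rounds):
        key = hashlib.sha256(key).digest()
    return key


def measure_rounds_per_second(sample_rounds: int = 50_000) -> float:
    """Benchmark this machine, as the dialog's '1 second delay' link does."""
    start = time.perf_counter()
    transform_key(b"\x00" * 32, sample_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return sample_rounds / elapsed


def calibrate_rounds(target_seconds: float) -> int:
    """Round count that makes one unlock take roughly target_seconds here."""
    return max(1, int(measure_rounds_per_second() * target_seconds))


def guessing_time_years(rounds: int, candidates: int, rounds_per_second: float) -> float:
    """Time an attacker needs to try `candidates` master passwords when each
    attempt costs `rounds` transformations at the given speed. Raising
    `rounds` multiplies this linearly, which is the whole point of the setting."""
    seconds = candidates * rounds / rounds_per_second
    return seconds / (365 * 24 * 3600)


def unlock(password: Optional[str], key_file: Optional[bytes], rounds: int) -> bytes:
    """The key a database would actually be encrypted under."""
    return transform_key(composite_key(password, key_file), rounds)


if __name__ == "__main__":
    rounds = calibrate_rounds(1.0)
    print(f"this machine: about {rounds} rounds per second")
    # Using the post's own figure of 6744064 rounds per second for one
    # second of delay: cost of a hundred million guesses at that speed.
    print(f"{guessing_time_years(6744064, 10**8, 6744064.0):.2f} years for 1e8 guesses")
```

The `guessing_time_years` call in the `__main__` block shows the trade-off in the post's own numbers: at one second per unlock, a hundred million guesses take a hundred million seconds, and doubling the round count doubles that while costing you one extra second per open or save.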

Once created, your database will be opened and on the left you will have a list of pre-defined ‘groups’ (folders) and on the right will be a couple of sample entries. Double clicking an entry will copy the password to your clipboard as will the shortcut ‘Ctrl + C’ which is handy for quickly copying the password. To copy a username you can use the shortcut ‘Ctrl+B’.

Groups can be easily added, removed, edited, etc. by right clicking on them and taking action as required. You can nest groups simply by dragging and dropping and icons can be assigned/changed from the ‘Edit Group’ menu option.

You can add new entries to a group by first selecting the group and then right clicking in the right-hand panel and selecting ‘Add Entry…’ (or by pressing ‘Ctrl + I’), which will bring up this screen:

[Image: keepass_add_entry]

This should be simple enough to work through, but one nifty feature I want to draw attention to is the password generator (highlighted in the images above and below).

[Image: keepass_generator]

This is one of the great features of KeePass for me, being able to randomly generate a strong, secure password which can not only be adapted with criteria but also be quickly stored against the account information I wish to use it with. The generator even lets you preview a selection of passwords the settings you choose will generate and if that isn’t enough, you can save patterns as profiles which can be easily reused. Nifty eh?
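
As an added illustration of what the generator is doing (not code from the post or from KeePass), the following builds a generator around the same ideas: character classes you switch on and off, characters you can exclude, a preview of several candidates from one set of settings, and saved profiles. The profile names and settings are constructed examples, not KeePass's built-in profiles, and the entropy figure is the textbook upper bound for uniform draws from the alphabet.

```python
import math
import secrets
import string

# Character classes matching the checkboxes in the generator dialog.
CHARSETS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": string.punctuation,
}

# Reusable settings, the equivalent of the dialog's saved profiles
# (constructed examples, not KeePass's built-in profiles).
PROFILES = {
    "strong": {"length": 24, "classes": ("upper", "lower", "digits", "special")},
    "pin": {"length": 6, "classes": ("digits",)},
    "no-lookalikes": {"length": 16, "classes": ("upper", "lower", "digits"), "exclude": "O0Il1"},
}


def build_alphabet(classes, exclude=""):
    """Union of the selected classes minus any excluded characters."""
    alphabet = "".join(CHARSETS[c] for c in classes)
    return "".join(ch for ch in alphabet if ch not in exclude)


def generate_password(length, classes=("upper", "lower", "digits", "special"),
                      exclude="", require_each=True):
    """Draw each character uniformly from the alphabet using the OS CSPRNG
    (the secrets module, never random.random). With require_each, candidates
    missing one of the selected classes are rejected and redrawn, so the
    guarantee never biases the surviving draws."""
    alphabet = build_alphabet(classes, exclude)
    if not alphabet:
        raise ValueError("empty alphabet")
    usable = {c: [ch for ch in CHARSETS[c] if ch not in exclude] for c in classes}
    if require_each and any(not chars for chars in usable.values()):
        raise ValueError("a required class has been excluded entirely")
    if require_each and length < len(classes):
        raise ValueError("length too short to include every class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or all(any(ch in usable[c] for ch in candidate) for c in classes):
            return candidate


def entropy_bits(length, classes, exclude=""):
    """Upper bound on guessing entropy: log2 of the number of equally likely
    strings of this length over this alphabet."""
    return length * math.log2(len(build_alphabet(classes, exclude)))


def preview(count, **settings):
    """Like the dialog's preview tab: several samples from one set of settings."""
    return [generate_password(**settings) for _ in range(count)]


def from_profile(name):
    """Generate using a saved profile."""
    return generate_password(**PROFILES[name])


if __name__ == "__main__":
    for name, settings in PROFILES.items():
        bits = entropy_bits(settings["length"], settings["classes"], settings.get("exclude", ""))
        print(f"{name:14s} {bits:6.1f} bits  e.g. {from_profile(name)}")
```

The interesting line is the `secrets.choice` call: a generator that draws from a non-cryptographic PRNG, or that seeds on the clock, produces passwords whose apparent complexity is not matched by real unpredictability, and the entropy figure printed here would overstate their strength.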

The ‘Advanced’ tab of the Add Entry screen lets you add your own custom fields and file attachments which are all encrypted inside the database. You can quickly access custom fields from the context menu for any given entry to save you opening up the details to get at them.

Auto-Type is something I haven’t personally used yet, but it is a very powerful feature of KeePass. You can configure it from the ‘Auto-Type’ tab, and more information on it can be found at http://keepass.info/help/base/autotype.html.

Any changes made to an entry are shown in the History tab and you can view/restore changes from here which can be helpful when multiple people have access to the same database.

Up Next

Hopefully this post has provided an idea of how to get started with KeePass and highlighted a few things to be thinking about when creating your databases and master keys. The next post will be looking at configuring web browsers to automatically (and securely) communicate with KeePass to provide auto-login capabilities.

If you have any questions please feel free to comment and I will do my best to answer them.

3 months and 3 DDD events are getting closer. DDD 10 takes place on the first week of September and has completely sold out (within minutes of opening), DunDDD will be happening on the 17th of November but in the middle is DDD North.

For those not in the know the DDD (Developer! Developer! Developer!) conference series are free, community-run conferences that take part across the UK and even further a field in Ireland and Australia. The success of the DDD series is in part down to the passion, dedication and drive of the organisers but much more importantly the commitment the development community puts in by turning up, speaking and providing feedback. Traditionally the conferences have a .NET/Microsoft focus, especially at the main (and original) event held in Reading however the regional events have seen a wide variety of alternative technologies and languages reach the agenda.

One of the great things about DDD conferences is democracy. Most of the events allow potential delegates to vote on sessions which gives the organisers an idea of what is popular and can then be used to decide who make the agenda. It also helps for room capacities.

I have got 2 talks up for DDD North this year and if you’re going to DDD North and would like to see either of them, please vote for them!

A Day in the Life of a Support Developer

Legacy projects, maintenance contracts, supporting code written by people who have long since left. The frustrations, the “WTF!?”s, the realisation that you can make it better, at the very least for yourself, but also for your fellow developers. These are all things I am sure many developers experience when working in support teams or on legacy projects and it is something I have learnt a great deal from.

In this session I will show how, with help from people such as Michael Feathers (Working Effectively With Legacy Code), Uncle Bob Martin and The Pragmatic Programmers (Andrew Hunt & David Thomson) you can survive support desks and legacy projects while retaining your sanity. There will be code examples, hints & tips and open discussion.

Working Effectively

Umbraco is a Content Management System that has been making waves in the .NET development community lately (for various reasons). Because of its flexibility, extensibility and relative ease of use for the end user, it is widely used and very popular with digital agencies using the .NET stack. Being an established CMS, there are many tools, patterns and practices you can apply to Umbraco development that can significantly improve your productivity (and make life a little easier for your designers too!).

This session will cover areas such as:

  • Project and folder structure
  • Automation with Rake
  • Writing clean code without codebehind (or clogging up your Razor views)
  • Optimising use of the Umbraco Node API.
  • Hints and tips for faster, more efficient Umbraco development

If you’re interested in working more effectively with Umbraco, this is the session for you!

I’ve just been updating the Scottish Developer’s website with a number of job postings that have come in from various companies over the past few days.

Barclays – Senior Development Manager

Hatstand – SQL Database Developer

The Zen Agency – .NET C# Web Developer in Glasgow

Craneware – Senior Database Developer & Software Developer Positions in Edinburgh

It is great to see so many opportunities for developers across Scotland but at Scottish Developers we are starting to realise our blog may not be the best place for advertising all of this great stuff. We are looking into options for a job board to better manage the postings we receive from companies looking for talented individuals which hopefully will make it easier to search through the list and filter results.

If you’re in the market for a new job then keep an eye on the Scottish Developers blog where you will find positions from real companies looking for people like you.

KeePass

Update (30/07/12): Troy Hunt has broken down the security anti-patterns used by Tesco. This is the other side of the password security issue that internet users are facing and is well worth a read: http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html

Internet security is a growing concern in these modern times. Identity fraud and password theft are on the rise, and the last 12 months have seen some of the global technology giants, including Sony, LinkedIn and Yahoo, hit by hackers and security breaches.

Passwords are not the best security. As we know, they can be easily guessed or brute forced if they are too short, but if we make them too long or too complicated they become almost impossible to remember. Some people write down their passwords next to their computer; I’ve been guilty of this, just jotting down something you tell yourself is ephemeral and is still sitting on your desk 2 years later. There are some great strides being made in developing alternatives to password-based security, but we are far from solving this problem and in the meantime internet users need to take steps to protect themselves.

There are a ridiculous number of ways to generate “secure” passwords but the fundamental flaw here is that the majority of internet users suffer from password reuse (XKCD comic, reading is mandatory) and this is a very bad thing. Ideally we should be creating a new password for every site or service we create an account for but surely the management of this is going to be a nightmare? Well, maybe not. This is where password managers come in.

Enter KeePass

The password manager space is a busy one but you don’t get far on the subject without hearing about KeePass, a plugin for KeePass or a derivative of KeePass and this is not a bad thing in my view.

From the KeePass website:

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

KeePass locks up all of your important passwords and secure information behind a customisable “Master Key” which is made from one or more of

  • Master password
  • Key file
  • User Account

This allows you to decide exactly how access to the encrypted database is managed as sometimes you may want something more secure than just a password or even to have access locked to a specific user account.

Key files are something I will speak about later in the series; however, they are essentially files containing an encryption key, as used in technologies like SSL and SSH. Using a key file means you must have access to the actual file (not just a file of the same name; it must be 100% identical to the file used to encrypt) in order to open the database.

What I love about KeePass is the flexibility which again, will be covered in much more detail later in this series but essentially KeePass is a toolbox and for the most part, lets you decide how and what information you want to store alongside your passwords. As well as usernames and passwords KeePass allows you to store other information in each entry such as notes, URLs, expiry, key/value pairs, file attachments. It also has a number of built-in password generators to help you generate secure passwords of varying length and complexity.

For situations where the out-of-the-box experience is not enough (such as hooking up to browsers), there is a good collection of plugins available to fill in the gaps.

KeePass Main Dialog

Now obviously, like any security system the success or failure of KeePass depends on the user. If you don’t take precautions to keep the master key to the database out of harm’s way then obviously this is no better than just handing over a text file to a would-be computer hacker and asking them to rob you blind. Like many things on the internet, it requires thought on how best to use and implement it but when it is done right, you will reap the benefits of organised, easy to access passwords.

What about LastPass?

One of my colleagues uses LastPass and is pretty happy with it. He spends much of his working day logging in and out of web-based administration systems which is why LastPass works for him. One complaint he has though is that when you have multiple logins for the same URL, LastPass can’t cope and takes the one it has remembered over the one you actually want to use. This is not something I have found to be an issue with KeePass.

Having a look at LastPass myself I found that it seems to be focused on having passwords to hand in the browser which is great but not all of my passwords are used online. I have RDP passwords, computer game login passwords and even software serial keys which I want to keep safe, LastPass is not as well suited to these requirements.

Another factor in my choice not to use LastPass is where my passwords are stored. With KeePass I am responsible for where I put the databases and any key files I create, which means I am in control of them. With cloud services like LastPass you are highly dependent on their infrastructure for both security and reliability. Now, LastPass may still work without access to its online service, but you certainly won’t be adding any new passwords to all your devices if the service goes offline temporarily.

The security angle may be paranoia:

We use firewalls and best practices to protect the servers and service, but our best line of defence is simply not having access to data even if someone got in. If LastPass can’t access it, hackers can’t either. A large number of PBKDF2-SHA256 rounds are utilized to create your key, with the ability to increase the number of rounds over time to render brute forcing your master password impossible.

But I have no proof of this; I’ll bet there are thousands of people out there who trusted Sony, LinkedIn and Yahoo and look what happened there. So while one could argue that having the databases so close to me could also be considered a security risk, at least I know how well protected they are and have the ability to destroy them if I have to.

A final, small, point on LastPass is that to use it on mobile devices you have to pay. This is not the case for KeePass since Android has KeePassDroid (and various others), iOS has MiniKeePass (again, others are available), both of which are free and even Windows Phone 7 has joined the KeePass party (granted, not for free) with 7Pass. Why spend money on something that you can have, legitimately and legally, for free?

And 1Password?

This one for me really just comes down to cost. I can’t see a “killer feature” in 1Password that is worth $49.99 and can’t be fulfilled using KeePass, a plugin or a mobile app. If you feel I am wrong, please feel free to point out what you think is worth the money and I will be happy to re-evaluate. Some may call me a cheapskate but I don’t see the point in senselessly spending money on something that has a tried, tested and free alternative.

Up Next

Hopefully this has served as an introduction to KeePass and explained why such a tool may be of value. In my next post I will be demonstrating how to get started with KeePass, setting up your master key and we’ll have a look at some of the data you can store inside. Continue to Part 2

I got assigned a rather annoying bug today whereby when a user using Firefox 7 went to a page that streamed a file for download, Firefox immediately stopped processing the page and returned the following error

Corrupted Content Error

A little bit of GoogleFu brought me to Firefox Bug #681140 - Corrupted Content error due to multiple Content-Disposition header field instances, new in Firefox 7.

There are a couple of reasons why this error will get thrown, but the bottom line is that Firefox thinks this is a form of response smuggling and blocks it. In fact it doesn’t just block it, it denies any knowledge of anything to do with it; I could not for the life of me get Firefox to give me the response headers no matter what extension I used. In the end Fiddler revealed the issue:

content-disposition: attachment
Content-Disposition: attachment; filename="results.xls"

Fairly simple issue here: there are two Content-Disposition headers being sent to the browser, and Firefox 7 throws its toys out of the pram if there is more than one.

Now, the cause.

I loaded up the controller that was generating these downloads and right enough, I found

Response.AddHeader("content-disposition", "attachment"); // first Content-Disposition header, added by hand
return File(content, format, filename);                   // File() with a download name adds a second one

I think you can see where I am going here. MVC is pretty good at removing a lot of the boiler plate we normally have to write and this is one of those cases. When you use the Controller.File method a number of headers are automatically set for you on the Response stream, if you provide a file name then one of those headers is Content-Disposition.

Ta-da, the source of the duplication.

So, when using FileResult in MVC, be very careful which additional headers you send out. Check them in something like Fiddler, and don’t just assume that browsers in the future will accept malformed or duplicate headers.
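
The check the post recommends (look at the raw response and make sure no header that should appear once appears twice) can be scripted against a capture. The following is an added example, not code from the post; it parses a raw HTTP response as Fiddler would display it and reports repeated headers, restricting itself by default to headers that are only meaningful once, since headers such as Set-Cookie may legitimately repeat. The two responses are constructed: the first reproduces the duplicate pair shown above with a status line and other headers added for completeness, the second is the same response after the redundant AddHeader call is removed.

```python
from typing import Dict, List, Tuple

# Constructed sample: the broken response, as a Fiddler raw view would show it.
BROKEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/vnd.ms-excel\r\n"
    "content-disposition: attachment\r\n"
    'Content-Disposition: attachment; filename="results.xls"\r\n'
    "Content-Length: 1024\r\n"
    "\r\n"
)

# Constructed sample: the same response with the hand-added header removed,
# leaving only the one that File() sets.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/vnd.ms-excel\r\n"
    'Content-Disposition: attachment; filename="results.xls"\r\n'
    "Content-Length: 1024\r\n"
    "\r\n"
)

# Headers that must appear at most once; a repeat is a bug at best and a
# smuggling attempt at worst. Set-Cookie, by contrast, may repeat legitimately.
SINGLETON_HEADERS = {
    "content-disposition", "content-type", "content-length",
    "content-encoding", "location",
}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response into (name, value) pairs, names lower-cased so
    that 'content-disposition' and 'Content-Disposition' compare equal,
    exactly as Firefox treats them. Obsolete line folding is not handled."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def find_duplicate_headers(raw: str, singleton_only: bool = True) -> Dict[str, List[str]]:
    """Map each repeated header name to all of its values. With singleton_only,
    only names that must not repeat are reported."""
    seen: Dict[str, List[str]] = {}
    for name, value in parse_headers(raw):
        seen.setdefault(name, []).append(value)
    return {
        name: values for name, values in seen.items()
        if len(values) > 1 and (not singleton_only or name in SINGLETON_HEADERS)
    }


def would_firefox7_reject(raw: str) -> bool:
    """True when the response carries the condition from bug 681140: more
    than one Content-Disposition header field instance."""
    return "content-disposition" in find_duplicate_headers(raw)


if __name__ == "__main__":
    for label, response in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, find_duplicate_headers(response), "rejected:", would_firefox7_reject(response))
```

Run over a saved raw response this prints the offending pair for the broken case and an empty result for the fixed one; the same check is cheap enough to keep in an integration test for any action that sets headers by hand before returning a FileResult.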

Posted in MVC.