By July 16, 2007

Keeping passwords on lockdown

As a typical virtual citizen, I have about fifty hojillion accounts across fifty hojillion Web sites and networks. I try to recycle the same four or five usernames, and use about seven different passwords. My passwords vary depending on when I created the account, if the site has any requirements (such as no special characters, or must contain at least one number, password length, etc), and if I feel like the site is Super Important™. Even though I have a transponder that generates unique passkeys for eBay and PayPal, the root passwords for those places are not in use in any other Web site or application.

The problem that developed was that I couldn’t keep track of what password and username combination went with what site. I was also running the risk of someone being able to access multiple accounts if just one database was cracked or user:pass combo intercepted/divined. If someone was able to determine the username and password for an EVE Online forum, they may be able to get into my stock trading site account (not an actual example). I wanted to diminish the number of shared passwords I had on different sites, and keep track of all my usernames and passwords. After some preliminary research on the Ars Technica forums, I selected KeePass.

KeePass is a free program for Windows. There are other unofficial versions, such as PalmOS and Linux/MacOS. The application has a lot of security features I won’t get into here, but some of the ones that impressed me was the use of Rijndael and Twofish encryption algorithms and that the entire database was encrypted, including site URLs and usernames, not just the passwords. I have come to appreciate some of the other security measures KeePass employs, such as keeping a password copied to the Windows clipboard for one paste only.

Protecting the whole shebang
I have KeePass configured to require both a password and a license key file in order to access my user/pass database. By following the security approach of “what you have” and “what you know,” I hoped that someone plopping down on my computer wouldn’t have full access to all of my accounts. If I were really serious, I’d put the license file on a USB drive and keep the USB drive with me at all times. For now, it’s stashed somewhere on my network.

http://gallery.drfaulken.com/d/2668-2/login.gif

What does =zYP#/C89*8N6:I7 mean to you?
Fuck if I know, but that’s a random password KeePass generated for me. Sure beats your wife’s birthday or your kid’s social security number for a password. I used KeePass’s built-in random password generator to make new passwords for each site I visit.

http://gallery.drfaulken.com/d/2673-2/random_password_options.gif

Random like a tweener on Mall Night
KeePass allows you to select the components of your password, such as special characters, spaces, and whatnot. You can also specify the length of the password, which is very helpful. I wish there was an option to set sub-parameters, such as “must have at least x amount of numbers,” but so far every random alphanumeric password generated by KeePass has included at least once number.

You generate random passwords by mashing different keys on the keyboard, or by mousing around randomly. I prefer the mouse method, as I feel like it is more random and more quiet than the keyboard method. I found myself hitting the same patterns of keys over and over again, “lakjsdf08asdfjasldkvjaosdf0as8df09asdjfloajsdf0a8d0f8” for example, which has a fair number of home-row keys.

http://gallery.drfaulken.com/d/2671-2/random_password_input.gif

You can also set expiration length and other options with KeePass. I am only using a small subset of what KeePass can do for you, there’s a lot more functionality to explore.

Living with a password management program
It has been easier living with KeePass than I originally anticipated. I expected to have to enter my master password and locate the key file every five minutes to log into stuff. In reality, I mostly only sign in once and my status is set by a cookie. For example, I signed in once to Ars Technica and I’m good to go until I log out (which is never) or try to sign in from another computer. I don’t mind re-entering my information to KeePass so I can access my financial institutions. I don’t look at them often enough for it to be a big deal.

One of the neat things about KeePass is that it can automatically fill in your username and password on a Web site and then logs you in. Well, most of the time. KeePass plays nicely with Wachovia, but doesn’t like Discover. I think the application relies on standard form naming conventions, and if a site’s underlying Web code doesn’t use “username” and “password” accidents will happen (just a guess). KeePass only gets my Chase account’s password correct; the username field is left blank and my login fails. Sometimes the password gets pasted into a search box in Firefox — it’s interesting to see what Google comes up with for =zYP#/C89*8N6:I7. You can choose to copy your username or password manually from KeePass, so don’t sweat if the autocompletion doesn’t work for you.

The thing that surprised me the most wasn’t related to KeePass at all: about a half dozen or so sites don’t allow you to change your password! What a weird “feature.”

I have been using KeePass for about three weeks now, and have been very pleased. The application itself seems rock solid; no bugs or crashing to report. Aside from the aforementioned “force X type of character” requirement, I can’t think of anything else I’d like KeePass to do. If you’re looking for password management or better password security, give it a download.

KeePass, I encrypt
Five out of five STFU mugs!

full STFU mug full STFU mug full STFU mug full STFU mug full STFU mug

Related posts:

Posted in: review

3 Comments on "Keeping passwords on lockdown"

Trackback | Comments RSS Feed

  1. Seeyo says:

    In reality, I mostly only sign in once and my status is set by a cookie. For example, I signed in once to Ars Technica and Iā€™m good to go until I log out (which is never) or try to sign in from another computer.

    I typically followed this same usage pattern, though now I’ve pulled back a bit due to fears of XSRF attacks. Having been a developer for as long as I have, I don’t trust the developers of other sites to protect me from these types of attacks. Now I try to make sure I log out of any application of importance (banks, email, etc) before browsing around the web.

  2. BushPutin says:

    I’ve been using KeePass for a while now. I love this program, though it needs to have a WebDAV type of client/server model for efficient office sharing (department only)….yada yada yada, etc., etc., etc…..

  3. Bond says:

    šŸ˜› I was telling you about this free app a few months back! I use it every day since I have to store tons of client passwords for everything from DNS sites, web servers, to 3rd party admins. It’s a great tool.