Friday, March 02, 2007

Gimme KeePass!

Following up on my recent post, OpenID Is Not For Me, here is a better solution...

If you are like most people, you have a default user name and password combination that:

  • You can easily remember
  • You use almost everywhere to log on to computers, networks and web sites.

You may also have a post-it note somewhere with user names and passwords that you cannot remember because they are different than your default combination.

Few people do what the experts recommend:

  • Use "secure" passwords (long strings made up of upper and lower-case letters, numbers, and special characters).
  • Use different passwords to access different networks, different services and different hosts.
  • Change your secure passwords regularly.

Here is a solution that I designed to get me on the path of goodness and righteousness. I have been using it for a few weeks now, and I am prepared to recommend it to you. Here's how it works for me...

  • I got a U3 USB flash drive which I keep on my key ring, so I always have it handy.
    • U3 allows a flash drive to store and, when plugged into any Windows PC, securely run applications -- without leaving a trace of data on the host computer. For more info, see http://www.u3.com/.
  • I loaded KeePass on the U3 drive. Here is how I installed it:
    • Download the Windows Keepass 1.06.U3P file from here: http://keepass.info/download.html.
      • Save it to your hard disk.
      • It saves as KeePass-1.06.zip. Rename it to KeePass-1.06.u3p.
      • Start the U3 Launchpad from the System Tray.
      • Select Add Programs, then Install from My Computer.
      • Browse to find KeePass-1.06.u3p.
      • Click Open and the Windows version of KeePass is installed in the Launchpad of the U3 USB flash drive.
    • If you need access to your passwords and data on non-Windows platforms (Mac & Linux), like I do, download KeePassX from here: http://keepassx.sourceforge.net/downloads/.
      • I got the Application bundle (I need the Linux functionality only).
      • Save it to your hard disk, unpack it and copy the KeePassX folder/directory to the /media/usbdisk/ location (NOT the media/U3 System/ location).
      • To run KeePassX from the flash drive, navigate to the KeePassX folder and run the shell script.
  • Create a new database and start changing your passwords!
    • Use KeePass (i.e., the Windows version) to initially create your password database. The default KeePass database categories were a little better for me than the default categories in KeePassX.
      • It doesn't matter which version you use to create (or update) a database: a database created with either interoperates with both KeePass and KeePassX.
    • Different web sites, hosts and services have different conventions regarding acceptable passwords -- the allowable character set (e.g., upper and lower-case letters, numbers, and special characters), password length and password complexity. Use the random password generator, setting it to be as long as allowed and using the largest character set allowed.
    • When adding user names and passwords for web sites, put in the URI for the https: login page, so you can jump from the database entry to the place where you will paste your new password.
      • This will save you having to drill down to the log in page.
  • Here are a couple of other recommendations:
    • Don't save your KeePass database to a USB flash drive only. You need to have a backup copy to protect yourself in case the drive is lost or broken.
      • Keep a copy of the database on the hard disk of your PC and remember to update the copy periodically.
    • I selectively let my home and office PCs remember user names and passwords, so I am not always having to go to my KeePass database.
      • The issues here are the probability of unauthorized access of those machines and the potential harm that could come from anyone accessing the sites/services as me.
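To put the password-generator advice above into practice, here is an added Python example (not from the post and not KeePass's own generator) that models a site's policy as a maximum length plus the character classes it permits, generates a random password that uses the full length and the largest allowed set, and checks the result; the policy model, the special-character list and the helper names are assumptions made for this illustration.

```python
import math
import secrets
import string

# Character classes a site policy may allow or require (assumed model).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",  # constructed set; sites vary
}
ALL = ("lower", "upper", "digit", "special")


def generate_password(max_length, allowed=ALL, required=None):
    """Random password as long as the site allows, drawn from every
    class it permits, with at least one character from each required class."""
    required = list(required or allowed)
    if max_length < len(required):
        raise ValueError("length too short to satisfy required classes")
    pool = "".join(CLASSES[c] for c in allowed)
    # One guaranteed character per required class, rest from the whole pool.
    chars = [secrets.choice(CLASSES[c]) for c in required]
    chars += [secrets.choice(pool) for _ in range(max_length - len(chars))]
    # Fisher-Yates shuffle with the CSPRNG so required chars have no fixed slot.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def check_policy(password, max_length, allowed=ALL, required=None):
    """True if the password fits the length cap, uses only permitted
    characters, and contains every required class."""
    pool = set("".join(CLASSES[c] for c in allowed))
    if not 1 <= len(password) <= max_length or not set(password) <= pool:
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in (required or allowed))


def entropy_bits(length, allowed=ALL):
    """Bits of entropy for a uniformly random password of this length and pool;
    shows why 'as long as allowed' and 'largest set allowed' both matter."""
    pool_size = len(set("".join(CLASSES[c] for c in allowed)))
    return length * math.log2(pool_size)


if __name__ == "__main__":
    bank = ("lower", "upper", "digit")  # constructed example: letters and digits, max 12
    print(generate_password(12, bank), round(entropy_bits(12, bank), 1))
    print(generate_password(64), round(entropy_bits(64), 1))
```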

You are ready to go now. You can take your U3 USB flash drive to almost any Windows or Linux PC, plug it in and access your services, hosts and web sites safely and securely. All your passwords can now be random and highly secure. And you can change them frequently, like you are supposed to do.

Go forth in the path of goodness and righteousness!

9 comments:

bgold said...

If you lose that USB drive, you're screwed.

Marco said...

John,
KeePass combined with a U3 USB flash drive is a nice solution, but I believe that a well designed online password manager has significant advantages: ubiquitous access, no risk of losing your USB drive, automated login, ...

Take a look at Clipperz, a new online password manager where you can do way more than simply storing your passwords. It's free and completely anonymous.

Clipperz lets you submit passwords and confidential information into your browser, but your secrets are locally encrypted by the browser itself before being uploaded to Clipperz.

The key for the encryption process is a passphrase known only to you.
Clipperz simply hosts your sensitive data in encrypted form and could never actually access the data in its plain form.

Of course, I'm badly biased in recommending Clipperz, since I'm one of the developers! :-)

Marco

John Redmond said...

Marco,
Thanks for your comment. I took a look at Clipperz, and I liked what I saw. I'm not ready to give up on KeePass-on-a-stick, however.

The main hangup I have is that I do not know you, so I don't want to trust you with my important data. I know you cannot steal the data. But what if your company goes out of business or your ISP shuts down or you forget to renew your domain registration... I could be in big trouble if I cannot access my data.

As for automated login, my online bill payment service tries to do this for me too (so I can check balances). I've found that it is not easy to set up each login. Furthermore, companies frequently change their login processes, breaking the automated routine. And more and more companies are using 2-factor authentication and dynamically creating login pages in different situations.

I've stopped using the automated login on my bill payment service. To check balances, I use KeePass instead, copying usernames and passwords from KeePass and pasting them in the appropriate login page.

I am not afraid of losing my USB stick. I've got it on my keychain, which I keep close track of. More likely, the USB stick will fail. In that event, I have a backup of my KeePass database.

Thanks again for your comment. - John

Marco Barulli said...

John,
I will try to answer some of your points

You said: "what if your company goes out of business or your ISP shuts down or you forget to renew your domain registration ... I could be in big trouble if I cannot access my data."

This was one of our concerns from the very beginning. To solve the problem we developed the "offline copy" feature.

With just one click you can dump all your encrypted data from Clipperz servers to your hard disk and create a read-only version of Clipperz to be used when there is no Internet connection.

The read-only version is as secure as the read-and-write one and will not expose your data to higher risks since they both share the same code and security architecture.

And of course you can move your offline copy to a USB stick. Read more here.

With regard to automated login you said:

"it is not easy to set up each login"
"more and more companies are using 2-factor authentication and dynamically creating login pages in different situations."

Did you try our bookmarklet? Creating new cards and new "direct logins" is really easy and quick.
While it is certainly true that direct logins are not always possible, they are quite convenient even for a subset of online accounts.

Read more about direct logins.

Best regards,
Marco

Jamie said...

Just a quick comment - I'm another recent Keepass devotee and have found it fantastic. I use it on a USB stick in exactly the same way that you do. The backup part is incredibly important though - those sticks are lost so easily.

I use a little batch script with these two commands and run it every now and again from the memory stick, just to make sure everything (including the Keepass database) is secure:

mkdir c:\FlashBackup
xcopy /S \*.* c:\FlashBackup\

Didn't know about the KeePassX though! Thanks for that!

Happy Linux Guy said...

I've been using keepass for a while now. It's great. It's included in the repositories for ubuntu. Plus, it's cross platform and open source. Can't beat that. The only thing they need now is to enable multiple user access, with permissions.

DStrout said...

A slightly more up-to-date version of KeePass for U3 that is being actively maintained can be found at:
http://www.u3applications.com/apps/keepass

rax said...

Hundreds of millions of USB flash drives are currently in operation around the world, with the vast majority not offering proper encrypted flash drive