You MUST get this software!!!!

J. B.
2011-09-13
2013-09-05
  • J. B.
    2011-09-13

    Sometimes I tone down my enthusiasm, which can be infectious, but can also be off-putting.

    But I was recently asked about the KeePass product, and after re-reading my reply I realized that a blasé, two-paragraph note really doesn't do this product justice.

    So, mostly unedited, find attached my sermon about KeePass and password security.

    It isn't the right product for everyone, but it's perfect for me, and people like me.  So in the case you might be one of those, this is for you.  I was asked "Do you recommend KeePass for personal use", and *I* said…

    ____________

    Do I recommend this for personal use?  ABSOLUTELY!  In fact, it was my use of it personally that led me to believe it's ready for prime time in the "business" setting.

    But temper my comments with a grain of salt - I am a KeePass bigot of the worst sort, which you will quickly see.  :-)

    I long ago figured out that there's rarely a right or wrong with software; it's usually about tradeoffs and personal values.

    I finally "got religion" when I had a Gmail account get hacked.  I had been using the same user ID and password (or small variants) for YEARS, and I suddenly was SHOCKED to realize how vulnerable I was.

    So I started investigating a number of solutions.  The single biggest concern for me is putting all my eggs in one basket on one hard drive.  But I've always been terribly lazy about backups.  So I was very interested in solutions that used the cloud.  I enter a password on my laptop, and instantly, no matter what computer I log in to, my password is available there.

    But I quickly started getting nervous about my cloud database getting hacked, which would be MUCH more catastrophic than having an email account get hacked.

    Also, a number of the cloud providers make noises about encryption over the wire, but can't ensure that your information is secure once it REACHES its cloud destination.

    Then I discovered DropBox, and it was love at first "site".  The problem was, how to use it effectively. 

    And that's where KeePass came in.  I had known about it for a while, but it was cumbersome to have to manage a copy on a thumbdrive, a version on each computer, and to sync them all.

    Dropbox + KeePass = a marriage made in heaven.

    KeePass is produced by someone who is as passionate about security as I am about hot fudge sundaes.  His code is COMPLETELY open sourced and heavily vetted by a number of sources.  More important, he's been around for a long time, and the product is extremely mature.  He has a plug-in architecture for the product, and there are a variety of add-ons for capabilities like import and export to and from every format imaginable (another very important consideration for me, that many solutions don't cover adequately).

    Moreover, a few zealots have hitched their wagons to his rising star, and the result is a product suite that can do just about anything for anyone.

    The key is that the easier a tool is to use, the less secure it is.  So you have to have reached a place where you are ready for committing to real security.  Once you do, I honestly think that after you consider the alternatives, you'll end up here, or at least with a product that is philosophically similar.

    Here's how I do it.

    I have a local KeePass database on my hard drive.  On all my computers.  The database is configured to take advantage of a feature of KeePass that requires you to provide a key FILE, as well as a password to access it.  The key file can be anything, and the product can generate a high entropy one for you if you like.  The KeePass database resides in places that I need easy access to my passwords.

    I also have a DropBox directory on these machines.  Some people don't like the DropBox model, which creates a specific DropBox directory, but it's perfect for me.  I don't want to mirror half my hard drive.  I have a handful of specific files I store there, one being a copy of the KeePass database.

    But I never use that one directly.

    After I make changes to my local database, I then use an incredibly powerful feature of KeePass that does record-based synchronization between the "local" and the DropBox databases.  DropBox synchronizes its copy with the one in the cloud, and in turn the ones in the DropBox directories on all my other machines.

    But the key to my strategy is that although I have the key file on my local hard drive, I DON'T have a copy in DropBox.  If someone attempts to access my information, they have to crack DropBox's security (I coincidentally have a strong, 20 character password for DropBox that … I store in KeePass!), then they have to guess my very long, very secure KeePass database password (the site http://howsecureismypassword.net/ says it will take 3 trillion years to break it), and THEN they have to somehow obtain a copy of my key file.

    Could the CIA get in if they wanted to?  Sure.  Do I care?  No.  Little Johnny next door will NOT be getting my Warcraft account info in this, or several more lifetimes.

    As for the posse of KeePass add-on developers, one guy has created something called KeeFox.  It's an add-on for Firefox that uses the KeePass database for auto filling in forms, password dialogs, etc.  It recognizes form fields and URL matches, and will automatically fill things in correctly 99% of the time.  And since this uses Firefox for filling in the fields, there is no risk for key loggers, etc.

    For those cases that you need to fill in a password for something that isn't browser based, KeePass can also "autotype" using keyboard emulation, and has a very robust scripting dialog for navigating even the most complex forms.  It even has something called TCATO - two channel auto-type obfuscation - where it securely alternates between copy/paste and cursor movement to further confuse keyloggers.

    There is a forms package, if you want to define your own password data collection.  Some sites have multi-level security, needing not only your username and password, but your email, security questions, or a host of other information.  KeePass allows custom field creation, and the form manager lets you package and query for them attractively.

    The product is under active development, the developer is EXTREMELY responsive, and new plug ins come out all the time.  It's available on Linux, Mac and Windows, and there are apps for about every smartphone around.

    So, how much do I trust it?  Well, the last time I looked, I had over SIX HUNDRED entries in it!  Unbelievable, even to me.  Moreover, you can put ANYTHING in it.  Nominally, it's structured for password generation, storage and retrieval, but you can store images, text files, word documents - ANYTHING.  I have all manner of product information, for example for my TIVO, Blockbuster and Netflix account information.  I need all this information in one place to add a service.  But I also store PDF help files, pictures, emails, you name it.  Anything I consider of value that I cannot afford to lose.

    I would literally be lost without my KeePass database, but I don't fear that anything will happen to it.  KeePass is available in portable form, so I have USB thumbdrives with the database and a copy of the software safe with relatives and in lockboxes.

    KeePass gives me a sense of security I haven't found in any other product. 

    Here’s a link to the KeePass plugin page:  http://keepass.info/plugins.html

    As you can see, the plugins are tagged as to which version they work with.

    Version 1.X has fewer features, but is more portable.  Version 2.X is feature rich, but requires .NET.

    The single BIGGEST reason I require 2.X is the synchronization.  It is seamless and flawless, and my cloud strategy demands that.  There are plugins to do synchronization for the 1.X product, but the 2.X sync is too perfect not to take advantage of, since the record level synchronization ensures you CAN’T lose data from a synchronization.

    And even if you DID worry about that, the 2.X product features a history capability, sort of like SVN revisions or Oracle’s flashback.  You can always get back to a previous version (or purge the history if you don’t care for the baggage).  The product provides the single most important element of any security product, and that is “peace of mind”.

    That said, it's not for everyone.  It’s far too complex for my wife to use comfortably, even though she’s relatively facile with a computer, and not everyone embraces my passion for security. 

    But what I’ve found with KeePass, Dropbox, Evernote, Toodledo, and a handful of other technologies is that I now don’t worry about “losing” anything.  I’ve ground up a lot of hard drives in my time, to the extent that I don’t trust computers as far as I can throw them.  But technologies are starting to fill in those gaps if you’re willing to take the time and do the research, and I honestly sleep better at night knowing I have these tools working for me.

    A couple more KeePass related things you might find interesting:

    http://keefox.org/
    http://keepass.info/plugins.html#ffimport
    https://addons.mozilla.org/en-US/firefox/addon/hostname-in-titlebar/
    http://code.google.com/p/kpenhancedlistview/
    http://sourceforge.net/projects/kpetemplates/

    And if you Google “KeePass, Roboform, Lastpass”, or things like “KeePass alternatives” you’ll find a wealth of information and points of view to help you decide which might suit your needs better.  KeePass is my be-all, end-all, but it might not be yours.  Fortunately, you have a LOT to choose from!

    I also like Toodledo for task management, and Evernote for miscellaneous storage of the few things that I prefer not to store in KeePass, but that's another "story"…

    :-)
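    The post above leans on two KeePass facts: the database key is built from a password plus a key file, and the key file never goes into Dropbox. The following is an added example (my illustration code, not KeePass's own implementation) of how such a composite key is assembled and why an attacker holding only the Dropbox copy of the .kdbx file gains nothing from guessing the password. Assumed model, matching the .kdbx 2.x scheme as far as I know it: each key source is reduced to 32 bytes, the pieces are concatenated, and SHA-256 of that is the composite key; the slow key transform KeePass applies afterwards (AES-KDF, later also Argon2) and the header master seed are left out since they do not change the argument. The key-file handling (32-byte raw, 64-character hex, otherwise SHA-256 of the file) is likewise my reading of the format, and the candidate passwords are constructed.

```python
# Added example: KeePass-style composite key from a password plus a key file.
# Illustration code, not KeePass's own. Assumed model: every key source is
# reduced to 32 bytes, the pieces are concatenated in a fixed order, and the
# composite key is SHA-256 of the concatenation. The slow key transform and
# master-seed step that KeePass applies afterwards are omitted.
import hashlib
import secrets
from typing import Iterable, Optional


def keyfile_key(data: bytes) -> bytes:
    """Reduce key-file contents to 32 bytes (assumed rules, see lead-in).

    32-byte file: used as-is. 64-char hex file: decoded. Anything else
    (an image, a PDF, a generated file of any size): SHA-256 of the bytes.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except ValueError:  # UnicodeDecodeError is a ValueError subclass
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile_data: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated 32-byte pieces: password hash, then key file."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile_data is not None:
        parts += keyfile_key(keyfile_data)
    if not parts:
        raise ValueError("at least one of password / key file is required")
    return hashlib.sha256(parts).digest()


def generate_keyfile() -> bytes:
    """A high-entropy 32-byte key file, the kind KeePass can generate for you."""
    return secrets.token_bytes(32)


def guess_password(candidates: Iterable[str], keyfile_data: Optional[bytes],
                   target: bytes) -> Optional[str]:
    """Offline dictionary attack against a leaked database's composite key.

    Simplification: a real attacker checks candidates against the database
    header rather than a bare key, but the key-space argument is identical.
    Without the right key file every candidate fails, including the correct
    password, so the Dropbox copy alone is not enough to start guessing.
    """
    for pw in candidates:
        if composite_key(pw, keyfile_data) == target:
            return pw
    return None


if __name__ == "__main__":
    kf = generate_keyfile()               # stays on the local disk only
    key = composite_key("correct horse battery staple", kf)
    wordlist = ["hunter2", "correct horse battery staple"]  # constructed
    print("composite key:          ", key.hex())
    print("guess with key file:    ", guess_password(wordlist, kf, key))
    print("guess without key file: ", guess_password(wordlist, None, key))
```

    Note what the last line of the demo shows: with the key file missing, even the right password is a miss, so the password's "3 trillion years" figure is the attacker's starting point only after the key file has been obtained as well.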

     
  • Frodo Baggins
    2012-01-06

    I totally agree, KP and the developers are wonderful. I also host my KeePass DB on DropBox and a key file… "elsewhere." ;)

    Having KP encouraged me to use strong passwords for everything and I have tried to convert others.

     
  • Jeb, you should seriously change your password asap…

    then they have to guess my very long, very secure KeePass database password (the site http://howsecureismypassword.net/ says it will take 3 trillion years to break it),

    Now that they have it, it takes some fractions of a ms…

     
  • Louis Lafleur
    2012-01-16

    I'm probably being dense here, but I don't understand the enthusiasm of using KeePass with DropBox.  The reason I use KeePass is to have all my passwords stored on my PC's and not placed on the Internet.  If I was willing to use online storage for my passwords, why wouldn't I simply use LastPass?  It is very highly rated and seems to plug into browsers better then does KeePass.  What am I missing?

     
  • GreenLED
    2012-01-17

    I was going to post a whole long speech on why I absolutely agree with louislafleur, but I just said, nah. Anyhow, I've posted what I would have said below . . .

    I could write pages about my enthusiasm (and I probably will), but storing your password database ONLINE in my humble and experienced opinion of over 10 years in IT is probably not the smartest thing you could ever do. Just the very thought that someone has the bits that contain my LITERALLY database of passwords makes me want to shoot myself in the foot. Why would you armor plate a shiny new tank with top secret armor and then put that tank in the middle of an atomic test site? I don't get it.

     
  • Frodo Baggins
    2012-01-17

    KeePass database is encrypted. Dropbox never has your cleartext passwords. While LastPass does.
    n.b. Dropbox is fine unless you this AES is broken. KeePass is for convenience, not security.

     
  • Frodo Baggins
    2012-01-17

    Unless you *think

     
  • Frodo Baggins
    2012-01-17

    It's up to each person to decide their level of comfort. Also, WMP does its calculations in local javascript.

     
  • bltkmt
    2012-04-03

    I am just now trying the KeePass + Dropbox combination and am confused about the synchronization aspect.  My thought was to simply keep my .kdbx file in Dropbox and have each of my PCs load the database file automatically at Windows startup.  Can the file be opened by two PCs simultaneously?  What am I missing here on how to set this up optimally?

    Thanks.

     
  • wellread1
    2012-04-03

    If you do not make a lot of changes to your KeePass database then keeping your .kdbx file in a local Dropbox synced folder can work.  However, because Dropbox cannot sync changes inside the .kdbx file, users on different PCs that make and save changes simultaneously (i.e. before Dropbox can complete its sync procedure to each user's local Dropbox folder) will create a file conflict that Dropbox cannot resolve.  In that case the user that finished the upload to the Dropbox server first "wins".  Dropbox will make a copy of the "loser's" .kdbx file but it is up to the user to manually reconcile the differences.  See https://www.dropbox.com/help/36 for what happens when conflicts occur on Dropbox.

    To reduce the possibility of such conflicts, it is better to save a copy of the .kdbx file in a local un-synchronized working directory for daily use on each computer.  Also place a copy of the .kdbx file in the local Dropbox folder of each computer.  When you need to synchronize the two PCs use the KeePass synchronize feature to synchronize your local copy to your local Dropbox copy.  KeePass can merge changes inside the .kdbx file, which is then synchronized via Dropbox to the second user's .kdbx file in their local Dropbox folder.  The second user can merge these changes in the Dropbox .kdbx file into their local .kdbx file by performing a KeePass sync.

    Using this setup dropbox conflicts will be reduced substantially.  However, dropbox conflicts will still occur when both PC users synchronize their local copy with their local dropbox copy at the same time (from dropbox's perspective).  The conflicts will be less frequent because most users will synchronize less often than they save. Thus the frequency of potential conflicts is substantially reduced.

    A variant of the above conflict occurs when one (or both) user is disconnected from the dropbox servers but both users synchronize their local dropbox copy.  This conflict can be avoided completely by not using the KeePass synchronization feature when disconnected from dropbox (e.g. when disconnected from the internet).  Upon reconnection, and after the first successful dropbox sync., the user (who was previously disconnected) can safely use the KeePass sync to merge all of the changes in the updated dropbox copy with their local working copy. Changes that that user had made while disconnected will also be merged with the dropbox copy and propagated to the other PC user's working copy (after the user performs a KeePass sync).

    Most people with this setup who perform a KeePass sync between their working copy and the dropbox copy once a day, and who sync just before disconnecting from dropbox, will find they have an adequately up-to-date copy of their passwords and will rarely encounter dropbox file conflicts.

    -wellread1
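    To make the difference between the two kinds of synchronisation concrete, here is an added simulation (my own illustration, not KeePass's or Dropbox's code) of the workflow in the post above and the conflict it avoids. Assumed model: a database is a dict of entry id to {title, password, modified, history}; a whole-file sync has no notion of entries and simply keeps the later upload; a record-level merge takes, for each entry, the copy with the newer modification time and keeps the older copy in that entry's history. The machine names and entries are constructed.

```python
# Added example: record-level merge versus whole-file overwrite.
# Simulation only, not KeePass's or Dropbox's code. Assumed model: entries
# are dicts keyed by id; on merge the newer-modified copy of each entry wins
# and the older copy is appended to that entry's history list.
from copy import deepcopy
from typing import Dict, Tuple

Entry = Dict[str, object]
Database = Dict[str, Entry]


def file_level_sync(uploaded_first: Database,
                    uploaded_second: Database) -> Tuple[Database, Database]:
    """Whole-file sync: the later upload becomes the shared file, the earlier
    one is set aside as a "conflicted copy" for a human to reconcile by hand."""
    return deepcopy(uploaded_second), deepcopy(uploaded_first)


def _snapshot(entry: Entry) -> Entry:
    """Copy of an entry without its own history, for storing as a history item."""
    return {k: v for k, v in entry.items() if k != "history"}


def record_level_merge(local: Database, remote: Database) -> Database:
    """Merge remote into a copy of local, entry by entry, newer-modified wins."""
    merged = deepcopy(local)
    for eid, rentry in remote.items():
        lentry = merged.get(eid)
        if lentry is None:
            merged[eid] = deepcopy(rentry)           # entry only exists remotely
        elif rentry["modified"] > lentry["modified"]:
            newer = deepcopy(rentry)                # remote edited it later
            newer["history"] = list(lentry.get("history", [])) + [_snapshot(lentry)]
            merged[eid] = newer
        # otherwise local is at least as new: keep it untouched
    return merged


def scenario() -> Tuple[Database, Database, Database, Database]:
    """Two machines change different entries before either has synced.

    Returns (laptop, desktop, dropbox_file, merged).
    """
    base: Database = {
        "gmail": {"title": "Gmail", "password": "old-gmail", "modified": 1, "history": []},
        "bank":  {"title": "Bank",  "password": "old-bank",  "modified": 1, "history": []},
    }
    laptop = deepcopy(base)
    laptop["gmail"].update(password="new-gmail", modified=5)
    desktop = deepcopy(base)
    desktop["bank"].update(password="new-bank", modified=6)
    desktop["vpn"] = {"title": "VPN", "password": "vpn-pw", "modified": 6, "history": []}

    # Dropbox-style: laptop uploads first, desktop second. The desktop file
    # wins and the laptop's Gmail change survives only in a conflicted copy.
    dropbox_file, _conflicted_copy = file_level_sync(laptop, desktop)

    # KeePass-style: merge the copy that arrived via Dropbox into the laptop's
    # working database. Both edits survive, and the old bank password is kept
    # in that entry's history.
    merged = record_level_merge(laptop, desktop)
    return laptop, desktop, dropbox_file, merged


if __name__ == "__main__":
    _, _, dropbox_file, merged = scenario()
    print("whole-file sync, gmail:", dropbox_file["gmail"]["password"])
    print("record merge, gmail:   ", merged["gmail"]["password"])
    print("record merge, bank:    ", merged["bank"]["password"],
          "history:", [h["password"] for h in merged["bank"]["history"]])
```

    The merge is also safe to repeat, which is what makes the "sync once a day and again before disconnecting" habit in the post above work: merging an already merged database with a copy it has already absorbed changes nothing.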

     
  • lynn alfred
    2012-04-04

    It's a great tool for personal password security. I really like it.

     
  • ambaloo
    2012-06-09

    does anyone know how to open a KeePass file that won't accept my password??

     
  • Horst
    2012-06-09

    @ambaloo
    sorry, but a working solution to your question would make a program like KeePass useless.
    The only options you have are to remember your password
    or using a backup of your Keepass file for which you still know the password.

     
  • PAccO vIruSS
    2012-06-09

    Jeb, for me it says

    It would take a desktop PC
    About 6 noventrigintillion years
    to crack your password

    I have 1024 chars password mixed case, high ANSI

     
  • Dan
    2012-06-09

    KeePass database is encrypted. Dropbox never has your cleartext passwords. While LastPass does. n.b. Dropbox is fine unless you this AES is broken. KeePass is for convenience, not security.

    LastPass does not have any cleartext passwords. Not only that, but they have no way to decrypt them. The decryption happens entirely on your local machine. Doing the decryption requires your clear text master password which LastPass doesn't have.

     
  • develop1
    2012-06-10

    Cacophony - I think what was meant by cleartext passwords on LastPass servers was that the LastPass business model has a security hole in it.
    The hole is because the encrypt/decrypt is performed with a codebase and algorithm written by LastPass employees, controlled by LastPass employees, and is a closed source code base known only to LastPass employees.
    Since the "encrypted" file is then stored on LastPass servers, it's possible that what customers think is encrypted is really clear text to the evil or disgruntled employee.

    The situation is different with Keepass.
    With KeePass the encrypt/decrypt is performed by a codebase that is vetted open source.
    The process of being vetted open source ensures that a backdoor does not exist.

    It helps to know that when KeePass decrypts a .kdbx file, the clear text exists in memory only; the datafile on disk remains encrypted.
    This means even when dropbox is used, the only thing that ever reaches a dropbox server is an encrypted file.

    If Dropbox was evil, or if Dropbox had a disgruntled employee, the .kdbx file on their server would do them little good as they would have no means to open your .kdbx file.

    I am not saying that LastPass is evil, nor am I saying LastPass has disgruntled employees.
    I am saying the technical business model allows for the possibility of one or both conditions and LastPass customers would never know (until it's too late).

     
  • Dan
    2012-06-10

    Cacophony - I think what was meant by cleartext passwords on LastPass servers was that the LastPass business model has a security hole in it. The hole is because the encrypt/decrypt is performed with a codebase and algorithm written by LastPass employees, controlled by LastPass employees, and is a closed source code base known only to LastPass employees.

    No, according to their website LastPass does a 256 bit AES encryption on your local PC before anything leaves your machine. A disgruntled employee isn't going to be able to do anything with that encrypted data on their end.

    The open source model for Keepass is a little bit of a double edged sword. It can be vetted for security holes by anyone. And that includes a malicious hacker looking for vulnerabilities.

     
  • Dan
    2012-06-10

    Oh, and it appears LastPass does the local encryption using JavaScript.. How do I know? I'm reading the source code right now! All the JavaScript files are easily findable in the LastPass installation directory. The file is huge, but here's one small part:

                    // Fragment as posted (a CBC-mode block loop over 16-byte blocks).
                    // The array subscripts ([q], [x * 16 + q]) were dropped by the page's
                    // extraction and are restored here from the loop structure; fb.Prepare,
                    // fb.Cipher and fb.BytesToB64 are defined elsewhere in the same file.
                    Encrypt: function (q) {
                        var s = [],          // output bytes
                            u = [],          // current plaintext block
                            t, x, w;         // t: previous ciphertext block (or IV)
                        w = fb.Prepare(q);
                        if (w == null) return null;
                        if (w.mode == "cbc") t = w.iv;
                        for (x = 0; x < w.data.length / 16; x++) {
                            for (q = 0; q < 16; q++) {
                                u[q] = w.data[x * 16 + q];
                                if (w.mode == "cbc") u[q] ^= t[q]   // CBC chaining
                            }
                            t = fb.Cipher(u, w.round);
                            for (q = 0; q < 16; q++) s[x * 16 + q] = t[q]
                        }
                        if (w.b64) s = fb.BytesToB64(s);
                        return s
                    },

     
  • W. Schütz
    2012-06-13

    Cacophony:

    The open source model for Keepass is a little bit of a double edged sword. It can be vetted for security holes by anyone. And that includes a malicious hacker looking for vulnerabilities.

    It is wrong to believe this becomes impossible in any Non-open-source model: Even if the code is distributed compiled (and not as JS source as you found for LastPass) a person with capabilities to read assembly will be able to decode and reverse engineer the algorithm. In fact this happens every day…

    For this reason it is commonplace for applications that claim to be cryptographically secure to publish the algorithms. Thus everybody has a chance to find vulnerabilities - sure the better way compared to just some programmer implementing something and find later the developer did not understand what he was doing. There are many good samples for such shortcomings - one is the WEP algorithm used some years ago to make WiFi 'secure'.

    Even now that you found the algorithm used for LastPass: Do you have the proficiency to decide they do it in a secure manner?

    ***

    Concerning Dropbox: Dropbox does not claim to have files encrypted on their servers. For this reason I only use it for content I intend to publish anyway. If you have documents that need to be for your eyes only: Use a competing product with client-side encryption. Some brands: SugarSync, Wuala or Spideroak. Of those I think Wuala offers the advantage of not having any US-based servers (the distributed storage described in some places has been abandoned some time ago). And the Europeans are far more conservative about data protection…
    Further you may encrypt all cloud data by using one of the following products before you put them in the sync folder: SOPHOS SafeGuard Enterprise or BoxCryptor, TrueCrypt.

     
  • Dan
    2012-06-13

    Sure, I never said that proprietary software couldn't be analyzed for vulnerabilities as well. I simply don't believe that the Keepass approach is more secure than LastPass based on everything I've read.

    Could I decide the proficiency of the LastPass code I found? Probably. Do I care enough to do it with either the LastPass or Keepass code? No, as I'm sure countless others have already looked.

     

  • Anonymous
    2012-06-16

    I totally agree with jeb54321.

    The only  thing I hate about KeePass is that I have to use windows.
    I know you can use this with linux or OSX but it doesn't work like it works on windows.
    I will probably use a KeePass alternative like LastPass when I'm using another OS.

     
  • Lihy Cohen
    2012-06-18

    I'm considering how KeePass can be applied to a scenario in which you need to store customer passwords in a MySQL database on the cloud, such as Xeround's cloud database, or Amazon Relational Database Service. These are databases provided as a service, so I don't have any access to the file system on the physical machine that is hosting the data. However, the actual application is running on a cloud machine instance, where I do have access to the file system. Does it make sense to save the KeePass database on that cloud machine (which is the equivalent of Dropbox, if you will), and use KeePass to store the customer passwords? But then do I need to encrypt the passwords on their way from the application to the database? If anyone has any experience with this scenario I'll be glad to hear how it's done. I would like to use KeePass's model to encrypt those passwords, so I don't need to deal with the security within the application, but I'm not sure how it would work. Your thoughts will be appreciated.