Thursday, February 12, 2009

Managing passwords with KeePass and KeePassX

When it comes to password protecting their digital lives, most people do a rather poor job. In my experience, the typical user will have a few passwords and some slight variations of them that they will use for just about all of their password needs. For a long time, I was like this too. This is a bad idea. In case you're not sure why, think about what would happen if one of your few passwords became compromised. How many accounts would that one password unlock? The correct answer should be one, but for most people, that answer is many.

A recent incident in which the job search website Monster.com was hacked illustrates how passwords can and do become compromised despite a user's efforts to keep them safe. Here is a link for the first incident, here is the link about the most recent incident, and here is Monster's explanation of the incident.

Enter KeePass. KeePass is a free and open source encrypted password database. When you fire it up, it prompts you to create a new database, which you can store wherever you like and name whatever you'd like. All KeePass databases have the .kdb file extension. Every time you open KeePass, it will auto-open the last opened database, a setting you can turn off if you want (but I love it). Each KeePass database is protected by a single master password that unlocks it. Now all you need to remember is one strong password for your KeePass database, and you can store all the rest of your passwords in there. The database is encrypted using AES, which makes your master password the weakest link in its security.

KeePass is a Windows-only application, but there is a related project called KeePassX that has precompiled packages for Windows, OS X, and Linux. Both projects use the same .kdb files. KeePass is also available as a portable Windows application. This means that your password database is completely portable across just about any operating system you'll come across. You can even sync your database across multiple computers, as Lifehacker suggests, using a service like Dropbox or Syncplicity. Now there's no excuse for using either weak or redundant passwords.

I started using KeePass last year to keep track of my passwords. There are some services I use whose passwords I remember and there are some I have to look up every time. This is something I'm okay with because it means the passwords I use are strong ones. When I bought my Mac I started using KeePassX on it and the transition was completely seamless. Now I can move my password database back and forth between my Mac and my Windows computer and access my passwords just as easily in either operating system.
