KeePass and Eating Your Own Dog Food

July 21, 2016

For a while now the information security community has been griping about the need for better passwords. The idea is that the longer and more complex a password is, the harder it becomes to guess or crack, and therefore the more secure the system. Like other information security professionals, I too have been pushing this agenda. But I realized something recently. I preach about having strong, complex, and unique passwords for every system, and while I follow this practice at work, I do a really poor job with all my personal accounts.

I decided it was time to ‘eat my own dog food’ and take my personal password security to the next level by using KeePass.

If you desire, you can find lots of comparison articles of all the different password management solutions that exist, so I’m not going to dive into that here. I’m going to walk through why I chose KeePass and how I set it up to work best for me.


KeePass

I chose KeePass for the following reasons:

  • Open source
  • Local Database
  • Password Generator
  • Multi Platform

KeePass is open source, which is important when considering cryptographic solutions. A good cryptographic solution should stand strong even if you know its inner workings. If a vendor or provider is hesitant to pull back the curtain and show you how their encryption or security works, run for the hills. Security through obscurity is a fundamental fallacy of security.

Another key reason I chose KeePass was because the credential data is stored in a local database. Some other solutions shoot your credentials off to a server on the internet for later retrieval. While this makes things flexible and available, it worries me a bit when considering the data is my username and password. Even though the information is encrypted, if for some reason it becomes vulnerable, it’s nice to know I’m in full control of the data. *straightens tinfoil hat*

One thing I really like about KeePass is its password generator. It will generate a password of random letters and characters that is really hard for a computer to guess, and hard for humans to remember if they don’t use a password manager. (XKCD) Lucky for us, we have password managers.
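As an added illustration (not part of the original post or of KeePass itself) of why a generated password is so hard to guess, the Python below draws characters with the operating system's CSPRNG and compares the entropy of generator output against a short password and an XKCD-style passphrase. The 94-character set, the 2048-word list size and the guess rate are assumptions chosen for the comparison.

```python
import math
import secrets
import string

# Assumed character set: ASCII letters, digits and punctuation (94 symbols).
# KeePass's own generator lets you choose the set; this is just an illustration.
DEFAULT_CHARSET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, charset: str = DEFAULT_CHARSET) -> str:
    """Pick every character with secrets (CSPRNG), never random.random()."""
    if length < 1 or not charset:
        raise ValueError("length must be >= 1 and charset must be non-empty")
    return "".join(secrets.choice(charset) for _ in range(length))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a uniformly random string: symbols * log2(alphabet size).

    Works for characters drawn from a charset and for words drawn from a
    word list alike, so it covers both the generator and the XKCD passphrase.
    """
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try the whole keyspace at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for a capable offline attacker
    cases = {
        "8 random chars (94 set)": entropy_bits(94, 8),
        "4 words from 2048 list": entropy_bits(2048, 4),
        "6 words from 2048 list": entropy_bits(2048, 6),
        "20 random chars (94 set)": entropy_bits(94, 20),
    }
    for label, bits in cases.items():
        print(f"{label:26s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.3g} years")
    print("sample generator output:", generate_password(20))
```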

Lastly, I chose KeePass because it is cross-platform. As a lover of all different flavors of devices (OS X, Windows, Android, *nix), being able to access my credentials on all of them is important. At the bottom of this blog post is a list of the different implementations of KeePass I use for each platform.

Setup

Setting up KeePass is pretty straightforward. I was working from my Mac at the time, so I set up my credential database using KeePassX. We create a database by selecting ‘New database’ from the ‘Database’ menu.


We are now prompted for a password for this database. This password is the master key and is what will be used to encrypt and decrypt the database. Make sure it is a strong password that you will remember! Additionally, a key file can be added for extra security.


The credential database is now created and we can add some credentials to be stored. We make a new entry by clicking the ‘new entry’ icon.


Now we can set a title, username, and password for the entry. There is also a spot for a URL, which is handy for websites, and a general notes section. If you click the ‘Gen.’ button next to the ‘Password’ field, it will reveal the password generator dialogue. From here you can specify some things, but I typically just leave the defaults. Click ‘Accept’ and it will populate the password field with the newly generated password. If you do not want to use a generated password, you can just enter your own password instead.


After that you can click ‘Ok’ and your credentials will be added to the database. Now we need to save the database, which we can do by clicking the save button.


Now that the database is saved, we can retrieve our username or password by right-clicking our entry and selecting “Copy username” or the like. This will add the given attribute to our system’s clipboard. It can then be pasted into whatever application it needs to be. This is not only quick and handy, but it can prevent shoulder surfing of passwords, since the password is never seen nor typed.

That’s it! We are now up and running with KeePass. The database is stored as a .kdbx file. This file contains our credentials and is encrypted with the master password set when we created the database. We can now move this .kdbx file to any device on which we want to have access to the credentials. Once it is on a device, we can use a KeePass implementation to open and decrypt the database using our master password.

The simplest and easiest way to move the .kdbx file around is using physical media, like a flash drive. However, this can be a pain. File syncing services such as DropBox and Google Drive can be used, but that is a bit scary considering the database contains your credentials. Even so, I still think this is better than a cloud-based password management solution, since you still control the data at the end of the day. That being said, I use DropBox to sync my database around. It works great except for one little trick on Android. When selecting a .kdbx database on Android, you can’t directly choose the .kdbx out of DropBox. DropBox mangles the database when you do this and you won’t be able to open it. The solution is to “Export” the .kdbx out of the DropBox app to the Android file system and then select the database off the file system.

Here are the implementations of KeePass I use on my various devices:

  • OS X = KeePassX
  • *nix = KeePassX
  • Windows = Official KeePass v2
  • Android = KeePassDroid

I’ve been using KeePass for a little bit over a month now and I’m loving it.

Thanks for reading!