dotEXE – KeePassX adalah salah satu software penyimpan dan generate password yang telah lama kami pakai. Software ini Free, Open source, ringan dan mudah digunakan baik di Linux maupun Windows, bahkan Mac sekalipun. Sebenarnya KeePassX sendiri dulu dirilis dengan nama KeePass/L for Linux, namun sejak porting untuk Windows sudah aktif dan massive dikembangkan, maka komunitas pengembangnya mengganti nama softwarenya menjadi KeePassX Password Safe.

KeePassX sendiri menawarkan fitur generate password dengan mudah dan aman. Generator passwordnya sangat mudah diatur ulang, cepat dan mudah digunakan. Bagi anda yang berurusan dengan generate banyak password, software ini sangat kami rekomendasikan.

Databasenya yang komplet baik itu metode enkripsi dengan AES atau Rijndael atau Twofish dengan key 256 bit sekalipun sudah ada. Selain password dan username yang bisa anda masukkan, anda juga bisa memasukkan informasi-informasi tambahan lain sesuka anda. Password yang dihasilkan oleh KeePassX sendiri kompatibel 100% dengan yang dihasilkan KeePass Password Safe.

Instalasi

Untuk distro Mandriva 2009.1 sendiri anda dapat menginstalasikan KeePassX dengan:

#urpmi keepass

Untuk versi Windows (dengan nama resmi KeePass Password Safe):

• Versi Portabel (ZIP) : http://downloads.sourceforge.net/keepass/KeePass-1.16.zip
• Versi Installer (EXE) : http://downloads.sourceforge.net/keepass/KeePass-1.16-Setup.exe

Referensi

Official Web KeePass: http://keepass.info/

KeePass (Wikipedia): http://en.wikipedia.org/wiki/KeePass

Official Project Page at Sourceforge.net : http://sourceforge.net/projects/keepass/

Una contraseña es tan importante como la información que protege. Con ellas cuidamos que nuestra información privada no se vuelva del dominio público. Todos tenemos información que proteger pero no siempre sabemos hacerlo bien.

Una contraseña es como un candado o como una cerradura. ¿Usaría usted un candado sencillo para cerrar una caja fuerte? ¿Dejaría usted la llave de su casa escondida bajo el tapete de la entrada? A veces somos así de confiados. Sin embargo, tratándose de nuestras contraseñas podemos ser aún más confiados y descuidados.

Crónica de un pequeño ataque

Yo no me considero confiado tratándose de seguridad informática. Siempre mantengo mis equipos libres de virus y spyware, tengo instaladas las últimas actualizaciones de sistemas operativos y aplicaciones, nunca utilizo equipos públicos ni ando navegando por los rincones más oscuros del internet. Y aún así hace algunos meses un anónimo hacker me dio un buen susto. Un día descubrí que alguien había entrado a una de mis cuentas de correo y que una vez adentro envió correos a toda mi lista de contactos para venderles a mi nombre no recuerdo qué producto, para luego finalizar con el borrado de esa lista de contactos a fin -supongo- de que yo no pudiera escribirles para advertirles del engaño.

Fue un ataque básico, casi infantil. Y digo ésto porque el atacante bien pudo haber causado daños mayores: aparte de haber podido borrarlo todo, pudo también haber robado mi identidad secuestrando mi cuenta; sólo tenía que cambiar la contraseña para lograrlo. En el perfil de mi cuenta de correo habían datos personales y entre ellos los nombres de otras cuentas de correo que también usaban la misma contraseña. Luego una búsqueda en Google pudo haberle revelado al atacante en qué redes sociales estoy inscrito. O bien, revisando mis correos recibidos en los que solicité la reposición de alguna contraseña pudieron darle los datos necesarios para saquear mi cuenta de Paypal, etc. El efecto dominó pudo ser devastador. Apenas me di cuenta de lo ocurrido, y de lo que aún podía ocurrir, procedí rápidamente a cambiar todas mis contraseñas.

Malas y buenas prácticas

A pesar de mis precauciones incurrí en varias de las malas prácticas de administración de contraseñas, mismas que listo a continuación:

• Utilizar una misma contraseña para las cuentas de correo, para los perfiles de Facebook y Twitter, para las agendas en línea, etc.
• Dejar contraseñas escritas en un papel bajo el teclado, en un post-it pegado en el monitor, etc.
• Utilizar contraseñas fáciles de adivinar: 1234, la serie Fibonacci, la palabra “password”, los dígitos de la fecha de nacimiento, el nombre de un ser querido, el nombre de alguna mascota, el de nuestro personaje favorito, etc.
• Usar contraseñas con sólo letras minúsculas, o sólo claves numéricas.
• Usar contraseñas cortas de 6 a 8 carácteres.
• Utilizar como contraseña una palabra cualquiera que pueda ser obtenida de un diccionario.
• No cambiar la contraseña en muchos años.

En contraste, las buenas prácticas serían:

• Utilizar una contraseña diferente para cada servicio en línea.
• Cada contraseña debe ser bien creada. Este punto lo explicaré más adelante.
• En vez de anotar cada contraseña en una libreta o en una colección de post-its pegados en nuestro espacio de trabajo, utilice un software administrador de contraseñas. Yo recomiendo uno llamado KeePassX: es libre, trabaja tanto en Linux como en Windows y Mac OS, tiene una versión portable que puedo llevar en una memoria USB; y así sólo necesito recordar una contraseña maestra para acceder a un archivo electrónico de contraseñas guardado en un compacto archivo encriptado.
• Cambiar las contraseñas con regularidad, especialmente las más utilizadas.

Para crear una buena contraseña

A continuación daré algunos consejos para crear contraseñas difíciles de robar aunque relativamente fáciles de recordar.

1. Combine letras mayúsculas con minúsculas.

2. Utilice números junto con las letras.

3. Si el sistema lo permite, utilice símbolos de puntuación como espacios en blanco, _, -, +, *, etc.

4. Utilice la mnemotecnia. La mnemotecnia es una técnica para memorizar usada para recordar un concepto complejo partiendo de uno simple. Por ejemplo, podemos ver una computadora y pensar: “Esta es la computadora de Juan Pérez”. Esta frase, fácil de recordar, podemos usarla para generar una contraseña utilizando las iniciales de la frase. Así de

“Esta es la computadora de Juan Pérez”

podemos obtener

“EelcdJP“.

También podemos usar alguna frase más compleja, algo que tengamos en mente o incluso la letra de alguna canción:

“Soy un fanático de la serie LOST y quiero ver la 5a temporada completa”

“Yo se bien que estoy afuera, pero el día que yo me muera sé que tendrás que llorar” (tomado de la canción mexicana “El Rey”, de José Alfredo Jiménez).

para obtener algo como

“SufdlsLyqvl5tc”

“Ysbqeapedqymmsqtqll”

5. También puede reemplazar algunas letras por números, como:

0 por O y o
1 por l e I
2 por Z
3 por E
4 por A
5 por S
7 por T
9 por e

Así podríamos tomar una palabra o nombre más o menos común para convertirlo en algo más críptico. Por ejemplo,

“Mi nombre críptico”

podría transformarse en

“M1n0mbr3cr1p71c0″.

6. Utilice el máximo de carácteres que el sistema le permita.

7. Combine varios de los anteriores consejos:

“Soy un fanático de la serie LOST y quiero ver la 5a temporada completa”

“Yo se bien que estoy afuera, pero el día que yo me muera sé que tendrás que llorar”

se convertirían en:

“5ufd15Lyqv15tc”

“Y5bq9ap9dqymm5qtq11″

8. Utilice un generador automático de contraseñas. Precisamente KeePassX tiene uno integrado.

Para concluir

Mi esposa cree que le oculto algo cuando le digo que no conozco mi contraseña actual de correo electrónico. Pero es verdad, no la conozco porque fue generada de manera automática, mide como 16 carácteres, y nunca tengo necesidad de verla o teclearla puesto que el administrador de contraseñas la pone por mí en memoria y yo sólo tengo que poner el cursor en el campo de “Contraseña” y presionar las teclas Ctrl+V para ingresar mi clave. Creo que mis contraseñas tienen ahora un nivel aceptable de seguridad, y en tanto ningún hacker demuestre lo contrario lo seguiré creyendo así. Por cierto, creo que la técnica de mnemotecnia también debería usarse para la pregunta de seguridad que algunos sistemas de correo ponen para el caso de que perdamos una contraseña. Así, si me preguntan por el nombre de mi mascota ya sabré que debo escribir “F1ru1a15″ en vez de “Firulais”, cosa que espero el hacker no sepa.

Más información:

• Adivinamos su contraseña: ‘1234′. ElPaís.com.
• Cómo hackear hotmail.
• Contraseñas seguras: Cómo crearlas y utilizarlas.
• Contraseña.com – Generador de Contraseñas Aleatorias.
• KeePassX

Ich verwende die tolle und plattformübergreifende Passwortverwaltung Keepass schon seit langem. Sie ist in den Packetquellen von Ubuntu enthalten und lässt sich einfach mit Synaptics oder im Terminal mit

sudo apt-get install keepassx 

installieren.

In KDE4.3 ist mir allerdings aufgefallen, dass in die Zwischenablage kopierte Passwörter, nicht gelöscht werden. Eine Einstellung von Klipper, der KDE4 Zwischenablage verhindert dies!

Diese Einstellung kann man sehr schnell ändern, dazu im Panel mit der rechten Maustaste auf das Zwischenablagesymbol und “Klipper einrichten” wählen. Anschliessend das Kreuz bem Punkt “Prevent empty clipboard” herausnehmen.

Most of us could care less about security.  We use easy passwords and leave our login credentials out in the open.  We do these things for convenience, but at the cost of security.  So how do we balance the two?

There are many ways to keep your accounts secure and private.  To secure an account, you need to have a good password.  I recommend using this site.  Every time you go there, you will get a random string of characters to use as a password.  Just select as many characters as you want and copy and paste it as your password.  The only problem is, they are long and random, making them hard to remember.  Fixing this is easy with KeePassX.

KeePassX is a free and open-source password manager that securely stores all of your login information in a database.  Why is it better than Firefox’s built-in manager?  Well, for one, you can access this database either with a password or a key file.  A key file is simply a file that you must present to the program in order to unlock the database.  This gets rid of the need for a password, making it much more convenient and secure.

To install KeePassX on Ubuntu, simply check the box next to it in Add/Remove Programs.  To launch it, go to your Applications menu and then to your Accessories menu and click on the KeePassX entry.  Once you start it, you need to create a database.  To do this, go to File, and then New Database.  In the window that pops up, uncheck the box next to Password and check the box next to Key File.  Then click on Browse and select the file you want to use as the key.  Make sure that this file will never be deleted.  Keep a backup just in case.  Once you choose a file and click OK, your password database will be created.

Now it is time to add your accounts.  Right click on a group in the left pane and select Add New Entry.  Add a title, your username and password for that site, and click OK.  Just repeat this for all of your accounts and when you are done, click the floppy disk icon to save.  To login to sites now, open KeePassX, select the account you want to use, right click on it, select Copy Username to Clipboard, and paste it into the username field on the site.  Then select Copy Password to Clipboard and paste it into the password field.

If you have multiple computers (or even if you don’t), KeePassX in combination with Dropbox can be amazing.  You can put your database file (it’s encrypted, so don’t worry about security) into your Dropbox to sync it with all of your computers.  As long as that computer has KeePassX or KeePass (the Windows version) installed, it can use the file.  This is perfectly secure because your database requires the key file to be opened, so even if someone gets the database file, they can’t use it.  Just make sure you have the key file on all of your computers to do this.  If you don’t have multiple computers, consider Dropbox as a free backup solution for your database.

If you followed these steps correctly, you should have a convenient and secure way to manage your passwords.  If you have a question, concern, idea, or solution, leave a comment and for those of us in the USA, have a great 4th of July weekend!

Nach dem Update auf Leopard crashed KeePassX Es gibt auch schon einen entsprechenden Post im Forum. Freue mich über zieldienliche Hinweise aller Art oder Empfehlungen für Alternativen  wie z.B. 1PasswordUpdate 2007-10-28 18:40 So wie es aussieht funktioniert KeePassX zumindest wenn es über das Terminale mittels /Applications/KeePassX.app/Contents/MacOS/keepass aufgerufen wird. Die Darstellungs ist bescheiden … und da scheint auch das Problem mit Leopard zu liegen. Mal sehen wie es weitergeht …Update 2007-10-11 14:43Gerade habe ich einen Hotfix für KeePassX eingespielt und das Problem ist behoben. Der Fix war übrigens schon am 30. Oktober 2007 verfügbar. Wirklich Prima! 

Wer heutzutage ein bisschen im Internet unterwegs ist hat schnell dutzende Passwörter. Ich habe beispielsweise mehr als 100 Passwörter.

So viele Passwörter kann sich natürlich keiner merken. Eine “Verwaltung” mit Zetteln am Bildschirm kann keine Lösung sein, genau sowenig, immer das selbe Passwort zu verwenden. Was auch gar nicht geht, da bei vielen Anwendungen Passwörter mit der Zeit ablaufen.

Vielen ist sicherlich diese Variante von besonders kleveren Kollegen bekannt, die immer das selbe Passwort verwenden und eine fortlaufende Nummer anhängen. Nach dem Zeitablauf wird die Nummer hochgezählt. Welche aktuelle Nummer zu welcher Anwendung gehört, wird in einer Excel-Datei gespeichert. Das so was im Schadenfall als grob fahrlässig anzusehen ist, brauch ich kaum zu erwähnen.

Was liegt also näher eine richtige Passwortverwaltung zu verwenden? Ich zeige in diesem Artikel zwei Möglichkeiten zur Passwortverwaltung auf.

In Gnome, dem Standard-Desktop von Ubuntu wird Seahorse mitgeliefert. Seahorse verwaltet PGP- und SSH-Schlüssel und Passwörter von Programmen die Seahorse unterstützen. Dazu gehören beispielsweise der Netzwerkmanager, Empathy, Gnome Do, Nautilus uvam. Leider unterstützen Firefox und Thunderbird nicht Seahorse, sondern verwalten Passwörter selbst.

Man findet es in “Anwendungen->Zubehör->Passwörter und Verschlüsselung”. In den ersten drei Tabs finden sich die SSH- und PGP-Schlüssel. Passwörter sind im vierten Tab enthalten. Wer sich nicht mehr an ein Passwort erinnern kann, hat hier die Möglichkeit sie anzuzeigen. Ansonsten sind hier keine Tätigkeiten notwending, die Passwörter werden automatisch eingefügt.

In KDE heisst die Passwortverwaltung KWallet und nimmt entsprechende Aufgaben war.

Firefox bietet die Möglichkeit eingegebene Passwörter zu speichern. Dabei erkennt es automatisch, wann eines eingegeben wurde und fragt nach, ob dieses gespeichert werden soll. Diese befinden sich in den Firefox-Einstellungen im Tab Sicherheit.

Eine besonders sichere und plattformübergreifende Anwendung zur Verwaltung von Passwörtern ist KeepassX. Es ist das Äquivalent zur Windows Software Keepass. Damit können Passwortdateien sowohl unter Windows als auch in Linux verwendet werden.

Als Verschlüsselungsalgorithmen stehen in KeepassX AES und Twofish zur Verfügung. KeepassX wird nicht wie Seahorse automatisch beim Systemstart aufgesperrt. Man kann wählen, ob eine Datenbank mit einem Passwort, einer Schlüsseldatei oder beidem aufgesperrt wird. Dabei soll die Schlüsseldatei auf einem USB-Stick gespeichert werden.

Gespeichert Passwörter können mittels einer Autotypefunktion in Anwendungen eingefügt werden. Sehr interessant ist die Funktion des Passwortgenerators. Damit können halbwegs sichere Passwörter erzeugt werden.

Eigentlich wollte ich heute einen Artikel zum neuen KeepassX 4.0 schreiben. KeepassX ist das Linux-Äquivalent zu Keepass, einer freien Passwortverwaltung.

Leider musste ich feststellen, dass in der neuen Version 4.0 ein Bug in der Autotype-Funktion enthalten ist. Beim Autotype in Firefox wird ein evtl. enthaltenes @ nicht geschrieben. Das benötigt man beispielsweise, wenn man die EMail-Adresse als Nutzer benutzt.

Das einzelne Einfügen nur des Nutzers funktioniert.

Natürlich habe ich den Bug schon in SouceForge geposted und werde den Artikel nachholen, wenn er beseitigt ist.

Using a password vault or a password safe can provide some ease and can simplify our lives nicely. However, what is the point of saving all these passwords when we can just type it in – or use Firefox or Opera to do it for us?

Let’s look at several and consider what they offer – and the hidden surprise that makes them most valuable. There are several that are worth considering depending on your environment – Apple’s Keychain, GNOME’s Keyring, KDE’s Kwallet, KeePass and KeePassX, and Passpack. The first three belong to that set of tools that provide for password vaults that are unlocked when you log into your computer. As long as you are logged in – and perhaps only until the screen saver kicks in or you log out – these tools will be active and your passwords automatically available.

KeePassX is part of a small set of tools that provide this capability, though in a cross-platform way.

Lastly, PassPack is an online password vault which is easy to use and provides for exports to other systems like KeePassX and its ilk.

What is it that provides a surprisingly high level of security with the use of these vaults? Simply this:

You can generate random passwords of arbitrary length that you need not even try to remember.

This is very powerful. Passwords no longer need to be memorized: so why try? The passwords can be generated by the associated password generator, and then copied or otherwise placed into the password field of whatever process is requesting authorization.

There is no pattern which makes it easier to crack – no combinations of words, numbers, etc – just pure randomness (or as close as one can get on a non-random entity like a computer).

Once you have a tool like a password manger in place, you can use a different password – a random password – for every site and every location that a password is needed.

Despues de algunos días traduciendo al Castellano KeePassX por fín puedo decir que, ya he terminado y está disponible para la gente que necesite usarlo

Descargar aquí traducción de KeePassX 0.3.X->0.4.X al Español (España)

Si ets usuari habitual de la Ret, t’hauràs trobat amb que tens mil contrasenyes per accedir al gmail, al flickr, al hotmail, a yahoo, als bancs, a la universitat, al teu blog, i a altres mil comptes diferents. Això vol dir que, o bé tens un fitxer amb mil i una contrasenyes, o bé que sempre fas servir la mateixa (sistema gens segur) a tot arreu.

Doncs bé. Després de mesos de recerca i tasques detectivesques d’investigació, ja puc recomanar-vos el programa que faig servir per tal de generar el meu propi clauer digital: KeepassX.

Què és un clauer digital?

Essent exactes, podriem dir que és un pendrive en el qual l’usuari emmagatzema informació d’accés i que està protegit per maquinari (hardware). Hi ha que fins i tot llegeixen l’emprempta digital (biomètric) per permetre engegar un portàtil.

Pels neòfits, un clauer digital serà el nostre clauer de claus (passwords, paraules de pas, contrasenyes), però digital.

Per què necessito un clauer digital?

Per tal de protegir-te d’atacs indiscriminats de robots (programes) que intenten descodificar la informació del teu ordinador i fer phising, per exemple. Amb un clauer digital tindràs la informació ’susceptible’, agrupada, endreçada, encriptada i, per tant, inaccessible a tercers.

Però, és tan perillòs?

Depèn de l’us que facis d’internet. Si nó tens connexió ADSL a casa, segur que no és perillós. En cas contrari, no siguis paranoic, però protegeix-te’n.

Com em faig un clauer digital?

Bé. Després de preguntar als meus companys del departament i contrastar les seves respostes amb Sant Google, vaig optar per instal·lar-me el KeepassX. És un programet molt fàcil d’utilitzar -disponible per Windows, OS X i Linux- que emmagatzema la informació en el fitxer database.kdb.

Però un clauer, me l’haig de dur amb mi, no? Com les claus de casa…

Això és el que faig jo (porto el pen penjat del coll, literalment). Faig servir una versió ‘portable’ del KeepassX en el pendrive, un KeepassX OS en el Mini (Mac) i un KeepassX en l’Ubuntu. Quan haig d’obrir el gmail des del treball (windows), només cal que posi el pendrive, executi KeepassX i obri la base amb les claus. Fins que no marxo a la tarda no la tanco. Així tinc l’aplicació oberta per tal d’accedir a les claus que necessito.

Però això és un pal, no?

Doncs sí. Malauradament, l’única manera d’obrir un pany és agafant la clau amb la ma i ficant-la dins el pany. Digitalment això ho fem obrint la base de dades i fent un copy-paste de la contrasenya que necessitem. Sempre hi ha la possibilitat de dir-li al nostre navegador firefox que recordi les contrasenyes que fem servir… però això només és recomanable en el cas d’ordinadors de molta confiança (el de casa).

I com és una clau?

Per entrar al fitxer de claus, fem servir una clau. En el meu cas la tinc amb un algorisme de 128. I després cada clau pot ser introduida manual, o bé generada pel propi programa. Us asseguro que no hi ha nassos de recordar dues claus seguides d’aquestes. Són megasuperllargues (tot el que nosaltres vulguem) i totalment aliatòries.

I no hi ha alternatives al clauer?

Home, més que alternatives, potser complements. Aviat us parlaré del OpenID. Deixeu-me que el provi primer

Really nice program for storing all passwords in. Protect your passwords with both a keyfile and a password. Works beautifully!

With the mix of Operating Systems I am forced to interact with these days, keeping my sanity with the same set of applications across those systems has become quite important. Here are the apps I currently use that bridge the gap between Windows and Linux, and what I use them for.

KeePassX – homepage -  given that I am using multiple OSs, and have to remember all my logins for work, my online bills, and personal sites, the need for a secure program to record these data is tantamount. KeePassX is the Linux version of the app. My thumb drive holds the encrypted data, as well as the PortableApps version of the program for when I’m in Windows-land. Tremendously important app!

On that same thumb drive exists my Mozilla folder. The Mozilla folder contains subdirectories for FireFox and Thunderbird. Since I use IMAP for most mail and Firefox doesn’t need a huge wedge of files for it’s configuration and maintenance, it’s a slim solution to my communication needs. Thunderbird is the cross-platform mail client. If I’m writing or checking my personal email, it’s in Thunderbird.

However, my blasphemy is great in that I use a completely different browser on Linux. I’m a serious Epiphany fan. Unfortunately, there is no Windows port of this browser. I sincerely wish there were! Maybe when I win the lottery and have no further need to sell 8 hours of each day to a company I could start the port… Ah, dreams!

Firefox is kept configured on the thumbdrive to allow me to port links over without having the email them back and forth. Note to self: research a bookmark sharing tool that will allow integration with Epiphany.

For writing things that aren’t code, I rely on OpenOffice. Again, there’s a PortableApps version, but I tend to keep the full version of the software installed on each machine. Why?

1. it’s thick (takes up a large space on even the PortableApps version)
2. running OO.org off of my thumbdrive is slow

Yes, the speed is entirely my fault. I should have purchased a faster USB stick. Mea culpa. However, what I’m really interested in carrying around on it are the documents I create themselves.

Una muy mala costumbre es utilizar el mismo password para todo, y en muchos casos, nuestra fecha de nacimiento, dni y tonterías varias.

Esto es un error muy grave, pero la verdad es que recordar cada una de las contraseñas de cada uno de los sitios a los que nos registramos es imposible pero….

Esta tarea es sencilla con una aplicación que genere, almacene y proteja nuestras contraseñas. Para el caso de GNU/Linux, disponemos de varias alternativas, pero sin lugar a dudas me quedo con keepassx.

Esta herramienta nos genera una base de datos encriptada, a la cual solo podremos acceder con esta herramienta y una contraseña maestra, que es la única que a partir de ahora tendremos que recordar.

Además recientemente se ha creado una versión para Windows, por lo que podremos abrir nuestra base de datos independientemente del sistema que estemos utilizando.

Referencias:

• gnulinuxville.wordpress.com
• ubuntips.com.ar
• loquemeparecehoy.blogspot.com

I have over a hundred accounts on the Internet. I do a lot of online shopping for everything from books to computer hardware to toys for my kids. I also have accounts on various social networking sites like linked-in, facebook, myspace, plaxo, pulse and naymes. I use online authoring sites like wordpress, freesoftwaremagazine, digg, technorati and others. I like to personalize google news and various product support sites to my own tastes. I like it when sites like this allow me to create a profile – essentially a login account.

I also work in the software industry and write a fair amount of open source code, so I have accounts at locations like sourceforge.net, which manages separate authentication materials for mailing list accounts, primary site access, shell access, etc – and often for each project they support. This means literally dozens of passwords for a single site.

These places are all pretty benign as far as security issues are concerned. Frankly, I don’t really care if someone knows my middle name, or my phone number for that matter. But I do most of my banking online , and some web-based store fronts keep track of my credit card information these days. I have the option of not giving it to them, but if I trust them, I like to use this feature, and that presents a real security problem for me. Some of these sites have fairly good identity security–others do not. I don’t know which ones do and which ones don’t.

I used to use the same password everywhere – so I wouldn’t forget it. When I started doing online banking and storing credit card information at various store fronts, I used one password for these places, and another one for everywhere else. But lately the number of security classifications I use has increased significantly, making it difficult to remember all of the passwords I use.

If a hacker can break into one of these weaker sites, and capture account information and passwords, they can then access more sensitive personal information at many other sites where I have accounts. Now, I’m not a conspiracy theorist. I don’t believe there are groups of people out to get me personally. But I do believe in bad guys. And I know for a fact that there are bad guys out there “phishing” for random authentication materials. If they find a way to access one (like mine) and if they then find that I use the same password at my bank, I really do believe they’ll go after my cash. After all, they don’t really care whose money they take.

KeePass

Recently, I was introduced to the KeePass project on SourceForge.net. What a gem of a little project! KeePass allows you to store passwords and other account information in an easily accessible hierarchical format within an encrypted database on your hard drive. You only need to remember a single master password to get into the database.

Some people might balk at the idea of another layer of indirection between themselves and their online banking web site. I’d agree myself, if it weren’t for some of the really cool usability features in KeePass. For instance, KeePass can copy a password to the clipboard from an entry in its database, which means you need only click on the password entry field and press Ctrl-V to paste it in. If you care to take this to the next level, KeePass will also fill in login forms automatically with a configurable hot-key press on the login page of your sites.

KeePass also contains a small area in each password entry for notes and such. I have an AT&T cell phone account which allows me to connect to the Internet on my laptop through my phone over a high-speed connection. But configuring this connection initially was a real pain in the neck! Once I got it figured out, I wrote down the steps for configuration so I wouldn’t forget them. The next time I needed to reconfigure my laptop, I forgot where I’d written down these instructions. Now, I have them in the notes section for my AT&T wireless account in KeePass.

Another nice feature is that KeePass will automatically generate a high-security password for you, with a single click. When I create a new account on a web-site these days, I just pull up KeePass and create the account and the KeePass entry at the same time. When the site asks me for a password, I don’t waste time thinking about what I should use–I just tell KeePass to give me a good one, then cut and paste it in.

Finally, KeePass will stay resident on your Windows machine, adding a little icon to the system tray while it’s running. Click the icon and you have instant access to your password database. With highly configurable security policy tailored to your personal tastes, you can decide how often you want to type in your master password: Once at login, each time you click the system tray icon, only when you lock it, when you lock your computer screen, etc. You can also configure it to minimize to the tray, or to close to the tray.

Taking It With You

This is all well and good if you only work on one machine. I work on multiple machines. I have one at home where I spend time shopping, and I have one at work where I access my sourceforge.net accounts. I have a laptop that I take with me to sneak in some work or play while I’m waiting at the repair shop for my car to be fixed. Sometimes I use my wife’s laptop–just because it’s handy. Sometimes I use a kiosk computer at the airport or at the library. Sometimes I use a colleague’s computer in another office at work.

KeePass has a solution for this problem as well. If you wish, you can store the database on a removable media device, like a USB drive. You can pick up a 1G USB drive these days for 10 to 20 bucks. And this is 100 times as much memory as you need for a password store.

But the database does you little good if you can’t access it with the KeePass program when you need a password. The designers of KeePass understood this. You can store a portable version of the program itself on the USB drive. Portable, in this context, means programming in such a way that the software requires no explicit installation. It creates no registry entries, or special file system objects. This means you can access your password database from any Windows machine with a USB port. Just plug it in and run the program right from the USB drive.

What, Now Linux Too?!

What more could I ask for? Well…recently, I installed Linux on my desktop machine at work. Since moving to OpenSUSE 10.3, I’ve been very satisfied with what I’ve been able to accomplish using only free software. It’s been a whirlwind romance, and I’ve loved every minute of it, but it’s the first time I’ve been without a Windows machine handy to…you know, do the stuff I can only do on Windows. Sad to consider it that way, but it’s been true for me, so I’m guessing it’s true for most everyone else, as well.

Unfortunately, KeePass is a Windows program. “Well, I’m in love with the concept, not the program”, I told myself. So I went looking for a more portable alternative. One that was perhaps not as functional as KeePass, but at least ran on Windows and Linux. And I found it–KeePassX. This is a spin off of the original Windows open source program found on SourceForge.net.

KeePassX is written using QT and compiled under mingw on Windows, so its interfaces on both platforms are nearly identical. The people who did the port stayed true to the original KeePass look and feel as much as they could in this portable version. I’m very pleased, because now I can carry copies of KeePassX for Windows and Linux, as well as the database which, of course, both versions will open and process.

The only glitch I ran into with KeePassX was that it requires the mingwm10.dll, which fact is not advertised anywhere on the KeePassX web site that I could find, and the win32 package didn’t ship with this library. In fact, the only reference to it that I could find was an entry by a user in their forums indicating that they should probably mention the requirement somewhere. Personally, I think it’s an oversight, and that the Windows bundle should just install it.

To get the library, I just did a Google search for mingwm10 and found a myriad of places from which I could download it. I did that, placed the library in the same directory as the executable and all was well again.

Setting It All Up

To set all this up, I first formatted the USB key under Windows (because Linux has no problem reading FAT-formatted drives, and typically Windows only does Windows). Then I created a directory structure like this on the USB key:

Win32\
   ...unpacked files from KeePassX Win32 bundle
Linux\
   ...unpacked files from KeePassX Linux bundle
Install\
   ...bundles for both platforms, plus mingwm10 bundle, still packed
Passwords.kdb
Autorun.inf

Now, I like to do things up right. On Windows XP, when you insert a USB key, it acts like a removable drive–a CDROM or a USB hard drive. On these types of media, you can place a file at the root of the volume called Autorun.inf, which describes for Windows some things you’d like to have happen when the volume is mounted. I added the following text to an Autorun.inf file on the root of my USB key:

[autorun]
action="Run KeePassX"
open=Win32\KeePassX.exe
icon=Win32\KeePassX.exe
shell\keepassx=&KeePassX
shell\keepassx\command=Win32\KeePassX.exe

The “action” keyword allows Windows to display an option called “Run KeePassX” in the list of stuff to do when a drive is mounted that contains mixed media. Unfortunately, the graphic files (icons, bitmaps, etc) on a QT application are stored separately from the binary, so Windows interprets them as picture files. Since there are both pictures AND executables on the USB key, Windows doesn’t know what you really want to do, so it asks you every time you insert the USB key.

On Vista, you have a few more options. You can add more entries under a “[Contents]” section that tells Vista exactly what to do in the case of a conflict. To me, it’s a no-brainer to have done this in XP, but that’s not the way things came out, so we have to put up with the confusion. Most often, CDROM’s that contain executables designed to be run when the disk is inserted are installation CD’s for software you purchase. These have all sorts of media, but they often come packaged up in CAB or ZIP files, so Windows is not confused. There are only executables, so there’s no ambiguity. Windows just runs the setup.exe or install.exe program, as specified in the “open” tag.

When specifying an “action”, the “open” option tells Windows what to do if you select the “Run KeePassX” option in the pop up menu when the key is inserted. The “icon” option is really neat because it not only tells Windows what icon to display next to the action in the pop up, but also what icon to display in file explorer when the drive is mounted. The “shell” option is used to add a context menu option to the menu that comes up when you right-click on the drive in file explorer.

Look here at msdn.microsoft.com to learn more about Autoplay on Windows platforms.

Now, I’ve got the best of both worlds, and access to my password database from either place. Could I be any happier about the state of my personal Internet security? I don’t think so.

[Edit: I lost my password database the other day - it was corrupted when I pulled the USB key out of my Linux machine while the program was open. I think the corruption occurred because I popped it into a Windows machine, opened the database, and then put the key BACK into the Linux USB socket, and saved the database. In any case, I HIGHLY recommend you backup your password database once in a while. Luckily, I had a recent copy saved off somewhere, and I was able to get back about 95 percent of my data. Now, I keep a backup of the database on the same USB key in a "Backup" directory, which I overwrite quite often. I also keep a backup on another disk that I backup once a week or so, if I've made changes during the interim.

One person I know stores his database in a subversion repository, and updates it on any of his machines. That's nice to get the latest version on any of your own machines, but it doesn't help you when you want to access your store on a machine that's not yours. Still, it's a good idea to keep it in a repository like this.]