Software and services for password managers have been around for a long time. I was skeptical about using such products because I thought it was leaving "all your eggs in one basket": lose your key file and/or password, and say goodbye to your box of login details. It also has its advantages. For example, it can automatically populate a login form, and if it has a password generator, the generated password will (mostly) always be more secure than one that is written down or built from dictionary word(s).
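To make the generator point concrete, here is an added example (not code from the post or from any password manager) that draws a password from the operating system's CSPRNG and compares its entropy with that of one or two words picked from a dictionary. The alphabet size of 94 and the word-list size of 100,000 are constructed assumptions for the comparison.

```python
import math
import secrets
import string

# The 94 printable ASCII characters a typical generator draws from (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random from `alphabet`.

    `secrets` is backed by the OS CSPRNG; the `random` module is not suitable for secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def dictionary_entropy_bits(wordlist_size: int, words: int = 1) -> float:
    """Upper bound on the entropy of `words` words picked uniformly from a list.

    Real users favour common words, so the true figure is usually lower still.
    """
    return words * math.log2(wordlist_size)


def compare(length: int = 16, wordlist_size: int = 100_000) -> dict:
    """Generated password versus one- and two-word dictionary passwords, in bits."""
    return {
        "generated_bits": entropy_bits(len(ALPHABET), length),
        "one_word_bits": dictionary_entropy_bits(wordlist_size, 1),
        "two_word_bits": dictionary_entropy_bits(wordlist_size, 2),
    }


if __name__ == "__main__":
    print("sample password:", generate_password(16))
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f}")
```

A 16-character password from the 94-character alphabet is worth roughly 105 bits, while even two words from a 100,000-word list top out at about 33 bits, which is why a generated password wins unless it has to be typed by hand somewhere the manager cannot reach.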
I decided to try such services after all the news around Sony's PSN fiasco and the break-ins at yet more services such as EA and Codemasters.
For my first venture into using such software I decided to limit its use to my non-essential accounts, such as forums and casual websites that require a password. If I lose the password for such sites I can reset it and, more importantly, not care (as much) if I lose it.
I was considering what I believe to be the two popular solutions: LastPass and KeePass. They do the same thing, but their implementations are very different. LastPass is Software as a Service (SaaS) where everything is stored in the cloud. It is accessible online, through browser plugins and as an app on phones. The mobile editions are not free, unlike the browser versions, but they are cheap. LastPass was recently compromised, which shows the danger of trusting sensitive information to a third party, as does the risk of a service outage.
KeePass, on the other hand, is a local client which also has plugins for various browsers. I opted for this solution and decided to manage the distribution of the password database myself. KeePass is not as well integrated as LastPass, but at least I know who has my password DB and where it is. KeePass is open source and there is currently no cost to use the software.
Both solutions are cross-platform and offer mobile clients.
KeePass uses a .db file to store the database of passwords. Multiple databases, and therefore files, can be created in any accessible location. This makes it very easy to send the file or use a file-sharing service. I chose Dropbox as my preferred service. Sending a file makes it vulnerable because it can be intercepted. In this case (and for any single point of entry/failure) use a strong password for your KeePass databases. I also recommend using a key file/password combination.
KeePass needs to be installed and a new database needs to be created. Go to http://keepass.info/ and download the latest version; I chose the 2.x branch. Follow the on-screen prompts to install the program. Start the program and proceed to create a new database. This will prompt you to save the database as a file. Save it in the Dropbox folder so that it is synchronized. It may also prompt you to save the key file if you chose to use one. I'd recommend not saving this to Dropbox and instead manually copying it to other locations/devices, as it will not change the way the password database will. It is also needed every time you log into the database.
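The two points above, combining a key file with the password and keeping the key file out of the synced folder, can be illustrated with the following added example. It is not KeePass's code: the composite-key function is a simplified model that hashes each secret on its own and then hashes the concatenation, following the shape of KeePass's composite key but leaving out the key-transformation rounds KeePass applies afterwards. The paths used in the demo are constructed for the example.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path
from typing import Optional


def make_keyfile(path: Path) -> bytes:
    """Write 32 random bytes to `path` and return them (constructed helper for this example)."""
    key = secrets.token_bytes(32)
    path.write_bytes(key)
    return key


def composite_key(password: str, keyfile_bytes: Optional[bytes] = None) -> bytes:
    """Combine the password and an optional key file into one 32-byte key.

    Simplified model (assumption, not KeePass's implementation): each source is
    hashed separately, then the concatenated hashes are hashed again.  Without the
    key file bytes the same password yields a different key, so guessing the
    password alone is not enough to open the database.
    """
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if keyfile_bytes is not None:
        parts.append(hashlib.sha256(keyfile_bytes).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def keyfile_outside_sync_folder(keyfile, sync_root) -> bool:
    """True when `keyfile` does not live under `sync_root` (e.g. the Dropbox folder).

    Keeping the key file out of the synced folder means a leak of the synced
    database still lacks one of the two secrets.
    """
    keyfile = Path(keyfile).resolve()
    sync_root = Path(sync_root).resolve()
    return keyfile != sync_root and sync_root not in keyfile.parents


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dropbox = Path(tmp) / "Dropbox"          # constructed stand-in for the synced folder
        private = Path(tmp) / "keys"             # constructed stand-in for a local-only folder
        dropbox.mkdir()
        private.mkdir()
        keyfile = private / "passwords.key"
        kf_bytes = make_keyfile(keyfile)

        with_kf = composite_key("correct horse", kf_bytes)
        without_kf = composite_key("correct horse")
        print("key with file   :", with_kf.hex())
        print("key without file:", without_kf.hex())
        print("same key?       :", with_kf == without_kf)
        print("key file outside Dropbox?", keyfile_outside_sync_folder(keyfile, dropbox))
```

The demo prints two different keys for the same password and confirms the key file sits outside the synced folder; swapping the key file's location into `dropbox` flips that last check to `False`.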
There are plugins for web browsers which link to the KeePass database. Using the plugins allows the web browser to enter usernames and passwords automatically and to prompt to save login details. I tried KeeFox with Firefox, which worked, but for KeeFox to work KeePass also had to be running, which meant typing in the password every time Firefox started. You don't have to log in, but then KeeFox has no access to the login details. You could also save your password so you don't have to enter it when KeePass starts, but I felt that defeated the point of using a password manager. It's a balance of convenience versus security.
One problem I encountered was integration with native software. Whilst the browser is supported fairly well, there are no hooks or integration with desktop software. One restriction I hit was logging into a web service within a game, e.g. Windows Live, EA, etc. It meant I had to minimize the game (and hope it did not crash), find and copy the password to the clipboard and switch back in good time before KeePass wiped the clipboard. What made it worse was that some games (like Mass Effect 2) did not allow pasting of passwords! The automatic typing of the password, which is aimed at passwords on web pages or when a dialogue box appears, doesn't always work within a game. I suspect this is the same for all applications.
Whilst I'm still cynical about password managers, I can see them being a valuable tool. My main concern is putting "all your eggs in one basket", so to speak, but at the same time I cannot remember a 64-bit password. The final straw came when my key file stopped working and I uninstalled it. I believe two-factor authentication is the way forward.