Better Password Management
||The article you are reading has moved! It is now available at: http://blog.tinisles.com/2006/07/better-password-management/|
Saturday night geek project: do something about my dodgy password management. Maybe listening to the Security Now podcast has got me paranoid enough to do something about my passwords. I currently deal with passwords in a way that's no embarrassingly bad I'm not going to mention it. Not as bad as a "passwords.txt" on the desktop - but still pretty bad. (And by the time you read this it'll be A LOT more secure :)
I REALLY REALLY should be doing the following things for my passwords:
- Different passwords for all my logins.
- Using randomly generated passwords - filled with lots of funny characters, mixed case, and numbers.
- Regularly changing passwords. Take out a night every few months to log into all the sites I use and change my password?
- NOT storing them in a clear file somewhere. Maybe I shouldn't be storing them in the IE & Firefox autocomplete databases. How strongly encrypted are they?
Thinking though the features I'd want for an app to automate this:
- Generates random passwords.
- Stores everything with strong encryption.
- Runs from a USB key so I can use it from work and home.
- preferably open source (or a free download).
- Nice to have: integration with the IE & Firefox password autocomplete. Or maybe just an easy way to export the existing passwords from my browsers.
- Some automated means of doing the monthly password update?
A search of Firefox extensions, and SourceForge came up with: RoboForm, Password Safe, and KeePass. RoboForm has most of the features I'm after (USB key operation, IE/Firefox integration, and password generation) but is limited after the trial period runs out. Password Safe and KeePass look very similar - decided to go with KeePass as: it's a single EXE, has a prettier UI, and it's a more popular project for SourceForge.
KeePass stores all your passwords in an encrypted database - which requires a password to access. When adding an entry you can choose to generate a random password.
Unfortunately there is no browser integration, but there in an auto-type feature. This enters your credentials into the active form. By default it'll simulate you typing your username, pressing tab, typing your password, and pressing enter. This is also configurable per entry. An entry can be set to expire by date - this is the closest to any automation of a monthly password update.
Now I've spent a night logging into a stack of websites, and changing my passwords to randomly generated ones. Which means I'm completely reliant on the Keypass database - there's no way I'd be able to commit these passwords to memory. A copy of the KeePass database at home, and work is fine - how often do I go to an internet cafe anyways? For convenience I've allowed Firefox to remember passwords for the sites that allow it (banking sites are "autocomplete=false" for good reason!) - and I've set a master password on the Firefox password store. This reliance also means it's very important I have backups of theKeyPasss database, plus a backup of "plaintext" export in the event I forget the KeyPass password.
Some words of warning about the process of updating all your passwords. After you've generated your password you'll paste it into the change password page somewhere. The password input box will most likely display stars as you type. You want to be pretty confident you are pasting the right thing in there. If you accidentally paste something else you'll just see stars and won't know - effectively locking yourself out of the account! Another website I use had a 8 character limit on their passwords - I pasted in a 15 character string and only the first 8 characters were saved. Because I was seeing stars I had no way of knowing what'd happened - I only worked out what'd happened when I noticed the wrong password page had the same limit (yet the main login page didn't!). Chris Pederick's Web Developer Extension has a feature to turn password fields into plain text fields - this means you can be totally confident you've pasted the right thing.
Another warning on the autotype feature: if you have the Firefox Password Manager open when you select auto type - all your passwords get wiped out. Because the 'auto-typed' tab selects the 'Remove All' button, and then the 'enter' clicks it! Firefox wipes out all your passwords without prompting you!
I've been running for a week now with KeePass and I find it's working well. As I mentioned I now can't pop into an internet cafe and check my mail - something which I haven't done in a long time. Plus I'm now WAY too paranoid to log into an online banking site from an internet cafe.