Monday, 6 February 2017

KeePassXC - Cross-Platform Community Edition

One of the big problems that many people have with passwords is that there are just too many to manage in your memory alone. People either end up writing them down (which is actually a pretty good solution if you keep that piece of paper secure), or using the same password for many sites. This creates the problem that if one site gets compromised, the hackers will now have access to accounts on other sites that share that same password (assuming you use the same email address). The best solution to this problem is to use a password manager, which is the electronic equivalent of that piece of paper you write all of your passwords down on.

There are many options available for managing passwords. Some of them are online and accessed through your browser, and some are locally run programs. I prefer to use something that's local (don't always have Internet access) and open source (don't trust software that you can't audit, especially with passwords).

I've been managing my passwords using a piece of software called KeePassX for about 10 years, pretty much since I started using Linux. It's a fantastic tool that allows you to keep track of all of your passwords in a very secure way, storing them centrally so that you only need to remember a single password. It works across devices, and applications are available for Linux, Windows, Mac, Android, and iOS. It supports basic 2-factor authentication using key files. With this feature, you need both your password and a key file to be able to decrypt the password repository.

KeePassXC is the "community" branch of the KeePassX source code. The KeePassX project that it's based on has apparently been slow to incorporate new features and changes, and one of the big benefits of open-source software is the ability to "fork" a project to take it in a new direction. In this case that new direction involves incorporating new features such as reloading the password file when it changes on disk, using websites' favicons as entry icons, and a few other nifty features. Reloading the file when it changes on disk is a big one for many people, as I'll explain in a bit. The project keeps almost all of the existing KeePassX features as well, minus a few that were deemed "potentially insecure".

Multiple Machines

Because of the "autotype" feature supported by KeePassX (and KeePassXC) that allows you to have the software type in your username and password for you, it's quite convenient to have the software running locally on each machine you use, rather than, say, reading the username and password from your phone and typing them in manually. That works, but if you use long, complex passwords it's slow and error prone. To do this, of course, you need a copy of the password file on each machine. The problem is sharing the file between the multiple machines. The best way to do this is probably to use a file-synchronization service. Dropbox is probably the one you're most familiar with, but if you're interested in security, I'd pick pretty much anything ahead of that one. SpiderOak is my favourite as they're one of the few that actually do security "right". Unlike most of the other services of this type, you control the encryption key for your files, meaning that even SpiderOak has no idea what you're storing there.

Once you have your file synchronization service set up, put your password file in one of the directories that gets synchronized and any changes made to it will be visible on all machines. This makes the new automatic reload feature of KeePassXC worth its weight in gold. It means that you no longer have to remember to close the file after you've used it, or make all of your changes on a single machine and have the file open "read-only" on the rest of them.

WARNING: Do not synchronize your key file (for 2-factor authentication) on your file synchronizing service. This defeats a large part of the point of it: anyone who gets at the synchronized folder would then have both the database and the second factor. Put the file on your devices manually, or worst case, using a different synchronization service.
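To make the two points above concrete (the key file as a second factor, and why it must stay out of the synced folder), here is a small added example that is not KeePassXC's own code. The hashing scheme is an assumption modelled on the general KeePass-style approach of hashing each factor and then hashing the concatenation; it is not a claim about KeePassXC's exact file format, and all paths are constructed for illustration.

```python
import hashlib
from pathlib import Path
from typing import List, Optional


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Combine the password and an optional key file into one master key.

    Assumed scheme (illustrative, not KeePassXC's exact format): hash each
    factor separately, concatenate the hashes, and hash the result again.
    With a key file present, the password alone can never reproduce the key.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def key_file_is_synced(key_file_path: str, sync_dirs: List[str]) -> bool:
    """Return True if the key file sits inside any synchronized folder.

    Paths are resolved without requiring them to exist, so this check can
    run against a planned layout as well as a live one.
    """
    key_path = Path(key_file_path).resolve()
    for sync_dir in sync_dirs:
        root = Path(sync_dir).resolve()
        if key_path == root or root in key_path.parents:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: a throwaway password and a fake key file.
    key_bytes = b"constructed-key-file-contents"
    with_key = composite_key("correct horse battery staple", key_bytes)
    without_key = composite_key("correct horse battery staple", None)
    print("keys differ without the key file:", with_key != without_key)

    # Constructed layout: database lives in the synced folder, key file does not.
    synced = ["/home/alice/SpiderOak Hive"]
    print("key file synced (bad):",
          key_file_is_synced("/home/alice/SpiderOak Hive/passwords.key", synced))
    print("key file synced (good):",
          key_file_is_synced("/home/alice/.keepass/passwords.key", synced))
```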

At this point there doesn't seem to be an Android or iOS version of KeePassXC, although there is an Android version of KeePassX. This version will work with the KeePassXC files, but will not automatically reload when changes are made. This is not as much of a big deal as on other platforms though, as most of the mobile file synchronization services do not automatically synchronize either; they're more of a manual "on demand" sort of thing.

This workflow should allow you to be more secure, spend less time typing in passwords, and learn a few new tools. Keep in mind that KeePassX and KeePassXC can store more than just passwords: they can also store embedded files of any kind. Great place to keep PDF versions of your tax forms perhaps?
