Passwords have become part of our everyday life. They are necessary to protect our data and privacy. As with all security-related issues, though, safety and ease of use sit at opposite ends of the spectrum, and unfortunately most people opt for ease of use by choosing simple passwords they can remember.
There is, however, in my opinion, a happy medium. Once again technology has opened doors for us. The solution is password management software.
I will talk about two applications with two different target users. The first is personal password management. The second is corporate, or any group, password management.
Personal Password Management
With so many different sites and systems requiring passwords nowadays, it becomes increasingly tempting to use simple-to-remember passwords and to reuse passwords across different systems. This can result in a serious security hole, as there are applications that are very good at trying millions upon millions of passwords in a short time. Reuse also exposes you to the problem of losing control of your password in one system (either via someone guessing it, brute forcing it, or bad security in the system revealing the password) and having many other systems exposed simultaneously.
A solution to this is having a strong, unique password for every system. Of course the problem with this is that it makes it virtually impossible to remember the passwords. Saving the passwords in a text document is dangerous too, as anyone with access to your computer would have the keys to your realm!
In my opinion, the requirements for an ideal personal password management system are:
- Secure
- Easy to use
- Free
- Open source
- Groups of passwords
Enter KeePass (and alternatives).
KeePass
KeePass is an application that stores all your passwords, along with user names, URLs, and descriptions, in an encrypted database that is only visible when you successfully supply your master password. Now you only have to remember one password, and can afford to make it good. (Many experts now say it is acceptable to write your password on a piece of paper and store it in your wallet, since most people are good at taking care of their wallets, and there are ways to ‘encrypt’ the password in some custom way only you’ll understand. I agree).
To use passwords, you can open the password entry and drag and drop the fields into the login form fields. (This feature occasionally does not work, depending on what platform the form is on).
KeePass additionally allows you to use a Key File, which can add some additional security. A key file is simply some file that you need to point to in order to open the database. Anyone not knowing which file it is will have a hard time figuring that out, especially if combined with your password.
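As an added illustration (not KeePass's own code, key schedule or file format), the following shows how a master password and an optional key file can be folded into one composite key, and why a missing or altered key file fails to unlock even when the password is right; the iteration count, salt size and the verifier construction are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed work factor for this illustration; real managers tune this much higher
# or use a memory-hard KDF.
ITERATIONS = 200_000


def composite_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Derive a 32-byte key from the password and, if given, the key file.

    Hashing each input separately before mixing means the key file contributes
    its own entropy: guessing the password alone is not enough to recover the key.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)


def lock(password: str, key_file: Optional[bytes]) -> dict:
    """Build a minimal 'database header': a random salt plus a key verifier."""
    salt = secrets.token_bytes(16)
    key = composite_key(password, key_file, salt)
    verifier = hmac.new(key, b"verify", "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header: dict, password: str, key_file: Optional[bytes]) -> bool:
    """Re-derive the key and compare verifiers in constant time."""
    key = composite_key(password, key_file, header["salt"])
    candidate = hmac.new(key, b"verify", "sha256").digest()
    return hmac.compare_digest(candidate, header["verifier"])


def demo() -> tuple:
    # Constructed key file contents for the example.
    keyfile = b"constructed key-file contents: " + bytes(range(32))
    header = lock("correct horse battery", keyfile)
    return (
        unlock(header, "correct horse battery", keyfile),        # right password + file
        unlock(header, "correct horse battery", None),           # file omitted
        unlock(header, "correct horse battery", keyfile + b"x"), # file altered
        unlock(header, "wrong password", keyfile),               # wrong password
    )
```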
KeePass also has some additional tools, such as password generation (including lists). You can define the format and length of the passwords.
KeePass also saves the history of each password, so you can see previous passwords used.
You can organize passwords into hierarchical groups, and export and print individual groups.
There is even a recycle bin in case you accidentally delete a password.
Some features I have not used, but are present and possibly very useful, include plugins and triggers.
One last feature that is very useful is the ability to use a remote database. That means you can store your KeePass database file on an FTP server (without worrying about security, since it is very strongly encrypted) and access it from anywhere you can run KeePass and have internet access.
[EDIT 5/24/2015]
I’ve been using KeePass for several years now, and still find it performs as expected to my satisfaction. Especially useful is leveraging Dropbox to make the database available from anywhere I can access my Dropbox.
Running Windows 8.1 on my home system provides the original native functionality of KeePass, where it was originally designed to work. Since I wrote this, I updated to the improved 2.16 version, which has a new database format. For a while, this created some compatibility issues between the different formats.
At work, I run OS X Yosemite. From what I have found, there are two applications capable of reading KeePass’s kdbx database format: KeePassX and MacPass. KeePassX is pretty ugly and difficult to use. MacPass is a lot cleaner, although a bit more limited than KeePass.
Finally, password management would be incomplete in modern society without mobile support. I run Android 5.1 Lollipop on my Nexus 5. For a while, I could not access my passwords, since the version of KeePass for mobile hadn’t been updated to support the KeePass 2.x database format, kdbx. Luckily, thanks to KeePassDroid, this is no longer the case.
So now, thanks to Dropbox and KeePass being open source, I am now able to securely access and manage my passwords across all my devices.
Group Password Management
Managing passwords for a group or business is a whole different ball game. You introduce more complexity in the form of multiple users, privileges, reports, etc.
In my opinion, an ideal group password management system would entail:
- Simple to use
- Secure
- Multiple users
- Users with privileges
- Administrator(s)
- Reports on use and changes
- User and password groups
- Open source
My search for the ideal system was fairly disappointing in that I was unable to find any ideal system, let alone an affordable one. At the end of the very long tunnel, though, I ended up fairly happy with WebPasswordSafe, from the open source community.
WebPasswordSafe
WebPasswordSafe is a fairly simple, secure, fairly new, easy to use, open source web application that I put into use at our company. The system has a single administrative user who can create other users. Each user can in turn create user/password combinations to store.
Users can be part of groups. Passwords can be assigned to groups and/or users, each with either Read, Write, Grant, or no privileges. While there are not groups for passwords, you can assign tags to passwords which can be used for searching, and if managed correctly can simulate the use of groups.
There are also reports in PDF or CSV format for:
- Users (With user name, email, full name, indication if active or not, date created, last log in)
- Groups (Group name and users belonging to groups)
- *Password Access Audit (Not quite clear yet what this one represents exactly)
- *Permissions (Each password with each user/group who has access to it, and with what level of access)
- *Password Export (Export Password)
*Only available to administrator
WebPasswordSafe is a little difficult to install and get working, but anyone with some knowledge of Linux, some courage, and determination can get it working.
Conclusion
I recommend WebPasswordSafe for its ease of use, its ability to share passwords by groups and assign privileges, and because it is open source and still actively maintained and upgraded.