Ottawa PC Users' Group, Inc.
 Product Review 


Keeping Passwords Safe
by Alan German

I normally only use one or two login passwords and so, previously, I have never bothered to check out password encryption programs. However, recently, I seem to have had to consult my "top secret" hard-copy file of web site passwords in order to access various obscure sites that I use only infrequently. While this file folder is a useful resource for storing multiple passwords, the difficulty comes when needing to locate a given password. Typically this means leafing through multiple printouts of login credentials for a wide range of web sites that aren't arranged in any kind of logical sequence. I suppose I could organize these listings in a loose-leaf binder, rather than using a simple file folder, but it is probably even more efficient to use a computer-based password manager.

The essence of these software systems is an encrypted database, opened by means of a master password, that contains listings of individual web sites and their associated login credentials. Even better, most of these programs offer a way to enter a userid and password for any given site more-or-less automatically, thus expediting the login process.

My password manager of choice is KeePass, primarily as it is open-source software that garners good reviews, but also because the Windows version has a Linux equivalent (KeePassX) which means that I can use the same password database on both platforms. There are both 1.x and 2.x versions of KeePass with Version 1.23 being compatible with KeePassX. Consequently, it is KeePass Version 1.23 that is reviewed here.

By default, KeePass offers to store passwords for three groups of applications, namely Internet, eMail and Backup systems. I only need to store passwords for web sites and so opted to set up a new database in the Internet group. The only requirement is to select a master password with which to access the database. Optionally, one can also specify a "key file". This is an additional security measure since the master password must be entered, and the specific key file must also be present, before the password database can be opened.
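The requirement described above, that the master password and the key file are both needed to open the database, can be sketched as follows. This is an added example, not KeePass's own code or file format: the function names, the `key-check` label and the PBKDF2/HMAC construction from Python's standard library are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # PBKDF2 iterations (assumed work factor for this sketch)


def composite_key(master_password, key_file_bytes=None):
    """Hash each supplied factor, then hash the concatenation.

    Every factor used at creation time is needed again to rebuild the key.
    """
    parts = [hashlib.sha256(master_password.encode("utf-8")).digest()]
    if key_file_bytes is not None:
        parts.append(hashlib.sha256(key_file_bytes).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def _database_key(master_password, key_file_bytes, salt):
    # Stretch the composite key so that guessing the password is slow.
    material = composite_key(master_password, key_file_bytes)
    return hashlib.pbkdf2_hmac("sha256", material, salt, ROUNDS)


def create_database_header(master_password, key_file_bytes=None):
    """Return the non-secret header stored with the database."""
    salt = os.urandom(16)
    key = _database_key(master_password, key_file_bytes, salt)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def try_open(header, master_password, key_file_bytes=None):
    """Return the database key if the supplied factors match, else None."""
    key = _database_key(master_password, key_file_bytes, header["salt"])
    expected = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, header["check"]) else None


if __name__ == "__main__":
    key_file = os.urandom(32)  # constructed sample key file contents
    header = create_database_header("sample master password", key_file)
    print("password + key file:", try_open(header, "sample master password", key_file) is not None)
    print("password only:      ", try_open(header, "sample master password") is not None)
```

Because the key file's contents feed the key, a lost or altered key file makes the database unopenable even with the correct master password, so it needs its own backup kept apart from the database.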

With the database open, a new set of login credentials can be entered by selecting "Add Entry", either by clicking on an icon, or by using the program's edit menu. The subsequent dialogue box has fields for Title, User name, Password, URL and Notes. An icon is associated with each listing and this can be selected from an available set of icons or a custom image can be used. The entry can be set to expire on a given date and time; however, by default, the expiry date is unchecked.

The password that is entered (and repeated as a double check) is encrypted in the final database and is displayed as a series of asterisks. A button (three dots) lets you see the actual password string behind the asterisks (when the encrypted database is open). The "quality" (i.e. strength) of the selected password is roughly indicated by the length of a horizontal bar, and an indication of the number of bits used in the string. For the paranoid amongst us, there is a built-in password generator that will produce (presumably) incredibly secure passwords. My test used a 256-character string producing a password with a full horizontal bar and 535 bits.

Clearly, one could use KeePass purely to store login credentials. The web sites are listed in alphabetical order so retrieving a given record is quite simple. One could then copy and paste the userid (User name) and password (having used the "three dots" button to reveal the hidden password) from the data record into the login prompts on the web page. However, as noted earlier, KeePass provides an option for the program to "fill in the blanks" on the login screen. This process is a little non-intuitive and, in my case, required reading through a section of the web-based KeePass Help Center (Help - Help Contents - KeePass Help Center - Features - Auto-Type) a couple of times before I clued in on the technique.

The first trick is to hit the drop-down "Tools" button in the lower-left corner of the data record for any given web site. With the desired web site open in the browser at the login page, one clicks on "Auto-Type: Select Target Window". Then, one uses the second drop-down menu to select the appropriate listing which in my test case was "Ottawa PC Users' Group (OPCUG) Inc. - Mozilla Firefox".

The second trick is to navigate to "Tools - Options - Advanced - Auto-Type" in KeePass's main menu and enter a keyboard shortcut in the "Global auto-type hot key combination" field. I opted for Ctrl + Alt + P as the keystroke combination that would automatically populate a web site's login credential fields.

Even then the process turned out to be somewhat hit and miss. For example, I couldn't get the system to work for OPCUG's web site as KeePass returned the login credentials for a different entry. And, in my Dropbox account, KeePass selected the correct entry, but populated the E-mail field (effectively the userid) with my Dropbox password instead of the user name! However, the auto-type process worked fine for some other web sites, e.g. National Capital Freenet.

While the automatic login process appears to be fraught with difficulties, KeePass does at least let me store my infrequently-used web site login credentials in an electronic format, and provides a readily-available resource for this information when it is needed. So, no more leafing through dozens of pieces of paper for me!


Bottom Line:

KeePass Password Safe (Open-source)
Version 1.23
Author: Dominik Reichl
http://keepass.info/

 

 



Copyright and Usage
Ottawa Personal Computer Users' Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON  K2G 1S6

The opinions expressed in these reviews do not necessarily
represent the views of the OPCUG or its members.
