Password safes

Until recently, I kept a spreadsheet on my local machine containing my passwords and related information. It was always backed up to a local NAS device with the rest of my files, but it lived in a directory with other sensitive files that I don't upload to Dropbox. From that one source I could produce any format I might need, like CSV for importing into another application or a text-only version for grepping.

When I started out, I was really good about using unique passwords that were phrases and pretty strong. I even had a tab explaining the whole phrase in case I ever forgot what the cryptic actual password stood for. I would incorporate within the phrase for each password something about the nature of the site. It really helped me remember some pretty crypto-strong passwords, and it worked well for many years.

Well, not exactly. I got lazy and tended towards using one of my favorites on many different sites. I try out so many things that I never know what I'll stick with, so I went the easy route. On important or frequently used sites I still used strong unique passwords, but on most everything else I used a common one. Also, because the spreadsheet was at home, it eventually got out of date. Finally, because I'm not a big fan of bloated software, I started editing the text-based version and so had two master password lists that got out of sync.

But with the recent attacks against some major sites like Evernote, which resulted in passwords being compromised, I started thinking about updating the spreadsheet with all the current passwords, then systematically changing the password on every site still using the common one, and then exporting the master to all the different formats. While I was mulling this over, I changed a couple of passwords on sites that had become more critical over time, wrote the new passwords on a sticky note to later update the spreadsheet with... and then lost the note.

So my research into password safes turned up some tools. This post is really not meant as a review of the options, but I listed them here in case they might be new and useful to anyone. There's really no suspense - I chose KeePass - but I've added some of my thoughts on each tool regardless.

  • LastPass
    Looks really nice with good browser integration, but it is proprietary software and I prefer free software.

  • Password Safe
    Very Windows-focused, but open source with a strong community.

  • My Passwords
    I like that it's Java-based and well done, but it doesn't conform to any accepted file format.

  • Java Password Safe
    Uses the Password Safe file standard but is Java-based. Long-term this might be the best choice for me because of the YubiKey.

  • YubiKey
    YubiKey provides a second layer of security by requiring both the password and a small USB device.

  • 1Password
    The website didn't mention a Linux client. Full stop. I'm obviously very opinionated about my OS but these decisions are based on pragmatism not religion.

  • KeePass
    I like that KeePass has a long history, is an accepted standard, has a pretty good Linux native client and great support in Firefox through the KeeFox plugin. It's very well done and documented. I use Conkeror, a keyboard-driven Firefox derivative, which might be able to use the Firefox plugin with (probably quite a bit of) work. But really, the plugin is icing on the cake, and the normal Firefox form fill-in feature works fine after the first login.

So, I created a KeePass2 file (with the .kdbx extension), set the master password and put it up on Dropbox. I changed my password on all sites that were still using the common one by using the password generation feature in KeePass, which defaults to a random 20-bit hash. Because of Dropbox, I've got all my passwords at work, and I've shared a folder with my wife, who can pull it up if she needs to. I feel back on top of my online passwords and more protected with better security.