By Chris Cardinal
On January 25th, 2011
As a web development firm, we frequently have to manage passwords and other credentials for multiple clients and their projects. This includes everything from SFTP and SSH information, database passwords, DNS managers, domain registrars, and everything else under the sun. We’ve moved to a policy of good password practice across the board at the urging of common sense and of one of our former developers, Alan Hogan. (Our previous system was not sharable, and fraught with other shortcomings.)
We needed a password system that was secure but which would allow us to share client passwords across our team, while ensuring limited access within the organization, and unique, complex passwords every single time. We ended up making use of the wonderful KeePass tool, synced through Dropbox.
KeePass is a wonderful password manager in general (though less so for Mac or Linux users, for reasons I’ll get to). It has some pretty great features, some unique to KeePass, others relatively standard fare:
Clearly, any good password manager needs to be secure itself. KeePass supports AES and Twofish, amongst other encryption standards that are very difficult to crack, and your password database is encrypted with the one you choose. Further, you can expand your security by requiring a unique key file in addition to (or instead of, though this isn’t recommended) the password you use to unlock the database. This adds an additional layer of security against things like keyloggers: an attacker must obtain the key file, and work out which file it is, in addition to knowing or cracking your password. (A strong password is still important, since simple passwords will fall to dictionary attacks relatively quickly.) You can also use your Windows login to unlock your database, but again, this shouldn’t be your only unlock method, and it doesn’t work when sharing a password database as we do.
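To make the password-plus-key-file idea concrete, here is an added example (not KeePass’s own code, and a simplified layout rather than its file format): each unlock factor is hashed separately, the digests are folded into one composite key, and that key is stretched with a configurable number of rounds so that every guess, right or wrong, pays the same cost. The sample password, key-file bytes, salt and round count are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values for the demonstration (not from any real database).
SAMPLE_PASSWORD = "correct horse"
SAMPLE_KEYFILE = bytes(range(64))   # stands in for the contents of a key file
SAMPLE_SALT = b"constructed-salt"   # a per-database random salt, stored with the file
TRANSFORM_ROUNDS = 20_000           # assumed work factor; real settings are higher


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Fold the unlock factors into one 32-byte secret.

    Each factor is hashed on its own, the digests are concatenated and hashed
    again. The key file only contributes when it is present, and holding one
    factor reveals nothing about the other.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def transform_key(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Key stretching: every guess, legitimate or not, pays for `rounds`
    iterations, which is what slows a dictionary attack down."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def unlock_key(password: str, keyfile: Optional[bytes],
               salt: bytes = SAMPLE_SALT, rounds: int = TRANSFORM_ROUNDS) -> bytes:
    """The key that would actually decrypt the database."""
    return transform_key(composite_key(password, keyfile), salt, rounds)


def verify_unlock(password: str, keyfile: Optional[bytes], expected_key: bytes,
                  salt: bytes = SAMPLE_SALT, rounds: int = TRANSFORM_ROUNDS) -> bool:
    """Constant-time comparison against the expected key. A real file header
    stores a check value derived from the key, never the key itself; the
    direct comparison here is only to keep the example short."""
    return hmac.compare_digest(unlock_key(password, keyfile, salt, rounds), expected_key)


if __name__ == "__main__":
    stored = unlock_key(SAMPLE_PASSWORD, SAMPLE_KEYFILE)
    print("password + key file   :", verify_unlock(SAMPLE_PASSWORD, SAMPLE_KEYFILE, stored))
    print("password alone        :", verify_unlock(SAMPLE_PASSWORD, None, stored))
    print("password + wrong file :", verify_unlock(SAMPLE_PASSWORD, b"not the key file", stored))
```

The second and third checks are the point of the key file: the correct password on its own, or paired with the wrong file, never produces the stored key, so a logged keystroke sequence is useless without the file that stays off the shared folder.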
KeePass also goes to some length to keep your passwords out of process memory in the clear, which keeps malicious software from picking passwords out of the running process’s memory. It can also be configured to automatically purge the computer’s clipboard after a set period of time, so that someone walking up to your computer and hitting paste doesn’t get lucky.
Workspace locking goes hand in hand with strong security, being itself a subset of the program’s security. You can easily configure KeePass to automatically re-lock your database after a period of system or KeePass inactivity, when the software is minimized, or when your workstation itself is locked. (I’ve noticed that it can sometimes pause the locking process when the database has changed, though this might have been resolved in recent updates.)
Intelligent Sync Management
KeePass surprised me with its intelligent management of file changes. If a user on my team alters the KeePass file (stored in a Dropbox folder we all have access to) while I have it open, KeePass prompts to merge their changes with any I may have made. Unless both of us happened to be editing the same record, the merge typically works perfectly, ensuring that all of our changes are current.
We store our KeePass file on our team’s Dropbox folder. We have a very strong password applied to that file, which we change frequently. We also require the use of a key file to unlock the database, which is NOT stored in our Dropbox. This file is distributed manually and only on a few systems. We also maintain several different databases, based on what access a user needs. Unfortunately, there isn’t a way to share a record amongst databases in order to keep it current, so this sort of functionality only goes so far, but if necessary, we’re able to quickly change all of the passwords we need to in the event of a personnel change or other problem.
Dropbox syncs the file as I described above, ensuring we’re all working off of the same copy of the file. If we wanted to, we could enforce a read-only rule that would have one member of the team making all password changes and entries, but this wouldn’t be very efficient for our team, and we trust our team members.
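The merge behaviour described above can be modelled as a three-way merge between the file as I opened it, my edited copy, and the copy Dropbox just wrote. The following is an added example (my own illustration, not KeePass’s merge implementation): a record changed on only one side is taken from that side, and a record changed on both sides is flagged as a conflict, with the newer version winning and the older one kept in the record’s history so nothing is silently lost. The entry ids, titles, passwords and timestamps are constructed sample data.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    """One password entry; `modified` is the entry's own last-change time."""
    title: str
    username: str
    password: str
    modified: datetime
    history: Tuple["Record", ...] = ()


Database = Dict[str, Record]


def merge(base: Database, mine: Database, theirs: Database) -> Tuple[Database, List[str]]:
    """Three-way merge keyed by entry id.

    base   = the file as it was when I opened it
    mine   = my in-memory copy with my edits
    theirs = the copy that just arrived from the shared folder
    Returns (merged, conflict ids).
    """
    merged: Database = {}
    conflicts: List[str] = []
    for key in set(base) | set(mine) | set(theirs):
        b, m, t = base.get(key), mine.get(key), theirs.get(key)
        if m == t:                       # identical on both sides (or deleted on both)
            if m is not None:
                merged[key] = m
        elif m == b:                     # only they changed or deleted it
            if t is not None:
                merged[key] = t
        elif t == b:                     # only I changed or deleted it
            if m is not None:
                merged[key] = m
        else:                            # both sides changed the same record
            conflicts.append(key)
            candidates = [r for r in (m, t) if r is not None]
            if len(candidates) == 1:     # edited on one side, deleted on the other: keep the edit
                merged[key] = candidates[0]
            else:                        # edited on both: newer wins, older goes into history
                newer, older = sorted(candidates, key=lambda r: r.modified, reverse=True)
                merged[key] = replace(newer, history=newer.history + (older,))
    return merged, sorted(conflicts)


def sample_merge() -> Tuple[Database, List[str]]:
    """Run the merge over constructed data: one clean edit per side, one new
    record on my side, and one record both of us edited."""
    t0 = datetime(2011, 1, 25, 9, 0, tzinfo=timezone.utc)
    t1, t2 = t0 + timedelta(minutes=5), t0 + timedelta(minutes=10)
    base: Database = {
        "db-prod": Record("Production DB", "app", "pw-old", t0),
        "sftp-client": Record("Client SFTP", "deploy", "sftp-old", t0),
    }
    mine = dict(base)
    mine["db-prod"] = replace(base["db-prod"], password="pw-mine", modified=t1)
    mine["dns"] = Record("DNS manager", "admin", "dns-new", t1)
    theirs = dict(base)
    theirs["sftp-client"] = replace(base["sftp-client"], password="sftp-theirs", modified=t1)
    theirs["db-prod"] = replace(base["db-prod"], password="pw-theirs", modified=t2)
    return merge(base, mine, theirs)


if __name__ == "__main__":
    merged, conflicts = sample_merge()
    for key, rec in sorted(merged.items()):
        print(f"{key:12} {rec.password:12} history={[h.password for h in rec.history]}")
    print("conflicts:", conflicts)
```

Flagging the conflict rather than resolving it silently is the important design choice: a teammate who sees `db-prod` listed can check whether the password they set is the one that is now live on the server, instead of discovering the mismatch at the next login.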
Unfortunately, KeePass isn’t built to play terribly kindly with OS X or Linux. KeePass is kept in two development variants: 1.x and 2.x, with 1.x being Windows- and WINE-compatible but missing some great features, and 2.x only working in Mono, to varying degrees of success (as far as those in our organization were concerned). A solution to this is KeePassX, which works natively in OS X/Linux, but which doesn’t support the kdbx file format used by 2.x. The KeePassX developer is looking to rebuild it to support kdbx, so hopefully we’ll see that problem reconciled in time, but for now, Mono may be your best bet, if you can get it to cooperate.
KeePass has a pretty great Android app that can work together with the Dropbox app to load your database, even if it requires both the password AND key file. I haven’t had a chance to use the iOS apps, but apparently they’re pretty nice as well. I generally use this in read-only mode exclusively, but it’s convenient nonetheless when you absolutely *need* a password. There’s also a plugin system that allows for some cool extensibility, and it’s actively being developed, so you’ll see updates hit on a regular basis. It’s also entirely free.
You can easily sort passwords into folders and sub-folders, assign icons to them, search through records, attach other encrypted data to each record, store record histories, and even have it perform a macro of keystrokes when “auto-typing” your password in. (This is useful if you need to select a database, for instance, from a dropdown. You can even have it launch a new browser tab, browse to the page in question, and go from there, though this requires a bit of configuration to get working.)
Overall, we’ve been very happy with KeePass. We weren’t willing to take the plunge and use an online, hosted solution to store our passwords, if we could avoid it. Because we control the encryption and access requirements, and because Dropbox is pretty secure in and of itself, I feel comfortable keeping our password database on Dropbox, encrypted with 256-bit AES under a strong password, and backed by a key file that is never stored in Dropbox.
This is a somewhat unique configuration for our smaller group, and you’ll likely need to modify it accordingly, but hopefully this can give you a great starting place for good password management with your team.
KeePass Password Manager (free!)