Tuesday 10 May 2016

KeePass: easing the pain of passwords

Having to live our virtual lives with a stack of user names and passwords is a real pain.

I guess many people will use the same password, or the same password root and just add a new suffix if forced to change (e.g. peterpassmore2016).

What with user leaks (where user-error allows passwords to be revealed) or company leaks (where a company accidentally releases user account details), we really should take internet security more seriously.

In the past I have either stored username/password details in my email system, or relied upon Firefox to keep track of them. Neither of these is a good idea.

If you are a Windows user, there are a lot of email scams which include an Office document attachment (usually a Word .doc file, but sometimes an Excel file) that may run VBA code. This code will attempt to find your ...\temp folder, build a CScript program, and then run this to pipe data out of your Outlook email client.
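Seen from the defender's side, the chain described above (Office document, then a script written to a temp folder, then CScript) leaves a recognisable process-creation pattern. The following is an added example, not part of the original post: the event records are constructed, and the field names `parent`, `image` and `cmdline` are assumptions standing in for whatever your process-creation log provides.

```python
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe"}   # Word and Excel, as named above
SCRIPT_HOST = "cscript.exe"
TEMP_PARTS = {"temp", "tmp", "%temp%", "%tmp%"}  # folder names treated as "temp"

# Constructed sample events; field names are hypothetical.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "C:\Users\alice\AppData\Local\Temp\a1.vbs"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\backup.vbs"},
    {"parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\splwow64.exe",
     "cmdline": r"splwow64.exe 8192"},
    {"parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\CScript.exe",
     "cmdline": r"CScript.exe %TEMP%\x.js"},
]

def basename(path):
    return PureWindowsPath(path).name.lower()

def script_args(cmdline):
    """Return arguments after the program name, skipping //host switches."""
    tokens = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return [t for t in tokens[1:] if not t.startswith("//")]

def in_temp(path):
    return any(p.lower() in TEMP_PARTS for p in PureWindowsPath(path).parts)

def flag_office_script_chain(events):
    """Flag Office -> cscript launches whose script lives in a temp folder."""
    hits = []
    for ev in events:
        if basename(ev["parent"]) not in OFFICE_PARENTS:
            continue
        if basename(ev["image"]) != SCRIPT_HOST:
            continue
        temp_scripts = [a for a in script_args(ev["cmdline"]) if in_temp(a)]
        if temp_scripts:
            hits.append((basename(ev["parent"]), temp_scripts[0]))
    return hits
```

Only the first and last sample events are flagged: the second has a non-Office parent and the third is an Office child that is not the script host.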

I don't use Outlook or Windows, but I'm sure there are other email-related vulnerabilities I should be worried about.

As for passwords in Firefox, I have to be very careful when I upgrade Linux or move my Home data, to ensure that this password data is not lost. And now that I use SSBs the whole password management problem has just got worse.

A time to reflect

I retired recently, but in the 7 years leading up to this point, I have been using an excellent application in my working life called KeePass. For Debian based Linux systems, just open Synaptic and search for KeePass.

For Windows or iOS just go to the download page and select the latest Pro version.

In the left pane you can add or remove groups that have some meaning to you via the right click menu, and order them as required.

In the right pane you can use the right click menu to add entries for specific accounts. When you add an entry, KeePass creates a random password for you. But you can simply overwrite this with one of your own, if you prefer.

How secure?

Of course you have to remember the password to access KeePass, but once in, you can access all other account, username, and password details. You can also include other important stuff like National Insurance, driving license and Passport numbers.

My partner has my master KeePass password (but not the KeePass database) and I have hers. We keep KeePass on our laptops and recent backups of the KeePass databases on memory sticks that are only used for archiving (i.e. not used on a day-to-day basis).

I have not made any attempt to store this stuff on the Cloud, since it wouldn't benefit us, and may create other security issues.
