These days you really need a strong, unique password for almost everything you do online. To make matters even worse for the average user, security nuts will tell you that you actually need a different password for essentially every account you hold. Why? Consider the following scenario:
Little Timmy signs up for Facebook using his super secret password @wesomeS@auce3!. This password is so strong and good that even he can hardly remember it. Then he wants a Twitter account so he goes and signs up there using the same password. Some time passes and Timmy’s Twitter account is hacked. Using his associated e-mail address they try the same e-mail and password on Facebook (because it is a popular website that most people belong to) and lo and behold they have access. Little Timmy’s virtual life falls apart around him.
What to do?
So what can you do about it? Well for one don’t use the password above because now it is all over the internet. For two use strong unique passwords for each website you care about. What do I mean by that? Well in the above example Timmy clearly cared about both Facebook and Twitter so he should have used different passwords for each. That way when his hypothetical Twitter account became hacked the attackers couldn’t use the same password to gain access to his Facebook account. That said it is always good to have a throw away password or two to use on those one-off websites that you will either never visit again or don’t care if they get compromised. Third either remember all of these unique passwords in your super genius conehead sized brain or use a password safe to make it easy on yourself.
A password safe is essentially a program that allows you to maintain a number of different passwords while only having to remember one. Essentially you enter a master password into the program and this acts as your key to unlock all of your others passwords. That way you (technically) only have to remember one password at a time (the master password) and you only have one password to change on a regular basis (although you should obviously refresh your other passwords every so often as well). A number of these programs exists (such as LastPass, etc.) but personally I prefer KeePass.
KeePass comes in two flavours: version 1.x (which is technically now legacy) and version 2.x (which is current). Beyond feature set the biggest difference is that version 2.x requires the .NET Framework (or Mono) and version 1.x doesn’t. For the purposes of this post I’ll be focusing on version 2.x.
KeePass has a number of great features that make it indispensable in my day-to-day computing life. While the full feature list is actually quite long I’ll just list the most useful or important ones here:
- Open source which means that the source code has been looked at and checked over for any sort of backdoor or other nonsense that a potentially evil author would code into it. This is very important when you’re considering placing all of your password eggs in one proverbial basket.
- When you create a new password entry you can store any sort of arbitrary information along with it:
- All of your passwords are stored completely encrypted including all comments, website URLs and user names. This is incredibly convenient because it allows you to safely do things like create an entry containing you credit card information. Never again will you have to hunt down your wallet to make that spur of the moment online purchase!
- It is portable – you can run it straight off of a USB stick, no installation required!
- Rule based, strong password generator. Having a long, strong, password is very important but remembering one is very hard. Instead why not have KeePass generate a per-website, completely random, strong password for you? Using a website that for some reason doesn’t like special characters or only allows up to a 12 character password? No problem just change the rule set you use when you generate that particular password.
Here are some examples of random passwords I just generated now:
- Cross-platform – KeePass has implementations on almost every platform. Version 1.x runs on Windows, Mac and Linux (via KeePassX). Version 2.x runs on Windows, Mac and Linux (using Microsoft’s .NET or the open source Mono). There are even versions of it for Android, iPhone and others.
- Auto-type – this is by far the best feature. Even if you, for some reason, didn’t want to use any other feature that KeePass has to offer, its Auto-type functionality alone is worth the install. Essentially you tell KeePass what window to look for (for instance Firefox browsing my bank’s website) and how it should type things for you (usually user name, tab, password, enter). Then you set up some key combination you want to use (like Ctrl + Alt + A) and KeePass does all of the typing for you. Now when I want to enter one of those crazy strong and super random passwords I don’t have to type it out or even copy and paste. I simply click my mouse in the user name field and press Ctrl + Alt + A. The genius of this is that it can work for all accounts on your computer not just website ones – for instance I use it at work to keep track of my passwords for our internal programs.
WHO IS PAYING YOU?
All of this praise may make it seem like I’m getting paid to write this article but that isn’t the case (not that I would turn the money down mind you *hint hint*…). KeePass is just one of those programs I use daily that does so many things right I can’t help but like it. So in conclusion give it, or a similar password store, a try and make your online presence more resilient to password hacking. Let me know which password safes you think are awesome.
Previously I was running KDE 4.3.3 on top of Fedora 11 (for the first experiment) and KDE 4.6.5 on top of Gentoo (for the second experiment).