Archive

Posts Tagged ‘security’

Trying out KeePassX

October 23rd, 2016 No comments

KeePassX is an independent implementation of the popular password manager that supports the KeePass (kdb) and KeePass2 (kdbx) database formats. Like the official KeePass application, KeePassX is open source but the main difference is that KeePass requires Microsoft’s .NET framework or the Mono runtime to be installed whereas KeePassX does not.

The feature list from their website shows that KeePassX offers:

  • Extensive management
    • title for each entry for its better identification
    • possibility to determine different expiration dates
    • insertion of attachments
    • user-defined symbols for groups and entries
    • fast entry dublication
    • sorting entries in groups
  • Search function
    • search either in specific groups or in complete database
  • Autofill (experimental)
  • Database security
    • access to the KeePassX database is granted either with a password, a key-file (e.g. a CD or a memory-stick) or even both.
  • Automatic generation of secure passwords
    • extremly customizable password generator for fast and easy creation of secure passwords
  • Precaution features
    • quality indicator for chosen passwords
    • hiding all passwords behind asterisks
  • Encryption
    • either the Advanced Encryption Standard (AES) or the Twofish algorithm are used
    • encryption of the database in 256 bit sized increments
  • Import and export of entries
    • import from PwManager (*.pwm) and KWallet (*.xml) files
    • export as textfile (*.txt)
  • Operating system independent
    • KeePassX is cross platform, so are the databases, as well
  • Free software
    • KeePassX is free software, published under the terms of the General Public License, so you are not only free to use it free of charge, but also to redistribute it, to examine and/or modify it’s source code and to publish your modifications as long as you provide the same freedoms for your modified version.

I’ve been a long time user of KeePass and figured I would check out KeePassX to see if there were any advantages to making the switch. Opening up my existing KeePass2 database was a breeze and even the ‘experimental’ autofill seemed to work just fine. I should also point out that, at least on Linux, KeePassX seems to be much quicker and definitely feels more native compared to the WinForms+Mono official version (I imagine the opposite is true while running on Windows).

The password generation tool for KeePassX is also very similar to the one in the official KeePass however they’ve opted for some defaults which could actually reduce the randomness, and thus security, of a password: exclude look-alike characters, ensure that the password contains characters from every group, etc.

The Password Generator in the official KeePass application

The Password Generator in the official KeePass application

These defaults do make it a bit easier to read or transcribe the passwords should you ever need to and given a long enough password the impact on security should be minimal.

The Password Generator in KeePassX

The Password Generator in KeePassX

So what are my feelings on KeePassX overall? In my limited use it seems like an excellent alternative to the official KeePass application and one that may almost be preferred on non-Windows platforms. I think I’ll be making the switch to KeePassX for my Linux-based installs.

Update: after some slow progress a few developers decided to fork the KeePassX project over at KeePassX Reboot. We’ll have to see how things with this fork play out but I wanted to mention it here in case you decided that the fork was the better version for you.




I am currently running a variety of distributions, primarily Linux Mint 18.
Previously I was running KDE 4.3.3 on top of Fedora 11 (for the first experiment) and KDE 4.6.5 on top of Gentoo (for the second experiment).

Ubuntu 16.04 VNC woes? Try this!

October 2nd, 2016 No comments

You may recall a few years back I made a very similar post about Ubuntu 14.04’s ‘VNC woes’. Well unfortunately it seems things have changed slightly between 14.04 and 16.04 and now the setting that once fixed everything now doesn’t persist and is only good for that session. Thankfully it is pretty easy to adapt the existing work around into a script that gets run on startup in order to ‘fix it’ forever. Note that these steps should also work on any Ubuntu derivatives such as Linux Mint 18, etc.

Credit goes to the excellent post over at ThinkingMedia for confirming that the fix is basically the same as the one I had for 14.04. What follows is their instructions on creating a start up script:

1. Create a text file called vino-fix.sh and place the following in it:

#!/bin/bash
export DISPLAY=0:0
gsettings set org.gnome.Vino require-encryption false 

2. Modify the file’s permissions so that it becomes executable. You can do this via the terminal with the following command:

chmod +x vino-fix.sh

3. Create a new startup application and point it at your script. Now every time you reboot it will run that script for you and ‘fix’ the issue.

One last thing I should point out – this work around disables the built in VNC encryption. Generally I would absolutely not recommend disabling any sort of security like this however VNC at its core is not really a secure protocol to begin with. You are far better off setting up VNC to only listen to local connections and then using SSH+VNC for your secure remote desktop needs. Just my two cents.




I am currently running a variety of distributions, primarily Linux Mint 18.
Previously I was running KDE 4.3.3 on top of Fedora 11 (for the first experiment) and KDE 4.6.5 on top of Gentoo (for the second experiment).

KeePass: The Cross-platform Password Safe

December 20th, 2012 1 comment

These days you really need a strong, unique password for almost everything you do online. To make matters even worse for the average user, security nuts will tell you that you actually need a different password for essentially every account you hold. Why? Consider the following scenario:

Little Timmy signs up for Facebook using his super secret password @wesomeS@auce3!. This password is so strong and good that even he can hardly remember it. Then he wants a Twitter account so he goes and signs up there using the same password. Some time passes and Timmy’s Twitter account is hacked. Using his associated e-mail address they try the same e-mail and password on Facebook (because it is a popular website that most people belong to) and lo and behold they have access. Little Timmy’s virtual life falls apart around him.

Think I’m being paranoid? Take a look at these examples and adjust your tin foil hat accordingly.

What to do?

So what can you do about it? Well for one don’t use the password above because now it is all over the internet. For two use strong unique passwords for each website you care about. What do I mean by that? Well in the above example Timmy clearly cared about both Facebook and Twitter so he should have used different passwords for each. That way when his hypothetical Twitter account became hacked the attackers couldn’t use the same password to gain access to his Facebook account. That said it is always good to have a throw away password or two to use on those one-off websites that you will either never visit again or don’t care if they get compromised. Third either remember all of these unique passwords in your super genius conehead sized brain or use a password safe to make it easy on yourself.

Password Safes

A password safe is essentially a program that allows you to maintain a number of different passwords while only having to remember one. Essentially you enter a master password into the program and this acts as your key to unlock all of your others passwords. That way you (technically) only have to remember one password at a time (the master password) and you only have one password to change on a regular basis (although you should obviously refresh your other passwords every so often as well). A number of these programs exists (such as LastPass, etc.) but personally I prefer KeePass.

KeePass

KeePass comes in two flavours: version 1.x (which is technically now legacy) and version 2.x (which is current). Beyond feature set the biggest difference is that version 2.x requires the .NET Framework (or Mono) and version 1.x doesn’t. For the purposes of this post I’ll be focusing on version 2.x.

KeePass has a number of great features that make it indispensable in my day-to-day computing life. While the full feature list is actually quite long I’ll just list the most useful or important ones here:

  • Open source which means that the source code has been looked at and checked over for any sort of backdoor or other nonsense that a potentially evil author would code into it. This is very important when you’re considering placing all of your password eggs in one proverbial basket.
  • When you create a new password entry you can store any sort of arbitrary information along with it:

    New Password Entry

    New Password Entry

  • All of your passwords are stored completely encrypted including all comments, website URLs and user names. This is incredibly convenient because it allows you to safely do things like create an entry containing you credit card information. Never again will you have to hunt down your wallet to make that spur of the moment online purchase!
  • It is portable – you can run it straight off of a USB stick, no installation required!
  • Rule based, strong password generator. Having a long, strong, password is very important but remembering one is very hard. Instead why not have KeePass generate a per-website, completely random, strong password for you? Using a website that for some reason doesn’t like special characters or only allows up to a 12 character password? No problem just change the rule set you use when you generate that particular password.
    Password Generator

    Password Generator

    Here are some examples of random passwords I just generated now:

    Lots of random passwords!

    Lots of random passwords!

  • Cross-platform – KeePass has implementations on almost every platform. Version 1.x runs on Windows, Mac and Linux (via KeePassX). Version 2.x runs on Windows, Mac and Linux (using Microsoft’s .NET or the open source Mono). There are even versions of it for Android, iPhone and others.
  • Auto-type – this is by far the best feature. Even if you, for some reason, didn’t want to use any other feature that KeePass has to offer, its Auto-type functionality alone is worth the install. Essentially you tell KeePass what window to look for (for instance Firefox browsing my bank’s website) and how it should type things for you (usually user name, tab, password, enter). Then you set up some key combination you want to use (like Ctrl + Alt + A) and KeePass does all of the typing for you. Now when I want to enter one of those crazy strong and super random passwords I don’t have to type it out or even copy and paste. I simply click my mouse in the user name field and press Ctrl + Alt + A. The genius of this is that it can work for all accounts on your computer not just website ones – for instance I use it at work to keep track of my passwords for our internal programs.

WHO IS PAYING YOU?

All of this praise may make it seem like I’m getting paid to write this article but that isn’t the case (not that I would turn the money down mind you *hint hint*…). KeePass is just one of those programs I use daily that does so many things right I can’t help but like it. So in conclusion give it, or a similar password store, a try and make your online presence more resilient to password hacking. Let me know which password safes you think are awesome.

This post originally appeared on my personal website here.




I am currently running a variety of distributions, primarily Linux Mint 18.
Previously I was running KDE 4.3.3 on top of Fedora 11 (for the first experiment) and KDE 4.6.5 on top of Gentoo (for the second experiment).

A Matter of Opinion

July 19th, 2010 No comments

Tonight I installed VirtualBox, an incredibly handy virtualization program that lets me run instances of Windows and other Linux distributions from the comfort of my Linux Mint 9 Isadora desktop. Upon installing the latest version in my repositories, I launched the program, only to be confronted by a dialog box offering a link to a newer version of the program available on its website. So I clicked the link, and downloaded the *.deb of the new version. My package manager started up, tried to install the new package, and complained that it conflicted with the existing VirtualBox install. So I opened synaptic, uninstalled the version of VirtualBox that I got from my repositories, and finally installed the most recent version from the website.

So here’s my question, and please feel free to leave your opinion in the comments below: Should Linux applications warn the user about updates that are not available from their repositories?

On one hand, I like having up to date software, but on the other, package maintainers work hard to ensure that everything that ships with a stable distribution plays well together, and probably don’t appreciate these apps leading users outside of their carefully curated repositories. From a security-oriented point of view, this is also bad practice, as much of the security that is inherent in Linux comes from the fact that the vast majority of the software that you install has been vetted by the package maintainers who work to ensure that your distribution is safe and stable. And surely the guys who program VirtualBox, being the insanely awesome ninja-powered pirate wizards that they are, could have come up with a way to update my install without my having to uninstall and re-install an entirely new version. Just sayin’

Chime in with your opinion in the comments below.




On my Laptop, I am running Linux Mint 12.
On my home media server, I am running Ubuntu 12.04
Check out my profile for more information.