Pretty Good Password Management

I hate passwords. And yet my electronic life is full of them. I don’t understand why in 2005 I still have to use such an annoying means as passwords to authenticate myself. You would think that there would be a better authentication solution like digital certificates that industry would universally embrace. But that would require, like, work, coordination and money! So for now and likely for the indefinite future systems designers will continue to play in the safety of their own sandboxes and throw yet more passwords and password management schemes at us. Someone hand me some aspirin!

So we are stuck with those damned and annoying passwords. Every year I have more passwords to maintain. Each site seems to have varying policies on if or how often I must change my password, and how complex my password must be. I had to change my Lotus Notes Internet Password today. I have been avoiding it for weeks because it is such a hassle. My agency requires a password of at least eight characters, one of which must be a special character such as the # sign and one of which must be a number. But the first character must not be an alphabetical character. It made my head hurt just trying to think up a password I’d remember with these bizarre rules.

Pretty much every day I struggle to recall my passwords. And of course I am constantly forced to change them. When I change them many systems won’t let me reuse old passwords, or use any variant of a password that looks like another password I used. Some won’t allow me to use any word that is in the dictionary. All this complexity means that many of us just write the darn things on pieces of paper, which defeats the purpose of creating complex passwords in the first place. The reality is that password schemes are so complicated these days that we can’t put them all into our memory.

Browsers are much better at remembering passwords. This does help but opens up another vulnerability: anyone who can sit down at your computer can potentially get into systems accessed over the Internet. Internet Explorer encrypts passwords. The browser I use, Mozilla Firefox, does not encrypt passwords by default. Over time though our numerous Internet passwords become important. I really need to carry them around with me but they are tied to my machine. Neither browser is smart enough yet to read passwords by default from portable devices like Flash drives. Clever people can move passwords managed by browsers from machine to machine but it is not intuitive and it’s a hassle. So mostly we don’t do it.

But today I tried out a free solution that, while not perfect, is a step in the right direction. It’s probably too much of a hassle to use if most of the systems you access are over the Internet. But if you are like me and you have to authenticate yourself to your computer, the network, the email system, the payroll system, the training system, the travel system and any other number of systems scattered here and there then Keepass may be a solution to check out.

First of all it’s free. I always prefer free if I have the option. Second, it’s open source so it is not proprietary. Third, it keeps a doubly encrypted password database. Using highly secure encryption algorithms it is unlikely anyone but the NSA would be able to decrypt it. And fourth, it’s reasonably portable. I created a password database on my Flash drive. I can also put the Keepass application on my Flash drive. It doesn’t need to be installed! And I can use it on any Windows computer from Windows 95 to Windows XP. Perhaps some day they will have versions that work on a Mac or on a Linux desktop. But right now it only does Windows.

You can authenticate yourself to Keepass with a master password or pass phrase of your choosing. Once activated you can use it to get to any of your passwords. You select the password you want from your Keepass database and press a button that places it in the Windows clipboard. Then you just paste it (quickly) where you need it. Although the password lives in the clipboard, it doesn’t stay there for long. (The default is ten seconds.) Minimize Keepass and it requires that you reenter the master password or pass phrase if you need to use it again.

It would be better if it filled in the password for you automatically. But it does have a nice feature for Internet passwords where you can put the URL into the database. Click on it and it takes you to the password page for that system. That saves some time.

There are additional security features you can enable if you want. In addition to a master password or pass phrase you can create a key disk, which is a file that will open the database. With this option you have to point it to the file containing the key disk. Since the computer’s hard disk typically has hundreds of thousands of files on it, it is pretty unlikely that someone will accidentally choose the right file. Used together with a master password or pass phrase, you have two forms of authentication, which is doubly secure.
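To make the two mechanisms described above concrete (the clipboard that forgets the password after a timeout, and the key file that must be supplied together with the master pass phrase), here is an added, self-contained Python sketch. It is example code written for this page, not KeePass’s own format or source: the database layout, the PBKDF2 settings and the HMAC-SHA256 counter-mode cipher are assumptions chosen so the script runs with only the standard library (a real manager would use a vetted cipher such as AES), and the entries are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample entries standing in for a user's password database.
SAMPLE_ENTRIES = {
    "payroll": {"user": "jdoe", "password": "correct-horse-battery-staple"},
    "travel": {"user": "jdoe", "password": "Tr4vel!2005"},
}

PBKDF2_ROUNDS = 200_000  # assumed work factor; not a KeePass setting


def composite_key(master_password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Derive one 32-byte key from the master pass phrase and (optionally) a key file.

    Both inputs feed the same derivation, so a database locked with both
    cannot be opened with either one alone. A missing key file is treated as
    an empty contribution, which is why 'password only' yields a different key.
    """
    file_digest = hashlib.sha256(key_file).digest() if key_file is not None else b""
    material = master_password.encode("utf-8") + b"\x00" + file_digest
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS, dklen=32)


def _subkeys(key: bytes):
    """Split the derived key into independent encryption and MAC keys."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher (demo construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_database(entries: dict, master_password: str, key_file: Optional[bytes] = None) -> bytes:
    """Serialize, encrypt and authenticate the entries. Layout: salt|nonce|ciphertext|tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(composite_key(master_password, key_file, salt))
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_database(blob: bytes, master_password: str, key_file: Optional[bytes] = None) -> dict:
    """Reverse lock_database; raises ValueError on a wrong secret or a modified file."""
    if len(blob) < 16 + 16 + 32:
        raise ValueError("database file too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _subkeys(composite_key(master_password, key_file, salt))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time compare; check the tag before touching the ciphertext.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or key file, or the file was tampered with")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def unlock_succeeds(blob: bytes, master_password: str, key_file: Optional[bytes] = None) -> bool:
    """Convenience wrapper: True if the database opens with these secrets."""
    try:
        unlock_database(blob, master_password, key_file)
        return True
    except ValueError:
        return False


class TimedClipboard:
    """Models a clipboard that forgets its contents after `ttl_seconds`.

    The clock is injectable so the expiry can be checked without sleeping;
    the ten-second default mirrors the behaviour the post describes.
    """

    def __init__(self, ttl_seconds: float = 10.0, clock=time.monotonic):
        self._ttl, self._clock = ttl_seconds, clock
        self._text, self._expires = None, 0.0

    def copy(self, text: str) -> None:
        self._text, self._expires = text, self._clock() + self._ttl

    def paste(self) -> Optional[str]:
        if self._text is not None and self._clock() >= self._expires:
            self._text = None  # wiped: a later paste gets nothing
        return self._text


if __name__ == "__main__":
    key_file = b"constructed key-file contents"
    vault = lock_database(SAMPLE_ENTRIES, "master pass phrase", key_file)
    print("both factors:", unlock_succeeds(vault, "master pass phrase", key_file))
    print("password only:", unlock_succeeds(vault, "master pass phrase"))
```

The point a defender should take from the script is in `composite_key` and `unlock_database`: the key file is not a second lock bolted on beside the pass phrase, it is mixed into the one key that decrypts the database, so losing either input makes the tag check fail and nothing is decrypted. The `TimedClipboard` shows the other side of the workflow: once the timeout elapses, `paste()` returns nothing, which limits how long a copied password is exposed to any other program reading the clipboard.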

There are some downsides. If you lose the master password you are generally stuck. There is no password recovery method. But most of us can remember the one master password or pass phrase. So it’s usually not a problem. You will probably want to back up your password databases periodically to other media like a Flash drive to protect yourself from catastrophic password failure.

For now Keepass works for me. It’s easier than thinking and a heck of a lot less aggravating!
