
Sheogorath's Blog

KeePass - The place for all your keys and passwords


Secure passwords are needed these days. Using each password only once, for exactly one account, improves security a lot: a breach of one site then can't be replayed against the others. It's also important to use long passwords; more than 16 characters is a good target. Complex passwords (mixed character classes) help as well, but less than length does.

For secure passwords length is more important than being complex

As the well-known XKCD comic on password strength shows, sometimes less complexity is better than more: a long passphrase of random words beats a short string of symbols and digits, and it is a lot easier to remember.

But unless you have an eidetic memory it's hard to memorize 100 passwords for the 100 different websites you're registered on.

The solution: a password safe.

KeePass

KeePass (2.x) is a powerful open source tool and works on Windows and Linux alike (on Linux it runs on Mono).

It allows you to generate passwords with different patterns and lengths. It stores them in a database encrypted with AES-256 (KeePass 1.x can also use Twofish). Unlike the Windows Credential Manager or LastPass it doesn't store them in a cloud: the database file stays wherever you put it, which keeps your passwords secret and you in control.

Store your passwords in the Cloud

The downside of storing passwords locally is that you can't easily use them on multiple devices. To solve this problem KeePass is able to synchronize database files with each other.

Synchronizing merges the two databases instead of copying one over the other. So if you change your password for website A on device A and for website B on device B, you can just synchronize the databases and end up with both changes, without losing anything. This matters because most cloud storages like OneDrive, Google Drive or Dropbox, and even ownCloud, simply replace the file with the newest upload or keep several versions of it side by side; the change made on the other device is either silently lost or ends up in a conflict copy you have to reconcile by hand. Synchronization isn't limited to local files: by using URLs it's possible to synchronize your database directly with a file on your cloud storage.

By default synchronization is a one-shot operation (File > Synchronize). But you can add triggers (Tools > Triggers) which automate tasks, and synchronizing the active database with a file or URL is one of the available actions, so you can for example synchronize with the remote copy every time the database is saved.
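To make the difference between "replace the file" and "merge the databases" concrete, here is a small model written for this post (it is not KeePass code). It replays the scenario above: two copies of one database diverge on two devices, then are combined once the way a plain cloud client does it (the file uploaded last wins as a whole) and once the way KeePass's Synchronize does it (per entry, the copy with the newer LastModificationTime wins). The entries and timestamps are constructed; KeePass additionally keeps the losing version in the entry history and tracks deleted objects, which the model leaves out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of KeePass-style per-entry merging versus whole-file
# replacement. Illustrative only; not KeePass's own synchronization code.


@dataclass(frozen=True)
class Entry:
    uuid: str
    title: str
    password: str
    last_modified: datetime


def newest_change(db: dict) -> datetime:
    return max(e.last_modified for e in db.values())


def plain_file_sync(local: dict, remote: dict) -> dict:
    """What a plain cloud client does: the file saved last wins as a whole."""
    return dict(local) if newest_change(local) >= newest_change(remote) else dict(remote)


def keepass_style_merge(a: dict, b: dict) -> dict:
    """Per-entry merge keyed by UUID; the newer modification time wins per entry."""
    merged = {}
    for uuid in set(a) | set(b):
        ea, eb = a.get(uuid), b.get(uuid)
        if ea is None or eb is None:          # entry exists only on one side
            merged[uuid] = ea if eb is None else eb
        else:
            merged[uuid] = ea if ea.last_modified >= eb.last_modified else eb
    return merged


def diverge_and_sync():
    """Replay the scenario from the text; return (file-replace result, merge result)."""
    t0 = datetime(2016, 3, 27, 12, 0)
    base = {
        "A": Entry("A", "website A", "old-a", t0),
        "B": Entry("B", "website B", "old-b", t0),
    }
    # Device A changes website A at 12:05, device B changes website B at 12:10.
    device_a = dict(base)
    device_a["A"] = Entry("A", "website A", "new-a", t0 + timedelta(minutes=5))
    device_b = dict(base)
    device_b["B"] = Entry("B", "website B", "new-b", t0 + timedelta(minutes=10))

    overwritten = plain_file_sync(device_a, device_b)
    merged = keepass_style_merge(device_a, device_b)
    return (
        {k: e.password for k, e in overwritten.items()},
        {k: e.password for k, e in merged.items()},
    )


if __name__ == "__main__":
    replaced, merged = diverge_and_sync()
    print("file replaced:", replaced)   # device A's change is gone
    print("merged:       ", merged)     # both changes survive
```

With plain file replacement device B's upload is newer, so the new password for website A never makes it into the shared copy; with the merge both changes survive.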

As an example, I use my home NAS to synchronize my database between my Arch Linux notebook and my Microsoft Surface running Windows.

KeePass plugins - Unlock the real power

KeePass has a really powerful plugin interface that reveals its true power by letting you customize it for your own purposes.

Password Counter - Unify your passwords

Using the same password for multiple targets is less secure: one breached site exposes all of them. In most cases you don't restart your digital existence when you start using KeePass, so you may have a lot of password duplicates across different sites, tools, etc. The "Password Counter" plugin helps you improve this. It shows you which passwords are saved multiple times in your database. Now you can relax and change the duplicates over time, starting with the accounts that matter most.
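The same check can be done on a KeePass XML export (File > Export > KeePass XML), which is handy for a one-off audit or for a database on a machine without the plugin. The scanner below is example code written for this post, not the Password Counter plugin's own logic; the export it parses is a constructed sample in the layout of a KeePass 2.x XML export, reduced to the fields the scan needs. Two details matter in practice: the copies under an entry's History element are old versions and must not be counted as reuse, and the report is keyed by a hash of the password so that no plaintext ends up in whatever you print or log.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a KeePass 2.x XML export. Real exports
# carry many more elements (Meta, Times, AutoType, ...); only what the scan
# needs is included. Example code added to this post, not plugin code.
SAMPLE_EXPORT = """<KeePassFile>
  <Root>
    <Group>
      <Name>Root</Name>
      <Entry>
        <UUID>AAAAAAAAAAAAAAAAAAAAAA==</UUID>
        <String><Key>Title</Key><Value>Shop A</Value></String>
        <String><Key>UserName</Key><Value>alice</Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">hunter2</Value></String>
      </Entry>
      <Entry>
        <UUID>BBBBBBBBBBBBBBBBBBBBBB==</UUID>
        <String><Key>Title</Key><Value>Forum B</Value></String>
        <String><Key>UserName</Key><Value>alice</Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">hunter2</Value></String>
        <History>
          <Entry>
            <String><Key>Title</Key><Value>Forum B</Value></String>
            <String><Key>Password</Key><Value ProtectInMemory="True">old-forum-pw</Value></String>
          </Entry>
        </History>
      </Entry>
      <Group>
        <Name>Work</Name>
        <Entry>
          <UUID>CCCCCCCCCCCCCCCCCCCCCC==</UUID>
          <String><Key>Title</Key><Value>VPN</Value></String>
          <String><Key>UserName</Key><Value>a.smith</Value></String>
          <String><Key>Password</Key><Value ProtectInMemory="True">hunter2</Value></String>
        </Entry>
        <Entry>
          <UUID>DDDDDDDDDDDDDDDDDDDDDD==</UUID>
          <String><Key>Title</Key><Value>Wiki</Value></String>
          <String><Key>Password</Key><Value ProtectInMemory="True">Tr0ub4dor&amp;3</Value></String>
        </Entry>
      </Group>
    </Group>
  </Root>
</KeePassFile>
"""


def entry_fields(entry):
    """Map an <Entry>'s <String> children to {Key: Value}."""
    return {s.findtext("Key"): s.findtext("Value") or "" for s in entry.findall("String")}


def current_entries(group):
    """Yield (title, password) for live entries, recursing into subgroups.

    Only direct <Entry> children of a <Group> are current. The <Entry>
    elements under <History> are previous versions and are skipped, otherwise
    a password you already rotated would still show up as reused.
    """
    for entry in group.findall("Entry"):
        fields = entry_fields(entry)
        yield fields.get("Title", ""), fields.get("Password", "")
    for sub in group.findall("Group"):
        yield from current_entries(sub)


def find_reused_passwords(xml_text):
    """Return {sha256(password): [titles]} for every password used more than once."""
    root = ET.fromstring(xml_text)
    by_hash = defaultdict(list)
    for top in root.findall("./Root/Group"):
        for title, password in current_entries(top):
            if password:                       # empty passwords are a different problem
                digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
                by_hash[digest].append(title)
    return {h: titles for h, titles in by_hash.items() if len(titles) > 1}


if __name__ == "__main__":
    for titles in find_reused_passwords(SAMPLE_EXPORT).values():
        print("same password in:", ", ".join(titles))
```

Delete the export as soon as you are done with it: unlike the .kdbx file it is plaintext.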

Favicon Downloader - Beautify your password entries easily

The "Favicon Downloader" is a little plugin which beautifies your password entries. In KeePass you can set an icon for each entry. This plugin downloads the favicon of the website named in the URL field and sets it as the entry icon. Keep in mind that it has to contact every site in your database to do that.

KeePassHttp - KeePass as Firefox password store

Really useful is the KeePassHttp plugin. It lets applications interact with your KeePass database over an HTTP interface bound to localhost; each client has to be associated with the database once before it can request credentials. It is used by several external tools to communicate with KeePass, like PassIFox, ChromeIPass (Update: no longer available), Dash and NotesIPass.

PassIFox replaces the internal password storage of Firefox and stores all your passwords in KeePass.

Replacing the internal password storage means you keep using the browser's usual password prompts. So if you register on a web page and the browser asks whether it should remember the password, the credentials are stored in KeePass instead of the browser's own store. Using the browser's native auto-fill for passwords makes it a really useful tool.

I really love this solution. There is just one little problem I noticed: if you use Firefox Sync to sync your bookmarks, history, etc. (remember to disable password sync, otherwise your passwords end up on Mozilla's servers after all), you have to unlock your KeePass database before starting Firefox.

KeeAgent - Use KeePass as SSH-agent

Many people use an SSH agent. If you have multiple SSH keys it's annoying to keep them in sync across all your devices. You also have to secure them by storing them encrypted, and loading them into ssh-agent on startup results in multiple passphrase prompts. Annoying!

KeePass + KeeAgent -> Works!

KeeAgent takes that role and replaces tools like ssh-agent or Pageant. After installing it you simply create a new entry and enter the passphrase of your encrypted SSH key as its password. Now you switch to the attachments tab and attach your private key file to this entry.

Finally you switch to the KeeAgent tab, allow KeeAgent to use this entry, select the key from the attachment and enable the options to load the key when the database is opened and to unload it when the database is locked. That's it. Now you only need to unlock your database and start working with SSH. Because the key file lives inside the encrypted database, it is synchronized to your other devices together with everything else.

By the way, if your SSH client requests a key from KeeAgent while your database is locked, KeeAgent automatically brings up the unlock dialogue. On Windows it speaks the Pageant protocol that PuTTY and friends use; on Linux you point SSH_AUTH_SOCK at the Unix socket KeeAgent provides, and ssh-add -l should then list the loaded key.

KeeChallenge - Use your YubiKey with KeePass

The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public key encryption and authentication, and the Universal 2nd Factor protocol developed by the FIDO Alliance.

(Wikipedia, 27.03.2016)

YubiKeys are useful and make your password database more secure. KeePass can combine several components (password, key file, or a key provider plugin) into the master key that encrypts your database. At first I used one-time passwords (OTP) with OtpKeyProv. Then I pressed my YubiKey by accident (every press generates a new OTP), and because I had configured it strictly (accepting only the very next OTP in the sequence) the token was out of sync with the database, and I lost access to my whole password database. HORROR!!!

So I started searching for a better solution and found: KeeChallenge.

KeeChallenge uses a challenge-response mechanism instead of a one-time password. The YubiKey's HMAC-SHA1 slot always returns the same response to the same challenge, so an extra press can't put anything out of sync, which rules out my first mistake. Do keep a copy of the HMAC secret you program into the YubiKey in a safe place, though: without either the YubiKey or that secret the database can no longer be opened.

Every time you unlock your database you plug your YubiKey into a USB port of your device and enter your database password. Now the YubiKey's light starts blinking and you touch the button to unlock your database. Easy and secure.
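Why the accident above locks you out with a counter-based OTP but is harmless with challenge-response is easiest to see in code. The model below was written for this post and reproduces only the property that matters, not OtpKeyProv or KeeChallenge themselves: the OTP side is modelled on HOTP (RFC 4226), a counter the token advances on every press and a key provider that accepts codes only within a small look-ahead window; the challenge-response side is HMAC-SHA1, which is what the YubiKey's challenge-response slot computes. Secrets, challenge and the way the response is folded into a master key are all constructed.

```python
import hashlib
import hmac

# Constructed model of counter-based OTP with a look-ahead window versus
# HMAC-SHA1 challenge-response as a master-key component. Example code for
# this post; OtpKeyProv and KeeChallenge are not reproduced here.


def counter_otp(secret: bytes, counter: int) -> str:
    """HOTP-style code: HMAC of the counter, truncated (modelled, not RFC-exact)."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).hexdigest()[:12]


class CounterOtpToken:
    """Every press emits the code for the current counter and advances it."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = counter_otp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpKeyProvider:
    """Accepts only codes within `lookahead` steps of its own counter."""

    def __init__(self, secret: bytes, lookahead: int = 1):
        self.secret, self.counter, self.lookahead = secret, 0, lookahead

    def unlock(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.lookahead):
            if hmac.compare_digest(counter_otp(self.secret, c), code):
                self.counter = c + 1      # resynchronise to the accepted code
                return True
        return False


def otp_scenario(stray_presses: int, lookahead: int = 1) -> bool:
    """Unlock once, press the key `stray_presses` times by accident, unlock again."""
    secret = b"constructed-otp-secret"
    token, provider = CounterOtpToken(secret), OtpKeyProvider(secret, lookahead)
    assert provider.unlock(token.press())
    for _ in range(stray_presses):
        token.press()                     # code generated but never submitted
    return provider.unlock(token.press())  # False once the token is past the window


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """What the YubiKey's HMAC-SHA1 slot computes for a challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_master_key(password: str, response: bytes) -> bytes:
    """Constructed composition of password and YubiKey response (not KeeChallenge's)."""
    return hashlib.sha256(password.encode("utf-8") + response).digest()


def challenge_response_scenario(stray_presses: int) -> bool:
    """Any number of extra presses still yields the same key for the same challenge."""
    secret = b"constructed-hmac-secret"
    challenge = b"random-challenge-stored-next-to-the-database"
    expected = derive_master_key("master password", challenge_response(secret, challenge))
    for _ in range(stray_presses):
        challenge_response(secret, challenge)   # nothing in the token changes
    actual = derive_master_key("master password", challenge_response(secret, challenge))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("OTP, one stray press, window 1:", otp_scenario(1, lookahead=1))
    print("OTP, one stray press, window 3:", otp_scenario(1, lookahead=3))
    print("challenge-response, five stray presses:", challenge_response_scenario(5))
```

With a look-ahead window of one, a single stray press puts the token one step ahead of the provider for good, and every later code is rejected too. A larger window would have absorbed the slip, but the challenge-response variant has no counter to drift at all.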

Native auto-fill-in for applications

To use the passwords managed by KeePass in applications without a plugin, KeePass provides native auto-fill functions. There are two ways to pass your credentials to an application.

First you can use auto-type, which types the credentials into the active window and uses keys like Tab or Enter to move between input fields.

The better option is the URL handling. KeePass substitutes placeholders like {USERNAME}, {PASSWORD} or {URL:HOST} in an entry's URL before opening it, and an entry can carry a URL override (Properties tab) that is used instead of the URL field when you open it. With the cmd:// scheme the resulting string is run as a command instead of being handed to the browser, so a single click can start a program with your credentials already filled in.

As an example you can authenticate against MySQL with a single click. Put the server into the URL field (e.g. mysql://db.example.org) so that {URL:HOST} resolves to the host name, and set the following as the entry's URL override (the password has to be attached directly to -p; with a space in between mysql treats the next word as a database name and prompts for the password):

cmd://mysql -h {URL:HOST} -u {USERNAME} -p{PASSWORD}

Be aware that a password passed on the command line is visible in the process list (ps, Task Manager) to every user on the machine for as long as mysql runs. On shared or long-running systems prefer a login path created with mysql_config_editor and call mysql --login-path instead.

Centralize your Shared-Account-Passwords

There are many companies and projects that let you sign in with one account on several different sites. Since all your passwords are stored in one database, it would be nice to just reference that account and only have to change a single entry when its password changes. And yes, that's possible in KeePass, and it's one of the features I love.

Create an entry with your "global credentials". Now create a new entry containing the URL of the target site. Instead of entering the credentials you click the "Tools" button in the lower left corner of the entry dialogue, choose "Insert Field Reference" and pick the entry and field you want to use. KeePass inserts a placeholder of the form {REF:P@I:<UUID>} (P for the password field, I for lookup by entry UUID) which is resolved every time the entry is used, so changing the global entry changes the password everywhere it is referenced.
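To show how the references and the placeholders from the URL section above interact, here is a small resolver written for this post. It is a model of KeePass's placeholder syntax, not KeePass's own resolver: it handles {USERNAME}, {PASSWORD}, {URL}, {URL:HOST} and field references of the form {REF:<field>@<search-in>:<text>}, resolves references inside an entry's own fields recursively, and refuses to chase a reference loop forever. The two entries, their UUIDs and the MySQL command are constructed; rotating the password of the "global" entry is all it takes for the command built from the referencing entry to change.

```python
import re
from urllib.parse import urlsplit

# Constructed model of KeePass placeholder resolution. Example code for this
# post; field and search-in codes follow KeePass's {REF:...} syntax, the
# entries and commands below are made up.

FIELD_CODES = {"T": "Title", "U": "UserName", "P": "Password",
               "A": "URL", "N": "Notes", "I": "UUID"}
REF_RE = re.compile(r"\{REF:([TUPAN])@([TUPANI]):([^}]*)\}", re.IGNORECASE)
MAX_DEPTH = 10   # references may nest; a loop must not hang the resolver


def lookup_ref(db, wanted, search_in, text):
    """Field `wanted` of the first entry whose `search_in` field equals `text`."""
    for entry in db.values():
        if entry.get(FIELD_CODES[search_in], "") == text:
            return entry.get(FIELD_CODES[wanted], "")
    raise KeyError(f"unresolved reference {search_in}:{text}")


def expand(template, entry, db, depth=0):
    """Substitute placeholders in `template` on behalf of `entry`."""
    if depth > MAX_DEPTH:
        raise RecursionError("placeholder nesting too deep (reference loop?)")

    def field(name):   # an entry's own fields may contain references too
        return expand(entry.get(name, ""), entry, db, depth + 1)

    simple = {
        "{USERNAME}": lambda: field("UserName"),
        "{PASSWORD}": lambda: field("Password"),
        "{URL:HOST}": lambda: urlsplit(field("URL")).hostname or "",
        "{URL}": lambda: field("URL"),
    }
    out = template
    for token, value in simple.items():
        if token in out:                      # evaluate lazily: avoids needless recursion
            out = out.replace(token, value())
    if REF_RE.search(out):
        out = REF_RE.sub(lambda m: lookup_ref(db, m[1].upper(), m[2].upper(), m[3]), out)
        return expand(out, entry, db, depth + 1)   # the referenced value may itself hold placeholders
    return out


# Constructed database: one "global" account and one entry that references it.
GLOBAL_UUID = "0123456789ABCDEF0123456789ABCDEF"
DB = {
    "global": {"UUID": GLOBAL_UUID, "Title": "Corporate account",
               "UserName": "a.smith", "Password": "correct-horse-battery-staple", "URL": ""},
    "mysql": {"UUID": "FEDCBA9876543210FEDCBA9876543210", "Title": "Reporting DB",
              "UserName": "{REF:U@I:" + GLOBAL_UUID + "}",
              "Password": "{REF:P@I:" + GLOBAL_UUID + "}",
              "URL": "mysql://db.example.org",
              "URLOverride": "cmd://mysql -h {URL:HOST} -u {USERNAME} -p{PASSWORD}"},
}


def command_for(db, key):
    """What KeePass would run when the entry's URL (override) is opened."""
    entry = db[key]
    return expand(entry.get("URLOverride") or entry["URL"], entry, db)


def rotate_global_password(db, new_password):
    db["global"]["Password"] = new_password


if __name__ == "__main__":
    print(command_for(DB, "mysql"))
    rotate_global_password(DB, "new-passphrase")
    print(command_for(DB, "mysql"))   # the referencing entry picks up the change
```

The expanded command shows the password in the clear, which is exactly why the process-list caveat in the URL section matters: a reference keeps the secret out of the referencing entry, not out of the command line.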

Conclusion

KeePass is really my choice of password manager. I've been using the setup explained above for a while now and it works perfectly. Tablet and notebook are in sync.

But one thing is important: always memorize the passwords of your mail accounts. Whatever happens to your password database (losing your YubiKey, ransomware encrypting it), you can recover most other passwords through the password reset of your mail account. Keep an offline backup of the database and of the YubiKey's HMAC secret as well, so that you never have to.

KeePass is a good alternative to LastPass, improves your password security and loads your SSH keys on startup. Enter one password, press your YubiKey and start working!

It’s simple, it’s fast, it’s open source and secure. Anything else you need?


Some more information:

Alternative KeePass clients: