Saturday, November 17, 2007

Freeware Appreciation Day: KeePass Password Safe

Summary: Use KeePass Password Safe to store your passwords, account information, and other sensitive data.

In response to Jeff Atwood's call to support small software vendors, I decided to institute a personal Freeware Appreciation Day on which I will contribute to one of my favorite freeware makers. I will try to observe the Freeware Appreciation Day on a monthly basis until I run out of money or cover all of my favorite applications (I hope that neither of these will happen).

This month's contribution goes to KeePass Password Safe, an OSI-certified, free, open-source, lightweight, and easy-to-use password manager created by Dominik Reichl. Before picking KeePass, I checked a few similar utilities, including the commercial Password Plus, SecureSafe Pro, RoboForm2Go, and the IBM/Lenovo hardware-dependent Password Manager, as well as the free, open-source Password Minder and Password Safe, but I liked KeePass most.

KeePass is portable (i.e. you can run it from a USB drive) and very easy to use. It keeps your information in a data file (database) encrypted with a user-defined password. You must specify this password in order to open the data file when starting the application or if you want to open a different data file.


Once you open the data file, KeePass displays the information about your user accounts (or whatever you saved in it) grouped by categories.


When adding or updating an entry, you can specify the title of the entry, your user name, the URL of the site (I wish that the URL were displayed before the user name), password, notes, and other information. There is an option to attach a file to a password (account) record, but I haven't tried it yet.


The grouping feature allows you to organize your records in a logical manner. You can add and delete groups, or move items from one group to another. If you forget in which group you stored an item, you can search for it using the Find dialog box.

The basic functionality of KeePass should satisfy most users, but it can also be extended via plug-ins. For example, you can use plug-ins to export passwords to a comma-separated text file, import passwords from Firefox, open Web sites and fill in the login data automatically, and do more.

If you decide to use KeePass, you may need to figure out how to keep your data file in sync between multiple computers. One option is to keep the file on a USB drive (you can either open it from a USB drive or use the USB drive to copy it between machines). Although the file is encrypted, you will feel safer if you use the drive's built-in encryption or tools such as TrueCrypt.

If you do not like the idea of carrying data files on a USB drive, consider using a Web-based service that allows you to map your personal online storage as a local drive, such as Who.HasFiles or GmailFS. If you store your data file online, remember to keep a backup copy in case the service goes down.*

UPDATE: To synchronize your KeePass data file across multiple computers (and keep online backups), try the Dropbox synchronization tool. Dropbox worked very well for me, but there are also other alternatives, such as Syncplicity and SpiderOak. Or instead of using KeePass, try the online-based LastPass; it offers most -- if not all -- features of KeePass, and even more (it also lets you import the data stored in the KeePass data file).

Additional references:
Wikipedia: Password Manager



*Although keeping data files on a USB drive or online are both viable options, it would be more convenient to use a Web-based password manager. In fact, several online password managers popped up recently. After trying a few of them, Clipperz and Passpack seemed most advanced to me. Unfortunately, they both have limitations. Passpack has a difficult-to-use two-password authentication scheme, and, what is worse, it limits the size of the password database to 128 KB (approximately 150-200 records in a free account), while Clipperz is yet to implement the importing feature; Clipperz v. Passpack, Round 2 offers a good comparative review of both services. I'm looking forward to using a Web-based password manager, but until these services mature, I'll stick to KeePass. NOTE: See the update note.

6 comments:

felix said...

Nice review! I've been using PasswordsPlus for a while now (a legacy of my long history with Treo's, alas)... Need to switch and have been waffling between the online services (a little wary of them) and finding a new desktop app... looks like there's an OSX version of KeePass and I'm going to give that a spin. :)

Alek Davis said...

Thanks, Felix. Please keep us posted.

Tara (PassPack) said...

Hello.
You mentioned a "difficult-to-use two-password authentication scheme" for PassPack.

I'm not quite sure what you mean: is this the password quality requirement?

We're always looking to improve and some people really don't like that we require strong pass phrases. We're *thinking* about lowering the standard. It's a tough decision though since, well, we're talking about an online password repository.

Please let me know your thoughts. It'll surely help us in making a final call.

Thanks,
Tara
PassPack Founding Partner

PS. We're letting folks pre-upgrade to a larger account (8x capacity) on a free-for-now basis. More info here:

http://tinyurl.com/347h8z

Tara (PassPack) said...

Sorry, I don't link that link:

http://tinyurl.com/347h8z

Alek Davis said...

This comment has been removed by the author.

Alek Davis said...

No, I'm fine with the strong password requirement (although, again, I'm not sure you should be forcing it onto users), but I do not like the fact that I need to remember two passwords (I haven't tried it in a while, but if I remember it correctly, one is used to log in, another to "unpack", or something like this, the same issue mentioned in Felix's review). It's nice that you offer an option to upgrade to bigger accounts, but at some point, you'll be charging for them, including the ones you're offering for free now, right? And while the fee is not that big (around $36/year based on current exchange rate), it is still not free and probably more than people from emerging markets would be willing to spend. Anyway, I really like what you're doing and wish you all the best.