KeePassX: Keeping Your Passwords Safe
For a long time, my password tracking system was quite simplistic: hope I remembered the right passwords for each site or record them in an ordinary word-processor document. Such methods obviously have great flaws. I might have a hard time remembering a password for an infrequently used site, and a word-processor document isn't the most secure place to store passwords. Such a system also tends to promote either too-simplistic passwords or recycling the same password across Web sites (both being easier to remember). For these and other reasons, I decided using a password manager would make my digital life a lot easier.
A password manager is a program that stores passwords. The stored passwords usually are encrypted for security purposes. Password managers can be either desktop-based (the password data stored in an encrypted database file on a hard drive), portable (similar to the desktop version, but stored on a smartphone or similar device) or on-line (data stored in an encrypted form on a trusted third-party Web site). Besides the increased security (over writing down passwords on a piece of paper or within an unencrypted text document, or resorting to memory), password managers also allow for more complex (thus, harder to guess/break) passwords to be created and stored. After some research, I decided to use KeePassX as my password manager of choice.
KeePassX is a multiplatform, open-source password manager. Unlike some password managers, KeePassX is desktop-based, which has its advantages and disadvantages. However, KeePassX can be used along with an on-line storage system, such as Dropbox (I discuss how to do that later in this article).
KeePassX comes with various features, including the ability to import and export passwords, search functionality, organize passwords/user names within predefined categories and a secure password generator. KeePassX also comes with a limited AutoType feature, or the ability to enter user name and/or password information automatically on a Web page from an entry.
Password information is stored in an encrypted 256-bit database file, which is compatible with other platforms' versions of KeePassX (including KeePassDroid for Android smartphones, KeePass for Windows and so on). However, for compatibility, password files created by other versions must be stored in the older (version 1.x) format that KeePassX uses, versus the current (at the time of this writing) 2.x version, although work is being done to allow a future version of KeePassX to use the newer format.
Setup and Basic Usage
KeePassX is available in many repositories; thus, installation should follow standard procedures for your distro of choice.
Upon initial launch, KeePassX prompts the user to create a new database. As shown in Figure 1, the Set Master Key box will be displayed, asking one (by default) to create a master password for the database. You should choose a strong master password. An alternate option is to use a key file instead of or in addition to a password (more on key file usage later). For most of this article, however, I use only a master password for my examples.
Figure 1. The Set Master Key Box
After creating the password, the default main window (Figure 2) appears, displaying (in menus and a toolbar) most of KeePassX's features. The menus consist of File (importing and exporting database formats, saving changes to databases and so on); Entries (adding, deleting and making changes to entries, as well as copying entry information to the clipboard); Groups (organizing entry information into various categories); View (toolbar/entry information display settings); Extras (settings for KeePassX itself, as well as the password generator); and Help (links to KeePassX's Web site, FAQ list and so on).
Figure 2. The Main KeePassX Window
By default, two groups are created in a new database: Internet and Email. To create a new category, choose Groups→Add New Group, then enter the name of the new group in the Group Properties window that appears. You also can choose an icon for the new group from the pop-up menu. After finishing, select OK. The new category will appear in the left-hand pane.
To enter a new password and/or user name into KeePassX, select a category from the left-hand pane for the new password, then either select Entries→Add New Entry or choose Add New Entry from the toolbar. A New Entry window appears (Figure 3), allowing you to enter password and user name information, along with any other needed information. Additional information you can enter includes Title (a name for the entry); Username; Password; Repeat (enter the same password twice for verification); Comment (to enter comments about the entry); Expires (set an optional expiration date for the password); Attachment (attach a file to the entry); and Tools (a pop-up menu). A quality progress bar also is included under the password section, indicating the password's relative strength.
Figure 3. The New Entry Window for Entering New User Names and Passwords
The Tools pop-up menu contains two options:
AutoType: Customize sequence—customize the sequence of password/user name information entered into forms.
AutoType: Select target window—select which application or browser window to enter password/user name information.
For extra security, the password can be shown or hidden (displaying asterisks) by clicking the eye icon next to the password entry boxes.
The password generator is available by clicking the Gen button within the New Entry window (or from Extras→Password Generator). A box as shown in Figure 4 appears. This feature allows you to create a random, strong password. Three tabs are available within the generator: Random, Pronounceable and Custom. Under Random, you can select various criteria for generating a password, based on types of characters used, uppercase or lowercase and so on. Under Pronounceable, some similar options to Random are available, although the selections here are to generate a password exclusively or near exclusively with letters. Finally, under Custom, an entry box is shown, allowing you to type in a word or phrase to define what characters are used to generate a password. The bottom of the password generator includes several features, such as setting the length of the password, a password bit strength indicator and use of an entropy generator. The entropy generator creates a random set of data (based on keyboard activity or mouse movement) upon which to base generated passwords.
Figure 4. KeePassX's Password Generator
The Expire option in the New Entry window allows you to set a date indicating how long the password should last. This can serve as a reminder to change passwords regularly for extra security. To view which passwords already have expired, select Extras→Show Expired Entries.
To use a stored user name or password, KeePassX has two options: either copy the information from KeePassX and paste it into the required entry areas, or select the AutoType feature. To copy the information, select either Copy Username to Clipboard or Copy Password to Clipboard from the toolbar, or choose the same-named options under the Entries menu. For AutoType, select Entries→Perform AutoType while the browser is open to the desired login page; the information will be entered automatically.
Figure 5. KeePassX's Main Window, with an Entry Displayed
To lock KeePassX from others' use (such as when you step away from the computer), select File→Lock Workspace, or select Lock Workspace from the toolbar. To unlock KeePassX, select the Unlock button displayed, and enter the database's master password. For more privacy, an option also exists to hide passwords and/or user names. Go to View and select Hide Usernames and/or Hide Passwords. Asterisks will be displayed in place of the user names and/or passwords.
Figure 6. An Entry with User Name and Password Information Hidden
If you have multiple databases to manage, KeePassX also offers a bookmark feature. To bookmark a database file, select File→Bookmarks, and choose either Add Bookmark (to bookmark a database file) or Bookmark This Database (to bookmark the presently open database). The bookmarks then will appear under the Bookmarks menu. There's also a Manage Database option to manage existing bookmarks.
To import or export database files, go to File and select Import from or Export to. Import formats besides KeePassX include PwManager and KWallet. Export formats include KeePassX and as a text file.
Advanced Use: Cloud-Based Database File Storage and Smartphone Access
One popular advanced use for KeePassX is to keep a password database stored in an on-line storage medium, such as Dropbox. Besides serving as a means of database backup, this also lets you access and update a password file from any number of devices, including smartphones. This is done using KeePassX's sibling versions for various smartphone OSes, including the version I use here, KeePassDroid for Android smartphones. (Instructions should be similar for those with iOS, Windows or BlackBerry smartphones.)
Figure 7. A Dropbox Directory, Containing a Password Database
To start, access (or create if you don't have one) your Dropbox account. Then, move the database file to your Dropbox directory (Figure 7). Next, open KeePassX and select File→Open Database (or Open Database from the toolbar). Select the database file from your Dropbox folder, and then enter your master password and use KeePassX as usual.
To set up your Android smartphone to access the password database, install KeePassDroid (and, if not already installed, the Android Dropbox app) from the Android Market. Next, launch Dropbox, and select the database file. KeePassDroid then launches and opens the file, displaying a master password entry box. After entering the master password, a smartphone-friendly interface showing the various password groups will be displayed. Functions are available for going to an entered URL, as well as copying and pasting a user name and password. Entering or modifying user names and/or passwords also is offered by KeePassDroid, which will update the database file stored on Dropbox (and, of course, allow you to access the new information from KeePassX on a desktop).
As shown previously, this allows KeePassX to have some of the functionality of an on-line password manager, while maintaining the advantages of being desktop-based. Although I've not tried it, this method should be similar (available smartphone app permitting) for other cloud-based storage systems, such as Ubuntu One (which also has an Android app available).
KeePassX offers two types of 256-bit encryption: AES and Twofish. The type of encryption used may be changed by accessing File→Database Settings. AES is the default, and although Twofish may be used, it's compatible only with KeePassX's version 1.x database format. Therefore, it's probably best to leave this option as the default.
Instead of a master password, a database can be opened using a key file. A key file is a file that stores data (such as a master password or random data), and it is stored elsewhere (on the same hard drive, on a USB drive and so on). One advantage of a key file instead of a master password is that an actual file is required to open the database. Because the key file can be stored elsewhere (such as on a separate USB drive), this also serves as a security option. Another advantage is that a key file may contain lengthy or complex data. However, one downside is that anyone who finds the key file can open the database, similar to somebody that discovers the master password. Also, if the key file is lost (or damaged, deleted or anything similar) or if any information in the file is changed, opening the database will be impossible.
For extra security, both a master password and a key file may be required for accessing a database.
To use a key file, under File→Change Master Key (or in the Set Master Key window, if initially creating a database), select the key file check box. If a desired key file doesn't already exist, select Generate Key File to create one, then select a name and storage location for the file. To open the database using a key file, select the check box next to key file (and the check box next to password too if required), and click Browse. Browse to wherever the key file is stored, select it, then select OK to open the database.
Differences between KeePassX and LastPass
Another popular password manager is LastPass. Unlike KeePassX, LastPass is proprietary instead of open source, and it relies on a cloud-based solution (storing encrypted password information on-line). LastPass comes as a plugin for most browsers and is compatible with Linux. Similar features to KeePassX include password generation and an ability to fill in login information for Web sites. However, some advanced features, including support for smartphones and removing advertising, requires upgrading to a $12/year "premium" version. LastPass also requires Internet access for its full cloud-based use, which might be an issue for some.
KeePassX is a very useful and valuable password manager. Its storage capabilities and strong password generator have helped me greatly improve my on-line security over my former password-tracking methods. KeePassX's cross-platform compatibility also provides versatility in conjunction with its sibling application KeePassDroid. Although there are other good password managers, KeePassX in particular is worth trying.
KeePassX FAQ: http://www.keepassx.org/faq