Everybody knows that password reuse (using the same password on different services, websites, etc.) is a bad habit from the point of view of security. The reason is simple: if a single website where your password is used gets compromised, then somebody could get access to your password and consequently get access to your account on all the websites where you use the same password. You can get a full description of this phenomenon on XKCD.
On a less funny note, there have been countless stories of password breaches where password databases of major websites got compromised. These incidents revealed that very often, these websites do not follow even the very basic security practices to protect their user passwords.
Despite having been well aware of this fact for years, I had never really taken the problem seriously, using barely a few different passwords depending on the level of trust I had in the websites. About one year ago, my Gmail account was hacked and used to send spam emails to my contact list: it is a very unpleasant experience to be asked by one of your colleagues to explain the "funny email" that was sent on your behalf... This is when I decided to use only single-purpose passwords. However, it quickly became apparent to me that I would need a proper set of tools to handle them. My requirements for this set of tools were the following:
- the core of the solution had to be open source: you can read Bruce Schneier's opinion about why open source is good for security.
- there had to be real-time synchronization of my passwords on the different machines I use.
- there had to be a way to access my passwords on my phone, in the case where I need a password on a machine I do not use regularly.
The solution I found, which I have now been happily using for some time, is the combo: KeePassX + Dropbox + KeePassDroid.
Here is the description of KeePassX you can find on its official website:
KeePassX is an application for people with extremely high demands on secure personal data management. It has a light interface, is cross-platform and is published under the terms of the GNU General Public License.
KeePassX saves many different kinds of information, e.g. user names, passwords, URLs, attachments and comments, in one single database. For better management, user-defined titles and icons can be specified for each single entry. Furthermore, the entries are sorted in groups, which are customizable as well. The integrated search function allows searching in a single group or the complete database.
The idea behind KeePassX is simple: all your passwords are stored in a database which is encrypted with your master password (a password you choose when creating the database). Every time you launch KeePassX, the master password has to be typed to unlock the database. Once it is unlocked, you have a nice and simple interface to add, delete and modify passwords, organize them in different subgroups, etc.
Let me mention here the killer feature of KeePassX, autofill: it allows you to automatically fill in your username and password in a login form by pressing a global shortcut. KeePassX decides which password to use on which website based on the window title that you associate with the password when creating it.
The password database being just a single file (with the extension .kdb), synchronizing my passwords across several computers was really easy to set up: I just added the database file to my Dropbox folder.
I am not fully satisfied by this part of the solution and would feel more comfortable if I were not relying on a third-party to store my passwords. However, the database file which is hosted by Dropbox is encrypted by my master password and I can live with this at the moment. Yet, I would be happy to find an open-source synchronization tool which stands comparison with Dropbox.
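Since the only thing protecting a synchronized .kdb file is the master password and the key-stretching applied to it, it is worth checking how many key-transformation rounds a database was created with. The following script is an added example (not KeePassX code): it parses the unencrypted 124-byte header of a KDB 1.x file, based on the published KeePass 1.x format, and flags a low round count. The header sample is constructed inline, and the 50,000-round threshold is an assumption chosen for illustration.

```python
import struct

# KDB 1.x header layout (124 bytes, little-endian), as documented for the
# KeePass 1.x / KeePassX database format. The header is stored in clear text;
# only the body that follows it is encrypted with the derived key.
KDB_SIG1 = 0x9AA2D903
KDB_SIG2 = 0xB54BFB65
HEADER_FMT = "<IIII16s16sII32s32sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 124 bytes
FLAG_SHA2, FLAG_AES, FLAG_ARCFOUR, FLAG_TWOFISH = 1, 2, 4, 8


def parse_kdb_header(data: bytes) -> dict:
    """Return the fields of a .kdb header, raising ValueError if it is not KDB 1.x."""
    if len(data) < HEADER_LEN:
        raise ValueError("file too short to be a KDB database")
    (sig1, sig2, flags, version, master_seed, enc_iv, n_groups, n_entries,
     contents_hash, transform_seed, rounds) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if (sig1, sig2) != (KDB_SIG1, KDB_SIG2):
        raise ValueError("not a KDB 1.x database (bad signature)")
    if flags & FLAG_AES:
        cipher = "AES-256"
    elif flags & FLAG_TWOFISH:
        cipher = "Twofish"
    else:
        cipher = "unknown"
    return {
        "version": version,
        "cipher": cipher,
        "groups": n_groups,
        "entries": n_entries,
        "transform_rounds": rounds,  # rounds of AES key transformation applied to the master key
    }


def stretching_is_weak(header: dict, minimum: int = 50_000) -> bool:
    """True when the database uses fewer transformation rounds than the assumed minimum."""
    return header["transform_rounds"] < minimum


# Constructed sample header: AES, 3 groups, 12 entries, only 6000 transformation rounds.
SAMPLE_HEADER = struct.pack(
    HEADER_FMT, KDB_SIG1, KDB_SIG2, FLAG_SHA2 | FLAG_AES, 0x00030002,
    b"\x11" * 16, b"\x22" * 16, 3, 12, b"\x00" * 32, b"\x33" * 32, 6000,
)

if __name__ == "__main__":
    hdr = parse_kdb_header(SAMPLE_HEADER)
    print(hdr)
    print("key stretching is weak:", stretching_is_weak(hdr))  # → True
```

To inspect a real database, replace SAMPLE_HEADER with `open("passwords.kdb", "rb").read(HEADER_LEN)`; the header contains no secret material, only the stretching parameters and entry counts.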
The Dropbox app will take care of getting your password database file into your phone's storage. Then, you can link the file to the KeePassDroid app by following these steps:
- in the Dropbox app, navigate to your password database file and try to open it.
- if you have the KeePassDroid app installed, you will have the option to open the file with it. Choose this option.
- on the first screen presented to you, check the option "Use this as my default database" and type in your master password.
- you should now be able to navigate through your password database.
If you are an iPhone user, iKeePass should do the job.
I am not claiming that my solution is the perfect way to manage your passwords: this is just the solution I currently use, and it has worked well for me until now.
I know that some people have been successfully using LastPass: the approach is browser-based and very different from the one described in this article, but I would be interested to find a comparison of the two solutions from the point of view of usability.