Recently I sat down for a minute and thought about how many usernames and passwords I enter on a daily basis. Between my various e-mail accounts (4), social networking sites (3), my personal blog, the various online games I play (3), access to my work web apps (2), computer authentication password, online banking (4), IM clients (4), and other various logins for commenting on other blogs and miscellaneous sites like eBay, I’ve got literally dozens of passwords and usernames to keep track of.
If you’re like me, you cheat a little. You probably use your e-mail address as a username whenever you can (or recycle the same username), re-use the same password depending on the sensitivity of whatever you’re logging into, and save certain passwords on the sites you visit frequently. Let’s not kid ourselves- we know in the back of our minds that this isn’t the best way to do it, but everybody does it anyways. But is there a better way? Can we keep our really sensitive information safe with the same kind of convenience given by saved passwords, recycled usernames, and re-used passwords?
Well in a word, “no,” but we can come close. Password management applications offer a compromise between convenience and security by storing an encrypted database of your usernames and passwords behind one master password.
Enter KeePassX, a cross-platform password manager based on the old Windows Keepass Password Safe. While not as polished as the commercial alternatives like 1Password, KeePassX is no less functional and comes without the rather hefty $39.95 price tag.
The main window of KeyPassX is simple and intuitive- 3 different panes containing the list of password groups, the list of passwords within the active group, and a sort of “card” showing the basic information for each password entry. I’m partial to the 3-column layout of Apple’s Address Book and the various Apple Mail plugins that do the same thing, but that’s a minor issue. Passwords and usernames are blocked out with asterisks, which you can view by opening the entry.
Creating a new entry brings up a window in which you enter a Title, Username, URL, password, and a comment. You can get to the highly customizable password generator from here; which allows you to select the type of characters to include, the length, and various options for character selection. As you can see from the screen shot, nobody is ever going to guess “~pE2%*dp=*K=?W7$J1,Kmo@;|“. You can set a password to expire after a certain amount of time, as well as choose an icon for each entry.
Worried about security?
KeePassX’s databases are stored locally and protected by 256-bit AES or Twofish encryption. Even 128-bit encryption like that used by 1Password would take millions of years to crack via brute-force, so you’ve really got nothing to worry about on that front.
Other nice features of KeePassX are cross-platform database formats and my personal favorite- the ability to use a key file to unlock the database. So if you wanted you could only unlock your database by inserting a USB stick containing the key file.
There are some issues I have with KeePassX. First of all it’s still in beta (version 0.4.0 as of this writing). While I have not experienced any crashes after a couple days of use, stability is something I consider of paramount importance for a program that handles such sensitive information. While the main screen has a “New Entry” button, a “New Group” button would be nice also. Safari or FireFox integration would be nice, but since it’s open source maybe someone much smarter than I am will create a plugin. The Settings are a little sparse- for example, it would be nice to be able to make the username visible in the Entry list. Lastly, the program could be a little more robust by offering different categories of entries such as Credit Card numbers and software license information, both of which have fields not necessarily applicable to logins and passwords.
Minor quibbles aside, KeePassX is a promising alternative to storing a text file in an encrypted disk image or shelling out $40 for commercial software. I am very impressed with the program so far, and plan to use it extensively.
Do you know of any other password managers? Leave a note in the comments.