I always advise users to create hard-to-guess passwords, never re-use them across sites, and change them semi-regularly. The push-back I get is that it's a daunting task to try to remember a myriad of constantly-changing credentials, no matter how good the mnemonic techniques may be. But one look at the growing list of high-visibility break-ins and security compromises is all the incentive you need. Why make it easy for crackers to jump from one service to another just because you devoted too few brain cells to passwords?
Call it “do as I say, not as I do”, the Cobbler’s Children syndrome, or just simple laziness, but despite the best of intentions I was not following my own advice. I rotated between a small list of re-used passwords and trusted that a bit of variability in username combinations would be enough to protect me. But I was kidding myself. An incident was probably inevitable.
Before I tempted fate, it was time to walk the walk. I decided that I needed a significant change; I didn't just want a new mnemonic-based scheme whose pattern someone might be able to figure out. What I needed was truly random password generation along with a password management tool that eliminated the need for me to memorize anything. The big hurdle? Multi-platform support, since I needed to cover not only my PCs (home and work) but my iPad and iPhone as well. And a browser plugin was out of the question, both for security reasons and because I use multiple browsers.
A cloud-based management tool could be just what the doctor ordered. But I have a few reservations about reliance on a remote service, namely: a blind faith in their security model and a need for offline support when the network was not available. Plus there are the usual concerns over the lock-in on a service that could disappear completely, something you’d ponder with any cloud opportunity. And with the recent breach at LastPass, I decided that a pure-play cloud solution was not for me.
I needed something where the encryption was proven. Where the cloud was my sync tool, but not my security provider: something where I could keep an offline copy of the password database, but use the Internet as a transfer tool between devices. Certainly I could host the password database on my own web site, but I preferred a sync tool that could handle updates from several machines over managing the changes myself and posting them via FTP. 1Password's use of Dropbox hit the mark, but I'm a cheap bastard; $15 for the iOS app, and another $40 for each Win/Mac license, didn't strike me as equitable. (If it were me, I'd charge for the Win/Mac apps, but give away the mobile versions as the freebies that lure you in.)
Enter KeePass and Dropbox.
KeePass was a no-brainer: an open-source password manager that runs on a variety of platforms. It can hold all kinds of info (passwords, bank accounts, credit cards) and can generate random passwords for you. You copy/paste the credentials into whatever app is waiting for them without ever needing to see what they are. The database can be protected by any combination of a master password, a key file, and/or the current Windows user account. (A word of warning, though: stick with the master password alone, because mobile clients can't deal with the other two. The Windows-account option in particular ties the database to that one account and is useless anywhere else. A key file is worth revisiting once a mobile client supports it, since someone who obtains the database file but not the key file has no password to guess against.)
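As an added example (written for this post, not KeePass project code), here is how KeePass 2.x combines the key sources listed above into the single 32-byte composite key that the database's key-derivation step consumes: each source is reduced to 32 bytes, the reductions are concatenated in a fixed order, and the result is hashed once more. The `offline_guess` function is a simplified model of what someone who gets hold of the exported file can do; it compares composite keys directly, whereas a real attacker has to run the database's key transformation rounds per candidate and check against the file header, which is the very reason those rounds exist. The sample key file, the wordlist and the function names are constructed for the example.

```python
import binascii
import hashlib
from typing import Iterable, Optional

# Added example, not KeePass project code: how KeePass 2.x reduces each key
# source (master password, key file) to 32 bytes and combines them into the
# "composite key" that the database's key-derivation step then uses.
# The Windows-user-account source (a DPAPI-protected random secret) is left
# out because it cannot be reproduced outside that Windows account, which is
# exactly why mobile clients cannot open such a database.


def password_component(master_password: str) -> bytes:
    """KeePass hashes the UTF-8 master password with SHA-256."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def key_file_component(key_file_bytes: bytes) -> bytes:
    """Reduce a (non-XML) key file to 32 bytes the way KeePass 2.x does:
    a 32-byte file is used as-is, a 64-character hex file is decoded,
    anything else is SHA-256 hashed.  (KeePass's own XML key-file format,
    which carries the key as base64 text, is omitted here.)"""
    if len(key_file_bytes) == 32:
        return key_file_bytes
    if len(key_file_bytes) == 64:
        try:
            return binascii.unhexlify(key_file_bytes)
        except (binascii.Error, ValueError):
            pass  # 64 bytes that are not all hex digits: fall through
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(master_password: Optional[str],
                  key_file_bytes: Optional[bytes] = None) -> bytes:
    """Concatenate the 32-byte reductions in KeePass's fixed order
    (password first, then key file) and hash the result once more."""
    if master_password is None and key_file_bytes is None:
        raise ValueError("at least one key source is required")
    material = b""
    if master_password is not None:
        material += password_component(master_password)
    if key_file_bytes is not None:
        material += key_file_component(key_file_bytes)
    return hashlib.sha256(material).digest()


def offline_guess(candidates: Iterable[str], target: bytes,
                  key_file_bytes: Optional[bytes] = None) -> Optional[str]:
    """Simplified model of an attacker holding a copy of the database: try
    each candidate master password together with whatever key file they also
    hold.  Here the check is a direct comparison of composite keys; the real
    attack must run the database's key transformation rounds for every
    candidate and verify against the file header, so raising those rounds
    directly raises the attacker's cost.  Without the key file, no candidate
    can match, no matter how good the wordlist."""
    for candidate in candidates:
        if composite_key(candidate, key_file_bytes) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    key_file = bytes(range(32))  # a raw 32-byte key file
    target = composite_key("correct horse", key_file)
    wordlist = ["password", "letmein", "correct horse"]
    print("with key file:   ", offline_guess(wordlist, target, key_file))
    print("without key file:", offline_guess(wordlist, target))
```

Run it and the wordlist finds the master password only when the attacker also has the key file; with the password alone protecting the database, the file's security is exactly the guessability of that one password times the cost of the key transformation.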
As for syncing database files between devices, Dropbox to the rescue! There are native filesystem Dropbox clients for Win/Mac, and a version for iOS, which doesn't expose a filesystem at all. (For iPhone/iPad, Dropbox essentially *is* your filesystem.) I elected to put my sync'd database in my Public folder, which may seem contrary to good security: a Dropbox Public folder is accessible by anyone on the Internet, not just by other Dropbox users. So why am I putting my password stash there?

Dropbox has a known weakness: the client's local configuration database is enough by itself to authenticate the install, so a copy of it carried to any other machine grants access to that user's storage without their Dropbox password. I'm not so much concerned about my password database(s) as about all my other sync'd files; I didn't want to leave that config database sitting on my work PC. So instead of requiring a Dropbox install on a machine I don't own, I opted to use the KeePass "Open via URL" feature while at work. That meant my password database needed a URL. Had I put it in a "shared folder", only the directory is assigned a URL; the only way Dropbox gives a file a direct URL is if it sits in the Public folder.

Is it a bit of a risk? Yes, but the mapping to my user-id is not common knowledge, nor are the filenames I use for the databases, and a KeePass database is encrypted under a very long master password, so good luck with that. Stated honestly, the risk is this: anyone who does find the URL gets a copy of the file and can run an offline guessing attack on the master password at their leisure, so the password's length (and the database's key transformation rounds, which KeePass 2.x lets you raise) is what the security actually rests on. Although not a Dropbox feature per se, KeePass can also open a password-protected FTP URL and will upload on save, but FTP sends the credentials in the clear, so it's best to treat the work copy as read-only.
Now all I needed was a KeePass client for iOS that also supported Dropbox.
Because I opted for the 2.x version of KeePass rather than the “classic” 1.x, there was only one applicable KeePass client for iOS: iKeePass. But based on the iKeePass reviews, it was buggy, crashed often, and the UI needed work. Slim pickings, beggars can’t be choosers. (I was regretting going for KeePass 2.x, because PassDrop looked like a thing of beauty for the 1.x version.) After all the research, it was time to plop down my $0.99 on iKeePass. It was 10am on July 31. I’m not sure what compelled me, but I made one last search on the iTunes store. Imagine my surprise to find that a new player had suddenly entered the race mere minutes before: MiniKeePass. What timing! It supports 2.x, Dropbox, and even has a UI that was very similar to the desktop client (not to mention PassDrop). Jackpot! And the real kicker: FREE. (Look, another “cheap bastard” sighting.)
When a database is opened in MiniKeePass, it prompts for the master password. It can add that password to the iOS keychain so that you never have to enter it again, but I opted to disable that feature: once the master password lives in the keychain, anyone who can unlock the phone can open the database. I knew what I was getting into when I created such a long master password, so I decided to keep security stringent. The database stays open and accessible for as long as you are "in it"; as soon as you drop back to the pick-a-database screen, you have to re-enter the password. As an added bonus, MiniKeePass also has the option to protect the app with a PIN code that kicks in after a set timeout.
If I had any MiniKeePass complaint, it would be that the password file is treated as an import rather than as a native Dropbox file. I like that this gives me offline access for free, but I don't like that edits can be made which aren't immediately pushed back to the original source copy. There is an "export", analogous to "Save As", but I'd prefer an auto-save back to Dropbox. Nor is there any attempt to re-import from the Dropbox source if that copy is newer, so it's up to you to notice that the two copies have diverged. [The authors promise full Dropbox integration in future releases.]
The above observations aside, I'm very pleased with this cross-platform setup so far. No matter how I may tinker, the new scheme does everything I wanted and needed, and it is great that it is all free. Granted, it's only been a week, and in fact only one day under MiniKeePass. But I like what I see; I think MiniKeePass is killer, certainly compared to the competition. If you have an iPhone/iPad and already use KeePass 2.x, it is a must-download that belongs in your toolbox.
Update: It’s been over a month now and I’m not one bit dissatisfied. I have KeePass syncing across multiple PCs using Dropbox, with MiniKeePass pulling it down to iPad/iPhone. I’ve heard about a KeePassSync plug-in, but have had no motivation to check it out.
The latest version of MiniKeePass supports keyfiles – which seems to be an absolute rarity for mobile implementations – so I will see if I can mobilize my corporate kdbx as well.
August 11th, 2011 on 5:21 pm
Very good article, thanks for the effort. Let's hope (and let's ask) that they add automatic Dropbox sync: for now it is a big limitation.
August 11th, 2011 on 9:33 pm
Thanks. I already bugged them about it, and they confirmed they are working on it for the next release. I hope so.
August 29th, 2011 on 1:12 am
Another new application is available: KyPass.
August 30th, 2011 on 8:03 am
Yup. KyPass is a “takeover” of the abandoned MyKeePass, with support for 2.x files. $2.99 on the app store.
August 30th, 2011 on 4:10 pm
What do you think about Passwordmaker?
http://passwordmaker.org/
August 31st, 2011 on 9:15 pm
For those that don’t know, PasswordMaker is a hash-based password generator that creates repeatable non-reversible complex passwords using only your own “master password” and a string unique to the resource you are securing (typically the URL of the site). The advantage is that there is nothing to store. In theory.
PasswordMaker is good. It has a web service that solves a key problem of not having to install anything if you don’t want to. And plenty of clients on multiple platforms. But it was not for me.
The general problem with hash-based schemes is that if the "string" changes, the password does too. What happens when your Washington Mutual online banking gets bought by Chase? The URL could change even if your account didn't, so you have to remember to use the old URL string for the algorithm.
The other problem is that the hash algorithm creates the same ‘style’ of password (size, character set, etc) for all. If you run into a site that does not accept that style, you’ll have to tweak the algorithm’s output which will end up changing what is produced for all others. PasswordMaker gets around that by allowing you to create groups that apply different algorithm criteria based on the resource. But to duplicate the algorithm behavior on PC, Mac, iPhone, etc you have to duplicate these multi-group settings precisely or else the generated passwords will not match across platforms.
And when all else fails, PasswordMaker lets you store fixed passwords and share them via their web site. But isn’t “no need to store anything” supposed to be their differentiating feature?
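An added example (written for this post; a simplified scheme of the same kind, not PasswordMaker's actual algorithm) that makes the two objections above concrete: the output is recomputed from the master password plus a resource string, so a changed URL silently yields a different password, and the "group" rules that shape the output must be identical on every device or the passwords won't match. The `settings_fingerprint` helper is the check a practitioner would want before trusting a second device: compare the fingerprints first. The group settings, the iteration count and the site strings are assumptions made up for the example.

```python
import hashlib
import json
import string
from typing import Dict

# Added example, not PasswordMaker's own algorithm: a minimal hash-based
# password scheme.  Nothing is stored; the password is recomputed every time
# from the master password and the resource string (normally the site URL).

# Assumed group settings for the example, not PasswordMaker's defaults.
GROUPS: Dict[str, dict] = {
    "default": {"length": 16,
                "charset": string.ascii_letters + string.digits + "!@#$%^&*"},
    "alnum-only": {"length": 12,
                   "charset": string.ascii_letters + string.digits},
}

PBKDF2_ROUNDS = 20_000  # assumed; slows down guessing of the master password


def generate(master_password: str, resource: str, group: str = "default") -> str:
    """Derive a site password.  The resource string is the salt, so the same
    master password gives unrelated outputs per site, and any change to the
    resource string (a new URL after a merger) changes the result."""
    rules = GROUPS[group]
    charset = rules["charset"]
    digest = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 resource.encode("utf-8"), PBKDF2_ROUNDS, dklen=32)
    # Convert the 256-bit digest into base-len(charset) digits; 16 symbols
    # from a 70-symbol set consume about 98 bits, well within the digest.
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(rules["length"]):
        n, idx = divmod(n, len(charset))
        out.append(charset[idx])
    return "".join(out)


def settings_fingerprint(groups: Dict[str, dict] = GROUPS) -> str:
    """Short hash of the group rules.  Compare it between PC, Mac and phone
    before relying on them to produce the same passwords: any difference in
    length or character set changes every generated password for that group."""
    canonical = json.dumps(groups, sort_keys=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()[:16]


if __name__ == "__main__":
    # Constructed sample inputs.
    master = "a long master password"
    old_bank = "https://online.wamu.example"
    new_bank = "https://online.chase.example"
    print("old URL :", generate(master, old_bank))
    print("new URL :", generate(master, new_bank))           # differs
    print("alnum   :", generate(master, old_bank, "alnum-only"))
    print("settings:", settings_fingerprint())
```

Keep the resource string you originally used (the old URL) in a note if the site moves, and compare `settings_fingerprint()` across devices before concluding that a login failure is the site's fault rather than a mismatched group definition.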
September 1st, 2011 on 10:41 am
Hi,
Thanks for the detailed opinion!
About the first problem: in case the URL changes I just change the password. Changes like that are not very common though, and you should change passwords every now and then anyway. Which, by the way, raises one problem with Passwordmaker's approach: if you must/want to change your password, it's not that convenient because it depends on the URL or your username, which don't change.
The character set and size problem is a more annoying one. Sticking to alphanumeric passwords has saved me from all problems regarding the character set, but I've run into some sites that don't allow long passwords... well, there are not many of those, to be honest.
I like Passwordmaker a lot, but it's still not an all-in-one solution for me. I use it mainly for all the various forums and websites I'm using. For my bank account, primary email and shell account I'm still using my own head and would never outsource them anywhere.
April 26th, 2012 on 3:58 am
Yeah, I heard about MiniKeePass. Actually, I am using a jailbroken iPod touch, and I just want to know: is it really safe to use MiniKeePass on a jailbroken device? And is this app really safe in itself?
Looking for your response.
Thank You !
April 26th, 2012 on 7:19 am
I don’t jailbreak, so I can’t answer for certain. But unlike most other apps, you can know exactly what the program is doing by reviewing the source code. I certainly trust the developers and their AppStore version. Do you trust Cydia? (Which I personally believe is an “Android Marketplace” accident waiting to happen…)