I always advise users to create hard-to-guess passwords, never re-use them across sites, and change them semi-regularly. The push-back I get is that it can be a daunting task to try to remember a myriad of constantly-changing credentials, no matter how good the mnemonic techniques may be. But one look at the growing list of high-visibility break-ins and security compromises is all you need as incentive. Why make it easy for crackers to jump from one service to another just because you were a victim of limited brain cells devoted to passwords?

Call it “do as I say, not as I do”, the Cobbler’s Children syndrome, or just simple laziness, but despite the best of intentions I was not following my own advice.

I rotated between a small list of re-used passwords and trusted that a bit of variability in username combinations would be enough to protect me. But I was kidding myself. An incident was probably inevitable.

Before I tempted fate, it was time to walk the walk. I decided that I needed a significant change; I didn’t just want a new mnemonic-based scheme whose pattern someone might be able to figure out. What I needed was true random password generation along with a password management tool that eliminated the need for me to memorize anything. But the big hurdle? Multi-platform support, since I needed to encompass not only my PCs (home and work), but iPad and iPhone. And a browser plugin was out of the question because of security and my use of multiple browsers.

A cloud-based management tool could be just what the doctor ordered. But I have a few reservations about reliance on a remote service, namely: a blind faith in their security model and a need for offline support when the network was not available. Plus there are the usual concerns over the lock-in on a service that could disappear completely, something you’d ponder with any cloud opportunity. And with the recent breach at LastPass, I decided that a pure-play cloud solution was not for me.

I needed something where the encryption was proven reliable. Where the cloud was my sync tool, but not my security provider – something where I could keep an offline copy of the password database, but use the Internet as a transfer tool between devices. Certainly I could use my own web site to host the password database, but I preferred the idea of a sync tool that could handle multiple updates to a situation where I have to manage changes and post via FTP. 1Password’s use of Dropbox hit the mark, but I’m a cheap bastard; $15 for the iOS app, and another $40 for each Win/Mac license, didn’t strike me as equitable. (If it were me, I’d charge for the Win/Mac apps, but use the mobile versions as freebies that lure you in.)

Enter KeePass and Dropbox.

KeePass was a no-brainer: an open-source password manager that runs on a variety of platforms. It can manage all kinds of info (passwords, bank accounts, credit cards) and can even be used to generate random keys. You use cut/paste to transfer the credentials to any awaiting app without even needing to see what they are. It supports a password database that can be protected by any combination of master password, key file, and/or association with a Windows GUID/login. (However, a word of warning: stick with the master password only, because mobile clients can’t deal with the latter two.)

Update: MiniKeePass for iOS can now handle key files.

As for syncing database files between devices, Dropbox to the rescue! There are native filesystem Dropbox clients for Win/Mac, and even versions for iOS, which doesn’t technically have a filesystem. (For iPhone/iPad, Dropbox essentially *is* your filesystem.) I elected to put my sync’d database in my Public folder, which may seem contrary to good security. A Dropbox Public folder is accessible by anyone on the Internet, not just another Dropbox user. So why am I putting my password stash there? Dropbox has a known weakness whereby an installed config database can be copied to any other machine and grant access to that user’s storage without their Dropbox password. I’m not so much concerned about my password database(s), but rather all my other sync’d files; I didn’t want to leave a config database exposed on my work PC. So instead of requiring a Dropbox install on a machine I didn’t own, I opted to use the KeePass “Open via URL” feature while at work. But my password database needed a URL. If I had put it in a “shared folder”, only the directory is assigned a URL. The only way a Dropbox file gets a direct URL is if it is in the Public folder. Is it a bit of a risk? Yes, but the mapping to my user-id is not common knowledge, nor are the filenames I use for the databases. And any KeePass database is encrypted with a very long master password, so good luck with that. Although not with Dropbox per se, I could instead have used a password-protected FTP URL, and KeePass will upload upon save, but FTP is not secure; best to consider the work copy as read-only.

Now all I needed was a KeePass client for iOS that also supported Dropbox.

Because I opted for the 2.x version of KeePass rather than the “classic” 1.x, there was only one applicable KeePass client for iOS: iKeePass. But based on the iKeePass reviews, it was buggy, crashed often, and the UI needed work. Slim pickings, beggars can’t be choosers. (I was regretting going for KeePass 2.x, because PassDrop looked like a thing of beauty for the 1.x version.) After all the research, it was time to plop down my $0.99 on iKeePass. It was 10am on July 31. I’m not sure what compelled me, but I made one last search on the iTunes store. Imagine my surprise to find that a new player had suddenly entered the race mere minutes before: MiniKeePass. What timing! It supports 2.x, Dropbox, and even has a UI that was very similar to the desktop client (not to mention PassDrop). Jackpot! And the real kicker: FREE. (Look, another “cheap bastard” sighting.)

[Screenshot: MiniKeePass options screen]

When a database is opened in MiniKeePass, it prompts for the master password. It can add that password to the iOS keychain so that you never have to enter it again, but I opted to disable that feature. I knew what I was getting into when I created such a long master password, so I decided to keep security stringent. The database is open and accessible for as long as you are “in it”. As soon as you drop back to the pick-a-database screen, you will have to re-enter the password. As an added bonus, MiniKeePass also has the option to protect the app with a PIN code that kicks in after a set timeout.

If I had any MiniKeePass complaints, it would be that the password file is treated as an import rather than a native Dropbox file. I like that this sets up an automatic offline capability, but I don’t like the fact that edits can be made which aren’t immediately pushed to the original source copy. There is an “export”, analogous to “Save As”, but I’d prefer an auto-Save back to Dropbox. Nor is there any attempt to re-import from the Dropbox source if it was newer. [The authors promise full Dropbox integration in future releases.]
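Two of the points above (a work copy fetched read-only via “Open via URL” from a public folder, and MiniKeePass copies that can drift from the Dropbox original) both come down to the same question: is the file I just opened the same KeePass 2.x database I saved at home? The script below is an added example, not part of the original post or of KeePass itself; it checks the KDBX/KDB file signature to tell a 2.x database from a “classic” 1.x one and compares a SHA-256 against the hash recorded from the trusted copy. The sample byte strings are constructed (header plus filler), not real encrypted databases.

```python
import hashlib
import struct

# File signatures from the public KeePass file-format description.
# The first word is shared by both formats; the second one differs.
SIG1 = 0x9AA2D903
SIG2_KDB_1X = 0xB54BFB65      # KeePass "classic" 1.x (.kdb)
SIG2_KDBX_2X = 0xB54BFB67     # KeePass 2.x (.kdbx)


def identify_kdbx(data: bytes) -> str:
    """Return '1.x', '2.x' or 'unknown' from the 8-byte file signature."""
    if len(data) < 8:
        return "unknown"
    sig1, sig2 = struct.unpack("<II", data[:8])   # both words little-endian
    if sig1 != SIG1:
        return "unknown"
    if sig2 == SIG2_KDB_1X:
        return "1.x"
    if sig2 == SIG2_KDBX_2X:
        return "2.x"
    return "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_copy(fetched: bytes, expected_sha256: str) -> dict:
    """Compare a fetched/imported copy with the hash of the trusted copy.

    A mismatch means the copy is stale (or altered) and should not be edited
    or trusted as the master; a wrong format means the wrong file was fetched.
    """
    fmt = identify_kdbx(fetched)
    return {
        "format": fmt,
        "is_kdbx2": fmt == "2.x",
        "matches_trusted": sha256_hex(fetched) == expected_sha256,
    }


# Constructed samples: signature + 4-byte version field + filler bytes.
TRUSTED_COPY = struct.pack("<II", SIG1, SIG2_KDBX_2X) + b"\x01\x00\x03\x00" + b"\x00" * 32
TRUSTED_HASH = sha256_hex(TRUSTED_COPY)           # recorded on the home PC
STALE_COPY = TRUSTED_COPY[:-1] + b"\x01"          # same format, drifted content
CLASSIC_COPY = struct.pack("<II", SIG1, SIG2_KDB_1X) + b"\x00" * 36

if __name__ == "__main__":
    for name, blob in [("trusted", TRUSTED_COPY), ("stale", STALE_COPY), ("1.x", CLASSIC_COPY)]:
        print(name, check_copy(blob, TRUSTED_HASH))
```

In practice the trusted hash is written down when the database is saved on the home PC, and the check runs against whatever KeePass or MiniKeePass is about to open elsewhere.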

The above observations aside, I’m very pleased with this cross-platform setup so far. No matter how I may tinker, the new scheme can do all I wanted/needed, and it’s great that it is all free. But it’s only been a week, and in fact only one day under MiniKeePass. Still, I like what I see; I think MiniKeePass is killer, certainly compared to the competition. If you have an iPhone/iPad and already use KeePass 2.x, it is a must-download that belongs in your toolbox.

Update: It’s been over a month now and I’m not one bit dissatisfied. I have KeePass syncing across multiple PCs using Dropbox, with MiniKeePass pulling it down to iPad/iPhone. I’ve heard about a KeePassSync plug-in, but have had no motivation to check it out.