There is no denying the math, but until biometrics and multi-factor authentication become more prevalent, alphanumeric passwords are here to stay no matter how deceased they may actually be. But mathematics aside, it is the human aspect that is the far greater threat to password security.

Luckily, tools such as KeePass – which provide a central database in which to store totally random complex passwords – can be used to offset the exploitabilities of the human element. The database is strongly encrypted (optionally multi-factored), and every resource can have its own unique, randomly-generated, complex password. Best of all, the cut & paste process means there isn’t ever a need for the user to even know what the password may be. Simply let KeePass generate something for the account, and blindly paste the copied value when you need to use it.

But if you are a heavy KeePass user, you probably keep the application open at all times. This is the equivalent of putting all your passwords on a PostIt note affixed to your monitor. If you stepped away from the workstation without locking it, someone could read all your password entries or even use SaveAs to make their own cracked copy of the entire set.

For this reason, unless you live and work alone, I strongly recommend that a workspace-lock be enabled on your KeePass installation. KeePass has a number of workspace-locking options, but none of them are enabled by default. You can lock after a certain amount of KeePass inactivity, workstation inactivity, whenever the app is minimized, when suspend mode kicks in, or when the (Windows) system auto-locks via screensaver.

A locked workspace requires you to reconfirm your pass phrase and/or key file before KeePass can be accessed again. It’s a bit faster than exiting & restarting the app each time – though that is in fact one of the lock options. But some measure of workspace lock is worth the slight inconvenience. Pick one and use it. You’ll be safer for it.

Share/Bookmark

“Now I have a wordy histogram to remind nerds the value equating halfbaked spatial diameters and Pi run nineteen long digits, an actual ‘piem’.”

That equates to 3.14159265358979323846264.

I did this to impress my friends and win bar bets.

Neither of which happened.

As one would, in retrospect, expect.

Happy Pi Day!

Share/Bookmark

Rumors abound with Apple. And because they are so tight-lipped about product release schedules, no one (who doesn’t work for Apple) will truly know for certain until the big unveiling. Tech journals are filled with unverifiable hints from supply chain partners and “sources familiar with the situation”, and everyone is eating it up in anticipation. Slow news day? Let’s throw out an Apple rumor to keep people interested!

Since your guess is as good as mine, I thought I would add my own random predictions to the mix. And random it truly is.

Introducing the “Apple Prediction Generator”.

All done in jest. No truths implied to named media outlets or unnamed sources. But isn’t it interesting how some generated quotes actually resemble real-life headlines? I’m just sayin’…

Share/Bookmark

My favorite songs of 2011? After seeing the BET “Top 100″ (where everything by Beyonce, Rhianna, Jay-Z, Kanye, Nicki Minaj, or Drake was apparently a winner), or the hipster lists from Spinner and Wired (which seem to go out of their way to ignore lamestream artists), I decided to take a look at my iPod’s most-played list and filter for all the releases of 2011. I’m not embarrassed to admit to having some Top40 in there:

1. The Airborne Toxic Event – Welcome To Your Wedding Day
2. The Black Keys – Lonely Boy
3. Adele – Rolling In The Deep
4. Christina Perri – Arms
5. Mumford & Sons – The Cave
6. Mayer Hawthorne – The Walk
7. Two Door Cinema Club – What You Know
8. Ra Ra Riot – Boy
9. Tom Waits – Satisfied
10. Super Heavy – Miracle Worker
11. Gotye – Somebody That I Used To Know
12. Sara Bareilles – Gonna Get Over You
13. Snow Patrol – Called Out In The Dark
14. The Joy Formidable – Whirring
15. Gavin Degraw – Not Over You
16. Florence + The Machine – Shake It Out
17. Wilco – One Sunday Morning
18. Maroon 5 – Moves Like Jagger
19. Everything Dies – El Mariachi Bronx
20. The Kooks – Junk Of The Heart
21. Death Cab For Cutie – You Are A Tourist
22. Raphael Saadiq – Stone Rollin’
23. One Republic – Good Life
24. Katy Perry – Firework
25. Guster – Do You Love Me

The only artist that all four lists have in common is Adele. (And she can be found on pretty much any 2011 compendium out there.) Perhaps a preview of things to come for the Grammys in Feb, with a consensus “Artist of the Year”, and maybe “Song of” and “Record of the Year” for “Rolling In The Deep”…

Share/Bookmark

Now, to experienced MiniKeePass users, this may seem entirely intuitive. But I remember when I first installed MiniKeePass there was a brief moment of questioning, so I guess it would be a worthwhile public service to expand on that small bit of detail.

What Is KeePass?

As a refresher, KeePass is a cross-platform (Windows, Linux, Mac) open-source password manager that enables you to safely lock away your multitude of passwords in a single location. Putting all your eggs in one basket may seem like a risky proposition, but AES & Blowfish encryption helps to make it practically close to uncrackable.

KeePass can use “two-factor authentication” to protect your personal data – something you know (a master password) and something you have (a key file). You can define a password database to require one, the other, or both in tandem for accessing your treasure trove. Needless to say, using both offers the strongest form of security. (Even if your master password is cracked, they still can’t do diddley unless they also have the key file.)

The idea is that when prompted for a password from a web site or program, you would simply bring up the KeePass app and right-click on the entry to select “Copy Password” (Ctrl-C shortcut). The copied password will remain in the cut-buffer for a brief period, so head back to the original app and paste it in.

KeePass uses a tree-view model to display your password entries hierarchically. You can arrange the order of the “folders” and “items” by using the Alt-Up/Down arrow keys. After adding/deleting entries or re-arranging their order, you would “Save” to update the database.

Using KeePass With Dropbox

Saving the KeePass password data creates a .kdbx file. Normally, one would store these files on the local operating system (eg, in your My Documents or home directory). But if you want to share this password data on multiple machines (and take advantage of the KeePass cross-platform feature), you can store them on your Dropbox drive instead.

Dropbox adds “cloud storage” to your local system. You must be Internet-connected to access, but while you are online you have 2G of free space for storing anything, including kdbx/key files. Dropbox also caches your files, so on the off chance that you have lost Internet connectivity, you’ll still have access to the files as of when disconnected. When you load Dropbox on another machine and login to your account, you’ll see the same KeePass files that were deposited by the source machine.

In fact, “source machine” may be a bit of a misstatement because Dropbox allows any logged-in system to access/update the kdbx database. Technically, the last machine to update could be considered the “source”. You are going to have to keep track of how/when you make changes to password info. If KeePass is open simultaneously on multiple machines, neither will automatically detect changes made from the other as long as the kdbx file is kept open. For this reason, I would strongly encourage making one system the primary from which all changes are made.  Then you would just reload the file on all secondaries.

Using MiniKeePass

MiniKeePass is an iOS implementation of the KeePass software. It runs on the iPhone (or iPod Touch), and in non-tablet mode on an iPad.

Worried about MiniKeePass security? It uses the same algorithms as the desktop KeePass, plus it adds a PIN code for additional mobile safety. And if you have any doubts about secret backdoors or bad programming, it is open-source and you can inspect the code if so inclined.

As with the desktop version, you use MiniKeePass in parallel with any password-prompting app. Use the task switcher to bring up Mini and copy the password into the buffer, then switch back to paste it into the app which was waiting for authentication. One difference from the desktop version is that there is no right-click in iOS: you tap the password and select “Copy” rather than the “Edit” that you would otherwise use for updating.

MiniKeePass also differs from KeePass in one other very significant way. iOS devices do not have a “file system”; they have storage allocated for an app’s use, but it cannot be accessed like a drive or directory. In this sense it is more like the Windows Registry, available to the app but not directly to the user.

This storage is a secure sandbox for that app and that app alone. So when you create or access a kdbx/key file in MiniKeePass, you are doing so within the memory structure of the program, not in some globally accessible file system. There is no “Save” function – all changes are immediately applied to kdbx database in local storage.

I’m guessing most people use MiniKeePass as an adjunct to KeePass running on their preferred desktop platform, desiring to load their database from another source. However, if you want to use *only* on the iPhone/iPad, there is nothing preventing it. To start with a new kdbx, press the + icon. But as explained, this newly created file will only exist in MiniKeePass – not visible to other apps. (Also note: because the edit capabilities are a little lighter on the iDevice, unlike the desktop version, you don’t have the ability to re-order the folders/items: you are pretty much limited to a FIFO order of how they were entered.)

Using MiniKeePass With Dropbox

Although iOS does not have a file system per se, Apple users have been using Dropbox to simulate one. And MiniKeePass benefits indirectly as a result. I say indirectly because although MiniKeePass understands Dropbox, it does not interface to it natively. This is, I believe, a major source of both confusion and frustration with the product: in as much as MiniKeePass “supports” Dropbox, it treats it as a source for import/export, not as a local filesystem.

1. To load a kdbx/key file from Dropbox to MiniKeePass, you navigate to the stored location within Dropbox and tap on the file.
2. Dropbox will respond dumbly that it does not know how to open a file of that type. “Sorry, this document can’t be viewed.” Great. Now what?
3. If you click on the Export icon (rectangle with an arrow), you will find that MiniKeePass has been installed as an import handler. Selecting MiniKeePass will trigger an import.
4. When you next visit the MiniKeePass home screen, the imported file(s) will appear.

The key takeaway here is this concept of the import/export process. If you don’t keep this idea firmly in mind, you’ll just find yourself frustrated and confused:

• When you make changes on the iDevice, they remain local to the app. Even if the source was originally from Dropbox, it will not make its way back to Dropbox until you export it from MiniKeePass (similar rectangle-with-arrow icon).
• If password changes are made from another system, MiniKeePass will not notice them even if Dropbox has already sync’d the updated copy to the iDevice. You need to refresh Mini’s local copy by re-importing from Dropbox.

The MiniKeePass developers have told me that full [direct] Dropbox support is on their ToDo list, but until then, remember that their kdbx/key storage is localized.

I wouldn’t anticipate future Mini to do what even KeePass does not – ie, support simultaneous write access and concurrent update detection – but I would at least hope that it will detect any updated Dropbox-sourced files at startup…

Share/Bookmark

Depending on who you are talking to, the task of network monitoring can mean bandwidth, traffic analysis, packet inspection, performance, or uptime.

What follows is by no means a complete listing of possible applications, but an explanation of which sample tools could be considered appropriate for the task at hand.

Bandwidth

Sample MRTG Graph

Bandwidth is the throughput that a particular network connection can support. For example, a bonded 2xT1 Internet connection has a max bandwidth of approximately 3Mbps (2x 1.544). Whereas a laptop NIC might support 100Mbps, and a switch interlink could clock in at 10Gbps.

So bandwidth monitoring is knowing how much of the available allotment any one particular port is using. This measure is typically represented as a strip chart with peaks and valleys. Tools such as MRTG (open-source), Cacti (open-source), PRTG (trialware), and Dell OpenManage (OEM bundle) use SNMP to query the built-in port counters of switches and routers to provide a graphical view (and running history) of your port utilizations.

For simple port-to-device mapping, you would be measuring the traffic that a single host is using. Yet for a firewall’s connection to the Internet, you would be measuring the aggregate usage for all your online users, possibly even including inbound remote VPN.

It is the connection to the Internet that is often the first target of measurement. If you oversee a 3M pipe and you have a monitoring system in place to know that it is consistently saturated, then you can use that as justification to management for increasing the size of your connection.

But in the above graph, what is the make-up of the traffic? Who is doing what? SNMP port utilizations take a simple-minded all-bits-are-the-same view. You know that a lot of something is happening, but nothing specific. If the port of a desktop is showing high activity, how do you tell if it is a CIFS file copy vs a BitTorrent download? And if too many users are visiting inappropriate web sites or streaming audio, maybe identifying and curtailing that activity would be more cost-effective than simply upgrading the Internet speed. But how would you find out?

Traffic Analysis

Sample PRTG TopList

An analysis of the specific traffic goes deeper than SNMP’s all-bits-equal view. It provides a more detailed breakdown of port activity based on protocol and source/destination information, presented in bar chart, pie chart, or % tabular form.

To obtain a detailed traffic analysis, you need a device on your network segment that is listening to all activity, not just those packets destined as its own. A NIC configured in this manner is said to be in “promiscuous mode”. A Unix/Linux box with such an eavesdropping NIC can use the open-source NTOP program to show top network activity. (NTOP is similar to the on-the-same-host TOP process monitoring tool.)

Another method of capturing this aggregate data involves a switch that is configured to duplicate switch traffic and send it to the port where the monitoring node resides. Cisco calls this “SPAN” for “Switched Port ANalyzer”; other manufacturers simply call it port-mirroring. A network sniffer sensor, such as the one provided by PRTG, can be used to analyze this cacophony of traffic and produce easy-to-understand lists and graphs that show how bandwidth is being consumed.

Lastly, sFlow or NetFlow records can be used to deliver traffic-flow measurements to a remote monitoring device. As routed traffic, the advantage of flow monitoring is that the collector can be indirectly connected to the network that it is monitoring (rather than on the same switch or subnet). PRTG (trialware) and SolarWinds Orion NTA (commercial) offer NetFlow collectors that can produce wonderful eye-candy.

Packet Inspection

Sample WireShark Output

Packet inspection is the hardcore version of traffic analysis. A “network protocol analyzer” – also known as a ”sniffer” – utilizes a NIC in promiscuous mode to capture every packet on the wire. It reassembles all the frames and allows an administrator to view them in the context of sessions between source and destination. Not for the faint of heart, sniffers expose all the gory bits-and-bytes innerworkings of TCP/UDP packets and Ethernet frames.

WireShark, formerly Ethereal, is the classic open-source tool for deep inspection. While it is not known for its management-friendly colored graphs, it does give the network administrator an in-depth view of exactly what is going on with the network from the Application layer (HTTP, IMAP, etc) all the way down to the Data Link layer (MAC addressing). It is the gearhead’s ultimate debugging tool.

Performance

Sample SmokePing Graph

Performance of the network is measured in terms of packet loss (number of times a packet was lost in transit), latency (typical time for a packet to go up and back), and jitter (the standard deviation across all latency measurements). For applications such as VoIP, details like a packet loss profile of the network is every bit as critical as measuring pure bandwidth.

SmokePing is an example of an open-source tool that provides such metrics. It is in some sense a cousin of MRTG, which is appropriate considering their shared RRDtool lineage. Yet instead of total bandwidth, the spikes of the strip chart represent latency (round-trip time) against a baseline of packet-loss, with the gradiant wisps of ‘smoke’ indicating the amount of jitter.

Uptime

Sample Nagios Status Screen

Uptime monitoring of a network allows the administrator to see – and more importantly, be notified – when a network-connected device goes offline. These tools typically support not just ICMP “ping” detection, but port-specific connectivity for measuring HTTP, SMTP, and other application/service responsiveness.

Nagios (open-source), Zenoss (open-source), and SolarWinds ipMonitor (commercial) are great examples of this kind of tool. You can define service groups, contacts, and escalation rules. And you are able to monitor system internals performance (such as CPU load, RAM, disk space, etc) in addition to whether the port or protocol is “pingable”.

These systems can provide a geographic overlay map-based view of your enterprise, and also understand the concept of dependencies such that if a switch goes down, you will only be alerted about it – not overwhelmed by the screaming horde of unreachable hosts that might be hiding behind it.

Which Is Right For You?

With all the choices available, there is no one correct selection. Yet I would never suggest using SmokePing for deep packet inspection, and that was the main point of this overview: the right “network monitoring” tool for the right “network monitoring” task. But within the scope of, say, bandwidth monitoring, the choice of Cacti vs MRTG vs something else becomes a personal preference.

You could elect to go best-of-breed and have multiple small tools, or you could try for the kitchen-sink approach and get one tool that does many things. But there are trade-offs with the latter, and you need to be aware of the capabilities before getting too far down the garden path. For example, Nagios is famous both for its complexity in setting up, and its extensibility in making it do whatever you need via plug-ins. You could use Nagios to monitor bandwidth, but doing so requires MRTG and the check_mrtgtraf plug-in, so you are not really gaining a kitchen sink solution after all.

Zenoss is a bit more of a one-stop-shop in that it has built-in MRTG-like graphs and histories, as well as WMI host performance monitoring, a rudimentary CMDB, and event monitoring via SNMP traps and Syslog centralization.

And PRTG is very much like the all-encompassing Zenoss, except running on Windows. It likewise supports SNMP traps & polling, centralized event logging, and WMI queries, plus adds WBEM, SOAP/REST, and NetFlow/sniffer sensors.

I have used all of the above apps and would not fault the choice of any. But I must admit that I am a very big fan of the kitchen-sinky PRTG. The AJAX web interface is among the most impressive UIs that I have ever seen. They suck you in with 10 free sensors, and when you find out everything it is capable of, you are going to start wanting to spring for more…

Share/Bookmark

Likewise, the iPad was equally revolutionary in it’s positioning as a re-imagined PC alternative and Internet/media consumption device.

These were paradigm shifts. Nothing since then – whether from competitors or Apple’s own evolutionary releases – carry the gravitas that would allow anyone to call them similarly “revolutionary”.

Yet “not revolutionary” has been the charge levied – unfairly, in my opinion – against releases such as iPhone 3GS, iPad 2, and iPhone 4S. To my way of thinking, “revolutionary” is a difficult goal to achieve for any well-entrenched product line. And it got me to thinking: what would make for a “revolutionary” jump in mobile devices?

• A capacitive multitouch display that also had solar charging capabilities? (Not just a solar cell on the back, but one integrated into the touchscreen?)
• A pico projector and integrated laser-projection keyboard?

What do you think? Take a moment to participate in this thought experiment. Beyond simply “bigger, faster”, what next technology iteration would make a mobile device be worthy of the label “revolutionary”? Please comment!

Share/Bookmark

For months leading up to the 2011 iPhone release, speculation was running rampant. One oft-repeated rumor centered around the idea that Apple would introduce a low-cost less functional smartphone that targeted the feature-phone crowd (to be called an “iPhone 4S”), and the next rev of the product evolution aiming for the power users (to be called “iPhone 5″).

At the end of the big reveal, Apple did just that. Sort of.

The fact that their low-cost phone was simply a re-pricing of current models should be irrelevant. The low-cost expectation was met – can’t get lower than $0. As for “less functional”, while it will run iOS 5.0, it probably won’t be powerful enough to run some of the more advanced features such as Siri voice recognition. But for the feature-phone crowd, cost trumps all.

Meanwhile, their next-gen is a “world phone” with a dual-core CPU running twice as fast as the previous model, 7x the graphics performance, 64G of storage, an 8MP camera with 1080P full HD video, increased battery life, first-in-class voice recognition, and a dual-band dynamic antenna system that promises to squeeze 4G performance out of 3.5G HSPA+ networks.

Despite substantively meeting the early prognostications, reaction was – yawn – surprisingly negative. And much of the criticism seemed to be superficially related to the fact that Apple’s product naming did not meet the “4S” vs “5″ expectations:

Apple unveils iPhone 4S; but no iPhone 5

Apple iPhone 5? Nope. It’s the 4S

Apple iPhone 5 Not Released, iPhone 4S ‘Just Not Good Enough’

iPhone 4S, Not iPhone 5, is Featured Device at Apple Event

No Apple iPhone 5: Major Disappointment, or A Lesson in Hype?

Everyone seemed to be thrown by naming the “next-gen” phone using the label that they had erroneously attributed to the low-cost model. Had Apple called it “5″, would a majority of the reactions possibly have been colored differently? Why so focused on a name?

That “lesson in hype” headline is a particularly worthwhile read. The author rightfully points out that there was no hype. Apple was mum throughout. The “hype” was really “media anticipation” in absence of hype. But let’s go with that premise anyway… Is the next-gen phone worth the “hype”? In many peoples’ estimation, no. Why? Because the “4S” is not “revolutionary”, only “evolutionary”.

Sorry, but what is revolutionary about the ‘missing’ features of an alternative case design? NFC? 4G? Larger screen? These are all things that various competitors currently sport. Features worthy of debate, certainly, but hardly worthy of any revolutionary label.

I’ve said this before, but the only revolutionary phone was the iPhone1, just like the only revolutionary tablet was the iPad1. Both went where no device had ever gone before, carving out a market where there once was none and inspiring competitors who try to match their design and features. The revolution beyond those initial releases will come from the iOS software, not the hardware. The only time I’ll call the next iPhone revolutionary will be if it doubles as a microwave or some other unexpected integration.

The “4S” is still a great piece of engineering, and those who can see beyond a skin-deep name & unchanged case should be pleased. Am I buying one? Probably. I certainly won’t be joining anyone in line on Oct 14, but I will get it eventually. And not because it is hip, cool, or “revolutionary”. No, it will be because it has useful features that allow me to get things done quickly and with the least amount of friction, with the impeccable Apple eye for design, quality, and cohesive integration.

Regardless of whether it is named “5″, “Desire”, or even “iPhone 2011″.

“Doff thy name, and for that name which is no part of thee, take all myself.”

Share/Bookmark

So now I have a wallet with ID, credit cards, and high-use “rewards cards” in one pocket, and a bumpered iPhone in the other. Cash/coins and sometimes even keys are optional, but I never leave the house without both the phone and the wallet. So why not combine them? This was the premise behind 12 South’s BookBook.

Based on the success of their MacBook and iPad covers, they came out with a “pocket Bible” sized antiqued leather case – but this one can also act as a wallet. Bibliophiles would be smitten by the bookish resemblance, but honestly I could have cared less. I just liked the consolidation idea. There are other wallet-ish iPhone cases, but for me a driver’s license window was mandatory, as well as the ability to hold more than just one or two cards. I intend this to be my everyday wallet, not a stripped-down “night on the town” pinch-hitter.

BookBook is extremely well made. Very sturdy leather construction; I don’t see it falling apart any time soon. It holds the iPhone with speakers & ports accessible (though you have to slide the phone up to clear the lens from the case for photos).

On the wallet side, there is room for my driver’s license, auto club card, multiple debit/credit cards, a couple rewards cards, and even a thick HID building access card. Oh wait, what’s that you say? There’s an app for that? Why yes, yes there is. CardStar allowed me to electronically store all my rewards cards, and even my AAA card. So what’s the toteboard say now? “Driver’s license, multiple debit/credit cards, and even a thick HID building access card.” And the fit is no problem for the BookBook.

So how is it working out? Well, I must admit that I have to retrain myself a bit. There are times – such as working in the server room – where I have set “the phone” down. I must remember that I also just set my wallet down, and there is nothing in my back pocket anymore. A couple times now I’ve locked myself out because my HID card key is still sitting next to the console right where I left “the phone”. But I’ll get over that. I learn, eventually.

No, the bigger issue is answering the phone when in a hurry. When not pressed for time, it is easy to double over the book jacket and hold the sheathed phone to my ear. But when scrambling to answer, I feel quite foolish holding an open book against the side of my head.

Share/Bookmark

Call it “do as I say, not as I do”, the Cobbler’s Children syndrome, or just simple laziness, but despite the best of intentions I was not following my own advice. I rotated between a small list of re-used passwords and trusted that a bit of variability in username combinations would be enough to protect me. But I was kidding myself. An incident was probably inevitable.

Before I tempted fate, it was time to walk the walk. I decided that I needed a significant change; I didn’t just want a new mnemonic-based scheme whose pattern someone might be able to figure out. What I needed was true random password generation along with a password management tool that eliminated the need for me to memorize anything. But the big hurdle? Multi-platform support, since I needed to encompass not only my PCs (home and work), but iPad and iPhone. And a browser-plugin was out of the question because of security and my use of multiple browsers.

A cloud-based management tool could be just what the doctor ordered. But I have a few reservations about reliance on a remote service, namely: a blind faith in their security model and a need for offline support when the network was not available. Plus there are the usual concerns over the lock-in on a service that could disappear completely, something you’d ponder with any cloud opportunity. And with the recent breach at LastPass, I decided that a pure-play cloud solution was not for me.

I needed something where the encryption was proven reliable. Where the cloud was my sync tool, but not my security provider – something where I could keep an offline copy of the password database, but use the Internet as a transfer tool between devices. Certainly I could use my own web site to host the password database, but I preferred the idea of a sync tool that could handle multiple updates to a situation where I have to manage changes and post via FTP. 1Password‘s use of Dropbox hit the mark, but I’m a cheap bastard; $15 for the iOS app, and another $40 for each Win/Mac license didn’t strike me as equitable. (If it were me, I’d charge for the Win/Mac apps, but use the mobile versions as freebies that lure you in.)

Enter KeePass and Dropbox.

KeePass was a no-brainer, an open-source password manager that runs on a variety of platforms. It can manage all info (passwords, bank accounts, credit cards) and can even be used to generate random keys. You use cut/paste to transfer the credentials to any awaiting app without even needing to see what they are. It supports a password database that can be protected by any combination of master password, key file, and/or association with a Windows GUID/login. (However, word of warning: stick with the master password only, because mobile clients can’t deal with the latter two.)

As for syncing database files between devices, Dropbox to the rescue! There are native filesystem Dropbox clients for Win/Mac, and even versions for iOS that don’t technically have a filesystem. (For iPhone/iPad, Dropbox essentially *is* your filesystem.) I elected to put my sync’d database in my Public folder, which may seem contrary to good security. A Dropbox public folder is accessible by anyone on the Internet, not just another Dropbox user. So why am I putting my password stash there? Dropbox has a known exploit whereby an installed config database can be copied to any other machine and grant access to that user’s storage without their Dropbox password. I’m not so much concerned about my password database(s), but rather all my other sync’d files; I didn’t want to leave a config database exposed on my work PC. So instead of requiring a Dropbox install on a machine I didn’t own, I opted to use the KeePass “Open via URL” feature while at work. But my password database needed a URL. If I had put it in a “shared folder”, only the directory is assigned a URL. The only way Dropbox files have a direct URL are if they are in the Public folder. Is it a bit of a risk? Yes, but the mapping to my user-id is not common knowledge, nor are the filenames I use for the databases. And any KeePass database is encrypted with a very long master password, so good luck with that. Although not with Dropbox per se, I could have used a password-protected FTP URL and KeePass will upload upon save, but FTP is not secure; best to consider the work copy as read-only.

Now all I needed was a KeePass client for iOS that also supported Dropbox.

Because I opted for the 2.x version of KeePass rather than the “classic” 1.x, there was only one applicable KeePass client for iOS: iKeePass. But based on the iKeePass reviews, it was buggy, crashed often, and the UI needed work. Slim pickings, beggars can’t be choosers. (I was regretting going for KeePass 2.x, because PassDrop looked like a thing of beauty for the 1.x version.) After all the research, it was time to plop down my $0.99 on iKeePass. It was 10am on July 31. I’m not sure what compelled me, but I made one last search on the iTunes store. Imagine my surprise to find that a new player had suddenly entered the race mere minutes before: MiniKeePass. What timing! It supports 2.x, Dropbox, and even has a UI that was very similar to the desktop client (not to mention PassDrop). Jackpot! And the real kicker: FREE. (Look, another “cheap bastard” sighting.)

MiniKeePass options screen

When a database is opened in MiniKeePass, it prompts for the master password. It can add that password to the iOS keychain so that you never have to enter it again, but I opted to disable that feature. I knew what I was getting into when I created such a long master password, so I decided to keep security stringent. The database is open and accessible for as long as you are “in it”. As soon as you drop back to the pick-a-database screen, you will have to re-enter the password. As an added bonus, MiniKeePass also has the option to protect the app with a PIN code that kicks in after a set timeout.

If I had any MiniKeePass complaints, it would be that the password file is treated as an import rather than a native Dropbox file. I like that this sets up an automatic offline capability, but I don’t like the fact that edits can be made which aren’t immediately pushed to the original source copy. There is an “export”, analogous to “Save As”, but I’d prefer an auto-Save back to Dropbox. Nor is there any attempt to re-import from the Dropbox source if it was newer. [The authors promise full Dropbox integration in future releases.]

The above observations aside, I’m very pleased with this cross-platform setup so far. No matter how I may tinker, the new scheme can do all I wanted/needed, and so great that it is all free. But it’s only been a week, and in fact only one day under MiniKeePass. But I like what I see; I think MiniKeePass is killer, certainly compared to the competition. If you have an iPhone/iPad and already use KeePass 2.x, it is a must-download that belongs in your toolbox.

Update: It’s been over a month now and I’m not one bit dissatisfied. I have KeePass syncing across multiple PCs using Dropbox, with MiniKeePass pulling it down to iPad/iPhone. I’ve heard about a KeePassSync plug-in, but have had no motivation to check it out.

The latest version of MiniKeePass supports keyfiles – which seems to be an absolute rarity for mobile implementations – so I will see if I can mobilize my corporate kdbx as well.

Share/Bookmark