Password Manager

Will Rickards

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,011
Location
Here
Website
willrickards.net
Anybody use a good password manager that makes it easy to share them between machines? A network connection required would be fine. I'm just looking for something secure. I use a plain text file now at home. At work I use Password Safe but its UI is not so great. I need to get these lists synced up. I use Firefox as my web browser, but I don't like to let it remember passwords on my work machine. So something that lets Firefox password lists sync up might work.

Most of the passwords are for websites. Some are for software logins.
These are all personal stuff.

For clients (mostly law firms) we store their remote access information in something a little more secure than a plain text file but not much. If there is something that would fill this need too, that would be great. It needs to be shared by about 25-30 people on a network with various updates, insertions and deletes. We need to be able to store much more than username and password though. We use like 10 different types of remote connection and we need to store what type and the server addresses and lots of other info.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,862
Location
USA
I used to have one, but I can't find it on my hard drive, nor can I remember the name. I do remember getting it from sourceforge, so I took a gander. I couldn't find the one I thought I had, but I did find KeePass - (home page). I downloaded it and gave it a test drive and it seems to work well.

It uses a single file to store passwords. I imagine if you shared this on a network drive, you could share it between machines, but you run the risk of someone else getting the file. I have no idea how hard it is to decrypt, but I peeked inside the file, and couldn't make out a damn thing. :)

KeePass Security Information said:
In this section I will tell you how the databases are encrypted. If you aren't a cryptographer and don't know anything in the security field you won't understand that much. In this case just believe me it's secure ;-)

All databases are encrypted. Currently they are encrypted using the Advanced Encryption Standard (AES/Rijndael), a 128-bit block cipher, using a 256-bit key. I've chosen the CBC block cipher mode. A 128-bit initialization vector (IV) is generated randomly each time you save the database.

In order to generate the 256-bit key for AES the secure hash algorithm SHA-256 (which belongs to the SHA-2 family) is used. The user key (the passphrase the user enters or the binary string in the key-file) plus a random salt is hashed using SHA-256. The random salt is generated randomly each time you save the database and saved in it.

Each time you start KeePass, the program will perform a quick self-test where the AES/Rijndael cipher and the SHA-256 are tested against their correct test vectors.
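
The key handling described in the quoted KeePass text, as an added example (not part of the original post and not KeePass's own code). It assumes "plus" means the user key followed by the salt and a 16-byte salt; `stretched_key` is a contrast using PBKDF2, which the quoted text does not describe.

```python
import hashlib
import math
import os


def derive_key(user_key: bytes, salt: bytes) -> bytes:
    """256-bit AES key: one SHA-256 pass over user key plus salt.
    Assumption: the salt is appended to the user key."""
    return hashlib.sha256(user_key + salt).digest()


def save_header() -> dict:
    """Values regenerated on every save and stored in the file.
    Assumption: 16-byte salt (the text only gives the IV size, 128 bits)."""
    return {"salt": os.urandom(16), "iv": os.urandom(16)}


def key_for_open(user_key: bytes, header: dict) -> bytes:
    """Opening re-reads the stored salt, so the right passphrase
    reproduces exactly the key that was used for that save."""
    return derive_key(user_key, header["salt"])


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


def effective_key_bits(length: int, alphabet_size: int) -> float:
    """The salt sits in the file beside the ciphertext, so it is not a
    secret: the derived key is only as unpredictable as the passphrase,
    capped at the 256-bit key size."""
    return min(256.0, passphrase_bits(length, alphabet_size))


def stretched_key(user_key: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Contrast only (not from the quoted text): PBKDF2-HMAC-SHA256 makes
    every passphrase guess cost `iterations` hash computations."""
    return hashlib.pbkdf2_hmac("sha256", user_key, salt, iterations)


if __name__ == "__main__":
    header = save_header()
    key = derive_key(b"constructed passphrase", header["salt"])  # sample input
    print("same key on open:", key_for_open(b"constructed passphrase", header) == key)
    print("16 random chars from 64 symbols:", effective_key_bits(16, 64), "bits")
    print("8 random lowercase letters:", round(effective_key_bits(8, 26), 1), "bits")
```
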
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
Handruin said:
I have no idea how hard it is to decrypt, but I peeked inside the file, and couldn't make out a damn thing. :)

KeePass Security Information said:
Currently they are encrypted using the Advanced Encryption Standard (AES/Rijndael), a 128-bit block cipher, using a 256-bit key. I've chosen the CBC block cipher mode. A 128-bit initialization vector (IV) is generated randomly each time you save the database.

In order to generate the 256-bit key for AES the secure hash algorithm SHA-256 (which belongs to the SHA-2 family) is used. The user key (the passphrase the user enters or the binary string in the key-file) plus a random salt is hashed using SHA-256. The random salt is generated randomly each time you save the database and saved in it.

AES is a current, highly secure encryption algorithm. A block cipher is appropriate for this kind of data, and a 256 bit key is probably overkill for personal use; quite good for corporate use. It'd probably take years to brute-force a decryption key.

The better (longer, random) the passphrase you use, the better the encryption will be, although if their 'salt' shaker is sufficiently random even a short passphrase should be adequate.
 

Handruin

As you type in a password, it gives you a graphical bar representation of the bit-level encryption. I assume this is to clearly illustrate the longer a password, the stronger the encryption?

Sounds like a decent tool based on your confirmation of encryption level? I don't know if it will suit the needs of Will, but I might start using this for my own needs.
 

Will Rickards

I downloaded it and am trying it out. It looks nice enough for my use. Maybe I'll put the database on my usb flash drive. I'm trying to think of a good password for the master key. I tried the random generator but that was too difficult to remember.
 

Handruin

I agree. I tried a random password and this is what I got:

HIlDc58qwqN_o6A2

I like how it randomizes the generation by either mouse movement, or by pounding on the keyboard.
 

Fushigi

Take the first five words of the second sentence in the third paragraph of the fourth book on your bookshelf. Capitalize every 5th letter and replace e with 3 and o with 0. Use + _ ) ( in that order to replace the spaces.

Or figure some similar goofy thing. As long as you can remember how you derived it you're fine.

The point is to remember how you got the password, not what the password is.
 

Will Rickards

I thought I was going to have to bail on this program.
It was running so slow it was nearly unusable.
And my machine locked up when I went away to give Liam a bath and put him to bed.

I watched the processes in task manager and apparently nod32 really doesn't like this program. It is probably triggering its heuristics or something.
Once I excluded the program directory from being scanned, it cured the speed problem.
 

Handruin

That's a very interesting find. I wonder why it would be scanned so intensely by NOD32?
 

Fushigi

Handruin said:
That's a very interesting find. I wonder why it would be scanned so intensely by NOD32?

I've no real idea, but I could guess the way the prog works might look like a polymorphic virus.
 

Will Rickards

Will Rickards said:
And my machine locked up when I went away to give Liam a bath and put him to bed.

This turns out to be due to bittorrent. I recently installed it to get the latest slackware iso images. And since it takes a while even on broadband, I leave the computer alone and go do other stuff. When I come back the computer is locked: numlock doesn't respond and the screen won't return from being powered down. This is the official client. Anybody use any of the other bittorrent clients and are they any better in this regard?
 