Thursday, March 31, 2011

Password storage, part 2 - my choice

Note: read Part 1 for general considerations.

After some tries I settled on the Keepass family. The original app works on Windows and comes in two lines: Keepass Classic (1.x) and Keepass Professional (2.x). Before you jump to the latter (it has a bigger version number and it's called Professional, so it must be better, right?), bear in mind that Keepass 2 is written in .NET. What's wrong with that?

- It severely limits the number of systems that can run it. While you can use it on most versions of Windows and (with Mono) on Linux, BSD and MacOS X, the .NET runtime needs to be installed. What if you need to run it on someone else's machine? No problem carrying a few MB portable Keepass binary with you, but the .NET Framework is large and invasive.
- It's way slower than Keepass Classic.


Supported systems

Keepass 1.x only runs on Windows, but there are ports and clones for almost any system and device: Linux, MacOS X, PDAs/smartphones (iPhone, Blackberry, Android, Windows Mobile) and even dumb phones (using Java Mobile, almost any phone can run it). All of them use the same file format. I mostly use KeepassX on Linux, supplemented by the Windows and phone versions.

The Windows version can be integrated with the Portable Apps Suite and Bart Preinstalled Environment, two great tools that many IT professionals carry around. No problem using my passwords on a friend's computer: I've got Keepass Portable and the database is backed up on my USB drive [*].

Organizing passwords

Keepass can organize your passwords in a tree structure (e.g. you can start by dividing into Personal and Work, then Personal into Shops, Forums, Websites...). Useful if you have dozens of them. Even better, you can search your database. When adding a new entry, you can either write a password yourself or generate a new one with a given length and set of characters. There's even an option to generate pronounceable passwords. I usually go with a long random string of mixed-case letters, numbers and several special characters.


The Keepass database is a single file, which means that in case of corruption you lose it all, so Keepass automatically writes backups. It's protected with strong encryption, so it's safe to send it over the network. Just remember to choose a good master password: containing numbers and special characters, and REALLY long - 20 characters or more.
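The generator described above (a given length, a given set of characters) and the "20 characters or more" advice for the master password are illustrated by this added example; it is not Keepass code. The special-character set is an assumption, and the entropy figure assumes the generator draws uniformly, which is why it uses `secrets` rather than `random`.

```python
import math
import secrets
import string

# Character classes the post mentions: mixed-case letters, digits and
# "several special characters". The SPECIALS string is an assumption.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIALS = "!@#$%^&*-_=+;:,.?"
CLASSES = (LOWER, UPPER, DIGITS, SPECIALS)


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly drawn password: length * log2(charset size).

    A 20-character password over these 79 symbols is about 126 bits; the same
    alphabet at 8 characters is only about 50 bits.
    """
    return length * math.log2(charset_size)


def has_all_classes(password: str, classes=CLASSES) -> bool:
    """True when at least one character from every class is present."""
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length: int = 20, classes=CLASSES) -> str:
    """Draw a random password that contains every character class.

    Rejection sampling keeps the result uniform over all passwords that
    satisfy the class requirement; secrets.choice uses the OS CSPRNG.
    """
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), sum(len(c) for c in CLASSES))
    print(f"{pw}  (~{bits:.0f} bits)")
```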

Noticed that Keepass gives you the option to see the password you're typing instead of asterisks, so you can correct it in case of a mistake? All apps written by security-savvy people do that. Asterisks give little protection against someone looking over your shoulder (they can see the keyboard anyway!), but they discourage the use of strong passwords.


Integrating with other applications

Keepass can import passwords from several applications, including Firefox, and export to XML (both human- and machine-readable) or TXT. There are plugins to integrate it with web browsers and other apps. I don't use them though; there's a simpler and more secure option: press Ctrl-Shift-A while visiting a page and Keepass will auto-type your username and password. It matches the application's title bar against the entry's Title and URL fields. To make sure the match is correct, install the Hostname in Titlebar extension in Firefox. For other apps, use Ctrl-C to copy the password to the clipboard (Ctrl-B for the username). Keepass will clear your clipboard after a specified time (20s by default).
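Why the hostname in the title bar matters is easiest to see in code. The following added example (not Keepass's own matching logic, which also consults the entry Title) selects an entry for the active window only when the URL's hostname appears as a whole token in the window title, and refuses to pick when no entry or more than one entry matches, so credentials are never auto-typed into the wrong window. The entries are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Entry:
    title: str
    url: str
    username: str
    password: str


def entry_hostname(entry: Entry) -> str:
    """Lower-cased host of the entry's URL ('https://Mail.Example.com/x' -> 'mail.example.com')."""
    return (urlparse(entry.url).hostname or "").lower()


def match_window(window_title: str, entries: List[Entry]) -> Optional[Entry]:
    """Return the single entry whose URL host appears in the window title.

    Returns None when nothing matches or when the match is ambiguous (two
    accounts on the same host), so the caller never auto-types blindly.
    Matching on the hostname rather than the page title alone matters: any
    page can set its <title> to "Webmail", but not the host the browser shows.
    """
    title = window_title.lower()
    hits = []
    for entry in entries:
        host = entry_hostname(entry)
        if not host:
            continue
        # Whole-host match: 'example.com' must match neither 'notexample.com'
        # nor 'example.com.evil.test' nor the subdomain 'mail.example.com'.
        pattern = r"(?<![\w.-])" + re.escape(host) + r"(?![\w.-])"
        if re.search(pattern, title):
            hits.append(entry)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    # Constructed sample entries and a constructed Firefox window title.
    vault = [Entry("Mail", "https://mail.example.com/login", "u1", "p1"),
             Entry("Shop", "https://shop.example.com/", "u2", "p2")]
    hit = match_window("Inbox - mail.example.com - Mozilla Firefox", vault)
    print(hit.username if hit else "no unique match, refusing to auto-type")
```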

-------------
Footnote:

[*] Some would consider it insecure: if you don't control the machine, it might steal the password you use - or ALL passwords once the Keepass database is unlocked. In my opinion it's secure enough provided that you:

1) trust your friends not to intentionally steal your password,
2) trust your friends to secure their machines.

While condition 1 is generally always met, condition 2 rules out many machines. When I need to work from an untrusted system, I use Keepass on my phone. It's damn inconvenient to type a Keepass password on the phone's keyboard (obviously I've chosen a strong one) and even worse to read a password from Keepass on the phone and type it on the computer, considering that most of them look like F25c6D-SGe#r5vK;DVb5, but I do it maybe twice a year.


Wednesday, March 30, 2011

Password storage, part 1 - considerations

A typical user needs passwords for dozens if not hundreds of different systems: computers, mail and IM accounts, forums, shops, newsletters etc. It is clearly impossible to remember more than a handful of good passwords, which leaves two choices:
- write down the passwords, or
- use the same password for different systems.

Both choices can be insecure, but experts agree: reusing passwords is the worst choice.


Some kind of password storage system is then essential. As usual, we have many options, but none of them really stands out. I'd like my password storage to have the following characteristics, ordered from the most important:
#1 Security
#2 Reliability
#3 Ease of use
#4 Universal access
#5 Portability


Security
Obviously, you don't want anybody to see your passwords. It's easy to say you want maximum security, but this requirement interferes with all the other characteristics.


Reliability
In the digital age, if you lose all your passwords, you might as well restart your life. OK, maybe it's not that dramatic, but you'd waste days regaining access to your data and some of it will be irreplaceably lost. You might even consider reliability more important than security; I won't argue. Questions to ask when assessing the system:

- Is the storage easy to back up?
In the case of software, that rules out everything that stores passwords in locations like the Windows registry. A hidden file somewhere deep in your home directory is marginally better. A known location is preferred.

- Is it likely that the storage can be corrupted? What then - do I lose all the information or only a part of it?
That again rules out the registry. Also, be careful with software that stores all your passwords in one encrypted file: a one-byte error can make it inaccessible. On the other hand, one file is trivially easy to back up, so there's no excuse not to have dozens of copies scattered everywhere.


Ease of use
If the system is too complicated, people won't use it. Simple. But many so-called security professionals get it wrong. You can see it in every other office. If you implement an authentication system that requires complicated, often-changed passwords and limits access to data, you'll probably find out that your users share accounts and post the password on the bulletin board.

How does it apply to a password storage system? Ideally, it should be completely transparent: you need to log in somewhere, magic happens, you're in. A browser password manager gets close to the ideal, especially when not protected with a master password. Convenient, insecure, unreliable and limited to one app.


On the other end of the spectrum is a password written down on a piece of paper, sealed in an envelope and stored in a safe, protected by walls, locks, alarm systems and armed guards. When you need it, go to the safe, authenticate to the guard, disarm the alarm system, use the key and code to open the deposit box, break the seal, take out the paper. Codes to nuclear warheads were stored that way. Guess what? After the cold war had ended, it turned out some of the codes were set to a string of zeros. Lesson learned: even in a maximum-security environment you can't make your system too hard to use, or it WILL be circumvented.


Universal access and portability
Ideally, it should be equally easy to use your system with every website and every application. Taking your passwords from one computer to another (e.g. on a USB drive or over the network) is very convenient, but might clash with #1. If you use different operating systems, you want your system to work with all of them. Maybe you need a command-line and a GUI version.



What are the choices?


1) Paper and pen
Don't laugh, the low-tech solution actually has some strong points. Paper is quite reliable (unless you have terrible handwriting). It can be backed up with a copy machine. It's portable. It works with every operating system, website and application.


On the other hand, paper storage scores terribly on #1 and #3. It's inconvenient. Typing a password you read from paper is slow and prone to errors. The stronger the password, the worse it gets. It's also hard to keep the system secure, especially with dozens of passwords: that means either a large sheet of paper or many small cards, both unwieldy and devastating when lost.


However, it's easy to store a few passwords relatively securely that way - security guru Bruce Schneier recommends keeping them in your wallet. You might consider some form of simple encryption or obfuscation. It won't stop a committed attacker - anything simple enough to do in your head is also too simple to be secure - but it might be enough to stop a kid who accidentally found your password card.


2) Text file
Only marginally more advanced than paper and pen, a text file with all your logins and passwords also has some merits. It can't break. It's easy to copy. It works with every system, with one obvious exception: the password to the computer you use to read the passwords has to be stored elsewhere (in organic memory, maybe). You can use it with Notepad on Windows and vi on Linux, and copy-paste or retype passwords into every application.


To be secure you should never keep it unencrypted. And you absolutely shouldn't send it unencrypted. This reduces portability. You can, however, choose encryption software that doesn't require installation and keep it on the USB drive together with your password file. You can find a program compatible with the OpenPGP standard; they work on every operating system. However, it reduces ease of use, which wasn't particularly great to begin with. Retrieving a password requires decrypting, finding an entry, copy-pasting and securely deleting the unencrypted file. Adding a new password is even worse: decrypt, enter your login, create a password (either with an external tool or just by creating a random string; whatever you do, never reuse an old password), encrypt, securely delete the clear-text copy. Even security-savvy users don't want to bother doing that many times a day. Still, it's a good backup system - write your passwords down once, encrypt with a strong password, store it everywhere you can.


3) Stored in an application
Mail client, instant messenger, web browser - all can store passwords for you. It's handy and everyone but the most paranoid uses that option to some extent. If you keep some considerations in mind, it's quite secure. Your computer should be protected anyway. If it's not, you're not safe whichever option you choose: even keeping your passwords on paper won't protect you from someone recording the keys pressed on your keyboard. Never use it as your only password storage. Otherwise, one day you'll want to access your account with another application or from a different machine and you'll find there's no way to recover your password.


4) Password storage software
Generally, it's a graphical user interface to option number 2. The password store encrypts your secret data; you use a master password to unlock it. It's easier to add new entries, and most apps have an integrated password generator. However, they usually work on one operating system only, be it Linux, Windows or MacOS. Some require installation; I recommend against them - choose one that works from a USB drive. Also note where it stores the passwords, so you can back up the file regularly. Some password stores integrate with applications that require passwords, others have an auto-type feature; worst case, use the clipboard.


It's quite clear that a password store is the most secure option while being almost as convenient as storing passwords in the application. Which software have I chosen? Read part 2.

Tuesday, March 29, 2011

Xen 4.1 released

After almost a year, a new major version of the Xen hypervisor was released. Xen 4.1 adds several performance enhancements and support for very large systems.

There's also a new API: Xen 4.1 still includes support for the old xend/xm tools, but they're deprecated. You should migrate to the xl command and the libxl toolstack. There are some significant differences, so the upgrade path is not easy. A terrible idea in my opinion: Xen was always harder to run than its competitors, and adding another obstacle definitely won't help. That is, unless you run a high-level tool, in which case you don't care about the gory details.


Now if only I could get my hands on a physical machine to run some tests...