
Better Password Management

Saturday night geek project: do something about my dodgy password management. Maybe listening to the Security Now podcast has got me paranoid enough to do something about my passwords. I currently deal with passwords in a way that’s so embarrassingly bad I’m not going to mention it. Not as bad as a “passwords.txt” on the desktop – but still pretty bad. (And by the time you read this it’ll be A LOT more secure 🙂)

I REALLY REALLY should be doing the following things for my passwords:

  1. Different passwords for all my logins.
  2. Using randomly generated passwords – filled with lots of funny characters, mixed case, and numbers.
  3. Regularly changing passwords. Take out a night every few months to log into all the sites I use and change my password?
  4. NOT storing them in a clear file somewhere. Maybe I shouldn’t be storing them in the IE & Firefox autocomplete databases. How strongly encrypted are they?

Thinking through the features I’d want for an app to automate this:

  1. Generates random passwords.
  2. Stores everything with strong encryption.
  3. Runs from a USB key so I can use it from work and home.
  4. preferably open source (or a free download).
  5. Nice to have: integration with the IE & Firefox password autocomplete. Or maybe just an easy way to export the existing passwords from my browsers.
  6. Some automated means of doing the monthly password update?

A search of Firefox extensions, and SourceForge came up with:
RoboForm, Password Safe, and KeePass. RoboForm has most of the features I’m after (USB key operation, IE/Firefox integration, and password generation) but is limited after the trial period runs out. Password Safe and KeePass look very similar – decided to go with KeePass as: it’s a single EXE, has a prettier UI, and it’s a more popular project on SourceForge.

KeePass stores all your passwords in an encrypted database – which requires a password to access. When adding an entry you can choose to generate a random password.

Unfortunately there is no browser integration, but there is an auto-type feature. This enters your credentials into the active form. By default it’ll simulate you typing your username, pressing tab, typing your password, and pressing enter. This is also configurable per entry. An entry can be set to expire by date – this is the closest to any automation of a monthly password update.

Now I’ve spent a night logging into a stack of websites, and changing my passwords to randomly generated ones. Which means I’m completely reliant on the KeePass database – there’s no way I’d be able to commit these passwords to memory. A copy of the KeePass database at home, and work is fine – how often do I go to an internet cafe anyways? For convenience I’ve allowed Firefox to remember passwords for the sites that allow it (banking sites are “autocomplete=false” for good reason!) – and I’ve set a master password on the Firefox password store. This reliance also means it’s very important I have backups of the KeePass database, plus a backup of a “plaintext” export in the event I forget the KeePass password.

Some words of warning about the process of updating all your passwords. After you’ve generated your password you’ll paste it into the change password page somewhere. The password input box will most likely display stars as you type. You want to be pretty confident you are pasting the right thing in there. If you accidentally paste something else you’ll just see stars and won’t know – effectively locking yourself out of the account! Another website I use had an 8 character limit on their passwords – I pasted in a 15 character string and only the first 8 characters were saved. Because I was seeing stars I had no way of knowing what’d happened – I only worked out what’d happened when I noticed the wrong password page had the same limit (yet the main login page didn’t!). Chris Pederick’s Web Developer Extension has a feature to turn password fields into plain text fields – this means you can be totally confident you’ve pasted the right thing.
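To make the two points above concrete (the “random password with funny characters, mixed case and numbers” wish-list item, and the silent 8-character truncation trap), here is an added Python example. It is not KeePass code and not part of the original post; the character classes, the 15-character default and the `check_against_site` model of a site that keeps only the first N characters are my own assumptions for illustration.

```python
import math
import secrets
import string

# Character classes the generated password must draw from.
# The symbol set is an assumption; pick whatever the target site allows.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
ALPHABET = "".join(CLASSES.values())  # 26 + 26 + 10 + 14 = 76 characters


def generate_password(length: int = 15) -> str:
    """Return a random password containing at least one character from every
    class, drawn from the OS CSPRNG via the `secrets` module (never `random`)."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    # One guaranteed pick per class, the rest from the full alphabet.
    chars = [secrets.choice(cs) for cs in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with the CSPRNG so the guaranteed picks are not
    # always in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size).
    The class guarantee above skews the distribution slightly, so treat this
    as an upper bound for generate_password()'s output."""
    return length * math.log2(alphabet_size)


def classes_present(password: str) -> set:
    """Which character classes actually appear in `password`."""
    return {name for name, cs in CLASSES.items() if any(c in cs for c in password)}


def check_against_site(password: str, max_length: int) -> dict:
    """Model a site that silently keeps only the first `max_length` characters:
    report whether what gets stored differs from what you pasted, and how much
    entropy survives. Run this BEFORE pasting into a starred-out field."""
    stored = password[:max_length]
    return {
        "truncated": stored != password,
        "stored_length": len(stored),
        "stored_bits": entropy_bits(len(stored)),
    }


if __name__ == "__main__":
    pw = generate_password(15)
    print(pw, classes_present(pw), round(entropy_bits(len(pw)), 1), "bits")
    # The post's 15-into-8 case: 8 characters of a 76-symbol alphabet is ~50 bits.
    print(check_against_site(pw, 8))
```

The practical lesson from the post is that the field limit and the login form disagree, so the check is only as good as the `max_length` you feed it; if a site documents no limit, generate to the length you want and confirm the stored length with a test login before you close the KeePass entry.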

Another warning on the autotype feature: if you have the Firefox Password Manager open when you select auto type – all your passwords get wiped out. Because the ‘auto-typed’ tab selects the ‘Remove All’ button, and then the ‘enter’ clicks it! Firefox wipes out all your passwords without prompting you!

I’ve been running for a week now with KeePass and I find it’s working well. As I mentioned I now can’t pop into an internet cafe and check my mail – something which I haven’t done in a long time. Plus I’m now WAY too paranoid to log into an online banking site from an internet cafe.

Some Things I Currently Think Are Cool

Okay, I’m a geek.. There won’t be any going back after this..

VMware update

What I’ve discovered playing with VMware server.

The wikipedia entry is actually more informative than the VMware website (or I was more patient tonight). From wikipedia:

  • the difference between VMware Player and Server: VMware Player, a free virtual-machine host, can run virtual machines made by other VMware products, but cannot itself create new virtual machines.
  • how to lock your VM network adapter to one MAC address: disable all networks/adapters other than bridged and edit each virtual machine’s .vmx file to change “ethernet0.address” to a unique MAC and “ethernet0.addresstype” to “static”. Make sure to also remove the “ethernet0.generatedaddress” entry entirely. Setting the MAC Address Manually for a Virtual Machine goes into more detail.
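The .vmx edit in the second bullet is easy to get subtly wrong by hand (a leftover generatedAddress line, or a MAC outside the range VMware accepts for static addresses), so here is an added Python example that applies the edit to a constructed .vmx file and validates the address. It is not VMware’s code and not part of the original post; the sample file content is made up, and the static-MAC range check (00:50:56:00:00:00 to 00:50:56:3F:FF:FF) reflects VMware’s documented range for manually assigned addresses.

```python
import re

# Constructed sample .vmx content (not from a real VM): the default
# "generated" MAC that VMware writes, which changes if the VM is moved.
SAMPLE_VMX = """\
config.version = "8"
displayName = "trustix"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:12:34:56"
"""

# Manually assigned MACs must use VMware's 00:50:56 OUI with the next byte
# no higher than 0x3F (documented VMware range for static addresses).
STATIC_MAC = re.compile(r"^00:50:56:([0-9a-f]{2}):[0-9a-f]{2}:[0-9a-f]{2}$", re.I)


def valid_static_mac(mac: str) -> bool:
    m = STATIC_MAC.match(mac)
    return bool(m) and int(m.group(1), 16) <= 0x3F


def parse_vmx(text: str) -> dict:
    """Parse key = "value" lines into a dict; keys are case-insensitive in
    .vmx files, so they are lower-cased here."""
    cfg = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg


def pin_mac(vmx_text: str, mac: str, adapter: str = "ethernet0") -> str:
    """Return the .vmx text with `adapter` pinned to `mac`: addressType set to
    static, address set, and the generatedAddress entry removed entirely."""
    if not valid_static_mac(mac):
        raise ValueError(f"{mac} is outside the static range 00:50:56:00-3F:xx:xx")
    rewrite = {f"{adapter}.address", f"{adapter}.addresstype",
               f"{adapter}.generatedaddress"}
    kept = []
    for line in vmx_text.splitlines():
        key = line.split("=", 1)[0].strip().lower()
        if key in rewrite:
            continue  # dropped; the first two are re-added below
        kept.append(line)
    kept.append(f'{adapter}.addressType = "static"')
    kept.append(f'{adapter}.address = "{mac}"')
    return "\n".join(kept) + "\n"


def verify_pinned(vmx_text: str, adapter: str = "ethernet0") -> bool:
    """Post-edit check: static type, valid address, no generated entry left."""
    cfg = parse_vmx(vmx_text)
    return (cfg.get(f"{adapter}.addresstype") == "static"
            and valid_static_mac(cfg.get(f"{adapter}.address", ""))
            and f"{adapter}.generatedaddress" not in cfg)


if __name__ == "__main__":
    # Power the VM off before editing the real file; VMware rewrites it on shutdown.
    out = pin_mac(SAMPLE_VMX, "00:50:56:01:02:03")
    print(out)
    print("pinned ok:", verify_pinned(out))
```

Run `verify_pinned` on the file after the edit rather than trusting the edit itself; the failure mode the post warns about (the generatedAddress line still present) is exactly what the check catches.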

At first I was a bit puzzled that I could power up my Trustix VM – and it’ll be visible on my network via ping and SSH. Yet when I logged out of the host OS the VM would disappear. According to the forum post “VM powers off by itself….” this is caused by connecting to the host OS via Remote Desktop. A better alternative is to power up my VM via the VMware Server Console.

VMware Server is a true client/server app. Your virtual machines execute on a server somewhere – and you can connect to administer/view the machines from another PC using the VMware Server Console. For me this required opening up port 902 on my host OS.

Connecting to the VM Server.

Trustix VM viewed from my main PC.

Now that my VM is running continuously – I can do all my Linux mucking around from an SSH client. So I don’t really have much need to connect via the VMware Server Console.

Trustix + VMware Server

Queen’s birthday long weekend – and I’ve found another quick geeky project to play with at home. This one was quick (I swear!). I’ve been contemplating recently how I’d go about setting up a small business network with the essentials – web/mail/file/proxy server plus the very necessary extras like back-up and spam/virus filtering for email.

The offerings from the open source world are pretty impressive (without getting into a debate over paid-for / free software). Which led me to the Trustix Linux distro – from their website:

Trustix Secure Linux is a distribution for servers with a heavy focus on security and stability. One of the main features of Trustix is its small size which combined with easy updating by the automated secure software updater swup, makes it a smooth and inviting system to administer.

Having been away from the Linux world for 10 years and having never been an expert – the idea of a ‘minimal’ distribution appeals to me. An ‘everything plus the kitchen sink’ distro just means more things that could go wrong, more potential security holes, and more applications to patch/update.

Got an install up-and-running on my ‘test’ machine. In the mood for experimenting I downloaded the free VMware Server, and a Trustix install ISO file. The virtual PC can be set up to boot straight from the ISO image, and install Trustix effortlessly. I know of a few people working with production servers hosted in VMware. I can see the advantages – I can now easily move my Trustix install between PCs running VMserver. Making it possible to run several servers on one physical machine – and move them off onto more physical machines as the additional resources become needed.

Documentation is a bit thin on the ground, but the TrustixWiki covers most of the scenarios I’m interested in. So now it’s time to roll up my sleeves (stop saying ‘I bet this is easier in Windows’) and think about the features I want on my new server!