Skip to content


aToaD #12: KeePass and KeePassX

If you follow the IT news closely enough, not a week goes by without a story of compromised credentials. For instance, a recent, really big one was reported there on Hold Security, with more than a billion credentials stolen from various vulnerable websites. Security being a race between those who make it and those who break it, I think we’ll always see such kind of news. Maybe fewer as website operators grow more careful, but still some.
Meanwhile, the impact of such hacks can be minimized by following trivial recommendations you probably read about many times already: use strong and unique passwords. Strong so that they can’t be bruteforced even if the site didn’t hash them very strongly (like, md5 with no salt), and unique so that even if the hacker eventually managed to get the clear-text version (non hashed storage – bad but still occurs more often than you think -, or if the server was compromised enough to capture passwords as people logged in), then it will only let them steal one account of yours, not all of them.

Those recommendations are trivial, yet many people know them but still don’t follow them. And if you’re one of those people, I suppose you know why: it’s just impossible to remember so many passwords. As I’m writing those line, my password database contains over 500 credentials… There’s just no way to remember that. The solution resides then in… a password manager. The concept is simple: put all your unique passwords into a database, and encrypt it with a single, very strong password which you must not forget. Down from 500+ to only one big password to remember, sounds like a good deal.

Many services provide that. You probably heard of LastPass, maybe also RoboForm. Those are close source (you usually want to avoid that in cryptography), commercial solutions. I’m not sure about RoboForm, but LastPass is cloud-based and when they have an outage you lose access to your passwords (happened about a week ago).
My personal favorite is KeePass, which is free and open source, and stores things locally, not in the cloud (you can should then back up the KeePass database using your favorite backup service(s) – possibly SpiderOak?). Unfortunately, it only works natively on Windows (although it should work on Linux and Mac OS via Mono). If you want a native solution under Linux, a possibility is then KeePassX, which is sadly still in alpha stages (although it worked pretty fine last time I tried it, it mostly lacks polishing and richer features).

For an extra layer of security, you can also configure your firewall to prevent KeePass from accessing the network. And each KeePass release is signed with the OpenGPG key of one of the developers, you can check that signature too (see this old post if you have no clue about OpenPGP).

Update (2014-08-21)

Well, as I was saying as an introduction, if you follow the IT news, you see those database hacks on a regular basis. Here’s one which hit the news just today: Data breach at UPS Stores in 24 states (CNN).

Posted in A Tool A Day, security.


0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.



Some HTML is OK

or, reply to this post via trackback.

Sorry about the CAPTCHA that requires JS. If you really don't want to enable JS and still want to comment, you can send me your comment via e-mail and I'll post it for you.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA