Wednesday, January 25, 2012

Password Management Software: KeePassX

For the progressing student of cyber-jutsu, it will be evident that the number of usernames and passwords one needs to manage can become extreme.  From a white-belt level we learn that human nature must be observed if we are to win in cyberspace.  Human nature, in this case, is the simple fact that most people will take the path of least resistance.  If something is difficult to do - then they will not do it.  If it is easier to do the wrong thing, then most people will do that thing - even to their own detriment.  So our goal in this is simple:  make it easy to do the right thing.

Social networking sites, Blogging sites e-Bay, PayPal, pandora (music site), other web sites and just about any system you need to log into, all require usernames and passwords to access.  The common, but unsophisticated and unacceptable solution many people who have not been initiated into the ways of cyber-jutsu adopt is, to re-use the same password for every site they log into.

The practicing cyber-jutsu student will quickly see the problem with this.  If the password for any one of these sites is compromised or somehow revealed to a malicious person - then all of the accounts with the same password are thus compromised.  The result can be described as a cyber-tsunami.

While the reality is that there is "no silver bullet"; and, we must be perpetual students and develop on-going processes to maintain our cyber-security, we can talk here about one part of the overall process.  Let us look at the pros and cons to employing a software tool category known as password managers.  In particular, I'll talk about a free tool called KeePassX.

KeePassX is a cross-platform password management program.  It is available for Windows, Mac OS X, and our favorite operating system, Linux.  OK.  So, what does it actually do?

The program creates an encrypted database (256 bit key based on either the AES or Twofish algorithms) to store your usernames, passwords, links, and additional related information.  What that means practically, is that even if someone were to get ahold of your database file, they would have a hard time cracking it to get your information.  Additionally, KeePassX gives you what we call a "two-factor" authentication option to access your stored information.

Two-factor authentication, in this case, can be thought of as factor 1. something you know, and optionally factor 2. something you have.  And, in this case, the "something you have" is any file you would like to use.  You identify a computer file that needs to be present to log into the password database.  If this sounds too technical for you - trust me - it takes more brain power to understand the philosophies behind its operation than it does to use the very intuitive user interface.

To use the "second factor", one need only click the "Key File" check-box, and then the "Browse..." button to select the file you want to use.  I recommend using a file on removable media, such as a usb drive.  In this way, whenever you want to log into this program, you have to supply the file that is on the removable media.  This makes your password management database very secure.

Once you are logged in, you can create groups to help classify the different sites or systems you need to log into.  Then you create the accounts within those groups.  When you want to log into a site, you select it in the main window, then click on the "user" button along the top (which looks like an icon of a person).  This copies the username into your clipboard, so you can paste it into the login box on the website (ctrl-v on Windows and cmd-v on Mac OS X).  Then you do the same thing to enter your password.  Click on the password button at the top of the screen (which looks like an icon of a key) and then paste it into the password field on the website.

On Linux systems, you can automate the whole process such that you can select the site you want to log into, double-click it, and your default web-browser will automatically launch and the username and password will automatically populate the fields and log you in.  This takes a bit of configuration, and may be considered a brown-belt level task.

Alas, we are trying to make this an easy process - and so far - it just seems to be more work.  So where do we get our win?

The major win is found in this applications ability to generate random and complex passwords for you.  These passwords that are generated will never need to be remembered, and never need to be typed out.  The only password you will ever need to remember is the password you need to get into KeePassX, when you first launch it (as described above).

You can adjust your settings within the Password Generator window to meet your desired complexity and the capabilities of the site you are using.  You may be surprised to find some of the sites you use will not allow special characters in the password.  Similarly, many sites have unsatisfactory length restrictions.  As a general rule, more complex and longer passwords are the way to go.

The program collects "entropy" based upon your random key-strokes and mouse movements, to ensure that the password that is generated is truly random.

The "New Password" field (see image below) will populate with a complex password after enough entropy has been gathered.  This is a fast process.

And there is your benefit.  That long and ugly password is not crackable in any reasonable amount of time, given current technology.  If you are securing your bank accounts - then a good policy will be to change that password on a regular basis.  As long as you change the password more frequently than the amount of time it would take to crack the password, your account will not be cracked.  The exact frequency will be an increasing quality as technology continues to increase computing power.  At this time, changing your password in this manner once per month should be more than sufficient.

Changing a password that you don't need to remember in your brain should be less of a chore than coming up with new passwords you have to recall from memory every month.

You should also recognize that so many people use a word or a name for their password (often simply appending or prepending a number) that the majority of attackers use "dictionaries" to attack accounts.  You might note that the password listed above, will NEVER be found in a dictionary.  This is important.  It means that an attacker has to "brute force" your password one character at a time.  This is a very time-intensive process, which requires many many computing cycles.

You may note that in the image above, I have NOT selected the option to ensure that the generator includes characters from every group.  Forcing the program to include characters from every group actually reduces the overall randomness of your password.  If an attacker doesn't know exactly what your password is composed of - nor exactly how many characters your password it - this makes the job of cracking the password even harder.

You should use this program, or one like it, for as long as you have to use passwords.  Ultimately, passwords may be replaced by other means such as biometric devices (e.g. fingerprint readers, iris readers, etc.)

Using a program like this means you have to keep your KeePassX database safe and secure.  You can actually keep the entire database on a usb key.  If someone gets your database, and guesses your password, and figures out what file you are using as the second authentication factor - then you still lose.  So, care must be taken.  But - like your house keys, or your car keys - having a small device to keep safe seems to be something we are capable of doing.  Long, complex passwords, on the other hand - are simply better off being managed by a computer program.

How do you come up with a good password for the database itself?  I always suggest that folks use the first letter of each word in a long phrase they can recall easily.  The typical example is the phrase, "four score and seven years ago..."  which would or could yield the password:  4#&7ya

In my humble opinion, that password is too short - but it is good as an example to teach how to come up with a complex password.  Another good thing to do is to come up with a positive affirmation as the phrase for your password.  In this way, you achieve true cyber-jutsu.

"Dissatisfaction with life arises from desiring to have what cannot be had, and desiring to avoid what cannot be avoided." - The Buddha


If you are a brainiac  - perhaps you could take a phrase like that and use the second letter in each word - or the last letter of each word.  I think you get the idea now.  Your goal should be to come up with a password for your KeePassX login that is more than 8 characters in length, and uses upper and lower case letters, numbers, and at least one special character.

No comments:

Post a Comment