Wednesday, October 09, 2013

Using KeePass with Dropbox for Cross-Platform Password Management

As I have been creating new accounts for myself on multiple websites in recent months, I have been taking lessons from the widely-reported story from August 2012 of how Gizmodo contributor Mat Honan's multiple accounts with shared passwords had been hacked. I have used different, lengthy passwords with multiple randomly-generated characters for each site. However, such lengthy passwords are impossible for me to remember, and I would not want to use the even less secure method of writing all of them down.

I had heard multiple computer security experts recommend using such different, randomly-generated passwords and storing them in a password store which would require remembering only one master password. Ideally, for greater security, a key file would be used for the encrypted password store. In seeking out such a password store that was free, open source, and available across multiple platforms, I came across KeePass. The site's download page has the Windows download, as well as links to other sites with ports to other operating systems. One idea I came across in my research on KeePass was to keep the password database and key file in a Dropbox account, allowing it to be used across multiple computers, as documented in several blog posts, including my primary source.

The following are tips that I have to use these resources across multiple environments, having looked at a few different options for Windows, OS X, and Linux.

You will notice that there are two versions of Keepass available for WIndows on the download page: "Classic Edition KeePass 1.26", and "Professional Edition KeePass 2.23". [All version numbers are as of the date of this blog post.] Due to difficulties I had with the KeePass 2.x ports for OS/X and limitations of various smart phone apps that can work with KeePass databases, I would recommend using the "Classic Edition" for Windows.

For OS/X and Linux, I would recommend downloading "KeePassX". I would recommend the "Binary package (PowerPC and Intel) v0.4.3". Note that this download page also hosts installers of KeePassX for Windows. For Ubuntu and other Debian-based Linux distributions, the "keepassx" package may be installed, Using GUI tools such as the Ubuntu Software Center or Synaptic Package Manager, or via the command line using the command

sudo apt-get install keepassx

Downloads of the keepassx package for multiple RPM-based Linux distributions may also be found using rpmfind.net.

For iPhone users, "MiniKeePass", an app that can read, but not write to, a KeePass password store, is available in the iTunes App Store. Android users may find the "KeePassDroid" app on Google play. The Droid app has had read and write access to KeePass 1.x databases and read access to KeePass 2.x databases for some time, and write access to KeePass 2.x databases is currently in beta. The KeePass download page offers links to "Contributed / Unofficial KeePass Ports" and other resources for other operating systems and devices.

The following is a walk-through of setting up a KeePass 1.x password store using KeePassX on a Mac, and sharing this password store via Dropbox with an iPhone. Similar steps may be used with KeePassX or KeePass on other desktop or smart phone operating systems.

After installing KeePassX from the download binary, start setting up the new password database by clicking on the "New Database" icon, which is the leftmost one on the toolbar at the top.

KeePassX-new-windowA "New Database" dialogue box appears. For the best security, you will want to enter both a Password and generate a Key File. Enter a password that is easy to remember, yet contains letters in mixed case, numbers, and non-alphanumeric characters. Then, check the "Key File" box, then click the "Generate Key File..." button. Select the Dropbox folder in which you wish to store the file and give the key file a name in the file dialogue that appears, and select "Save". The name of the key file will now appear in the "Key File" field, as shown. Click "OK" to continue.

set-master-keyYou then will be asked to re-enter your Master Key password for the database. Re-enter the Password you entered in the previous dialogue, and press "OK".

The new database initially has two groups for stored passwords: "Internet" and "eMail". You will likely wish to create additional groups to locate accounts more quickly by group. To do so, choose "Groups" > "Add New Group..." from the menu.add-new-group

In the "Group Properties" window that appears, give an appropriate title for the group. The default icon for new groups is an image of a key. There are several other options available from the drop-down selector for this icon. You may wish to choose one that provides a good visual cue for the type of group it is. When done entering group properties, click "OK".

After creating the first set of groups desired, it is time to start entering passwords. For example, suppose we want to create a new, randomized password for a Gmail account. First, create a new entry, save the database, and snsure that you can access it before you actually change the password. This is a precaution to ensure that you do not change the password to something you cannot remember, and then find that you cannot access the entry you created that stores that password.

add-new-entryFirst, right-click (ctrl-click on a Mac, if you have not enabled right-clicking with a Magic Mouse) on the existing "eMail" group in the pane on the left side of the KeePassX window, and select the "Add New Entry..." choice. In the "New Entry" window that appears, enter a meaningful Title to indicate the account for which the password is being generated, the Username for the account, and the URL for the login page. To generate a new password, click on the "Gen." (for "Generate") button to the right of the "Repeat" field.new-entry

In the "Password Generator" dialogue that appears, select the "Random" tab. Select as many of the "character groups" that the account supports, and set the length to the lesser of the maximum allowed by the account, or at least as long as needed to max out the "Quality" bar to the right of the "Length" field. It is also good to "Enable entropy collection", which further randomizes the password generator by popping up a dialogue that asks you to hit keys and/or move your mouse over the window when generating the password. Hit the "Generate" button to generate the password.Password Generator
Once the password is generated, the "New Password" field will be filled in with asterisks indicating the length of the password.

If you are curious, you can click on the button with the image of an eye on it to the right of any password fields to view the passwords. You will see that such randomly-generated passwords would be very difficult to remember, and would also be impervious to dictionary attacks.

Click on the "OK" button on the "Password Generator" dialogue to save the new entry. The new entry will be shown under the group to which it was added in the main KeePassX window.

example-keystore.kdb in Dropbox folderBefore proceeding actually to change the password to the generated password, first save the password database to the desired folder on Dropbox. Now, to test that the password store is accessible for this example, load it into MiniKeePasss on the iPhone. To do this, first open the Dropbox iPhone app, look for the .kdb password database file, and tap on it.

On the screen that appears stating that Dropbox is "Unable to view the file", tap on the "Use" button in the lower right-hand corner of the screen. This button looks like an arrow pointing down into an open box.
Unable to view file 
Of the list of options that appear, tap on the "Open in MiniKeePass" icon.
Open in MiniKeePass

Tap on the desired database in the "Databases" portion of the "Files" page in MiniKeePass.

Files: Databases and Key Files

On the "Password" page, tap on "Key File" and select the appropriate key file, then enter the master password for the database store, then tap "Done". If the key file does not show up as an available option, go back to the Dropbox app and add the .key file to the list of those available to MiniKeePass in the same manner as you did to add the .kdb file: tap on the file, then the "Use" button, then the "Open in MiniKeePass" button.
Password and Key File

eMailGroupsAfter successfully entering your password and key file, you should see all the groups that you created in the database.

In this example, tapping on the "eMail" group will show the email entry that you previously added.

Having now shown that you can access the KeePass database both on the Mac and the iPhone, go back to the KeePassX window on the Mac and click on the URL to login to the email web site. In case you forgot your username (e.g. if you are not sure if it is simply [user] or [user]@[domain]), right-click [or ctrl-click] on the account entry and select "Copy Username to Clipboard". You can then go to your web browser and paste the entry in the username field. Note that some financial institutions and other sites may not allow right-clicking on a field and pasting for the username and password fields, but I have found that there is usually no problem simply clicking on the field and using the standard paste key combination (Command-V on OS X, Ctrl-V on Windows and Linux). If those don't work, there are other options for disabling scripts that disable this paste functionality.

Sign in to the account with your old, current password, and go to the change password page. When it is time to enter your new password, right- (or ctrl-) click on the account entry in KeePassX, select Copy Password to Clipboard, and paste the password in the password confirmation fields in the browser.

Check that the password entered is valid. If it is not, for example, if the password is too long or contains characters that are not allowed, go back to the KeePassX window, right- (ctrl-) click on the entry, and select the "View/Edit Entry..." option. Click on the "Gen." button, modify the settings for the random password generation, and repeat the password generation process. Test the new password, repeating the process until the password is accepted.

Once the password is accepted, be sure to save the database to save the changes.

Gmail Account
CopiedWith the password changed, if the account is one you access on your iPhone, you will need to reload the database within MiniKeePass and copy the password from the database to the password field in your account settings. Repeat the process of loading the database by opening the key store database in the Dropbox app and opening it within MiniKeePass. Upon navigating to the eMail group and the entry within it for the account, click on the "Password" field. The screen will change to indicate that the password was copied to the clipboard.

Navigate to the location for entering the password for the account, and paste it into the password field.

As a safety precaution, be sure to back up your KeePass password store, both the database and key files, to another location to ensure that the information may be retrieved should access to the primary location - Dropbox, in this example - be lost for any reason.

1 comment:

santhoshi m said...

Different password management software helps to manage and store lengthy as well as different types of character passwords that is used to login diverse websites.