11 March 2008

KeePass

By Andrew Clifford

If you do not use a password manager like KeePass, you should.

How many passwords do you have? 5, 10, 50? You probably have more than you think. To my surprise, I found I had 106.

How do you remember all your passwords? If you are typical, you have them written down. Probably not all in one place: some on a list, some on scraps of paper, maybe some in a spreadsheet. You have probably forgotten or lost many of them.

You need a password manager like KeePass.

A password manager is a database of user names and passwords, secured by one master password. They have been around for years, but are not as widely used as they could be. I started using KeePass about six months ago, and now I wouldn't be without it.

The obvious objection to password managers is that they might not be secure. KeePass has impressive security features: it uses strong encryption, prevents brute-force "dictionary" attacks, encrypts program memory, protects passwords from key loggers, can be integrated with Windows security, and can use a key file as well as the password.

KeePass has many other advantages.

There are other password managers, including the limited ones built into browsers and into Windows itself. KeePass is simple, free, effective and cross-platform.

There are risks with any password manager. If anyone gains access to the password manager, all your passwords are compromised. If you forget your master password, or the database is deleted, all your passwords are lost. You have to remember one strong password to keep the database secure, and include the password database in regular backups. But the risks are much greater without a password manager: writing passwords down, forgetting passwords, or using the same password for everything.

KeePass has a place in the corporate environment. It does not replace security infrastructure such as directories (LDAP or Windows Active Directory), or advanced features for high security systems. But in all except the most locked-down installations, many passwords fall outside the official, managed security infrastructure. For these, KeePass is a simple, effective solution that greatly reduces the risks associated with bad password practices.

If you do not use a password manager, look at KeePass.