I'd forgotten about the LastPass hack until I read Mitch's post this morning. I also had this appear in my Twitter stream the other day:

I didn't give it much thought. I use a password manager, but it ain't one of the famous ones. I don't like the idea of someone else storing my list of God-like credentials. OK, I do use file sync services like OneDrive and Google Drive, but I'll get to why I don't have an issue with that later....

I use the open source KeePass project.

[Screenshot: KeePass]

What is KeePass? (the project's own description)
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website's FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

Is it really free?

Yes, KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source and check whether the encryption algorithms are implemented correctly.

What I like about KeePass is that I get to decide where my database file of passwords is stored. That database is encrypted with 256-bit AES, and mine lives in a file sync service like Google Drive (as the KeePass database is already encrypted under my chosen key, I have no issue storing it in a file sync service; the provider only ever sees ciphertext). Additionally, KeePass lets you build the master key from more than one component, so I also have mine set up to require a key file in addition to my password, and that key file is shared with my PCs via a different file sync service (say OneDrive). A key file isn't a second factor in the one-time-code sense (it's a static secret), but splitting the two across providers means a breach of either account yields only half of what's needed, and whoever gets both still has to get past the master password and the key transformation rounds configured for the database. Yes, I could keep it on some other medium like a USB thumb drive, but that's a tad unwieldy for me. Anyway, whenever I need to start KeePass or unlock it, I need both:
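To make concrete what "password plus key file" means under the hood, here is an added example (my own illustration, not code from KeePass) that follows the documented KDBX composite-key rule: each component is reduced to 32 bytes, the components are concatenated in a fixed order, and SHA-256 of that is the composite key. The password, the key file bytes and the XML layout in the demo are constructed for illustration; the key-stretching rounds and master-seed mixing that KeePass applies after this step are omitted because the standard library has no AES.

```python
"""Composite master key construction in the style of a KeePass 2.x (KDBX) database.

Added example, not KeePass's own code. It follows the documented KDBX rule:
each key component is reduced to 32 bytes, the components are concatenated in
a fixed order (password, then key file), and SHA-256 of that is the composite
key. The key-stretching step (AES-KDF rounds, or Argon2 in newer formats) and
the master-seed mixing that follow in a real unlock are omitted: the standard
library has no AES, and the point here is how the two components combine.
"""
import base64
import hashlib
import string
import xml.etree.ElementTree as ET
from typing import Optional


def password_key(password: str) -> bytes:
    """Password component: SHA-256 of the UTF-8 encoded master password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def key_file_key(contents: bytes) -> bytes:
    """Key file component, using the rules KeePass 2.x applies to a key file:
    an XML key file carries base64 data in <KeyFile><Key><Data>;
    exactly 32 bytes are used as-is; exactly 64 hex characters are decoded;
    anything else is hashed with SHA-256 so any file can serve as a key file.
    """
    if contents.lstrip().startswith(b"<"):
        try:
            root = ET.fromstring(contents.strip())
            data = root.findtext("Key/Data")
            if root.tag == "KeyFile" and data:
                return base64.b64decode(data.strip())
        except ET.ParseError:
            pass  # not an XML key file; fall through to the generic rules
    if len(contents) == 32:
        return contents
    if len(contents) == 64:
        text = contents.decode("ascii", errors="replace")
        if all(c in string.hexdigits for c in text):
            return bytes.fromhex(text)
    return hashlib.sha256(contents).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenation of whichever components are present.

    Leaving out a component the database was created with simply yields a
    different key: the database file alone is useless without the key file.
    """
    if password is None and key_file is None:
        raise ValueError("at least one key component is required")
    material = b""
    if password is not None:
        material += password_key(password)
    if key_file is not None:
        material += key_file_key(key_file)
    return hashlib.sha256(material).digest()


if __name__ == "__main__":
    # Constructed demo inputs: a throwaway password and a 32-byte key file.
    demo_password = "correct horse battery staple"
    demo_key_file = bytes(range(32))
    both = composite_key(demo_password, demo_key_file)
    password_only = composite_key(demo_password, None)
    print("password + key file:", both.hex())
    print("password only      :", password_only.hex())
    print("same key?", both == password_only)  # False: both parts are needed
```

Run it as a script to see that the same password with and without the key file gives two unrelated keys; that is the whole value of the split, and also the reason the key file must be backed up as carefully as the database.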

[Screenshot: KeePass unlock dialog asking for both the master password and the key file]

Other things I like are the integrations (via plugins, and there are a lot of plugins) with Firefox and Chrome; personally, for Firefox I use PassIFox (which also requires the KeePassHttp plugin):

[Screenshot: PassIFox / KeePassHttp browser integration]

It also has a great password generator built right in:

[Screenshot: KeePass password generator options]

It will create a password like this example:

[Screenshot: an example generated password]

How guessable is that? Yeah, I know, right.... I also use the maximum number of characters a web site allows for passwords, so if a site is limited to 24 characters, that's what I use. That alone is great for your security. For example, A-Z and a-z is 52 characters in total, so a 24 character password drawn from them has 52^24 possibilities. That's a big, big number: roughly 1.5 × 10^41, or about 137 bits of entropy, assuming every character is picked uniformly at random (which is exactly why you let the tool generate it rather than making one up yourself). Then add in numbers, special symbols and spaces (if the website allows it) and you have a pretty awesome password generated for you.
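For those who want the arithmetic above in a form they can reuse, here is an added example (not KeePass's generator) that draws a password from the OS CSPRNG, sizes it to a site's maximum length and reports the entropy for the character classes the site allows. The 24-character cap and the letters-only alphabet in the demo are assumptions taken from the post's own example.

```python
"""Random password generation sized to a site's limits, with an entropy estimate.

Added example, not KeePass's own generator. Assumes the site's maximum length
and the character classes it accepts are known (24 and letters-only in the
demo below, mirroring the example in the post).
"""
import math
import secrets
import string
from typing import Iterable, Tuple

# Character classes a site may or may not allow. "space" is its own class
# because many sites reject it even when they accept symbols.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": string.punctuation,
    "space": " ",
}


def alphabet(classes: Iterable[str]) -> str:
    """Concatenate the allowed classes into one alphabet with no duplicates."""
    chars = "".join(CLASSES[c] for c in classes)
    if not chars:
        raise ValueError("at least one character class is required")
    return "".join(dict.fromkeys(chars))  # keeps order, drops repeats


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    24 characters over A-Z a-z (52 symbols) gives 24 * log2(52), about 136.8 bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a given guessing rate."""
    seconds_per_year = 365.25 * 24 * 3600
    return 2.0 ** bits / guesses_per_second / seconds_per_year


def generate(length: int,
             classes: Iterable[str] = ("upper", "lower", "digits", "symbols")) -> str:
    """Draw each character uniformly with secrets.choice (OS CSPRNG).
    random.choice is seeded from predictable state and must not be used here."""
    if length < 1:
        raise ValueError("length must be positive")
    chars = alphabet(classes)
    return "".join(secrets.choice(chars) for _ in range(length))


def generate_for_site(max_length: int, classes: Iterable[str]) -> Tuple[str, float]:
    """Use everything the site allows: the full max length and the full alphabet."""
    classes = tuple(classes)
    password = generate(max_length, classes)
    return password, entropy_bits(len(alphabet(classes)), max_length)


if __name__ == "__main__":
    # Constructed scenario from the post: a site that caps passwords at 24
    # characters and accepts only upper and lower case letters.
    pw, bits = generate_for_site(24, ("upper", "lower"))
    print(pw, f"{bits:.1f} bits")
    print(f"{years_to_exhaust(bits, 1e12):.2e} years at 10^12 guesses/s")
```

The entropy figure only holds for the generated output; the moment you edit the password by hand (or reuse part of an old one) the real keyspace is whatever a guesser can model, not 52^24.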

So what is the downside? Yeah, there's always a downside, and that is mobile. Now there are iOS and Android implementations of KeePass, and I use the iOS one on occasion, but it's read only (you can't create password entries on the device), and it's not a simple matter to type my (admittedly complex) password on a small phone keyboard. Still, it works, but it's not too suave and sexy. Again, I use the file sync iOS app to sync the KeePass database to the device.

So there you have it. If you're looking for a pretty good (actually I'd say great) password manager and creation tool, and you want complete control of your password database, give KeePass a try. I love it (and it's probable that this was one of my TWiL tips back in the day; that's how long I've been using this).

Darren Duke   |   June 17 2015 07:06:20 AM   |   misc, security


Comments (2)

1 - Lars Berntrop-Bos       06/17/2015 9:23:55 AM

On Android there is a great KeePass client, Keepass2Android, which also supports adding to the db. Great stuff!

2 - ursus       06/18/2015 1:55:35 AM

I know it's not open source and you are not asking for alternatives, but I have been using 1Password for a couple of years now. It has Windows, OS X, iOS and Android versions (I assume, have never tested it); love the software and it does everything you talked about AND is read/write on iOS. Is quite expensive though.