Password Management with KeePassX

Working with as many systems as I do, I have to keep track of a pretty huge number of user accounts and passwords across many diverse environments. For a long time I used a GPG encrypted text file to store this information, but recently I went looking for a more structured solution. I found KeePassX, and promptly fell in love.

KeePassX is a password management application for Linux and OS X (a Windows build is also available from the KeePassX site). It uses the same database format as KeePass Password Safe for Windows, so a single database can be carried between platforms. Its database is encrypted with either AES or Twofish using a 256-bit key, which is more than adequate for the majority of users; in practice the weak point is never the cipher but the passphrase from which that key is derived.

The interface is extremely simple. Select ‘File -> New Database’ and enter a password or passphrase. KeePassX can also mix a key file into the master key, so you can keep the file on a USB stick and require both the passphrase and the key file to open the database. The key file only helps if it is stored apart from the database: a copy that is synced or backed up alongside its key file is protected by the passphrase alone.
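To make concrete what “a 256-bit key” and “password plus key file” mean in the KeePass 1.x (.kdb) format that KeePassX shares with KeePass, here is an added example, written for this page and not KeePassX project code, that parses the plaintext .kdb header and derives the content key from a passphrase and/or key file. The header layout, the key-file rules and the derivation steps follow the 1.x format as implemented in KeePassX 0.x to the best of my knowledge; the names KdbHeader, ParseHeader, KeyFileKey, DeriveKey and SampleHeader are chosen here, and the sample header and key-file bytes are constructed rather than taken from a real database.

```go
// Added example (not KeePassX project code): parse a KeePass 1.x (.kdb) header and
// derive its content key from passphrase and/or key file as the 1.x format does.
// Assumed: header layout and steps as in KeePassX 0.x; all sample data is constructed.
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

const sig1, sig2v1 = 0x9AA2D903, 0xB54BFB65 // 1.x signatures (2.x ends in FB67)
const flagAES, flagTwofish = 2, 8           // cipher bits in the header flags word
const headerLen = 124

type KdbHeader struct {
	Cipher        string
	MasterSeed    []byte // 16 bytes, mixed into the final key
	TransformSeed []byte // 32 bytes, AES key for the stretching rounds
	Rounds        uint32 // AES passes over the master key
}

// ParseHeader checks length, signatures and cipher flag, then extracts the
// key-derivation parameters from the fixed 124-byte plaintext header.
func ParseHeader(b []byte) (*KdbHeader, error) {
	le := binary.LittleEndian
	if len(b) < headerLen || le.Uint32(b[0:4]) != sig1 || le.Uint32(b[4:8]) != sig2v1 {
		return nil, errors.New("not a KeePass 1.x database (bad length or signature)")
	}
	names := map[uint32]string{flagAES: "AES-256-CBC", flagTwofish: "Twofish-256-CBC"}
	h := &KdbHeader{Cipher: names[le.Uint32(b[8:12])&(flagAES|flagTwofish)],
		MasterSeed: b[16:32], TransformSeed: b[88:120], Rounds: le.Uint32(b[120:124])}
	if h.Cipher == "" {
		return nil, errors.New("unknown cipher flag")
	}
	return h, nil
}

// KeyFileKey: 32 raw bytes are used as-is, 64 hex digits are decoded, anything
// else is SHA-256 hashed; the result is the key file's 32-byte contribution.
func KeyFileKey(contents []byte) []byte {
	if len(contents) == 32 {
		return contents
	}
	if k, err := hex.DecodeString(string(contents)); err == nil && len(k) == 32 {
		return k
	}
	sum := sha256.Sum256(contents)
	return sum[:]
}

// DeriveKey forms the composite key (SHA-256(password), the key-file key, or
// SHA-256 of both concatenated), stretches it with Rounds passes of AES-256-ECB
// keyed by the transform seed, hashes it, and binds it to the master seed.
func DeriveKey(password string, keyFile []byte, h *KdbHeader) ([]byte, error) {
	var k []byte
	if password != "" {
		s := sha256.Sum256([]byte(password))
		k = s[:]
	}
	if keyFile != nil {
		k = append(k, KeyFileKey(keyFile)...) // copies, so the key file is not mutated
	}
	if len(k) == 64 { // both factors present: hash the concatenation
		s := sha256.Sum256(k)
		k = s[:]
	}
	if len(k) != 32 {
		return nil, errors.New("need a password, a key file, or both")
	}
	blk, err := aes.NewCipher(h.TransformSeed) // 32-byte seed selects AES-256
	if err != nil {
		return nil, err
	}
	for i := uint32(0); i < h.Rounds; i++ {
		blk.Encrypt(k[:16], k[:16]) // ECB: each half encrypted independently, in place
		blk.Encrypt(k[16:], k[16:])
	}
	s := sha256.Sum256(k)
	f := sha256.Sum256(append(append([]byte{}, h.MasterSeed...), s[:]...))
	return f[:], nil
}

// SampleHeader is a constructed header (not from a real database): AES flag,
// deterministic filler for seeds and IV, and the given round count.
func SampleHeader(rounds uint32) []byte {
	b := make([]byte, headerLen)
	binary.LittleEndian.PutUint32(b[0:4], sig1)
	binary.LittleEndian.PutUint32(b[4:8], sig2v1)
	binary.LittleEndian.PutUint32(b[8:12], flagAES|1) // bit 1 (SHA-2) is always set
	for i := 16; i < 120; i++ {
		b[i] = byte(i * 7)
	}
	binary.LittleEndian.PutUint32(b[120:124], rounds)
	return b
}
```

Two things are worth noticing. The key file contributes only to the composite key, so a database copy that travels together with its key file is as strong as the passphrase alone. And the round count stored in the header is the only per-guess cost an attacker with a copy of the file pays, so a database that will live in Dropbox or a repository deserves both a long passphrase and a round count high enough that opening it takes a noticeable fraction of a second.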


[Image: KeePassX create database dialogue]

Once your database is created, choose a name and location for it with ‘File -> Save Database As’. KeePassX sorts your passwords into groups that you define, for easier organisation. To create a group, right-click in the group panel and select ‘Add New Group’, or pick ‘Add New Group’ from the ‘Edit’ menu. Name your group, select it in the group pane, and click either the small + symbol on the toolbar or ‘Edit -> Add New Entry’.

I find the ability to attach a file to an entry extremely useful for keeping keys, seed files, or other tokens tied to that account alongside it. The password generator built into the Entry dialogue is also extremely valuable: it saves me from transcription errors when I store or change a password.


[Image: KeePassX create new entry dialogue]

While KeePassX has no built-in synchronisation, a service like Dropbox would easily keep your password databases in sync between your Windows, Linux, and OS X machines. I use Subversion to make sure that my passwords are up to date on every machine I use them on. I also maintain separate databases with separate passphrases for home and work use, so I only check out the database I need on a particular host. Bear in mind that whoever can read the synced or versioned copies (the hosting provider, or anyone who gets hold of a repository that keeps every past revision) can guess at the passphrase offline for as long as they like, so the passphrase and key file, not the hosting service, are what protect the contents.

A feature I find surprisingly useful is that KeePassX will copy usernames and passwords to the clipboard without the text being viewable. In an office environment where I often have a vendor or another consultant sitting by me assisting, being able to get at infrequently used passwords I haven’t memorised without showing them to all and sundry is a relief. KeePassX will clear the clipboard of secure information after a configurable time period, to minimise the risk of accidental pastes of root passwords into work IRC. Yes, $colleague, I’m looking at -you- =) One caveat: desktop clipboard managers such as Klipper keep their own history, which KeePassX does not clear, so on such desktops prefer Auto-Type over copy and paste.


[Image: KeePassX interface with groups added]

For those using locked-down or shared Microsoft Windows workstations, KeePass Password Safe is available as a portable app from PortableApps.com.

EDIT: As people have pointed out in the comments, there are also mobile versions of KeePass; in fact I have the J2ME version on my Nokia S60 cell phone. Unfortunately my insanely long passphrase is almost impossible to type even with QWERTY on a phone, so while it’s a great idea to have access to the database on my phone, I find myself unable to really use it =)

13 Comments

  1. Dunedan said,

    September 14, 2008 @ 1:30 pm

    > KeePassX will clear the clipboard of secure information within a configurable time period

    I noticed that the clearing works well, but Klipper already remembers the password in its history. So it would be possible for somebody else to see the password when he gets access to the computer.

  2. Bernhard Friedreich said,

    September 14, 2008 @ 1:31 pm

    Yeah this is really a great program.. thx for the tip with subversion.. will think about that solution..

    Don’t know if it’s just me but maybe I didn’t fully understand what you’ve written.. on the KeepassX homepage there’s also a zip package for windows .. so it works on Windows too (and not just macos/linux).. actually I’m using it on Windows atm .. I love Qt :-)

    Didn’t know about the feature with the clipboard yet.. will have to try it out.. could be useful at school :p

  3. xdmx said,

    September 14, 2008 @ 1:46 pm

    I’ve been using KeePass for years now (first KeePass on Windows and then KeePass on Linux), and I have to say that IMHO it’s the most advanced and best password manager I’ve ever used (yes, KWallet is nice because of the KDE integration, but it misses a lot of features… a KeePass-like version of KWallet with its KDE integration would really rock).
    BTW, KeePass can also be run on PDAs and mobile phones, so you can really have your passwords everywhere :)
    The only problem I’ve had with KeePass is the one Dunedan mentioned in his post… Klipper keeps the password in its history.. :(
    You can also automatically insert the username and password into a form using Ctrl+V, instead of copying first the username and then the password :)

    (For the KWallet maintainer(s), if you read this, have a look at KeePassX and think about all its features; wouldn’t it be nice to have them in KWallet too? :) )

  4. xdmx said,

    September 14, 2008 @ 2:10 pm

    Oh, I forgot… if you use Ctrl+V, Klipper doesn’t save the username and password in its history… ;)

  5. Michael Leupold said,

    September 14, 2008 @ 2:33 pm

    I’m currently working on updating the kwalletmanager gui to be better suited for managing passwords. It might make it into 4.2. If it does I’d love to hear your thoughts about it. For a start I’ll also try KeePassX to see which goodness it offers that I might implement as well :)

  6. xdmx said,

    September 14, 2008 @ 3:05 pm

    @michael:

    Actually I’m stuck with 3.5, so I don’t know exactly what KWallet has in KDE 4, but I can tell you what I think is useful in KeePassX :)
    - the possibility to add more information to every record (title, username, URL, password, comment, expiry and attachments)
    - a password generator which can be used to generate any kind of password (you can choose almost everything: length, character groups and single characters). It also tells you the quality of the password in bits :)
    - IIRC in KWallet it is possible to create different groups of passwords (e.g. emails, servers, etc.), and maybe more than one level deep, so emails -> [gmail, yahoo, etc.], and then the group “gmail” has the passwords for that group. I don’t know if it would be a good idea to have the parent group show all of its children (so emails would show all emails of its subgroups gmail, yahoo, etc.)
    - the possibility to open the URL of a selected record (right-click on the record and then Open URL)
    - copy the username and password of a selected record and then clear the clipboard after X seconds (about this, it would be really nice to have Klipper cleared too, if present)
    - perform auto-type; I think this is the functionality I use most (together with the password generator) :) It’s very useful, but I don’t know about it in KWallet: as it’s well integrated with KDE it wouldn’t be so useful, but then I think of stuff like Firefox, which IIRC KWallet isn’t so well integrated with (or maybe it’s Firefox which isn’t so integrated with KDE :), or at least for now until the Qt Firefox version :) ), so in that case it would be very useful (yeah, I know there is Konqueror as a browser, but it still misses a lot of features too :( )
    - ask for the main password every time you try to access the password manager, just to protect all the passwords better. And maybe the possibility to use a password + a token file
    - the possibility to import/export passwords. About this, it would be really good to be able to manage the KeePass files, so you can use the same file with KeePass and with KWallet, but also with KeePass for PDAs and mobile phones

    mmm… for now that’s it :)

  7. Don Tomaso said,

    September 14, 2008 @ 3:23 pm

    I changed from KeePassX to pwmanager (http://extragear.kde.org/apps/pwmanager/) a while ago because it was better integrated with KDE and kwallet. But it seems pwmanager has been unmaintained for a while, and is a bit flaky under KDE 4.

    I really like the kwallet-integration of pwmanager which allows me to automate tasks like opening encrypted disks and setting up ssh-tunnels at login. I guess this isn’t possible with KeePassX? On the FAQ it says “There is no interface build in to support plugins. Therefore, no plugins available.”

  8. Stefan said,

    September 14, 2008 @ 3:54 pm

    Thanks for the tip! I need a password manager that runs under Linux, Windows and OSX. I didn’t know KeePassX until now and was running Password Gorilla which is a bit limited and crashes a lot under OSX.

    I’m gonna check out KeePassX now.

  9. NickElliott said,

    September 14, 2008 @ 5:52 pm

    I’ve been using KeePass for some time now for all applications and accounts which require password access. One of the attractions, as you mention, is that the database format is common between it and the Linux port, KeePassX (and OSX version). I think some mention should go to Dominik Reichl for keeping the original Windows application open source, it is an excellent application and credit is due.

    I was a Windows user for years because of the dictates of work but am now making the transition to linux - applications such as this are invaluable. It demonstrates the significant benefits to be had from open document formats.

    I can recommend Keepass(X) as feature rich and flexible, well worth looking at.

  10. Ian Monroe said,

    September 14, 2008 @ 6:05 pm

    I already have the gnome and KDE wallet managers. The last thing I need is another!

  11. Jonathan Verner said,

    September 15, 2008 @ 1:13 am

    Hmm, keeping the database in svn would seem _potentially_ insecure to me. A potential attacker would have access to many different versions of the encrypted file which might help him very much in recovering the master password. It would probably still be very hard, but who knows (I don’t :-) ).

  12. jhall said,

    September 15, 2008 @ 4:33 am

    @Bernhard, I actually discovered the Windows version first a long time ago, so I guess I didn’t notice there was a Windows download on the KeePassX page!

    @Jonathan - I do understand that risk. For me, it’s Secure Enough - the subversion repository is obscure and private, although I do understand that this doesn’t make it foolproof!

    Any time we switch on a computer though, we make a compromise between security and ease of use, and this is a compromise I’m ok with in this situation.

  13. jhall said,

    September 15, 2008 @ 4:34 am

    @Ian - if you don’t need a cross platform solution then there’s no reason not to use the wallet manager you already have.
