author     Thibaut Horel <thibaut.horel@gmail.com>    2013-03-01 02:46:11 +0100
committer  Thibaut Horel <thibaut.horel@gmail.com>    2013-03-01 02:46:11 +0100
commit     e22a2777522b40eef8aa1449de880035edb505cf (patch)
tree       dda00af850ae8f2f4670e8eabb4bb44bc9713a28
parent     b3f04bc23e4c69f85ac00ecbb61d71230c1464cd (diff)
download   blog-e22a2777522b40eef8aa1449de880035edb505cf.tar.gz
Add password article
-rw-r--r--  content/images/keepassx.png  bin  0 -> 74351 bytes
-rw-r--r--  content/password.rst         135
-rw-r--r--  theme/static/main.css        6
3 files changed, 141 insertions, 0 deletions
diff --git a/content/images/keepassx.png b/content/images/keepassx.png
new file mode 100644
index 0000000..52adca0
--- /dev/null
+++ b/content/images/keepassx.png
Binary files differ
diff --git a/content/password.rst b/content/password.rst
new file mode 100644
index 0000000..2cf1fb2
--- /dev/null
+++ b/content/password.rst
@@ -0,0 +1,135 @@
+How I solved my password problem
+================================
+
+:date: 2013-02-24 23:00
+:status: draft
+
+.. :status: draft
+
+Everybody knows that *password reuse* (using the same password on different
+services, websites, etc.) is a bad habit from the point of view of security.
+The reason is simple: if a single website where your password is used gets
+compromised, then somebody could get access to your password and consequently
+get access to your account on all the websites where you use the same password.
+You can get a full description of this phenomenon on XKCD_.
+
+.. _XKCD: http://xkcd.com/792/
+
+On a less funny note, there have been countless_ stories_ of password breaches
+where password databases of major websites got compromised. These incidents
+revealed that very often, these websites do not follow even the very basic
+security practices to protect their user passwords.
+
+.. _stories: http://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
+.. _countless: http://abcnews.go.com/blogs/technology/2012/07/yahoo-password-breach-includes-gmail-hotmail-and-aol-users/
+
+Despite, having been well aware of this fact for years, I have never really
+taken the problem seriously, barely using a few different passwords depending
+on the level of trust I had in the websites. About one year ago, my Gmail
+account has been hacked and used to send spam emails to my contact list: it is
+a very unpleasant experience when you are being asked by one of your colleague
+to explain the “funny email” that was sent on your behalf... This is when
+I decided to have only single-purpose passwords. However, it quickly became
+apparent to me that I would need a proper set of tools to handle them. My
+requirements for this set of tools were the following:
+
+* the core of the solution had to be open-source: you can read `Bruce
+ Schneier's opinion`_ about why open-source is good for security.
+* there had to be real-time synchronization of my passwords on the different
+ machines I use.
+* there had to be a way to access my passwords on my phone, in the case where
+ I need a password on a machine I do not use regularly.
+
+.. _Bruce Schneier's opinion: http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity
+
+The solution I found, which I have now been happily using for some time, is the
+combo: KeePassX + Dropbox + KeePassDroid.
+
+KeePassX
+--------
+
+Here is the description of KeePassX you can find on its official website_:
+
+ KeePassX is an application for people with extremly high demands on secure
+ personal data management. It has a light interface, is cross platform and
+ published under the terms of the GNU General Public License.
+
+ KeePassX saves many different information e.g. user names, passwords, urls,
+ attachments and comments in one single database. For a better management
+ user-defined titles and icons can be specified for each single entry.
+ Furthermore the entries are sorted in groups, which are customizable as
+ well. The integrated search function allows to search in a single group or
+ the complete database.
+
+The idea behind KeePassX is simple: all your passwords are stored in a database
+which is encrypted by your *master password* (a password you choose when
+creating the database). Every time you launch KeePassX, the password has to be
+typed to unlock the database. Once it is unlocked, you have a nice and simple
+interface to add/delete/modify password, organize them in different subgroups,
+etc.
+
+.. figure:: static/images/keepassx.png
+ :target: static/images/keepassx.png
+
+ KeePassX interface
+
+Let me mention here the killer-feature of KeePassX, *autofill*: it allows you
+to automatically fill your username and password in a login form by pressing
+a global shortcut. KeePassX decides which password to use on which website
+based on the window title that you associate with the password when creating
+it.
+
+.. _website: http://www.keepassx.org/
+
+Dropbox
+-------
+
+The password database being just a single file (with extension .kdb), the
+synchronization of my passwords across several computers was really easy to
+setup: I just added the database file to my Dropbox folder.
+
+I am not fully satisfied by this part of the solution and would feel more
+comfortable if I were not relying on a third-party to store my passwords.
+However, the database file which is hosted by Dropbox is encrypted by my master
+password and I can live with this at the moment. Yet, I would be happy to find
+an open-source synchronization tool which stands comparison with Dropbox.
+
+KeepassDroid
+------------
+
+Finally, getting access to my passwords on my phone simply involved installting
+two applications found on Google Play (my phone runs Android): KeePassDroid_
+and Dropbox_.
+
+.. _KeePassDroid: https://play.google.com/store/apps/details?id=com.android.keepass
+.. _Dropbox: https://play.google.com/store/apps/details?id=com.dropbox.android
+
+The Dropbox app will take care of getting your password database file on your
+phone memory. Then, you can link the file to the KeePassDroid app by following
+these steps:
+
+* in the Dropbox app, navigate to your password database file and try to open
+ it.
+* if you have the KeePassDroid app installed, you will have the option to open
+ the file with it. Choose this option.
+* on the first screen presented to you, check the option "Use this as my
+ default database" and type in your password.
+* you should now be able to navigate through your password database.
+
+If you are an iPhone user, iKeePass_ should do the job.
+
+.. _iKeePass: https://itunes.apple.com/en/app/ikeepass/id299697688?mt=8
+
+Conclusion
+----------
+
+I am not claiming that my solution is the perfect way to manage your passwords:
+this is just the solution I currently use, and it has worked well for me until
+now.
+
+I know that some people have been successfully using LastPass_: the approach is
+browser-based and very different from the one described in this article, but
+I would be interested to find a comparison of the two solutions from the point
+of view of usability.
+
+.. _LastPass: https://lastpass.com/
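Review bot: the figure directive points at `static/images/keepassx.png` (and the `:target:` repeats that path), but this commit adds the image at `content/images/keepassx.png`; unless the site build copies `content/images/` to `static/images/` in the output, both the image and its link will be broken, so either reference `images/keepassx.png` or confirm the static path mapping before publishing. Two smaller points: `:status: draft` appears both as a live field and as the commented-out `.. :status: draft` line two lines below it, so one of the two is leftover and should be removed; and the added prose has typos to fix ("Despite, having" has a stray comma, "installting" should be "installing", and "extremly" in the quoted website description should be "extremely" unless you are quoting it verbatim). On the Dropbox section, since the synced `.kdb` file is protected only by the master password chosen at database creation, it is worth stating that this master password needs to be strong, because the encrypted file is sitting on a third-party server that you have already said you do not fully trust.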
diff --git a/theme/static/main.css b/theme/static/main.css
index f11ee13..8602f2b 100644
--- a/theme/static/main.css
+++ b/theme/static/main.css
@@ -107,3 +107,9 @@ tt{
font-family: Monaco,Menlo,Consolas,"Courier New",monospace;
font-size: 110%;
}
+
+.figure .caption{
+ text-align: center;
+ font-style: italic;
+ margin-top: 0.5em;
+}
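Review bot: `.figure .caption` relies on the HTML writer emitting `class="caption"` on the caption paragraph inside `div.figure`, which the docutils html4css1 writer does for a `.. figure::` directive with a caption, so this rule matches the figure added in `content/password.rst`; the missing space before `{` is consistent with the existing `tt{` rule above, so no style change is needed.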