Diffstat (limited to 'content')
| -rw-r--r-- | content/images/keepassx.png | bin | 0 -> 74351 bytes | |||
| -rw-r--r-- | content/password.rst | 135 |
2 files changed, 135 insertions, 0 deletions
diff --git a/content/images/keepassx.png b/content/images/keepassx.png Binary files differnew file mode 100644 index 0000000..52adca0 --- /dev/null +++ b/content/images/keepassx.png diff --git a/content/password.rst b/content/password.rst new file mode 100644 index 0000000..2cf1fb2 --- /dev/null +++ b/content/password.rst 
@@ -0,0 +1,135 @@ +How I solved my password problem +================================ + +:date: 2013-02-24 23:00 +:status: draft + +.. :status: draft + +Everybody knows that *password reuse* (using the same password on different +services, websites, etc.) is a bad habit from the point of view of security. +The reason is simple: if a single website where your password is used gets +compromised, then somebody could get access to your password and consequently +get access to your account on all the websites where you use the same password. +You can get a full description of this phenomenon on XKCD_. + +.. _XKCD: http://xkcd.com/792/ + +On a less funny note, there have been countless_ stories_ of password breaches +where password databases of major websites got compromised. These incidents +revealed that very often, these websites do not follow even the very basic +security practices to protect their user passwords. + +.. _stories: http://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/ +.. _countless: http://abcnews.go.com/blogs/technology/2012/07/yahoo-password-breach-includes-gmail-hotmail-and-aol-users/ + +Despite, having been well aware of this fact for years, I have never really +taken the problem seriously, barely using a few different passwords depending +on the level of trust I had in the websites. About one year ago, my Gmail +account has been hacked and used to send spam emails to my contact list: it is +a very unpleasant experience when you are being asked by one of your colleague +to explain the “funny email” that was sent on your behalf... This is when +I decided to have only single-purpose passwords. However, it quickly became +apparent to me that I would need a proper set of tools to handle them. My +requirements for this set of tools were the following: + +* the core of the solution had to be open-source: you can read `Bruce + Schneier's opinion`_ about why open-source is good for security. 
+* there had to be real-time synchronization of my passwords on the different + machines I use. +* there had to be a way to access my passwords on my phone, in the case where + I need a password on a machine I do not use regularly. + +.. _Bruce Schneier's opinion: http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity + +The solution I found, which I have now been happily using for some time, is the +combo: KeePassX + Dropbox + KeePassDroid. + +KeePassX +-------- + +Here is the description of KeePassX you can find on its official website_: + + KeePassX is an application for people with extremly high demands on secure + personal data management. It has a light interface, is cross platform and + published under the terms of the GNU General Public License. + + KeePassX saves many different information e.g. user names, passwords, urls, + attachments and comments in one single database. For a better management + user-defined titles and icons can be specified for each single entry. + Furthermore the entries are sorted in groups, which are customizable as + well. The integrated search function allows to search in a single group or + the complete database. + +The idea behind KeePassX is simple: all your passwords are stored in a database +which is encrypted by your *master password* (a password you choose when +creating the database). Every time you launch KeePassX, the password has to be +typed to unlock the database. Once it is unlocked, you have a nice and simple +interface to add/delete/modify password, organize them in different subgroups, +etc. + +.. figure:: static/images/keepassx.png + :target: static/images/keepassx.png + + KeePassX interface + +Let me mention here the killer-feature of KeePassX, *autofill*: it allows you +to automatically fill your username and password in a login form by pressing +a global shortcut. 
KeePassX decides which password to use on which website +based on the window title that you associate with the password when creating +it. + +.. _website: http://www.keepassx.org/ + +Dropbox +------- + +The password database being just a single file (with extension .kdb), the +synchronization of my passwords across several computers was really easy to +setup: I just added the database file to my Dropbox folder. + +I am not fully satisfied by this part of the solution and would feel more +comfortable if I were not relying on a third-party to store my passwords. +However, the database file which is hosted by Dropbox is encrypted by my master +password and I can live with this at the moment. Yet, I would be happy to find +an open-source synchronization tool which stands comparison with Dropbox. + +KeepassDroid +------------ + +Finally, getting access to my passwords on my phone simply involved installting +two applications found on Google Play (my phone runs Android): KeePassDroid_ +and Dropbox_. + +.. _KeePassDroid: https://play.google.com/store/apps/details?id=com.android.keepass +.. _Dropbox: https://play.google.com/store/apps/details?id=com.dropbox.android + +The Dropbox app will take care of getting your password database file on your +phone memory. Then, you can link the file to the KeePassDroid app by following +these steps: + +* in the Dropbox app, navigate to your password database file and try to open + it. +* if you have the KeePassDroid app installed, you will have the option to open + the file with it. Choose this option. +* on the first screen presented to you, check the option "Use this as my + default database" and type in your password. +* you should now be able to navigate through your password database. + +If you are an iPhone user, iKeePass_ should do the job. + +.. 
_iKeePass: https://itunes.apple.com/en/app/ikeepass/id299697688?mt=8 + +Conclusion +---------- + +I am not claiming that my solution is the perfect way to manage your passwords: +this is just the solution I currently use, and it has worked well for me until +now. + +I know that some people have been successfully using LastPass_: the approach is +browser-based and very different from the one described in this article, but +I would be interested to find a comparison of the two solutions from the point +of view of usability. + +.. _LastPass: https://lastpass.com/ |
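Review bot: the '.. figure:: static/images/keepassx.png' directive (with the matching ':target:') references a path that this commit does not add; the image lands at 'content/images/keepassx.png', so unless the site generator maps 'content/images/' to 'static/images/' in the output, the figure will render as a broken link. Either point the directive at the path the generator actually serves or move the file, and check the rendered draft once. Same hunk, smaller issues: ':status: draft' appears twice, once as a real field and again as the commented line '.. :status: draft', so one of them is a leftover; and there are typos worth fixing before this leaves draft state ('extremly' inside the quoted website description, which should either be corrected or marked as quoted verbatim, 'installting', the stray comma in 'Despite, having', 'one of your colleague', 'add/delete/modify password'). On the security content, the Dropbox section says the hosted .kdb copy is protected only by the master password; it would help readers to state plainly that this is the one secret everything rests on, so it has to be strong enough to withstand offline guessing if that synced copy is ever exposed, which the text currently leaves implicit.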
