How I solved my password problem
================================

:date: 2013-05-03 23:00

.. :status: draft

Everybody knows that *password reuse* (using the same password on different
services, websites, etc.) is a bad habit from the point of view of security.
The reason is simple: if a single website where your password is used gets
compromised, then somebody could get access to your password and consequently
get access to your account on all the websites where you use the same password.
You can get a full description of this phenomenon on XKCD_.

.. _XKCD: http://xkcd.com/792/

On a less funny note, there have been countless_ stories_ of password breaches
where the password databases of major websites got compromised. These incidents
revealed that, very often, these websites do not follow even the most basic
security practices to protect their users' passwords.

.. _stories: http://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
.. _countless: http://abcnews.go.com/blogs/technology/2012/07/yahoo-password-breach-includes-gmail-hotmail-and-aol-users/

Despite having been well aware of this fact for years, I had never really
taken the problem seriously, barely using a few different passwords depending
on the level of trust I had in the websites. About one year ago, my Gmail
account was hacked and used to send spam emails to my contact list: it is
a very unpleasant experience when you are asked by one of your colleagues
to explain the “funny email” that was sent on your behalf... This is when
I decided to have only single-purpose passwords. However, it quickly became
apparent to me that I would need a proper set of tools to handle them. My
requirements for this set of tools were the following:

* the core of the solution had to be open-source: you can read `Bruce
  Schneier's opinion`_ about why open-source is good for security.
* there had to be real-time synchronization of my passwords on the different
  machines I use.
* there had to be a way to access my passwords on my phone, in case
  I need a password on a machine I do not use regularly.

.. _Bruce Schneier's opinion: http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity

The solution I found, which I have now been happily using for some time, is the
combo: KeePassX + Dropbox + KeePassDroid.

KeePassX
--------

Here is the description of KeePassX you can find on its official website_:

    KeePassX is an application for people with extremely high demands on secure
    personal data management. It has a light interface, is cross platform and
    published under the terms of the GNU General Public License.

    KeePassX saves many different kinds of information, e.g. user names,
    passwords, urls, attachments and comments, in one single database. For
    better management, user-defined titles and icons can be specified for each
    single entry. Furthermore, the entries are sorted in groups, which are
    customizable as well. The integrated search function allows to search in
    a single group or the complete database.

The idea behind KeePassX is simple: all your passwords are stored in a database
which is encrypted with your *master password* (a password you choose when
creating the database). Every time you launch KeePassX, the master password has
to be typed to unlock the database. Once it is unlocked, you have a nice and
simple interface to add/delete/modify passwords, organize them in different
subgroups, etc.

.. figure:: static/images/keepassx.png
   :target: static/images/keepassx.png

   KeePassX interface

Let me mention here the killer feature of KeePassX, *autofill*: it allows you
to automatically fill in your username and password in a login form by pressing
a global shortcut. KeePassX decides which password to use on which website
based on the window title that you associate with the password when creating
it.

.. _website: http://www.keepassx.org/

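To make the two ideas above concrete (a database that only the master password
unlocks, and entries picked by window title), here is a small Python example
written for this page; it is not KeePassX's code and does not implement the
``.kdb`` format. The file layout, the ``TOYVAULT1`` marker, the iteration
count and the sample entries are all constructed for the illustration. The
master password is stretched with PBKDF2, the entries are encrypted into one
blob that could be synced as a file, and a wrong password or a modified file
is rejected before anything is decrypted:

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Optional, Tuple

# Constructed parameters for this illustration; they are not KeePass's own format or values.
MAGIC = b"TOYVAULT1"
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000  # work an attacker must repeat for every master-password guess


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream built by running HMAC-SHA256 as a PRF in counter mode."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def lock_database(entries: Dict[str, dict], master_password: str) -> bytes:
    """Serialize the entries into the single encrypted blob that would be synced as a file."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + ciphertext + tag


def unlock_database(blob: bytes, master_password: str) -> Optional[Dict[str, dict]]:
    """Return the entries, or None when the password is wrong or the blob was altered."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        return None
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr_len]
    ciphertext, tag = blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, blob[:hdr_len] + ciphertext, hashlib.sha256).digest()
    # Constant-time compare; a wrong password derives a different MAC key, so it fails here too.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(keystream_xor(enc_key, nonce, ciphertext))


def entry_for_window(entries: Dict[str, dict], window_title: str) -> Optional[dict]:
    """Pick the entry whose title occurs in the active window title (a simplified autofill lookup)."""
    for title, entry in entries.items():
        if title.lower() in window_title.lower():
            return entry
    return None


# Constructed sample entries, keyed by the window title each login belongs to.
SAMPLE_ENTRIES = {
    "Example Mail": {"username": "alice", "password": "correct horse battery staple"},
    "Example Shop": {"username": "alice", "password": "t0tally-d1fferent-0ne"},
}


def demo() -> Dict[str, bool]:
    blob = lock_database(SAMPLE_ENTRIES, "my master password")
    opened = unlock_database(blob, "my master password")
    corrupted = blob[:-1] + bytes([blob[-1] ^ 0x01])  # one flipped byte in the synced file
    return {
        "right_password_opens": opened == SAMPLE_ENTRIES,
        "wrong_password_rejected": unlock_database(blob, "my master passw0rd") is None,
        "corrupted_file_rejected": unlock_database(corrupted, "my master password") is None,
        "entries_visible_in_file": b"alice" in blob,
        "autofill_picks_shop": entry_for_window(opened, "Example Shop - Login - Browser")["password"]
        == "t0tally-d1fferent-0ne",
    }


if __name__ == "__main__":
    print(demo())
```

HMAC-SHA256 is used as a PRF in counter mode so that the example needs only the
standard library; a real vault uses a vetted cipher. The tag is verified before
decryption, so a wrong master password and a file damaged in transit are rejected
the same way. The window-title lookup is a plain substring match, which is the
association the post describes, not KeePassX's exact matching rules. The thing
to notice for the synchronization part is that the blob contains nothing
readable: the only thing standing between a copy of that file and the passwords
is the strength of the master password together with the PBKDF2 cost.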
Dropbox
-------

The password database being just a single file (with extension .kdb), the
synchronization of my passwords across several computers was really easy to
set up: I just added the database file to my Dropbox folder.

I am not fully satisfied with this part of the solution and would feel more
comfortable if I were not relying on a third party to store my passwords.
However, the database file hosted by Dropbox is encrypted with my master
password and I can live with this at the moment. Still, I would be happy to find
an open-source synchronization tool that can stand comparison with Dropbox.

KeePassDroid
------------

Finally, getting access to my passwords on my phone simply involved installing
two applications found on Google Play (my phone runs Android): KeePassDroid_
and Dropbox_.

.. _KeePassDroid: https://play.google.com/store/apps/details?id=com.android.keepass
.. _Dropbox: https://play.google.com/store/apps/details?id=com.dropbox.android

The Dropbox app will take care of getting your password database file onto your
phone's storage. Then, you can link the file to the KeePassDroid app by following
these steps:

* in the Dropbox app, navigate to your password database file and try to open
  it.
* if you have the KeePassDroid app installed, you will have the option to open
  the file with it. Choose this option.
* on the first screen presented to you, check the option "Use this as my
  default database" and type in your master password.
* you should now be able to navigate through your password database.

If you are an iPhone user, iKeePass_ should do the job.

.. _iKeePass: https://itunes.apple.com/en/app/ikeepass/id299697688?mt=8

Conclusion
----------

I am not claiming that my solution is the perfect way to manage your passwords:
this is just the solution I currently use, and it has worked well for me until
now.

I know that some people have been successfully using LastPass_: the approach is
browser-based and very different from the one described in this article, but
I would be interested to find a comparison of the two solutions from the point
of view of usability.

.. _LastPass: https://lastpass.com/