How to set up a portable, non-cloud-based password manager
- 30 March, 2016 22:12
Nothing helps strong passwords become a central tenet of your electronic life than conscientious use of a password manager. However, the compromise of at least one cloud-based password manager last year and recent actions by a government agency may have given you second thoughts about using the cloud for something that instinctively feels like it should be managed locally.
Those incidents aside, password managers remain the best way to avoid reusing weak passwords which is as commonplace as the number of password leaks that happen every year, even on large, reputable websites. And, if you don’t mind putting in a modicum of effort, you can still establish a non-cloud-based password manager that can be utilized across multiple devices.
Here, we take a closer look at how you can securely set up KeePass – a highly rated open-source password manager – in a way that keeps your passwords within easy reach. (There are two versions of KeePass that are maintained concurrently; we will be focusing our attention on KeePass 2.)
1. Setting up KeePass
At its core, KeePass is straightforward to understand. A master key generated from the user password is hashed using SHA-256, which is subsequently used to encrypt the password database with AES-256.
To unpack that a bit for the layperson, SHA (Secure Hash Algorithm) is a type of cryptographic hash, or “signature” for a computer file (text or data). It’s a one-way state: It can’t be decrypted. SHA-256 is an almost unique 256-bit hash. AES (Advanced Encryption Standard) is a cipher (secret code, in other words) used widely across the internet, and is, in theory, uncrackable, given the number of keys used. And AES-256 is mathematical equivalent of 2256 key possibilities.
The use of strong encryption does not detract from the need for a sufficiently complex password, since an attacker with a pilfered copy the KeePass database can attempt to crack it using dictionary and password guessing tools. Of course, having to remember just one extra-strong password to protect all other passwords is what makes the use of a password manager appealing in the first place.
KeePass is available on Windows and because it is written in .NET, can be made to run on Linux, OS X, Linux and BSD with Mono. A cross-platform port called KeePassX is also available for those who prefer not to use Mono, though it lacks in certain features such as support for plugins and auto-typing of passwords on non-Linux systems.
Overall, the KeePass project is mature and well-supported, and the download page on the official website lists contributed ports for mobile platforms ranging from Windows Phone, Android, iOS, BlackBerry and even Palm OS. Your mileage may vary with some of the ports, though the top mobile platforms such as Android and iOS appear to be well-supported with apps that are maintained.
2. Strengthening your KeePass database
So what length of password is good enough to properly secure a KeePass database? There is no clear consensus on this, mainly due to highly divergent factors such as complexity of password and speed of computers tasked to perform any brute force attempt. Still, a password length of more than 12 characters may be a good start with a non-dictionary-based password, though some recommend at least 20 characters.
Strong master password aside, KeePass offers two other main ways to ratchet up the security of the password database. The simplest relies on having KeePass run the encryption key through additional iterative rounds of encryption. The default value is set at 6,000 rounds, though this could be configured to a much higher value to make it orders of multitude harder to pull off a successful brute force attack.
Indeed, a modern desktop or laptop could easily be set to between 10 million to 20 million rounds for those who can live with a very slight delay when opening (and saving) the password database. KeePass itself comes with a nifty feature that shows how many key transformation rounds can be set for those prepared to live with a 1-second delay. Of course, it may be a good idea to ease off slightly if you intend to access the database from a smartphone.
The second approach involves specifying a key file or input from a key provider plugin on top of the master password. As described earlier, the composite master key is used to encrypt the password database, and the added complexity makes the password database that much more secure against brute force attacks. (We won’t be looking at the option involving “Windows user account,” since it’s Windows-only and isn’t portable across devices)
While the master password is “something you know,” the use of a key file allows for the implementation of a “something you have” approach. Specifically, the key file could be saved on a USB flash drive which is physically required to unlock a KeePass database.
An alternative to using a flash drive would be the YubiKey, a dedicated hardware the size of a small USB dongle designed to offer two-factor authentication. With the use of the Challenge-Response key provider plugin for KeePass, it is possible to set up a YubiKey such it will have to be plugged into a USB port for the password database to be decrypted.
This can be done by setting up the YubiKey with the YubiKey Personalization Tool, and loading it with the same secret key that is fed to the Challenge-Response key provider plugin when setting up KeePass on the desktop. Subsequent attempts to load the KeePass database will culminate in a prompt for the YubiKey.
3. Synchronizing between devices
The simplest way to use KeePass everywhere would be to save KeePass and the password database on a USB flash drive and bring it along everywhere. This mode is supported by KeePass, which is designed to be run directly off a portable storage drive with no installation needed. The downside though, is the risk of losing the only copy – or latest copy for those who do regular backups – of the password database, as well as an inability to access it from a smartphone or tablet.
[Related: How to evaluate password managers]
An alternate method supported by KeePass would be to manually sync the database to a network location or FTP site. There are also a number of third-party plugins that add support to cloud resources such as Google Drive, OneDrive and Dropbox, as well as private cloud locations such as Amazon S3, SCP and FTPS.
While all of the above is technically the cloud, the advantage to using KeePass with them is how a hacker who manages to gain unauthorized access to the cloud account will still have to crack the encrypted database file. Assuming the tips in the previous section are adhered to, this could well be a non-trivial task indeed.
For those who desire to stay completely off the public cloud, one option would be to sync the KeePass database between devices using BitTorrent Sync. Free for personal use, BitTorrent Sync is also available on all major desktop and smartphone platforms.
4. Using KeePass on your smartphone
Getting KeePass to work on your mobile device of choice is a matter of synchronizing the password database file and opening it from a supported KeePass client. As noted earlier, a number of options are available to synchronize the password database across multiple devices. It is worth noting that not all cloud storage service supports making a download for offline access – so you may have to resort to third-party apps for this.
For those using the KeePass in Challenge-Response mode with a YubiKey, it is critical to ensure that the corresponding XML file is kept in sync, too. The YubiKey configuration outlined in the previous section will work with both the KeePass2Droid or Keepass2Android apps with the free YubiChallenge app installed. When challenged, simply tap the NFC-capable YubiKey Neo on the NFC reader on your smartphone to be authenticated.
Note that Challenge-Response mode on a smartphone will only work with the YubiKey Neo, and only on NFC-capable Android devices. At the moment, the iPhone’s restricted support for NFC means that the YubiKey Neo will not work with iOS devices, though it is understood that a Bluetooth version is currently under development.