
Linux.com

Feature: Reviews

Four password lockers that can help you keep your Web logins secure

By Ben Martin on October 21, 2008 (9:00:00 AM)


It is good practice to use a different password for each Web site you need to log in to. Good passwords tend to be long and contain a wide selection of characters. That can make remembering all your passwords difficult. But you can make things easier on yourself by storing passwords for various Web sites in an encrypted file on your computer. I'll take a look at four programs that give you easy access to your passwords when you need them and protect the password file itself against compromise.

Of course, storing passwords on a computer introduces a degree of risk. The program might be buggy, the cryptography library used by the program might be buggy, and you are effectively lumping all of the passwords that you store in the encrypted database into the same security bracket -- that is, if the encrypted database is compromised, the attacker will probably be able to use any password contained in it. On the flip side, by using a single very strong password to protect 50 Web site login credentials, you don't have to keep memorizing new strong passwords every time you access a new site. Still, you might not ever want to store the password you use to authenticate with your bank.

I looked at KeePassX, Password Dragon, Password Gorilla, and JPasswords, most of which allow you to store not only user name and password information but also the URL associated with this key and other metadata -- information you can refer to collectively as credentials. Generally the credentials are stored into a single file, perhaps referred to as the credential database, which is encrypted prior to being saved to disk. As a disclosure, I have been using KeePassX to store passwords for a while, but I have tried not to have any bias toward KeePassX in this article.

The key used to unlock the credential database can be a combination of a password and a file containing encryption keys. Generally, having an encryption key file is of no use unless you also know the password to unlock it as well. Which combination of password and encryption key file you use generally depends on how severe the impact of disclosing the credential database is. If you are using a separate encryption key file, you might like to store that key file on a secure flash drive so that it is physically separate from the machine that stores the encrypted credential database.

KeePassX

KeePassX can encrypt your credentials database using either AES or Twofish, and includes implementations of these algorithms with the source code.

KeePassX is not in the distribution repositories for Fedora or Ubuntu, but it is available as a 1-Click install for openSUSE 11, Fedora 9 for both 32- and 64-bit, and 32- and 64-bit packages for Ubuntu Hardy. KeePassX is also available for Mac OS X, Windows, and Maemo. The main dependency of KeePassX is the Qt library.

KeePassX can use a combination of password and key file to protect your credential database. Selecting "New Database..." from the File menu brings up the dialog window shown below. If you use an external encryption key file, that file will contain 64 bytes of ASCII characters.
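To make the "password plus key file" idea from the previous paragraphs concrete, here is an added example (constructed for this article, not KeePassX's own key derivation or file format): the password is stretched with PBKDF2, then bound to a hash of a 64-character ASCII key file, and a key-check tag in the database header lets the locker verify the factors before decrypting anything. The function names, the PBKDF2 iteration count and the check tag are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed illustration of a password + key file composite key; this is NOT
# KeePassX's actual key derivation or file format, only the principle from the text.
ITERATIONS = 100_000  # assumed stretching cost


def make_key_file() -> bytes:
    """Return 64 ASCII (hex) characters, the shape the article gives for a key file."""
    return secrets.token_hex(32).encode("ascii")


def derive_composite_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the password, then bind it to the key file (if one is in use).

    The key file alone never yields the key, because the stretched password is mixed
    in; the password alone fails whenever the database was created with a key file.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    if key_file is None:
        return stretched
    return hashlib.sha256(stretched + hashlib.sha256(key_file).digest()).digest()


def create_database(password: str, key_file: Optional[bytes]) -> dict:
    """Build a database header: a random salt plus a key-check tag.

    The tag lets unlock() confirm the key without decrypting records; a real locker
    would go on to encrypt the credential records under this key with AES or Twofish.
    """
    salt = os.urandom(16)
    key = derive_composite_key(password, key_file, salt)
    check = hmac.new(key, b"key-check", "sha256").digest()
    return {"salt": salt, "check": check}


def unlock(db: dict, password: str, key_file: Optional[bytes]) -> bool:
    """True only when the supplied factors reproduce the key used at creation."""
    key = derive_composite_key(password, key_file, db["salt"])
    tag = hmac.new(key, b"key-check", "sha256").digest()
    return hmac.compare_digest(tag, db["check"])


if __name__ == "__main__":
    kf = make_key_file()
    db = create_database("correct horse battery", kf)
    print("both factors:", unlock(db, "correct horse battery", kf))  # True
    print("password only:", unlock(db, "correct horse battery", None))  # False
    print("key file only:", unlock(db, "", kf))  # False
```

Keeping the key file on a separate flash drive, as the text suggests, means an attacker who copies the database from the machine still lacks one of the two inputs to derive_composite_key.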

You can group your credentials, and each group can itself have subgroups. A group also has an icon associated with it to allow you to quickly find the credential you are after in the main treeview shown below. There are about 70 icons available with KeePassX, or you can use a custom image of your choosing.

Because the credentials include a URL, the context menu for each credential includes an option to open the URL in a browser. The context menu for a credential also includes options to copy the user name or password to the clipboard using Ctrl-C and Ctrl-B respectively.

Copying a password to the clipboard poses a few security risks. Apart from the fact that any program that can read the clipboard can sniff your passwords, you have a password in the clipboard until you next copy to the clipboard. The preferences for KeePassX let you set up a timeout so KeePassX will automatically clear the clipboard when the timeout expires. This helps to solve the latter problem by only having the password available for, say, five seconds in the clipboard. You can also set a timeout to lock KeePassX itself after inactivity for a given number of seconds.

The credential editing dialog is shown below. You can configure whether a password should be visible by default. Leaving it obscured is handy for laptop use where you might want to see the full details of a credential without potentially exposing the password to an onlooker.

Password Dragon

Password Dragon is a Java application and requires version 1.5 or later of the Java Runtime Environment. Cryptography uses the Blowfish algorithm and is handled by the BlowfishJ library. Once you have a JRE installed, the following commands will get Password Dragon up and running:

$ unzip /.../passworddragon.zip
$ cd passworddragon
$ java -jar passworddragon.jar

The main interface is shown below. You can add up to 10 custom attributes to each credential, which will be displayed in the details view shown toward the right of the screenshot.

Password Dragon includes support for categories, which let you group your credentials and use the category during searches to limit the results. For example, you could create finance and social networking categories to help you find only the credentials relevant to the task at hand. A category cannot be nested inside another, and each credential can be associated with only a single category.

Password Dragon's preferences allow you to set whether the Account Name, User ID, Password, URL, Notes, and Category are masked in the Main Table and the View Record dialog. You can set an inactivity timeout in minutes and elect to automatically copy the User ID or Password to the clipboard when you perform a URL launch. You can clear the clipboard on exit, but not after a specified time has passed after a password was copied to the clipboard.

Password Gorilla

Password Gorilla uses the Twofish algorithm to encrypt its credentials database. It is packaged in Ubuntu Hardy Universe but not for Fedora 9 or openSUSE 11. Password Gorilla uses Tclkit, which is available as a 1-Click install for openSUSE but is not packaged for Fedora 9. The Tclkit Web site offers builds for ARM and x86 architectures in both 32- and 64-bit. Password Gorilla is also available for Mac OS X and Windows. The following commands will install and execute Password Gorilla on a Fedora 9 machine.

$ cd
$ mkdir ~/password-gorilla
$ cd ~/password-gorilla
$ cp /.../tclkit-linux-x86_64.gz .
$ gunzip tclkit-linux-x86_64.gz
$ chmod +x tclkit-linux-x86_64
$ cp /.../gorilla-1.4.kit .
$ ls -lh
-rw-r--r-- 1 ben ben 246K 2008-09-14 14:32 gorilla-1.4.kit
-rwxr-xr-x 1 ben ben 2.2M 2008-09-14 14:32 tclkit-linux-x86_64*
$ ./tclkit-linux-x86_64 gorilla-1.4.kit

Password Gorilla has no support for external key files and currently supports only a password-protected credential database. You can tell Password Gorilla to lock itself after a given number of minutes of inactivity. There are no options to clear the clipboard automatically at any time, but you can clear the clipboard manually from the Edit menu. The details for a credential are shown in the screenshot.

JPasswords

JPasswords uses Java and requires version 1.4 or later of the JRE. There are two main downloads of JPasswords: the normal version and the deluxe version, which includes some additional look and feel files. JPasswords lets you store a password-protected credentials database but does not support external key files for encrypting your credentials database. JPasswords uses Twofish in CBC mode to encrypt the credentials database.

Once you have a JRE installed, you can start JPasswords by executing java -jar jpws-deluxe-0-5-0.jar.

JPasswords supports automatic locking after a nominated period of minutes have passed without activity. You can also have JPasswords automatically clear the clipboard after a given number of seconds so you don't accidentally leave a password there after copying it to your Web browser. JPasswords supports groups, but you cannot nest a group inside another group. The main window is shown in the screenshot.

The two top items in the context menu for a credential are Password to Clipboard and Username to Clipboard. The three items in the toolbar of the details window are to "Copy the password to clipboard," "Copy username to clipboard," and to "Clear clipboard."

Final words

If you have a mobile device with a Java runtime then JPasswords will give you automatic clipboard-clearing functionality and has no dependencies other than the JRE and its jar file. If Tclkit runs on your embedded platform of choice then Password Gorilla is also easy to install and get running. The interface for Password Gorilla is quite compact, so it should work well on embedded targets, with the context menu for a credential allowing you to quickly copy the username, password, and URL to the clipboard. If Qt is available on your platform then KeePassX will integrate well with KDE 4 on your desktop while still working on smaller targets like Maemo.

In a future article I plan to cover two other alternatives that you may already be familiar with: gnome-keyring and KDE Wallet.

Ben Martin has been working on filesystems for more than 10 years. He completed his Ph.D. and now offers consulting services focused on libferris, filesystems, and search solutions.


Comments

on Four password lockers that can help you keep your Web logins secure


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 68.192.12.60] on October 21, 2008 09:34 AM
I use the encfs fuse filesystem. Simply create a directory, mount it with encfs. Move your configuration files and directories into the encrypted directory, and symlink them back to their original location. All application maintained passwords are now secure, with no change in the application. One password at login makes all sensitive application configuration files accessible. Highly secure, and transparent in use.


Re: Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 212.159.72.217] on October 21, 2008 12:56 PM
The encfs fuse filesystem is useful, but never forget that if your machine is compromised, then potentially if you can see something as clear text then so can a remote intruder.


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 130.226.70.227] on October 21, 2008 10:39 AM
Seems you forgot the most important one: Revelation for Gnome-desktop - I use it daily and it's a very nifty tool.


Re: Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 78.86.173.177] on October 21, 2008 11:09 AM
I think you will find that Revelation is much more popular than any of the apps that were reviewed. It's powerful and well-designed. It really should have been included in the review...


KeePassX in Ubuntu

Posted by: Anonymous [ip: 130.234.192.123] on October 21, 2008 11:29 AM
Unless I misinterpret what is meant by 'distribution repositories', the claim that KeePassX isn't available in Ubuntu's is incorrect, because it *is* available from the 'universe' repositories: http://packages.ubuntu.com/search?keywords=keepassx


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 79.52.180.138] on October 21, 2008 11:33 AM
"Good passwords tend to be long and contain a wide selection of characters"
Then why can neither Ubuntu's Network Manager nor Wicd properly handle symbols in WPA/WPA2 wireless encryption keys, forcing me to use ASCII things only?
Anyway thanks for the article, I was just looking for a good password manager!


Tip: Clipperz

Posted by: Anonymous [ip: 213.33.89.38] on October 21, 2008 12:11 PM
In the everything-online world, Clipperz is the best solution ever. Take a look. The features (and the SW design idea) are great. It offers one-click logins, offline versions...

Igor Gomes


Clipperz is AGPL too

Posted by: Anonymous [ip: 78.134.15.54] on October 21, 2008 01:25 PM
Thanks Igor.

I just want to add that Clipperz is also available as a downloadable AGPL package to be installed on any PHP/MySQL enabled server.

Or you can enjoy the hosted version at http://www.clipperz.com

Either way it is always free (as in beer and speech).

Marco
Clipperz co-founder


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 192.107.26.131] on October 21, 2008 02:38 PM
You've forgotten Sea-Horse, which is the GNOME Desktop's default key-ring manager.


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 67.101.237.55] on October 21, 2008 02:46 PM
The approach I have for passwords is to have a "master" password that I memorize and to which I add a few website-specific letters or characters for individual websites. I'm able to remember passwords for about 30 sites with this system at the moment (and I imagine I'd do fine with more). Here's how it works:

pick a good, random-looking master password (and think about type-ability)
qywue1) for example
somewhere within the master password, embed site-specific character(s)
qgywue1) for gmail
qyywue1) for yahoo
if you really want to obscure the password, use hard-to-spot site-specific characters. Instead of using the first letter of the site, use the second. Or use the second and add three. With the example master password above, gmail becomes "m" plus three or "p", for a finished password of qpyque1) .

Sometimes you'll have two sites with conflicting password requirements, but in my experience, a random-looking, 8-character password with a number and a symbol in it works for most sites.


Four password lockers that can help you keep your Web logins secure

Posted by: simeon on October 21, 2008 04:52 PM
For people more concerned with speed than gui (and who always have a terminal or two open anyways) - use pwsafe. It's a command line client so `pwsafe -p foo` will put the password for account foo in my X clip buffer after I've supplied the master password. This isn't as fast as automatically retrieving passwords (say with the KDE Wallet) but the autopassword feature won't work for many of the things I do anyway (say a sudo password while SSH logged into a remote box.) Using a console client lets my interaction stay the same no matter what I need the password for...


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 216.110.195.123] on October 21, 2008 09:49 PM
In my case, I use password composer http://www.xs4all.nl/jlpoutre/BoT/Javascript/PasswordComposer. It uses a hash password and the site name to generate a secure password. For instance a master password of "gorilla" and a site of "www.google.com" will yield a password of "a58430cc".

This way I have one simple master password to remember. Each site gets a custom, secure password. Every site I visit gets its own password. Anyone that compromises one password at one site, well that is all they get, one password for one site.


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 203.98.30.10] on October 21, 2008 11:27 PM
Also should be noted that KeePass is available for Windows Mobile devices too - I use it in Windows, Linux and on my Palm 750v with the same data files.


For generating good passwords, the simple way is this:

Posted by: Anonymous [ip: 67.239.18.204] on October 22, 2008 12:52 PM
#!/bin/sh
# 18 random bytes become 24 base64 characters; the sed swaps '/' and '+' so the result is alphanumeric only
head -c 18 /dev/random | base64 | sed 's/\//Z/g;s/+/z/g;'


Password Safe / Password Gorilla...

Posted by: Anonymous [ip: 74.94.32.174] on October 22, 2008 01:40 PM
Bruce Schneier (arguably the best known cryptographer in the world), created a great product called Password Safe:
http://www.schneier.com/passsafe.html
Only problem with Password Safe is that it is limited to Windows, however Password Gorilla is designed to be compatible with Password Safe and utilizes the same password database file as Password Safe. Password Gorilla's site even states "All credit for the idea and the technology behind Password Gorilla belong to the authors and maintainers of Password Safe.", so that adds some points to Password Gorilla score in my book.


Re: Password Safe / Password Gorilla...

Posted by: Anonymous [ip: 10.69.19.172] on October 23, 2008 10:44 PM
I agree that Password Safe is where it's at and you don't have to give it up to work in a mixed environment. It runs great for me under wine 1.0 and I move the encrypted credential file back and forth between the two all the time.


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 207.236.152.157] on October 22, 2008 06:13 PM
About KeePassX.
- last time I checked, it WAS in Ubuntu repository, but the build version was ages old... better install latest release from website.

- KeePassX is the counterpart of KeePass that runs on Windows. Both of them are able to share the same password file (like a previous poster noted for Password Gorilla / Password Safe).

- Both KeePassX and KeePass can run from USB key without installation (I only tested KeePassX with Ubuntu though...). My password file can come with me wherever I go and I can read it no matter the OS I am currently using... That was the mobility I needed.


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 81.38.32.25] on October 28, 2008 05:22 PM
> Sometimes you'll have two sites with conflicting password requirements, but in my
> experience, a random-looking, 8-character password with a number and a symbol in it works
> for most sites.
Mmm... maybe you don't know but if you are registered in two different websites, but being owned by the same one... he's going to find similarities between
qzywue1)
qxywue1)
that you have submitted to him. And for gmail, yahoo, just keep trying. Am I wrong or right?


Four password lockers that can help you keep your Web logins secure

Posted by: Anonymous [ip: 208.59.115.131] on October 31, 2008 03:36 PM
KeePass was always my favorite password manager, let me recommend using a web based solution like Passpack.com because it is similarly secure, yet can be accessed easily online.

