Friday, November 21, 2014

An Offline Password Manager

I'm not a huge fan of the cloud. It's not just for tinfoil hat's sake. I've seen just enough server repositories and companies fail that I hesitate to truly trust them with my data security. I'd rather just back up my own stuff and do all my syncing over my home network. The one exception I've made is with Firefox Sync, where I can sync all my bookmarks, history, and passwords across the various TenFourfoxes and Iceweasels I have. But I've been thinking lately about those passwords and the ways Firefox sells password security short.

It's not just that it's in the cloud (though encrypted). Firefox keeps passwords in plain text on your hard drive unless you secure them with a master password, and if you pick a good password it starts to be inconvenient to enter it every time you start the browser. And if you're going to put up with a little inconvenience, why not just use an offline password manager?

Offline password managers have the inconvenience of a couple more clicks but have the advantage of making you completely responsible for your own passwords. They're stored on an encrypted file on your hard drive and no one else has access. You never have to worry about how LastPass or Firefox Sync are storing your passwords or which institutional entities have the keys to the kingdom.

I'm not completely willing to give up the convenience of Firefox Sync. For the vast majority of my passwords, I don't hugely care about security. They're mostly forum passwords and sites I don't even remember registering with. But for sensitive passwords for banking, Paypal, or anything financial-related, I want to keep those out of Firefox Sync and encrypted on my hard drive. And it just so happens there's a password manager for this that's cross platform and still runs on Tiger PowerPC: it's called KeePassX.

Setup is pretty self-explanatory. You just start a new database and enter your passwords. One cool feature is it rates the quality of your existing password and also features a password generator with many parameters like password length and whether it's pronounceable. From then on, you just copy your password to the clipboard with a click and then paste it into your web page's password entry (Firefox usually auto-enters the username).

Some of you (okay, nearly all of you) might be bothered by the OS X icon. One generous soul, however, contributed their own, much better, icon in this KeePassX forum post. I couldn't get their .icns file to work, but I saved the .png image displayed in the post, used FastIcns to convert it to my own .icns and installed it in the app package (by right-clicking and choosing "Show Package Contents" and then finding and replacing the original .icns image).

Another forum post features an unofficial version of KeePassX with global auto-type: Global Autotype for OS X: at last! This allows you to hit a key combo without having to switch to KeePassX to copy a password. It's a universal binary, but it doesn't launch on Tiger, so I guess it requires Leopard.

One caveat when using KeePassX on Linux: KeePassX erases your password from the clipboard after several seconds, but some clipboard managers (I'm looking at you, Parcellite and Glipper) don't respect this and still keep your super secret password displayed in their menu. Something to be aware of.

Some people report good results syncing their KeePassX database file on Dropbox, but that kind of defeats the purpose of keeping your passwords offline, so it's not for me.

One fun thing about this is going into Firefox's password manager to delete your sensitive passwords and seeing all the crap you registered for in the past. I'm apparently signed up on cracked.com. I have beautiful taste.