Passwords are still one of IT's necessary evils. Biometrics and two-factor authentication have augmented passwords and in some cases replaced them entirely, but, for the most part, when it comes to security on a PC, phone or website, it's passwords all the way.
The more passwords you have to remember, the more cumbersome and inconvenient security becomes. I have more than 60 passwords that I have to use on a monthly basis for all the work I do, and I flat-out refuse to use the same passwords for all of them. That means some form of password tracking is needed -- and since I'm not on the same computer all the time, my tracking system needs to be at least somewhat portable and not dependent on a network connection. What to do?
First approach: Encrypted files
More on password protection:
Securing removable drives with BitLocker To Go
Portable USB thumb drive encryption: Software and security policy
Guide to managing passwords in the enterprise
Endpoint management is more than just the desktop
My first approach to portable password management (admittedly a primitive one) was to keep them in an encrypted file. I used a program called fSekrit, a simple Notepad-style application for keeping encrypted (AES/Rijndael, 256-bit key) notes. What made it interesting was that the notes I kept were stored as part of the program itself. Unless you knew the assigned password for that particular instance of the program, it wouldn't open, and the notes wouldn't be readable. Passwords are never stored anywhere in plain text.
The entire program was a mere 50 KB plus the notes themselves, and it ran on just about any edition of Windows I would be likely to use. The best part was, since it was entirely self-contained, all I had to do was throw fSekrit on a thumb drive and take it with me.
It took a month or two for the limitations with this scheme to become clear.
- The way the portable passwords were stored amounted to nothing more than a flat text file. That meant doing anything more sophisticated than simply throwing the passwords into the file was entirely up to me. It quickly became a management nightmare.
- Using this program didn't do much for the whole rigmarole of copying and pasting passwords into their target fields.
- If I wanted to keep multiple copies of the file anywhere, I had to reconcile any differences between them by hand.
In short, what started as a good idea turned into something of a management nightmare. I needed a better way to handle this. I liked the idea of using a thumb drive as a portable password repository, but there was a lot of room for improvement outside that.
Second approach: An actual password-management application
After deciding that a more systematic approach was in order, I looked into standalone password management applications -- programs I could take with me and that were dedicated specifically to securely storing and retrieving portable passwords. I found a whole slew of them, but for a variety of reasons, I settled on KeePass.
KeePass is an actual database, not just a flat-file storage system. It's designed to store not only passwords but also usernames, the websites or locales used for the passwords and free-form note or key/value field pairs that allow extended properties to be assigned to password entries as well. It also has systemwide hotkeys to allow automatic copying and pasting of usernames and passwords, which makes actually using it much less of a hassle.
The database is password-encrypted with some native protection against brute-force cracking. That way, the database and a copy of KeePass can be kept together with little risk to the end user. If I lost the drive that held the database, none of my passwords would be at risk. Without the main password, the database would be useless, which means the only password that I have to memorize is the one to the database itself.
Here are a number of KeePass's other features that caught my attention:
- Among the add-ons available for it are tools to allow certificate-based key providers and login cards, support for one-time passwords and other enterprise-level tools. These add-ons make it easier to integrate KeePass into environments where credentials are already being managed by those tools, and make it useful for multiple end uses in an enterprise.
- It includes measures that make password hijacking much more difficult. When a password is placed on the clipboard, for instance, it's retained there for only a few seconds (the length of time is user-settable). After that, the password's automatically replaced with whatever was previously on the clipboard. Also, the UAC desktop (when supported) can be used for secure input of the master database password.
- It has a strong random password generator, which makes it easy to create passwords according to rules demanded by your IT department.
- The program runs without being formally installed, so it can be used from a USB drive or network share without difficulty.
- The program intelligently reconciles multiple versions of the same database. If you add a password in one copy of the database but not another, the program can figure out which fields need updating if you feed it both database copies.
KeePass has two main product branches: a 1.x version, for retaining backwards compatibility with older versions of Windows; and a 2.x version that runs on .NET. I opted for the 2.x version because it features a greater range of features and add-ons.
Future portable password directions
Because a program like KeePass covers so much territory, it's hard to talk about what would be the next best step for portable password management via a USB key.
One thing that comes to mind is adding another layer of protection by using a self-encrypting drive, such as IronKey or Kingston's DataTraveler line of products. They aren't cheap, but they add a layer of hardware encryption, which makes it difficult to determine what data is stored on the drive.
Another possibility is to use an operating system-level encryption layer such as BitLocker, but that would restrict password use to specific editions of Windows.
I'd love to see the hassle of passwords done away with, but that would require major advances in everything from biometrics to computer design, none of which are on the table yet. For now, I've found a method that gets me most of the way home and that lends itself to being used in multiple environments without too much pain.
This was first published in September 2012