What the Zuk: KeePass is an essential tool for your online security
What the Zuk is a (very) occasional feature, in which I review software that I have been using for many years, and which is instrumental for my work. These are the first tools I install on every new system, the reliable work-horse applications I turn to for every need. In each installment I will explain what makes this particular program special, and why I find it so vital for my computing experience.
You need a password manager!
If you already use a password manager (such as LastPass), feel free to skip this part. But if you don't currently use one, let me reiterate: you need a password manager.
Saying "safeguarding your identity online is important" is almost like saying "wearing a seat belt is important"; that's quite an understatement to make. There's no lack of incentive: 2010 had some very high-profile security breaches, and it may very well be that your account (or a loved one's account) was impacted.
But theory is one thing, and practice is something different entirely. Using a password manager may feel counter-intuitive: if I know my password by heart, I feel like it's "mine"; it feels private, personal, and "secret". Writing it down somewhere might make it feel like it's not as private.
Also, you can only memorize so many passwords. True, some people use complex algorithms to create a different password for every site, but sadly, most people simply resort to using the same password everywhere. And that's where things become dangerous: since most people also use the same username everywhere, one random security breach on a website you've only used a couple of times may bring down the entire stack of cards. A diligent hacker could go around with your newly-acquired username and password, and log onto all sorts of interesting accounts under your name.
When you use a password manager and generate a unique, random password for every site, a security breach will usually have a minimal impact on your life. But using such a system also means you won't actually know the passwords to many of your accounts: they'll all be filed in your password manager, and not in your head. So you need a really reliable password manager. Which brings me to the next part:
Why KeePass
First and foremost, KeePass is reliable. I've been using it for about three years now, and have yet to experience a single data loss. It just works. I cannot stress how critical this one factor is: losing your KeePass database is akin to losing your entire online presence.
While reliability is key, it's not the only thing KeePass has going for it. Here are several other things I like about it:
Speed
KeePass is very, very fast to use. Searches are instant even with a database containing hundreds of entries (mine contains around 300 individual entries). It opens the database very quickly, even when it's encrypted using a long passphrase, a 256-bit key and 6,000 transformation rounds.
Offline functionality
Ultimately, KeePass is just a small utility with a tiny database. It doesn't require you to be online to use; it still works when your Web connection breaks down, or even on a system that never had such a connection. It's fully portable, requires no installation, and takes up only 3MB. It does not depend on any particular browser.
File synchronization (for Dropbox)
I use KeePass both on my desktop computer and on my laptop. It sometimes happens I make a change to the database (modify a password, add a new account) using the laptop, while KeePass is still running with the database open on the desktop.
Rather than freak out or overwrite the change, the desktop instance of KeePass detects that the database has been modified while it was open, and offers to synchronize it for me. A single click syncs the database, and any changes I made using the laptop now appear on the desktop database.
Of course, sync isn't required if you always make sure to close the desktop copy before modifying it using the laptop, but still – it's a very nice touch, and makes KeePass feel that much more solid.
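To make the merge-instead-of-overwrite behaviour concrete, here is an added toy model in Python (my own illustration, not KeePass's code or file format): the desktop instance fingerprints the database it loaded, notices the file on disk has changed, and merges the two copies entry by entry, with the newer modification winning and the displaced version landing in that entry's history (the same history the History tab exposes).

```python
import copy
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Toy model (added illustration, not KeePass code): two copies of a database are
# merged entry by entry, the most recently modified version of each entry wins,
# and the version that lost is kept in that entry's history, never overwritten.
@dataclass
class Entry:
    title: str
    username: str
    password: str
    modified: int                                # last change, Unix seconds
    history: list = field(default_factory=list)  # older versions, oldest first

def fingerprint(db):
    """Hash of a database's content. An open instance keeps the fingerprint it
    loaded and re-hashes the file on disk to notice that something else changed it."""
    blob = json.dumps({k: asdict(e) for k, e in db.items()}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

def snapshot(e):
    """The entry's current values, without its own history."""
    return Entry(e.title, e.username, e.password, e.modified)

def merge_history(a, b):
    """Union of two history lists, ordered by time, duplicates dropped."""
    seen = {(s.modified, s.password): s for s in a + b}
    return [seen[k] for k in sorted(seen)]

def synchronize(local, remote):
    """Return a merged copy; neither input is modified."""
    merged = copy.deepcopy(local)
    for key, theirs in remote.items():
        mine = merged.get(key)
        if mine is None:                         # only on the other side: take it
            merged[key] = copy.deepcopy(theirs)
            continue
        if theirs.modified > mine.modified:      # the other side is newer
            winner, loser = copy.deepcopy(theirs), mine
        elif theirs.modified < mine.modified:    # this side is newer
            winner, loser = mine, theirs
        else:
            continue                             # same timestamp: keep the local copy
        older = copy.deepcopy(loser.history) + [snapshot(loser)]
        winner.history = merge_history(winner.history, older)
        merged[key] = winner
    return merged

if __name__ == "__main__":
    # Constructed scenario: the desktop opened the file, then the laptop changed
    # one password, added an account, and Dropbox copied the new file back.
    desktop = {"mail": Entry("Mail", "alice", "old-pw", 1000)}
    opened_fp = fingerprint(desktop)
    on_disk = {"mail": Entry("Mail", "alice", "new-pw", 2000),
               "bank": Entry("Bank", "alice", "bank-pw", 2100)}
    if fingerprint(on_disk) != opened_fp:        # changed while open: offer a sync
        desktop = synchronize(desktop, on_disk)
    print(desktop["mail"].password, [h.password for h in desktop["mail"].history])
```

The merge is symmetric: syncing the laptop copy against the desktop copy yields the same result, which is what lets either side be the one that notices the change.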
Android client (and more)
Using KeePassDroid and Dropbox for Android, I can access my KeePass database while I'm on the go. Typing my master passphrase on an Android device is a tedious affair, but still, it's nice to be able to open the database from anywhere.
There are also versions for PocketPC, Windows Phone 7, iPhone, J2ME phones, BlackBerry, PalmOS (!), Linux and OS X. In short, you can get KeePass to run just about anywhere you need it to.
Password generator
When creating a new user account, it's not always easy to come up with a random, secure password. KeePass has a built-in password generator, accessible right from the Add Entry dialog (and also from the menu, as a stand-alone dialog). By default, the generator simply creates very long, totally random passwords. But with a bit of tweaking, it can produce pronounceable passwords, or passwords according to any sort of pattern you wish to use. You can specify "a vowel first, then two consonants, then a digit, then a capital letter" and KeePass would generate a large list of passwords conforming to the pattern.
Better yet, you define a pattern and set it as the default for newly generated passwords, so that every new account you add has a pre-filled password with your favorite pattern.
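Here is an added example (my own Python, not KeePass's code) of a pattern-driven generator: it reuses the placeholder letters KeePass's pattern syntax assigns to vowels (v), consonants (c), digits (d) and upper-case letters (u), supports `{n}` repeats and backslash escapes modelled on that syntax (their exact semantics here are an assumption), draws every character from the OS CSPRNG, and reports how many bits of entropy a given pattern actually yields.

```python
import math
import secrets
import string

# Placeholder letter -> alphabet. The v, c, d, u, l, A letters follow KeePass's
# pattern syntax; the generator itself is an added illustration, not KeePass code.
VOWELS = "aeiou"
CONSONANTS = "".join(ch for ch in string.ascii_lowercase if ch not in VOWELS)
CLASSES = {
    "v": VOWELS,                                 # lower-case vowel
    "c": CONSONANTS,                             # lower-case consonant
    "d": string.digits,                          # digit
    "u": string.ascii_uppercase,                 # upper-case letter
    "l": string.ascii_lowercase,                 # lower-case letter
    "A": string.ascii_letters + string.digits,   # mixed-case alphanumeric
}

def expand_pattern(pattern):
    """Turn 'vccdu' or 'vc{2}du' into one alphabet per output character.
    A backslash escapes a literal character; '{n}' repeats the previous item."""
    alphabets = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                           # literal next character
            i += 1
            if i == len(pattern):
                raise ValueError("dangling escape")
            alphabets.append(pattern[i])
        elif ch == "{":                          # repeat count for the previous item
            end = pattern.index("}", i)
            count = int(pattern[i + 1:end])
            if not alphabets or count < 1:
                raise ValueError("bad repeat at position %d" % i)
            alphabets.extend([alphabets[-1]] * (count - 1))
            i = end
        elif ch in CLASSES:
            alphabets.append(CLASSES[ch])
        else:
            raise ValueError("unknown placeholder %r" % ch)
        i += 1
    return alphabets

def generate(pattern):
    """Draw one password matching the pattern, using the OS CSPRNG."""
    return "".join(secrets.choice(a) for a in expand_pattern(pattern))

def entropy_bits(pattern):
    """log2 of the number of distinct strings the pattern can produce, i.e.
    the strength of a password drawn uniformly from it."""
    return sum(math.log2(len(a)) for a in expand_pattern(pattern))

if __name__ == "__main__":
    for p in ("vccdu", "vccdu\\-A{16}", "A{20}"):
        print("%-14s %-24s %6.1f bits" % (p, generate(p), entropy_bits(p)))
```

The five-character "vowel, two consonants, digit, capital" pattern from the text comes out at about 19 bits, which is the caveat worth knowing: a memorable pattern works as a readable prefix on a long random tail, not as the whole password.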
The history feature
Back in July, I published a rant lamenting the lack of a read-only mode for KeePass 2.x. Reader Ariel Horwitz then taught me something new in the comments: KeePass has a history feature. Every time I modify an existing password, the old password is automatically saved, along with the date and time of the change, under the History tab for that entry. That's an incredible feature, because it means even if you modify the database mistakenly, save it and close it, you would still have access to your previous password. A beautiful feature, really.
Auto-type
KeePass has several auto-type interfaces; personally, I use the following sequence:
- Access the website I need, and make sure the Username textbox has keyboard focus (i.e., is waiting for text).
- Bring up the KeePass window using the global hotkey (Ctrl+Alt+K by default).
- The Search box is now active. I just type any part of the title or username for the site I need, and hit ENTER. The list is then populated with only the relevant entries (usually just one).
- I hit Ctrl+V
- KeePass now reactivates the most recently active window (which is the browser), types my username, hits TAB, types the password and hits ENTER. This simple sequence is enough to log me in to just about any website or online service.
KeePass also has a more advanced auto-type feature which matches the window title to a database entry, so that you don't even have to bring up the KeePass window: you just hit a global hotkey, and your username/password pair for this particular website is automatically typed. That's a tad too automated for me, but the option is there if you like that level of sophistication.
Customizable columns
By default, KeePass shows the entry title, and a bunch of asterisks for the password (and maybe the username too, I can't recall). Luckily, this can be easily changed. My KeePass shows the title, the username (not as asterisks) and the last modification date for each entry.
This way, I can see at a glance what new user accounts I opened in the past few days, or find the oldest passwords in my database (dating back to 2007, but mostly for services I no longer use).
There are a ton of other columns you can toggle, including the URL, notes, creation time, expiry time (you can have passwords expire) – it's infinitely customizable.
Open-source
KeePass is an open-source project. As such, I can be assured that smart and supremely paranoid geeks reviewed the code for possible flaws and vulnerabilities. That doesn't mean they found every possible bug, but it's a heck of a lot better than a closed-source product requiring me to trust a company with vested commercial interests and PR managers who may be afraid to expose security holes.
While we're on the subject, this would be a good time to mention KeePass 2.14 was just released, with a whole bunch of new features. The KeePass developer base is certainly active.
Bottom line
This was not a comprehensive overview of KeePass; these are just a few of my favorite features. Use the comments to let me know what your favorite KeePass features are.
Also, KeePass is not the only good password manager in existence. It's just a very, very good one. As I said at the outset – if you're already using a password manager, carry on. But if you or your loved ones are not yet sold on the concept of letting your computer remember your passwords for you – this is one New Year's resolution you won't regret.
Comments (23)
paul34, Jan 2nd 2011 3:02PM
I've used KeePass for several years, following the revisions. It has been an indispensable tool. I really love it.
I use it especially for my financial passwords. They are long, random alphanumeric passwords that I could not tell you from memory. I need to access the database to find out what it is. The password I have for the database is a 14 character long alphanumeric sequence.
Zeus, Jan 2nd 2011 3:53PM
Good to see someone recommending KeePass! I realize LastPass is the industry darling, but I just don't feel comfortable tossing my passwords "into the cloud" and crossing my fingers in hopes no disgruntled employees sell a company laptop to identity thieves, or (god forbid) someone in the company starts bragging about how they, "Can't possibly be hacked."
Another option is Password Safe: http://passwordsafe.sourceforge.net/
It's also open source, and supposed to be just as secure as KeePass. The only reason I use KeePass is because I prefer the interface.
MxxCon, Jan 2nd 2011 8:53PM
@Zeus perfect example of somebody who doesn't actually understand how lastpass works.
let them sell that laptop. there's nothing useful that comes from it. lastpass works exactly the same way as KeePass+dropbox, ie all your passwords are ENCRYPTED LOCALLY. what you upload to them is a cryptographic blob.
lastpass provides all the tools you need to actually verify that they do what they claim they do. you can sniff their ssl encrypted traffic, capture it, manually run the same cryptographic procedures and you'll see that you get exactly the same ssl encrypted traffic.
doryz, Jan 23rd 2011 3:46AM
@Zeus
You can also check SafeWallet:
http://www.sbsh.net/products/windows/safewallet
It supports local sync and not just cloud sync, which makes it more secure.
Cheers
D.
megamike43, Jan 2nd 2011 3:17PM
what about roboform? any good?
fdbryant3, Jan 2nd 2011 9:34PM
@megamike43 Before switching to LastPass I used Roboform for years without a problem. It is one of the very few shareware programs I've paid for and I've never regretted it.
Agent Chieftain, Jan 2nd 2011 4:16PM
Wait, if I want to sync my password database with Dropbox, do I install the portable version of KeePass to a Dropbox directory, or can I install KeePass with the executable?
fdbryant3, Jan 2nd 2011 9:38PM
@Agent Chieftain You place your password database in a folder that Dropbox syncs with and point KeePass to that database. That way when you make changes to the database file, Dropbox detects and changes it.
Kenn.keeper, Jan 2nd 2011 10:53PM
Great software app, a must use item, best of them all and free
Free is Good
Kenn.....
Zeus, Jan 2nd 2011 11:40PM
@MxxCon: Well that's interesting, I didn't know it was encrypted locally.
Still, I feel more comfortable having my file synchronization and encryption handled by two different people.
Dropbox can store my KeePass database, but they can't get into it. Likewise, KeePass can encrypt my passwords, the developer can't access the database, because I'm not uploading it to their servers.
KeePass is open source; LastPass is not. LastPass wants me to upload my database to their servers; KeePass does not. I just feel safer with KeePass.
NyaR, Jan 2nd 2011 11:14PM
I have an awesome cloud-based solution for this: truecrypt container + dropbox + passwords.txt
Stalinstallion, Jan 3rd 2011 3:52AM
@Zeus http://blog.lastpass.com/2010/07/lastpass-gets-green-light-from-security.html LastPass is as safe as it gets
HZed, Jan 3rd 2011 4:53AM
@Zeus
I have the same concerns as you about sending my passwords (even encrypted) to some server that I don't fully trust.
I use a nifty app (iphone app only for now) called passveurd that has been released a couple of weeks ago.
This app does not store anything, not even locally, but instead works by deriving passwords from a passphrase and the domain name you want.
Every time you need to get your password the app simply re-derives it from the same info you used to generate it. There is also a web interface at http://www.2ternet.net/passveurd where you can do the same (as I guess you won't feel comfortable typing your passphrase on a website, you can just download the javascript that derives the password and use it locally if you want, or at least have a look at how the algo works.) This also means that if you don't have your iphone available you'll be able to use the website. You could also use a friend's iphone as nothing specific to the user is really stored in the app.
I'm moving now most of my passwords to this (the ones that I don't use very often and that I'm happy to have extra steps to retrieve.) I hope at some point they provide the same functionality as a firefox add-in or other..
PonTelon, Jan 3rd 2011 1:58AM
I'm currently using Windows, but I also use Mac OS X for my netbook. Any suggestions on an app like this that is on both operating systems?
PonTelon, Jan 3rd 2011 2:02AM
@PonTelon I see that KeePass offers a way to run in Mono...I guess I could do that if I feel like playing in the Terminal...Any native options?
milrtime83, Jan 3rd 2011 10:16AM
@PonTelon Lastpass works just about everywhere.
MxxCon, Jan 3rd 2011 8:14AM
@HZed I don't like that method because you'll get into all sorts of hassle if your website changes its address. Or if that website does redirection to some address/subdomain for login.. what do you generate your password based on: the original main domain or that login domain? Do you generate it with "www." or without? Plus since you don't actually have a record of your passwords, you don't really know/remember what accounts you have and where you need to go to change them after some time. And what if you change your password on some account, how do you do it w/ such an app? I see there's "version", but that means you have to remember what your current version of the password is for each and every website...
While this method has some advantages, there are way too many disadvantages to it.
markedmanner, Jan 3rd 2011 6:48PM
I have been using Keepass in conjunction with Keefox: http://keefox.org/ for easy integration with Firefox. It has worked without a flaw for me and makes using Keepass even more convenient.
Ka, Jan 4th 2011 7:57AM
@MxxCon (I have replied earlier but for some reason my msg never made it to the board).
The app actually stores the list of (domain, version, alphanumeric switch) you used. In the app instead of typing the domain name, you can simply retrieve it from the list (this then automatically populates domain, version and alphanumeric switch) and you just need to type the passphrase.
As for the domain, actually it is not decided by the app but instead you have to type it. You can use whatever you want. For gmail for example I use "gmail" but I could use www.gmail.com or gmail.com (which would give me different passwords, but this domain name is stored in the list so easy to retrieve). I also use for example "Laptop" for my home laptop.
Ka, Jan 4th 2011 7:59AM
@MxxCon (Ka = Hzed.. donno why it changed my name!)