In the world of technology, one of the major vulnerabilities of any system, or of the data in it, is the password used to access the information. Password management is a difficult and cumbersome task even for technology experts, let alone home computer users. As someone who works in both areas and has given this a lot of thought over the years, I thought it would be useful to share my experiences with password management and describe my current solution to this pesky problem.
Password management for me has morphed many times over the years and decades in which I have needed to manage different passwords. One of my first solutions, back when I first got an email address in college, involved jotting passwords in the back of a Franklin planner. That evolved into various forms of the sticky note next to the computer, or stuffed into a file if it was a banking password. It also included using the same password for many different accounts, and later putting all passwords into an Excel document, which I eventually encrypted with a password.
None of these solutions were ideal, of course, and as I increased the number of accounts I had and web services I used, my ad hoc solutions quickly became untenable.
I have been using KeePass to manage all of my passwords for a number of years. The reasons I selected this solution over some of the others out there (such as RoboForm, 1Password or LastPass) were:
- KeePass is open source.
- The UI of KeePass is hierarchical, allowing me to organize accounts into folders, and it just felt intuitive to me, after looking at some of the other solutions.
- I started with the RoboForm free trial, but when that expired I just didn’t feel it was worth paying to continue using the solution.
- KeePass doesn’t have great browser integration, but I found that keeping the application open and switching between the app and the browser was not really an issue for me.
- KeePass worked on both Windows and Mac.
- KeePass allows me to export all my passwords, which I can open and print from a spreadsheet. This is a good solution for archiving or creating a hard copy backup of my passwords, for instance to store in a safe deposit box.
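As an added example (not code from the original post or from the KeePass project), here is one way to produce the kind of hard-copy backup described in the last point above directly from a KeePass 2.x XML export instead of going through a spreadsheet. It walks the group hierarchy and emits one line per entry prefixed with its folder path, so the printout mirrors the folder organization discussed above. The script assumes the "KeePass XML (2.x)" export format and its standard string fields (Title, UserName, Password, URL); the sample export embedded in it is constructed for illustration. Keep in mind that the export file is unencrypted: delete it once the printout is in the safe deposit box.

```python
"""Flatten a KeePass 2.x XML export into a printable list.

Hypothetical helper written for this article; it is not part of KeePass.
The export is plaintext, so treat the input file (and the printout) as
secret material: delete the XML once the hard copy exists.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a "KeePass XML (2.x)" export. Real
# exports carry many more elements (UUIDs, timestamps, History); this
# script only reads the parts shown here.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="utf-8"?>
<KeePassFile>
  <Meta><Generator>KeePass</Generator></Meta>
  <Root>
    <Group>
      <Name>Database</Name>
      <Group>
        <Name>Banking</Name>
        <Entry>
          <String><Key>Title</Key><Value>Example Bank</Value></String>
          <String><Key>UserName</Key><Value>alice</Value></String>
          <String><Key>Password</Key><Value ProtectInMemory="True">correct horse battery staple</Value></String>
          <String><Key>URL</Key><Value>https://bank.example</Value></String>
        </Entry>
      </Group>
      <Group>
        <Name>Email</Name>
        <Group>
          <Name>Work</Name>
          <Entry>
            <String><Key>Title</Key><Value>Work Mail</Value></String>
            <String><Key>UserName</Key><Value>alice@work.example</Value></String>
            <String><Key>Password</Key><Value ProtectInMemory="True">p&amp;ss</Value></String>
          </Entry>
        </Group>
      </Group>
    </Group>
  </Root>
</KeePassFile>
"""


def _field(entry, key):
    """Return the value of the <String> whose <Key> matches, or ""."""
    for s in entry.findall("String"):
        if s.findtext("Key") == key:
            return s.findtext("Value") or ""
    return ""


def _walk(group, path, rows):
    """Depth-first walk: entries of this group first, then subgroups.
    findall() only matches direct children, so entries stored under
    <History> (old revisions) are deliberately skipped."""
    here = path + [group.findtext("Name") or ""]
    for entry in group.findall("Entry"):
        rows.append((
            "/".join(here),
            _field(entry, "Title"),
            _field(entry, "UserName"),
            _field(entry, "Password"),
            _field(entry, "URL"),
        ))
    for sub in group.findall("Group"):
        _walk(sub, here, rows)


def flatten(xml_text):
    """Return (group_path, title, username, password, url) tuples for every
    entry in a KeePass 2.x XML export, in storage order."""
    root = ET.fromstring(xml_text)
    top = root.find("Root/Group")
    if root.tag != "KeePassFile" or top is None:
        raise ValueError("not a KeePass 2.x XML export: missing KeePassFile/Root/Group")
    rows = []
    _walk(top, [], rows)
    return rows


def render(rows):
    """Fixed-width text suitable for printing; URL goes on its own line."""
    fmt = "%-24s %-16s %-22s %s"
    lines = [fmt % ("GROUP", "TITLE", "USERNAME", "PASSWORD")]
    for path, title, user, pw, url in rows:
        lines.append(fmt % (path, title, user, pw))
        if url:
            lines.append("    " + url)
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python flatten_export.py export.xml   (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    print(render(flatten(text)))
```

Print the output, then remove both the export file and the generated text; neither is protected by the database password.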
As a consultant who had to manage many different passwords, on the job and at home, organizing passwords into folders just felt logical and well ordered. I liked the fact that I controlled the instance of the application. I also liked that the storage structure of KeePass is simple and easy to understand: a standalone executable with separate, encrypted database files that live in a folder on your computer.
Since KeePass met most of my criteria, I used that solution.
My KeePass goes mobile
I initially put my KeePass database file and the executable onto a (software-based) fingerprint-enabled thumb drive. This gave me two points of security: my KeePass database password, plus the software-based fingerprint lock on the thumb drive. I kept backups of the KeePass database file on another computer, but the thumb drive was my master copy. Of course, this meant I needed a computer for all my password access, which worked on the whole but became a limitation as I started using my smartphone for more tasks. Plus, my software-based fingerprint thumb drive only supported Windows and was becoming overly cumbersome to use.
When I looked for a smartphone-enabled solution for my iPhone, I was pleasantly surprised to find MiniKeePass, another open source tool. I liked how it could hook up to Dropbox, which I had begun using a few months earlier. While Dropbox does present some security concerns in its own right, I decided that the convenience of being able to access my passwords on my phone and iPad outweighed my security concerns with Dropbox and with KeePass. Plus, MiniKeePass has PIN-secured access to the application. I also recommend enabling a Passcode Lock on your phone, enabling Erase Data (after 10 failed attempts), and enabling Auto-Lock.
If you’re comfortable using KeePass, MiniKeePass should be pretty straightforward. First, create a folder in your Dropbox account to store your KeePass database file (kdb or kdbx). I placed mine in a folder called KeePass right at the root of Dropbox.
Then install the Dropbox app on your mobile device. Once you have that, I recommend enabling the password protection option in the Dropbox application (on the iPhone, inside the Dropbox app, select Settings, then Passcode Lock).
Next, install MiniKeePass on your device from the App Store. I also recommend setting up a PIN for this application, with the Delete All Data option enabled. (This only deletes the copy held by the MiniKeePass application on your mobile device, not your KeePass database in Dropbox.) You can also choose other security options in this application.
Now open your Dropbox account, select your kdb or kdbx file, and you’ll get an Unable to view file message like this:
Select the Open In... icon on the bottom right, and you should get a prompt that allows you to select MiniKeePass to open the file, like this:
Once you enter your KeePass database password, you’ll have access to your passwords just as you do with the computer application. Tap on the username or password field and you’ll get a prompt to copy or edit the field, just like in the full desktop application:
You can also create new entries in your KeePass database from your phone, but I rarely use that feature. I still use the desktop application in front of a computer as my primary means of generating new passwords.
My password management solution has come a long way since the early days of using one password for everything or keeping a bunch of sticky notes with passwords in my planner or near my computer. I think this solution gives me a good amount of flexibility without greatly compromising security. Certainly, this solution isn’t bulletproof, but I think it is the best option for balancing ease of use and security.
What option or technique do you use to manage your passwords? Do you find it works for you, and provides you a good level of security for your vital information?