Cross-platform Password Storage: migrating to KeePass


This is NOT a how-to on password creation or design.

If that is what you’re looking for, then do a search on this site using the keyword “password” and you’ll see quite a few results, including a lot of articles by Jim Hillier and also by the DCT resident security professional, Ken Harthun.

Regardless of how you create passwords, ultimately you’re going to want to store them electronically. That’s what this article is about, and more specifically the freeware cross-platform password manager “KeePass”:

[Images: KeePass 2 icon; KeePass 1.x (“Classic Edition”) icon]

The use of a password manager is particularly critical when you have a lot of passwords. With a password manager, all you have to do is remember one password to gain access to all the others. Of course, all a hacker has to do is break that one password, and he/she will have access to all your passwords (so make that one password strong . . . again, see articles by Jim Hillier and Ken Harthun.)

If you’re like me, you have a gazillion passwords because in addition to email accounts, online banking, credit cards, payment methods like PayPal, and the popularity of “Epayments” for utilities and such, you also register for a lot of forums and web sites.

I have maybe a coupla’ hundred passwords, some seemingly important and some seemingly not so important and some probably obsolete and just clutter. But each is different, and there’s no way I could remember all of them without some kind of password manager/password storage.


“Different” is good because if you have the SAME password for a lot of sites, then when a hacker breaks that one password, they can apply that crack to all the other places you have it. And, indeed, that’s what they do . . . if they crack one of your passwords, they’ll try it on other places . . . and a lot of people in fact HAVE the same password for multiple sites. Bad practice. Again, a password manager makes it easy for you to use different passwords for every site.

Before I go any further, let me mention that I am a security fanatic, suffering from OCD paranoia that I am constantly under attack. Consequently, I see keylogger ghosts and file hackers everywhere, so I take two precautions.

To thwart the keylogger gremlins, I copy my passwords to the clipboard (I am a ‘nix kinda’ guy, but ‘nix has a clipboard just like Windows) and then paste them into the field required. And password managers are ideal for this manipulation. If you type in your password, a keylogger can and will record that event. Better to copy and paste.

I’m so paranoid that I clear my clipboard after each retrieval and use of a password. I don’t want to leave any remnants of passwords hanging around for hackers to harvest.

To thwart hackers who might penetrate my file system, I store the password database files on removable media (a USB stick) which I only insert when I know I’m going to use a password and then remove immediately after I’m done. When I’m online, I feel naked and don’t like to give hackers too much time to penetrate even encrypted files, so I don’t have the USB stick with the password database on it inserted unless I need it.


This can become tedious, and is probably a little overkill on my part, but it satisfies my security character and behavior disorder.

And since I would not have access to my critical sites without the right password, I make an OpenOffice password-protected backup file (CSV converted to spreadsheet format and then deletion of the CSV file) of my password database . . . and store this also on removable media.
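Two points above are worth turning into a quick check: that every site should have a different password, and that the CSV export used for the backup is plaintext and should not linger. The script below is an added example (not part of the original article or of KeePass itself): it reads a CSV export held in memory and reports which entries share a password, naming only the accounts, never the secrets. It assumes the column layout KeePass 1.x uses for CSV export (Account, Login Name, Password, Web Site, Comments); the sample rows are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data in the column layout KeePass 1.x writes when you
# export to CSV (Account, Login Name, Password, Web Site, Comments).
# Every value below is made up for this example.
SAMPLE_EXPORT = (
    '"Account","Login Name","Password","Web Site","Comments"\n'
    '"Bank","bob","correct horse battery staple","https://bank.example",""\n'
    '"Forum A","bobj","hunter2","https://forum-a.example","old account"\n'
    '"Forum B","bob.j","hunter2","https://forum-b.example",""\n'
    '"Email","bob@example.org","tr0ub4dor&3","https://mail.example",""\n'
)


def parse_keepass_csv(text):
    """Parse a KeePass-style CSV export (header row first) into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reused_passwords(rows, password_field="Password", name_field="Account"):
    """Return groups of account names that share one password.

    Passwords are used only as grouping keys and never returned, so the
    result can be printed or logged without exposing any secret.
    """
    by_password = defaultdict(list)
    for row in rows:
        by_password[row[password_field]].append(row[name_field])
    groups = [sorted(names) for names in by_password.values() if len(names) > 1]
    return sorted(groups)


def reuse_report(text):
    """Produce human-readable report lines for a CSV export held in memory.

    The export is read from a string so the plaintext never has to sit on
    disk longer than the export itself; delete (or shred) that file afterwards.
    """
    rows = parse_keepass_csv(text)
    groups = find_reused_passwords(rows)
    if not groups:
        return ["No password is shared between entries."]
    return ["Same password used for: " + ", ".join(g) for g in groups]


if __name__ == "__main__":
    for line in reuse_report(SAMPLE_EXPORT):
        print(line)
```

Read the exported file with `open(path).read()` and pass the text to `reuse_report`; any group it lists is a set of sites that should get fresh, distinct passwords.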

OK, earlier I said I was a ‘nix kinda’ guy. KeePass has versions for both ‘nix and Windows, which is why I favor it. I can run KeePass directly in ‘nix or run the Windows version when I’m in my Windows Guest VM.

In that manipulation, there are issues of shared files in the VM (I use Sun VirtualBox, now Oracle, but that is wayyyy beyond the scope of this article), so visit your VM website or forum if you need tips on this. VirtualBox uses something called “Guest Additions” to share files between the host and the guest. I’m pretty sure any VM has that capability.

Now I migrated my password database to KeePass because I wanted to be able to use a password manager in Ubuntu. I had had an old password manager called “Any Password” which I had downloaded and installed years ago from ZDNet when I was a Windows kinda’ guy . . . I carried it with me when I went to ‘nix and ran it on my Windows Guest VM. ‘Any Password’ will ONLY run in Windows, so I had to fire up my VM any time I wanted to retrieve a password. Talk about tedious . . .

Since I had already built my password database in Any Password, I certainly didn’t want to retype all those passwords into KeePass . . . thus the use of the Import/Export function in KeePass 2.x (AKA “Professional Edition”), which is excellent for a wide variety of formats:


That second screenshot just shows a few of the many password managers KeePass 2.x will import from.

Importation of a password database from another password manager can be problematic if you’re trying to import the password database into KeePassX because the Import function in KeePassX is limited:

Which leads us to the differences between KeePassX (1.x) and KeePass 2.x, and the logical question “Which one should I download?”

Looking at the download page, you might think it’s just a simple progression of versions:

So you might think that KeePass 2.18 is like an upgrade to 1.21, and the logical answer to the question above would be, “Of course you should download the latest version, which would be 2.18.”

Not so fast . . . there’s a lot more to it than that when making a decision on which version of KeePass to use.

First of all, KeePass 2.18 is a COMPLETE rewrite of KeePass 1.21, so much so that the code is substantially different, the database architecture is different . . . and . . . well, suffice it to say the download page is very misleading, and can be very confusing if you scroll down and look at all the choices.

So let me make it easier for you and hopefully clarify what can be extremely confusing on that page.

There are advantages and disadvantages to each, and each is better suited for a certain OS. Either version is just as secure as the other. The differences are NOT in security as much as they are in ease of use on a particular OS and features.

Of course, using the portable version is a whole ‘nother topic, and has advantages and disadvantages of its own. (That’s beyond the scope of this article, and a discussion of that would make this even lengthier than it already is . . . readers who have experience with portable apps can ‘speriment as they please.)

My recommendation for which “non-portable” version to download, if you are going to use it in Windows, is KeePass 2.18 (AKA “Professional Edition”, though it kind of baffles me why the developers named it that . . . it would more appropriately be called “Windows Edition” IMO.)

KeePass 2.18 has a more robust Import/Export capability than KeePass 1.21 (AKA KeePassX, or “Classic Edition” . . . and, yes, this nomenclature further confuses the issue.)

Simple distillation though: Download 2.18 if you’re going to use it on Windows.

BUT, 2.18 on Linux is another story. For it to work on Linux you also have to install an additional program called “Mono”:

In simple terms, Mono will allow Linux to use the .NET framework, which KeePass 2.18 is based on (KeePassX . . . 1.21 . . . does NOT require .NET framework.)

Running Mono on Linux will take up a lot of resources, plus installing Mono can be difficult:

Unless you are an “Uber-Geek”, I wouldn’t recommend messing with Mono . . . and even those who are super-experienced can foul things up with Mono.

So the distillation for Linux: Download and install 1.21, “KeePassX” here further on down that page:

I don’t mean to bash the designers of that page, but the layout is very confusing.

Of course, if you’ve got a Windows Guest VM, as I do, you can have the best of both worlds . . . I have KeePass 2.18 in my VM (which I used to import my ‘Any Password’ database, and then export to 1.21 in Linux via VM file sharing) . . . plus KeePassX (1.21) in my Ubuntu host OS.

So the usefulness of this tip certainly applies to individuals who dual boot both Linux and Windows, AND also applies to individuals with only a dedicated OS on their machine . . . Mac OS X, Linux, or Windows . . . who either wish to migrate to KeePass or just flat out start using a good password manager.

About the Author

Bob Jamieson

Bob got his first computer in 1986. It had a whopping 512KB of RAM (yes, “K”, not “M”), a 20MB (yes, “M”, not “G”) HDD, an 8MHz 8086 processor, and no mouse of course, because it had an early version of command line DOS. For almost 24 years now, Bob has been “into” computers, primarily focused on stability and security, with a particular emphasis now on “safe surfing”. For several years Bob was a moderator on the McAfee forums, but has “retired” as a “McAfee Maniac”. In his working days Bob was a chemist in the environmental arena. A primary hobby outside computers is cooking.
