Last week I suggested a do-it-yourself approach to generating pass phrases. Using an available list of 80,489 4-to-6-character strings of words and word fragments, and randomly selecting five such strings, plus 5 digits, plus one of the 30 or so punctuation marks, that scheme could generate this many possible pass phrase strings:
804895 × 105 × 30 = 10,134,537,017,850,952,546,024,347,000,000
That is very close to 2103:
2103 = 10,141,204,801,825,835,211,973,625,643,008
So, my suggestion provides almost 103 bits worth of security. Of course, people will clamor for 256-bit security. “AES can use a key that large so why not?”
Because to provide “only” 103 bits worth of entropy or security, my suggestion would require you to remember something like the following for every one of your several passwords:
Barbs3+ Clonic2+ Teryl7+ Rictus4+ Vestas0+
You want something more than twice as long for every account? I didn’t think so.
My suggestion was only intended to make you think. Think about what would be involved in creating, and then remembering, a password with the level of security that we believe we need. We need to think carefully about security mechanisms, as we do in Learning Tree’s System and Network Security Introduction course, but then we need to find a practical solution.
Good news: there is a practical solution!
KeePassX is a great tool for password management. It provides strong and portable storage of password and other account information, and includes a utility to create arbitrarily strong passwords. This evolved out of the KeePass project, but you want the latest KeePassX version as it’s the truly cross-platform one.
I must enter the master password when I first start the application. The database is encrypted with AES, using a key based on your master password.
Your master password is the security weak link. It doesn’t matter if you have generated 64-character passwords using the full keyboard set of characters, or if you set up a custom configuration to use Twofish instead of AES. When the attacker gets a copy of your password database, they will only need to guess your master password.
Since you will probably be using KeePassX on a smart phone, the awkwardness of poking at a smart phone keyboard representation limits your ultimate security.
Here is the main screen. I have entered the master password to decrypt the database and gone into Internet → Frequent Traveler. You can organize things however you want. The data doesn’t have to be user names and passwords. I have a folder for things like driver’s license and passport numbers, insurance policy details, and credit/debit cards.
With an account highlighted, Control-C copies the password string. Then I switch to the window where I’m logging in, and Control-V pastes it into place.
Let’s look at the screen for one account, where I am asking KeePassX to generate a password:
By default, when I go back into this record I will see only stars in the password field to protect me from “shoulder-surfing”. But I can click the eye icon to see the content. That lets me use my phone to see how to log in on a computer workstation.
On Linux or OpenBSD this is a simple matter of adding a package with
pkg_add. See Learning Tree’s Linux server administration course or my guide to package management if you need help with package management.
Beware: many Linux distros include multiple versions, possibly
keepass2x, in which case it’s the third of those. Check the documentation! As usual on OpenBSD, the only available package,
keepassx, is the correct one.
On Android, get the Keepass2Android app.
On other operating systems, see the keepassx.org website.
Start by sitting in front of your most comfortable interface (probably not your smartphone!) to populate your database. Plan on taking a while to remember, look up, and enter all those accounts. No, I don’t know any trick for exporting saved passwords from browsers. I don’t think there is a way to do that, and that’s probably good. Once you finally get the database created, make sure the application is installed on your other platforms and then copy the encrypted database file into place.
On Unix-family operating systems, it goes in
On Android it’s somewhere like this:
Now it’s just a matter of copying a newly modified database file to your other platforms after you make a change or addition.
I’ve made it easier for me to copy the file on and off my phone by running an SSH server on it.
Passwords often provide little more than the illusion of security. A tool like KeePassX makes static passwords as safe as they can be.
The remaining problem is that an attacker may somehow observe or capture a password and then re-use it. We need an authentication method that would take something impossible like a time machine to defeat it.
There is such a thing! Check back next week for an example of strong authentication, in which the user proves they have access to a secret without revealing what that secret is.