Adventures in Password Management

In my last post I mentioned the Heartbleed bug that affected much of the web’s traffic. Over the past week I’ve been busy changing my passwords for my various accounts scattered across the web.

First observation: I have a LOT of online accounts. While I’m usually good at remembering if I have an account with a site once on that site, I’m not so good at sitting down and remembering every single site I have. Compound this with my being online for well over ten years, inactive accounts, old accounts that are registered to an inactive email, and this problem quickly becomes a big one.

Second: Password security practices highly recommend using a unique password for each site, one that can’t be easily guessed. I don’t know about you, but I’m terrible at coming up with a unique password for the many sites I use on a regular basis. Off the top of my head I can think of Gmail (x4), NaNoWriMo, Twitter, this site, Wikiwrimo, my webhost, Github, Reddit, Grooveshark, Pandora, Last.fm, Faceburger (okay, this is more like rarely), my banks, my student loan site, my various utilities sites, Amazon, Goodreads, Steepster, … And that’s just scratching the surface. I definitely used the same password on some of those sites because I can’t remember that many passwords. A few folks I know have some success with the xkcd password style, and I’ve used that style a few times, but I’ve never managed to use different ones across a large number of sites.

This is a big problem and it’s not going to get any better.

Enter a password manager.

I’ve known about password managers for a long time but never got around to using one. There were several problems with using a password manager, I thought.

* I use multiple computers regularly and need to sync those passwords across multiple accounts.
* I have a smartphone and an iPod touch and need to sync my passwords to those devices.
* I have Linux computers, so any option would need to be usable on a Linux box.
* Ideally this solution would be free of cost as well as open source software.
* Also, I want a pony.

After a little investigating, it turns out that KeePass satisfies all those requirements.

“But wait,” I can hear anyone who clicked that link say. “KeePass looks like it’s just for Windows. What are you on about?”

The original software is just for Windows, but there are contributed packages for just about everything under the sun, including Android and iOS apps and various Linux packages. Perfect. I installed the Arch package, created a database with a long password I can remember, and got to work changing my passwords. Each entry in KeePass is for a separate account, and you can make notes for things like security questions, enter your username, and generate passwords based on almost any parameter you desire. KeePass also has an extensive plugin system that can integrate with Firefox and Chrome, generate xkcd-style passwords, and much more.

Once I got into the password changing flow, I saw a lot of notifications on my phone saying account action was required. My (Android) phone detected that I had changed my Gmail password and told me to change it on the phone. This shouldn’t be a problem, I thought. I’ll just go to the Play Store, install KeePassDroid, and… oh. I couldn’t do anything in the Play Store on my phone because my password was wrong/old. Fine. I tried installing the app from the Play Store on my computer. The Play Store said it would install the app shortly… after I updated my password on my phone. Crap.

In the end, I wound up typing my new gibberish-filled password on my phone. That’s not an experience I want to repeat. This allowed me to install KeePassDroid so I could upload my password database online, then download it again. Like KeePass, you have to decrypt the database with your master password. KeePassDroid also lets you copy a password to your clipboard so you can paste it into a password field when you’re visiting a site or app. The password is removed from your clipboard a few minutes later. This worked well for my uses. Oh, and I could delete my online upload of the file so it wouldn’t sit around online permanently.

I haven’t tested KeePass on another computer yet, but it should work similarly with the small wrinkle that Fedora has a package for KeePassX instead of KeePass. So far this method of password management is working well for me. I may change some of my most commonly used passwords to xkcd-style memorable ones just in case I find myself using someone else’s computer. But beyond that, I have to remember only my computer logins, SSH key passphrases, master password, root password, and Dropbox password (for uploading that file). That’s not so bad, and I can probably un-remember some of those.
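The post mentions two kinds of generated password: the "gibberish" kind KeePass produces from whatever character-class parameters you pick, and xkcd-style passphrases built from a wordlist. The example below is added here to show both and, more importantly, how to compare their strength; it is not KeePass's code or anything from the original post. It uses Python's `secrets` module (a CSPRNG, which is what a password generator must use; `random` is not acceptable for this). The tiny wordlist is constructed for the demo and deliberately too small, so that the entropy figures show why the size of the wordlist, not just the number of words, is what makes a passphrase strong. The "require one character from each chosen class" behaviour is this example's own choice and is not a description of KeePass internals.

```python
import math
import secrets
import string

# Character classes a generator lets you toggle. The symbol set is this
# example's choice, not KeePass's default.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")

# Constructed, deliberately tiny wordlist for the demo (16 words = 4 bits/word).
# A real passphrase list has thousands of words: xkcd's estimate assumes
# about 2048 (11 bits/word), Diceware uses 7776 (about 12.9 bits/word).
DEMO_WORDLIST = (
    "correct", "horse", "battery", "staple", "kettle", "orbit", "pencil", "glacier",
    "mango", "violin", "tunnel", "copper", "lantern", "meadow", "saddle", "thistle",
)


def covers_classes(password, classes=ALL_CLASSES):
    """True if the password contains at least one character from each class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length=20, classes=ALL_CLASSES):
    """Uniform random password over the union of the chosen classes.

    Candidates missing a required class are rejected and redrawn. Rejection
    sampling keeps the accepted passwords uniformly distributed over the
    accepted set; the common 'pick one from each class, then shuffle'
    approach does not, and is slightly weaker than it looks.
    """
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if covers_classes(candidate, classes):
            return candidate


def password_entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a uniform password of this length over the chosen alphabet.

    This is an upper bound: the class requirement rejects a few candidates,
    which costs a negligible fraction of a bit at realistic lengths.
    """
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist, words=4, sep="-"):
    """xkcd-style passphrase: `words` uniformly chosen words, with replacement."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(wordlist_size, words=4):
    """Entropy of a passphrase assumes the attacker knows the wordlist,
    so only the number of words and the list size count, not word length."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    print("random 20-char password:", generate_password(20),
          f"({password_entropy_bits(20):.1f} bits)")
    print("4 words from the 16-word demo list:", generate_passphrase(DEMO_WORDLIST),
          f"({passphrase_entropy_bits(len(DEMO_WORDLIST)):.1f} bits, far too weak)")
    print(f"4 words from a 2048-word list: {passphrase_entropy_bits(2048):.1f} bits")
    print(f"4 words from a 7776-word list: {passphrase_entropy_bits(7776):.1f} bits")
    print(f"6 words from a 7776-word list: {passphrase_entropy_bits(7776, 6):.1f} bits")
```

The comparison is the useful part: four words from a 2048-word list is the 44 bits xkcd quotes, four Diceware words is just under 52, and a 20-character mixed password is over 120. Whichever style you choose for the handful of passwords you still type by hand, the strength comes from the generator's randomness and the size of its alphabet or wordlist, not from how clever the result looks, so let the manager generate it.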

Get yourself a password manager. Doesn’t matter which one; just get one. You won’t regret it.
