KeePass for password management

Posted by Patrice Neff Fri, 30 Sep 2011

I have a simple password policy: every account gets its own password. To manage this I store them in a password manager.

When switching to Windows one of the most painful things was replacing that password manager for which I had used the Mac Keychain. It’s a password storage, secured with either the login or a separate password. It integrates extremely well into the system. Apple even ships pre-installed Subversion clients and SSH agents that store their passwords in the Keychain. And for non-integrated applications, getting a password out is relatively easy using a simple keyboard shortcut. That is topped off with secure notes for credit card information and similar.

Since Windows XP Microsoft now ships a Credential Manager. But when comparing it to the Mac Keychain it fares very poorly. It doesn’t have a flexible way to enter your own passwords, doesn’t have a search, nor an option to manually get access to a password again and — worst of all — no program except the Windows Explorer and VPN software seem to integrate with it. Not even Internet Explorer. So I looked for a good password manager on Windows. I’m still not comfortable with cloud-based password managers such as Passpack or LastPass (which might actually have had a security breach a few months ago).

I ended up with KeePass, an open source software for storing passwords and other sensitive information.

Using it is very simple. When creating a password I enter a title and the username I chose on the site. Then I copy out the password that was automatically generated and paste it into the web site signup form.

For accounts that have some sensitive data in it I set an expiry date, usually one year in the future. When opening KeePass it shows a list with all expired entries so I can go and change those passwords.

When it comes to logging in on that web site again, I use the Auto-Type feature. So I navigate to the web site and press the global hot key (defaulting to Ctrl+Alt+A). This will find the right user name and password and enter it in the currently active window. If I have multiple accounts on a site as often happens for business vs. private accounts, KeePass presents me with a small prompt to ask me for which account I’d like to use. Auto-Type can also be heavily customized to work for web sites that don’t have a typical username and password login form.

On the iPhone I have access to the same password database using MiniKeePass.

So overall I’m pretty happy with KeePass. But there are some web sites where the default Auto-Type doesn’t work well. One culprit is Google. For the initial login they ask for the username and password. Then a few days later — for security reasons — they ask for just the password. But in those cases quickly searching for the password in KeePass and copying it using a keyboard shortcut works well enough.