Raymond.CC Blog

KeePass Review: Pros and Cons of this Password Manager

Updated by Raymond - 2 years ago - Computer

Rule number one for passwords is never to reuse them. If your email account gets hacked and all your other online accounts share the same password, they are all compromised together. This is easier said than done, because setting a different and complicated password for each online account risks forgetting them, and then you have to go through the time-wasting process of resetting each one and, once again, setting a new password.

One way to solve this is to use password manager software, where you can set a really long password made of a combination of words & letters, and the best part is that you don’t even have to remember it. All you need to remember is a single master password, and you “rely” on the password manager to log you in to the other sites. That definitely sounds good, but let us think about the real danger of using a password manager. What IF your master password gets stolen? Wouldn’t that be even riskier, because the hacker now has a list of all the sites together with your login information? Today let’s take a look at KeePass, a very popular password manager: it is open source (and free), and there is no backdoor secretly embedded in the software.

KeePass Review
The Pros of KeePass

1. Portability
KeePass comes in two versions, an installer and a portable build. The obvious advantage of the portable version is that you can keep it on a USB flash drive, carry your passwords with you wherever you go, and log in to password-protected websites from any computer.

2. Free and Open Source
KeePass is open source, meaning anyone can download the source code and check that it is truly clean, with no secret backdoor. Open source also means it is free: you don’t need to purchase a license or pay subscription fees.

3. Auto login with TCATO (two channel auto-type obfuscation)
Auto login is very important because it means you never use the physical keyboard to log in in the first place, so there are no keystrokes for a keylogger to capture. The TCATO auto login feature in KeePass is smart enough to confuse a keylogger by using the Windows clipboard to transfer parts of the auto-typed text into the target application. I tested it, and the keylogger only managed to capture keystrokes like [Back][Left][Left][Right][Right]. Unfortunately the TCATO feature is disabled by default and must be enabled manually: edit an Entry, go to the Auto-Type tab and check “Two-channel auto-type obfuscation”.

4. Works on all browsers without plugins
KeePass is a standalone program and works without installing any plugins into the web browser.
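To make the two-channel idea behind TCATO (pro #3 above) concrete, here is an added simulation that is not KeePass’s code and uses a simplified scheme rather than KeePass’s exact algorithm: part of a secret is delivered by simulated keystrokes, part by a simulated clipboard paste, and cursor keys put the pieces back in order. The target field receives the whole secret, while the keystroke-only log, like the one quoted above, contains only fragments and navigation keys; a logger that also reads the clipboard, as con #2 below notes, would still see the pasted pieces.

```python
import random

class TextField:
    """Constructed model of the target input box: a character buffer with a caret."""
    def __init__(self):
        self.buf, self.caret = [], 0
    def type_char(self, ch):
        self.buf.insert(self.caret, ch)
        self.caret += 1
    def left(self):
        self.caret = max(0, self.caret - 1)
    def right(self):
        self.caret = min(len(self.buf), self.caret + 1)
    def value(self):
        return "".join(self.buf)

def chunk(secret, rng, max_len=3):
    """Cut the secret into short pieces of random length (1..max_len)."""
    parts, i = [], 0
    while i < len(secret):
        n = rng.randint(1, max_len)
        parts.append(secret[i:i + n])
        i += n
    return parts

def two_channel_autotype(secret, field, rng):
    """Simplified two-channel delivery (an assumption, not KeePass's algorithm):
    even-numbered pieces go via the clipboard, odd-numbered pieces via keystrokes,
    and Left/Right keys reassemble them. Returns what a keystroke-only logger records."""
    log = []
    parts = chunk(secret, rng)
    for idx in range(0, len(parts), 2):
        pasted = parts[idx]
        typed = parts[idx + 1] if idx + 1 < len(parts) else ""
        # Type the later piece first over the keyboard channel (visible to the logger)...
        for ch in typed:
            field.type_char(ch)
            log.append(ch)
        # ...step back over it, paste the earlier piece at the caret, step forward again.
        for _ in typed:
            field.left()
            log.append("[Left]")
        for ch in pasted:               # clipboard channel: the logger sees only Ctrl+V
            field.type_char(ch)
        log.append("[Ctrl+V]")
        for _ in typed:
            field.right()
            log.append("[Right]")
    return "".join(log)

if __name__ == "__main__":
    field = TextField()
    log = two_channel_autotype("Tr0ub4dor&3", field, random.Random(7))  # constructed secret
    print("field received:", field.value())
    print("keystroke logger saw:", log)
```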

The Cons of KeePass

1. No on-screen keyboard
In my opinion this is probably the most important feature missing from KeePass. When you run KeePass, it prompts you to enter the master password. That most important password CAN be captured by a keylogger, and then all the hacker needs to do is download the KeePass database file, saved as Database.kdb (for v1) or NewDatabase.kdbx (for v2 and above), to obtain all your passwords. Do note that the OSK on-screen keyboard plugin for KeePass v1 uses the Windows on-screen keyboard, which CAN be keylogged. Yes, the Windows On-Screen Keyboard is useless here and doesn’t outsmart keyloggers.

2. Unsecure Windows Clipboard Handling
KeePass is stated to have protection against clipboard monitors, but during testing the keylogger was able to log the clipboard when I double-clicked a field in the password list to copy its value to the Windows clipboard.

3. No online service
KeePass doesn’t come with an online service to sync your passwords or even to look up a password. The password file is always kept locally on your side.

KeePass is great, especially the TCATO technology. However, until KeePass implements an on-screen keyboard for entering the master key, I wouldn’t recommend anyone use it. There is no point in making something easier if it comes with a huge risk.

[ Visit KeePass Official Website ]


41 comments on “KeePass Review: Pros and Cons of this Password Manager”

  1. Grolo says:
    2 years ago

    @Raymond
    What about the new secure desktop option in KeePass?
    Also Neo’s Safekeys could be an option.

    Why use copy-pasting when you could use drag-and-drop?

    Normally you install Dropbox on a fresh Windows installation. You only have to type that password one time.

    Reply
  2. Raymond says:
    2 years ago

    @Grolo: The Windows on-screen keyboard or the plugin is useless because keyloggers are ABLE to capture and log what is typed in there.

    TCATO is for auto-typing passwords and is totally different from clipboard copying and pasting.

    Dropbox login information can be stolen when you type the username and password on a computer that has a keylogger installed.

    TFM does not say anything about these “cons”. Ignorance is what gets you into trouble.

    Reply
  3. Grolo says:
    2 years ago

    1. No on-screen keyboard
    You can easily start a keyboard in Windows or just use a plugin.
    But you don’t need this: there is an option in KeePass for secure desktop.

    2. Unsecure Windows Clipboard Handling
    Use two-channel auto-type

    3. No online service
    dropbox.com

    There are no cons just RTFM.

    Reply
  4. phil says:
    2 years ago

    I like KeePassX (KeePass with an X on the end)
    keepassx.org

    Very similar to KeePass.

    Reply
  5. markedmanner says:
    2 years ago

    Yet another reason to use KeePass over LastPass:
    nakedsecurity.sophos.com/2011/05/05/lastpass-tells-users-to-change-master-password-after-network-traffic-oddity/

    Reply
  6. Crow2011 says:
    2 years ago

    A good way to handle your KeePass everywhere: just put your encrypted KeePass file into your Dropbox folder and use it wherever you like :D….

    Reply
  7. markedmanner says:
    2 years ago

    Thought you may be interested: a new version of KeePass has been released: keepass.info/news/n110410_2.15.html

    And it includes this important feature that will help defeat keyloggers :)

    Added option to show the master key dialog on a secure desktop (similar to Windows’ UAC; almost no keylogger works on a secure desktop; the option is disabled by default for compatibility reasons).

    Reply
  8. Andrew says:
    2 years ago

    Hello, Raymond

    I absolutely disagree with you on the point mentioned in Frank’s (#29). I’ve been testing LastPass, and the most insecure feature of it is that all your passwords are virtually available to LastPass Corp. Also, the client is closed source, so you never know about possible backdoors and spy tools bundled with LP.

    As for syncing, KeePass (v2) CAN sync and even back up databases. Just use triggers -> keepass.info/help/v2/triggers.html

    I have folders for 2 KP versions in my Dropbox folder; v1 is a backup in case the PC I wanna launch KeePass on doesn’t have .NET Framework (weird, yes, but it happens). That said, I’ve configured my KeePass to sync the modified .kdbx file to the KPv2 Dropbox folder, then export the database to a .kdb file and place it in the KPv1 folder. Piece of cake if you read the documentation. KP also makes two local copies on my HDD.

    As for LastPass: as I said, it’s closed source. I would NEVER ever trust my passwords to a closed-source application that can send my passwords to a corporation. This is the biggest risk. Also, one suspicious feature is password analyzing. Maybe it is performed by a piece of JavaScript code, but if not, it is very fishy.

    Browser integration may sound good, but what if I want to store non-internet passwords in LP? Every time I want to enter a password I have to open the browser. Ridiculous! KP is standalone, and that is its advantage here.

    LP’s on-screen keyboard is nice, but it doesn’t outweigh all the cons of this app.

    All in all, IMO KeePass is better when configured properly. Even if someone knows my master password he still needs physical access to my PC to get the .kdb(x) files, or he has to guess my Dropbox password, which is complicated.

    Cheers!

    Reply
  9. Cid says:
    2 years ago

    Raymond,

    I would be really grateful if you could write a review about Lastpass, including the explanation of its encryption system and other main security features.

    The main problem is that people don’t know how it works, and that’s why they avoid LastPass. It’s difficult to find a good article about LastPass that is easy to understand. There are always a lot of questions and arguments about whether it is safe to store your passwords in the cloud.

    So, my personal opinion of what the article should include:
    * Step-by-step explanation of how LastPass works.
    * Using LastPass on public computers (dangers and protection: logging in with LastPass’ bookmarklets, keyloggers, etc.)
    * What users should do first when they start using LastPass to ensure their safety (tips and tricks).
    * Many examples (when it is effective/possible to use brute force, keyloggers, non-SSL websites, etc.)

    Reply
  10. ahsiang says:
    2 years ago

    I use KeePass on my Windows Mobile (yes, the dinosaur OS!) only; however, I do keep a copy of the kdb on my laptop in case I lose the phone.

    Reply
  11. gaixixon says:
    2 years ago

    You can always be safe from any keylogger by entering the 1st part of your password, then “using your mouse to click somewhere else and typing something”, then “clicking the password box to enter the 2nd part of your pass”.
    The keylogger now gets something like my1stANDSOMETHINGNONSENCEmy2ndpass.

    Reply
  12. F3Speech says:
    2 years ago

    After commenting yesterday I saw a subscriber speak about KeeFox, and all I can say is THANK YOU! It’s a really nice, clean replacement for the functionality of LastPass but lets me use KeePass for storage.

    I have also read a lot about how hard it is to get your passwords from LastPass to KeePass; I used the CSV export and general CSV import respectively and had no problems, so don’t let that put anyone off.

    I need to look into the virtual keyboard for KeePass more, but this solution is really coming together.

    Thanks to all that have posted ideas.

    Reply
  13. Frank says:
    2 years ago

    Raymond,

    NO WAY is “no online service” a CON!
    It’s one of the biggest PROs. I don’t trust anyone (call me paranoid), which is why I have never shared a password list with an online service! And I STRONGLY suggest others not to either. No matter who operates it (maybe except myself ;).

    One might put one’s password file on the servers of 3rd parties on the net (I do), but NEVER on the server of the company who made that file (and might be able to read it).

    Yours, Frank

    Reply
  14. Helen says:
    2 years ago

    Hi, what about a review of Sticky Password? They have a free version now too.

    Reply
  15. John Lui says:
    2 years ago

    Hi Raymond,

    Can you review another password manager called Lastpass? It is a server based password manager.

    Thanks.

    Regards
    John Lui

    Reply
  16. Jaikrishna says:
    2 years ago

    Thanks for the review. I’ve been a great fan of LastPass until I bought an Android phone.
    LastPass on Android requires the premium version.

    KeePass has a free Android version, but it has no online service. So I’m very confused and unable to select a password manager.

    Maybe your further reviews will help me a lot.

    Reply
  17. ACDC says:
    2 years ago

    So it’s better to use an online password manager? That’s the thing I don’t like about using LastPass :-)

    Reply
  18. Joe says:
    2 years ago

    Great article Raymond…. I have been using Roboform Pro for Windows for about 6 years now, but their last “upgrade” was a freaking joke.. I don’t get the feeling they even beta tested, they just wanted to hit their users with a $25 upgrade fee, which is fine if you bother to improve the damn product, as it has quite a few bugs such as the bar being hidden sometimes for no reason…. and they don’t appear to be too serious about supporting Ubuntu (unable to add logins there and frequent lockups, just a mess), so I’d like to know which is the better option for cross-platform use with Dropbox or a program’s own online sync function: KeePass, KeePassX, LastPass or some other program… Roboform can kiss my Keep@ss because I won’t be re-upping with them anytime soon…

    Reply
  19. Eduardo says:
    2 years ago

    I’ve been using Sticky Password 4 and I am very happy with it. I’ve also tried Password Depot but I find it more difficult to learn how to use it.

    Reply
  20. luffy says:
    2 years ago

    Can you test Roboform and Lastpass?

    Reply
  21. Vadim says:
    2 years ago

    I use LastPass and love it. I paid $12 per year. Online access if you need to access your vault anywhere.
    Raymond, can you test it? I enjoy your posts and learn little things all the time.
    Thanks!

    Reply
  22. JoMo says:
    2 years ago

    In all password programs I saw: no way to specify the browser (IE/Firefox …) if the website is designed (“optimized”) for only one browser.

    What a pity!

    JoMo

    Reply
  23. Raymond says:
    2 years ago

    @ddthesm: This is a pro to me. What if you urgently need to login to a website but the public computer has disabled USB port and you cannot run KeePass?

    Reply
  24. Bourney says:
    2 years ago

    I write all my passwords down on paper. I also have a combination of numbers held in my head which I add to each password. That way you don’t lose them and no one can use or guess what the real password is.

    Reply
  25. ddthesm says:
    2 years ago

    “3. No online service
    KeePass don’t come with an online service to sync your password or to even check what is your password. The password file is always kept locally on your side.”

    For me, this is a pro?

    Reply
  26. TheRube says:
    2 years ago

    Hello Raymond. This is TheRube from the City of New York, USA.

    I hope you and family are doing well.

    How about using KeyScrambler from qfxsoftware.com/ in conjunction with KeePass to make the keyloggers MORE confused?!?

    KeyScrambler is an excellent product, as it protects one’s various passwords via encryption at the kernel level!

    Thank You,

    TR

    Reply
  27. F3Speech says:
    2 years ago

    I recently looked at KeePass and decided there just wasn’t enough extra to take me away from LastPass with all the ‘easy mode’ inline features it has.

    As you say, an on-screen keyboard would be great; a review of all the best managers will be gratefully received.

    The biggest thing I didn’t like about KeePass was that using the hotkey entered your details blindly into whatever boxes on screen your cursor was in if you pressed it at the wrong time; that could be a disaster when using IRC or IM applications.

    Reply
  28. Raymond says:
    2 years ago

    @jelson: I did mention a VERY important point about the OSK plugin on the article. Hope you did not miss that.

    @all: LastPass review will be next and hopefully there will be a giveaway for it.

    Reply
  29. eric says:
    2 years ago

    Yeah, I’ve been using LastPass. Would like to see how this one tests out.

    Reply
  30. AtOdds says:
    2 years ago

    Ooooh. Didn’t know about the cons. Well, you just ruined my day :)

    Reply
  31. markedmanner says:
    2 years ago

    Need online syncing? (I personally don’t like the idea of storing my passwords on someone’s servers, encrypted or not.) But if someone needs it, they can use Dropbox to achieve this. See here: makeuseof.com/tag/achieve-encrypted-crossplatform-password-syncing-keepass-dropbox/

    Reply
  32. jelson says:
    2 years ago

    Thanks for the review Raymond!

    BTW, there is a plugin for an on-screen keyboard

    keepass.info/plugins.html#osk

    BUT it’s only for ver 1

    Reply
  33. markedmanner says:
    2 years ago

    Worried about keyloggers with KeePass? Use Neo’s SafeKeys to defeat keyloggers: aplin.com.au/

    Want better Firefox integration? Use KeeFox: keefox.org/

    Reply
  34. sharath says:
    2 years ago

    Hey Ray, what is your opinion of LastPass?

    Reply
  35. Dave says:
    2 years ago

    Please include LastPass in your upcoming test.

    Reply
  36. Thamza says:
    2 years ago

    Thanks Raymond. I can’t wait for the next review on this topic. Cheers!

    Reply
  37. Jos Smos says:
    2 years ago

    LastPass all the way for me.

    Reply
  38. Raymond says:
    2 years ago

    Thank you for your comments. I have ongoing testing on a couple of password managers. Stay tuned for more reviews.

    Reply
  39. dave says:
    2 years ago

    Hmmm, I’ve been using this for a little while now. What would you suggest as an alternative?

    Reply
  40. Matias says:
    2 years ago

    Oh, I have been using KeePass for long but didn’t think about the keyloggers. Is there an alternative you recommend?

    Reply
  41. LittleBiG says:
    2 years ago

    I recommend S10 Password Vault instead.

    Reply

(c) 2013 Raymond.CC Blog