Rule number one for passwords is do not reuse them. If your email gets hacked, all your other online accounts are compromised with it because they all use the same password. This is easier said than done, because setting a different, complicated password for each online account only risks forgetting them and then having to go through the time-wasting process of resetting each one and setting a new password yet again.
One way to solve this is to use password manager software, where you can set a really long password made up of a combination of words and letters, and the best part is that you don't even have to remember it. All you need to do is remember a single master password and "rely" on the password manager to log you in to the other sites. That definitely sounds good, but let us think about the real danger in using a password manager. What if your master password gets stolen? Wouldn't that be even riskier, because the hacker then has a list of all the sites together with your login information? Today let's take a look at KeePass, a very popular password manager, because it is open source (free) and there is no backdoor secretly embedded in the software.
The Pros of KeePass
1. Portable Version
KeePass comes in two versions, an installer and a portable one. The obvious advantage of the portable version is that you can save it on a USB flash drive, carry your passwords with you wherever you go, and log in to password-protected websites on any computer.
2. Free and Open Source
KeePass is open source, meaning anyone can download the source code and check whether it is truly clean, without a secret backdoor. Open source also means that it is free: you don't need to purchase a license or pay subscription fees.
3. Auto login with TCATO (two channel auto-type obfuscation)
Auto login is very important because it prevents you from using the physical keyboard to log in in the first place, since those keystrokes can be captured and logged by keyloggers. The TCATO auto login feature in KeePass is smart enough to confuse the keylogger by using the Windows clipboard to transfer parts of the auto-typed text into the target application. I've tested it, and the keylogger only managed to capture keystrokes like [Back][Left][Left][Right][Right]. Unfortunately the TCATO feature must be enabled manually because it is disabled by default. You can do so by editing an entry, going to the Auto-Type tab and checking Two-channel auto-type obfuscation.
4. Works on all browsers without plugins
KeePass is a standalone program and works without installing any plugins into the web browser.
The Cons of KeePass
1. No on-screen keyboard
In my opinion this is probably the most important feature missing from KeePass. When you run KeePass, it prompts you to enter the master password. That most important password CAN be captured by a keylogger, and then all the hacker needs to do is download the KeePass database file, saved as Database.kdb (for v1) or NewDatabase.kdbx (for v2 and above), to obtain all your passwords. Do note that the OSK on-screen keyboard plugin for KeePass v1 uses the Windows on-screen keyboard, which CAN be keylogged. Yes, the Windows on-screen keyboard is useless and doesn't outsmart keyloggers.
2. Insecure Windows Clipboard Handling
It is stated that KeePass has protection against clipboard monitors, but during testing the keylogger was able to log the clipboard when I double-clicked a field in the password list to copy its value to the Windows clipboard.
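The two-channel mechanism from the TCATO section above and the clipboard caveat here, as a constructed Python model added to this post (not KeePass's own code; the fixed-size chunking and back-to-front insertion are my simplification of the real algorithm): a simulated text field records what a keystroke hook and a clipboard monitor would each see, and replaying both channels together shows why clipboard logging undoes the protection.

```python
# Constructed model of two-channel auto-type obfuscation (not KeePass's code).
class TargetField:
    """A text box receiving input, plus what each spy channel would observe."""

    def __init__(self):
        self.text, self.cursor = "", 0
        self.key_log = []   # what a keystroke-only logger records
        self.clip_log = []  # what a clipboard monitor records

    def key(self, k):
        self.key_log.append(k if len(k) == 1 else f"[{k}]")
        if k == "Left":
            self.cursor = max(0, self.cursor - 1)
        elif k == "Right":
            self.cursor = min(len(self.text), self.cursor + 1)
        elif len(k) == 1:  # printable character inserted at the cursor
            self.text = self.text[:self.cursor] + k + self.text[self.cursor:]
            self.cursor += 1

    def paste(self, s):
        self.clip_log.append(s)
        self.key("Ctrl+V")  # the keystroke hook sees only the paste shortcut
        self.text = self.text[:self.cursor] + s + self.text[self.cursor:]
        self.cursor += len(s)


def obfuscated_autotype(field, secret, chunk=3):
    """Insert `secret` chunk by chunk, back to front at one cursor position,
    alternating keyboard and clipboard, so neither channel alone has it all."""
    parts = [secret[i:i + chunk] for i in range(0, len(secret), chunk)]
    for i in reversed(range(len(parts))):
        if i % 2:
            field.paste(parts[i])
        else:
            for ch in parts[i]:
                field.key(ch)
        for _ in parts[i]:          # step back to the insertion point
            field.key("Left")
    for _ in secret:                # leave the cursor at the end, as typing would
        field.key("Right")


def reconstruct_from_both_channels(key_log, clip_log):
    """Replay keystrokes and clipboard contents together, as a logger that
    hooks both channels could; the obfuscation gives no protection here."""
    replay, clips = TargetField(), iter(clip_log)
    for k in key_log:
        if k == "[Ctrl+V]":
            replay.paste(next(clips))
        else:
            replay.key(k[1:-1] if len(k) > 1 else k)
    return replay.text


def demo(secret="Tr0ub4dor&3"):  # constructed sample password
    field = TargetField()
    obfuscated_autotype(field, secret)
    return field.text, "".join(field.key_log), "".join(field.clip_log)
```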
3. No online service
KeePass doesn't come with an online service to sync your passwords or even to check what your password is. The password file is always kept locally on your side.
KeePass is great, especially the TCATO technology. However, until KeePass implements an on-screen keyboard for entering the master key, I wouldn't recommend that anyone use it. There is no point in making something easier if it comes with a huge risk.