Security: The Ultimate Linux Password Management Guide Part 2 KeepassX
Posted on Saturday, February 02 @ 01:00:00 CST by maysvill

Linux Computer & Network Security

This is part 2 of "The Ultimate Linux Password Management Guide" and shows how to use KeePassX to manage a collection of complex passwords. Part 1 is available here. Part 1 covers why relatively complex passwords matter, several utilities and methods for creating them, and lists the software reviewed here for managing them.



keepassx

KeePassX is a Qt password manager whose database format is compatible with the Win32 and Pocket PC versions of KeePass. It is aimed at people with extremely high demands on secure personal data management. It has a light interface, is cross-platform and is published under the terms of the GNU General Public License.

KeePassX saves many different types of information (user names, passwords, URLs, attachments and comments) in one single database, which is locked with a master password, a key file, or both. So you only have to remember one master password, or insert the media holding the key file, to unlock the whole database. For better management, user-defined titles and icons can be specified for each entry. Furthermore, entries are sorted into groups, which are customizable as well. The integrated search function can search a single group or the complete database.

KeePassX offers a small utility for secure password generation. The password generator is very customizable, fast and easy to use. Anyone who generates passwords frequently will appreciate this feature.

The complete database is always encrypted with either the AES (Rijndael) or the Twofish algorithm using a 256-bit key. The saved information is therefore well protected, provided the master password is strong and the key file is kept off the machine that holds the database. KeePassX uses a database format that is compatible with KeePass Password Safe, which makes the application even more attractive.

Originally KeePassX was called KeePass/L for Linux, since it was a port of the Windows password manager KeePass Password Safe. After KeePass/L became a cross-platform application the name was no longer appropriate, so on 22 March 2006 it was changed.

Running keepassx

You can launch it from the menu entry or simply run the keepassx binary from a shell. You will be presented with an application window which resembles the image below:


When you first run the program you need to create a new database which will hold all of your passwords. You can create more than one database if needed. Simply select File - New Database (see the image below for an example).

Next, you will need to enter a password that will become the MASTER PASSWORD of the database you create. This must be long, random and used nowhere else, because it is the one password you still have to remember: mix upper- and lowercase letters, digits and special characters, and never reuse a password from another account. IF anyone gets this password and your database, they then have all of your passwords. To lock the database with a password only, enter the password on the first line, confirm it on the next line and then select OK.

For extra security, you can also specify a key file on external media such as a thumb drive or USB disk. The database can then only be opened when that media is present and the key file is supplied. To use a key file, press the Browse button and select the path to the file on the external media. You can initially create the file locally and copy it over to external media later, but doing so leaves your password database vulnerable for as long as the key file sits on the computer's disk next to the database: anyone who copies the disk gets both. I do not recommend creating the key file locally. Always create it on an external thumb drive, and keep a backup of the key file on some other media as well. If the key file is ever lost, you will have no access to your password database, and there is no recovery path.

For the absolute best security, require both a password and a key file to open the database: place a check mark in the box "Use Password AND Key File". An attacker then has to both steal the media and learn the password.

After you have set the authentication method for accessing the password database, save it by selecting File - Save Database.

I chose a location that I could easily back up to external media, such as a thumb drive. However, don't keep your key file and database on the same external media: whoever finds that one drive then holds both factors.
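A worked check for the key-file advice above, added here as an example (it is not code from the article or from KeePassX): it creates a key file from the OS random source with owner-only permissions, refuses to overwrite an existing one, and then tests whether the key file and the database sit on the same filesystem, which is the one placement the article warns against. The only assumption about KeePassX is the article's own statement that the key file is an ordinary file you point the Browse button at; the 64-byte size and every path in the block are choices made here, and the paths in the trailing comment are hypothetical.

```python
"""Create a KeePassX key file on removable media and check that it does not
share a filesystem with the password database.

Added example; this is not code from the article or from the KeePassX
project. It assumes only what the article says: the key file is an
ordinary file that you point KeePassX at with the Browse button. The
example writes 64 bytes from the OS CSPRNG. All paths are hypothetical.
"""
import os
import secrets
import stat
import tempfile


def make_keyfile(path: str, nbytes: int = 64) -> int:
    """Write nbytes of CSPRNG output to path and leave it owner-read-only.

    O_EXCL refuses to overwrite an existing file: losing a key file means
    losing the database, so it must never be clobbered by accident.
    Returns the number of bytes written.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(nbytes))
    os.chmod(path, 0o400)
    return nbytes


def same_filesystem(a: str, b: str) -> bool:
    """True when a and b sit on the same device, i.e. whoever takes that one
    disk or thumb drive gets both files."""
    return os.stat(a).st_dev == os.stat(b).st_dev


def keyfile_problems(db_path: str, key_path: str) -> list:
    """Placement checks worth running before trusting a key file."""
    problems = []
    st = os.stat(key_path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is readable by group or others")
    if st.st_size < 32:
        problems.append("key file is shorter than 32 bytes")
    if same_filesystem(db_path, key_path):
        problems.append("key file and database share a filesystem")
    return problems


def demo() -> dict:
    """Run the checks on a throwaway database and key file in one temp dir.

    Because both land on the same filesystem, the separation check fires;
    with the key file on a thumb drive the problems list would be empty.
    """
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "test-database")   # stands in for the real database
        key = os.path.join(d, "keepassx.key")
        with open(db, "wb") as f:
            f.write(b"placeholder, not a real database")
        size = make_keyfile(key)
        mode = stat.S_IMODE(os.stat(key).st_mode)
        return {"size": size, "mode": mode,
                "problems": keyfile_problems(db, key)}


if __name__ == "__main__":
    print(demo())
    # Real use (hypothetical paths):
    # make_keyfile("/media/usbkey/keepassx.key")
    # print(keyfile_problems("/home/user/keepass-stuff/test-database",
    #                        "/media/usbkey/keepassx.key"))
```

Run keyfile_problems() against your real database and key file after copying the key file to the thumb drive; an empty list is the state the article is asking for.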


If you want to change or verify the type of encryption your database is using, select File - Database Settings, which gives the image below. The two ciphers available are 256-bit AES and 256-bit Twofish. The AES and Twofish links go to Wikipedia, where you can read more about them; either is a sound choice at this key size, and AES is the more widely analysed of the two.

Probably the next thing you will want to do is add a group, since currently none exist. This is done by selecting Edit - Add New Group. You can think of groups as an index or as categories. For instance, you may create three simple groups such as Login, Web Sites and Email. Under Login you would place each of your computer login names and passwords. Under Web Sites you would place the URL of the web site, the username and the password; it is also a good idea to add the email address used to validate the account on that site. Under Email you would place the email username and password and the FQDNs of the POP and SMTP servers. You can have as many groups as you like, as generic (one group for everything) or as specific (many groups) as suits you. If you only have a few passwords to manage, one group may be fine; if you have thousands, you will want many. Groups simply let you filter information easily.

As an example of more specific groups, instead of one Login group holding all of your computer usernames and passwords, you could create separate groups for Windows, Linux, Local, Remote, SSH, FTP and so on.

After selecting Add New Group from the menu, you will be given an application window similar to the one below. I have already entered Web Sites as the group title. After you enter your group title, you can choose from the many icons provided to serve as a visual reference for the group. The icon is optional and not required for the application to work. If you click the > button next to Icon, you will see an image similar to the second one below, showing all of the available icons. Once you have the group name, and an icon if you want one, select the OK button.

After you have created a group, it shows up on the left side of the application window (in the image directly below this paragraph it is hidden by the Edit menu). The group name will simply be whatever you called your first group in the previous step. To add a new entry to the group, select Edit - Add New Entry.

The image below is the Add New Entry screen. Here you fill in the information for this particular entry. I have selected the Web Sites group in the group drop-down menu; if you have created more than one group, you can pick any of them there. This is a handy feature: say we start out with only three groups and later decide to split one of them into several. We can then move the entries around simply by editing each one and changing its group.

On the edit entry screen you can fill in as much or as little as you need. One of my favorite features of this software is here: at the end of the second password line, looking somewhat out of place, is a button that simply says Gen. It stands for "generate password", and it generates very complex passwords. The second feature I like on this screen is the quality meter: as you type or generate a password, it shows an estimate of the password's strength, which is useful for telling how strong the password is.

You can select an icon for this entry, enter a title (the name the entry will be known by), the username, the URL and the password, and then repeat the password on the second line. If you generate the password automatically, you do not need to type it in the first password line. There is also an area for comments or notes, and you can enter a date on which the password expires.

You can also attach files to an entry. That sounds odd, but it is really handy. One way I find it useful is attaching the SSH key file used for remote administration of a computer, so that the key and its passphrase are always kept together. You could also use attachments to store GPG key files or similar. Attachments live inside the encrypted database, so they get the same protection as the passwords.

Below is dummy information I filled in just so you could see what the screen looks like.

Again, one of the best features is the Gen button for generating a strong password. When you select it, there are options for the generated password. These come in handy, for instance, when you need a complex password for a web site that does not allow special characters: simply untick Special Characters and set the length to generate. When you accept a password, it is automatically entered as the password in the Add New Entry screen.

The screen below shows an example password generated with the default selections of Upper Letters, Lower Letters, Numbers and Special Characters, 20 characters in length. The quality meter rated the generated password at 140 bits.
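Added here as an example of what the Gen button and the quality meter are doing (this is not KeePassX's generator or its meter): a generator that draws uniformly from the enabled character classes using the OS CSPRNG, with the option to drop special characters for sites that forbid them, and the entropy calculation length times log2(alphabet size) that any meter starts from. The special-character set is an assumption (the 32 printable ASCII punctuation characters). For the article's 20-character, four-class example this gives 131 bits, a little under the 140 bits the meter reported; the meter's figure depends on how it sizes the character set, and either way 20 uniformly random characters from four classes is far beyond anything brute force can reach.

```python
"""Password generation and a strength estimate, the two things the Gen
button and the quality meter in KeePassX's entry dialog provide.

Added example; not the KeePassX generator. The four classes mirror the
dialog's checkboxes (Upper Letters, Lower Letters, Numbers, Special
Characters); the exact special-character set KeePassX draws from is an
assumption here (the 32 printable ASCII punctuation characters).
"""
import math
import secrets
import string

CLASSES = {
    "upper": string.ascii_uppercase,  # 26
    "lower": string.ascii_lowercase,  # 26
    "digits": string.digits,          # 10
    "special": string.punctuation,    # 32 (assumed; see above)
}


def enabled(upper=True, lower=True, digits=True, special=True) -> list:
    """Names of the classes switched on, in a fixed order."""
    flags = {"upper": upper, "lower": lower, "digits": digits, "special": special}
    return [name for name in CLASSES if flags[name]]


def alphabet(upper=True, lower=True, digits=True, special=True) -> str:
    """Every character the generator may pick from."""
    return "".join(CLASSES[n] for n in enabled(upper, lower, digits, special))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def classes_present(pw: str) -> set:
    """Which of the four classes actually occur in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def generate(length=20, upper=True, lower=True, digits=True, special=True) -> str:
    """Uniformly random password over the enabled classes, drawn from the
    CSPRNG (secrets, never random). Resampled until every enabled class
    actually appears, which is what a site's "must contain a digit" rule
    wants; the cost is a negligible loss of entropy."""
    names = enabled(upper, lower, digits, special)
    if not names:
        raise ValueError("enable at least one character class")
    if length < len(names):
        raise ValueError("length too short to include every enabled class")
    alpha = alphabet(upper, lower, digits, special)
    while True:
        pw = "".join(secrets.choice(alpha) for _ in range(length))
        if classes_present(pw) >= set(names):
            return pw


if __name__ == "__main__":
    # All four classes, 20 characters: 94^20 possibilities.
    print(generate(), round(entropy_bits(20, len(alphabet())), 1))
    # Site that forbids special characters: 62^20 possibilities.
    print(generate(special=False),
          round(entropy_bits(20, len(alphabet(special=False))), 1))
```

Dropping special characters costs about 12 bits at 20 characters; adding two or three characters of length buys it back, which is the trade to make when a site restricts the character set.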


After you have all of the information entered on the Add New Entry screen and select OK, the entry is added to the group in the main application window. You can see an example below.

You can also add groups within groups as shown in the examples below.

In the event that you have many passwords, you can search for passwords by many different types of criteria. You can enter a text string or word in the search for box, search by using regular expressions, tell the search to be Case Sensitive, and search in various fields for the information.

KeePassX can also import and export information. When importing, you can import from a PwManager database file (.pwm) or a KWallet database file. The File - Import From menu is shown below.

The export menu can only export to a plain text file. This is useful, for example, if you want to take a copy of your password database with you but will not be able to use, or have access to, KeePassX. However, be very careful with this method: either encrypt the text file before it is stored anywhere (gpg -c will do) or shred it afterwards (not a simple delete, but repeated overwriting, for instance with the shred tool built into KGpg). Bear in mind that shred's own documentation warns that overwriting in place is not reliable on journaling, log-structured or copy-on-write filesystems, or on media that remap blocks, so treat an exported plain-text file as compromised on every disk it has touched.

HOW SAFE IS YOUR PASSWORD DATABASE

To quickly settle any questions you may have about how secure your passwords are when using keepassx, I took a look at the sample database I created for this tutorial to see whether anything would allow your data to be compromised without knowing the password that opens the database. I am looking at this data from a forensics perspective, which includes looking for ways to defeat the encryption.

After you first run keepassx, a configuration file is created in your home folder. Looking at this file, located at ~/.keepass/config, raises only two concerns. The first is that it saves the path of the last database opened in the LastFile setting (below). Finding this configuration file tells a person that you are using a password management utility and shows which database was opened last. Therefore we need to determine whether there are any issues with the database file itself; if there are not, this issue is pretty much moot.

[code]
LastFile=/home/ewiget/keepass-stuff/test-database
[/code]

The second concern is that the config file's timestamp reveals when the application was last used. Note that the ls -l listing below shows the modification time, not the access time: the application rewrites its config as it runs, so mounting your home partition with noatime hides nothing here (that option only suppresses access-time updates, which ls -lu would show). Note also the 0644 mode: any local user can read the LastFile path. chmod 600 ~/.keepass/config (and chmod 700 ~/.keepass) closes that.

[code]
-rw-r--r-- 1 ewiget hacker 717 2008-02-01 04:06 config
[/code]

Not much of the information from the two concerns above is actually useful to an attacker. Turning to the database, I decided to use the standard tools of a forensic analysis: the strings command, a hex editor, and a look at memory while the application is running.

To validate these results, the master password on the test database was simply test4Password (definitely not a strong password, just something I could remember easily while testing). Using a simple password lets me search for strings that might reveal it with the commands mentioned.

Running Strings

No useful information obtained here:

[code]
~/keepass-stuff $ strings test-database
,We(V
hYnb
P y
K>DW
8&p2PT=
/)~go
ma{}s8
xQ+L
(9(3
[/code]

Using a Hex Editor

There was no useful information here either.

Using cat

No useful information here either. (Catting a binary file to a terminal is a habit to drop, as the garbled prompt at the end of the output shows: the bytes can change the terminal's state. hexdump -C test-database | head, or xxd, shows the same bytes safely.)

[code]
~/keepass-stuff $ cat test-database
٢�e�K�`#�B��Z��K�d�%�a<
��5�����ĩ���h�c#7��,Y��)�l�׉h�t����<�)��▒
B�{Y���5kR�x>7��%��������Ҥ=o�[�9No.�]▒�Yv�������Y���(�hw��<5{VJM�������Z]V�3oW��S��hYnb����[��`(,▒����-S���▒�^�,▒�wW��
�Kl�Kռ.���R���P�-9E��g���@��P y �����|��u��
<�oY�D�e��T߀�쩢
�m��d�;빅���%����Č�����X�����p
P�5"��5t}��|?�c��O▒��u�K>DW�+�e�c�!�y�G�8&p2PT=��Ԥ�ü
6�xѥ6؍��Q�x�-��;-�1��G���
k˳��*%s�j��o�b�W�+VO�HH��&�|B���*�俄�G

���ք�8�R��7�{<~�2�jm+�r��1�j��C�G؎KA�a���w��/���]
G#����D�ġZn�-�▒��▒�J�4ΐN������7�[������Oێ���"���V���*��'�d���/)~go�.�&K�Ҙ�w�]�%S���`�F��fa�����>��=�^���:�ҕ�z�K��ma{}s8��#��
pS���7��VjJ�xQ+L▒)y/��ݰ2��s��S��>g�dU�PS����}����%FK��*���@ym���Ez▒J��Q�L����i
��߮;EΥ��(9(3�����a@�Ӑ6�ڜ�)(�▒*����xȾ�80V�v��S��doM�3���
�ewiget@urfuct ~/keepass-stuff $ �gR�
[/code]
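The checks above, on the config file (the LastFile path and the 0644 mode) and on the database (strings, hex dump), written as reusable functions; added here as an example, not the article's own commands or KeePassX code. All input is constructed: os.urandom output stands in for the encrypted database, a short fake plaintext containing the article's test4Password stands in for what a leak would look like, and the config line is the one the article shows. Alongside the strings(1)-style scan it adds the check a forensic examiner would run first, a per-byte entropy estimate, which separates a properly encrypted database (close to 8 bits per byte) from a plain-text export or a leak.

```python
"""The checks the article runs over the KeePassX config file and database,
as reusable functions: a strings(1)-style scan, an entropy estimate that
separates ciphertext from plaintext, and a look at what the config file
gives away.

Added example; not the article's own commands or KeePassX code. All input
is constructed here: os.urandom output stands in for the encrypted
database, and a short fake plaintext shows what a leak would look like.
The config line format (LastFile=/path) and the 0644 mode come from the
article's listing.
"""
import math
import os
import stat
from collections import Counter


def find_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Ciphertext and random data sit near 8.0; English text,
    source code and most file formats sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.9) -> bool:
    """Crude but effective first triage: a real database should pass; a
    plain-text export or a leaked plaintext will not."""
    return shannon_entropy(data) >= threshold


def check_config(config_text: str, mode: int) -> dict:
    """What the config file tells a local attacker: the last database path,
    and whether other users can read it at all (0644 means they can)."""
    last_file = None
    for line in config_text.splitlines():
        if line.startswith("LastFile="):
            last_file = line.split("=", 1)[1].strip()
    return {
        "last_file": last_file,
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


def demo() -> dict:
    """Run every check on constructed data."""
    ciphertext = os.urandom(16384)  # constructed stand-in for test-database
    leaked = b"\x00\x01header\x00user=ewiget\x00pw=test4Password\x00\xff"
    config = "LastFile=/home/ewiget/keepass-stuff/test-database\n"  # from the article
    return {
        "db_password_hits": [s for s in find_strings(ciphertext) if "test4Password" in s],
        "db_looks_encrypted": looks_encrypted(ciphertext),
        "leak_strings": find_strings(leaked),
        "leak_looks_encrypted": looks_encrypted(leaked),
        "config": check_config(config, 0o644),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

To run the same checks on your own files, pass open(path, "rb").read() to find_strings() and looks_encrypted(), and the config text plus stat.S_IMODE(os.stat(path).st_mode) to check_config(). A database that fails looks_encrypted(), or in which find_strings() turns up a title or username you recognise, is not encrypted as you expect.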

Memory

I am still in the process of analysing the memory snapshot obtained while keepassx was running (this article had a deadline). However, from the quick analysis so far I am fairly confident that there is no useful information here either. I will update this article once the analysis is finished.

SUMMARY

Of all the password management applications I have reviewed, KeePass wins. The Windows KeePass is extensible via a large collection of plugins, and the format has been ported to Windows, Linux, Mac OS X, Pocket PC and other smart devices, Symbian and other J2ME devices, BlackBerry, PalmOS, U3 devices, PE environments and the Portable Apps suite; KeePassX is the GPL Qt port, available as source code, that reads and writes the same database, so one database on a thumb drive travels across a heterogeneous network. You can authenticate with a password, a key file, or both; use it to manage very complex passwords and to generate them; and it is a very fast application that uses very little system memory. I believe KeePass is an excellent application that should be part of everyone's password management routine, and that it can be rolled out for enterprise-level password management.



Note: Ed Wiget, http://www.edwiget.name, has been a Linux/Unix system admin since 1995. He holds many certifications and is currently working on a degree in computer engineering, with an emphasis on computer/network security and forensics.

All content Copyright 2000 - 2008, Maysville Linux Users Group unless otherwise credited.
All Rights Reserved!