Keeping up with Passwords
With requirements for length and complexity continually increasing, password management programs can help you stay on top
John R. Joyce, Ph.D.
Fig 1: KeePass Password Safe Version 1.11
I'm sure everyone out there has had to attend at least one training session on how to create a secure password. If you're a bit rusty on how to go about it, you might want to check out Sara Granger's succinct tutorial on it.[1] It includes a good summary of the many rules that have been expounded for creating a good password, both the things to do and the things to avoid. You'll find that it also includes an extensive bibliography for those curious enough to read further. Microsoft also provides a useful list of password generation techniques.[2]
Fig 2: KeePass Password Safe Version 1.11 - Password Generator screen
There are many tricks to help you create a secure password, one of the more popular being to substitute numbers for similarly shaped letters, such as the numeral one for the letter 'I' or 'L', the numeral three for the letter 'E', etc., though I suspect that the more sophisticated cracking programs already account for this trick. While you can readily apply your own substitution cipher, this only adds value if no one else knows what it is. Another trick is to concatenate two unrelated words together, ideally then performing some letter substitution, though remember not to include any personal information in it. A fairly strong way of creating a password is to create what is hopefully an easy-to-remember nonsense pass phrase, then use an acronym of the pass phrase as your password. Don't use an actual quote, as that makes it much more likely that an automated system can crack your password.
These techniques can all be helpful when we're dealing with only one discrete password, but how many of us have to remember only one password? After all, if you remember the lecture, to maximize security you should never be using the same password for more than one site or system, and you should change them every 30 to 90 days. Oh, and don't forget that you aren't supposed to write your passwords down anywhere, though I have noticed a trend recognizing the memory issue and just recommending that you keep any written versions in a secure location (and that does NOT include on a Post-It note under your keyboard). So, let's see what the implication of that is. We'll definitely need to have at least one domain or system password. You'll likely need one for each of the laboratory informatics systems you deal with, say somewhere between one and half a dozen for most people, even more for a few of us. Oh, and don't forget all of the support and other Web sites on which you have accounts. Heck, for most people that has to be at least two or three dozen, most likely more.
Fig 3: KeePass Password Safe Version 2.10 Login Screen
Now, a show of hands, which of you have been following the password creation protocol decreed by your IT group and used it to assign a unique password to each of these accounts? No. No. I want the honest answer now! And, if we are going to be honest, I think you'll find that there are very few of us, if any, who conscientiously follow all of the directives that it's been decreed that we should follow. And realistically, even when we have the best of intentions, it is next to impossible to follow them: there is just too much unrelated information to track.
Fig 4: KeePass Version 2.10 About Windows
The tricks that Granger and others describe can help with remembering all of your assorted passwords. But, what we're asked to do frequently just becomes too overwhelming. With the requirements for password length and complexity continually increasing, compounded with increasing frequency of password change requirements, it is no surprise that many people have had to resort to writing their passwords down, frequently leaving them in insecure places, and using the same password in multiple places. The net effect of this is that the more secure IT departments try to make their user authentication system by increasing the complexity of their password policy, the less secure their system actually becomes.
However, all is not lost. Thanks to a little judicious use of technology, even when it is not officially sanctioned by your internal IT group, you can follow just about any kind of password generation policy they specify and can keep a record of both the passwords and their uses without exponentially increasing the risk of having these passwords inadvertently exposed. The best way I've found to do this is with one of the many password management programs currently available. However, when selecting one of these programs, you need to perform your own due diligence to ensure that the one you select can actually do the job and doesn't have flaws in its encryption algorithm, or, even worse, isn't a piece of Trojan horse malware that is actually passing all of your passwords on to a hacker through the network.
Obviously, not everyone out there is qualified to analyze an encryption algorithm, even if you could get your hands on the source code. Fortunately, not everyone has to. You can get a pretty good feel for one of the programs by performing a Web search and seeing what's been posted about it. If there is any question about its reliability, the problem is likely to have been posted somewhere. Depending on your needs and the type of environment you work in, you can choose between multiple commercial and open source programs. In most instances, I think you can readily locate a freeware open source application that will meet your needs.
Fig 5: KeePass Password Safe Version 2.10
While not everyone needs the capability, I highly recommend using one that can be run from a USB or portable hard drive without having to actually install it on the machine you want to use. This makes it much easier to carry your User ID and password lists around with you and is particularly useful when working in environments that restrict the applications you can install on your local computer. You can readily identify an extensive list of applications from a Web search, but you can get a good head start by checking the lists of password manager tools, commercial, shareware and freeware, on the SnapFiles Web site.
One that I've found that appears to do a fairly good job is KeePass, originally written by Dominik Reichl. This is currently available in two different official versions, both of which are currently in active development. Version 1.x (I tested version 1.11), KeePass Classic, runs under all versions of Microsoft Windows from Windows 98 to Windows 7, as well as under Wine on Linux boxes. I have been primarily experimenting with the PortableApps version of this application. The use of the PortableApps platform is not required to run KeePass Classic; it just makes for simpler installation and use.
Version 2.x (I tested version 2.10) consists of a totally new code base incorporating Microsoft's .Net architecture, which is something of a mixed blessing. While the use of the .Net architecture might provide some development gains, the need for the .Net library (v.2.0 or higher) obviously restricts the application's portability as well. If you have a copy of the Mono library (v.2.6 or higher) available, you also can run this version from Linux, Mac OS X and BSD. While this application is not currently available as a PortableApps application, it still can be run from a USB drive: just unzip the distribution library into the directory you want to run it from, and away you go (as long as .Net is already installed). If you wished, you could still configure it to be launched from the PortableApps menu by simply placing its directory immediately under the PortableApps directory.
It is possible to access stored passwords in multiple ways. In many instances, you can simply drag-and-drop the fields from the KeePass window to your target application. You also can right click on the field and select Copy User Name or Copy Password to copy it to the Windows clipboard, then click on the field in the target application and press Ctrl-V to paste it into the field. Depending on the application and various configuration settings, once the appropriate record is selected in KeePass, you can sometimes have it automatically insert the log-in information into the application fields by pressing the Ctrl-Alt-A key sequence. Multiple configuration options are available to reduce the risk of anyone else being able to extract your passwords from KeePass; these include having the application auto-lock after being minimized or after a defined time interval.
While the overall functionality of these two versions of KeePass is similar, there are some notable differences. For one, v.2.x provides full Unicode support. While both provide security access by password and/or security certificate, v.2.x also provides authentication via the current Windows user account. Additional features to be found in v.2.x include custom field strings, the ability to import external icons, Group notes, scripting, a trigger system, and a history audit system. There appear to be enough nice features in version 2.x that about the only reason not to switch to it would be concern over whether you would encounter a system without Microsoft .Net installed.
Fig 6: KeePass Version 2.10 Key Creation Screen
Both versions of this application support the use of the Advanced Encryption Standard (AES/Rijndael) for encrypting the password database. Version 1.x also supports the use of the Twofish algorithm, though other algorithms can be added to both versions through the use of plug-ins. Both versions use the SHA-256 hash function to protect your master password. The output of this hash function is used as the key for the database encryption algorithm.
Neither version is an all-inclusive solution for everyone, but this was recognized during the development stage. To overcome this, both versions are designed with a plug-in architecture, very much like the way you can combine add-ons to customize Firefox. This allows you to add features by adding modules that other people have written, or even to write your own. A good assortment of plug-in recommendations to get you started can be found on the Lifehacker.com Web site. Popular plug-ins include those to enhance Firefox and Internet Explorer integration, as well as the import and export of the password database. As a related caveat, keep in mind that you need to carefully research and consider the plug-ins that you install, as these can gain unrestricted access to your password database. This normally shouldn't be a big concern, unless you are already in the habit of installing software of unknown origin on your computer.
In addition to just storing your passwords, KeePass also features a sophisticated password generator. It allows you to set the specifications for the password to generate. These range from its length to whether it contains upper-case and/or lower-case characters, digits, underlines, spaces, 'special' characters (e.g.: !, $, %, &, etc.) and others. It even allows you to specify specific characters to include, as well as allowing you to include your own custom generation algorithm. Using a tool like this to generate your passwords gives a more random password, less subject to many of the techniques used for cracking passwords.
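An added Go example, not KeePass's own generator code, of how a generator with the knobs just described can be built: characters are drawn from the enabled classes plus any extra characters you specify, using the OS cryptographic random source without modulo bias, and at least one character from every enabled class is guaranteed. The class sets (the Special set in particular) and the function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
	"strings"
)

// Character classes the caller can enable; the Special set is an assumed one for this example.
const (
	Upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	Lower   = "abcdefghijklmnopqrstuvwxyz"
	Digits  = "0123456789"
	Special = "!$%&*+-./:;<=>?@^_~"
)

// pick returns a uniform index in [0, n) from the OS CSPRNG. rand.Int is used
// because `randomByte % n` would bias the choice toward the low indices.
func pick(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // a failing CSPRNG is not something to paper over
	}
	return int(v.Int64())
}

// Generate returns a password of the given length drawn from the enabled classes
// plus the extra characters, with at least one character from each enabled class:
// the first len(classes) slots are filled one per class, then the buffer is shuffled.
func Generate(length int, classes []string, extra string) (string, error) {
	pool := strings.Join(classes, "") + extra
	if pool == "" || length < len(classes) {
		return "", errors.New("no characters selected or length too short")
	}
	buf := make([]byte, length)
	for i := range buf {
		src := pool
		if i < len(classes) { // guarantee one character per enabled class
			src = classes[i]
		}
		buf[i] = src[pick(len(src))]
	}
	for i := len(buf) - 1; i > 0; i-- { // Fisher-Yates shuffle hides the fixed slots
		j := pick(i + 1)
		buf[i], buf[j] = buf[j], buf[i]
	}
	return string(buf), nil
}
```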
Fig 7: KeePass Version 2.10 Password Generator Window
In addition to these 'official' versions of KeePass, others have ported it to over a dozen different versions supporting a wide variety of platforms, one of the advantages of its being open source. A partial listing of these includes KeePass for J2ME/mobile phones (KeePassMobile); KeePass for iPhone (iKeePass); KeePass for BlackBerry; KeePass for Linux (KeePassX); and KeePass for Android (KeePassDroid). Do keep in mind, though, that the features ported and the sophistication of the port will vary. Also, for those still not impressed with the KeePass password manager, there are nearly three dozen password manager applications included under the SnapFiles freeware list alone.
Notes:
1: Granger, S. (2002, January 17). The Simplest Security: A Guide To Better Password Practices. Symantec Connect, Security Articles. Retrieved April 24, 2010, from http://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices
2: Strong Passwords. (n.d.). Microsoft Security, Microsoft Online Safety. Retrieved April 24, 2010, from http://www.microsoft.com/protect/fraud/passwords/create.aspx
John Joyce is the LIMS manager for Virginia's State Division of Consolidated Laboratory Services. He may be contacted at editor@ScientificComputing.com.