2011-03-10

Password Management

Password management is always a pain. We all know that we should be using unique passwords for every site, and that they should be enormously long, unguessable random strings. But even with a memory palace, that's simply not terribly practical. So, just like everyone else I know, I was cheating. I had about a dozen passwords that I used for, well... everything. I kept one particularly weak one for the really junky stuff. Of course I knew this was a bad idea, but I figured "it can never happen to me". Then I watched it happen to Cory Doctorow, and then a friend who shall remain nameless... and finally the great Gawker leak. Now, I couldn't remember if I had an account with Gawker or any of its affiliates or not... but either way, it was clearly time to do something about it.

Back in the day at Afilias, we had a GPG-encrypted password file. The file was encrypted to all the admins' keys, so everyone with access could read it. Editing it was accomplished via a script. Not an ideal solution, but it worked for us. I wanted something a hell of a lot more user-friendly if I was going to be using it more than a dozen times a day. So, I adopted Callpod Keeper. It's a solid solution, except that it wants $30/year to work in a useful way. Basically, I enter site, userid and password for all my password-type stuff into the application on my Mac. Hit save and it encrypts and syncs through the cloud with my (excitingly new) Droid. From there I can copy the password and paste it into the password field in the browser. Problem solved, or at least rendered painless enough that I'm actually following best practices. It worked on my iPhone 3G too, but the lack of easy task-switching on my old 3G and general slow crappiness meant I hardly used the browser side of it anyway.

Those of you who know me know that I'm cheap. Not absurdly cheap, but wasted money bothers me. $30/year rankles. I suspect that Randy Pausch would chide me for squandering my decreasingly free time on something that's not "important" when I could just spend $30/year, but... I can't help but think that the awkwardly named KeePass stuff in conjunction with Dropbox would solve this problem... and cost $0...

Droid: http://www.keepassdroid.com/ at the market
OSX: http://www.keepassx.org/

And sure enough it does. Install both the Droid and the OS X versions of both KeePass and Dropbox. Generate a keyfile and put it somewhere other than your Dropbox directory, with a copy on both the Droid and the Mac. Put your password database in your Dropbox (in a private section). As long as you use a keyfile and keep it fairly much under wraps, even if someone compromises your Dropbox (you're using a proper password for it now, right?), your passwords are still relatively safe.
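As an added check, not part of the original post, here is a small POSIX shell script that verifies the layout just described: the password database sits inside the Dropbox folder, the keyfile sits outside it, and the keyfile is readable only by its owner. The file paths in the usage line are assumptions for illustration; adjust them to wherever you actually keep the database and keyfile.

```shell
#!/bin/sh
# Added example: sanity-check the KeePass + Dropbox layout described above.
# It confirms that the database sits inside the Dropbox folder, that the
# keyfile sits outside it, and that the keyfile is readable only by its owner.
# All paths below are assumptions for illustration, not from the original post.

# Print the canonical (symlink-resolved) path of an existing regular file.
canon_file() {
    ( [ -f "$1" ] || exit 1
      cd "$(dirname "$1")" 2>/dev/null || exit 1
      printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")" )
}

# Print the canonical path of an existing directory.
canon_dir() {
    ( cd "$1" 2>/dev/null || exit 1; pwd -P )
}

# Succeed (0) if canonical path $1 is located under canonical directory $2.
inside_dir() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeed (0) if the file carries no group or world permission bits.
# The mode string is read from ls -l, which works the same on macOS and Linux.
owner_only() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# check_layout DATABASE KEYFILE DROPBOX_DIR
# Returns 0 when every check passes, 1 otherwise; reasons go to stderr.
check_layout() {
    db=$(canon_file "$1")  || { echo "database not found: $1" >&2; return 1; }
    key=$(canon_file "$2") || { echo "keyfile not found: $2" >&2; return 1; }
    box=$(canon_dir "$3")  || { echo "Dropbox dir not found: $3" >&2; return 1; }
    ok=0
    inside_dir "$db" "$box"  || { echo "database is not inside Dropbox: $db" >&2; ok=1; }
    inside_dir "$key" "$box" && { echo "keyfile is inside Dropbox (it syncs with the database): $key" >&2; ok=1; }
    owner_only "$key"        || { echo "keyfile is readable by group/others: $key" >&2; ok=1; }
    return $ok
}

# Usage (assumed paths):
#   sh check_keepass_layout.sh ~/Dropbox/Private/passwords.kdb ~/.keepass/passwords.key ~/Dropbox
if [ "$#" -eq 3 ]; then
    check_layout "$1" "$2" "$3" && echo "layout OK"
fi
```

The point of the keyfile check is that anyone who gets into the Dropbox account gets every file that syncs; a keyfile stored alongside the database gives them both halves of the key, and a keyfile readable by other local accounts leaks the second half on the machine itself.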
