Heartbleed and Password Safes

After reading about the Heartbleed bug last Monday I felt it was time to stop putting off switching to a password safe. A password safe is a database that generates and stores passwords, letting you look them up when you want to log in somewhere. Using one is a good idea because each password it generates is (or should be) cryptographically strong, which is a must to resist brute force attacks. Best of all, you don’t have to remember them.
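To make the "cryptographically strong" point concrete, here is an added example (my own illustration, not code from the post or from any password safe) of how a safe should generate passwords: it draws every character from the OS CSPRNG via `secrets`, never `random`, and it reports the entropy in bits so you can see how the brute force cost grows with length. The alphabet and the guess rates are assumptions made for the example.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and punctuation (94 printable ASCII
# characters, no space). A real safe lets the user choose the character set.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet` using the
    OS cryptographic RNG (secrets.choice), not the predictable random module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly generated password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected years to recover the password by brute force, assuming the
    attacker must try on average half of the 2**bits keyspace."""
    expected_guesses = 2 ** (bits - 1)
    seconds_per_year = 365.25 * 24 * 3600
    return expected_guesses / guesses_per_second / seconds_per_year


def main() -> None:
    # Constructed guess rates for illustration only: 1e10/s models an offline
    # attack on a leaked, fast unsalted hash; 1e4/s models an online login form.
    for length in (8, 12, 20):
        pw = generate_password(length)
        bits = entropy_bits(length, len(DEFAULT_ALPHABET))
        offline = brute_force_years(bits, 1e10)
        online = brute_force_years(bits, 1e4)
        print(f"{pw!r}: {bits:.1f} bits, ~{offline:.3g} years offline, "
              f"~{online:.3g} years online")


if __name__ == "__main__":
    main()
```

Running it shows why the safe, not the human, should pick the password: an 8-character password from this alphabet is about 52 bits, which falls quickly to an offline attacker if a site stored it with a fast hash, while 20 characters is about 131 bits, far beyond brute force regardless of how the site stored it.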

The choice of passwords for websites is very important because you can’t be sure how each site stores them. Here is a good video from Computerphile that explains, better than I can, why you should care about how a website stores your password. People tend to reuse the same password everywhere, and if you also use your email address as the username, one leaked password can compromise every account tied to that address. The safe helps with this scenario because each password it generates is different, so if one website is hacked or is malicious, your other accounts will still be safe.

Basically, the Heartbleed bug lets an attacker trick a vulnerable server into sending back part of its memory. That memory can contain things like passwords, credit card details and, worst of all, private keys. Here is a list of popular websites and whether they were affected. Now that most of the services I use have been patched, I started to put together a plan for the change to a password safe.

The program I have chosen to store my passwords is KeePass, an open source application that uses strong encryption algorithms. It can seem counterintuitive to use an open source solution to secure information, but I feel that many eyes help identify and fix issues faster than closed source solutions can. You can secure a database with any combination of three methods: a password, a key file, and a Windows user account.

For my password database I have decided on the following:

  • The database itself will be hosted on Dropbox.
  • The database will be locked with a key file and a password.
  • I will carry the KeePass application with me on a USB key/smart phone.
  • The USB key/smart phone will also contain the key file.
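The reason the key file stays on the USB key rather than next to the database on Dropbox is that both factors are mixed into the master key. The following is an added illustration of that composite-key idea, written for this post; it is not KeePass's own code or its KDBX key derivation, and the hashing order, salt size, verifier label and iteration count are all assumptions. What it shows is the scenario the plan defends against: someone who obtains the database file and even the password still cannot derive the key without the key file.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed PBKDF2 work factor for the example (KeePass uses its own KDF settings).
ITERATIONS = 200_000
VERIFIER_LABEL = b"example-db-verifier"  # constructed constant for this example


def generate_key_file() -> bytes:
    """The secret that lives on the USB key / phone: 32 bytes from the OS CSPRNG."""
    return secrets.token_bytes(32)


def composite_key(password: str, key_file: Optional[bytes], salt: bytes,
                  iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte master key from the password and (if present) the key file.
    Each factor is hashed on its own, the hashes are concatenated, and the result
    is stretched with PBKDF2-HMAC-SHA256 under a per-database salt. Leaving out
    the key file changes the input material, so it yields a different key."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def new_database_header(password: str, key_file: Optional[bytes]) -> Dict[str, bytes]:
    """Data stored alongside the encrypted database: the salt plus an HMAC
    verifier so a wrong password or key file is detected up front (constructed
    layout; a real database header carries more than this)."""
    salt = secrets.token_bytes(16)
    key = composite_key(password, key_file, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def can_unlock(header: Dict[str, bytes], password: str, key_file: Optional[bytes]) -> bool:
    """True only when the supplied password AND key file reproduce the verifier.
    compare_digest avoids leaking the verifier through timing differences."""
    key = composite_key(password, key_file, header["salt"])
    expected = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(expected, header["verifier"])


if __name__ == "__main__":
    # Constructed scenario: the header (and database) sit on Dropbox, the key
    # file sits only on the USB key.
    key_file_on_usb = generate_key_file()
    header_on_dropbox = new_database_header("correct master password", key_file_on_usb)
    print("owner with both factors:", can_unlock(header_on_dropbox, "correct master password", key_file_on_usb))
    print("database + password, no key file:", can_unlock(header_on_dropbox, "correct master password", None))
    print("database + key file, wrong password:", can_unlock(header_on_dropbox, "guess", key_file_on_usb))
```

The first line prints True and the other two print False. The flip side, which is the practical caveat of this plan, is that losing the USB key and its key file (without a backup of that file kept somewhere else) locks you out just as thoroughly as it locks out an attacker.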

I will post again when this is all up and running, with a walkthrough detailing the steps I ended up taking.