As we use more and more applications online, it becomes more important to be able to stay secure after a data breach at any one of them, last thing we want is to find out one of the sites you subscribe to has had a data breach and uses weak encryption, and a hacker uses that password you’ve reused to gain access to other accounts of yours!
Why Use A Password Generator?
One of the main security recommendations is to use a unique password for every application we have. In my case I’d have to remember over 100 passwords! There are some methods that I’ve seen out there to memorize that many passwords including PasswordCard, but even remembering 100+ combinations of colors/symbols can be difficult. Even when I had rotations of passwords it was hard to remember which sites used which passwords.
Until we move onto something like Public-key authentication (Linux has an option to use this), it is best for us to find a software suite that will assist us in following this very important security guideline.
What Is Keepass?
KeePass is a desktop application (there are mobile versions for Android and iPhone available) that allows you to manage your passwords via a heavily encrypted file. This password can be encrypted using a master password, a keyfile, your Windows account, or any combination of the three. Because your KeePass file is encrypted, you can share it using really simple methods such as storing it on a web server, however I’ve found it best to drop it on something like DropBox or your own cloud using SharePlan or OwnCloud.
Managing passwords is a snap, it also comes with an auto-type feature, where you put your cursor in the box on the website, go to KeePass, and click “Perform Auto-Type”.
Additionally KeePass will generate very long and complex passwords, you can tweak the password generation options depending on your need (some sites limit you to a maximum length, very annoying when you have a more secure password you’d like to use).
You can store a lot of relevant data with your KeePass passwords, don’t ever forget a username again (for those pesky sites that don’t use your e-mail address)!
All of the above applications follow the same general idea: store your passwords on the public cloud. They typically have better integration with browsers to auto-fill form fields (KeePass can get “confused” at times due to form layout, and not fill it out properly). Additionally you don’t run the risk of losing your passwords because you lost your KDBX file, and the sharing of your passwords between your multiple devices is simplified.
Software like LastPass offer local-only decryption, which I find is a requirement before I even consider a cloud offering. However LastPass has had a data breach before that resulted in all master passwords needing to be reset, so it’s hard to gauge how secure the system can be when everything is hinging on your master password that you regularly communicate to LastPass with.
PasswordState is a web based application that provides similar features to the above systems, but for a corporate environment on a private cloud, where password lists may need to be shared or be able to be transferred in the event of a staff member leaving. On top of that you’d want a full audit log of users looking up passwords, and PasswordState provides all of this in a slick interface. This doesn’t seem to have the nice accessibility tools for mobile devices that some of the offerings above have, but the price is cheap (free for up to 5 users, and ~$400USD will cover 10 users for a year, with support being ~$70USD) and for stuff like corporate passwords I strongly recommend private cloud solutions, especially where the sharing of passwords between multiple accounts makes it easier for outsiders to crack into it.