Password Management Software

[Strogian]

Just thought I'd share my morning with you. I spent a few hours researching and trying out different open-source password management software. All of them use the same strategy of having a password-protected database file, encrypted with a key derived from a master password. I only looked at open-source tools because something just feels odd about putting all my passwords into a closed-source tool. Here's what I found:

KeePass Password Safe
http://keepass.info/
This is the one I'll use. It's really nice software. Nothing annoying about it in the first 5 minutes. (All the other three just gave the impression of being crap. ) No install required. In addition to password-protecting the file, this will also let you export a key to a file for a sort of "2-factor authentication." So if someone gets ahold of the master password they still need the key to decrypt the database.

KeePassX - Based off of KeePass, but supports more OS's than windows. I didn't try it.

Bruce Schneier's Password Safe
http://www.schneier.com/passsafe.html
A lot of people like this one because it was made by Bruce Schneier. He's a cryptography expert, so there might be more attention to detail in it. I didn't like it because the installer wasn't tested in a multi-user environment. (i.e. it doesn't put an icon in the All Users profile) Not as many features as KeePass either.

Password Gorilla
http://www.fpx.de/fp/Software/Gorilla/
I really wanted to use this one, because it has the coolest name and logo. But unfortunately, it has the least features of them all. Nothing annoying about it though. No install required. Based off of Bruce Schneier's Password Safe, and supports more OS's than windows. (Kind of a pattern here)

Oubliette
http://sourceforge.net/projects/oubliette/
Not sure if this is being developed anymore. In any event, the install was fine -- it put the icons in All Users like it's supposed to. But it doesn't run well without Admin privileges, because it likes to write to the registry and config files while it's running normally. Didn't like it.

In conclusion, I'd recommend KeePass (or KeePassX if you need portability) over anything else. Nothing else even comes close in terms of features. The only other one I'd consider is Bruce Schneier's, only because the password database might be safer if someone else gets ahold of it. But I'll trust KeePass just because I think it seems more popular, so there will be more eyes looking at the source code. It's overall more professionally done than any of the other ones, too.

[ua549]

I use a proprietary package Embassy Trust Suite by Wave Systems. It uses the Trusted Platform Module in my PC to store access keys. It works with biometric devices. My PC has an in-built fingerprint reader. It is quick and easy to use without the need to remember passwords. It is also used for volume encryption. I even use it to log into Windows. The login screen does not even have a place to enter a password which is an added protection.

[phx]

I use a proprietary package Embassy Trust Suite by Wave Systems. It uses the Trusted Platform Module in my PC to store access keys. It works with biometric devices. My PC has an in-built fingerprint reader. It is quick and easy to use without the need to remember passwords. It is also used for volume encryption. I even use it to log into Windows. The login screen does not even have a place to enter a password which is an added protection.

ı read a review that says , fingerprint readers (consumer type) has a %5 false positive rate , so they are not dependable at all. Whats your experience with them? ty.

[ua549]

My reader is part of a business grade machine. Hopefully it is better than a consumer model. So far I've not had any issues.

My PC is not exposed to other people on a day to day basis. The main reason for my use of encryption and biometrics is because of the sensitive nature of the stored data and the potential loss of the unit while I'm traveling.

I also have a proximity RFID module so that when I walk away from the PC it is automatically disabled.

[alwayshungry4more]

thank you for this post! I just decided that I've had enough of keeping track of all the passwords I have.

[Strogian]

Cool. If it helps, I still like KeePass after about a month of use. I don't use the file-based key anymore though, because I realized that's really only useful for a laptop, where you're concerned that someone might steal the computer without stealing the key.

Only downside is when I got excited and made 64-character passwords on my sites. With some of the less robust websites out there, their "change password" page will accept such a password, but you effectively lock yourself out of the system because the login page does not accept it.