I recently remedied a problem that I was having, which was importing my Chrome bookmarks into Keepass. I figure that this could also help some of the folks on HN, so here is the info:
I really like KeePass and I use it on all of my computers (Ubuntu and MacOSX). It's so awesome that it's available on all three major platforms including Windows. What I'd like to see, though, is iPhone, Android and webapps - all syncing through a remote server (Dropbox, maybe?). That would make this thing absolutely awesome.
There already are versions of KeePass available on Android and iPhone (and Windows phones too, it seems). So I guess the only thing missing at this point is a webapp version.
Did they ever add a way to make it not clear your clipboard after pasting? I know you could delay the clearing but that just resulted in randomly losing stuff from the clipboard while working, even more annoying than the original problem.
Mono and KeePass have been working great for me on Linux; you do have to install a few extra things to get it working on Ubuntu, and xdotool with a higher version than is supplied by 10.10 if you want autofill.
I am seeing buggy behavior on Ubuntu - the File drop down isn't dropping down. It also won't import my version 1 db, telling me that must be done from Windows.
I will probably stick with KeePassX - there isn't anything wrong with it and none of the KeePass version 2 features seem like game changers.
I did a little noodling around and found it's perfectly practical to use even several thousand iterations of a newer hash algorithm (SHA2-256) to produce passwords, rather than a few dozen iterations of an obsolete one. That should address some of the cryptographic concerns. It's also perfectly possible for the script to accept the master password through a JavaScript popup rather than from a text box inserted into the current page. That should address concerns about a "malicious webmaster" type attack.
So some of the most important criticisms of SuperGenPass (which is undeniably very slick and pleasant to use) are at least addressable.
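The iterated SHA-256 scheme described in the comment above, as an added example that is not part of the original thread and is not SuperGenPass's own code. The function names, the 5000-iteration count, the `master:domain` input layout and the character policy are assumptions of this sketch.

```python
import base64
import hashlib

ITERATIONS = 5000  # assumed value for "several thousand iterations"


def _encode(digest: bytes, length: int) -> str:
    # Base64 with '+' and '/' mapped to digits so the result stays alphanumeric.
    text = base64.b64encode(digest, altchars=b"98").decode("ascii")
    return text.rstrip("=")[:length]


def _acceptable(candidate: str) -> bool:
    # Assumed policy: starts lowercase, contains an uppercase letter and a digit.
    return (candidate[0].islower()
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate))


def site_password(master: str, domain: str, length: int = 16,
                  iterations: int = ITERATIONS) -> str:
    """Derive a per-site password from a master password and a domain."""
    if not master:
        raise ValueError("master password must not be empty")
    if not 8 <= length <= 43:  # a SHA-256 digest yields 43 Base64 characters
        raise ValueError("length must be between 8 and 43")
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    # Normalise the domain so "Example.com" and "example.com" agree.
    state = f"{master}:{domain.strip().lower()}".encode("utf-8")
    # Key stretching: each guess at the master password costs this many hashes.
    for _ in range(iterations):
        state = hashlib.sha256(state).digest()
    # Keep hashing until the truncated output satisfies the policy.
    while not _acceptable(_encode(state, length)):
        state = hashlib.sha256(state).digest()
    return _encode(state, length)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(site_password("constructed master phrase", "example.com"))
```

Because the master password is passed in as an argument, the derivation never depends on a text box inside the visited page, which is the separation the comment asks for.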
SuperGenPass is good if all you care about are website passwords. I also need to save passwords for FTP/SSH/Internal Business Apps. SuperGenPass won't be helpful and I would definitely prefer to use one solution for all my password needs.
Other sysadmins - don't you hate how all your users end up using very simple or duplicate passwords on everything, causing you eventual security problems?
If so, why isn't this, or something like it, preinstalled on all the client computers you have?
Because most users wouldn't use it. How do you access your passwords on a computer that doesn't have Keepass installed? I think only LastPass has a way of doing this. And sysadmins don't like trusting 3rd party services.
> How do you access your passwords on a computer that doesn't have Keepass installed?
- By keeping the pw database in a Dropbox folder, along with a standalone version of keepass itself. No need to ever install.
- By using a phone version of keepass to access the Dropbox pw database, thus always ensuring access to passwords.
- In emergency situations, by downloading the above-mentioned db and software through the dropbox website, ready to use on any machine.
(all of the above are made more difficult by the switch of 2.x series to .Net, a switch without a good reason, too, so caveat emptor etc. Keepass once looked like a great project but this dichotomy is a disaster.)
Well if you're that worried about Dropbox going away and needing access to your passwords in between the point it shuts down and you noticing and setting up a replacement, use webdav with your own server, or hack up an rsync/cron-based concoction that will do roughly what Dropbox does in this context. There are hundreds of ways to synchronize a file across computers, it's just that Dropbox is by far the most convenient at this point in time.
I agree that this is probably a bit too complicated for normal users.
My personal problem with lastpass is that by default your passwords are recoverable which means that by default lastpass or someone with access to their system has access to your passwords (you can disable this and read the source to their obfuscated javascript app for chrome to make sure that it is really doing what they say, encrypting locally then sending).[1]
Keepass at least is opensource and it works well when you use dropbox so long as you aren't accessing it on many different computers on a daily/weekly basis, then it just becomes a pain in the ass.
[1] This may have changed but I don't think they would appeal to many users if it has, and they do have an option to disable it but the obfuscated javascript is what stopped me from looking further.
> How do you access your passwords on a computer that doesn't have Keepass installed?
That's why you preinstall it, or put it everywhere, or use an OS that already has something similar installed (Apple's "keychain" software).
As far as people not using it, that's a social problem that would need to be addressed by company policy. The role of sysadmins in this is providing the tools to allow best practices, and to encourage their adoption.
> That's why you preinstall it, or put it everywhere
That's an unreasonable demand. You can't anticipate which computer you're going to want to check your email on, for example. Now this might be a good idea for just work-related passwords (as they only need to be used on work computers), but the problem there is that for non-web applications, you're probably going to have to copy/paste the password from KeePass.
> use an OS that already has something similar installed
I don't think I actually need to explain this. There are plenty of reasons why using a non-Windows operating system is not an option for many companies.
There's also the issue of installing KeePass itself. I see it has MSI packages available, which I know sysadmins at big companies like. There might be some other technical requirements for the password-storage software itself.
> There's also the issue of installing KeePass itself. I see it has MSI packages available, which I know sysadmins at big companies like. There might be some other technical requirements for the password-storage software itself.
I've been carrying around KeePass on a USB flash drive for about 3 years now and haven't yet encountered a problem running it on random Windows machines. Deploying it is just a matter of copying 4 files to the target machine really.
Firefox has the problem of not supporting corporate management (MSIs and all that jazz). Chrome would be an option for this, though, as it has password sync and Google is adding support for MSIs or whatever the corporate types need.
writeup: http://alanp.ca/blog/2011/01/01/export-google-chrome-passwor... Github: https://github.com/alanpca/chrome2keepass