KeePass justification

13

2

I personally have about 20 accounts (my personal user id on lots of machines). For shared "system" accounts, there are about 45 per environment; development, test, and production. I have access to 2 of those, so my personal total is somewhere around 115 accounts. Passwords have to be at least 15 characters with some extensive but standard complexity constraints, and have to be changed every 60 days or so (system accounts every year). They also should not be the same for different accounts, but that isn't enforced. Think DoD-type standards. There is no way to remember and keep up with this. It just isn't humanly possible, as far as I'm concerned.

This might be a good justification for a centralized account management system, a la LDAP or Active Directory, but that is a totally different battle.

Currently the solution is an Excel spreadsheet. They use Excel to put a password on it, and then most people make a copy and remove the password. This makes my stomach turn.

I use KeePass for this problem and it manages all of my accounts very well. I like the features like auto-typing, grouping, plugins, password generation, etc. It uses AES-256 encryption via the .NET framework, and while not FIPS compliant, it has a very good reputation.

The only problem is that they don't allow us to use randomly downloaded software. So we have to justify every piece of software on our workstations. I have been told that they really don't want me to use this, because of the "sensitive nature" of storing passwords. Sigh. My justification has to be "VERY VERY strong".

I have been tasked with writing a justification for KeePass, and I would like any input that I can get from the community. What do you recommend? Is there something out there that is better or more respected than KeePass? Are there any security experts saying interesting things on this topic? Anything will help at this point. Thanks.

Jeff Walker

Posted 2010-04-23T20:51:55.797

Reputation: 281

Question was closed 2010-04-24T08:37:42.023

As much as I like this question (though it is a bit subjective and more discussion-y than we aim for), I think it is more appropriate for our sister site for IT pros, Server Fault. Don't crosspost; it will be migrated if necessary.

– quack quixote – 2010-04-23T21:26:34.493

Closed already? I probably agree with quack; I wasn't really clear on the diff between superuser and serverfault. I do disagree a bit with the closure, though. Although a justification of password management is a bit narrow, the discussion of justifying password management is needed in the community. Not enough of this is used and/or discussed. Thanks anyway. – Jeff Walker – 2010-04-24T16:52:22.397

Answers

12

I've been a long time KeePass user, and if I were tasked with justification, I'd probably do the following:

  • Skim the site's FAQ for all of their details about security. Everything I've seen there will practically sell itself.
  • Show the longevity and support for the project, indicating it isn't going to be dropped by the wayside anytime soon.
  • Show off a few features, such as the fact that passwords are displayed encrypted by default (not sure if you're putting a mask in the Excel spreadsheet or not). This alone prevents prying eyes.
  • You can double click the password entry to copy it to the clipboard and have it auto flush out in 10 seconds. This keeps the password out of "plain sight" as much as possible.
  • Demonstrate how the password database itself can be locked down via password, key file, or even Windows Account, which allows you to store the password database in a central location and manage it that way.
  • The password generator helps ensure you are getting non "user friendly" passwords that can be generated in nearly any format you want.

The bottom line is that you get a solid database to store passwords that can be managed and transferred without fear of it getting hacked into. In addition, there are lots of features that make password management simpler, which helps in the big picture.

Hopefully this gives you some ideas to consider. I'm not involved with the program at all, I just love it. I use it at home and at work daily.

Dillie-O

Posted 2010-04-23T20:51:55.797

Reputation: 1 363

I've been a long time user as well. I'd also add that the developer is responsive to bug reports with the application and tries to get them resolved quickly. – Mike Chess – 2010-04-23T22:45:53.713

I would also mention that the European Commission has sponsored bounties for finding security vulnerabilities in KeePass 2.x since 2019 (the EU audited KeePass in 2016). Also, https://keepass.info/ratings.html can help to convince as well.

– xaa – 2019-05-21T15:16:35.110