I'm messy and I know it!
I was asked if I was using any of the available password management solutions today, and it made me realize - again! - how much of a mess I have going on with many of my credentials. I have a wild collection of places that I had my passwords in: I used KeePass some time back to store all my really important stuff in, like bank accounts and credit card info, I use my browser for storing everything less important, and I used my Evernote account as a backup solution for everything that my life didn't depend upon.
I was never too comfortable with having many of my credentials stored in a browser, however, since I think those are the prime target of millions of under-employed young nerds trying to extract my credit card and all other vital info. I never got around to rethinking the whole situation and finding a better solution.
So that question I was faced with today made me realize all that, and I embarked on a journey into the abyss that is my password situation to clean it all up for good. I needed something that works:
a) cross-platform and cross-location - on my Windows and Linux boxes, and ideally also on my Android phone
b) browser-integrated - it should fill out password fields for the zillion web services I use at least semi-automatically
c) secure - well, that one's obvious. I need to be able to store EVERYTHING in there, otherwise there's no point
d) not locked in - meaning I want to be able to import / export data with it, so I'm not stuck with my solution forever
e) free - I'm cheap!
I had used Xmarks before and liked it, but then it somehow slowed my Firefox down to a crawl and annoyed me with steady popups if I wasn't logged in. Don't want that. I heard good things about 1Password, but that's very much not free. I used KeePass before, but it didn't seem to do b) well enough.
I started looking to fix the b) part of KeePass and found a bunch of solutions rather quickly. So here ends the blather and begins the how-to:
How to set up KeePass to take care of all your password needs:
1) Download shit!
2) Get KeePass up and running
- Make a new password file and select a decent password for it.
- It's the one key to rule them all, so choose it wisely.
- Write it on a piece of paper and store it in your mother's desk drawer if need be!
3) Put your file in a central location
- I want to be able to access my data from everywhere, so I better have it somewhere online - I chose one of my FTP servers:
- Refer to http://keepass.info/help/v2/ioconnect.html to do so; you can also use WebDAV or HTTP
- Upload your newly created password file to the storage location of your choice and open-from-URL it from within KeePass.
- KeePass will save changes to your server if you use that file from now on! Oldschool syncing, but does the job.
4) Import your passwords
- KeePass can import data from a lot of apps. Just click File->Import and check your options, or look at http://keepass.info/help/base/importexport.html
- I pulled in browser passwords with the Nirsoft utility downloaded as per section 1:
  - Export generic CSV in that utility
  - Import generic CSV from KeePass - you can reorder the fields accordingly with one important caveat:
    - make the URL the NAME of the entry, so you will get good browser integration!
5) Set up browser integration - (I use Chrome mainly)
- Get the ChromeIPass plugin from https://chrome.google.com/webstore/detail/ompiailgknfdndiefoaoiligalphfdae
- Make sure you read the "how to install" in the Chrome Market link above. It's not trivial but it's worth it in convenience in the long run!
- There is a Firefox plugin here: https://github.com/pfn/passifox/ - I didn't try that yet, so YMMV
- In Chrome, when you have a page with a password, a KeePass icon appears in the URL bar. Don't look for it where all the other extensions are when you're not on a login page - no login, no icon!
- If you did the import right, you should be getting a WINDOWS TRAY POPUP (!!!) when you go to a login page, asking you to grant Chrome access to your KeePass data. Be sure to have it remember that you want to grant access so you won't have to react to the popup again. That popup is a little bit annoying - it disappears way too quickly for my taste, so better be prepared!
6) Hints and Caveats
- For websites, make KeePass entries with a name that has part of the URL in it surrounded by asterisks, like *ebay*
- Try to get ALL your passwords into KeePass ASAP. If you're like me, you will never make the jump and get your password mess cleaned up unless you FORCE yourself to use your new solution ;).
- On sites where KeePass isn't sure which field is the password field, or isn't working in some mysterious way, right-click the password field and you'll get a context menu!
- If the integration worked, you might want to disable the not-so-secure password completion feature of your browser now
Voilà!
You now have a solution that has ALL your passwords from all your browsers in it, and maybe some other things that you were able to import. It will have and keep its data on a server so you don't have to worry about a reinstall as much when you set up a new box. The solution is secure enough to keep all your sensitive data in it, so you have no excuses to have a multitude of "special places" for your stuff.
Writing all this down actually took a lot longer than doing it - so please let me know if it helped you, and spread the link to this article if you found it useful!
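
For the CSV step in section 4 and the naming hint in section 6, here is an added example (not part of the original post or of KeePass) that reorders a browser-password export so the entry name is derived from the URL. The input column names and the sample rows are assumptions, and reducing the URL to scheme plus host for the name is a choice made here.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample export; the column names are assumptions, adjust
# FIELD_MAP to match the header line of your real CSV.
SAMPLE_EXPORT = """URL,User Name,Password
https://www.ebay.com/signin?ru=home,alice,correct-horse
https://www.ebay.com/signin,alice,correct-horse
http://forum.example.org/login.php,bob,hunter2
,carol,orphaned-password
"""
FIELD_MAP = {"url": "URL", "user": "User Name", "password": "Password"}
OUT_FIELDS = ["Title", "User Name", "Password", "URL"]  # KeePass field names

def origin(url):
    """Reduce a login URL to scheme://host (path, query and port dropped)."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname}"

def convert(export_text):
    """Return (rows for import, source line numbers that need manual review)."""
    rows, skipped, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(export_text))
    for rec in reader:
        url = (rec.get(FIELD_MAP["url"]) or "").strip()
        password = rec.get(FIELD_MAP["password"]) or ""
        title = origin(url)
        if title is None or not password:
            skipped.append(reader.line_num)  # no usable URL or empty password
            continue
        user = rec.get(FIELD_MAP["user"]) or ""
        key = (title, user, password)
        if key in seen:  # same site and login saved under two page URLs
            continue
        seen.add(key)
        rows.append({"Title": title, "User Name": user,
                     "Password": password, "URL": url})
    return rows, skipped

def to_csv(rows):
    # The result holds passwords in cleartext: import it, then delete it.
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=OUT_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Both the original export and the converted file are plaintext password lists, so remove them from disk once the KeePass import has been checked.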