May 13, 2005

Three open source password managers

Author: Lee A. Spain

Finding it difficult to keep track of all your usernames and passwords on Web sites, forums, and portals? Don't start writing them down on scrap paper -- get help from a password manager application. I found three open source candidates for this task: Password Gorilla, KeePass Password Safe, and Oubliette.

Password Gorilla version 1.1, released under the GNU General Public License (GPL), runs under Windows, Linux, Unix, and Mac OS X. Password Gorilla encrypts user data using the Blowfish algorithm. The application is small enough to fit on a single diskette, and the Tk/Tcl-based executable does not need to be installed, but can "run in place" from a diskette or flash drive.

Password Gorilla displays a tree structure listing the entries for which you are keeping passwords. You can create groups for organizing your entries. When you need a URL, username, or password, you simply select the needed entry from the tree, right-click it, and choose to copy the information you want to the clipboard.

I found only two drawbacks to Password Gorilla. First, Password Gorilla lacks a designated field for entering URLs. Instead, users are directed to enter URLs in the notes field and precede these entries with the tag "URL." This works, but it seems crude. The second drawback is more burdensome. The application does not automatically save changes to your password entry file when you make them or when you exit the application. After entering a new username and password, you must manually save your password file. The application asks if users want to exit instead of prompting to see if they want to save before exiting. During one session, I set up a password group and later exited the program. During my next session, I was surprised not to see my new group. I had forgotten to save it. Despite these minor annoyances, I enjoyed using Password Gorilla.

Like Password Gorilla, KeePass Password Safe version 0.99a does not need to be fully installed to run. KeePass can run on any Windows operating system from Windows 95 onward, including Pocket PC, but it does not run on Linux or Mac OS X. KeePass is OSI-certified open source software distributed under the BSD license. The application encrypts user data using either the Twofish or the Advanced Encryption Standard (AES) algorithm.

You can secure the KeePass database with a master password, a key file (a file containing random key data), or a combination of a master password and key file. For test purposes, I chose to use a combination of both. Selecting a master password is a pretty standard procedure, but generating a key file was interesting. You enter a combination of random mouse inputs and random keyboard inputs until the software has enough bytes of random data to use as a key. Later, when you log into KeePass, you open your password database, enter your password, click "and," and point the software to the drive containing your key file. While more secure, the process of logging into KeePass has a couple more steps than Password Gorilla's.
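To make the three unlock modes concrete, here is an added illustration (not KeePass's own code or file format) of deriving a database key from a master password, a key file, or both; the KDF parameters, the key-file size and the way the two factors are combined are assumptions chosen for the example, and OS randomness stands in for the mouse and keyboard entropy collection.

```python
"""Illustrative composite-key derivation for a password database.

Added example, not KeePass's own implementation: it shows the three
unlock modes (master password only, key file only, or both) and why
binding the two factors together matters. Parameters are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 200_000   # assumption: slows down offline guessing
KEY_FILE_BYTES = 32        # assumption: size of a generated key file


def generate_key_file(path: str) -> bytes:
    """Write KEY_FILE_BYTES of OS randomness to disk and return them.

    Stands in for the interactive entropy collection described in the
    review; here the operating system CSPRNG supplies the random bytes.
    """
    data = os.urandom(KEY_FILE_BYTES)
    with open(path, "wb") as fh:
        fh.write(data)
    return data


def derive_database_key(salt: bytes, password: Optional[str] = None,
                        key_file: Optional[bytes] = None) -> bytes:
    """Derive a 32-byte database key from either factor or both.

    - password only: PBKDF2-HMAC-SHA256 stretches the (guessable) password.
    - key file only: the file is hashed directly; it already holds
      full-strength random bytes, so no stretching is needed.
    - both: each factor is reduced separately, then bound together with
      HMAC, so neither factor alone can reproduce the key.
    """
    if password is None and key_file is None:
        raise ValueError("at least one factor is required")
    parts = []
    if password is not None:
        parts.append(hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                         salt, KDF_ITERATIONS))
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    if len(parts) == 1:
        # Single factor: bind it to the database salt and return.
        return hmac.new(salt, parts[0], hashlib.sha256).digest()
    # Two factors: the password digest keys an HMAC over the key-file digest.
    return hmac.new(parts[0], parts[1], hashlib.sha256).digest()
```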

KeePass works the same way as Password Gorilla, but it provides a dedicated field for saving a URL and another field for notes. The package generally performed well and, unlike Password Gorilla, prompts users to save changes when exiting.

The developers of a third open source password manager, the Windows-only Oubliette version, took a different approach from that of Password Gorilla and KeePass. Aware that office cubicle-dwellers have limited privacy, they have chosen not to display a tree showing the accounts a user may have. Instead, users can scroll through their accounts sequentially using arrow icons or a pull-down menu. While all three programs obscure passwords with asterisks, this extra protection prevents over-the-shoulder viewers from learning what Web sites and accounts you access. Usernames are copied via menu options or hotkeys (Ctrl-U, Ctrl-P, Alt-W, etc.). Strangely, the options for copying the username and password are found under the Account menu, while the option for launching a URL is found under the Tools menu. While I suspect that the hotkeys would become second nature for most users, I found them cumbersome. Oubliette offers users a secure way to encrypt their password files using either the Blowfish or IDEA encryption algorithms. When Oubliette is minimized it hides in the System Tray rather than on the task bar.

All three of these applications are easy to use and do a good job of protecting user account and password information using well-respected encryption techniques. I found myself most comfortable using Password Gorilla. The application is easy to use, portable, and can work equally well in Linux, Mac, and Windows environments.

Ultimately, these applications offer a far better and more secure solution for password overload than those ratty old sticky notes attached to the bottom of your monitor.