A site devoted to discussing techniques that promote quality and ethical practices in software development.

Wednesday, February 17, 2010

Notes on KeePass from a long time user of Password Safe

I have been a long-time user of Password Safe and have great appreciation for its simplicity and usefulness. As my database has grown over the years, the simplicity of Password Safe (I am using version 3.20) has become an issue. The most obvious one, for me, is that I found no way to locate an entry other than scanning the tree one by one, which becomes laborious with many entries nested deeply.

As a result, I have embarked, somewhat unwillingly, on a journey to find a replacement for my trusty companion. I came across KeePass, an open-source password manager that operates and looks very similar to Password Safe. A search on the Internet did not turn up any published vulnerability in it, so with some trepidation I decided to give it a road test; below is my experience. It is by no means an exhaustive comparison, nor an attempt to gauge its security strength.

KeePass supports 256-bit AES in both ver 1.x and 2.x, and additionally Twofish in ver 1.x out of the box; but it is the implementation (how the master password is turned into the key, how the decrypted data is handled in memory, and so on) that determines strength and vulnerability, not so much the declared algorithm. That aspect is not examined here, beyond noting that both versions let you raise the number of master-key transformation rounds in the database settings, which directly raises the cost of guessing the master password. The notes below are more a guide for Password Safe users on how to migrate to KeePass painlessly and become familiar with it.

The good things with KeePass (ver 2.09) vs Password Safe (ver 3.20)

From a developer's perspective, KeePass appears to have a more active community than Password Safe and is architecturally the better product. While some may argue that a plug-in architecture can weaken the security of the product (a plug-in runs inside the KeePass process with its full privileges and can see the decrypted database), it is there to allow people to extend the program when needed. Out of the box, no plug-in is loaded.

This plug-in architecture is exactly what makes migrating a Password Safe database over to KeePass possible, as described below.

KeePass has a large, active community producing a variety of plug-ins, while Password Safe is more of a closed system. KeePass has also spawned other projects that produce versions for mobile and other operating systems.

Both KeePass and Password Safe are essentially portable applications that do not need to be installed on the machine. Both products (for KeePass, the version 2.x one) also offer installers for people who prefer to install them and uninstall them when no longer required. I used the portable version, which requires no installation.

KeePass has two versions, 1.x and 2.x, that unfortunately use two different database formats, which introduces compatibility issues. Version 2.x can import a version 1.x database with no loss of data (a one-way conversion), but version 1.x cannot open a 2.x database unless it is first exported into the 1.x format.
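Because the two formats differ and because the declared cipher says less than the key-derivation settings, a migrating user may want to check what a given database file actually claims before trusting it. The following script is an added example (not code from the original post or from the KeePass project) that reads only the unencrypted header of a .kdb (1.x) or .kdbx (2.x, KDBX version 3) file, so it needs no master password, and reports the format, the cipher and the number of master-key transformation rounds. The field layouts follow the published KeePass 1.x and KDBX 3 formats; the sample headers it builds when run without arguments are constructed, not real databases.

```python
"""Inspect the unencrypted header of a KeePass 1.x (.kdb) or 2.x (.kdbx) file."""
import struct

# First signature dword is shared by both formats; the second tells them apart.
SIG1 = 0x9AA2D903
SIG2_KDB = 0xB54BFB65            # KeePass 1.x
SIG2_KDBX_PRERELEASE = 0xB54BFB66
SIG2_KDBX = 0xB54BFB67           # KeePass 2.x release builds

# KeePass 1.x: fixed 124-byte header, cipher selected by flag bits.
KDB_FLAG_SHA2 = 0x01
KDB_FLAG_RIJNDAEL = 0x02
KDB_FLAG_ARCFOUR = 0x04
KDB_FLAG_TWOFISH = 0x08
KDB_HEADER_FMT = "<IIII16s16sII32s32sI"   # sig1, sig2, flags, version, seed, iv,
KDB_HEADER_LEN = struct.calcsize(KDB_HEADER_FMT)  # groups, entries, hash, tseed, rounds

# KeePass 2.x (KDBX 3): 12 fixed bytes, then fields of ID(1) + length(2, LE) + data.
KDBX_END_OF_HEADER = 0
KDBX_CIPHER_ID = 2
KDBX_TRANSFORM_ROUNDS = 6
AES_CIPHER_ID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")
KDBX_CIPHERS = {AES_CIPHER_ID: "AES-256"}


def parse_kdb_header(data):
    """Parse a KeePass 1.x header and return its security-relevant fields."""
    if len(data) < KDB_HEADER_LEN:
        raise ValueError("too short for a KDB header")
    (sig1, sig2, flags, version, _seed, _iv, groups, entries,
     _hash, _tseed, rounds) = struct.unpack(KDB_HEADER_FMT, data[:KDB_HEADER_LEN])
    if (sig1, sig2) != (SIG1, SIG2_KDB):
        raise ValueError("not a KeePass 1.x database")
    if flags & KDB_FLAG_RIJNDAEL:
        cipher = "AES-256"
    elif flags & KDB_FLAG_TWOFISH:
        cipher = "Twofish-256"
    else:
        cipher = "unknown (flags=0x%x)" % flags
    return {"format": "KDB (KeePass 1.x)", "version": "0x%08X" % version,
            "cipher": cipher, "key_transform_rounds": rounds,
            "groups": groups, "entries": entries}


def parse_kdbx_header(data):
    """Walk the KDBX 3 TLV header until the end-of-header field."""
    if len(data) < 12:
        raise ValueError("too short for a KDBX header")
    sig1, sig2, minor, major = struct.unpack("<IIHH", data[:12])
    if sig1 != SIG1 or sig2 not in (SIG2_KDBX, SIG2_KDBX_PRERELEASE):
        raise ValueError("not a KeePass 2.x database")
    if major != 3:
        raise ValueError("unsupported KDBX major version %d" % major)
    fields, pos = {}, 12
    while True:
        if pos + 3 > len(data):
            raise ValueError("truncated header")
        fid, size = struct.unpack("<BH", data[pos:pos + 3])
        pos += 3
        value = data[pos:pos + size]
        if len(value) != size:
            raise ValueError("truncated header field %d" % fid)
        pos += size
        if fid == KDBX_END_OF_HEADER:
            break
        fields[fid] = value
    cipher_id = fields.get(KDBX_CIPHER_ID, b"")
    rounds_raw = fields.get(KDBX_TRANSFORM_ROUNDS)
    if rounds_raw is None or len(rounds_raw) != 8:
        raise ValueError("missing or malformed transform-rounds field")
    return {"format": "KDBX (KeePass 2.x)", "version": "%d.%d" % (major, minor),
            "cipher": KDBX_CIPHERS.get(cipher_id, "unknown (%s)" % cipher_id.hex()),
            "key_transform_rounds": struct.unpack("<Q", rounds_raw)[0],
            "header_length": pos}


def inspect_header(data):
    """Dispatch on the second signature dword; raises ValueError for anything else."""
    if len(data) < 8 or struct.unpack("<I", data[:4])[0] != SIG1:
        raise ValueError("not a KeePass database")
    sig2 = struct.unpack("<I", data[4:8])[0]
    if sig2 == SIG2_KDB:
        return parse_kdb_header(data)
    if sig2 in (SIG2_KDBX, SIG2_KDBX_PRERELEASE):
        return parse_kdbx_header(data)
    raise ValueError("unknown second signature 0x%08X" % sig2)


# Constructed sample headers for offline demonstration (seeds and IVs zeroed).
def build_kdb_header(rounds, flags=KDB_FLAG_SHA2 | KDB_FLAG_RIJNDAEL):
    return struct.pack(KDB_HEADER_FMT, SIG1, SIG2_KDB, flags, 0x00030002,
                       b"\0" * 16, b"\0" * 16, 1, 2, b"\0" * 32, b"\0" * 32, rounds)


def build_kdbx_header(rounds, cipher_id=AES_CIPHER_ID):
    def field(fid, value):
        return struct.pack("<BH", fid, len(value)) + value
    return (struct.pack("<IIHH", SIG1, SIG2_KDBX, 0, 3)
            + field(KDBX_CIPHER_ID, cipher_id)
            + field(KDBX_TRANSFORM_ROUNDS, struct.pack("<Q", rounds))
            + field(KDBX_END_OF_HEADER, b"\r\n\r\n"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # only the header is needed
            print(inspect_header(f.read(4096)))
    else:
        print(inspect_header(build_kdb_header(6000)))
        print(inspect_header(build_kdbx_header(6000)))
```

Run it as `python inspect_header.py MyPasswords.kdb` (or `.kdbx`) after the migration: the 1.x and 2.x files should report the same cipher family, and if the rounds value is small, raise it in the database settings before relying on the new file.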

KeePass also fits the Windows security model better than Password Safe. Password Safe performs perfectly on a USB drive, where it has read-write access to its own directory, but on a shared machine or one using a limited user account (LUA) it struggles. You can use the -g option to point it at a different configuration file, but this is clumsy because you have to specify each user's profile area yourself.

As a digression, watching Password Safe run as a limited user under Process Monitor, it generates a lot of "Access Denied" results when opening system files such as Shell32.dll and others. This is unusual, and I wonder whether it is opening them with more access rights than it needs; the Desired Access value in Process Monitor's Detail column shows what was actually requested on each open.

KeePass understands the LUA principle and Windows profiles: when its own directory is not writable, it automatically redirects the per-user configuration file to the user's profile. Password Safe lacks this capability. KeePass ver 2.x also runs fine in non-Windows environments using Mono.

The other nice touch with KeePass for handling multiple users or sharing between machines is the "Enforced Configuration" feature (a KeePass.config.enforced.xml file placed in the application directory), which lets an administrator define system-wide settings that every user inherits and cannot override from their own configuration.

The bad part of KeePass

Ver 1.x is a native Win32 product, while ver 2.x is a .NET product built on Framework 2.0. So if you carry KeePass on a USB drive to use on someone else's machine, such as in an Internet cafe, and that machine does not have the .NET Framework installed, you cannot run KeePass 2.x. KeePass 1.x, by contrast, runs on any Windows machine. (Whichever version you carry, remember that typing your master password on a machine you do not control exposes it to whatever keylogger or malware is already there.)

Start-up speed of version 2.x is also very much in line with a typical .NET application. Once started, there is no noticeable performance difference.

If you intend to travel and worry about the availability of the .NET Framework, use KeePass 1.x, which is still a supported product. It is not as pretty as 2.x but is about as functional. The downside is that the two database formats are incompatible.

The availability of the .NET Framework is only a transitional problem, as all Vista and Win7 machines ship with .NET Framework 2.0 or higher installed by default, and XP machines are progressively getting it. It is only a matter of time.

What extra features I would like to see in KeePass

I would like to see an option to open the database read-only until I reopen it without that option. This would prevent the user from changing the data accidentally.

It would also be nice if the password were not revealed persistently: show it only when one decides to, and only until that entry is closed. At the moment KeePass's show/hide state is persistent not only across entries but for the whole KeePass installation; Password Safe always hides the password when viewing/editing an entry and shows it only until that entry is closed.

Migrating Password Safe database over to KeePass

If you have a database in Password Safe 1.x, 2.x or 3.x format, you can convert it for use in KeePass. The process depends on which final version of KeePass you intend to use; the steps are:
1) Download version 1.09 of KeePass into a temporary directory and unzip it.
2) Download the Password Safe Import plug-in into the directory containing KeePass ver 1.09. This plug-in works only with KeePass versions 1.05 to 1.09, which is why 1.09 is used; if you drop it into a newer version of KeePass, it will not be recognized as a valid plug-in.
3) Follow the installation instructions in the plug-in's accompanying ReadMe.txt.
4) Create a new database with KeePass 1.09 (this is where the new database's master password is set, so choose it with care) and then use "Tools/PwSafe Database Import/Import" to import the Password Safe database into it.

If you are going to use KeePass ver 1.x, you can use this database as it is, with no further steps.

If you are going to use KeePass 2.x, import this KeePass 1.x database into the 2.x format (File/Import in KeePass 2.x). Once that is completed, you can delete the KeePass 1.x directory and database, which completes the migration. The 1.x database is itself encrypted under your master password, so deleting it is mostly housekeeping; if you produced any plaintext export of Password Safe along the way (a CSV or text file, for instance), that file is the sensitive one and should be securely wiped rather than merely deleted, bearing in mind that a plain delete on a USB flash drive can leave the data recoverable.


Chad Warner said...

Thanks so much! I wasted a ton of time trying to get KeePass 1.17 to recognize the Password Safe import plugin. I tried exporting from Password Safe to CSV and importing that into KeePass, but it didn't import the notes. I finally stumbled across your post and it worked perfectly.

Anonymous said...

Great tips for migration, thanks.

Anonymous said...

Wow, dude, go back to Password Safe and try using Ctrl+F. Find has been there since I started using PSafe almost three years ago.

You can also create sub-groups to better organize things so you don't have to go looking through all of your entries anyway.

Plus, the Java version runs on the Mac and Linux, so you can have this anywhere. Yeah, the Java version doesn't have find or auto-type, but with sub-groups and cut/paste it still works, it uses the same data file, and it's there wherever you need it.

I also use PuTTY, and can now add secure logins that use ssh, and invoke them via PSafe's run option. Very nice. (And no, I'm not affiliated with this app, I just like it a lot.)

Anonymous said...

Great write up--thanks very much.

Anonymous said...

Seemed simple enough, but any options to import the PWSafe db are grayed out and unusable. Any ideas?

Anonymous said...

Hi, Nice post. I am just curious what you mean regarding the lack of being able to find entries in passwordsafe. I have always used CTRL+F and F3 to scroll through results. I have never felt limited by this and have over 1000 entries currently. I am currently running passwordsafe 3.25 and have not made the jump to keepass yet.
