The case for Keepass and making strong passwords easy.

SplashID servers up and down, why is that important?

A HUGE thing in technology these days is security, and a big part of that is passwords. For years, the folks in IT have been trying to come up with creative ways to keep users from using passwords like ‘password’ or ‘123456’, and a big help in this has been password safes like LastPass, Keepass and SplashID. The advantage of a password safe is that you can easily create long, complex and quasi-random passwords that you could never remember otherwise, and have a separate password for everything that you do (one for your Facebook account, one for your Twitter account, one for your eBay account, one for your main email, one for …., you get the idea). That way, the passwords are horribly difficult to crack to start with but, if one of the accounts gets compromised, the attacker hasn’t gained all of the keys to the castle in one fell swoop (and, hopefully, you’ve enabled two-factor authentication on it so they didn’t get anything at all, but that’s another rant). Safes like LastPass and SplashID have the added advantage of storing the data in the cloud to make access to the passwords easier, but that advantage comes at a price. With the data stored ‘in the cloud’, it’s more available to compromise.

The first problem that I see with these cloud-only solutions is that, regardless of the security deployed, the bad guys only have to be right once to gain access, and something like a password safe is a HUGE prize. LastPass is my favorite of these cloud-based safes, but even LastPass was breached in May of 2011 and some data was exposed. To their credit, the breach was detected quickly and corrective action was taken just as quickly, but the fact remains: having that data in ‘the cloud’ increases the exposure and, with that, the risk.

The other problem with having all of that data in ‘the cloud’ is made very clear by the SplashID problem yesterday. Basically, their servers had some problems and had to be taken offline, leaving users without access to their data (hey, what’s the domain admin password so that I can check out the server, what’s the enable password on that router that no one ever uses but is now freaking out, what’s the login to our SPS commerce page so that we can get our money, etc.). The users using the cloud-based storage have, I believe, regained access to their data (the site is in German, so you’ll have to get the Google translation of it if you’re going to read it). The people who took the ‘safe’ bet and kept a copy of their data locally STILL can’t access the data because of licensing problems. What’s more, SplashID has taken the user forums down because of all of the traffic that they got from users trying to help one another (and some users *really* being vocal about the problem).

The answer, I believe, is a password safe that you control locally. My personal favorite is Keepass. It’s easy to use, free, Open Source, can be hosted locally, on your servers, behind your firewall, and it can be backed up. You can keep it locally on your workstation or you can store the data on a LAN and access it via a network share. You can even access it via FTP, if you’re so inclined. With this, you can cut off access to it from the outside (e.g., it’s not exposed like LastPass), you can back up the database in your normal backup routine (e.g., a single server failure or corruption of the password file doesn’t kill you), and you’re in complete control of the data.
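As an added example (not from the original post or from the KeePass project), here is the kind of step that turns "back up the database in your normal backup routine" into something that also catches a corrupted copy: each backup of the .kdbx file is verified against the original, recorded with a SHA-256 sidecar, and old copies are pruned. The file names, directory layout and the sample database bytes are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large databases are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_database(db: Path, backup_dir: Path, keep: int = 7, stamp: str = "") -> Path:
    """Copy db into backup_dir with a timestamp, verify the copy byte-for-byte,
    record its hash in a .sha256 sidecar and keep only the newest `keep` copies."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest = backup_dir / f"{db.stem}-{stamp}{db.suffix}"
    shutil.copy2(db, dest)
    digest = sha256_of(db)
    if sha256_of(dest) != digest:  # a bad copy is worse than no copy: drop it loudly
        dest.unlink()
        raise IOError(f"backup of {db} did not verify")
    (backup_dir / (dest.name + ".sha256")).write_text(digest + "\n")
    copies = sorted(backup_dir.glob(f"{db.stem}-*{db.suffix}"))  # stamps sort lexically
    for old in copies[:-keep]:
        old.unlink()
        (backup_dir / (old.name + ".sha256")).unlink(missing_ok=True)
    return dest

def verify_backup(backup: Path) -> bool:
    """True if a stored copy still matches its sidecar (catches silent corruption)."""
    sidecar = backup.parent / (backup.name + ".sha256")
    return sidecar.exists() and sha256_of(backup) == sidecar.read_text().strip()

def demo() -> dict:
    """Run three backups with keep=2 on a constructed stand-in database in a temp dir."""
    tmp = Path(tempfile.mkdtemp())
    db = tmp / "Passwords.kdbx"  # constructed sample bytes, not a real KeePass database
    db.write_bytes(b"\x03\xd9\xa2\x9a constructed sample database bytes")
    made = [backup_database(db, tmp / "backups", keep=2, stamp=f"2011090{i}-020000") for i in (1, 2, 3)]
    result = {"remaining": len(list((tmp / "backups").glob("Passwords-*.kdbx"))),
              "oldest_pruned": not made[0].exists(), "good_copy_verifies": verify_backup(made[2])}
    made[2].write_bytes(b"corrupted")  # simulate bit rot on the stored copy
    result["corrupt_copy_verifies"] = verify_backup(made[2])
    shutil.rmtree(tmp)
    return result
```

Point a scheduled task at `backup_database(Path("Passwords.kdbx"), Path("backups"))` and run `verify_backup` over the copies before you ever need one.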