I haven’t posted in a while and I figured I was due. I usually blog specifically for Linux users, but this really applies to anyone on any operating system (Apple, Microsoft, Android, etc).
I want to encourage the use of a password manager to anyone not already using one. There are a lot of them out there, but I’m specifically interested in focusing the attention on KeePassX. There are a number of reasons why and I’ll eventually get to most of them. But for starters KeePassX is completely free (GPLv2) and as I mentioned above, it works on just about every platform!
It’s sole purpose in life is to remember passwords for you so you don’t have to. It’s used to prevent you from using the same 1-3 passwords you’re using today for everything. Instead of using your birthday, engagement and/or pets name, you’ll use passwords like: JP83bW93wwrJsZ2x6tQy3aD6W or SLJUhoQWPBRtwTwmzsCxWXqOV. Again, I emphasis that the password manager does all the memorizing for you. Not only that, but it’ll easily generate you these passwords too.
Now before you roll your eyes and decide you don’t need such a thing, just here me out. Give me a chance to sell you the reasons why you seriously need to consider this. I’ll attempt to do this with respect to The 5 Stages of Loss and Grief. 🙂
Stage 1: Denial
What’s the point of a password manager? I never needed one before!
A password manager is kind of like social media was to us back in February of 2004. The ideology is the same: “You didn’t know you needed it until it was shown to you”. So trust me when I tell you that you need one now. The thing is, the internet is filled with people whose sole intent is to gain access to your identity and exploit it for their own personal gain. The passwords we’ve all used up to this date are too simple; I know this because we’ve all remembered/memorized them. Even the complicated ones we confidently memorized are no good.
Most of us just acknowledge there is risk, but we do nothing about it. We belive that if no one has figured out our password yet, they never will. Well the scary thing is: some of them might know our password(s) already. But these people don’t want to make that evident to us. Don’t expect someone to advertise themselves once they’ve gained access to something we had protected. Instead, you’re only going to find out once the damage has been done.
Stage 2: Anger
Why would I put all my passwords in one file? Something just sounds wrong with that statement.
You would do it for the same reason you trust a bank’s security with your money. The same reason you trust your wallet or purse with your personal identity. The same reason you go to work and secure all your belongings and pets behind in your home. We put all of our eggs into one basket every day, but we’re all smart about it. We all put trust in the decision that our belongings will remain in tact until we return to it. KeePassX works exactly the same way.
The passwords that reside in your KeePassX database are encrypted, so no one will gain access to it unless you allow it to happen. The encryption means the password database is completely useless to anyone who has it without the keys required to access it. You can even go as far as to lock it using a keyfile (KeePassX will generate for you) as well as a password.
There is no question that if a hacker gains access to your password database and has all the keys he/she needs to unlock it, then you’ve defeated it’s purpose. Your passwords are only as secure as the conscious effort you take to keep them that way. If you keep the keys to your house under the welcome mat, or your car keys in the vehicle they pair with, it’s just a matter of time before you suffer a theft in that regard too.
Stage 3: Bargaining
Can’t I just change the passwords after I read about the compromising?
The answer is No and here is why:
People are attempting to exploit us ever day through phishing, viruses, spyware, false advertising, and even through everyday tasks we didn’t even know we were a victim of. Take Sony and eBay for example. Both are very reputable companies with an entire team of security experts working with them every day, yet they still fell prey when their systems were compromised by a hacker. As a result, it’s the clients and customers that become the victims too (all of us). If you used the same password on these sites as you do everywhere else, then you’re already at risk for identity theft. The point is, sh*t happens and sometimes it’s just out of our control.
We can’t expect every organization to be like eBay and Sony either. Not all of them will alert their customers of the threat they faced or the security breach they sustained. The few that do go public may have been exploited long before they did. Hence, our personal information was at risk last week when they told us today. There are even some companies who don’t want to admit to any privacy invasions to protect their own reputation. Then there are the companies that might not even know they’ve already been compromised. So if they don’t tell us; how will we ever know?
Therefore, consider taking the extra time to change every password on every site you visit once you get KeePassX installed.
Stage 4: Depression
I don’t want to change my password everywhere.
I don’t want the burden of a another application just to manage my passwords.
I was stuck at this stage for a while. It takes a while to change passwords everywhere. But after it’s done, you have to remember that this program does absolutely everything in its power to make your life easy from this point on. You only need to add everything once; so the burden doesn’t linger.
How can such complicated password make my life easier?
Your life ‘will’ be simpler with KeePassX because your every day tools are now accessible by just a few keystrokes:
- Press ctrl-b in Password Manager: Copy the username into the clipboard
- Press ctrl-v in Web Browser or App: Paste the username (into the username field)
- Press ctrl-c in Password Manager: Copy the password into the clipboard
- Press ctrl-v in Web Browser or App: Paste the password (into the password field)
That’s it; don’t worry about the password (you just copied) being left in the clipboard. KeePassX looks after clearing the clipboard after a few idle seconds elapse that you configure (the default is 20 seconds). The point of me explaining this is: instead of memorizing your secret passwords you use everywhere, you only need to remember the 4 key combinations identified above. The same 4 keystrokes are used for all sites/apps you ever use/visit from this point forward. Not to mention that each password is a unique from the other and unguessable by any hacker. I can’t stress enough that the effort level decreases with a password manager. At the same time your online privacy is more secure than ever.
Stage 5: Acceptance
What about my Phone? What about my other computer? Can access my password file on other systems?
Yes! This is one of the most amazing features of KeePassX! People even place their password file on locations such as DropBox or their Google Drive so they can access it between the systems. It’s compatible with Microsoft Windows, Mac OS (including Apple iOS), Android, and Linux (of course!).
So Where Do I Get It?
Microsoft Windows and Mac OS users can just download it directly from the download area at the official KeePassX website here.
If you’re using an Android device then you can find it here on the Google Play Store.
If you’re using an Apple device then you can find it here on the iTunes Store.
For the CentOS and/or Red Hat users: if for whatever reason the links above become unavailable or you want a fast approach: KeePassX can be retrieved from the repository I’m hosting.
Install KeePassX in CentOS and/or Red Hat 6 :
# Make sure you hook up with my repository first: # Visit : https://nuxref.com/nuxref-repository/ ################################################################ # Install our required products ################################################################ yum install -y --enablerepo=nuxref keepassx # You're Done!
- For obvious reasons, password protect your password database. This is the one password you ‘will’ need to remember. So I encourage you to use a new original one, but don’t forget it!
- Consider using a keyfile as well as the password for securing your password database. The nice thing about the keyfile is you can move it with you; keep it on a usb drive that is kept with you or in another location. This way if someone ever did get a hold of your password database, they can’t do anything without the key file even if they know your password.
- Configure KeyPassX to lock itself after it’s been idle or minimized. By default it won’t, but it’s a simple option that will allow you to walk away from your desk and know that no one is snooping where they shouldn’t be.
- Log onto your remote sites and consider changing your passwords every now and then. Even if it’s only once a year. Just changing your passwords annually is still better than never changing them at all! You can optionally configure KeePassX to remind you to change your passwords after they get to a certain age. Just using the built in password generator will greatly simplify your life and keep your passwords complex.
Speaking of Passwords…
Consider that your neighbors (or even someone you don’t know) could be using your wireless network while you’re at work. They could be using it even when your around. Have you been connecting to your wireless router lately to see if you can account for everyone connected to it? Now would be a good time to change this password too!
Pay attention to the sites you use and make sure they use some form of login encryption. For example, logging into a website that isn’t secure means anyone can easily extract your username password combination without your knowledge.
- June 2014 – Evernote’s message forum was just recent hacked exposing 164,644 passwords just 4 days before I created this blog. Sadly their note service was hacked affecting millions of their users back in March 2013.
- May 2014 – Spotify admitted that their data was accessed when breached.
- May 2014 – eBay announces it was hacked and forces all users to change their password on their next login
- April 2014 – Heartbleed Exploit potentially compromised millions of systems and had been doing so since December of 2011. The amount of privacy breaches that occured over the 3 years this bug went undetected for is scary to think about.
- April 2014 – America Online (AOL) had customers reset their passwords in fear of a potential breach
- January 2014 – Yahoo Mail had customers reset their passwords for a potential breach/
- April 2011 – Sony gets hacked and loses 77 million customers passwords to hackers. It took them a full week before they made it public.
Just do a Google search for +breach +password +hacked to get an idea of how many companies are getting hacked constantly and how easy it is for someone to figure out your password and re-use it elsewhere.
Sure, Password Managers aren’t for everyone; don’t worry, I get that. But if you truly want to prepare yourself and prevent having to deal with unnecessary online fraud, or identity theft… If you truly wasn’t to avoid venturing through The 5 Stages of Loss and Grief which follows these awful crimes, then you should consider protecting yourself now. Take the plunge and get a password manager and diversify your passwords.
It’s better to be safe than sorry.
If you like what you see and wish to copy and paste this HOWTO, please reference back to this blog post at the very least. It’s really all I ask.
Here are some other links you may find useful: