Kung Fu for SysAdmins: Use KeePass, Dropbox, and KeeFox for total password management.

I don’t know about you guys (and gals), but I manage a ton of passwords (if I printed them out I’d be looking at well over a metric ton). I have every account on the work domain, my personal network accounts, service accounts on each, equipment passwords, and don’t even get me started on website passwords. For the past 5 years or so I have been keeping them (religiously) in a KeePass 1.x database on my trusty USB drive, but when I’m actually sitting at my desk it’s kind of a pain having to remember to plug it in and fire up the (portableapps.com) menu before I can get to KeePass. Especially considering that I take the USB key with me every time I walk farther away than 10 feet from my computer.

So I cleared out an hour of my day (which is harder than it sounds) and went searching for a better solution. Really the only other viable solution I could find was LastPass. I just can’t bring myself to trust all of my passwords to a web service. They claim it’s secure, but how do I know? For all I know they could be collecting passwords for everything in a plan to overthrow the internet (hey, it could happen!). In all seriousness, for my personal passwords I really don’t care, but I’m paid to (in large part) protect the security of our corporate network, not to just float the keys to the castle out on the first web service that comes along looking all hot.

So KeePass still wins out. But there has got to be a way to make it more useful. And I found it.

Quick interjection: I’m switching from KeePass v1.x to v2.x, but v2.x uses the .NET Framework, so it’s not technically portable (as in take it anywhere on a USB drive, like KeePass v1.x). Don’t get me wrong, I love KeePass v1.x, but v2.x has so many useful features not available in v1.x!

So why switch? Because the people that maintain KeePass have made that kind of a non-issue. KeePass v2.x fully supports import and export of v1.x files. So I can install KeePass 2.x on my workstations, keep v1.x on my USB drive, and just export the v2.x file to the v1.x format daily (I don’t change passwords more often than that anyway – usually).

Still, syncing all those machines is kind of a headache, which is why I just use a USB drive (you see where this is going).

Enter Dropbox (full disclosure: if you use that link to sign up for Dropbox, I get 250MB of free storage on Dropbox at no cost to me or you). If you’re working in IT and you are not using Dropbox (or a similar service), shame on you! These kinds of services are really useful and getting to be ubiquitous. Your users are going to start asking about them, and about how you can leverage them to help them do their jobs better and/or easier. If nothing else, learn about them so that you can say “no” and be able to back it up with sound logic about the security repercussions (or allow them and help the users get the most from them).

So I save my KeePass database files to my Dropbox folder, and then just point all my KeePass installs to that folder (I use the same folder path on every computer I use). I also save my KeePass 1.x files to a different folder in Dropbox, so I can still use KeePass Portable. Dropbox also has a portable version for use on USB drives (but it requires the .NET Framework 3.5 to be installed, so it’s not technically “portable”); if I wanted to, I could do this instead.

Now this set up alone is totally awesome, but wait; there’s more!

One of the things I really like about LastPass is that it has a Firefox plugin. Unlike KeePass, which is pretty much IE only on the browser integration side. I don’t count KeeForm for Firefox because you have to install and configure the mozrepl extension for it to work, so that’s now two extensions that I have to maintain, and I’ve had some issues with KeeForm in Firefox too. When it was the only way it was cool on one workstation, but I work from 4-6 workstations on a regular basis. Just not my cup of tea.

Enter KeeFox. KeeFox is a Firefox extension that tightly integrates KeePass with Firefox. Word of warning: it is a beta extension, and the developer has not declared it fit for public consumption (but as IT professionals, people reading this should not have any problems), though I’ve not had any issues with it (outside of the one I’m about to explain). KeeFox only works with KeePass v2.09 (or higher), Firefox v3.0.6 (or higher, I have it running on 3.6.3), on the Windows OS platform (works on 7, 7 x64 and XP; I have not tested on anything else).

Simply install the latest version of KeePass 2.x and configure as above. Make sure that Firefox is at least v3.0.6 (should be on 3.6.3 by now anyway), and install KeeFox. Restart Firefox to complete the installation.

The one issue I’ve had: the Windows Firewall. It’s good, it works. That’s the problem. See, to get KeeFox to integrate with Firefox, it has to communicate across TCP/IP. So you are going to need to make some firewall exemptions, maybe. I didn’t have any issues with Windows XP; it just worked. But Windows 7 changed things with the Windows Firewall (most of the relevant changes actually took place in Vista, but I never used Vista). The Windows Firewall is now bidirectional. This means that it will block traffic that is not part of Windows going in either direction (in XP only incoming traffic was filtered).

When I set this up on my main workstation (Win7 x64) it didn’t work right out of the gate; I had to create a firewall exemption for the port that KeeFox uses (12535). But on a Windows 7 x86 workstation it just worked (other users have reported that it works no problem on Win7 x64, go figure). So add a firewall exemption for port 12535, both inbound and outbound (the exemptions can be restricted to the local subnet only), if you are unable to get KeeFox to recognize that KeePass is running.
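Here is the firewall exemption from the previous paragraph done at the prompt instead of in the GUI. This is an added example, not part of the original post and not from the KeeFox or KeePass projects; it uses the built-in `netsh advfirewall` command (available on Vista and Windows 7, where the bidirectional firewall appeared). The post only says “port 12535, inbound and outbound”; the rules below assume KeePass is the side listening on that TCP port and Firefox is the side connecting to it, so the inbound rule matches the local port and the outbound rule matches the remote port. The rule names are my own. Run it from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example (not from the original post): create the inbound and outbound
# Windows Firewall exemptions for the KeeFox port (12535), restricted to the
# local subnet as the post suggests, then verify them.
# Assumption (not stated on the page): KeePass listens on TCP 12535 and Firefox
# connects to it, hence localport on the inbound rule, remoteport on the outbound.

$port    = 12535
$ruleIn  = "KeeFox_KeePass_in_$port"    # hypothetical rule names, no spaces so
$ruleOut = "KeeFox_KeePass_out_$port"   # netsh needs no extra quoting

# Inbound: allow connections arriving on the local port, only from the local subnet.
netsh advfirewall firewall add rule name=$ruleIn dir=in action=allow protocol=TCP localport=$port remoteip=localsubnet

# Outbound: allow connections leaving toward that port, only to the local subnet.
netsh advfirewall firewall add rule name=$ruleOut dir=out action=allow protocol=TCP remoteport=$port remoteip=localsubnet

# Verify the two rules exist and are enabled.
netsh advfirewall firewall show rule name=$ruleIn
netsh advfirewall firewall show rule name=$ruleOut

# Sanity check while KeePass is running: something should be listening on the port.
# If nothing shows up here, the firewall is not what is blocking KeeFox.
netstat -ano | findstr ":$port"

# To undo later:
# netsh advfirewall firewall delete rule name=$ruleIn
# netsh advfirewall firewall delete rule name=$ruleOut
```

The `netstat` line is the check worth doing first: on the x86 box where it “just worked” there was nothing to fix, and if KeePass is not listening at all, no firewall rule will help.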

That’s it, you are now rocking what is probably the most versatile and secure password management solution ever. As a bonus, when you use KeeFox to save your login information for websites, it will automatically use the site’s favicon as the icon in KeePass (how cool is that?).

As an aside, if you have an iPhone (which I do) you might be interested in the MyKeePass app ($0.99). It is under active development, and supports reading KeePass v2.x database files from Dropbox accounts (editing is coming soon according to the developer, but I don’t really need the editing capability on my phone).
