Used it ten years ago, still using it today: on the KeePass family of password management apps

I had struggled with managing a large number of accounts ever since I joined the IT industry more than ten years ago. At that time, I had dozens of company and personal accounts to remember. At the beginning, I tried to use the same username and password for all of them, so that I could deal with a large number of accounts without too many problems. However, the company accounts had to be changed every quarter, and the password had to be a combination of at least eight upper- and lower-case letters with special characters and numbers. As such passwords are difficult to remember, I spent some time working out a few passwords that met the criteria and planned to use them repeatedly. Unfortunately, I found that the system remembered more than ten of my previous passwords, and I could not reuse them. I ran out of prepared passwords very quickly. From then on, I had to create sophisticated passwords for the different accounts from time to time. The more complicated the passwords are, the harder they are to remember. To find an easy way to use the passwords, I started to record them in a document. Initially, I recorded the information in an Excel file on the company laptop, which was my most frequently used device. Although it was easy for me to check the passwords, the problem was that I had to send the laptop to the IT department frequently to resolve hardware and software issues. The IT department usually had the highest system privileges, so it was not safe to store such sensitive information in an Excel file.

How to choose a password management application

To deal with this issue, I started to search for password management applications. At that time, the IT industry was still young. There was not much software available on the market, and there were no software stores like Google Play or the Apple Store. Later on, I found an application called CodeWallet. If you search for it today, you will not find much information about it. I tried a few password management applications until I found KeePass, and I have stuck with KeePass for about ten years, up to today. You may be wondering why I have stayed with KeePass, or software in the KeePass family, for so long. You will find the answer in the criteria I use for choosing password management software, described below.

Safety

After using some password management software, one question was always on my mind: why should I trust it? Does it have any back doors? I believe that safety is at the top of the list for most people who start looking for password management software. Of course, the developers of the software must be trustworthy. How can we qualify them? Can software from a large company be trusted? Having worked in multinational companies for many years, I know that each department in a big company is just like a small company. Unless it is a flagship product, a product from a big company will not differ much from one from a start-up.

Is there a way to overcome this doubt? The answer is yes. We do not have to focus only on the qualifications of the developers. If the software is open source, we can start from the source code directly, and qualify the source code instead of the developer. This was my initial motivation for choosing KeePass. The quality of open source software is closely related to its popularity: a large number of developers are involved in popular open source software, so the quality of the source code improves over time. This is exactly the case for KeePass.

Popularity and quality, in turn, help to extend the lifetime of the software itself. The commercial software that I used has been discontinued, whilst KeePass is still alive.

File format

As KeePass has grown in popularity, the KeePass data format has become the de facto standard data format for open source password management software. This is another reason I have stayed with KeePass for so long.

There are a large number of KeePass-derived applications available on almost every platform I have used. It is just like file formats in office software: even though there are many word processing applications on the market, Microsoft Office still dominates, largely because its file format is the de facto standard in that market.

To help developers reuse KeePass and build derived applications easily, the author of KeePass separated its major functionality into a library called KeePassLib. This is one of the key reasons the KeePass data format is so widely used.

The first KeePass-derived application to use KeePassLib was KeePassPPC, a port of KeePass to the Windows CE platform. When Android and iOS became the two major operating systems for mobile devices, developers ported KeePassLib to both platforms. However, Android uses Java as its development language while iOS uses Objective-C, and translating KeePassLib from the original C# into either Java or Objective-C is time consuming. That is why the development of KeePass-derived applications on these two platforms lags far behind the official KeePass development on Windows by the original author, Dominik Reichl. To this day, Dominik Reichl is still actively developing KeePass on Windows and releases new versions frequently, and it is a big challenge for the developers on Android and iOS to keep up with the official releases.

The situation improved when Microsoft released Xamarin as a cross-platform development environment for Android, iOS, Mac OS X and Windows. The first KeePass application on Android to use Xamarin was Keepass2Android. It kept almost the entire KeePassLib in C# and built the application on top of it. That is why I used Keepass2Android for a few years, until my own application, PassXYZ, was recently published on all major platforms (Android, iOS and Windows 10).

Keepass2Android is an Android application rewritten in C# with the help of Xamarin. As it was not written in a cross-platform way, its author did not release it on other platforms such as iOS and Windows. I have iOS devices as well as Android and Windows devices, so after waiting for many years I decided to develop a cross-platform KeePass application that runs on all major platforms using Xamarin. I started by porting KeePassLib to Xamarin as a Portable Class Library. This project can be found on GitHub under the name KPCLib (KeePass Portable Class Library). On top of KPCLib, I developed the KeePass-derived application PassXYZ, which has been released on Google Play, the Apple Store and the Microsoft Store.

Storage

After discussing safety and the data format, let's talk about another factor we need to look at when choosing a password management application: where do we want to store our secure data? The choices are local storage or the cloud. How can we decide? There is no straightforward answer to this question, as it is tied to three factors: safety, ease of use and reliability.

But why does the choice of storage location involve a trade-off between safety, ease of use and reliability?

For the safety of the secure data file, we all know that the fewer people who have access to it, the safer it is.

For example, why do banks still allow their customers to use a 6-digit number as the PIN for ATMs, while every company requires a sophisticated combination of upper and lower case letters, numbers and special characters as the password for its accounts? Does it mean that company accounts have higher security requirements than the bank's? Obviously not. The complexity of the password should depend on the number of people who can access the secure data file. Very few people can access the secure data file in a bank. In a company, however, many more people can access it, so there is a higher risk that the company's secure data file is copied by an attacker.

An attacker targeting a bank account has very limited time and opportunity to attack the target, while an attacker targeting a company's accounts may have almost unlimited time and opportunity to do so. When attackers attack an ATM or a bank account over the internet, they do not get the chance to run through all the possibilities of a 6-digit number. On the other hand, attackers of company accounts may be able to run brute-force software anywhere to try every possible password. As such, company accounts obviously require a much more complex password so as to prevent it from being cracked by brute-force software.

We learn from the above that where you store your secure data file determines how complex your password should be. If you store your data file locally at home, it may be as safe as at the bank. But if you store your data file in the cloud, the situation is similar to the company's.

It is definitely easier to use if you store your data in the cloud, but at the same time you have to be aware of the safety issue: you need a strong master password to protect yourself. If you store your data file locally, you have fewer concerns about the master password.
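To put numbers on the bank-versus-company argument above, here is an added example (not code from the original post, nor from KeePass or PassXYZ) that models the two situations: an online guess against a system that locks the account after a few wrong attempts (the ATM PIN), and an offline brute-force search over a copy of the data file (the database stored in the cloud). The attacker guess rates, the lockout threshold and the alphabet sizes are assumptions chosen for illustration, not measurements of any product.

```python
"""Compare how a secret holds up against an online, rate-limited guess and an
offline search over a copied file. Added example; all attacker figures below
are assumptions for illustration."""

import math
from dataclasses import dataclass
from typing import Optional

# Alphabet sizes used in the examples (assumed; not from the post).
DIGITS = 10                        # 0-9, as in a 6-digit ATM PIN
FULL_KEYBOARD = 26 + 26 + 10 + 32  # upper, lower, digits, printable ASCII symbols = 94


@dataclass(frozen=True)
class AttackModel:
    """How fast an attacker can guess, and how many guesses they get."""
    name: str
    guesses_per_second: float
    max_guesses: Optional[int] = None  # None = no lockout; the whole space can be tried


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random secret, in bits."""
    return length * math.log2(alphabet_size)


def success_probability(space: int, model: AttackModel) -> float:
    """Chance the attacker hits the secret before being stopped. With a lockout,
    at most max_guesses candidates can be tried; without one, the whole space
    is eventually searched."""
    if model.max_guesses is None:
        return 1.0
    return min(model.max_guesses, space) / space


def seconds_to_exhaust(space: int, model: AttackModel) -> float:
    """Worst-case time to try every candidate (about half of this on average).
    If a lockout stops the attacker before the space is covered, the search
    never completes, reported as infinity."""
    if model.max_guesses is not None and model.max_guesses < space:
        return math.inf
    return space / model.guesses_per_second


def assess(alphabet_size: int, length: int, model: AttackModel) -> dict:
    """Summarise one secret shape under one attack model."""
    space = search_space(alphabet_size, length)
    return {
        "attack": model.name,
        "bits": round(entropy_bits(alphabet_size, length), 1),
        "space": space,
        "success_probability": success_probability(space, model),
        "seconds_to_exhaust": seconds_to_exhaust(space, model),
    }


# Assumed attacker settings, for illustration only.
ATM_ONLINE = AttackModel("online, card locked after 3 wrong PINs",
                         guesses_per_second=0.1, max_guesses=3)
OFFLINE_COPY = AttackModel("offline, attacker holds a copy of the file",
                           guesses_per_second=1e9)

if __name__ == "__main__":
    shapes = [("6-digit PIN", DIGITS, 6), ("12-char master password", FULL_KEYBOARD, 12)]
    for label, alphabet, length in shapes:
        for model in (ATM_ONLINE, OFFLINE_COPY):
            r = assess(alphabet, length, model)
            years = r["seconds_to_exhaust"] / (365 * 24 * 3600)
            print(f"{label:24s} {r['bits']:6.1f} bits | {model.name}: "
                  f"p(success)={r['success_probability']:.2e}, "
                  f"exhaust in {years:.3g} years")
```

Run as a script it prints the four combinations: the 6-digit PIN is fine against the locked-down ATM (an attacker gets three guesses out of a million) but is exhausted in about a millisecond by an offline search, which is exactly the situation of a database file that has been copied from the cloud, and which is why a master password drawn from the full keyboard at 12 characters or more (roughly 79 bits here) is needed once the file may leave your control.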

Then what about the reliability of local and cloud storage? The simple answer is that neither is reliable enough. The reliability of your data file depends, to a great extent, on how you manage it. No matter where you store your data file, you need to back it up frequently. Following best practices in data file management makes usage a little harder, but you will be in a better position in terms of the chance of losing your data.
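As an added example of the "back it up frequently" practice (not code from the original post, KeePass or PassXYZ), the routine below makes timestamped copies of a database file, verifies each copy byte for byte with SHA-256 before trusting it, and keeps only the most recent few. The file is treated as an opaque blob, so it works for any .kdbx file; the file names and the dummy database contents in the self-check are constructed placeholders.

```python
"""Versioned, verified backups of a password database file. Added example;
the source path, backup directory and dummy file contents are assumptions."""

import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large databases are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def list_backups(src: Path, backup_dir: Path) -> list:
    """All backups of src, oldest first (the zero-padded timestamp sorts chronologically)."""
    return sorted(backup_dir.glob(f"{src.stem}-*{src.suffix}"))


def backup_database(src: Path, backup_dir: Path, keep: int = 5) -> Path:
    """Copy src into backup_dir under a timestamped name, verify the copy
    against the source, then prune so that only `keep` copies remain.
    A copy that fails verification is deleted and an error is raised, so a
    corrupted backup is never silently kept."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    # Sequence number keeps names unique and ordered even within one microsecond.
    seq = 0
    dest = backup_dir / f"{src.stem}-{stamp}-{seq:02d}{src.suffix}"
    while dest.exists():
        seq += 1
        dest = backup_dir / f"{src.stem}-{stamp}-{seq:02d}{src.suffix}"
    shutil.copy2(src, dest)
    if sha256_of(dest) != sha256_of(src):
        dest.unlink()
        raise IOError(f"backup verification failed for {dest}")
    for old in list_backups(src, backup_dir)[:-keep]:
        old.unlink()
    return dest


def demo(rounds: int = 7, keep: int = 3) -> dict:
    """Self-check: back up a constructed dummy database `rounds` times in a
    temporary directory and report what is left."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        db = tmp / "vault.kdbx"  # constructed placeholder, not a real database
        db.write_bytes(b"constructed dummy database contents, not a real kdbx\n" * 200)
        last = None
        for _ in range(rounds):
            last = backup_database(db, tmp / "backups", keep=keep)
        remaining = list_backups(db, tmp / "backups")
        return {
            "remaining": len(remaining),
            "newest_is_last": remaining[-1] == last,
            "newest_matches_source": sha256_of(last) == sha256_of(db),
        }


if __name__ == "__main__":
    print(demo())
```

Pointing `backup_database` at the real database and a backup folder on a second device (or a separate cloud folder) and running it after every edit gives you several known-good generations to fall back on; the verification step is what turns "I think I have a backup" into "I have a backup that matches what I saved".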

It is not difficult to use password management software, but it takes time to form the habit of following best practices. Once you realise that you need password management software to help you, you also need to understand that knowing how to manage your information well is equally important.

I created a PassXYZ WeChat public account when PassXYZ was released, because I believe all users of password management software need both the software and best practices for personal information management. The PassXYZ WeChat public account is a place where users can share those best practices.

If you are interested in personal information management, please follow the PassXYZ WeChat public account by searching for the keyword PassXYZ, or by using the WeChat name passxyz_kpclib. You can also find more information about PassXYZ on its website and install it from the following links:

Apple Store

Microsoft Store

Google Play