Why Web Developers should use KeePass

Published 18 Aug 2009 in Security, Software by ZigPress

This is a very old post. These days I recommend using LastPass.

What is KeePass?

KeePass Password Safe, to give it its full name, is a free, open-source, password manager available on multiple platforms and also suitable for self-contained operation on a USB stick. The official build is for Windows though it has been ported to Linux, Mac, Blackberry, iPhone, etc.

Disclaimer: I have no commercial or other interest in KeePass, or any relationship with its developers.

How does it work?

Essentially KeePass is a simple database program that lets you store structured and free-text information about your passwords, logins, bank details, etc., and sort them into groups for ease of retrieval. Everything is kept in a single encrypted file, which KeePass then allows (in fact forces) you to protect with a master password, a key file, or both. Using both is strongest. A key file on its own is only as safe as wherever you keep it, so do not leave it on the same disk as the database; a master password of reasonable length is probably good enough on its own.

You can download it at keepass.info, or if you’re a PortableApps user, you can download a version that works very nicely on that platform from this page on the PortableApps site.

Why would I want it?

So, you’re a website designer or developer. You create websites on a local PC, then you upload them to some live hosting space when they’re ready, using FTP.

The key word here is FTP. Most FTP programs let you store multiple sets of access details, so you can reconnect to a site with a couple of clicks instead of retyping the server, username and password every time. Most of them call this the “site manager” or some variation on that theme. (Bear in mind that plain FTP also sends the username and password across the network in clear text; where your host offers SFTP or FTPS, use it. The storage problem described next applies whichever protocol you use.)

Although many FTP programs obfuscate these details in some way when storing them, the scheme is usually weak and has been reversed in most cases: the program has to be able to decrypt the password itself, so anything on your machine that can read the program’s settings file can do the same. Just surf to this site for a moment if you don’t believe me.

And in fact, my favourite FTP program, FileZilla, doesn’t encrypt access details at all; the developer’s position is that if you are relying on site manager encryption as a last line of defence, you’re in bigger trouble than you think.

Why is this a problem? Because a great deal of malware exists whose sole purpose, should it infect your machine, is to hunt out your FTP program’s site manager data and send it to whoever operates it. They then run automated scripts that log in to each of your sites and add hidden, malware-loaded iframes to all your pages, turning every site you maintain into an infection point for its visitors. And with the best will in the world, you could get infected by one of these one day.

However, FileZilla and a number of other FTP programs will let you force them to ask for the password each time you connect to a site. The other details (server name, username, active or passive transfer, etc.) are still stored to save retyping.
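As an added check (not code from the original post or from the FileZilla project), here is a short Python audit of a FileZilla site manager file. It assumes the FileZilla 3 layout: a `<FileZilla3><Servers>` tree of `<Server>` entries with `<Host>`, `<User>`, `<Pass>`, `<Logontype>` and `<Protocol>` children, where Logontype 2 means “ask for password” and Protocol 0 is plain FTP; exact tags vary a little between versions, so treat those as assumptions. It runs on a constructed sample file embedded in the script and flags every site that still has a password on disk (including the base64-wrapped form newer releases write, which is encoding, not encryption), is not set to ask each time, or uses plain FTP.

```python
"""Audit a FileZilla 3 sitemanager.xml for stored credentials.

Added example; not from the original post or the FileZilla project.
Assumed layout: <FileZilla3><Servers><Server> with <Host>, <User>, <Pass>,
<Logontype> and <Protocol>. Logontype 2 = "Ask for password", Protocol 0 =
plain FTP. Newer releases write <Pass encoding="base64">, handled below.
"""
import base64
import xml.etree.ElementTree as ET

LOGONTYPE_ASK = "2"   # FileZilla "Ask for password" (assumed enum value)
PROTOCOL_FTP = "0"    # plain FTP: credentials cross the network in clear text

# Constructed sample file: two sites still storing passwords, one fixed.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>Client site (stored password)</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Logontype>2</Logontype>
      <Name>Client site (ask each time)</Name>
    </Server>
    <Server>
      <Host>ftp.legacy.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>www</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Legacy host (base64-wrapped password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def stored_password(server):
    """Return the password recoverable from a <Server> element, or None.

    Base64 is an encoding, not encryption: anything that can read the
    file can decode it just as this function does.
    """
    pass_el = server.find("Pass")
    if pass_el is None or not pass_el.text:
        return None
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8", "replace")
    return pass_el.text


def audit_sitemanager(xml_text):
    """Return one finding dict per site that needs attention (never echoes the password)."""
    findings = []
    root = ET.fromstring(xml_text)
    for server in root.iter("Server"):
        problems = []
        if stored_password(server) is not None:
            problems.append("password stored on disk")
        if server.findtext("Logontype", default="") != LOGONTYPE_ASK:
            problems.append("logon type is not 'ask for password'")
        if server.findtext("Protocol", default="") == PROTOCOL_FTP:
            problems.append("plain FTP: credentials sent in clear text")
        if problems:
            findings.append({
                "name": server.findtext("Name", default=""),
                "host": server.findtext("Host", default=""),
                "user": server.findtext("User", default=""),
                "password_on_disk": stored_password(server) is not None,
                "problems": problems,
            })
    return findings


def sites_with_stored_passwords(xml_text):
    """Names of the sites whose password anyone reading the file could recover."""
    return [f["name"] for f in audit_sitemanager(xml_text) if f["password_on_disk"]]


if __name__ == "__main__":
    for finding in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(f"{finding['name']} ({finding['user']}@{finding['host']}):")
        for problem in finding["problems"]:
            print("   -", problem)
```

To check your own machine, pass the contents of sitemanager.xml (under %APPDATA%\FileZilla on Windows, ~/.config/filezilla or ~/.filezilla on Linux) to `audit_sitemanager`. The same check is worth running over recentservers.xml in the same folder, which holds the Quick Connect history.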

So, all you now need (assuming you make each of your passwords different – and to be honest if you don’t you’re asking for trouble), is a properly secure way of storing and retrieving your passwords. You guessed it – KeePass. Put all your FTP passwords in it, as well as other stuff if you like, such as WordPress admin passwords, database connection details, etc.

Easy as that, eh?

It certainly is. On my main development machine, I have KeePass running all the time, using its secure system tray mode (i.e. it locks the database when you minimise it and asks for the master password again when you restore it), and all my sites in FileZilla’s site manager are set to “ask for password each time”.

When I need to connect to a site to upload some new files, I restore KeePass, find the password, reveal and copy it using the mouse, then fire up FileZilla, select the site to connect to, and paste the password in when asked. KeePass clears the clipboard after a short, configurable timeout, so the password doesn’t sit there for other programs to pick up later; anything already running on the machine can still read the clipboard during that window, which is one more reason to keep the machine itself clean.

I back up my KeePass file to a USB key every week, which is then kept in a secure place, separate from my development machine. (The backup is the same encrypted file, so it is still protected by the master password and/or key file.) Oh, and I virus-check the machine each night.

Overall it takes me maybe 5 extra seconds to connect to an FTP site. In my book that’s a really small price to pay for some extra peace of mind.

Postscript

I’m aware there are other aspects to properly securing a development machine, and perhaps I’ll write about those at some point as well.

8 Comments

  1. On 05 Oct 2009 at 15:28, Bingo Tilbud said:

    Good idea – and especially good that KeePass is free software.

  2. On 17 Dec 2009 at 13:15, Tony McCreath said:

    As a website developer I have 100s of passwords to manage and constantly enter. I ended up using KeePass because you can set it up to auto enter passwords on a key press.

    And they are secure. Many work mates store passwords in plain text files and emails!

    As its cross application you can also switch browsers and it still works.

    I used it so much I wrote a free plug-in for it to import passwords from Firefox called ClockWork Firefox to KeePass Importer.

    p.s. Andy, It’s Tony from School

  3. On 10 Jan 2010 at 09:10, Baby Freebies said:

    Good tool, thanks for sharing.

  4. On 30 Jul 2010 at 13:11, Olly said:

    There is another virus/trojan doing the rounds that’s stealing FileZilla passwords from site manager and the “recent servers” file (which is all your quick connect entries STORED IN PLAIN TEXT even though you haven’t asked for them to be saved).

    I’m currently having to migrate over 200 websites from site manager to KeePass, and am looking for better FTP solutions!

  5. On 30 Jul 2010 at 13:25, ZigPress said:

    @Olly: yes, that one does the rounds every now and then. The thing is, FileZilla is by far the best Windows-based FTP solution (free or not). Your priority should be securing your PC against trojans – use a good AV with a rootkit detector (I use Avast), keep your firewall up, and never, ever, ever, use Internet Explorer. As the FileZilla developer says, if your system is insecure enough to let a trojan as far as your FileZilla settings file, you’ve got bigger problems.

  6. On 15 Apr 2011 at 10:42, engelkarten said:

    I have been using KeePass for a year or so now and it is great – more secure and all the passwords in the same place! Great thing.

  7. On 16 May 2011 at 02:09, Tierra Kaplowitz said:

    To Tony McCreath: Will check it out now. Thanks. To the webmaster: This is an incredibly important post. I’m not a web developer, but everyone would want to know about this. Thank you very much!

  8. On 04 Aug 2011 at 15:55, diewelt said:

    I like this useful tool, though I am sometimes a bit too lazy to put in all my new login data. Anyway, it feels much safer to have everything locked away!