Why Web Developers should use KeePass
This is a very old post. These days I recommend using LastPass.
What is KeePass?
KeePass Password Safe, to give it its full name, is a free, open-source, password manager available on multiple platforms and also suitable for self-contained operation on a USB stick. The official build is for Windows though it has been ported to Linux, Mac, Blackberry, iPhone, etc.
Disclaimer: I have no commercial or other interest in KeePass, or any relationship with its developers.
How does it work?
Essentially KeePass is a simple database program that allows you to store structured and free-text information about your passwords, sign-ons, bank details, etc., and categorize them into groups for ease of retrieval. This information is stored in a single encrypted file, which KeePass then allows (in fact requires) you to protect by means of a master password and/or a key file. Using both together is strongest; a key file on its own is only as safe as the place you keep that file, and a master password of reasonable length on its own is probably good enough.
Why would I want it?
So, you’re a website designer or developer. You create websites on a local PC, then you upload them to some live hosting space when they’re ready, using FTP.
The key word here is FTP. Most FTP programs allow you to store multiple sets of FTP access details, so you can reconnect to sites with a couple of clicks, instead of retyping the server, username and password every time. Most FTP programs call this the “site manager” or some variation on that theme.
Although many FTP programs obfuscate these details in some way when they store them, the scheme is weak (typically a fixed key or a simple transformation built into the program itself, so anything that knows the scheme can reverse it) and has been broken in most cases. Just surf to this site for a moment if you don’t believe me.
And in fact, my favourite FTP program, FileZilla, doesn’t encrypt access details at all: they sit in sitemanager.xml in your user profile as plain text. The developer’s attitude is that if you need to rely on FTP site manager encryption as a last line of defence, you’re in bigger trouble than you think.
Why is this a problem? Because there is a large family of malware whose sole purpose, should it manage to infect your machine, is to hunt out your FTP program’s site manager data and send it to whoever is operating it, wherever in the world they happen to be. That person will then run automated scripts that log in with your credentials and add hidden, malware-loading iframes to every page on your sites. And with the best will in the world, you could get infected with one of these viruses one day.
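The symptom of that attack is easy to check for yourself: a small scanner that walks your pages and flags iframes that are invisible to a visitor. This is an added example, not code from the original post; the sample pages are constructed here, the hostnames are dummies, and the "hidden" heuristics (display:none, visibility:hidden, 1x1 or 0x0 size, off-screen absolute positioning) are my own choices, not an exhaustive list of what injected iframes look like.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not from any real site): one clean page, one
# with the kind of injected iframe described above, one with a legitimate
# visible embed that must not be flagged.
SAMPLE_PAGES = {
    "index.html": "<html><body><h1>Welcome</h1><p>Hello</p></body></html>",
    "about.html": (
        "<html><body><p>About us</p>"
        '<iframe src="http://example.invalid/loader.php" '
        'width="1" height="1" style="visibility:hidden"></iframe>'
        "</body></html>"
    ),
    "contact.html": (
        "<html><body><p>Map</p>"
        '<iframe src="https://maps.example.test/embed" '
        'width="600" height="400"></iframe>'
        "</body></html>"
    ),
}


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser gives attrs as (name, value) with value possibly None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristic: does this iframe render invisibly to a normal visitor?"""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def tiny(value):
        match = re.match(r"^\s*(\d+)", value or "")
        return match is not None and int(match.group(1)) <= 1

    if tiny(attrs.get("width")) and tiny(attrs.get("height")):
        return True
    if "position:absolute" in style and ("left:-" in style or "top:-" in style):
        return True
    return False


def find_hidden_iframes(pages):
    """Return [(filename, src)] for every iframe that looks hidden.

    `pages` maps a file name to its HTML text; in practice you would read
    the files from your local copy of the site or from the live server.
    """
    hits = []
    for name, html in pages.items():
        collector = _IframeCollector()
        collector.feed(html)
        for frame in collector.iframes:
            if _is_hidden(frame):
                hits.append((name, frame.get("src", "")))
    return hits


if __name__ == "__main__":
    for filename, src in find_hidden_iframes(SAMPLE_PAGES):
        print(f"{filename}: hidden iframe pointing at {src}")
```

Run it over a download of the live site rather than your local copy; the local copy is exactly what the attacker never touched, so a diff between the two is the quickest way to spot what was injected.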
However, what FileZilla and a number of other FTP programs will let you do is force them to ask you for the password each time you want to connect to a site. Other details such as the server name, username, active or passive transfer, etc, are still stored to save retyping.
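Whether you actually switched every site to that setting is worth checking rather than assuming. The following is an added example, not the post's own code or anything shipped with FileZilla: it parses a FileZilla sitemanager.xml (found at %APPDATA%\FileZilla\sitemanager.xml on Windows and ~/.config/filezilla/sitemanager.xml on Linux) and lists the entries that still carry a password on disk. The sample file is constructed here with dummy hosts and passwords; the Logontype numbering and the optional base64 encoding attribute on Pass (newer FileZilla versions base64-encode the value, which is encoding, not encryption) are my reading of the format and should be checked against your own file.

```python
import base64
import xml.etree.ElementTree as ET

# Logon types as written by FileZilla (assumption: values match the
# FileZilla version you run; compare with your own sitemanager.xml).
LOGONTYPE = {
    0: "anonymous",
    1: "normal (password stored)",
    2: "ask for password",
    3: "interactive",
    4: "account",
    5: "key file",
}

# Constructed sample in the shape FileZilla writes (not copied from any
# real installation; hosts are .invalid and passwords are dummies).
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.site-a.invalid</Host><Port>21</Port><Protocol>0</Protocol>
      <User>siteA</User><Pass>hunter2</Pass><Logontype>1</Logontype>
      <Name>Site A (plaintext)</Name>
    </Server>
    <Server>
      <Host>ftp.site-b.invalid</Host><Port>21</Port><Protocol>0</Protocol>
      <User>siteB</User><Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Logontype>1</Logontype>
      <Name>Site B (base64)</Name>
    </Server>
    <Server>
      <Host>sftp.site-c.invalid</Host><Port>22</Port><Protocol>1</Protocol>
      <User>siteC</User><Logontype>2</Logontype>
      <Name>Site C (ask)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def recover_password(pass_el):
    """Return the stored password as text, or None if nothing is stored.

    Demonstrates that base64 is trivially reversible: the malware the post
    describes does exactly this.
    """
    if pass_el is None or pass_el.text is None:
        return None
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8", "replace")
    return pass_el.text


def audit_sitemanager(xml_text):
    """One finding per <Server>: who it is and whether a password is on disk."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        logontype = int(server.findtext("Logontype", "0"))
        password = recover_password(server.find("Pass"))
        findings.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "logontype": LOGONTYPE.get(logontype, f"unknown({logontype})"),
            "password_on_disk": password is not None,
            "recovered": password,
        })
    return findings


def sites_with_stored_passwords(xml_text):
    """Names of the entries you still need to switch to 'ask for password'."""
    return [f["name"] for f in audit_sitemanager(xml_text) if f["password_on_disk"]]


if __name__ == "__main__":
    for finding in audit_sitemanager(SAMPLE_SITEMANAGER):
        flag = "STORED" if finding["password_on_disk"] else "ok"
        print(f"{flag:6} {finding['name']} ({finding['user']}@{finding['host']}, "
              f"{finding['logontype']})")
```

Point it at your real file (read the path into xml_text) and fix every entry it flags; an entry with Logontype 2 and no Pass element is what the "ask for password each time" setting looks like on disk.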
So, all you now need (assuming you make each of your passwords different – and to be honest if you don’t you’re asking for trouble), is a properly secure way of storing and retrieving your passwords. You guessed it – KeePass. Put all your FTP passwords in it, as well as other stuff if you like, such as WordPress admin passwords, database connection details, etc.
Easy as that, eh?
It certainly is. On my main development machine, I have KeePass running all the time, using its secure system tray mode (i.e. it locks its file when you minimise it and asks for the master password again when you click it), and all my sites in FileZilla’s site manager are set to “ask for password each time”.
When I need to connect to a site to upload some new files, I restore KeePass, find the password, reveal and copy it using the mouse, then fire up FileZilla, select the site to connect to, and paste the password in when asked.
I back up my KeePass file onto a USB key every week, which is then kept in a secure place, separate from my development machine. Oh, and I virus check the machine each night.
Overall it takes me maybe 5 extra seconds to connect to an FTP site. In my book that’s a really small price to pay for some extra peace of mind.
I’m aware there are other aspects to properly securing a development machine, and perhaps I’ll write about those at some point as well.