The interwebz is a complex wasteland.
Almost every websites requires a login. And I don’t want to use the same password everywhere!
I have some categories in my “default” passwords, the simple password (19bit) for the “one-time-use” websites , the more complex ones (still only max 65 bit) for the “special sites” like facebook, google, of my hr department… Actually, my “toughest” password (my cronos admin password) only reaches 87 bits…
Anyway, when you’re on the internet for a couple of years, you gather some accounts.
Lots of them
LOTS OF THEM……
And in the beginning, it was fun.
You only have 1 computer, you only use 1 browser, you just store everything in there.
But then something new shows up.
You start experimenting with Firefox.
And you buy a laptop.
And you have a network profile at school, or at work.
Or you’re on a holiday and you need to login on your webmail.
You need something to sync all your information, and to make it all available wherever you are.
Same for bookmarks, but that’s another story…
The last couple of years I always made use of random sync tools. At first, the sync-tools from Mozilla itself, later on some other 3th party tools, but the last tool I got stuck with was xmarks. But last year it was bought by lastpass. So all my passwords were suddenly in their hands…
I’m not sure I like that…
But I kept using it, because it comes in damn handy!
All your password perfectly in sync between devices, nice plugin’s for every browser, and even a nice web interface!
But, still, you trust your password with someone else…
Anyway, this week I started doing some consultancy (read, they’re teaching me) for another Cronos Group Company working on InfoSec (another blogpost about this will follow!). And the first thing that happened when firing up my laptop in front of these guys, was firefox opening, and lastpass popping up…
10 seconds later, my new boss mentioned something like “goe bezig”, roughly translated to “nice going”
Anyway, today I present you: THE SOLUTION
You’re own sync tool build around keepass!
I’ve been using keepass as long as I can remember. It contains all my secrets, my passwords, my configs, my life. But I always used it off-line. I open it, copy paste something, close it and erase my clipboard.
Actually, it never occurred to me you can use it otherwise!
Until today, on my first hit on google: “keepass firefox” 😛
After trying out some random extensions, I kept using PassIFox. And it works! And it works gooood!
Just install the plugin for Firefox, you also need a plugin for lastpass (to enable an http web service), and you’re good to go! Uninstall lastpass, throw away all other 3th party related crap you don’t want to be associated with your passwords!
From now on, you only have 1 place you store your passwords in: your own aes-256 encrypted keepass db!
The really interested reader now wants to shout “you’re not syncing anything between computers!”.
But, then I would answer “you’re to soon with your remark” 😛
Put all of the above in a skydrive/dropbox/owncloud/anything, and you can run around using your passwords everywhere!
Some remarks on passifox: browse to any website with a login field, rmb -> fill user & pass. This is the ony known interface to the firefox plugin! Use this to setup the initial connect with lastpass (connect will appear).
Some remarks on the entire process: I always trusted sites like lastpass. I don’t know exactly why. But when you work for a InfoSec company, you can’t risk anything. Right? 🙂
Maybe it was of laziness, because lastpass just works that handy 😛 But in the end, so does passifox! So please, when you read this, thing twice about who you trust with what!
Remark on skydrive/dropbox/owncloud: even Microsoft’s skydrive can, in the end, leak information. Or I can forget to log off somewhere. Forget to logoff from any live-enable website and someone can have access to these files as well. Even when you run owncloud, your provider can be the target of an attack (happened in the Netherlands last week…). But hey, the only thing these “21the century burglars” can download, is an aes encrypted file! Good luck with that 🙂
Hell, with this setup you can even put an hidden truecrypt container in skydrive containing a portable firefox and keepass… But only, who’s that paranoid? 😛