In the past 6 months, I was introduced to KeePass Password Safe (keepass.info). It’s a password manager that, given a single master password, lets users store passwords for all their computing needs. It’s simple enough that using a unique, strong password or passphrase for every resource becomes practical.

KeePass encrypts the password database with AES-256. It lets you store a password along with some metadata; then Ctrl+B on an entry copies the username and Ctrl+C copies the password. The clipboard auto-clears after a configurable interval (by default 12 seconds in 2.x and 5 seconds in 1.x).

The security concern with KeePass, as with password managers of all kinds, is that it is a single point of failure. If the database is stolen and the user has not chosen a strong (brute-force and dictionary resistant) master password, then all of the user’s passwords may be compromised. If the database is lost, all of the user’s passwords are lost, which is a huge hassle. My answers to these problems are:

  • A single strong passphrase
  • Dropbox + PortableApps platform

I use Dropbox to store my PortableApps platform, which allows me to carry my PortableApps to any computer that has Dropbox installed. KeePass is one of those apps. Because the database lives in Dropbox, it is always up to date no matter which machine I edit it from (e.g., if I update a password on my laptop, the update shows up on my desktop automagically). I use a strong passphrase to protect the database and let KeePass do the rest of the heavy lifting (in this case, remembering a slew of unique, crazy passwords).

KeePass 1.x does not require .NET, but the plugins are not as cool. KeePass 2.x requires .NET Framework 2.0 or Mono, so keep that in mind when figuring out how you want to proceed. The two seem to be functionally the same out of the box (though I haven’t done a thorough feature diff).
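To put some numbers behind the "single strong passphrase" advice above, here is a small added example (my own illustration, not KeePass code). It compares the entropy of a random 8-character password with a random 5-word passphrase, stretches a master passphrase with PBKDF2-HMAC-SHA256 (an assumed stand-in for KeePass's own key transformation, which this post does not describe), and estimates how long an exhaustive search would take at a measured guess rate. All sizes and the salt are constructed assumptions.

```python
import hashlib
import math
import time

# Constructed policy assumptions (not from the post):
# a random 8-character password from the 95 printable ASCII characters, and
# a random 5-word passphrase from a 7776-word Diceware-style list.
PASSWORD_ALPHABET = 95
PASSWORD_LENGTH = 8
WORDLIST_SIZE = 7776
PASSPHRASE_WORDS = 5

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols, each chosen uniformly from `choices`."""
    return length * math.log2(choices)


def stretch_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key from the master passphrase with PBKDF2-HMAC-SHA256.

    This is an assumed stand-in for KeePass's key transformation; the point is
    that every guess an attacker makes must pay the same iteration cost.
    """
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, salt: bytes = b"constructed-salt") -> float:
    """Measure the single-core cost of one wrong guess at this iteration count."""
    start = time.perf_counter()
    stretch_key("wrong guess", salt, iterations)
    return time.perf_counter() - start


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected years to find a secret of `bits` entropy by exhaustive search.

    On average the attacker tries half the keyspace before hitting the secret.
    """
    guesses = 2 ** (bits - 1)
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def compare(iterations: int = 60000) -> dict:
    """Summarise password vs. passphrase strength under the measured guess cost."""
    rate = 1.0 / seconds_per_guess(iterations)  # guesses per second, one core
    pw_bits = entropy_bits(PASSWORD_ALPHABET, PASSWORD_LENGTH)
    pp_bits = entropy_bits(WORDLIST_SIZE, PASSPHRASE_WORDS)
    return {
        "guesses_per_second": rate,
        "password_bits": pw_bits,
        "passphrase_bits": pp_bits,
        "password_years": expected_crack_years(pw_bits, rate),
        "passphrase_years": expected_crack_years(pp_bits, rate),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>20}: {value:,.2f}")
```

The measured rate is for one CPU core with a software PBKDF2, so real attackers with GPUs or many cores will do far better; the relative gap between the two secrets (roughly 12 bits, i.e. about 4000 times more work for the passphrase) is the part that carries over, which is why the post leans on a single long passphrase.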

An important decision by the U.S. District Court of Appeals for the Northern District of Florida has ruled that your 5th Amendment rights protecting you from self-incrimination also protect you from providing the encryption password to authorities. Yeah, that just happened. (link)

Up to this point, the DOJ claimed such a request was just an extension of prosecutors’ ability to assemble potential evidence during a trial. (link)

The take-away here is that we should all be using encryption more earnestly to protect our privacy (from all potential consumers of that private information) and that what is in your head is still legally protected from discovery by the 5th Amendment to the US Constitution. This isn’t something to take lightly! Here are some tips to help with the effort:

TrueCrypt
GnuPG
Gpg4Win
PGP Whole Disk Encryption
Coding Horror: Passwords vs Pass-Phrases

I found this little gem waiting for me to approve. I get a bit of spam that Akismet doesn’t toss automatically, but this one struck me as an absolute failure to come across as human. It also struck me that Akismet didn’t toss this one automatically... :-\

Russ McRee over at HolisticInfoSec.org wrote a great article about Mandiant Highlighter, which Jason Luttgens and I wrote. We just released a minor bug fix version, 1.1.3. Here’s the link.

holisticinfosec.blogspot.com/2011/10/toolsmith-log-analysis-with-highlighter.html

Here’s the link to the download:

www.mandiant.com/products/free_software/highlighter/

Here’s a link to the forums:

forums.mandiant.com/forum/highlighter

21Sep11

Highlighter v1.1.3 has been released. Check out the sweet blog post by yours truly over at blog.mandiant.com/.