Store all your passwords on all your devices securely & easily.

23 March 2014 on security, login, Bit Torrent Sync, Bit Torrent, cloud, KeePass, password, LastPass, Android

Difficulty: Easy

Geekyness Level: Trendy Nerd

Ingredients: Bit Torrent Sync, KeePass

You have probably heard more than once that using the same password across different sites, however strong it may be, is not a good idea. If one site suffers a breach, attackers can try the leaked credentials against the other sites you are registered with, on the reasonable assumption that your passwords are identical or very similar.

This article aims to give you some food for thought on the various ways to address this problem, plus the steps to follow the approach I use.

Online Password Managers

So the ideal solution is to have a completely different password for each and every site you use, and to change them regularly. However, given the plethora of web sites you have probably already registered with, remembering every single user ID and password is going to be a challenge.

This is where services such as LastPass and RoboForm come into play, centralising all your passwords in one place in the so-called cloud.

You can be almost anywhere, on any device with an internet connection, and retrieve any of your passwords once your master password has been verified. Other nice features include prompting you to save your password when you log in to a site for the first time; when you return, your credentials are entered automatically. All of this for the grand sum of: £FREE

Bear in mind that some sites store personal information such as your date of birth, first school or mother's maiden name in order to assist with password recovery. It is worth considering not using truthful answers, since they can often be looked up: Sarah Palin's Yahoo email account was compromised simply by abusing the password recovery mechanism with information gleaned from Wikipedia. A password manager is a good place to keep made-up answers as well.

Different Approach

Personally, I am not comfortable with the idea of storing sensitive data 24/7 in one location, as this approach introduces a single point of vulnerability. Also, when using something like LastPass, the question of where the sensitive data is stored is already answered for a potential adversary. In 2011 LastPass announced that it might have suffered a breach and recommended that all users change their master password.

This is not to say that online password managers are a terrible idea, as long as you make your master password as complex as you can reasonably remember and type in. However, I would like to try a different approach which eliminates the need for a single location and keeps me in firm control rather than relying on a third party.

BitTorrent to the rescue! And what better way to show that this protocol has many useful and legal purposes, other than allegedly single-handedly destroying the entertainment industry. Our weapons of choice for this exercise are KeePass as the password store and BitTorrent Sync to synchronise it across multiple devices.

So as you can see in the diagram above, there is no single point of storage; everything is synchronised across all the devices. This also means there is no single location for an adversary to attack. Nor is there a single point of failure, so you won't be stuck if you lose your net connection or a server goes down: every device holds a full copy of the database and can open it offline.

KeePass is open source and written for Windows (KeePass 2.x is C# on .NET). However, there are many ports for other operating systems, and on Linux and Mac the Windows build itself can be run with Mono. The full compatibility list and ports are here.

BitTorrent Sync is available for Windows, Linux, Android and OS X.

A Demo For You To Try

Here is a working example of sharing passwords between a PC and an Android device following the approach described above.

Step 1:

Let's first install the software needed on the PC side. Fire up your machine, then download and install:

  • BitTorrent Sync
  • KeePass

Dedicated how-tos on using KeePass can be found here, and for BitTorrent Sync over here.

Step 2:

Now let's store some passwords. The first time you start KeePass on your PC, you will be prompted to create a Composite Master Key (a master password, optionally combined with a key file):
Creating a Composite Master Key when first starting KeePass
This should be treated as the most important password you will ever know. It protects every other password in the database, including the copy that will end up on your phone, so it should be as strong as possible, but you must never forget it, because there is no recovery mechanism. How to form such a password goes beyond the scope of this article; there are plenty of guides on Google, however my personal favourite is this:

Step 3:

Now that you have a collection of passwords, we need the database as a single file that can be shared across devices. KeePass 2.x already saves the database as a .kdbx file in the location you chose when creating it; if you would rather keep a copy in a dedicated folder for syncing, select File >> Export.

There will be a sizeable number of file formats to choose from. For this exercise, selecting KeePass KDBX (2.x) will suffice. Either way, make a note of the folder containing the .kdbx file, as that is the folder we will synchronise.

Step 4:

Now install the software required on your Android device:

  • Keepass2Android
  • BitTorrent Sync for Android

Step 5:

Now to share the password database file (.kdbx) from Step 3.

Open BitTorrent Sync on your PC and, under the "Folders" tab, click "Add a Sync Folder" at the bottom. The window that pops up lets you generate a secret for the folder, so hit the "Generate" button, then click "Browse" to locate the folder containing the .kdbx file. Finally hit "OK".

So far you have made the folder available to be synchronised, but in order to share it with other devices you have to pass on the secret. Treat that secret like a password: whoever holds it can pull the folder, and even a read-only secret is enough to obtain a copy of the encrypted database. One of my favourite ways of sharing it is a QR code.

In BT Sync on your PC, right-click the folder you just made available for syncing, then click "Connect Mobile Device". This shows a QR code on screen and gives you the choice of sharing the folder with full access or read only. If a device only needs to look passwords up, not add them, give it the read-only secret.

Now open BT Sync on Android and tap the add new folder icon (highlighted in red in the screenshot above). Select the second option, "Scan QR Code", point your device at your PC screen, and that should do the trick.

There you have it! If you want to add another device, say an iPhone or a Linux PC, just install BitTorrent Sync and a KeePass port and share the same secret that you generated in Step 5.

Now if you add or change any of your passwords, BT Sync will automatically synchronise and update all the devices sharing that folder. One caveat: BT Sync copies files, it does not merge them. If you edit the database on two devices before they have synced, you will end up with conflicting copies, so make changes on one device at a time, or use KeePass's File >> Synchronize to merge a stray copy back in.

Some users have used a similar strategy with Dropbox as the means of storing the KeePass database file, and its client software doing the synchronisation. The trade-off is that a copy of the encrypted database then also lives on Dropbox's servers, not just on your devices.

The Cons?

That looks pretty easy, huh? But as the saying goes, there are many ways of skinning a cat, and this is not necessarily a silver bullet or even the best option for you. Here are some thoughts to consider.

Given that the BitTorrent protocol is used, one might think that your sensitive files can be read by other BitTorrent users. This is not the case with BitTorrent Sync: only devices holding the folder's secret take part, the secret is what peers use to authenticate each other, and the traffic between them is encrypted, so the files can only be seen by those you have shared the secret with, i.e. just yourself.

However, what has caused far greater concern is the fact that BitTorrent Sync is not open source. This makes it impossible to independently audit the source code and confirm that it has not been compromised by the likes of the NSA introducing nasties such as back doors. This topic has been discussed to death (just two of many links here and here) and, despite talk of making BT Sync open source, some users remain unconvinced and have even vowed never to use it.

However, for this particular objective I do not think this possible weakness poses much of a problem, for the following reasons:

  • Firstly, because of the way BitTorrent Sync works (good explanation here), only your own devices take part in the transfer and the traffic between them is encrypted, so an adversary on the network path sees ciphertext rather than the KeePass database file.

  • Secondly, unlike the cloud approach, the KeePass database is only "out in the wild" while BitTorrent Sync is transferring it, and a transfer only happens when the database has changed. An adversary would have to be in the right place at the right time to even attempt to intercept it.

  • Lastly, even if an adversary did somehow acquire the entire KeePass database file, it is encrypted (AES-256, with the key derived from your master password through many rounds of key transformation). Breaking the encryption itself is not something the Snowden revelations suggest even the NSA or GCHQ can do. What can be attacked is the master password, by guessing offline at a rate throttled by the transformation rounds: a weak master password falls to an average cyber criminal with a graphics card, a strong one does not. This is why Step 2 matters so much.
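The last two points rest on what an interceptor actually obtains. The following is an added example written for this article (it is not code from KeePass or BitTorrent Sync): it parses the unencrypted header of a .kdbx file, here a sample header constructed in the script rather than a real database, to show that the cipher, the seeds and the key-transformation round count all sit in the clear, and it estimates how long an offline guessing attack takes as a function of master-password entropy and that round count. The attacker throughput figure is an assumption for illustration, not a measurement.

```python
"""Inspect the unencrypted header of a KeePass 2.x (.kdbx) database and
estimate the cost of guessing its master password offline.

Added example for this article, not code from KeePass or BitTorrent Sync.
Standard library only. The sample header is constructed here following the
public KDBX 3.1 layout; it is not a real database and contains no secrets.
"""
import struct

KDBX_SIG1 = 0x9AA2D903  # first signature, common to all KeePass 2.x files
KDBX_SIG2 = 0xB54BFB67  # second signature for the KDBX (2.x) format
END_OF_HEADER = 0
CIPHER_ID, COMPRESSION, MASTER_SEED, TRANSFORM_SEED = 2, 3, 4, 5
TRANSFORM_ROUNDS, ENCRYPTION_IV, PROTECTED_STREAM_KEY = 6, 7, 8
STREAM_START_BYTES, INNER_RANDOM_STREAM_ID = 9, 10
CIPHER_NAMES = {
    bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256",
    bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"): "ChaCha20",
}


def _field(field_id, data):
    """KDBX 3.x header field: 1-byte id, 2-byte little-endian length, data."""
    return struct.pack("<BH", field_id, len(data)) + data


def build_sample_header(rounds=6000):
    """Constructed KDBX 3.1 header. Filler bytes stand in for the random
    seeds a real KeePass writes; 6000 rounds was the KeePass 2.x default."""
    fields = [
        _field(CIPHER_ID, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")),
        _field(COMPRESSION, struct.pack("<I", 1)),             # 1 = gzip
        _field(MASTER_SEED, bytes(range(32))),
        _field(TRANSFORM_SEED, bytes(range(32, 64))),
        _field(TRANSFORM_ROUNDS, struct.pack("<Q", rounds)),
        _field(ENCRYPTION_IV, bytes(range(16))),
        _field(PROTECTED_STREAM_KEY, bytes(range(64, 96))),
        _field(STREAM_START_BYTES, bytes(range(96, 128))),
        _field(INNER_RANDOM_STREAM_ID, struct.pack("<I", 2)),  # 2 = Salsa20
        _field(END_OF_HEADER, b"\r\n\r\n"),
    ]
    # version is one uint32: minor in the low half, major in the high half
    return struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3) + b"".join(fields)


def parse_header(blob):
    """Return what an interceptor learns from a .kdbx file without any key.

    Raises ValueError for anything that is not a well-formed KeePass 2.x header.
    """
    if len(blob) < 12:
        raise ValueError("too short to be a KDBX file")
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KeePass 2.x database")
    size_fmt = "<BI" if major >= 4 else "<BH"  # KDBX 4 widened the length field
    size_len = struct.calcsize(size_fmt)
    pos, fields = 12, {}
    while True:
        if pos + size_len > len(blob):
            raise ValueError("truncated header")
        field_id, length = struct.unpack_from(size_fmt, blob, pos)
        pos += size_len
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated header field")
        pos += length
        if field_id == END_OF_HEADER:
            break
        fields[field_id] = data
    compression = struct.unpack("<I", fields.get(COMPRESSION, b"\0\0\0\0"))[0]
    info = {
        "version": (major, minor),
        "cipher": CIPHER_NAMES.get(fields.get(CIPHER_ID), "unknown"),
        "compression": "gzip" if compression == 1 else "none",
        "body_offset": pos,  # the encrypted payload starts here
    }
    if TRANSFORM_ROUNDS in fields:  # KDBX 3.x only; KDBX 4 moves this into KDF parameters
        info["transform_rounds"] = struct.unpack("<Q", fields[TRANSFORM_ROUNDS])[0]
    return info


def expected_crack_seconds(password_bits, transform_rounds, aes_blocks_per_second):
    """Expected time to guess a KDBX 3.x master password offline.

    Every guess runs transform_rounds rounds, each encrypting the two 16-byte
    halves of the composite key with AES-256-ECB; the SHA-256 steps around it
    are ignored as comparatively cheap. On average half the space is searched.
    aes_blocks_per_second is an assumed attacker throughput, not a measurement.
    """
    blocks_per_guess = 2 * transform_rounds
    average_guesses = 2 ** password_bits / 2
    return average_guesses * blocks_per_guess / aes_blocks_per_second


if __name__ == "__main__":
    header = build_sample_header()
    print(parse_header(header))
    for bits in (28, 40, 80):  # a weak, a middling and a strong master password
        days = expected_crack_seconds(bits, 6000, 1e9) / 86400
        print(f"{bits}-bit master password: about {days:,.0f} days at 1e9 AES blocks/s")
```

To run it against a real database, read the first few hundred bytes of the file in binary mode and pass them to parse_header. The estimate makes the security-relevant point: the round count multiplies the attacker's work linearly, but the master password's entropy multiplies it exponentially, and nothing in the header is secret. The database is only as safe to replicate across phones and PCs as the master password is strong.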

It would probably be sensible for your most sensitive logins, such as your primary email and bank account (i.e. only three or four accounts), to be stored in one of the most underrated password managers: your own brain. Your primary email in particular is the recovery route for most of your other accounts.

Closing Notes

I hope this has been useful and has raised awareness of the issues discussed. I will always be equally interested in your views and in how you might tackle this topic.

Dre

GeekEnd Project © 2026