Episode: 23
Title: HPR0023: Software Review: K e e P a s s
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0023/hpr0023.mp3
Transcribed: 2025-10-07 10:23:57

---

Hello and welcome to Hacker Public Radio. I am Stank Dog with you on this short edition of HPR today. We're going to be doing a little software review of a handy little application that I've been using recently called KeePass. That's K-E-E-P-A-S-S. You can find out a little bit more about it on your own and download it at keepass.info. That's K-E-E-P-A-S-S dot info.

What this application is, as you may have guessed from the name, is a piece of software that you can use to store all of your accounts, user names, passwords, and notes or other information, server names, things like that, all in one convenient location. Now, you may be thinking to yourself, I already do that. I store that information in Excel or Notepad or a TXT file or something like that. But the problem with those is, sure, they get the job done as far as storing passwords, but they're not really the most reliable and safe way to store data because it's keeping things in plain text. So even if you are to attach a password and lock up your Excel file, for example, it's still not the greatest algorithm in the world and can be cracked.

That's where one of the first features of KeePass stands out for me. All of the information is stored into one database. One database contains all that information, and that database is encrypted. That's the nature of what the software does. So it's going to completely encrypt, using AES 256-bit cryptography, protecting the database itself, which means not just your passwords, but even the user names and even the site names, every single bit of data is stored in a highly encrypted database. That's the first thing. Secondly, inside of that database, the passwords are actually hashed. So they're hashed with a, excuse me, I guess maybe I should clarify here, the password is hashed with a 256-bit key, and then the actual database itself is encrypted as well. So you have two things happening in there to protect data once you've opened the application, and then you have something in case, something that encrypts the entire database in case you were to, for example, lose that file, or somebody were to somehow get access to your computer or remotely hack into your computer and get the file. The database file itself is encrypted, so they wouldn't be able to do too much with it with such a high encryption algorithm, such an advanced encryption algorithm on it. It's going to be difficult for them to crack it, even if they were to get their hands on it. So that's something very important and actually very good for even business use. Now I'm using this personally at home, but I also use this for my job where I have a lot of applications, or a lot of servers, I guess I should say, with lots of different user names and passwords. So I've begun storing a lot of that information, a lot of those accounts, in this application. So very cool, very interesting application.

The couple other things that it does that are worth mentioning: all of this is stored into the database file, and sure, the database is encrypted and all that, but how do you, as a user, get into it? Well, the entire database is encrypted and you can gain access to your database one of two ways. Well, one of three ways really. The first and most obvious way is to put a password on the application itself. Obviously you want to use a strong password, and standard password rules apply here. If you put a crummy password on it and somebody does get the file and works to just do an old-fashioned brute force or guessing of what your password might be, you know, if you use the word "password" or any of the traditional things like that, then not only did they crack into the database and open the file, decrypt the file, but they also have access to all of your other user names and passwords. So it is a single point of failure. So you have to notice that and you have to respect that. So you should put a very strong password in place to protect this.

Well, that's where the second thing comes in. The other way you can also protect this is to actually write a key file. It will generate a random key, and you can store that key file so that you need the key file to access it. So for example, if you were to install this on a computer that you use and store the database on there, it's encrypted, but only if someone has the key file physically in their possession could they get in and access it. So if, for example, and just to be hypothetical, law enforcement were to get your computer and want to try to access this database with all your user names and passwords, they would need the key file to do it. Obviously you don't want to put the key file right on the same computer, because then they've got access to it and therefore anything contained in the database.

So that's where the third thing comes in, and probably the best scenario, is to have dual-factor authentication where you have to A) enter a known password and B) also have that key file physically available. So this is handy in a couple of ways. Again, I pointed out the weaknesses in the way the other two methods of security fail, but when you combine these together, you give yourself something interesting. And actually it's very functional in a way, and let me explain. You can have this installed in multiple locations. You can make the database portable and carry it around with you on a USB key, or copy it from one system to another and have it in multiple locations in case you can't get access to another one. Or, excuse me, you can install the key file on a USB key and carry it with you. That way, at every computer that you're at, you simply put in the USB key or memory card or whatever else and have the key with you to open that database. So you can actually install the database in multiple locations and just carry that key around with you on your USB key, which is pretty much the definition of where the word comes from, and have access to it.

Another thing that you can do, and KeePass even offers this on their site: you can download a portable version, which does exactly what I described. There's a Windows installer, but what I use is just the portable installer, and you can install the entire thing onto a key drive, leave the .key file on the computers and carry the database around with you encrypted, and have the .key file copied to all the locations where you think you might access it, and just put the drive in. So now you've got the database available, and it looks for the key file on that local drive. So you can do it one of those two ways. So you've got some flexibility there, and you still type in your password. So what that does is, in any scenario, if you were to lose your USB key or memory card or whatever storage medium you've used, no one can really do anything with it when they find it, because they don't have the key file, or they don't have the database if they have the key file. So they're not all together in one place. Now that idea, of course, would be to put all of that on your USB key, the key file right there with the database, so that they'd have the access. You still got the password protection, which again, like I said, if you use a strong password you still have that, but it's still a bad idea to put all of that together. The best case scenario is to separate the key file from the encrypted database.

Something else that they offer that's kind of cool is that this has been ported. I should also point out this is open source software, so you can find the source code, browse it and make sure it is doing what you think it is doing, the great thing about open source of course, or do what other people have done, and that is port it. There are actually versions of KeePass for your cell phones, Pocket PCs, Windows Mobile 6, 5, etc., etc. It's been ported to Linux and Mac OS X. I actually think there's a universal, platform-independent version that has been ported out of that as well. There's a BlackBerry version, a Palm OS version, etc., etc. So there's lots of different versions of this, which is great. The main version, I guess the one most everybody uses, is the Windows installer, for obvious reasons, but you could use this in just about any environment. The other cool thing is you can have multiple user keys, which could come in handy, and you could have multiple people using one application, or different key files or different accounts, etc., etc. I don't really have the need of that, quite frankly. I just needed one secure place to store all my passwords instead of having them scribbled here or memorized there, etc., etc., or in different files or emails. Some of these advanced features are not something that I'll ever see myself using. However, they could come in handy depending on what your needs are.

One of those is that it has a lot of great export features. You can export all the information, the user names and passwords, out to different formats, from plain old TXT files to XML files, comma-separated value files, etc., etc., and then import them into other applications. So that would be cool if for some reason you did want to switch software and try something else, or convert that data out into another application, or store it someplace else. You're not stuck with your data stored in a proprietary system and having to type it all over again in a new application. You can export that data and import it somewhere else and do whatever it is you want to do with it. So that's pretty cool.

Again, I mentioned how portable it is. You can put notes in there to describe exactly what it goes to, to help you remember maybe how to use it or what application it is. There's a field in there to store a URL for websites. Navigation is pretty simple. You can put together a little tree, a traditional tree environment, and group things by category. It comes defaulted with several common ones like Internet, Email, etc., so you can store email accounts in one tree and store your internet access accounts to different websites or whatever in another. But it's customizable. A bunch of little icons come with it, so you can create subgroups with their own custom icons if that floats your boat, and I've actually used that for a few other things.

So all in all, I'd say this is a very good application. Again, if you want to check this out, you can go to keepass.info. That's k-e-e-p-a-s-s dot i-n-f-o. Go check it out. Go check out some of the plugins. It does allow you to write plugins, so that's kind of cool. And again, it is open source, so that is something we always support here at Hacker Public Radio. Thank you for listening and we will see you tomorrow.

Thank you for listening to Hacker Public Radio. HPR is sponsored by caro.net, so head on over to caro.net for all of us here.
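As an added illustration, not part of the episode and not KeePass's own code, here is a small Python model of the unlock scheme the host describes: a master password and a key file are each hashed, combined into one composite key, stretched with a work factor so that each guess is slow, and checked against a verifier stored in the database header. Everything here is an assumption made for the demonstration: the function names, the verifier construction, the use of PBKDF2-HMAC-SHA256 as a stand-in for KeePass's own key transformation, the round count, and the sample key file bytes. The point it shows is the "single point of failure" versus "dual factor" argument from the review: with both factors set, neither a correct password alone nor the key file alone opens the database, and a guessed password is only useful to someone who also holds the key file.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample key file contents. KeePass generates a random key file for you;
# this fixed value exists only so the demonstration is deterministic.
KEY_FILE_BYTES = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)

# Assumed work factor for key stretching (higher means slower guessing).
ROUNDS = 100_000
VERIFIER_LABEL = b"keepass-demo-verifier"  # assumed fixed label for the check value


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Combine whichever factors the user supplied into one 256-bit key.

    Each factor is hashed on its own, then the hashes are hashed together, so the
    result depends on every factor that is present. Leaving a factor out yields a
    completely different key, which is why a missing key file cannot be "skipped".
    """
    if password is None and key_file is None:
        raise ValueError("at least one factor (password or key file) is required")
    outer = hashlib.sha256()
    if password is not None:
        outer.update(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        outer.update(hashlib.sha256(key_file).digest())
    return outer.digest()


def stretch_key(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Slow down every unlock attempt with a salted, iterated derivation.

    PBKDF2-HMAC-SHA256 is used here as a stdlib stand-in; it is NOT the transform
    KeePass itself applies, only an illustration of the same idea.
    """
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def verifier_for(key: bytes) -> bytes:
    """Derive a check value from the final key without exposing the key itself."""
    return hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()


def create_database(password: Optional[str], key_file: Optional[bytes],
                    rounds: int = ROUNDS) -> dict:
    """Build the header a database file would carry next to its ciphertext.

    The salt and round count are stored in the clear (they are not secret); the
    verifier lets unlock() tell a right key from a wrong one. The actual AES-256
    encryption of the entries is left out because the unlock logic is the subject.
    """
    salt = secrets.token_bytes(32)
    key = stretch_key(composite_key(password, key_file), salt, rounds)
    return {"salt": salt, "rounds": rounds, "verifier": verifier_for(key)}


def unlock(header: dict, password: Optional[str], key_file: Optional[bytes]) -> bool:
    """Recompute the key from the supplied factors and compare in constant time."""
    try:
        composite = composite_key(password, key_file)
    except ValueError:
        return False
    key = stretch_key(composite, header["salt"], header["rounds"])
    return hmac.compare_digest(verifier_for(key), header["verifier"])


def demo(rounds: int = ROUNDS) -> dict:
    """Exercise the three setups from the review and report which attempts succeed."""
    header = create_database("correct horse battery", KEY_FILE_BYTES, rounds)
    return {
        "password_and_keyfile": unlock(header, "correct horse battery", KEY_FILE_BYTES),
        "password_only": unlock(header, "correct horse battery", None),
        "keyfile_only": unlock(header, None, KEY_FILE_BYTES),
        "wrong_password": unlock(header, "password", KEY_FILE_BYTES),
        "wrong_keyfile": unlock(header, "correct horse battery", b"\x00" * 32),
    }


if __name__ == "__main__":
    for attempt, opened in demo().items():
        print(f"{attempt:22s} -> {'opened' if opened else 'refused'}")
```

Running it prints one line per attempt; only the row with both the right password and the right key file reports "opened". The salt and round count living in the header in the clear is normal: they are there to make each guess expensive and unique to this file, not to be secret, which is why the host's advice to keep the key file away from the database still matters.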