Password Safe

Password Safe is a free Windows password-storage utility. These days, anyone who is on the Web regularly needs too many passwords, and it's impossible to remember them all. I have long advocated writing them all down on a piece of paper and putting it in your wallet.

I designed Password Safe as another solution. It's a small program that encrypts all of your passwords using one passphrase. The program is easy to use, and isn't bogged down by lots of unnecessary features. Security through simplicity.

Password Safe 2.11 is now available.

Currently, Password Safe is an open source project at SourceForge, and is run by Rony Shapiro. Thank you to him and to all the other programmers who worked on the project.

Note that my Password Safe is not the same as this, this, this, or this PasswordSafe. (I should have picked a more obscure name for the program.)

It is the same as this, for the PocketPC.

Posted on June 15, 2005 at 1:35 PM • 41 Comments

Comments

Moderator • June 16, 2005 12:41 PM

I think the comments on this entry must have been set to "closed" accidentally. I've turned them back on.

Anonymous • June 16, 2005 6:58 PM

I wondered why Israel Torres hadn't put some inane comment in here.....

kev • June 16, 2005 10:55 PM

on linux, in the kde environment, there is the 'kde wallet', built into kde, which is a similar concept. any password remembered by any kde program gets stored in the wallet. you must enter a passphrase of course to unlock the wallet. it can be configured to stay unlocked for a while for convenience.

also, OS X has a similar concept (the keychain) but to make it 'simpler' it uses your login password by default (i think you can change it to a different passphrase if you like). the keychain allows you to put arbitrary encrypted notes in it too.

mdw • June 17, 2005 4:30 AM

@hbot

Will there be a GNU/Linux version too? PasswordSafe 2.11 has GNU/Linux versions.

Tobias • June 17, 2005 8:51 AM

I have a rather dumb question. Why is Bruce claiming that putting a piece of paper with all your passwords in your wallet is a good idea(tm)? The thought lets the hairs on my neck and arms stand upright in utter shock! ;-) Wallets get stolen every day. It is probably more likely that your wallet gets stolen than you get cheated on Ebay.

Take myself for example, I am a rather paranoid person. I only keep things in my wallet that I can afford to lose. I never carry large amounts of money in it. I even make copies of documents instead of carrying the originals where this is possible. And I definitely don't carry valuable information in my wallet.

IMHO it's not a good idea to keep carrying passwords on a piece of paper with you. Imagine you leave your wallet out of sight for just half a minute. Control yourself and make a mental note whenever you notice your wallet has been accessible to somebody for as much time as necessary to peek at the insides. Someone could open it, peek at your passwords and put them back in. You'll never know it! In the age of digital photography (almost every mobile phone carries a digital camera today) it takes only seconds to make a copy of a piece of paper.

I have a small USB stick I carry with me. It houses an encrypted file that I can mount as a loopback device using any Linux system with dmcrypt. If I lose this stick I can be pretty confident that nobody will be able to read the contents. I have a backup of the file on my workstation at home. The file houses passwords, my SSH keys, GnuPG keys and other information I'm not keen on sharing with a wider audience.

I'm thinking about installing a small graphical Linux installation on a 2.2GB USB stick in addition to the existence of my encrypted loopback file so that I can boot into a trusted system on foreign hardware and mount my file on a trusted system whenever needed. So far, I have been carrying a Live CD like Knoppix with me for this purpose, but I like the idea of security in your pocket which is rather painful in the case of CDs...

regards,
Tobias

Tobias D. Robison • June 17, 2005 3:31 PM

It would be very useful to have an open source program like this on the Palm PDA and also the desktop. I wish this program were ported to the Palm OS.

(But note: there are approximately 80 programs that encrypt passwords on the Palm. I used to keep a list but lost interest when I had over 70 of them. I could never figure out why someone would write a new one and try to sell it, considering the competition.)
- Tobias D. Robison

Saxon • June 17, 2005 3:52 PM

I haven't downloaded this yet, so it may already have this feature, but is there a way that this can also track the age of the passwords you enter? That way you'll know when one is getting close to needing to be changed. I.e. if your company network password has to be changed every 90 days, when you enter it into the safe, you can also enter the 90-day valid window, and when you get close it will let you know.
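The expiry tracking Saxon describes, as an added example that is not part of the original post and not Password Safe's own code: each stored entry records the date the password was set and its validity window (90 days for the corporate policy in the comment), and a helper lists the entries that are within a warning period of expiry or already overdue. Entry names, dates and the 7-day warning threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class SafeEntry:
    """One stored credential with the date it was set and its validity window."""
    name: str
    set_on: date
    valid_days: int  # e.g. 90 for a policy that forces a change every 90 days

    def expires_on(self) -> date:
        """Date on which the password must have been changed."""
        return self.set_on + timedelta(days=self.valid_days)

    def days_left(self, today: date) -> int:
        """Days until the password must be changed; negative means overdue."""
        return (self.expires_on() - today).days


def due_for_change(entries, today: date, warn_days: int = 7):
    """Names of entries expiring within warn_days, including ones already overdue."""
    return [e.name for e in entries if e.days_left(today) <= warn_days]


if __name__ == "__main__":
    # Constructed sample entries; names and dates are illustrative only.
    entries = [
        SafeEntry("corp-network", date(2005, 6, 1), 90),
        SafeEntry("webmail", date(2005, 6, 10), 180),
    ]
    today = date(2005, 8, 25)
    for e in entries:
        print(f"{e.name}: expires {e.expires_on()}, {e.days_left(today)} days left")
    print("due for change:", due_for_change(entries, today))
```

Keeping the expiry date derived from `set_on` plus the window, rather than stored separately, means changing the password and updating `set_on` is enough to reset the countdown.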

Sean Barrett • June 17, 2005 4:15 PM

One idea I've been tossing around for many years is to have the user have a single passphrase for all sites and have the browser (or whatever) hash the passphrase and the domain name together to create the actual password.

This has the advantage that the user can work from any location without having to bring their encrypted password file with them, and several disadvantages--if you want to change the password to one site only, you now have to remember which passphrase you used with which site (it returns us to different passwords per site); people don't need access to your password file to get all your passwords if they get your passphrase; if a site changes its domain name there are issues (although I assume this is no different than SSL certificates?).

I'm not a security expert though so perhaps there are other problems. The reason I've never pursued this isn't due to security but the technical problem of actually getting it into browsers so when you go login at a net cafe the tech is available.
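The derivation Sean sketches, as an added example that is not the commenter's code and not part of Password Safe: one master passphrase and the site's domain go into a slow hash (PBKDF2-HMAC-SHA256 here, an assumed choice) and the output is encoded as the site password. It goes slightly beyond the comment by normalising the domain and by adding a per-site rotation counter, which lets one site's password be changed without touching the others. The iteration count, the 16-character output length and the sample sites are assumptions for the example.

```python
import base64
import hashlib

# PBKDF2 work factor; an assumed value for this example, not a recommendation.
ITERATIONS = 200_000


def normalize_domain(domain: str) -> str:
    """Canonicalise the site name so 'WWW.Example.com.' and 'example.com'
    derive the same password. A site that actually renames its domain still
    derives a different password, the limitation the comment above notes."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    return d


def derive_site_password(master: str, domain: str, counter: int = 1,
                         length: int = 16) -> str:
    """Derive a per-site password from one master passphrase plus the domain.

    The normalised domain and a rotation counter form the salt, so the same
    passphrase yields an unrelated password for every site, and bumping the
    counter for one site rotates only that site's password.
    """
    salt = f"{normalize_domain(domain)}|{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    # urlsafe base64 yields letters, digits, '-' and '_'; truncate to length.
    return base64.urlsafe_b64encode(raw).decode()[:length]


if __name__ == "__main__":
    # Constructed example values, not real credentials or real sites.
    master = "correct horse battery staple"
    for site in ("bank.example", "mail.example"):
        print(site, derive_site_password(master, site))
    print("bank.example after rotation:", derive_site_password(master, "bank.example", counter=2))
```

The counter only moves the problem Sean identifies rather than removing it: you still have to remember which counter is current for a given site, and anyone who learns the master passphrase can regenerate every site password, so the passphrase itself has to carry all the strength.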

Tim Schmelter • June 17, 2005 4:31 PM

Is anyone aware of a similar utility for J2ME devices? I've done some Googling, but haven't gotten any good hits yet.

Jim Hartman • June 18, 2005 7:06 PM

I went to the 99 cent store and bought a cheap address book. I keep it by my computer, or in my backpack if travelling. I keep the sites and userids/passwords in my little book. It's simple and can't be hacked.

Uri • June 19, 2005 2:52 AM

there is another program, also open source. written in delphi and uses twofish to encrypt the database.
multiplatform for both Win32 and Linux called Password Protect. yeah, i know, what a name... :)

anyway, find it here (also more crypto applications)
http://geocities.com/urifrid/cryptosoft.html

if you try it and find any bugs please let me know, thanks

Tim Desjardins • June 19, 2005 11:51 AM

I also wrote my own in Java. It also serves as a rolodex tool to keep all my phone numbers and addresses, and because it's Java it's highly portable. I back up the jar and rolo file to my USB flash drive every night, and when I'm on the go I have all my passwords at hand without carrying around a lot of stuff, assuming I have access to a computer that supports USB and has the JDK 1.4 installed (I also carry the JDK for various platforms on the drive as well).

jbl • June 20, 2005 12:23 PM

I keep my userID / passwords on paper or on my PDA in a "private" file (I know, I've heard it's easy to get around the PDA lock), but the passwords are encrypted with a simple scheme I can do in my head; nothing too sophisticated to break, but enough to deter a casual peeker.

The exception is passwords for anything at work, where written passwords are prohibited.

Laszlo Marai • July 2, 2005 12:17 PM

Tim,

this is a shameless plug, I know :), but take a look at freesafe at http://freesafe.sf.net. It's a j2me/midp password manager with OTP generation (just in case you need it :) ). It has about 1500 downloads and a backup facility is in the works.

Israel Torres • July 7, 2005 6:46 PM

Great to see I still have a fan club out there... anyway I love password safe and recommend it to everyone with the warning that tools like this are out there:
http://www.ninjakey.com/...

that can search and copy passwordsafe encrypted password .dat files to later attempt brute force / dictionary attacks on them. If you are using passwordsafe, make sure you choose a pretty decent passphrase and not something like "My name is Werner Brandes, my voice is my passport. Verify me"...

Israel Torres

Ron • August 7, 2005 8:25 PM

Another method I've used to store passwords is to print them out as barcodes, and use a barcode reader to enter them. Barcode readers are not exactly cheap, but they're not too expensive-- I paid about $70 for mine, and there are several models under $150. Most plug into a PS/2 keyboard port, and have a pass-through port for your keyboard. I bet they're cheaper than any biometric device...

Obviously nobody can steal the barcodes by hacking into your computer. You can print them without human-readable text, to protect from "shoulder surfing". You can print out random barcodes ahead of time, and assign them as needed.

The only risk is that if you leave them lying around, someone could photocopy them-- but they could also do that to your credit cards, which is why you don't leave them lying around (keep them in a card case or something).

One minor catch is that if you use an inkjet printer, you have to use glossy paper to make the bars sharp enough to read. If you use a laserprinter, you can use regular paper.

I have a brief writeup of this at:
http://www.panix.com/~rbean/barcodes/

I generate random passwords with the 'pwgen' program:
http://sourceforge.net/projects/pwgen/
There's a similar program written in Java at:
http://www.multicians.org/thvv/gpw.html

Java Man • April 30, 2006 4:27 PM

The above user is absolutely correct, why does Bruce advocate putting your passwords in your wallet? I really like this product -- but this remark should be deleted from this page. Imagine if everyone put their ATM PIN numbers on a piece of paper along with their wallet....that wouldn't be very secure.

dave • May 14, 2006 2:17 PM

i'm looking for the davinci code, torrent password, i'm trying to encrypt it, but no way, if you know the password, please provide me

Ed • June 11, 2006 9:40 PM

Is there an MD5 hash for Password Safe? I am leery about putting all my super secret stuff into a program I can't verify on download. So far as I can tell, nothing is found on this site nor on the SourceForge site.

fitzy • July 28, 2006 9:34 AM

I don't agree that keeping passwords in your wallet is akin to the ATM PIN, but I also don't advocate putting the password in your wallet (other than more passwords which aren't particularly valuable).

As a middle ground you could give yourself a password hint (enough to remind you of the password but without giving the game away too easily). If you lose the piece of paper though you might need to change your passwords.

LockedOut • September 17, 2006 11:10 AM

One of my kids played with my "PasswordSafe 2.09" and it has now locked me out. Is there a reset, or another way to get the information contained out? I have no back-up and every password I have for the past 5 years is in there.

Please help if you can.

Sean • September 20, 2006 3:14 PM

LockedOut: Just restore the database from one of your backups from before the time your children got ahold of your computer.

Pagnotta Angelo • December 6, 2006 8:01 AM

How can I trust Password Safe ???

I could parse all source files to see if something leaks, but I'm not an expert.... I can try to analyse the behavior of the program once installed on the system, network communications and so on... I'm not an expert there either... As I cannot pay for the risk I'm going to run trusting Password Safe, because it's an open source project, how can I really trust it ? ... please advise

Angelo

Please advise

Greyson • December 21, 2006 10:40 AM

Angelo,

It is _because_ Password Safe is open source that one may better trust it. Closed source is a 'secret recipe' -- you can't know what you're really consuming. Open source is nearer to a peer-reviewed scientific or medical study. For example, the algorithms behind RSA, SHA, Blowfish and any other widely accepted encryption schemes are "open" and this is why they are trusted (or not, in the case of recently broken hashes).

[This] Password Safe has been around a long time; it's been open for several years. It is (relatively) widely used and established. Its specifications, encryption strength, and formats are open for review. If you are unmotivated to do your own full review of a security product that you use, then you cannot hold the software or company accountable: the EULA of 99.9% of software has a clause regarding the company's, or developer's, limitation of liability. To blindly trust anything in a high-risk situation is foolish.

Either way, open source gives you a chance to personally audit the security, and you may be able to rest more easily knowing that many others have taken the opportunity to do their own audits of this particular software.

Obscuring a fact does not make that fact more truthful.

Thomas • August 17, 2007 8:00 PM

@anitha
"""please tel me the where the code flow starts from in passwordsafe"""

int main(int argc, char ** argv)

Dan R. Johnson • September 16, 2007 11:21 AM

I have appreciated Password Safe but now I have lost my laptop. I do not recall my user name but I do remember the password. When I go to your website, I do not see login request. Will you help.

javamann • September 22, 2007 8:46 AM

I registered for SourceForge, but I'm very hesitant about providing my email password. Is this absolutely necessary?

Phlip (flip) Kromer • January 20, 2008 6:01 PM

Another (better?) strategy along the lines of the 'keep em in your wallet' is to keep them in your address book: you have this on your desk, your computer, and your cell phone. Make up a plausible fake address (you can use Perl's Data::Faker, or the http://www.fakenamegenerator.com/) and use the person's name and 10-digit phone number as your banking password. If you sync to Plaxo or Yahoo's address book, you will have access to that entry any time you'd be asked for a computer password. The password is stored in plain sight (as it is in your wallet) but buried among the many similar entries. Only someone who was familiar with your whole social network would be able to identify the fake entries.

For better safety, choose a simple transformation that you can apply in your head (reverse the person's first name, add modulo 5 to the first digit, prepend your simple password, etc.). An attacker then needs not only the physical artefact of your address book but also the transformation you applied. Make sure, of course, that there isn't an obvious mnemonic connection between the account name and the address entry, and don't use a transformation you can't apply quickly in your head.

Gene Bray • October 4, 2011 7:12 PM

Well, I am a noob. Finally figured out (sometime ago) Password Safe runs fine using Wine.
