Managing access credentials
Key Moments
Whether you need to log into an online store, read your email in the browser, check your account balance, or upload photos to the cloud, most services require an individual account with authentication when accessing the service. This raises various problems.
Using the same passwords on multiple accounts has long been considered a bad idea. However, if you use a separate password for each service, you can quickly lose track of which password goes with which account. At the same time, passwords need to meet certain security requirements to resist brute force attacks. It is important to use uppercase and lowercase letters, numbers, and special characters in a way that prevents algorithms from cracking the password, leading to complex passwords. Last, but not least, users soon forget their passwords for accounts that they rarely use, which makes access even more difficult.
To remedy this, a password manager can store essential information for the respective services along with your access credentials. You then typically only need to remember the password for the password manager. Of course, developers need to effectively secure the password manager itself. Otherwise, unauthorized third parties will gain access to a large volume of individual access credentials in the event of theft. To see what current password managers have to offer, this article looks at four password managers: Buttercup, KeePassXC, Pasaffe, and Password Safe (see also the "Not Considered" box).
Basic Functions
A common practice among password managers is to offer online services and store credentials in the cloud, creating potential vulnerabilities. Such services are often commercial, and users do not know in detail where their data ends up and what data security measures the provider takes.
Many of these services only work as an extension of the web browser on the client side. This makes them vulnerable to malware that compromises the web browser as a platform. A local backup on a workstation computer or an enterprise server without Internet-based access seems far more elegant and secure than using an online service.
Password managers also often to store more than just the plain vanilla authentication data. Thanks to auto-type options, they also complete web pages with access data in a largely automated way, saving users manual input. Different categories help keep track of the stored data.
Buttercup
Buttercup [5], a free, local, multiplatform application, stores and retrieves access credentials both locally and in the cloud. Several RPM and deb packages, as well as two AppImages, are available for installation on Linux. The application supports both older 32-bit and current 64-bit operating systems [6]. Buttercup stores the user data in archives. After installation and first startup, Buttercup opens a window prompting you to create an archive (Figure 1).
Buttercup later saves the access data in the archive; the data should ideally be categorized. Open a file manager to create the archive, and assign a name and storage path for the archive. Be sure to include the .bcup extension in each instance. If you forget it, Buttercup will not create the archive.
Once the archive is created, the software asks you to define a master password. Then the actual program interface opens (Figure 2). The main window is divided into four vertical panes. In the narrow pane on the far left, Buttercup arranges the existing archives one below another. On first launch, only the first archive is found in this pane.
In the second pane, you will find the group list where Buttercup sorts the groups that belong to the selected archive. In the third pane, Buttercup lists entries that belong to the selected group. Finally, in the fourth pane on the far right, Buttercup shows the contents of the selected entry. This is where you can create usernames, passwords, and user-defined fields.
Contents
To fill the databases, first press the New Group button at the bottom of the second pane and create a new group in the input field that appears. Pressing the Enter key transfers the group to the group pane. Buttercup displays all the groups in alphabetical order.
Then select the group to which you want to add entries. The group name is highlighted in green. After clicking on Add Entry in the pane to the right of the group view, a dialog opens on the far right. Now enter a name for the entry followed by the matching access credentials. If required, you can add more information to the current entry by clicking the Custom Fields link. Finally, click on Save bottom right.
The new entry now ends up in the third pane. If you want to edit an entry later on, select the entry and press the Edit button at the bottom of the far right pane. Then save the entry again, so that Buttercup will apply the changes.
If a group contains a particularly large number of entries, you can sort them. To do this, press the bar symbol top right in the entry pane and select the sort order in the pop-up context menu. The software arranges entries either alphabetically (Figure 2) or chronologically, but you can reverse the order for both options.
Browser Integration
If you use a browser extension, Buttercup will also fill in the access credentials directly in the web browser. For Chromium, Firefox, and their derivatives, first install the respective browser extension. After that, an icon appears in the browser toolbar to the right of the URL input box.
Clicking on this icon lets you integrate an existing desktop archive into the browser extension. To do this, click on Add Vault in the add-on dialog. The routine now opens a new page and asks for the source of the archive. You can choose between various clouds, local WebDAV sources, and the Local File option.
If you choose an archive, the desktop application generates a six-digit authentication code in a separate window, which you enter in the Authorization Code field in the browser. Then click on Connect to Desktop (Figure 3); the desktop application must already be open. Finally, transfer the desired archive from a file manager displayed by the desktop application. Browser integration is now ready for use. If you want to link several archives with one add-on in the browser, repeat the procedure.
To access the credentials, the desktop application must be running at initial setup and whenever the web browser is opened for the first time. In addition, you need to re-enter the master password in the web browser to open the desired archive. A special window is displayed to help you do this. The data stored in the archive can only be accessed after completing these steps.
From now on, if you call up a website that has access credentials stored in the Buttercup archive, the software will automatically fill the fields with data. To allow this to happen, click on the padlock icon next to the input line for the username and enter the name of the archive entry in the Find Entries line. Assuming that Buttercup then displays the name of the archive entry below, click on the entry, and the authentication data is automatically transferred to the web browser fields.
The browser extension is not a standalone application. To open and use the archives, you first need to start the desktop application (i.e., unlock the appropriate archives using the master password). Without this step, the web browser plugin will only display an error message when you try to open an archive.
To add new entries to the open archive, you do not have to take a detour via the desktop application. Simply enter your username and password for the website. The add-on will then display a message in the upper right corner of the browser window, asking if you want to save the access credentials. If you press Save, the routine opens a new browser tab in which you can enter the access data (Figure 4).
Under Archive and Group, use the drop-down menus to select the archive and group where the new entry will be stored. After saving, the data is stored in the archive and available for future access to the website via the add-on. You can also open the new entry in the desktop application for editing, if necessary.
Information Exchange
Buttercup imports datasets from several other password managers if required. For this purpose, it supports CSV, XML, JSON, PIT (file type 1), and BCUP; you can use various derivatives of the CSV format depending on the source application. Buttercup also uses CSV to export the existing data. The respective dialogs can be opened via the File | Import or Export menus.
KeePassXC
KeePassXC [7], a community fork of the cross-platform KeePassX password manager, offers a graphical interface and is installed locally. KeePassXC's range of functions goes far beyond that of a conventional password manager. The application includes a password generator and an export and import function that lets you use content in other database formats across applications. KeePassXC also has browser integration for all common web browsers. An auto-type function ensures automated entry of authentication data from the KeePassXC database in various applications and services.
In addition, KeePassXC pays attention to security. It stores all data with AES-256 encryption, which makes it virtually impossible for unauthorized third parties to read the secured access data. The software is available from the repositories of the major Linux distributions and can easily be installed using the corresponding graphical package management routine. In addition, a PPA archive is available for Ubuntu. For the new package management systems, Snap and AppImage, binary archives are also available on the project website [8], as well as a Flatpak package on Flathub [9].
After opening KeePassXC for the first time, you will see a clear-cut program window (Figure 5), where you first create a new database. Alternatively, you can open an existing database or import data from third-party applications in the welcome screen; there are separate dialogs with corresponding buttons for these actions.
If you select Create new database, a new window will open with a wizard that mainly lets you to configure the encryption. To do so, tweak the various basic settings in the Encryption Settings dialog.
To control the cryptographic configuration in detail, click on Advanced Settings in the bottom right corner. This opens a dialog where you can select an algorithm to encrypt your data. AES 256-bit is used by default, but you can switch to the Twofish or ChaCha20 algorithms, which also rely on 256-bit keys. If you have powerful hardware with multicore processors and multithreading enabled, you can also specify the number of threads to be used in parallel in this dialog.
In the following dialog, you can then set the master password for the database.
Finally, you are taken to the main KeePassXC window, which also appears if you are loading a previously created database. At the top of the main window, you will find the menubar with a buttonbar below for fast access to KeePassXC's most important functions.
Below the menubar and buttonbar, the main window is divided into three panes (Figure 6). In the left pane, access credentials are grouped by category in a tree structure. In the upper right pane, KeePassXC displays a corresponding list of the selected group's entries that have individual authentication credentials. In the lower-right pane, you will find the data for the selected entry. Even if you create a new database structure, this program window layout does not change.
Getting Started
First, you must create at least one group. Otherwise, all the entries will end up in an unsorted mess in the tree structure below the Root folder, which quickly leads to confusion if there are multiple entries. The Groups | New Group menu item takes you to a dialog that lets you create a group. Give the group a meaningful name. The group name then appears as a folder in the tree structure in the left-hand pane below the Root folder.
Next, you need to enter access credentials for the individual accounts to the newly created group. To do so, click on the key with the down arrow (or plus icon, depending on your version) in the buttonbar. In the dialog that opens, enter the account's authentication data (Figure 7). Enter a title that is as meaningful as possible as this title will later appear in the upper-right pane. Also enter a username and password, as well as the account's URL. If desired, you can specify whether the access credentials have an expiration date. A free text field at the bottom lets you enter important notes.
Once the settings are complete, accept the entry by pressing the OK button at the bottom right. If you want to specify more advanced options for the selected account, clicking on Advanced in the vertical toolbar on the left opens a dialog where you can add further information, including attachments that you want KeePassXC to store in the database.
Clicking Entry in the vertical toolbar takes you back to the original dialog. After saving the entry, it now appears in the upper right pane, which lists all entries for the selected group.
If you define several groups, each of them will be a subgroup of the last group entered in the left pane. If you want to move a group to a different hierarchical level, click on it and drag it to another position in the tree structure; if desired, you can drag an entry one or more levels upwards.
Within the individual groups, you can enter the corresponding entries in the same dialog. For subsequent changes to entries, first click on the entry to be edited in the upper-right pane to select it. The pencil Entry icon in the toolbar then reopens the Edit entry dialog. You can also remove the selected entry from the list by pressing the delete icon.
Semiautomatic
In addition to the ability to save access credentials in the database and query them when required, KeePassXC also automatically enters the data in the web browser on the corresponding web page if desired. This removes the need for tedious typing, but it requires a few preparations beforehand.
First, you must enable the Auto-Type function for the selected entry. To do this, click on Auto-Type in the vertical toolbar on the left when the entry is open. In the Settings dialog that opens, check the Enable Auto-Type for this entry option. Then click on the wrench (or gear) symbol top right to switch to the application's configuration menu. To link your web browser to KeePassXC, select Browser Integration in the vertical toolbar. In the dialog that opens, select the web browsers available on the system in the box under the Enable integration for these browsers label by checking the boxes to the left of the browser names (Figure 8).
Note that KeePassXC only supports the browsers listed in the selection box. For Firefox, Chromium, and some of their derivatives, you need to download add-ons in the next step and integrate them into the browser. You can do this conveniently using the links available in the configuration dialog. Add-ons are used to connect web browsers and password management. They must therefore be installed before you can use the Auto-Type function mentioned above. The respective add-ons appear in the browser toolbar as small status icons (Figure 9).
Then restart KeePassXC and go to one of the addresses in your web browser that you have set up for auto-type. A small green key symbol will now appear on the chosen website in the fields for entering the access data. Simultaneously, another window will pop up and request the authentication data from KeePassXC for access (Figure 10). Click on Allow Selection; this will autofill the credentials from the KeePassXC database into the fields without requiring any further input from you.
To use auto-type, the chosen website must request the username and password together. If a website opens a new page or a window to prompt you for a password after the username has been entered, KeePassXC does autofill the authentication data.
In addition, KeePassXC must already be running to autofill access data. You can do this in the automatic startup routine at system start time by checking the Start only a single instance of KeePassXC option in the General menu's configuration dialog. Also, if you check the box to the left of Minimize window after unlocking the database window, KeePassXC will be hidden away in the panel when minimized.
Pasaffe
Pasaffe [10] is a small password manager published under GPLv3. Originally developed for Ubuntu, Pasaffe is now also included in various derivatives such as Trisquel and Linux Mint, as well as in Arch-based distributions such as Manjaro. Besides a PPA for Ubuntu, the source code is also available.
Developed for the Gnome desktop, Pasaffe can also be used with other desktop environments without any problems. The straightforward program opens a small window after installation, where you can enter a master password for the new database. Then it creates the database and opens the very simple main window (Figure 11).
Nomenclature
Pasaffe divides datasets to be entered into folders and entries. Folders function as groups in which you store similar authentication data. To create the first folder, go to Edit | Add Folder. The parent folder appears in a window and expects a name to be entered in the Folder Name field.
You can then create additional folders by right-clicking on the newly created folder and adding another folder to the database with Add Folder. Pasaffe always creates the new folder below the currently selected folder, creating a tree hierarchy shown in the vertical pane on the left. If you create additional folders within an existing hierarchy, Pasaffe will insert them in alphabetical order.
You can also delete a folder using the context menu, which you access by right-clicking. However, this will remove all subfolders in this hierarchy without prompting.
If you want to create a new folder and place it in a different hierarchical level, you do not have to switch to the desired level first. Instead, enter the correct path for the new directory in the Parent Folder field. Note that in such cases the hierarchy always starts with the root folder /; you therefore need to enter the full path.
Once the folder structure exists, you can add the corresponding database entries. To do this, use the Add Entry option in a folder's context menu (you can also access this via the Edit menu if necessary). Alternatively, you can open the dialog using the second button from the left in the buttonbar of the main window.
In the input window, you enter a name for the entry, the URL, and the authentication data. A note field also allows free text input of important data for this entry. After a final click on OK, the entry appears on the left below the active folder. In the right-hand pane, you will find the details of the current entry (Figure 12).
Inserted notes also appear on the right, but the password for the respective entry is only shown as asterisks. If necessary, you can make the password visible by clicking on the last icon, Show Confidential, top right in the toolbar (click on the ellipses if you do not see the option). The password now appears in plain text and can be made anonymous by clicking the button again.
Seek and Ye Shall Find
With extensive datasets, you can very quickly get lost in Pasaffe's main window. In this case, click on the magnifying glass icon in the toolbar. In the search field located top right, you can now enter the entry name for which you are searching. The application jumps to this entry in the left window pane and displays the required data on the right below the search field.
In the Browser
Pasaffe does not offer a browser add-on for automatic entry of access credentials. Instead, you need to select a database entry and open the corresponding URL by clicking on the home icon in the toolbar. This will launch the web browser, which then calls up the page for entering the access data. Unlike a browser add-on, username and password input is only partly automated. You need to copy the access credentials to the clipboard by selecting Copy User Name and Copy Password and then paste these into the appropriate fields in the web browser.
Password Safe
Password Safe [11] is based on the Gnome desktop in terms of appearance and ergonomics, but it can also be used with other desktops. Password Safe is available as a Flatpak and can therefore be installed across different distributions.
The installation routine creates a starter in the desktop menu tree. After the first launch, a visually appealing program window appears in which you first need to create a KeePass-compatible database. To do so, press the New button top left in the titlebar (Figure 13) and assign a name in the now opened file manager.
In the next dialog, you can define the access procedure for the database. You can choose from three options: a password, a key file, or both.
After opening the new safe, you are taken to an empty window. Here you can create groups to which you assign individual websites' access credentials by category. To do this, click on the hamburger menu in the top right-hand corner and select the New Group option. In an input dialog, type in the group name and optionally add a note in a free text field. You do not have to save the entered data; the software does this automatically.
To add entries to the individual groups (which are tagged with a folder icon), click on the home icon on the left and then select the desired group. The selected group then appears to the right of the home icon in the titlebar. Now click on the hamburger icon in the right-hand corner of the titlebar and select the New Entry option.
This step opens a dialog for the authentication data. For each entry, you can also store important notes in a free text field. Additionally, the Attachments field lets you store files that might be useful as attachments.
Password Safe automatically saves the changes to the entry data again. When the respective group is called up again, the changes appear in tabular form in the program window.
To switch to another group, first click on the home icon located top left in the titlebar and then select the desired group from the table of displayed groups. The program window lists the entries for the group, while the active group appears in the top right corner next to the home icon.
Settings
The Settings dialog (Figure 14), which you open via the hamburger menu, offers a few options for customizing the software.
Under Safe, use a slider to activate the option Save Automatically. In the Security tab, you will also want to set a different interval for Time threshold for locking the safe if your computer frequently runs in unattended mode. This function locks the password safe if you do not perform any actions in the software for a longer period of time. You then have to enter the master password again for further access.
Multiple Safes
In Password Safe, you can use several data safes in parallel. To create a new one, click on the New Safe option in the hamburger menu and configure it. The new safe then appears as a new horizontal tab in the application's main window, which allows a quick change between the individual safes. You can also block these safes by clicking on the padlock symbol at the top of the hamburger menu's Options dialog, thereby blocking the active safe. If you call up the active safe again, the dialog for entering the master password appears.
Password Safe in the Browser
Password Safe does not have add-ons a for the popular web browsers. Nevertheless, you do not have to laboriously query the data in the application and then transfer it to the web browser. Instead, you can save the usernames and passwords for the individual entries in Password Safe by clicking on the Copy to Clipboard button. The access data can then be called up from the clipboard in the browser whenever you need to fill out the fields on the website.
Conclusions
Local password managers make working with large volumes of access credentials far easier. The four test candidates all cover the basic range of functions for password management, but they focus on different target groups in terms of features (Table 1).
Tabelle 1: Graphical Password Managers
|
Buttercup |
KeePassXC |
Pasaffe |
Password Safe |
|
|---|---|---|---|---|
|
License |
GPLv3 |
GPLv2 |
GPLv3 |
GPLv3 |
|
Functions |
||||
|
Available across platforms |
Yes |
Yes |
No |
No |
|
Desktop application |
Yes |
Yes |
Yes |
Yes |
|
Browser extension |
Yes |
Yes |
No |
No |
|
User guidance |
||||
|
Multiple archives |
Yes |
Yes |
No |
No |
|
Multiple groups |
Yes |
Yes |
Yes |
Yes |
|
Free text input |
Yes |
Yes |
Yes |
Yes |
|
Data import |
Yes |
Yes |
Restricted |
Restricted |
|
Data export |
Yes |
Yes |
Restricted |
Restricted |
|
Password generator |
Yes |
Yes |
Yes |
Yes |
|
Auto-Type |
Yes |
Yes |
Restricted |
Restricted |
|
Security |
||||
|
Cloud backup |
Configurable |
Yes |
No |
No |
|
Encryption |
Yes |
Yes |
Yes |
Yes |
|
Adjustable encryption algorithm |
No |
Yes |
No |
No |
Password Safe and Pasaffe are more suitable for home use, as they do not offer add-ons for common web browsers. Access data must be entered here specifically via the clipboard on websites. Buttercup and KeePassXC are aimed at professional users who want to save themselves typing in their web browsers. Buttercup additionally impresses with a modern, visually appealing interface. KeePassXC converts data to and from other formats thanks to numerous filters.
Despite all the simplifications made by these password managers, cautious users are still advised to keep records and backups of their access credentials to ensure continued access to protected data in the event of an accident.