I asked on Facebook last week about password management tools, and have been playing around with one ever since: KeePass (http://keepass.info). I rather like it, and I figured I would share what I found.
KeePass version 2 (not to be confused with KeePassX) runs on Windows (via .NET), Linux (via mono), and OSX (also via mono), and it has some community-contributed versions for mobile devices. I've tried it so far on Win XP, Linux Mint, and KeePassDroid for Android 2.3.
First of all, it's fully free and open source. The "free" part, in terms of not having to pay money, is nice. But the "open source" part I think is vital for a security program like this. The source code can be and has been fully vetted by programmers, so we know there are no secret backdoors, security holes, or anything along those lines. (Of course no software is fully secure, but open source software has the best chance to be free from already-known problems, and has the best chance to quickly fix problems discovered in the future.) Given that I am creating a database to store all of my passwords in one place, a "single point of failure" if you will, I would not trust anything less than fully open software.
Now, with that out of the way, here's what it can do:
* Store an arbitrary number of passwords. With each password, you can store a username, URL, tags, notes, and so on. You can file passwords into folders within the database if you like. The passwords can be your existing ones, or...
* You can create passwords with it. You can set rules to match the rules of a given site (min/max characters, optionally allow or disallow capital letters, numbers, symbols, etc.) and just click a generate button. There's also a neat feature called "generate additional entropy", which assures you a "more random" password, but really it's just fun to wiggle your mouse around for 15 seconds because a program tells you to. By default it hides passwords, but you can always show them. You can also one-click copy a password. But the coolest way to actually use the passwords is...
* Global auto-type. When you're logged into your KeePass database, you can press ctrl-alt-A (or whatever key combination you set) when you get to a login screen for a website. It will detect which website it is, and automatically fill in your username and password for you. It can take a small amount of trial and error to get set up for a given website, which I find easy but which you may not want to do. In that case, you can still use the regular copying feature.
* The database is stored in a single file. I keep it in my Dropbox folder, so it's automatically synced across my work and home computers and half-automatically to my phone. You can unlock the database with a single global password (and for the love of all that is holy please make this your most random, most secure password ever), or you can set a "key file", any other file on your system that you have to choose instead of a password (and for the love of all that is holy please don't ever edit or delete the key file). I wish you could also use SecurID or something like that for further authentication, but it is what it is.
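To show what a rule-driven password generator like the one described above is doing under the hood, here is an added Python example. It is not KeePass's code; the character classes, the symbol set, and the function names are my own choices. It draws from the operating system's CSPRNG via the `secrets` module, enforces "at least one of each enabled class" by rejection sampling so the result stays uniformly distributed over all rule-satisfying strings, and reports an entropy upper bound for a given rule set:

```python
import math
import secrets
import string

# Character classes, mirroring the kind of rules a site lets you toggle.
# The symbol set is an assumption of this example, not KeePass's default.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?/",
}

ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def satisfies_rules(password, classes):
    """True if password contains at least one character from every enabled class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length, classes=ALL_CLASSES, require_each=True):
    """Return a password of `length` characters drawn from the enabled classes.

    `secrets.choice` uses the OS CSPRNG; `random.choice` would be predictable
    and must not be used for credentials. With require_each=True, candidates
    that miss a class are discarded and redrawn (rejection sampling), which
    keeps every accepted string equally likely rather than biasing toward
    "pick one from each class, then fill" constructions.
    """
    if require_each and length < len(classes):
        raise ValueError("length too short to include one of each class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or satisfies_rules(candidate, classes):
            return candidate


def entropy_bits(length, classes=ALL_CLASSES):
    """Upper bound on entropy in bits: log2(alphabet_size ** length).

    The "require one of each" rule removes a few strings from the space, so the
    true figure is slightly lower; for typical lengths the difference is small.
    """
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"({entropy_bits(16):.1f} bits max)")
    # A digits-only, 6-character rule set is what a PIN-style site demands:
    print(generate_password(6, classes=("digits",)), f"({entropy_bits(6, ('digits',)):.1f} bits max)")
```

The entropy figure is the useful check: a 16-character password over all four classes gives roughly 103 bits, while a site that forces digits only and caps you at six characters leaves under 20 bits, which is why a manager that generates and stores unique passwords matters more than any memorable scheme.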
And that's all! I think it meets all of my needs, and I'm gradually shifting over to using it for most of my websites. I recommend you try it if you're looking for something like this! And even if you're not looking, how much longer will it be until the next time you get one of those "we've been hacked" emails from Zappos, Dreamhost, your bank, or someone else?