How KeePass was modified and deployed in a large enterprise environment

Posted by juergenpabel on Jul 13, 2008 10:10 PM EDT
Juergen Pabel's Blog; By Juergen Pabel

Password management is a daunting task for most IT users. A large German company deploys the open source password safe KeePass to enable its IT users to manage their passwords safely.

Password policies often pose practical problems for IT users: they must choose passwords that meet the given complexity requirements, passwords shouldn't be reused, and password changes are suggested or even required. How are IT users expected to actually comply with such password policies? The CISO (Chief Information Security Officer) of a globally operating corporation in Germany asked the author to evaluate and deploy a solution that enables IT users to manage their passwords securely.



Server-based password safes were excluded from the evaluation phase in order to avoid continuous operational costs. The software therefore had to be available for Microsoft Windows so that it could be deployed on thousands of desktops. The evaluation included several commercial and free tools, and it was concluded that KeePass was the best fit for the scenario: it incurs no licensing costs and implements almost all of the desired features and security mechanisms. However, the abundance of functions implemented in KeePass makes its user interface somewhat confusing to users who just want a place to securely store their passwords. A "mini-mode" was therefore implemented in a joint effort with Dominik Reichl, the project founder and main developer of KeePass. A simplified user interface is the main aspect that distinguishes the "mini-mode" from the traditional KeePass experience.



Usability



The chosen KeePass configuration includes the automatic start of a KeePass instance after Windows logon. A system tray icon indicates that KeePass is running. Clicking the icon activates KeePass; the user's first task is to provide a master password, which is used to create an encrypted password database for that user. Subsequent access to the user's KeePass database requires the chosen master password.



KeePass provides a group structure for organizing stored passwords (see picture #1). One of the features newly implemented during the customization phase is the ability to configure the initial group structure, so users can be provided with an initial group structure that is adequate for their environment. Each password entry comprises a title, username, password, expiration date, URL and a field for comments. The password can either be supplied by the user or randomly generated. Automatic password generation is a complex subject and requires numerous aspects to be configured (length, required character sets, ...). In mini-mode the generation parameters are read from the configuration and automatically applied to the generation process; users are not subjected to the potentially confusing password generation dialog, and generated passwords are automatically compliant with the password policy.
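To illustrate what "policy-compliant" generation has to guarantee, here is an added example (not KeePass code, and not the configuration format the deployment used): a generator that reads length and required character sets from a constructed policy, draws every character from a CSPRNG, and ensures each required set is represented, alongside the check a support engineer could use to verify a password against the same policy.

```python
import secrets
import string

# Constructed policy, standing in for the generation parameters the article
# says mini-mode reads from its configuration. Values are assumptions.
POLICY = {
    "length": 16,
    "required_sets": {
        "upper": string.ascii_uppercase,
        "lower": string.ascii_lowercase,
        "digit": string.digits,
        "special": "!@#$%^&*()-_=+",
    },
}


def generate_password(policy=POLICY):
    """Return a password of the configured length that contains at least one
    character from every required set; all randomness comes from `secrets`."""
    length = policy["length"]
    sets = list(policy["required_sets"].values())
    if length < len(sets):
        raise ValueError("length too short to satisfy every required set")
    # One guaranteed character per required set ...
    chars = [secrets.choice(s) for s in sets]
    # ... then fill the remainder from the union of all allowed characters.
    alphabet = "".join(sets)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not sit at predictable positions (random.shuffle is not suitable).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def is_compliant(password, policy=POLICY):
    """Check a password against the policy: exact length, only allowed
    characters, and at least one character from each required set."""
    sets = list(policy["required_sets"].values())
    alphabet = set("".join(sets))
    return (
        len(password) == policy["length"]
        and all(c in alphabet for c in password)
        and all(any(c in s for c in password) for s in sets)
    )
```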



Project overview



The creation of a requirements document marked the beginning of the project, which went on to include the evaluation of potential products, source code modifications and software packaging. The entire effort took about 25 person-days and produced several artifacts aside from the actual software package: a security concept documents the organizational and technical risks, an end user manual guides the user through the software, and another manual enables support staff to address user questions.



Conclusion



Feedback has been very positive: users are happy to have a secure option for managing their passwords, and the CISO is happy to have found a secure and easy-to-use solution that didn't strain his budget too much. Everybody else should be happy as well, since all the improvements were merged back into KeePass and are now available in version 1.11 under the terms of the GPL.
