PwSafe (PasswordSafe) is a free, open-source program to track your passwords. It protects them all with a single master pass phrase (a long, multi-word password). The current version is 3.31. Last revised/verified: 2013-05-11. It has a website, and it is hosted at SourceForge. For each entry it tracks a URL (Uniform Resource Locator), userid and password. If the password field is at the top of a webpage, you can start the browser, jump to the URL and key in the userid and password, all with a single click. If the password field is not at the top of the page, you must navigate to where it is on the page, and then PwSafe will automatically key the userid and password. You can also get it to copy the password to the clipboard.
- I polled computer programmers, and they recommended this as the best such tool.
- It works in all programs and browsers. You don’t have to teach your passwords individually to each
- Unlike a list of passwords in a text file, a snooping person or virus can't do anything with the encrypted PwSafe password repository.
- You can drive PwSafe from a USB-stick, so you are a step more independent of your OS (Operating System). It runs on XP/W2003/Vista/W2008/W7-32/W7-64/W8-32/W8-64. PwSafe is also available for Linux, using the same file structure. The password repository files have been upward compatible for the last ten years. The USB (Universal Serial Bus) stick makes your passwords easily portable between machines.
- I have been nervous about entrusting my only copy of my passwords to PwSafe, worried that the program might stop functioning in some future OS release, and that I would not be able to extract my passwords in plain text form to key into some replacement utility. So I still have other copies in less secure form. This completely defeats the point of its high security. It turns out it is possible to export the entire database as XML (extensible Markup Language) plain text at any time, so my fear is unjustified, so long as I use this feature judiciously. Over-using it compromises security. Under-using it risks loss of data. Rony Shapiro of the PwSafe team points out that, in addition to other implementations of PwSafe being available, the most important guarantee you have of being able to read the format in the future is that the PwSafe file format is well documented and publicly available. This means that, in addition to the other existing implementations, any experienced programmer can take the description and write a program that will be able to read your password database (provided you supply the master passphrase, of course). However, even complete loss of passwords is not a total catastrophe. You can get nearly all of them back by tediously filling in a web form on the associated website for each password, requesting that it be sent by email or reset.
- It lets you import passwords in five documented formats: KeePass V1 TXT and CSV (Comma-Separated Value) files, KeePass V2 via KeePass V1 CSV files, and KeePass V1 and V2 XML files. You don't have to rekey all your passwords, just massage them a bit.
- The big problem I have with PwSafe is typing my master pass phrase blind. I find typing blind almost impossible. I am a very fast DSK (Dvorak Standard Keyboard) typist, and the blindness somehow interferes with my reflexes, so I can't stay on automatic. I am reduced to hunt and peck. There is no option to type the normal way with keystrokes echoed. There is no one else in the room. Typing blind provides only a tiny bit of extra security. If someone wanted to spy on me, they would use a virus key logger, which would not be deterred in the least by my keying blind. I presume there is no such option because people would be tempted to misuse it in circumstances where snoops can look over your shoulder, thus defeating the security. Karlo Van der Gucht of the PwSafe team reminds me this limitation applies to all programs where you key passwords, though as a programmer I note that it is a policy choice whether to force the user to always key blind. TrueCrypt offers this option. Rony Shapiro is reluctant to offer it because there are spyware programs that can copy visible text without you being aware of it, so there is still a security advantage in not displaying the master password, even if you are alone in the room at all times. I counter that the choice is not really between keying blind and echoed keying, but between keying blind and not using PwSafe at all.
- PwSafe is not quite as well integrated as the password managers provided by browsers. It thus usually takes more keystrokes to select the password and get it sent. With many browsers all you have to do is hit Enter. OTOP (On The Other Paw), the integration in a browser works only for that browser itself, so if you need more than one browser, you have to key each password again in every browser you use. PwSafe also works in non-browser programs.