PwSafe : Java Glossary

PwSafe (PasswordSafe) is a free, open-source program to track your passwords. It protects them all with a single master pass phrase (long multi-word password). The current version is 3.31 Last revised/verified: 2013-05-11. It has a website, and it is hosted at SourceForge. For each entry it tracks an URL (Uniform Resource Locator), userid and password. If the password is at the top of a webpage, you can start the browser, jump to the URL, key in the userid and password all with a single click. If the password is not at the top of a page, you must navigate to where it is on the page, then PwSafe will automatically key the userid and password. You can also get it to copy the password to the clipboard.

Advantages

• I polled computer programmers, and they recommended this as the best such tool.
• It works in all programs and browsers. You don’t have to teach your passwords individually to each browser.
• Unlike a list of passwords in a text file, a snooping person or virus can’t do anything with the encrypted PwSafe password repository.
• You can drive PwSafe from a USB-stick, so you are a step more independent of your OS (Operating System) XP/W2003/Vista/W2008/W7-32/W7-64. PwSafe is also available for Linux, using the same file structure. The password repository files are upward compatible for the last ten years. The USB (Universal Serial Bus) stick makes your passwords easily portable between machines.
• I have been nervous about entrusting my only copy of my passwords to PwSafe, worried that the program might stop functioning in some future OS release, and I would not be able to extract my passwords in plain text form to key into some replacement utility. So I still have other copies in less secure form. This completely defeats the point of its high security. It turns out it is possible to export the entire database in XML (extensible Markup Language) plain text at any time, so my fear is unjustified, so long as I use this feature judiciously. Over-using it compromises security. Under-using it risks loss of data. Rony Shapiro of the PwSafe team points out that in addition to other implementations of PwSafe being available, the most important guarantee you have about being able to read the format in the future is that the PwSafe file format is well documented and publicly available. This means that, in addition to other existing implementations, any experienced programmer can take the description and write a program that will be able to read your password database (provided you give the master passphrase, of course). However, even complete loss of passwords is not a total catastrophe. You can get nearly all of them back by tediously filling in a web form on the associated website for each password requesting it be sent by email or reset.
• It lets you import passwords in five documented formats: Text, XML, KeePass V1 TXT and CSV (Comma-Separated Value) Files, KeePass V2 via KeePass V1 CSV Files, KeePass V1 and V2 XML Files. You don’t have to rekey all your passwords, just massage them a bit.

Disadvantages

• The big problem I have with PwSafe is typing my master pass phrase blind. I find typing blind almost impossible. I am a very fast DSK (Dvorak Standard Keyboard) typist, and the blindness somehow interferes with my reflexes, and I can’t can stay on automatic. I am reduced to hunt and peck. There is no option to type the normal way with keystrokes echoed. There is no one else in the room. Typing blind provides only a tiny bit of extra security. If someone wanted to spy on me, they would use a virus key logger which would not be deterred in the least by me keying blind. I presume there is no such option because people would be tempted to misuse it, in circumstances where snoops can look over your shoulder, thus defeating the security. Karlo Van der Gucht of the PwSafe team reminds me this limitation applies to all programs where you key passwords, though as a programmer I note that it is a policy choice whether to force the user to always key blind. TrueCrypt offers this option. Rony Shapiro is reluctant to offer it because there are spyware programs that can copy visible text without you being aware of it, so there is still a security advantage in not displaying the master password, even if you’re alone in the room at all times. I counter that the choice is not really between keying blind or echoed keying but keying blind or not using PwSafe at all.
• PwSafe is not quite as well integrated as password managers provided by browsers. It thus usually takes more keystrokes to select the password and get it sent. With many browsers all you have to do is hit Enter. OTOP (On The Other Paw), the integration in a browser works only for that browser itself, so if you need more than one browser, you have to type passwords several times for each browser. PwSafe also works in non-browser programs.