Using Password Gorilla

Table of Contents


Help Using Password Gorilla


Starting

(Open Dialog)

Upon start-up, Password Gorilla shows the "Open Password Database" dialog. It shows a list of recently used password database files, allows you to browse for a different password database file, and asks for the database's master password. Once a file is chosen, and the master password is entered correctly, the password database is opened, and its contents are shown.

To create a new, empty password database, click the "Cancel" button, and then select "New" from the "File" menu. You will be asked for an initial master password for the new password database.

Choosing a Master Password

It goes without saying that the master password should be non-trivial. I.e., the master password should not be a word in any language nor a name. Such trivial passwords are subject to dictionary attacks, in which an attacker could gain access to your master password by simply using "brute force," by trying all the words in the dictionary.

Equally important is that the master password should not be kept in the same place as the password database. Ideally, the master password should not be written down at all, so that it remains in your personal memory only. If you decide to write down your master password, keep it away from your computer(s), in a location that only you know of.

Because the password database is encrypted using your master password (using the peer-reviewed and commercially well-accpted Twofish algorithm, for the technically inclined), it is imperative that you do not forget your master password. It is impossible to recover a lost master password. An encrypted password database can not be "cracked," as long as the master password is not trivial (see above).

Note that Password Gorilla does not try to second-guess your choice of password. It does not check for or complain about passwords that would generally be considered weak.

Organization Into Groups

(Password Gorilla Screenshot)

Logins in the password database are shown as a tree, organized into nested groups. Groups allow you to arrange logins by category. Click on the plus sign next to a group's name in order to view its subgroups and logins that the group contains.

New groups and subgroups can be added by right-clicking on a group name, and choosing the "Add Subgroup" option. (Macintosh users, hold the Control key, and click on a group name.) In the dialog box that opens, the "Parent Group" name will be set automatically, and the name of the new subgroup can be entered.

You can also drag both groups and logins, and drop them on a new parent group, to quickly re-arrange the database's organization.

Note that empty groups are not stored in the password database file. If you save and re-open a file, empty groups will disappear.

Logins

(Login Dialog)

Groups can contain any number of logins. To add a new login, right-click on a group, and choose the "Add Login" option. To edit an existing login, right-click on an login, and select the "Edit Login" option. (Macintosh users, hold down the Control key, and click on a group name.)

The following information is managed for each login:

Group
The name of the group that this login is in. The names of hierarchical groups are concatenated, separated by a dot. A login can be moved to a different group by editing this field -- though dragging the login and dropping it on its new group is more convenient.

Title
The login's title is shown in the main window, so that you can identify the service that this login information belongs to, e.g., "E-Mail."

URL (V3 format only.)
The service's URL, if any. In the tree view, you can right-click on a login and choose "Copy URL to Clipboard" in order to copy this data to the clipboard, for pasting it into your browser's address bar. This field is only available when using the "V3" database format; see the discussion of the V3 format below for more information.

Username
Your username for this service. In the tree view, you can right-click on a login and choose "Copy Username To Clipboard" in order to copy this data to the clipboard, for pasting it into the service's login prompt.

Password
The password that is associated with this login. In the tree view, you can right-click on a login and choose "Copy Password To Clipboard" in order to paste it into the service's login prompt.

Notes
You can use the notes field for arbitrary information that you wish to associate with the login. E.g., you could note questions and answers to a service's security questions (of the "What is your mother's maiden name?" kind). Also, you can use the field for the service's URL. If the notes include a string that starts with "http" or "https", or if they contain the token "url:" followed by a URL (put the URL in quotes, if it contains spaces), then you can right-click on an login and choose "Copy URL To Clipboard" in order to paste the URL into your Web browser.

When editing a login, the password is not shown, for added protection from curious onlookers. You can click the "Show Password" button to toggle visibility of the password.

Clicking on "Generate Password" generates a new pseudo-random password according to the current password policy (which is a per-database setting that can be set using the "Password Policy" option in the "Manage" menu). If the "Override Password Policy" box is checked, you can edit the password policy to use for this one password.

(Password Policy Dialog)

The password policy allows you to set the length of randomly generated passwords, and the characters to use. Check the "use easy to read characters only" option to avoid characters that look similar. This excludes the lower- and uppercase letters 'i', 'j', 'l' and 'o', the digits '0' and '1', and the exclamation mark, pipe symbol, and parentheses. Note: to generate random hexadecimal passwords, the "use hexadecimal digits" option should be checked exclusively, and the password length should be an even number.

The default password policy for the current database can be set using the "Password Policy" dialog from the "Manage" menu.

Preferences

General, database default and export preferences can be configured using the "Preferences" dialog from the "File" menu. Database preferences, which are specific to the current password database, can be configured using "Database Preferences" from the "Manage" menu, when a database is open.

General Preferences

(Preferences Dialog)

Clear clipboard after <nn> seconds
If this value is set to a non-zero value, the system clipboard is cleared, the specified number of seconds after copying a user name, password or URL to the clipboard. This ensures that no password remains in the clipboard forever.

Remember <nn> database names
Makes Password Gorilla only remember the given number of most recently used database file names. If set to zero, Password Gorilla will not remember database file names at all. The current list of file names in the most recently used list can be cleared with the button next to this option.

When double clicking a login
Configures what to do when you double-click on a login. The options are to copy the login's password to the clipboard, to open the login for editing, or to do neither.

Backup database on save
If enabled, then a backup file of the password database is made whenever the database is saved. The backup file has the same name as the database itself, but with the ".bak" extension.

Remember sizes of dialog boxes
Password Gorilla allows you to resize its main window, and most of its dialogs, should you find the default sizes inconvenient. If this option is enabled, Password Gorilla will remember the size of dialog boxes across restarts.

Database Default Preferences

(Database Default Preferences Dialog)

Database default preferences are applied to new databases, but do not affect existing databases. To change a setting for an existing database, go to "Database Preferences" in the "Manage" menu. See the discussion of Database Preferences below.

Export Preferences

(Export Preferences Dialog)

Export preferences apply to the exporting of a password database to a plain-text file.

Include password field
If enabled, the password is included in the exported file. If disabled, "********" is substituted for the password.

Include "Notes" field
If enabled, the "Notes" are included in the exported file.

Field separator
Configures the character to separate fields. This character should not appear in any user name or password. Common separators are ":" (colon) and "," (comma).

Show security warning
If enabled, reminds the user, before exporting the database, that the exported plain-text file is not encrypted or password protected.

Database Preferences

(Database Preferences Dialog)

These database preferences can be configured using "Database Preferences" from the "Manage" menu.

Lock when idle after <nn> minutes
If this preference is set to a non-zero value, Password Gorilla will lock the database after a period of inactivity. In that case, a dialog box opens, prompting for the database's master password. The dialog also allows to exit Password Gorilla. Note that this allows a malicious user to exit the application, discarding changes. However, this is not a security issue: a malicious user, having access to your desktop, could just as well kill the application (e.g., from the console or the the Task Manager). A better choice is to lock your desktop while unattended.

Auto-save database immediately when changed
If enabled, then the database will automatically be saved after each change.

Use Password Safe 3 format
If this option is enabled (i.e., checked), the password database, when saved, will use the new "Password Safe 3" encryption format. The database will be compatible with Password Safe 3, but will not be compatible with versions of Password Safe prior to 3.0, or versions of Password Gorilla prior to 1.4. If this option is disabled (i.e., not checked), the old Password Safe 2 database format is used: the database will be compatible with Password Safe 2.0 or higher, and Password Gorilla 1.0 or higher.

It is highly recommended to enable this option, and to upgrade existing databases to the Password Safe 3 format, which features enhanced security. See below, Information about the new Database Format, for more information.

V2 Unicode support
Whether the database file uses Unicode. This is the default for the Password Safe 3 format; this option only applies if the "Use Password Safe 3 format" option is disabled (i.e., not checked). If this option is enabled, database files containing international characters can safely be exchanged across locales, e.g., when you want to use the same password database in both a Western European and Russian locale. The caveat is that, if you use both Password Gorilla and Password Safe, the latter will not read accented characters correctly. (The database will open, but non-ASCII characters will not show up correctly.) This option has no effect if your database uses only ASCII characters.

V3 key stretching iterations
The Password Safe 3 format supports "variable key stretching", which is a means of protecting a database against brute-force attacks. Key stretching is a complex operation that must be performed when validating a master password for correctness. When an authorized user enters the correct password, this may take a second and is barely noticeable. But it slows down mass-testing password guesses by an automated program. The "iterations" parameter indicates the complexity of the key stretching: the higher this value, the longer it takes to open a database, and the longer it takes an attacker to test one password. It is recommended to leave the value at its default of 2048, which is a good compromise between promptly opening databases and hampering attackers.

Note that this option can only be changed on a per-database basis and does not appear in the Database Default Preferences Menu. This prevents a malicious user from changing the preference in the registry and degrading the protection of future databases.

Information about the new Database Format

"V3" Format Introduction

Password Gorilla 1.4 adds support for a new encrypted format for password databases, as introduced by version 3 of Password Safe -- therefore also called the "V3" format. This new format is based on the years of experience with and analysis of the prior "V2" database format, and features enhanced security (see below, V2 Format Weakness for details). The new format offers:

It is recommended to use the new format, and to upgrade existing password databases, unless you require compatibility with software that supports the old format only, such as Password Safe 2.x, or versions of Password Gorilla prior to 1.4.

Switching between the V2 and V3 Formats

Password Gorilla defaults to the V3 format for newly created databases, but it does not automatically upgrade existing V2 databases. Upgrading, as well as downgrading, a database is accomplished by enabling the Use Password Safe 3 format checkbox in the Database Preferences menu (see above).

Password Safe recommends to use the ".psafe3" extension for V3-format database files, and the ".dat" extension for V2-format files. (Password Gorilla allows password database files in either format to have any extension.)

V2 Format Weakness

In the interest of full disclosure, it should be noted that a potential weakness was discovered with the old Password Safe 2 ("V2") file format. This issue affected the "key stretching" process that is intended to slow down a brute force attack against a database's master password (i.e., repeated attempts at guessing the password). The weakness in the file format's design allowed brute force attacks 1000 times faster than intended. The number sounds worse than it is: a good, long master password is one among billions of billions of combinations, and a factor of 1000 does not make a practical difference. However, the factor may have an impact on the security of password databases that use a short, more easily guessable master password. The Password Safe 3 format avoids this issue by depending on the result of the key stretching operation (which is computationally expensive) as an input to decryption -- therefore, the operation can not be bypassed.


Risks


Just like re-using the same passwords over and over again, or keeping passwords written down on a sticker glued to the bottom of your desk, some risks are associated with the use of Password Gorilla. This section is not meant to scare you, but as an educated user, you have the right to know about potential risks, and to make informed decisions. Risks should not be ignored, but evaluated and addressed.

There are different threat vectors that can be considered:

The Software Itself

First of all, the software itself may be a risk. For all you know, the software's author could be a sociopath who tries to talk you into downloading and installing buggy software that secretly broadcasts your passwords. If you want, you can trust the author, third-party recommendations, you can inspect the source code for trap doors, or trust a third-party code inspection.

Maybe the software is not bug-free. In an extreme scenario, a bug in Password Gorilla could destroy your password database. It is good advice to keep a backup copy of your password database in a safe place.

System Failure

Sometimes, computers have the annoying habit to crash at the most unfortunate time. Many users have lost data due to an unpredicted crash. This can be problematic, e.g., when you just added or modified a login, and did not get around to saving the updated password database. If a password was randomly generated, it may be lost.

The easy workaround is to not confirm your password with the online service before saving the password database. I.e., when creating a new login, first add it in Password Gorilla, and immediately save the database (using "Save" from the "File" menu). Only then go to your online service -- e.g., the Web site that required registration, and complete its signup process. When modifying a login, e.g., changing the password, there is a chance that the computer might crash after saving the database, but before completing the service's password change process. In this case, the old password will still be available in the password database's backup file -- assuming that you have a backup copy, of course.

Other Users on a Shared Computer

Common sense will go a long way in protecting your password database from other users that you share a computer with. Never keep Password Gorilla running when you leave the desktop unlocked. Make sure that the database file is not readable by other users -- while the database format is considered secure, this prevents other users from copying the file, and making a brute-force attempt of guessing the master password offline.

If you follow these precautions, there is nothing to worry about here.

Your System Administrator

If your computer is administered by somebody else than you, then you need to trust the administrator(s). An administrator can bypass the operating system's security measures, and inspect a running program's in-memory data. Password Gorilla obviously needs to have the decrypted contents of your password database in memory, so a malicious administrator could access Password Gorilla's memory, and gain access to your passwords. In an attempt to foil naive attackers, Password Gorilla takes some care by not storing data in clear text, but encrypted using a temporary key. However, because the key is also kept in memory by necessity, a motivated attacker could find both the encrypted password and its key.

Of course, malicious administrators have a wide range of tools at their disposal that invade on your privacy, in order to gain access to your passwords. An administrator could replace the Password Gorilla software with a trojan version that looks and acts the same, but sends your passwords to the administrator's account. Even if you are not using Password Gorilla, the administrator could install a key logger, or monitor your internet connection, to find passwords as you type them.

The added risk of using Password Gorilla is that a malicious administrator could compromise all passwords at once, instead of only intercepting the few passwords that you actually use and transmit in one session.

Viruses, Backdoors, etc.

If your computer is infected by spyware or viruses, then external malicious users may have control over your computer. Such users could use the same attacks as described for a system administrator above. It is a good idea to check for viruses and spyware on a regular basis. Password Gorilla should obviously not be used on a compromised computer.

Putting Risk In Perspective

The above does not necessarily imply that Password Gorilla is too unsecure to use. They are merely a set of risks that need to be considered and evaluated in order to make an informed decision, and to take some common sense precautions. The author believes that using Password Gorilla is a better idea than the alternative of writing down passwords, or of reusing passwords.

As the example of the malicious system administrator shows, there is a wide range of attacks that are possible even if you were not using Password Gorilla.

Saying that Password Gorilla should not be used on a computer that is infected with spyware, viruses, or backdoors, is good advice, but redundant, as the problem is not limited to Password Gorilla. A compromised computer should not be used for anything, especially not for private communication.

Also, while technical attacks receive a lot of publicity, it should not be forgotten that social engineering attacks are usually more effective. In a study that I read about, a sizeable fraction of users revealed their passwords to strangers on the street, for a mere piece of chocolate. In one of the Hollywood movies that treat this subject better than others, War Games, the protagonist gains access not by pressing a magic button, or by bypassing security, but by spending countless hours trying to get into the designer's mind, in a social engineering attack to guess the designer's most likely choice of password -- another reason to prefer random passwords.


(FPX Logo)

Frank Pilhofer, fp -AT- fpx.de
Last modified: Sat Jun 12 22:30:00 2006