
Updated 20 April 2007: Password Gorilla’s author, Frank Pilhofer, contacted me to clarify how permissions work and to investigate the problem I was seeing. Talk about great customer service! See update notes below…
I’ve been using Password Safe in Windows for many years to manage my passwords. It seemed credible to me because it was originally designed by Bruce Schneier and made by his company, Counterpane Systems. It uses either the Twofish or Blowfish block cipher, depending on the version. I respect Bruce’s knowledge and opinions on security and figured it would be a robust application, free from obvious security flaws.
And it was free for use. As in free beer. At some point it was released under the free and open source Artistic License* and a thriving development community has developed around it, regularly releasing new versions with scads of new features and user interface improvements.
I liked the simple interface of the original program and also the improvements made for version two which allowed for better categorization of logons. It has some nice features like locking on minimize or after some number of minutes idle. (In the process of writing about this, I finally got around to updating to version three and it has several new features also.)
In the past few months I had checked for GNU/Linux versions of the software and saw that while there were none at the time, there were other projects that used the same file format so that I was hoping I’d find a suitable program and it would be easy to switch. And now’s the time, I guess.
Password Gorilla
I looked at Password Gorilla first. It is based on Password Safe and runs on GNU/Linux, Windows, and Mac. It uses the GPL v2 license. Since it still feels easier/more comfortable for me to install things on Windows, and since my Password Safe file is on my Windows machine, I tried that version first. It’s simple — a 1.5MB single file. No installation, really.
It worked just fine. It opened my 39KB v2 file that has over 200 entries with no problem, although it was slower to open the file. It looked a lot like Password Safe without a toolbar. Just what I was looking for.
Password Gorilla looked pretty good, but how healthy and robust is the user community around it? It’s hard to tell from the home page how many people are involved. I typically want to adopt free programs that are well-established and have a large group of users and preferably more than one developer working on them. This is so that if a key developer is unable or unwilling to keep maintaining it, there is a better chance that someone else will step up. And in the case of security/crypto applications, I think it’s even more important to have enough people poking around in a program to uncover possible weaknesses.
In this case, the project home page looks well done and the program was updated as recently as summer 2006 to support the new v3 file format, so I’d be inclined to use the program. I also like the help page that goes into some of the risks involved. These are things I’m already aware of, but I think it’s refreshing that a page has been provided to help educate people on these things. So I had a warm fuzzy feeling about the program, but as I was evaluating my options, I noticed from the Password Safe SourceForge project page:
Password Safe SWT (Java version)
It’s only at beta version 0.6 as of January 16, 2007, but apparently there is now a cross-platform Java port of Password Safe, released under the Eclipse Public License. Java implies some overhead with the supporting JVM, but that’s an area I’m familiar with and wasn’t afraid of, whereas Password Gorilla uses some Tcl-ish kind of scripting runtime and I had some concerns it might be tricky to set up. (This was later proven to be completely unfounded.)
Since this SWT version (which I still don’t know the meaning of — something to do with the Standard Widget Toolkit you get with Eclipse?) is associated with the main Password Safe project, it seemed to me it might be a safer bet to use in the long run.
I again tried it out in Windows first, and discovered two problems, one of them serious. It still looked like the Password Safe I know and love, but the first problem for me was that it shows the notes field in the accounts list page, and there isn’t an option to turn it off. I sometimes store auxiliary passwords there and I wouldn’t want them showing up in the list. (And considering that one of the new features I’ve noticed in v3 is that it hides the notes on an individual entry until you click in the notes box, it seems that the main program values privacy there as well.)
That isn’t a crippling problem, but then I realized my category of miscellaneous web page logons wasn’t working. It has the most entries, and for some reason none of them show up. There are about 80 items, which I wouldn’t expect to be a problem, but I notice this in a log that gets created:
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
    at java.lang.String.substring(Unknown Source)
    at org.pwsafe.passwordsafeswt.model.PasswordTreeContentProvider$TreeGroup.<init>(PasswordTreeContentProvider.java:40)
    at org.pwsafe.passwordsafeswt.model.PasswordTreeContentProvider.getChildren(PasswordTreeContentProvider.java:128)
I’m opening a v2 database format, which maybe is part of the problem. I posted a bug report and feature request to the project forums, but for an application like this where I’m not that invested in it, my inclination is to move on. I just want to find a GNU/Linux replacement and Password Gorilla is available so I’m not going to spend more time troubleshooting Password Safe SWT at the moment.
Back to Password Gorilla
Now it was time to see how this thing runs under GNU/Linux. Turns out to be very simple. There are just two files: the Tclkit supporting runtime and the application itself, which is a .kit file. Installation is as easy as renaming the files to tclkit and gorilla and putting them into /usr/bin, so that you can start it from the command line by typing “gorilla”.
I like the application. I’m always happy to find a well-written program that does what it’s supposed to do. The “lock when idle” for N minutes feature is available, although there doesn’t appear to be an option for “lock on minimize.”
I experienced some confusion over the difference between File » Preferences ... and Manage » Preferences ... until I read a note on the File menu version pointing out that it applies to new databases, while the Manage menu one applies to the database that is already open.
Both Password Gorilla and Password Safe SWT will overwrite the existing password without warning when you click on the “Generate Password” button.
Permissions Mystery (Now solved!)
Here’s something I ran into that I don’t understand, almost certainly because of my ignorance of Unix. It’s going to be challenging to manage the transition between these programs, since I’ll probably want to use Password Safe / Password Gorilla both in Windows and GNU/Linux while making the move. I saw some danger in modifying both and keeping them in sync. (Although now I see that the latest version has a “merge” feature that seems to work well.)
I experimented with changing the permissions on the GNU/Linux file to be read-only so that I wouldn’t accidentally update it. When I tried changing a value and saving it, it worked without a hitch. I looked and noticed the program had changed the permissions on the database file from 400 to 644. That seemed a bit presumptuous to me. Shouldn’t Password Gorilla complain that it can’t save the file instead?
Undeterred, I tried making root the owner of the file and setting permissions to 444. I could imagine that since I was the file owner and also was running the program, it had the authority to change permissions on it. But disturbingly, Password Gorilla was able to change the owner back to my regular user and the permissions back to 644.
So then I tried putting a root-owned, read-only file in /root. Now, finally, I was unable to save the file. It occurs to me that since I was the owner of the directory in the first couple of tests, Password Gorilla was somehow able to take over ownership of the file on my behalf.
But in another test, if I make root the owner of some file in my home dir, I can’t do chown scarpent:scarpent some_file. I can delete the root owned file, however.
Anyway, this is way off the password management topic, so enough said. I’m curious, but not enough to investigate further right now. Please leave a comment if you know something about it that I clearly do not.
Update, 20 April 2007: Frank’s emailed explanation:
Let me solve your permissions mystery first. For technical reasons, when you save your database, Password Gorilla writes everything to a new file first. It then deletes the original file, and renames the temporary file. This is done to avoid corrupting the file in case of error: if Password Gorilla started overwriting the original file, and then an error occurred (crash, disk full, etc.), you might be left with a corrupted file. By making the detour via a temporary file, you are always ensured to have a “good” copy in any circumstance.
Now, the new file is always created with permissions according to your current umask (usually 022, resulting in the 644 permissions that you eventually see). The original file’s permissions get lost when that file is deleted. Password Gorilla succeeds in deleting the file despite its read-only status, because the directory that contains it is writable.
Maybe Password Gorilla should proactively detect the original file’s read-only status, and refuse editing such a file. But then, I’d rather leave it to the operating system to sort out permissions. That would be another potential can of worms.
Sounds reasonable to me, and I agree with the philosophy of keeping things simple where possible.
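Frank’s explanation, as an added Python example that is not code from Password Gorilla: it reproduces the 400 to 644 change in a scratch directory, then shows the two defensive options his email raises, checking the original file’s owner write bit before editing and copying the original mode onto the temporary file before the rename. The file name and contents are constructed.

```python
import os
import stat
import tempfile

# Constructed stand-in for a Password Safe database; the real format is irrelevant here.
SAMPLE_DB = b"constructed sample database contents\n"


def owner_can_write(path):
    """The pre-flight check Frank mentions: inspect the owner write bit of the
    existing file instead of leaving it to the OS to reject the save later."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWUSR)


def save_replacing(path, data, preserve_mode=False):
    """Save the way Frank describes: write a new file beside the original, delete
    the original, then rename the new file over its name. Returns the resulting
    permission bits. The new file is created as 0666 & ~umask, which is why a
    400 file comes back as 644; preserve_mode=True copies the old bits across."""
    old_mode = stat.S_IMODE(os.stat(path).st_mode)
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)  # umask applies here
    try:
        os.write(fd, data)
        os.fsync(fd)
    finally:
        os.close(fd)
    if preserve_mode:
        os.chmod(tmp, old_mode)
    os.unlink(path)    # works on a 400 file: deleting needs write on the directory, not the file
    os.rename(tmp, path)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Reproduce the 400 -> 644 observation, then the mode-preserving variant.
    Returns (owner_write_bit_set, plain_save_mode, preserving_save_mode)."""
    prev_umask = os.umask(0o022)  # the usual default Frank refers to
    try:
        with tempfile.TemporaryDirectory() as d:
            db = os.path.join(d, "passwords.dat")
            with open(db, "wb") as f:
                f.write(SAMPLE_DB)
            os.chmod(db, 0o400)             # the read-only guard the post tried
            writable = owner_can_write(db)  # False: a saver could refuse to edit here
            plain = save_replacing(db, SAMPLE_DB + b"edit 1\n")
            os.chmod(db, 0o400)
            kept = save_replacing(db, SAMPLE_DB + b"edit 2\n", preserve_mode=True)
            return writable, plain, kept
    finally:
        os.umask(prev_umask)


if __name__ == "__main__":
    w, p, k = demo()
    print("owner write bit: %s, plain save: %04o, preserving save: %04o" % (w, p, k))
```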
Password Safe, Version 3
Password Safe is a static app for me — it does what I want just fine and I don’t really need all the additional features they’ve been adding. I see that the 2.06 version I’ve been using has been out since 2004, and I haven’t felt deprived at all by using it. I’ve now subscribed to the release announcements to keep an eye out for security problems, but I really don’t need the new features.
However, they’re kind of cool. They continue to improve the interface and add interesting features. (At the expense of some increased complexity, which I don’t mind. It’s still easy to use and intuitive, in my opinion.)
I saved a v3 file from the latest version (3.06), and tried opening it in Password Gorilla, which complained about an unknown option and would not open the file. Rats. I exported to a v2 file and the Gorilla opened it ok. So that will probably work, if I don’t start using/relying on the new v3 features like password history. Since I’ve already been using the notes field for that purpose, I won’t miss it that much.
Update, 20 April 2007: This was the part that Frank was concerned about. He asked me for a sample database file with the error that he could use for testing, but I couldn’t reproduce it.
A couple of weeks went by and he asked if I might create a copy of my password database, empty it out, change the password, and send it to him. I was impressed that he really cared about fixing this potential bug in Password Gorilla. I was too cautious to send my file out this way, but I was inspired to experiment until I finally found a way to reproduce the error.
It happened when I had a database where the password generator was set to use 33 characters. That wouldn’t open in Gorilla. 32 characters worked fine. Frank quickly identified it as a bug in Password Safe 3.0.6 and 3.0.7 and reported it to the Password Safe developers along with a suggested fix, which Rony Shapiro just as quickly implemented.
Ah, the beauty of free and open source software development! For now, I can live with 32 character random passwords. For later, it’s good to know that Password Gorilla is actively maintained.
I had written that I’d keep an eye on the SWT java port and possibly switch if they make it as pretty and functional as the current Windows version, but now I feel more loyal to Password Gorilla. I really don’t need any more bells and whistles on this one. A password program only needs to do so much. Thanks again for your help, Frank!
* Licensing Questions
It can be difficult to find clarity on the license for free/open source software projects. Apparently the original Artistic License was judged too vague by the Free Software Foundation to be called a free (as in free speech) license. There is a “clarified” Artistic License that is considered to be a free license. There is also an upcoming Artistic License 2.0 that is free and also compatible with the GPL.
Looking at the SourceForge project page for Password Safe, it links to an opensource.org license page that looks to me like it might be the original Artistic license. (It differs from the clarified Artistic License linked to from the FSF page.) Let’s hope the program is truly free; I’m confident that was Schneier’s intention. The terms are good enough for my purposes at the moment.


6 Comments
It is a pity that “pwsafe”, the CLI application, cannot open Password Safe datafile version 3. There are only GUI applications for UN*X-like OS :(
7 December 2007 at 6:51 am
Have tried password gorilla on new mac running osx 10.5.2. It is quite unstable, quitting at short random intervals or using help or browse key. Please help.
len
1 May 2008 at 12:04 pm
Hi, Len. I have no idea what kind of Mac-specific issues you might be seeing, but I’d take a look at which Tclkit you’re using. Maybe there’s a newer one, or maybe the one you have is for a different platform.
1 May 2008 at 4:13 pm
Jakub, for CLI access to Password Safe v3 files on UN*X, I found the Perl module Crypt-Pwsafe solved my problem. A simple wrapper script can be used to call the module itself and display the password for a given key.
Hope this helps
- Paul.
1 July 2008 at 4:38 am
Hi Len,
I am supporting Frank with the Mac version of P.Gorilla. Unfortunately there were compatibility issues in TCL with Leopard. This has been solved. The browse bug does not come up in the current version anymore.
…
Marcel
17 October 2008 at 1:14 am
Thanks for the writeup! I know it’s a little dated by now, but still useful. I’m searching for a good solution, and still haven’t found exactly what I’m looking for.
For those who are still wondering about SWT, it is indeed the “Standard Widget Toolkit” developed by IBM for Eclipse. It is a graphical toolkit – similar to Swing – however it was designed much more for speed, which was accomplished by using native operating system interfaces – thus, it requires a different implementation per operating system. SWT was specifically developed for writing the Eclipse tool, but it can be used inside or outside of Eclipse. You can find more on Wikipedia.
19 October 2009 at 11:37 am