Updated 20 April 2007: Password Gorilla’s author, Frank Pilhofer, contacted me to clarify how permissions work and to investigate the problem I was seeing. Talk about great customer service! See update notes below…
I’ve been using Password Safe in Windows for many years to manage my passwords. It seemed credible to me because it was originally designed by Bruce Schneier and made by his company, Counterpane Systems. It uses either the Twofish or Blowfish block cipher, depending on the version. I respect Bruce’s knowledge and opinions on security and figured it would be a robust application, free from obvious security flaws.
And it was free for use. As in free beer. At some point it was released under the free and open source Artistic License* and a thriving development community has developed around it, regularly releasing new versions with scads of new features and user interface improvements.
I liked the simple interface of the original program and also the improvements made for version two which allowed for better categorization of logons. It has some nice features like locking on minimize or after some number of minutes idle. (In the process of writing about this, I finally got around to updating to version three and it has several new features also.)
In the past few months I had checked for GNU/Linux versions of the software and saw that while there were none at the time, there were other projects that used the same file format, so I was hoping I’d find a suitable program and that it would be easy to switch. And now’s the time, I guess.
I looked at Password Gorilla first. It is based on Password Safe and runs on GNU/Linux, Windows, and Mac. It uses the GPL v2 license. Since it still feels easier/more comfortable for me to install things on Windows, and since my Password Safe file is on my Windows machine, I tried that version first. It’s simple — a 1.5MB single file. No installation, really.
It worked just fine. It opened my 39KB v2 file that has over 200 entries with no problem, although it was slower at opening the file. It looked a lot like Password Safe without a toolbar. Just what I was looking for.
Password Gorilla looked pretty good, but how healthy and robust is the user community around it? It’s hard to tell from the home page how many people are involved. I typically want to adopt free programs that are well-established and have a large group of users and preferably more than one developer working on them. This is so that if a key developer is unable or unwilling to keep maintaining it, there is a better chance that someone else will step up. And in the case of security/crypto applications, I think it’s even more important to have enough people poking around in a program to uncover possible weaknesses.
In this case, the project home page looks well done and the program was updated as recently as summer 2006 to support the new v3 file format, so I’d be inclined to use the program. I also like the help page that goes into some of the risks involved. These are things I’m already aware of, but I think it’s refreshing that a page has been provided to help educate people on these things. So I had a warm fuzzy feeling about the program, but as I was evaluating my options, I noticed from the Password Safe SourceForge project page: