When it comes to logins and passwords most, if not all, security sites tend to repeat those two important tips:
“use a two factor authentication, if available” and “use a different password for each different site/service”.
While for the first tip I can’t help too much since every site use a different type of authentication (some by text/sms, some by using a one-time password generator, some with a time based generator) I can tell you how I deal with the second one.
How do I use different password on different websites and how do I remember them all?
The answer is simple: use a password manager.
Now, the one included in browsers are sufficient for self use, but they are still somewhat vulnerable. For example if you store them in Firefox and your colleagues/family/friends have access to your computer, they can simply open Firefox and see your passwords with some easy steps. Same goes for Chrome and similar. I usually use those two browsers only on all operative systems, but the same applies for other browsers.
My family won’t steal my passwords!
When it comes to passwords, trust no one. If it’s a family computer and the same user account is shared between multiple people, you can’t know who is gonna use it. Your parents friends, your we-see-once-a-year cousin, your 14 year old sister’s boyfriend may have full access to it. You don’t want this to happen.
So, how do I protected my passwords?
Yet again, the answer is simple: password protect them.
Enter KeePass, the best (my opinion, ymmv) password manager out there. Do you know the best part about it? It’s 100% free and licensed under open source GPLv2.
Continue reading to learn more about KeePass and how it can help you protect your passwords.
Part 1: first steps with KeePass
What is KeePass and how does it work?
KeePass is a password manager, it stores your passwords in an encrypted database file, keeping them safer. It can lock itself when you minimize it, so other users cannot access it even if you left your pc on and logged in. It can generate random passwords for you, so you can have a new password for each site you register to. By default it works on PCs only (anything running .NET2.0 or Mono 2.6 at least: Win, Linux and OSX), but there are plenty apps for iOS, Android and WP8.
Let’s see how to get started. First thing to do is going to the download section of KeePass site. Donwload the Professional Edition (version 2.26 at the time of writing). Downloading the exe installer or the portable zip file is up to you, my suggestion always go for the zip file. If you decide to store the databases on your USB stick, you can also store the application on the same stick.
After you have installed/unzipped, launch the .exe. You will come to this window
Go to File -> New Database and select a database name and where to store it, a new window will appear
I recommend checking both Master Password and Key File. If you select both, to open the database users will be prompted to type the password and to link to the Key File. We are actually using a two factor authentication to access this database, meaning that if you forget the pass or lose the key file, you will never be able to open the database again. I suggest to not use Windows User as it will lock the database on different devices.
A good password is something rather complex YOU will remember (or remember how to get it) and other people shouldn’t be able to guess. Your or your daughter birthday is dumb, your car license plate is dumb, WifeNameIloveYou is really dumb.
A good system for creating a complex password is using a phrase you can easily remember, like a film or song quote. In this example I’m using the first two sentences from a Monthy Phyton and The Holy Grail quote.
First shalt thou take out the Holy Pin. Then, shalt thou count to three.
I’m not telling you to use the entire phrase, it will take ages to type it everytime, but to extract a password from it. In this example the password will look like this
Make sure to include special chars like punctuation and to use numbers or hacky numbers (eg: to = 2, E = 3, S = 5, skate = sk8, etc). KeePass will show you an estimated quality value, the higher the better.
For better result, nobody should know about the fact you like this particular quote. Being paranoid is always better.
You can click the button with three dots to show hide your password.
Key File / Provider
A Key file locks the database exactly like a password. If an user can’t point the program to where the file is, KeePass will not unlock the database. Make sure you don’t store it in the same directory as the database file. You can create one or use any existing file, in the image above I was using a .jpg file, a photo with my dog Ariel and me.
If you prefer you can generate it by pressing create, it will prompt where to save it and open another window
To generate a file, you can move you mouse in the left field and type/paste some junk text in the right area.
NOTE: You can move your file on different folder and/or drives to keep it more secret but it is mandatory that you NEVER modify the Key File. Doing so will cause KeePass to not load your database.
After you are done setting you password/keyfile, press ok and let’s see the next window
Name your database and press OK.
You can explore and look at the other tabs, default values are usually good for most setups.
As the database loads, you will see two example keys, delete them by right-clicking -> delete or selecting them and pressing DEL.
We just learned how to delete entries, proceed to next page to learn how to create and use them.
Registering to a new site and storing the password
Note: Adding your existing accounts to KeePass is 99% similar to this process, I will not make a separate guide for that.
If you use the web you will most likely use social network. We will make our example by creating a Twitter account and storing the user and password into the Internet section.
Click on Internet section on the left and the on the Add Entry button (yellow key with green arrow icon, alternatively you can press Ctrl+I).
As you can see the program creates a new empty entry, with a pre-generated password. This comes useful when you are registering to a new service, as you will have to fill the username box and copy that generated password into the service registration form.
Title this will be the name showed inside the KeePass app, use something short and clear, “Twitter” is the simples option.
Icon usually every new entry inherits the section’s icon, you can change that for one that describe the site better.
User Name let’s suppose you are registering as ExampleTwitterUser.
Password and repeat password pre-generated by the program. If you are adding your existing account instead, you can delete the pre-generated values and type in your current password.
URL the url of the site, or the url of login page. In this case https://twitter.com/.
Notes self explaining. You can write here whatever you want, from a referrer code, to a comment like “It’s a social site”.
Press ok and we are done for now. You can explore other tabs if you want, but you will find nothing useful for casual use.
Let’s open Twitter then, right click on Twitter entry -> URL -> Open (or select and Ctrl+U) will open you default browser at that page. In the signup section, write
Type in the signup User and email.
Now get back to KeePass, select your twitter entry and press Crtl+C, the password will be copied to your clipboard, with a (default) 12 second timer. Click back to you browser window, click on password field and press Ctrl+V. Et voilà! You actually used a password without typing or even knowing its contents.
Another good feature about KeePass is that not only you won’t have to remember your passwords but you actually don’t need to ever read one.
Another awesome feature about KeePass is auto-typing. Using it is super simple: go to login page, click on user box (withouth typing it), bring to front KeePass, select the site credentials you want to use and press Ctrl+V, KeePass will take care of logging.
To further increase the security offered by KeePass, you can literally lock the application to prevent unwanted eyes on your passwords. In the top menu go to Tools -> Options, the first tab that open it the one we’re looking for: security.
In my screenshot example every time I minimize KeePass or I leave it open for too many minutes, KeePass gets in a locked state, meaning that both master password and key file are required to unlock and access my passwords again.
Depending on the location and use of the PC you may want to use different lock options, like always exiting instead of locking if you are using a shared computer/user account.
Why is it important to use different passwords?
Passwords gets stolen every day. From social networks, from online games, from banks, from ecommerce sites, from every place that has a login.
If one account is compromised, every other one that is sharing the same user/mail and password combination is compromised too. This means a cracker can get into your email to send spam or to read your mails and stole other account registered using that email. Most of the time is annoying (like a cracked social network account), but in some cases it might get bad (cracked homebanking).
Why do you think KeePass is the best password manager?
First off I’m a big fan of open source software, the best part about open source software is that anyone can improve the code, in this case anyone can improve the encryption algorithm.
Another good point is that you are in charge of storing this database file. Everything can be hacked, but some other password manager offer online services that are stored somewhere with public access, while a file on your PC or an USB stick cannot be accessed from the web.
Still it’s my personal preference, if you don’t like KeePass there are a lot alternatives, it just happens that I like and use this software.
Is it 100% safe? Can you store all the passwords there?
No and no. As I said before, being paranoid is better. Even if you try 100% to keep stuff safe, the database might still be stolen. For security reasons, I don’t store my homebanking and PayPal passwords. There is some sensible saved data like my national health service number, but the best crackers can get is when I got my lower back surgery.
Can I synchronize it across devices using Dropbox or similar?
Yes, but make sure you don’t sync it along with the Key File.
Since the key file MUST NOT be modified after database creation, you can manually copy it in a secret location on each device and then start syncing the .KDBX database file using your beloved sync application.
Are you that paranoid in real life too?
Depends on the matter, usually yes. Passwords is one of those matters.