How to protect your passwords with KeePass

How to protect your passwords with KeePass
KeePass is an open source password manager that aims to take the hassle out of logging in to websites

How many passwords do you rely on every day to live and function online? Think hard about all the accounts you have to log into – we're sure it reaches a dozen, including news sites, forums and others.

Do you leave them all logged in or do they generally all have the same password?

It's an uncomfortable question, because password management skills are something to which most of us would rather not draw attention. People in offices, for example, often write passwords on whiteboards.

The need for passwords is a problem that won't go away, but as we've seen recently, some cross-site scripting vulnerabilities rely on you leaving yourself logged into online accounts to do their fiendish work.

Luckily, there are ways of securely and portably managing all of your essential passwords. Why passwords?

Passwords have been around since antiquity. Guards would challenge people trying to enter restricted areas and only let them pass if they knew that day's word – hence the term. Used correctly, they're still an excellent method of securing access to resources.

The problem is that the need to remember so many of them means vulnerabilities quickly creep in. Today we have so many passwords and there are so many people trying to gain access to them that using some form of password management tool is becoming essential. The results of not doing so can be embarrassing to say the least.

How many times have you seen Facebook friends post shocking status updates, only to discover that a friend or family member had taken advantage of the logged-in account for a laugh? Beyond the embarrassment, reputations and even whole identities can be taken, and the rightful owner locked out, simply by changing the password on an account that's been left logged in.

Management tools

There are several excellent password management tools that will help you keep track of all the passwords you need for life online. They fall into four basic categories.

First, there are those that store your passwords securely on a local storage device and let you access them via a secret master key.

Next, there are those designed to run on mobile devices, such as smartphones. With the rise of cloud computing, there are now several password managers designed to follow you anywhere, which are accessed through a web interface.

Finally, there are hardware password management devices integrated into services, such as those used by banks which generate complex sequences of challenge and response codes to authenticate you.

What all these password managers have in common is the simple requirement to remember a single, master password that grants access to all the credentials they store. Many password managers will even fill in web forms for you, making login procedures more convenient.

Introducing KeePass

avast

ANTI-VIRUS WARNING: Opt to run KeePass normally, otherwise the database won't be saved

KeePass is a free password tool used by millions of people every day. More importantly, it's open source.

Where your passwords are concerned, this is a good idea because it means that anyone can inspect the source code, compile their own executable and be sure that no keylogger or malware is lurking and skimming off their credentials.

KeePass is available from http://keepass.info. Click the link to download Portable KeePass Version 2.17 (the stable edition). This requires no installation and will let you store passwords on a USB stick. This in turn lets you carry your passwords around securely wherever you go.

Once the file is downloaded, open it and look at its contents. Drag and drop all the files onto a USB memory stick, then close the zip file to discard it.

To run KeePass, simply double-click KeePass.exe. After a few seconds, the interface appears.

The first thing we need to do is create a secure database to store our passwords. To do so, click File > New. Navigate to the USB memory stick, name the database if you like, and click 'Save'.

A new window appears. Enter a password in the 'Master password' input box. This is the password that will be used to encrypt the database and is the only one you'll need to remember. Make this as long and as varied as possible.

As you enter the password, KeePass will calculate its strength. Enter the password into the 'Repeat password' box then click 'OK'.

A new window appears allowing you to configure various database settings. The defaults should be fine for the moment, so simply click 'OK' to continue.

The main window changes to show two example password and username pairings. KeePass refers to these as 'entries'. In the left-hand pane are convenient groups into which your passwords will fall. You can rename these, delete them or create new ones by right-clicking this pane.

Add passwords

Keepass interface

STRENGTH RATING: Adding a password to KeePass lets you assess its strength

To add a new entry to a group, select the group then right-click the main panel and select 'Add entry'. A new window opens. Enter a title, username and the password.

Again, KeePass will judge the strength of the password for you. Enter the URL for the login page where the credentials will be used, and finally click 'OK'. Now save the database by clicking the floppy disk icon at the top.

The most immediate way to use usernames and passwords saved in the KeePass database is to click on one, then click its URL in the lower pane of the user interface to bring up the relevant login page, and finally drag and drop the username and password into the input fields of the website. You can also right-click an entry, select 'Copy username' or 'Copy password' and paste the text into the input box on the website.

Note, by default, you have 12 seconds before the clipboard entry is erased to prevent malware stealing the pasted credentials.

You can also have KeePass attempt to automatically fill in the username and password fields when you visit a website and want to log in.

To do so, right-click the relevant entry and select 'Edit/view entry'. This makes the same window appear as when you added the entry's details. Click the 'Tools' button at the bottom of the window and a small drop-down menu appears.

Then click Select field reference > In username field. A new window appears. Due to a glitch, you must select the entry you want to modify again. Click both the radio buttons marked 'Username' in the lower part of the window, then click 'OK'. Click 'OK' on the parent window.

When you select the entry in the main user interface, the details including the URL appear in the lower pane. As before, click the URL to bring up the login page.

Return to KeePass, right-click the entry and select 'Perform Auto-type'. Back on the login page, the username and password fields should fill themselves in and log you in.

Most login pages allow you to enter a username then press [Tab], enter the password, and finally log in by pressing [Enter]. This is also the default action of Auto-type.

If you need to add an extra tab between username and password for Auto-type to log you in properly, you can edit the sequence by right-clicking on the entry, selecting 'Edit/ view entry' and clicking on the Auto-type tab on the resulting details window. Click the 'Override default sequence' button and you can add a new '{TAB}' to the sequence.

Securing KeePass

Securing keepass

SIMPLE FORMS: You can make KeePass fill login credentials automatically by setting up the Auto-type facility

KeePass has a lot of options for customising its behaviour, chief among which are the security settings. To access these, click 'Tools | Options'. The resulting window has several tabs. Ensure the Security tab is selected.

The four most important checkboxes are at the top of the pane, and relate to the length of time before KeePass locks itself after periods of inactivity.

However, there are also some very useful options in the lower pane. Among these are the options for locking the interface and exiting KeePass instead of locking. These are very useful in situations where you need to get KeePass off the screen as quickly as possible and have it secure itself.

Also make sure you tick the box that locks KeePass if you suspend the computer. That way, if you're running it on a laptop when you're out and about, you can simply close the lid and the program will be locked and secure when you (or anyone else) next resume operation.

If you visit lots of websites every morning when you first boot up, you can also have KeePass run automatically when the current user logs in. On the 'Integration' tab, simply click the box marked 'Run KeePass at Windows startup (current user)'. If you use this option, you will have to remember to have your USB memory stick inserted when you boot up the computer.

Many of the other options might seem as if they've been included simply because they're possible, but lots of them are actually very useful. One such option is on the Interface tab. Clicking 'Drop to background after copying data to the clipboard' brings the window behind KeePass to the front. If this is your web browser, it's a convenient way of grabbing focus to paste a username or password into a website's login page.

keepass master password

MASTER PASSWORD: After you set KeePass to run at boot, the master password window should appear

So, KeePass can securely look after all your passwords, thereby requiring you to remember just one. It's easier to change just one password on a regular basis rather than needing to change perhaps several dozen, but change it regularly you must. In fact, you should do it every few weeks or so.

It's easy enough to do by going to File > Change master key. As long as you remember to take your USB memory stick with you, you will never forget the passwords to your accounts no matter where you are and no matter how many times you change their individual passwords.

-------------------------------------------------------------------------------------------------

First published in PC Format Issue 262