Monday, November 07, 2005

Why (and how) I use a password manager - KeePass

I often find myself telling my friends why they should use a password manager and how it should be set up to make it work at its best.

Why:
  • you shouldn't use short and simple passwords or, worse, the same password for every account: a password manager helps you handle (and create) many truly random passwords and passphrases you won't need to remember; the only thing you have to learn is one master password that unlocks your database;
  • even if your passwords are strong enough (well, in this field 'enough' is a nonsense) and you have a good memory, a keylogger (in an internet cafe, or lurking on a friend's computer) could easily record your keystrokes and steal your login data: some password managers come with an auto form-fill feature that recognizes the site you're on and performs the login for you. One caveat: Auto-Type sends the credentials as simulated keystrokes, so a keylogger running on that same machine can still record them; the feature saves you from typing, but it is no substitute for using a clean machine. Oh, in case you're wondering, many tools are protected against clipboard spies too.

What:

I've tried a good part of the password managers out there, and I've always gone back to KeePass.
Why? (see also the feature list):

  • It's OpenSource: for me this is a condicio sine qua non. If I'm to entrust my personal data and keys to an application, the tool must be as transparent as it could be. I simply couldn't live with the worry of a hidden backdoor;
  • It's standalone: you won't need to install it on your system;
  • It supports the AES and Twofish algorithms for encrypting the database; the master password itself is never stored: it is hashed with SHA-256 (together with the key file, if you use one) to derive the database key;
  • Passwords are protected against clipboard spies;
  • It supports key disks: KeePass generates a key file you can put on a USB stick or floppy and use the drive as a physical 'key'. You can even require a master password and a key disk at the same time, for maximum protection; a key file is only a real second factor if the drive stays out of the computer when you're not using it, so keep it with you and keep a backup of the file somewhere safe;
  • The auto form fill feature works like a charm and it's easy to set up;
  • A Pocket PC version is available too;

How:

Let's try the tool:

  1. download KeePass and unzip the file somewhere on your system;
  2. Set the master password: once the program is launched, go to File -> New Database and you'll be prompted for a master password. Enter one of your choice, or click "Generate One" to let KeePass create it for you (see pic); you can still choose the length and the character set, and the "collect entropy" option adds extra randomness to the generated key. A quality meter shows in real time how strong your password is. At this stage you can also have KeePass generate and use the optional key file: check the appropriate box and select the drive where the file will be saved (see pic);
  3. Open the database: File -> Open Database (or Ctrl+O, or the usual yellow folder icon on the toolbar); select the database (in the Options panel you can set KeePass to remember the last opened database) and type the master password (and, if you use one, select the key-file drive); optionally, in the Options panel, you can set an expiration date for the master password;
  4. Add entries: Edit -> Add Entry (or Ctrl+Y, or the 4th icon on the toolbar); select a group for the entry (e.g. Internet, Homebanking, E-mail) from the dropdown menu; fill in the form with title, user name, URL and password (generated the same way as the master password); as before, the quality meter is a good reference point (see pic);
  5. Set the Auto-Type feature: in the Notes field, type Auto-Type-Window: word* (where 'word' is the first word in the title bar of your browser when you're on the login page of your choice: for blogger.com, for example, the line is Auto-Type-Window: Blogger*; the asterisk is a wildcard); you can also define any number of custom fields and sequences of entries, TAB and Enter keys; for further explanations, click 'URL' and 'Auto-Type' beside the 'Notes' field;
  6. Click OK, then the floppy icon on the toolbar (or Ctrl+S, or File -> Save Database);
  7. Now browse to the web site you want to log in to, place the cursor in the first field of the login form and press Ctrl+Alt+A: KeePass will find the entry whose Auto-Type-Window matches the window title and type the user ID and password that belong to that site;

IMPORTANT: Remember that if you lose the master password, the database file or the key file, your passwords are LOST forever: there is no recovery mechanism, by design, so back up the database and the key file!
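To make the procedure concrete, here is an added Python model of the pieces of the workflow above (this is not KeePass's own code): a generator that reports the entropy figure a quality meter shows for a generated password, a simplified version of the master-password plus key-file derivation (hash each part, concatenate, hash and stretch; the real KeePass 1.x stretching is AES-based, so the iterated SHA-256 here is a stand-in), and the Auto-Type-Window matching from step 5. The entry list and the key-file bytes are constructed sample data, and all function and set names are ours.

```python
"""Added model of the KeePass workflow described above (not KeePass's own code)."""
import fnmatch
import hashlib
import math
import secrets
import string
from typing import Optional

# Character sets the generator may draw from (assumption: the set names are ours,
# the idea of choosing length and character set is from step 2 of the how-to).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
DEFAULT_SETS = ("lower", "upper", "digits", "special")


def generate_password(length: int, sets=DEFAULT_SETS) -> str:
    """Uniformly random password over the union of the chosen sets.
    `secrets` is the CSPRNG; never use `random` for this."""
    alphabet = "".join(CHARSETS[s] for s in sets)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, sets=DEFAULT_SETS) -> float:
    """What a quality meter reports for a *generated* password: log2(|alphabet|^length).
    For a human-chosen password this is only an upper bound; real meters apply heuristics."""
    alphabet_size = sum(len(CHARSETS[s]) for s in sets)
    return length * math.log2(alphabet_size)


def make_key_file() -> bytes:
    """The 'key disk' contents: 32 random bytes written to the removable drive."""
    return secrets.token_bytes(32)


def composite_key(master_password: Optional[str], key_file: Optional[bytes],
                  rounds: int = 6000) -> bytes:
    """Simplified model of the KeePass 1.x key derivation: SHA-256 of the password,
    SHA-256 of the key file, concatenated, hashed again and then stretched.
    KeePass stretches with AES rounds; iterated SHA-256 is a stand-in here.
    Either input may be omitted, but at least one is required, and losing
    any part you used means a different key and an undecryptable database."""
    if master_password is None and key_file is None:
        raise ValueError("need a master password, a key file, or both")
    parts = b""
    if master_password is not None:
        parts += hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    key = hashlib.sha256(parts).digest()
    for _ in range(rounds):  # key stretching to slow down brute force
        key = hashlib.sha256(key).digest()
    return key


# Constructed sample entries; the Notes field carries the Auto-Type-Window line from step 5.
SAMPLE_ENTRIES = [
    {"title": "Blogger", "user": "carlo", "notes": "Auto-Type-Window: Blogger*"},
    {"title": "Bank", "user": "carlo42", "notes": "Auto-Type-Window: My Bank - Login*"},
]


def entry_for_window(entries, window_title: str):
    """Pick the entry whose Auto-Type-Window pattern matches the active window
    title; '*' is a wildcard, matching is case-sensitive like the title itself."""
    for entry in entries:
        for line in entry["notes"].splitlines():
            if line.startswith("Auto-Type-Window:"):
                pattern = line.split(":", 1)[1].strip()
                if fnmatch.fnmatchcase(window_title, pattern):
                    return entry
    return None


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"generated master password: {pw} ({entropy_bits(20):.1f} bits)")
    kf = make_key_file()
    full = composite_key(pw, kf, rounds=100)
    # Without the key disk (or with a wrong password) the key does not match.
    assert composite_key(pw, None, rounds=100) != full
    assert composite_key(pw + "x", kf, rounds=100) != full
    match = entry_for_window(SAMPLE_ENTRIES, "Blogger: Sign in - Mozilla Firefox")
    print("auto-type would use entry:", match["title"])
```

The last assertions in the demo are the point of the IMPORTANT note above: the database key is a function of every factor you configured, so a missing key file is exactly as fatal as a forgotten master password.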


4 Comments:

  • Awesome article! You are tempting me to get rid of my old freeware version of AI Roboform.

    Clif
    http://clifnotes.net & http://clifnotes.tk
    Devoted to promoting Freeware and Free Information

    By Blogger Clif, at 01:19  

  • I just mentioned keepass in my short list of things people should do to have safer computing - check out:

    http://blog.monkeywork.net/2006/01/17/safer-computing/

    By Anonymous Anonymous, at 01:38  

  • What happens if you already have a keylogger when you set the master password? ;)

    By Anonymous Anonymous, at 16:52  

  • The beauty of KeePass is that the master password is completely useless without the Key-file! ;) In a strong configuration you need both in order to access the keys :)

    If you opt to rely just on the master password/passphrase, you'd better - as always - make sure to set it on a clean machine.

    By Blogger Carlo, at 21:07  
