Locking Down Online Accounts – Part Two

Last week I wrote about increasing the security of select online accounts by turning on two-factor verification with those services that offer the option. This week I want to walk you through using a password manager to further protect all of your online accounts. Password managers help you do all kinds of important things: generate long, complex, random passwords meeting any criteria (length, allowed characters, etc.); use a unique password for every site (so that a breach at one service does not hand an attacker the password to your others); remind you to change your passwords regularly; expedite the log-in process; track all your accounts in one convenient location; and all you have to do is remember one master password. While it takes a little work to set up, it will save you tons of effort and heartache in the long run.

The following is a walkthrough of how to set up KeePass and use it to manage your online accounts. There are a few very sound password managers out there, but I like KeePass for the following reasons: it’s totally free, it’s open source, its database is encrypted with a well-studied cipher (AES-256) and its format is documented, it’s flexible and easy to use, and it’s available on every pertinent platform that matters to me (Windows, Android, Linux, iOS, Mac OS X, etc.) Want to know more? Check out their features page. First things first: you have to download KeePass. Whether using the Classic or Professional edition (depending on your operating environment), I recommend snagging the Portable version thereof. It’s always nice for things to be portable.

Next, unzip KeePass to wherever you’d like it to reside and then run KeePass.exe (double click the file with the nice icon of a lock in a blue circle).

When you first run KeePass, it will be very boring and look like this:

keePass1

To create a new password safe, click File and then New… The first thing you’ll have to do is pick a file location for your password safe to reside, and give it a name (default is NewDatabase). Next, you need to set the master password and/or create a key file to unlock the safe:

masterKey

The key for your safe is extremely important: if you lose it, there is absolutely no way to recover the contents of your safe. If you opt to only use a master password, make sure it’s reasonably long and complex, and that you will remember it. Write it down and put it somewhere safe. In addition to, or instead of, a master password, you can also create a key file. This is kinda fun, though if you go this route, you will need to keep that file safe, backed up, and accessible from wherever you want to access your account credentials (and if you use both, you need both every time you open the safe). The fun part is adding entropy:

keyFileCreation

You do this by using your mouse to twitch your pointer throughout the visual noise field and by tapping random keys. This information is then used to seed KeePass’s random number generator in the creation of your key file. Keen!

Okay, so now you’ve created the only password you’ll ever need to remember (until you change it!); next you can do some modest configuration to make your safe harder to guess open. To do this, go to the Security tab of this window:

creationStep2

The useful part here is that you can amp up the number of key transformation rounds. Every time the safe is opened, the master key is run through that many rounds of transformation, so each unlock costs that much CPU time, and, more importantly, so does each guess an attacker makes against a stolen copy of your safe. The round count is stored in the database itself and is not secret; its whole value is making every guess expensive. Click 1 second delay to get a count that takes about a second on your machine; multiply it by 3-10 to make things even more uncomfortable for ne’er-do-wells (going beyond this point may be slightly annoying for you each time you want to open or save your safe, and remember that a slower phone or old laptop will take proportionally longer for the same count).
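To make the trade-off concrete, here is an added example (not KeePass’s own code) of what the round count buys. Real KeePass transforms the composite key by AES-encrypting it with a random transform seed N times; this stand-in uses an HMAC-SHA256 round instead, which shares the property that matters: every unlock, and every attacker guess, must redo all N rounds. The `calibrate_rounds` function mirrors the 1 second delay button, and `brute_force_years` shows how the per-guess cost scales the attacker’s bill. The seed, password keyspace and guesser count are constructed for illustration.

```python
import hashlib
import hmac
import time

# Added example, not KeePass's own code: a stand-in for KeePass's key
# transformation step. Real KeePass AES-encrypts the composite key with a
# random transform seed N times; here each round is an HMAC-SHA256 instead.

SECONDS_PER_YEAR = 365 * 24 * 3600


def transform_key(master_password: str, seed: bytes, rounds: int) -> bytes:
    """Hash the master password, then push it through `rounds` keyed-hash rounds."""
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    key = hashlib.sha256(master_password.encode("utf-8")).digest()
    for _ in range(rounds):
        key = hmac.new(seed, key, hashlib.sha256).digest()
    return hashlib.sha256(key).digest()


def calibrate_rounds(target_seconds: float, seed: bytes, probe_rounds: int = 20000) -> int:
    """Time a probe run on this machine and return the round count that would
    cost about `target_seconds`: what the '1 second delay' button does."""
    start = time.perf_counter()
    transform_key("calibration", seed, probe_rounds)
    per_round = (time.perf_counter() - start) / probe_rounds
    return max(1, int(target_seconds / per_round))


def brute_force_years(keyspace: float, seconds_per_guess: float, parallel_guessers: int = 1) -> float:
    """Expected years to find the master password by exhaustive guessing: on
    average half the keyspace is tried, each guess paying the full transformation
    cost, with the work spread across `parallel_guessers` machines."""
    expected_guesses = keyspace / 2
    return expected_guesses * seconds_per_guess / parallel_guessers / SECONDS_PER_YEAR


if __name__ == "__main__":
    seed = b"\x00" * 32  # constructed; KeePass draws the real transform seed at random
    rounds = calibrate_rounds(1.0, seed)
    print(f"about {rounds} rounds cost ~1 s on this machine")
    keyspace = 36 ** 8  # an 8-character password drawn from lowercase + digits
    for factor in (1, 3, 10):
        years = brute_force_years(keyspace, 1.0 * factor, parallel_guessers=1000)
        print(f"x{factor} delay: ~{years:.0f} years for 1000 parallel guessers")
```

The output makes the point of the dialog: the multiplier you pick is applied to every guess the attacker makes, while you pay it once per unlock.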

Now you’re ready to go about adding keys (account credentials for the various sites and services you use) to your password safe. This is straightforward, and the really crucial part is updating your passwords for each service as you go and using KeePass’s generator to do this, so that each of your passwords will be unique and extremely strong.

Here’s how it works: first select the folder you want to create a new key in (Network, Internet, eMail, Homebanking, etc.)

Then click the key icon (under View). You should now see this window:

creatingKeys

For Title, enter the service you’re creating a key for (such as Gmail or Amazon). Under User Name, provide the ID or email address you use to log into the service. For URL, provide the address of the site or the specific log-in page if it has one. Now for the fun part: password generation! Click the shiny new key icon next to the Password field and select Open Password Generator.

passwordGeneration

The above settings are quite good for most purposes. Change your settings to something like those depicted above and click the save icon. Click the down arrow and select (Automatically generated passwords for new entries).

passwordProfile

This will now be your default password profile. You may run into some sites that have a shorter character limit or that won’t allow certain types of characters; you can always go into the password generator and nerf the settings to match their weaksauce security restrictions as required (keep the password as long as the site allows, since every character you drop costs entropy). What do these spiffy passwords look like? Here’s a preview shot:

passwordGeneration2

Very nice! F#pogn, indeed.
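As an added example (not KeePass’s own code), here is a profile-driven generator that does what the dialog above does: draw uniformly from the allowed character classes using the operating system’s CSPRNG, require every selected class to appear, and let a site’s restrictions (a length cap, forbidden characters) be expressed as a separate profile. It also reports the entropy of a profile so you can see what a site’s restrictions cost. The profiles in the usage block are constructed for illustration.

```python
import math
import secrets
import string

# Added example, not KeePass's own code: a profile-driven password generator in
# the spirit of the KeePass password generator. A profile names the allowed
# character classes, the length, and any characters a particular site forbids.

CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}

DEFAULT_CLASSES = ("upper", "lower", "digit", "special")


def class_pools(classes=DEFAULT_CLASSES, exclude=""):
    """Per-class character pools with the site's forbidden characters removed.
    Refuses a profile in which a required class has nothing left to draw from,
    because such a profile could never be satisfied."""
    pools = {}
    for name in classes:
        pool = [ch for ch in CLASSES[name] if ch not in exclude]
        if not pool:
            raise ValueError(f"class {name!r} is empty after exclusions")
        pools[name] = pool
    return pools


def generate(length, classes=DEFAULT_CLASSES, exclude="", require_each=True):
    """Draw `length` characters uniformly from the allowed alphabet with the OS
    CSPRNG. With require_each, redraw until every class appears; rejection
    sampling keeps the result uniform over the passwords that satisfy the profile."""
    pools = class_pools(classes, exclude)
    alphabet = "".join("".join(pool) for pool in pools.values())
    if require_each and length < len(pools):
        raise ValueError("length is too short to include every class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or all(any(ch in pool for ch in candidate) for pool in pools.values()):
            return candidate


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a password drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Default profile: 20 characters from all four classes (94 symbols).
    print(generate(20), f"{entropy_bits(20, 94):.1f} bits")
    # Constructed restriction: a site capping passwords at 16 characters, no symbols.
    print(generate(16, classes=("upper", "lower", "digit")), f"{entropy_bits(16, 62):.1f} bits")
    # Constructed restriction: a site that rejects quotes and backslashes.
    print(generate(24, exclude="'\"\\"), f"{entropy_bits(24, 94 - 3):.1f} bits")
```

Save the restricted profiles under the site’s name, the same way the dialog lets you save a named profile, so that the default profile stays at full strength for every site that accepts it.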

Okay, so that’s how you automate strong password generation; now for an obvious, yet important point: this isn’t actually your password until you change it with the service provider (Gmail, Amazon, etc.) So for accounts where you’re not just signing up, you will need to sign in and change your password to what you’ve generated in KeePass. While you have the Add Entry screen open, you can click the ellipsis button to view your generated password in the clear, allowing you to copy and paste it into the site (we’ll look at easier ways to log in shortly).

passwordGeneration3

You can also designate expiration dates for your passwords. This will remind you to change them regularly, and it is a handy prompt to rotate a password after a service announces a breach. Now that you’re done, click OK.

Lather, rinse, and repeat, until all of your online accounts have been added to your password vault, and all with strong, randomly-generated, long, complex passwords.

Now that you have that accomplished, let’s get to the best part–using your keys! Here’s a view of a folder with a couple email account keys in it:

aCoupleOfKeys

There are some really useful things you can do from here. If you right click anywhere on a key’s entry, you will get options to do things like open its URL with the browser of your choice, copy your username or password to the clipboard (this data is automatically erased from the clipboard after 12 seconds, by default), or better still, Perform Auto-Type, which types your username and password into the log-in screen for you.

Self-destructing passwords!

Outstanding. You can also double click the various fields to different ends: if you double click the URL field, the website will open in your default browser. If you double click the User Name or Password for a key, the corresponding information will be copied to the clipboard for 12 seconds, so you can paste it elsewhere. If you double click the title of a key, you’ll open it up for editing, just like when you created it.

When you close KeePass, you’ll see the following prompt:

closingAndSaving

If you haven’t previously saved your keys, definitely do so now. If you’d like, you can make this the default behavior.

Now, this is all well and good for the machine you created your password safe on, but how do you go about accessing your accounts on different machines? You have options. KeePass is a portable application, so it can be run from a flash drive; you can throw your safe and the program on a little USB drive and carry it with you wherever you go. I wouldn’t recommend having your only copy on a flash drive, though, as losing it would be costly; keeping multiple copies of your database this way can be awkward, too, as you want to make sure that you’re always carrying an up-to-date copy. Not ideal in some regards, but it certainly can work and it’s very safe.

What about using cloud storage? This is actually a pretty comfortable option; KeePass is designed with this possibility in mind. If your cloud storage account has two-factor verification enabled and a very strong password, unauthorized access to your safe becomes much harder. Moreover, the safe itself is strongly encrypted, so even if anyone does get hold of the file, they’d still need your master password and/or key file to make use of it. That is exactly the scenario the key transformation rounds are for: whoever obtains a copy of the file can guess at it offline, so the strength of your master password and the round count are what protect you if the cloud account is ever breached. Incidentally, the integration with DropBox is functionally ideal. Since KeePass is a portable app, you can also just throw it in a folder in DropBox and run it from there.

I mentioned earlier that KeePass works with mobile devices; here are the download links for the apps on all supported platforms. If you are using DropBox and have the app on your phone or tablet, you’ll be in wonderful shape.
