rikosjett


Password management with Keepass

Published at 26 March 2014

#Utilities#Security

Most internet users are probably aware that they should create complex passwords for the online services they use, even though articles regularly appear telling us that we are not very good at doing just that.

The issue is often that passwords we humans perceive as complicated may not take long for a computer with the right tools to crack. Moreover, “complicated” passwords are often very hard to remember, which in turn increases the chance that we take less wise shortcuts to make things easier for ourselves, for example by using the same password on every website. And from time to time a “scandal” breaks where some well-known company has had its user database compromised.

But what can one do? This is how I try to handle the challenge.

Is there a miracle cure?

If you’re extremely disciplined and have a good memory, you can, of course, use tips found online to create good passwords.

I quickly recognized my own limitations, however, and therefore searched for a technical solution in the form of a so-called password vault. Simply put, this refers to a program or a service that generates and stores strong passwords that are hard for computers to crack. I’ve previously used both the online service Lastpass[Multi-platform] and 1Password[Mac,Win,iOS], but finally landed on a solution called KeePass. This is an open-source solution that offers many possibilities through support for many platforms, and at a price that’s hard to compete with. It should be mentioned that Lastpass is also free in the basic version, but when I want to take extra care of security, I prefer the control to lie fully and completely with me.

So, what’s the deal with KeePass?

[Image: Keepass]

  • It has an encrypted database, which means that passwords are unreadable to unauthorized parties.
  • Supports both master password and key file, or both used together, for increased security during encryption and decryption.
  • Can be used as a portable Windows application, meaning it can be run from a USB stick if desired.
  • Multi-platform. Supports Windows, Mac, Linux, iOS, Android, and many more (http://keepass.info/download.html).
  • Can automatically fill out text fields and dialog boxes.
  • Generates very strong passwords for you when you need it.
  • Supports plugins, which further extend functionality.

Ok, what do I do?

[Image: Generate random seed]

The short version is as follows:

  1. Download KeePass from their website (http://keepass.info/download.html). You’re looking for the one called Professional Edition (version number 2.25 or higher), and can choose between “Installer” (installed on the computer) and “Portable” (run from a removable USB stick). I’m basing this on the Windows version, installed on the computer.
  2. Find the downloaded file (KeePass-X.XX-Setup.exe, where X.XX is the version number), and double-click to install. Follow the instructions throughout the entire process.
  3. Start KeePass. You will now create a new database by clicking on the icon of a white square with a star in the lower right corner. Give the database a file name and save it where you want. For extra security, this could, for example, be done on a separate USB stick.
  4. The next window you encounter is where the basis for secure storage is laid. Here, you should enter a secure master password, which is the only password you MUST remember. If you forget it, your passwords are, for all practical purposes, lost. You get an indicator of the password quality below the text field, and here you just have to use all the tricks in the book. To increase security further, you can create a key file by checking “Key file / provider”, and pressing “Create”. You then have to give the key file a name and save it at a location of your choice (which you obviously have to remember). For extra security, you can save this on a separate USB stick, separate from the database.
  5. Follow the instructions about moving the mouse pointer over the image of noise, and type random characters into the text field. Below the image, you can see how much random data it has collected for the key. This key file will, together with your password, make your database practically uncrackable (note that it can theoretically still be cracked, of course). [Brute force hacking attempts on KeePass files – Youtube]
  6. In the next window, you can give the database a name, write a short description, and enter a standard username it should use when creating new entries.
  7. When the new database opens for the first time, it’s filled up with some standard entries. You can delete these if you wish.
  8. IMPORTANT! Go to the “Tools” menu and choose “Options”. Select the “Advanced” tab, and check the box for “Automatically save when closing/locking the database”. It’s extremely important that the entries you create are actually saved in the database, so you can find them again later. Also, make it a habit to save every time you change an entry.
  9. Click on the icon of a key with a green arrow to create a new entry. Give the entry a title, a username, and a URL. The password is generated automatically. Press OK and save the database.
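To show what the master password and key file from the feature list and from steps 4 and 5 actually contribute, here is an added example (written for this post, not KeePass’s own code) of how KeePass 2.x reduces a key file to a 32-byte key and combines it with the hashed master password into the composite key that its key-transformation rounds take as input. It assumes the KeePass 2.x (KDBX) key-file rules; the sample key material is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def key_file_key(contents: bytes) -> bytes:
    """Reduce a KeePass 2.x key file to its 32-byte key component, in the
    order KeePass tries: XML key file (what the wizard's "Create" button
    writes, base64 in Key/Data), then raw 32 bytes, then 64 hex characters,
    else SHA-256 of the whole file."""
    try:
        root = ET.fromstring(contents)
        data = root.findtext("Key/Data") if root.tag == "KeyFile" else None
        if data is not None:
            return base64.b64decode(data.strip())
    except ET.ParseError:
        pass  # not XML: fall through to the raw/hex/hashed cases
    if len(contents) == 32:
        return contents
    if len(contents) == 64:
        try:
            return bytes.fromhex(contents.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # 64 bytes but not hex: hash it like any other file
    return sha256(contents)

def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256(SHA-256(password) || key-file key): the composite key KeePass
    feeds into its key-transformation rounds. Every component changes the
    whole result, so a wrong password, a missing key file or one flipped
    byte in it leaves the database unreadable."""
    if password is None and key_file is None:
        raise ValueError("at least one key component is required")
    parts = b""
    if password is not None:
        parts += sha256(password.encode("utf-8"))
    if key_file is not None:
        parts += key_file_key(key_file)
    return sha256(parts)

# Constructed sample key material for the demonstration, not a real key file.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_XML_KEY_FILE = (
    b"<KeyFile><Meta><Version>1.00</Version></Meta><Key><Data>"
    + base64.b64encode(SAMPLE_RAW_KEY) + b"</Data></Key></KeyFile>"
)
```

Compare `composite_key("...", None)` with `composite_key("...", SAMPLE_XML_KEY_FILE)` to see that the two are unrelated, which is why the key file must be backed up as carefully as the master password is remembered.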

[Image: Add entry to Keepass]

Was this everything?

No, of course there are many possibilities with KeePass that weren’t covered here. I will follow up with a later post where I’ll discuss some of the available features.

This turned out to be the super difficult second post, but it got out eventually even though it went through an excessive number of revisions first. I really appreciate feedback that can help me further, whether it’s about the format, language, or something else about the post that could’ve been better, and I hope you will take the time to let me know if you see something.

