If you’re like me, you probably have dozens of accounts on various different websites. Hopefully that also means you have dozens of passwords, right? Using one password is one of the quickest ways to have your entire digital life go up in flames, because most sites will track your account by your email address (which is often used as your username, or can be used to find your username), and this can quickly become a series of cascading failures. Attackers will leapfrog from one system to another, and if they get access to your email account itself, then it’s usually game over with how most password reset forms work. For a very scary account of how bad things like this can be, check out this article here covering what happened to a Wired reporter.
But who can keep track of multiple passwords in their head in a truly secure fashion? I know I can’t. For a long time, I used a three-tier system: one quick and dirty password for sites I didn’t care about, another for sites that I used a lot, and then a few specific passwords for individual sites (like my email) that I wanted to keep ultra-secure. But as time wore on, I realized that some of the sites that I considered disposable became anything but, and human nature (read: laziness :)) meant that I wasn’t “reclassifying” them with a newer tier of password security.
When I started working at Livemocha, I was introduced to a wonderful tool called KeePass. KeePass is a simple piece of software that allows you to create an encrypted database to store your passwords in. I’d seen similar things before for PDAs, back in the PalmOS days, but KeePass is open source software (in this case, meaning free as in beer) and is supported on virtually every major operating system out there: iOS, Android, OS X, Linux, Blackberry, Windows (including Windows Phone), and a generic version for devices running J2ME. They also offer a version for Windows that is portable, so you can toss the software onto a USB flash drive along with your database and access it wherever you go.
The main downside to KeePass is that they assume that you know how to use it. There’s no introductory wizard that I’ve found, no walk through to get you familiar with the application, they just dump you in and expect you to figure out your way around. While it’s not exactly an un-intuitive UI that they use, it’s not exactly simple, and it can be overwhelming to someone trying to use it for the first time. Really, it’s much simpler than it looks, and I will hopefully be able to show you how to use its various features without fear of their learning curve.
KeePass is what I use to manage my passwords at this point. I’ve since seen other services aimed at doing the same kind of thing, such as LastPass, but one advantage that KeePass has over online services is that it’s not online unless you put it online, which means it can’t be attacked if people can’t reach your database file. If you carry it around on a USB drive (insert obligatory disclaimer about flash drive failure rates and the need to back up your data), then it’s very hard for someone to attack it when it’s unplugged from a computer. They would have to have access to a computer you plugged it into and copy it while it was inserted, and then they’d still have to deal with the formidable encryption that KeePass offers. Given that LastPass had a security breach a while back, that was a selling point for me.
I do compromise a bit myself; I use multiple computers, multiple operating systems, and multiple devices. I can’t plug in a USB drive to my phone, but I can run KeePassDroid on it. My solution was to store my KeePass database files in Dropbox. Dropbox (which I plan on covering in more detail in a future blog post) allows me to synchronize my files across all of my devices and computers, which means that I can access my KeePass database on any of them as well. I’ll be more than happy to answer any questions about how to handle that kind of setup in the comments if you want.
So, that said, how does one use KeePass? For illustration purposes, I will be using the KeePassX client for OS X in my screenshots. I also use the 1.x KeePass protocol, as it is supported better across different platforms than the newer 2.x protocol.
First, you need to create a database. When you do so, it asks you for a “master password”. Choose something secure!! If someone finds this key, they’ve got access to your entire vault. That is, needless to say, a Very Bad Thing. You can also specify a key file, which will need to be used in addition to the password. (KeePass does not allow you to use a file instead of a password, only in addition to, in case you need an extra layer of security. If you are storing the file on a network share of some kind, you could save the key file on a flash drive and/or your mobile devices to increase the difficulty someone would have in order to crack the database.)
After you repeat the master password and finish that up, it will create a basic database like so:
The first thing that you want to do is to create a set of folders (KeePass calls them groups) to organize your passwords so that you can find them quickly. But also notice that there is a search box up top as well; that’s come in very handy for me in the past, especially for the database I use at work with credentials of all the accounts we have with various vendors and such. Here’s what my personal database looks like:
Obviously your folder structure will vary. This is my personal DB, I have one that I use at work, and I also have another household DB that my wife and housemate also have access to (via Dropbox sharing). You can move entries between folders readily, so don’t sweat the structure too much, just do whatever makes sense to you, and reorganize it later if you want/need to.
Once you’ve got that sorted out, you’ll want to create a new entry to add in an account to your database. You can right click on the right entry pane, or use the keyboard shortcut (Command-Y under OS X, Control-Y under Windows). You’ll get a window with a bunch of fields to fill out. Here’s an example of one of my entries:
This is my account for the digital section of Seattle Public Library (SPL). I’ve slightly obfuscated the username, since the account uses a 4 digit PIN, and I don’t really want someone trying combinations until they get in. But you get the basic idea. The title explains what the entry is for; username/password are obvious. Not all passwords you want to store have to be for websites; I have used it to store things like server room door combinations and the like in the past. However, if it is for a website, it just makes sense to put in the URL so that you can easily open it with a click when you’re looking up the password. The comments field is very handy to store additional information, such as what answers you put in for security questions, or serial numbers for devices, whatever you fancy. I haven’t played around with the expiration feature personally, but I assume it warns you if a password is nearing expiration when you open the database.
You can also attach files to an entry. This is very handy if you want to store non-standard information securely. Once the file is attached to the entry, it is encrypted along with the rest of the database. I’ve used this in the past to attach text files with information about gift debit cards, where I needed to provide more information than KeePass natively allows for the fields, especially if the entry was the login information for the site managing the cards.
Note the quality bar. This is a very handy feature of KeePass, in that it gives you a quick and easy visual indicator of how secure your password is. Obviously, a 4 digit PIN is, well, less than secure. To choose a secure password, I highly recommend using one of two methods, depending on the site in question.
Option one: the password generator located at http://passphra.se/. This is a tool based on the principles explained in this comic. The basic gist is that the longer a password is, the more secure it is, so it’s more secure to have a password based on 4 distinct words than it is to have a shorter password mixing cases, numbers, and special characters. The comic covers the math involved for those who are curious. The upside is that not only is it easier to type and more secure, but it’s also easier to remember (particularly handy for places when you can’t paste the password in, one of my personal pet peeves…).
Option two: the password generator included in KeePass itself. Just click on the “Gen” button and adjust the properties of the password you want to generate to the policies of the site in question. (For example, Blizzard Entertainment’s Battle.Net system has a maximum character limit of 15, which is somewhat surprising. Others will allow or disallow special characters, etc.) There are a lot of options to tune in this generator, but I can guarantee you’re not likely to remember this kind of password– but that’s what you have KeePass for, isn’t it? To see the password generated, you need to click on the eyeball icon to reveal it– it’s a handy security feature for preventing people from looking over your shoulder.
That’s a basic intro to password security principles in general and KeePass in specific. I’m sure that you all will have questions about aspects that I didn’t cover, and I’ll be more than happy to address them in the comments. Fire away!