How to set and use passwords in a safety way

Passwords are like underwear, you change them frequently. Do not share them and do not show them”

Well maybe some people like to show part of their underwear, but let’s say the previous statement suits most people. 😉

Nowadays we have to deal with hundreds of places where we have security access through a username and password. To use a different username and password is a suggestion that we have surely heard of, and probably tried, but when we have to remember access details for services we access everyday, a lot of people end up using the same username and password. Even if we use a strong password with upper and lower cases, numbers and signs, if one of these sites has a security problem (remember the cases of YahooLinkedIn and Dropbox, …) all the accounts using the same password will be jeopardised

So, it is clear that the most secure solution would be to use different, strong passwords for our accounts. But how can we deal with all this information?

thinking

One of the solutions is provided by password managers. This tool stores all of our passwords in an encrypted database and the only thing we have to do is to remember one strong password (a master password), usually incorporated within a long sentence. Once we have entered this password, we will be granted access to all the account details.

There are two types of password managers: the ones where the database is stored on servers and the other ones where we locally store the database. It is clear that the first ones are easy to use. We only have to create the database on their cloud and access from any device we want. You might be reluctant to hold your database on their servers, and you are probably right, because some providers were hacked into in the past, for example LastPass.

So we are going to focus on the password managers group where they do not provide a centralized database feature. That does not mean we are not able to use the same database in different devices but we have to use a cloud service to provide this synchronisation.

In this article I will explain how to setup and use the KeePass, the free, open source, light-weight, easy-to-use password manager, with a lot of awards. You can use it with Windows, Mac OSX, GNU/Linux, Android, iPhone/iPad, Windows Phone, Blackberry, Chrome… You can check the ports list here. As a cloud service I will use Mega and FolderSync Lite to synchronise the database to my mobile device and Keepass2Android Password Safe to get the database on my Android.

I will take for granted that you have already installed the KeePass version for your operating system, that you have some cloud service installed and that you have already created an account. The steps are the following:

Start KeePass and create the database

Start KeePass

kp1

The first time you will need to create a database

new

The system will ask for a name and a location. Remember to store them into the folder where the cloud service has been setup.

mydb

Create the Master password and the Key file

This is the MAIN and MOST important password, and the ONLY ONE you have to REMEMBER. It is a good idea to use a sentence instead of a word, use capital letters, numbers and special characters, like the one below:

My f4th3r w@s 4 great p3r$0n. 1 admire h1m!

As you can see, I am combining capital letters, numbers and especial characters, trying not to use the same pattern (I am not replacing all the vowels for numbers in all the words). It is a complex sentence, but you only need to remember this one. I recommend you to click on the 3 dots button to avoid repeating the sentence twice and ensure the Master password typed is the one you want.

IMPORTANT: In case you forget your Master password, you will not be able to open the database.

The estimated quality will show you how secure the password you have typed in is. Try to reach the 192 bits.

createmp

Key file (optional)

In case you want to setup an additional security level, you can create a Key file. You will need both (if checked is required), a master password and a key file to unlock the database. We have to specify where we want the Key file to be stored.

mykey

And then help the system generate random bits in order to increase the entropy of the computer. Move the mouse over the field until Generated bits bar reache 256 bits. Type random keys inside the Random keyboard input field. Then click OK button.

entropy1

You can only check the “Key file” option, but I will not recommend it to you, as anyone who has your key file will be able to open the database. I suggest using Key file as an additional security level.createmp

Set database settings

Here we can set some database settings, like name, some description and additional parameters.

dbsetting

In case you are using the key file option, you can enable a change key reminder and an expiration date, to force that key to be changed. By default both settings are deactivated.

dbsetting2

Once you click on the OK button, you will have the database opened and ready to create new entries. You have 2 samples.

dbnew

Please, take into account that the database name in the main title window has an asterisk, meaning that the changes are not saved yet.

Adding a new entry

To add a new entry in the database, just click on the key button

The fill the main fields:

  • Title. Something to link with the account

  • User name. The user name of the account

  • Password: In case you want to ensure the password you are typing in, I will hardly recommend you to click on the 3 dots button

screenshot_20160501_202710

  • URL: The address of the site, in case the account is related to one website. If you write without the subdomain (www in the www.wikipedia.org for example), this entry will be able to login inside any subdomain of wikipedia.org, like en.wikipedia.org, ca.wikipedia.org.. and so on.

Since there is no need to remember the password you have created, this is a good way to start using a strong password. Create strong passwords manually is not advisable, since maybe we have some (unconscious?) pattern, so it is better to delegate this task to the software. Just click on the key button and several options will be displayed.

screenshot_20160501_202858

In case you want to personalize due to some constraints on the password, just click on the “Open Password Generator…” option

screenshot_20160501_202956

Below you can set which type of character set you want to appear on the password. For a strongest password, I suggest enabling Upper and lower-cases, Digits, Special characters. Check the “Collect additional entropy” option which will show you the Entropy collection window we have already mentioned above.

screenshot_20160501_204100

Inside the Advanced tab you can specify some additional constraints. Like excluding the look-alike characters (Capital I and lower-cases L, vowels o and number 0…). You can also exclude some characters. Please remember that these options and rules may reduce the security of generated passwords.nocaracters

The Preview tab will show you some examples of the passwords generated matching the rules specified on the fist tab.

screenshot_20160501_204152

Clicking on the OK button will generate the password matching the options and rules. It is a good idea to specify inside the Notes field the email linked to the account, just in case you need to.

screenshot_20160501_205456

Now you have a database stored in a cloud service.

Browser integration in computer

The easiest way to be used in a trusted computer is by using a browser add-on. The one I use it is PassIFox, since I am using Mozilla Firefox as a main browser, but  chromeIPass can be used in case you use Chrome browser.

passifox

Following the instructions you will find the website to install and configure the add-on.

Once connected to your database, just visit the site where you have already set up an account, and in case the user name and password are not filled in automatically, click inside the username or password field and click with the right button. The “Fill User & Pass” option will appear.

wiki

Coming soon: (How to use KeePass with Android)

2 thoughts on “How to set and use passwords in a safety way”

  1. Good day! This is my first comment here so I just wanted to give a quick shout out and say I really enjoy reading through your articles.

    Can you suggest any other blogs/websites/forums that deal with the same topics?

    Many thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.