How to set and use passwords in a safe way

“Passwords are like underwear: you change them frequently. Do not share them and do not show them.”

Well maybe some people like to show part of their underwear, but let’s say the previous statement suits most people. ;-)

Nowadays we have to deal with hundreds of places where we get access through a username and password. Using a different username and password for each one is advice we have surely heard, and probably tried, but when we have to remember access details for services we use every day, a lot of people end up using the same username and password everywhere. Even if we use a strong password with upper and lower case letters, numbers and symbols, if one of these sites has a security breach (remember the cases of Yahoo, LinkedIn and Dropbox, …) every account that shares that password is jeopardised.

So, it is clear that the most secure solution would be to use different, strong passwords for our accounts. But how can we deal with all this information?


One of the solutions is provided by password managers. This kind of tool stores all of our passwords in an encrypted database, and the only thing we have to do is remember one strong password (the master password), usually a long sentence. Once we have entered this password, we are granted access to all the account details.

There are two types of password managers: the ones where the database is stored on the provider's servers, and the ones where we store the database locally. The first kind is clearly easier to use: we only have to create the database in their cloud and access it from any device we want. You might be reluctant to keep your database on their servers, and you are probably right, because some providers have been hacked in the past, for example LastPass.

So we are going to focus on the group of password managers that do not provide a centralised database. That does not mean we cannot use the same database on different devices, but we have to use a cloud service of our own choosing to provide the synchronisation.

In this article I will explain how to set up and use KeePass, the free, open source, light-weight, easy-to-use password manager that has won a lot of awards. You can use it with Windows, Mac OSX, GNU/Linux, Android, iPhone/iPad, Windows Phone, Blackberry, Chrome… You can check the list of ports here. As a cloud service I will use Mega, FolderSync Lite to synchronise the database to my mobile device, and Keepass2Android Password Safe to open the database on my Android.

I will take for granted that you have already installed the KeePass version for your operating system, that you have some cloud service installed and that you have already created an account. The steps are the following:

Start KeePass and create the database

Start KeePass


The first time you will need to create a database


The system will ask for a name and a location. Remember to store the database inside the folder that the cloud service synchronises.


Create the Master password and the Key file

This is the MAIN and MOST important password, and the ONLY ONE you have to REMEMBER. It is a good idea to use a sentence instead of a word, use capital letters, numbers and special characters, like the one below:

My f4th3r w@s 4 great p3r$0n. 1 admire h1m!

As you can see, I am combining capital letters, numbers and special characters, trying not to use the same pattern everywhere (I am not replacing all the vowels with numbers in every word). It is a complex sentence, but it is the only one you need to remember. I recommend clicking the 3 dots button so that the password is shown in clear and you do not have to type the sentence twice; that way you can make sure the Master password you typed is the one you want.

IMPORTANT: In case you forget your Master password, you will not be able to open the database.

The estimated quality will show you how secure the password you have typed in is. Try to reach the 192 bits.


Key file (optional)

In case you want to set up an additional security level, you can create a Key file. If the option is checked, you will need both the master password and the key file to unlock the database. We have to specify where we want the Key file to be stored.


Then help the system generate random bits in order to increase the entropy available to the computer. Move the mouse over the field until the Generated bits bar reaches 256 bits, and type random keys inside the Random keyboard input field. Then click the OK button.


You can check only the “Key file” option, without a master password, but I do not recommend it, as anyone who gets hold of your key file will be able to open the database. I suggest using the Key file as an additional security level on top of the master password.
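To make the "both are required" idea concrete, here is an added illustration (not KeePass's own code or its exact KDBX file format, which the page does not describe): each component is hashed, the hashes are combined into one composite key, and that key is run through a slow key-derivation function before anything can be unlocked. The passphrase is the one from the article; the key file bytes, salt and scrypt parameters are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample inputs for this example.
MASTER_PASSPHRASE = "My f4th3r w@s 4 great p3r$0n. 1 admire h1m!"
KEY_FILE_BYTES = bytes(range(32))   # stand-in for a randomly generated key file
SALT = b"\x00" * 16                 # a real database stores a random per-database salt


def composite_key(passphrase=None, key_file=None):
    """Combine whichever components are present into one 32-byte composite key.

    Modelled on the composite-key idea (hash each component, then hash the
    concatenation). With both components present, neither one alone yields
    the same key, which is the point of 'password AND key file'.
    """
    if passphrase is None and key_file is None:
        raise ValueError("at least one key component is required")
    parts = b""
    if passphrase is not None:
        parts += hashlib.sha256(passphrase.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()


def derive_db_key(composite, salt, n=2 ** 14, r=8, p=1):
    """Memory-hard key derivation (scrypt from the standard library), so that
    every guess of the master passphrase costs an attacker real work."""
    return hashlib.scrypt(composite, salt=salt, n=n, r=r, p=p, dklen=32)


def make_verifier(composite, salt):
    """Key check value kept beside the database: a hash of the derived key,
    never the derived key itself and never the passphrase."""
    return hashlib.sha256(derive_db_key(composite, salt)).digest()


def unlock_succeeds(verifier, salt, passphrase=None, key_file=None):
    """Re-derive the key from the supplied components and compare it to the
    stored verifier in constant time."""
    candidate = hashlib.sha256(
        derive_db_key(composite_key(passphrase, key_file), salt)
    ).digest()
    return secrets.compare_digest(candidate, verifier)


if __name__ == "__main__":
    verifier = make_verifier(composite_key(MASTER_PASSPHRASE, KEY_FILE_BYTES), SALT)
    print("password + key file:", unlock_succeeds(verifier, SALT, MASTER_PASSPHRASE, KEY_FILE_BYTES))
    print("password only      :", unlock_succeeds(verifier, SALT, MASTER_PASSPHRASE))
    print("key file only      :", unlock_succeeds(verifier, SALT, key_file=KEY_FILE_BYTES))
```

A real password manager uses the derived key to decrypt and integrity-check the database rather than storing a verifier, but the dependency is the same: lose either component and the key, and therefore the data, is unrecoverable, which is exactly the warning the article gives about forgetting the master password.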

Set database settings

Here we can set some database settings, such as the name, a description and additional parameters.


In case you are using the key file option, you can enable a key change reminder and an expiration date, to force the key to be changed periodically. By default both settings are deactivated.


Once you click the OK button, the database is open and ready for new entries. It comes with 2 sample entries.


Please note that the database name in the main window title has an asterisk, meaning that the changes have not been saved yet.

Adding a new entry

To add a new entry to the database, just click on the key button.

Then fill in the main fields:

  • Title: something that links the entry to the account.

  • User name: the user name of the account.

  • Password: if you want to be sure of the password you are typing in, I strongly recommend clicking the 3 dots button to show it in clear.


  • URL: the address of the site, in case the account belongs to a website. If you write it without the subdomain (www in www.wikipedia.org, for example), this entry will be able to log in on any subdomain of wikipedia.org, such as en.wikipedia.org, ca.wikipedia.org and so on.
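The subdomain rule above is worth getting right, because an autofill matcher that is too loose will offer your credentials to a look-alike host. The following added example (not KeePass's or any browser add-on's actual matching code) implements the behaviour the article describes, an entry without a subdomain matching every subdomain, and adds two checks that are my own assumptions rather than anything the page states: a match must end on a label boundary, and an entry stored with https:// is not filled on a plain http:// page. The visited URLs are constructed for the test.

```python
from urllib.parse import urlsplit


def split_url(url):
    """Return (scheme, host) in lower case; scheme is '' when the stored entry
    omits it, as in the 'wikipedia.org' example above."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        scheme, rest = "", url
    host = urlsplit("//" + rest).hostname or ""
    return scheme.lower(), host.lower()


def entry_matches(entry_url, visited_url):
    """Decide whether a stored entry should be offered on the visited page.

    - 'wikipedia.org' matches wikipedia.org and any *.wikipedia.org
    - 'www.wikipedia.org' matches only that exact host
    - the suffix check requires a '.' boundary, so 'evilwikipedia.org' and
      'wikipedia.org.example.net' never match (assumed hardening)
    - an https:// entry is not filled on an http:// page (assumed hardening)
    """
    entry_scheme, entry_host = split_url(entry_url)
    visited_scheme, visited_host = split_url(visited_url)
    if not entry_host or not visited_host:
        return False
    if entry_scheme == "https" and visited_scheme != "https":
        return False
    return visited_host == entry_host or visited_host.endswith("." + entry_host)


if __name__ == "__main__":
    for entry, page in [
        ("wikipedia.org", "https://en.wikipedia.org/wiki/Main_Page"),
        ("www.wikipedia.org", "https://en.wikipedia.org/"),
        ("wikipedia.org", "https://wikipedia.org.example.net/login"),
        ("https://wikipedia.org", "http://en.wikipedia.org/"),
    ]:
        print(f"{entry!r:28} on {page!r:45} -> {entry_matches(entry, page)}")
```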

Since there is no need to remember the password you create, this is a good opportunity to start using strong passwords. Creating strong passwords by hand is not advisable, since we may follow some (unconscious?) pattern, so it is better to delegate this task to the software. Just click on the key button and several options will be displayed.


In case you need to customise the password because the site imposes constraints, just click on the “Open Password Generator…” option.


Below you can choose which character sets may appear in the password. For the strongest password, I suggest enabling Upper-case, Lower-case, Digits and Special characters. Check the “Collect additional entropy” option, which will show you the Entropy collection window we already mentioned above.


Inside the Advanced tab you can specify some additional constraints, like excluding look-alike characters (capital I and lower-case l, the letter O and the number 0…). You can also exclude specific characters. Please remember that these options and rules reduce the number of possible passwords, and therefore the security of the generated passwords.

The Preview tab will show you some sample passwords generated according to the rules specified on the first tab.


Clicking the OK button will generate a password matching the options and rules. It is a good idea to write the email address linked to the account in the Notes field, in case you need it later.
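As an added example of what the generator options above actually buy you (this is my own code, not KeePass's generator), the block below builds an alphabet from the selected character sets, optionally drops look-alike and excluded characters, draws each character uniformly with the `secrets` module, and reports the resulting entropy as length × log2(alphabet size). That formula is the theoretical figure for a uniformly random string; KeePass's quality estimator for a human-written sentence like the master passphrase uses its own heuristics, so the numbers are not directly comparable. The 20-character default length and the look-alike list are assumptions.

```python
import math
import secrets
import string

# Character sets corresponding to the generator check boxes.
CHAR_SETS = {
    "upper": string.ascii_uppercase,      # 26
    "lower": string.ascii_lowercase,      # 26
    "digits": string.digits,              # 10
    "special": string.punctuation,        # 32
}
# Assumed look-alike list: characters easily confused when read or retyped.
LOOK_ALIKES = "Il1O0|"


def build_alphabet(sets=("upper", "lower", "digits", "special"),
                   exclude_look_alikes=False, exclude=""):
    """Assemble the pool of allowed characters from the chosen options.
    Every exclusion shrinks the pool, which is why the article warns that
    these rules reduce the strength of generated passwords."""
    alphabet = "".join(CHAR_SETS[name] for name in sets)
    if exclude_look_alikes:
        alphabet = "".join(c for c in alphabet if c not in LOOK_ALIKES)
    alphabet = "".join(c for c in alphabet if c not in exclude)
    if not alphabet:
        raise ValueError("no characters left to choose from")
    return alphabet


def entropy_bits(alphabet_size, length):
    """Entropy of a password whose characters are drawn uniformly and
    independently from a pool of alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def required_length(alphabet_size, target_bits):
    """Shortest length that reaches target_bits with the given pool size."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length=20, **options):
    """Draw each character with a CSPRNG; never use random.choice for this."""
    alphabet = build_alphabet(**options)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for opts in ({}, {"exclude_look_alikes": True}, {"sets": ("lower", "digits")}):
        pool = build_alphabet(**opts)
        print(f"{opts!s:40} pool={len(pool):3}  20 chars = "
              f"{entropy_bits(len(pool), 20):6.1f} bits  "
              f"192 bits needs {required_length(len(pool), 192)} chars  "
              f"sample: {generate_password(20, **opts)}")
```

Because every character is drawn independently, a generated password is not guaranteed to contain at least one symbol from each enabled set; that keeps the entropy arithmetic exact, and in practice a 20-character draw from a 94-symbol pool almost always contains all four kinds anyway.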


Now you have a database that is stored in your cloud service and synchronised from there.

Browser integration in computer

The easiest way to use the database on a trusted computer is through a browser add-on. The one I use is PassIFox, since Mozilla Firefox is my main browser, but chromeIPass can be used if you use the Chrome browser.


On the add-on's website you will find the instructions to install and configure it.

Once the add-on is connected to your database, just visit a site where you have already set up an account. If the user name and password are not filled in automatically, click inside the username or password field and right-click; the “Fill User & Pass” option will appear.


Coming soon: (How to use KeePass with Android)

Why bad science persists. Incentive malus

Poor scientific methods may be hereditary

In 1962 Jacob Cohen, a psychologist at New York University, reported an alarming finding. He had analysed 70 articles published in the Journal of Abnormal and Social Psychology and calculated their statistical “power” (a mathematical estimate of the probability that an experiment would detect a real effect). He reckoned most of the studies he looked at would actually have detected the effects their authors were looking for only about 20% of the time—yet, in fact, nearly all reported significant results. Scientists, Cohen surmised, were not reporting their unsuccessful research. No surprise there, perhaps. But his finding also suggested some of the papers were actually reporting false positives, in other words noise that looked like data. He urged researchers to boost the power of their studies by increasing the number of subjects in their experiments.

Wind the clock forward half a century and little has changed. In a new paper, this time published in Royal Society Open Science, two researchers, Paul Smaldino of the University of California, Merced, and Richard McElreath at the Max Planck Institute for Evolutionary Anthropology, in Leipzig, show that published studies in psychology, neuroscience and medicine are little more powerful than in Cohen’s day.

They also offer an explanation of why scientists continue to publish such poor studies. Not only are dodgy methods that seem to produce results perpetuated because those who publish prodigiously prosper—something that might easily have been predicted. But worryingly, the process of replication, by which published results are tested anew, is incapable of correcting the situation no matter how rigorously it is pursued.

The preservation of favoured places

First, Dr Smaldino and Dr McElreath calculated that the average power of papers culled from 44 reviews published between 1960 and 2011 was about 24%. This is barely higher than Cohen reported, despite repeated calls in the scientific literature for researchers to do better. The pair then decided to apply the methods of science to the question of why this was the case, by modelling the way scientific institutions and practices reproduce and spread, to see if they could nail down what is going on.

They focused in particular on incentives within science that might lead even honest researchers to produce poor work unintentionally. To this end, they built an evolutionary computer model in which 100 laboratories competed for “pay-offs” representing prestige or funding that result from publications. They used the volume of publications to calculate these pay-offs because the length of a researcher’s CV is a known proxy of professional success. Labs that garnered more pay-offs were more likely to pass on their methods to other, newer labs (their “progeny”).

Some labs were better able to spot new results (and thus garner pay-offs) than others. Yet these labs also tended to produce more false positives—their methods were good at detecting signals in noisy data but also, as Cohen suggested, often mistook noise for a signal. More thorough labs took time to rule these false positives out, but that slowed down the rate at which they could test new hypotheses. This, in turn, meant they published fewer papers.

In each cycle of “reproduction”, all the laboratories in the model performed and published their experiments. Then one—the oldest of a randomly selected subset—“died” and was removed from the model. Next, the lab with the highest pay-off score from another randomly selected group was allowed to reproduce, creating a new lab with a similar aptitude for creating real or bogus science.

Sharp-eyed readers will notice that this process is similar to that of natural selection, as described by Charles Darwin, in “The Origin of Species”. And lo! (and unsurprisingly), when Dr Smaldino and Dr McElreath ran their simulation, they found that labs which expended the least effort to eliminate junk science prospered and spread their methods throughout the virtual scientific community.

Their next result, however, was surprising. Though more often honoured in the breach than in the execution, the process of replicating the work of people in other labs is supposed to be one of the things that keeps science on the straight and narrow. But the two researchers’ model suggests it may not do so, even in principle.

Replication has recently become all the rage in psychology. In 2015, for example, over 200 researchers in the field repeated 100 published studies to see if the results of these could be reproduced (only 36% could). Dr Smaldino and Dr McElreath therefore modified their model to simulate the effects of replication, by randomly selecting experiments from the “published” literature to be repeated.

A successful replication would boost the reputation of the lab that published the original result. Failure to replicate would result in a penalty. Worryingly, poor methods still won—albeit more slowly. This was true in even the most punitive version of the model, in which labs received a penalty 100 times the value of the original “pay-off” for a result that failed to replicate, and replication rates were high (half of all results were subject to replication efforts).

The researchers’ conclusion is therefore that when the ability to publish copiously in journals determines a lab’s success, then “top-performing laboratories will always be those who are able to cut corners”—and that is regardless of the supposedly corrective process of replication.

Ultimately, therefore, the way to end the proliferation of bad science is not to nag people to behave better, or even to encourage replication, but for universities and funding agencies to stop rewarding researchers who publish copiously over those who publish fewer, but perhaps higher-quality papers. This, Dr Smaldino concedes, is easier said than done. Yet his model amply demonstrates the consequences for science of not doing so.