“Passwords are like underwear, you change them frequently. Do not share them and do not show them”
Well maybe some people like to show part of their underwear, but let’s say the previous statement suits most people. 😉
Nowadays we have to deal with hundreds of places where we have security access through a username and password. To use a different username and password is a suggestion that we have surely heard of, and probably tried, but when we have to remember access details for services we access everyday, a lot of people end up using the same username and password. Even if we use a strong password with upper and lower cases, numbers and signs, if one of these sites has a security problem (remember the cases of Yahoo, LinkedIn and Dropbox, …) all the accounts using the same password will be jeopardised
So, it is clear that the most secure solution would be to use different, strong passwords for our accounts. But how can we deal with all this information?
One of the solutions is provided by password managers. This tool stores all of our passwords in an encrypted database and the only thing we have to do is to remember one strong password (a master password), usually incorporated within a long sentence. Once we have entered this password, we will be granted access to all the account details.
There are two types of password managers: the ones where the database is stored on servers and the other ones where we locally store the database. It is clear that the first ones are easy to use. We only have to create the database on their cloud and access from any device we want. You might be reluctant to hold your database on their servers, and you are probably right, because some providers were hacked into in the past, for example LastPass.
So we are going to focus on the password managers group where they do not provide a centralized database feature. That does not mean we are not able to use the same database in different devices but we have to use a cloud service to provide this synchronisation.
In this article I will explain how to setup and use the KeePass, the free, open source, light-weight, easy-to-use password manager, with a lot of awards. You can use it with Windows, Mac OSX, GNU/Linux, Android, iPhone/iPad, Windows Phone, Blackberry, Chrome… You can check the ports list here. As a cloud service I will use Mega and FolderSync Lite to synchronise the database to my mobile device and Keepass2Android Password Safe to get the database on my Android.
I will take for granted that you have already installed the KeePass version for your operating system, that you have some cloud service installed and that you have already created an account. The steps are the following:
Start KeePass and create the database
Start KeePass
The first time you will need to create a database
The system will ask for a name and a location. Remember to store them into the folder where the cloud service has been setup.
Create the Master password and the Key file
This is the MAIN and MOST important password, and the ONLY ONE you have to REMEMBER. It is a good idea to use a sentence instead of a word, use capital letters, numbers and special characters, like the one below:
My f4th3r w@s 4 great p3r$0n. 1 admire h1m!
As you can see, I am combining capital letters, numbers and especial characters, trying not to use the same pattern (I am not replacing all the vowels for numbers in all the words). It is a complex sentence, but you only need to remember this one. I recommend you to click on the 3 dots button to avoid repeating the sentence twice and ensure the Master password typed is the one you want.
IMPORTANT: In case you forget your Master password, you will not be able to open the database.
The estimated quality will show you how secure the password you have typed in is. Try to reach the 192 bits.
Key file (optional)
In case you want to setup an additional security level, you can create a Key file. You will need both (if checked is required), a master password and a key file to unlock the database. We have to specify where we want the Key file to be stored.
And then help the system generate random bits in order to increase the entropy of the computer. Move the mouse over the field until Generated bits bar reache 256 bits. Type random keys inside the Random keyboard input field. Then click OK button.
You can only check the “Key file” option, but I will not recommend it to you, as anyone who has your key file will be able to open the database. I suggest using Key file as an additional security level.
Set database settings
Here we can set some database settings, like name, some description and additional parameters.
In case you are using the key file option, you can enable a change key reminder and an expiration date, to force that key to be changed. By default both settings are deactivated.
Once you click on the OK button, you will have the database opened and ready to create new entries. You have 2 samples.
Please, take into account that the database name in the main title window has an asterisk, meaning that the changes are not saved yet.
Adding a new entry
To add a new entry in the database, just click on the key button
The fill the main fields:
-
URL: The address of the site, in case the account is related to one website. If you write without the subdomain (www in the www.wikipedia.org for example), this entry will be able to login inside any subdomain of wikipedia.org, like en.wikipedia.org, ca.wikipedia.org.. and so on.
Since there is no need to remember the password you have created, this is a good way to start using a strong password. Create strong passwords manually is not advisable, since maybe we have some (unconscious?) pattern, so it is better to delegate this task to the software. Just click on the key button and several options will be displayed.
In case you want to personalize due to some constraints on the password, just click on the “Open Password Generator…” option
Below you can set which type of character set you want to appear on the password. For a strongest password, I suggest enabling Upper and lower-cases, Digits, Special characters. Check the “Collect additional entropy” option which will show you the Entropy collection window we have already mentioned above.
Inside the Advanced tab you can specify some additional constraints. Like excluding the look-alike characters (Capital I and lower-cases L, vowels o and number 0…). You can also exclude some characters. Please remember that these options and rules may reduce the security of generated passwords.
The Preview tab will show you some examples of the passwords generated matching the rules specified on the fist tab.
Clicking on the OK button will generate the password matching the options and rules. It is a good idea to specify inside the Notes field the email linked to the account, just in case you need to.
Now you have a database stored in a cloud service.
Browser integration in computer
The easiest way to be used in a trusted computer is by using a browser add-on. The one I use it is PassIFox, since I am using Mozilla Firefox as a main browser, but chromeIPass can be used in case you use Chrome browser.
Following the instructions you will find the website to install and configure the add-on.
Once connected to your database, just visit the site where you have already set up an account, and in case the user name and password are not filled in automatically, click inside the username or password field and click with the right button. The “Fill User & Pass” option will appear.
Coming soon: (How to use KeePass with Android)