Wednesday, July 22, 2009

KeePass 101

This is a posting I’ve been wanting to do for quite a while and just haven’t found the time. Well, now I’ve found the time.

I’ve posted in the past about my love for KeePass, which is a fantastic tool for managing passwords. The most secure thing you can do when it comes to creating accounts on sites (besides just not creating an account) is to have a unique password for each site. This becomes rather problematic, as trying to remember them all is impossible.

Now a bigger concern is the security questions that sites ask you as a backup for your password. Forget your password? Not a problem – just answer these general knowledge questions about yourself and we’ll give you a new password. What drives me crazy is most questions they ask are ones that nearly anyone would know, meaning nearly anyone could access my account if I answered those questions honestly. The end result of “security questions” is decreased security, as was demonstrated recently in the hacking of a Twitter administrator’s account.

In an effort to aid people looking for a good solution to this problem, below is a walkthrough on how to set up KeePass and create an account with it. What I love about KeePass is that it does not need to be installed on the local system; you can just place the files in a folder and run it out of the folder. You can then put the folder on a flash drive to make it portable, or synchronize the folder with Mesh for safekeeping.

(BTW – you can download KeePass here. I’m demoing version 2)

Step 1: Create a database

When you first launch KeePass you’ll be presented with the following screen:

image

The button you want is the one on the far left (the one that looks like a piece of paper with a sunburst on it). That will allow you to create a new database. The database will store all your usernames, passwords, URLs and other notes.

After clicking on “New…”, you’ll be presented with a traditional “Save As” dialog asking you where you wish to save the database. For ease of use I place my database in the same folder as KeePass. Choose whatever name you wish here.

image

Step 2: Encrypt the database

After choosing the name of your database, you’ll then be asked to secure the database. You’ll have the option to provide a password, create a key file, or tie it to your Windows user account. The last option is a tad problematic as it makes the database non-portable, so I choose the first two options.

image

The key here is the password. You need to ensure it’s going to be something very secure: a sentence with punctuation, realistically at least 20 characters. It can be something about yourself, but it would need to be something that absolutely nobody else knows. When you create the key file, you’ll be asked for the location first (just another “Save As” dialog).

image

After choosing the file you’ll be asked to generate entropy, which for the most part is a fancy way of saying “we need something random we can use for encryption purposes”. Just move your mouse around the little box on the left until the bar below it fills up.

image

Step 3: Configure the database

After creating the entropy and clicking on OK on that screen and the Create Composite Master Key screen, you’ll be asked to configure the database. There are a couple of tabs of note here. First is the General tab, where you can set your default username. Most sites now just use your email address as your account name, so you can specify that there.

image

Next is the Security tab, which asks how much work KeePass should do to derive the encryption key from your master key (the key transformation rounds). More rounds make the database slower to open, but equally slower for anyone trying to guess the master password offline. If you click on the “1 second” link it will set the rounds so that loading and saving the database takes about one second, which is generally pretty good.

image
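What the “1 second” link is tuning, as an added example that is not KeePass’s own code: a password and a key file are each hashed and combined into one composite key (modelled on how a composite master key is built from separately hashed parts), then stretched with a work factor calibrated on your own machine. PBKDF2-HMAC-SHA256, the header layout and the sample values are stand-ins assumed for the example.

```python
import hashlib
import hmac
import os
import time

def composite_key(password, keyfile_bytes=None):
    """Hash each component on its own, then hash the concatenation.  An
    attacker who learns only the password still lacks the key-file half."""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if keyfile_bytes is not None:
        parts.append(hashlib.sha256(keyfile_bytes).digest())
    return hashlib.sha256(b"".join(parts)).digest()

def transform_key(composite, salt, rounds):
    """Stretch the composite key; `rounds` is the tunable cost.  PBKDF2-HMAC-
    SHA256 stands in here for KeePass's own key transformation."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, 32)

def calibrate_rounds(target_seconds=1.0, probe_rounds=20000):
    """Time a probe on this machine and scale to ~target_seconds per
    derivation: one second for you, one second per guess for anyone
    brute-forcing the database file offline."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    transform_key(b"\x00" * 32, salt, probe_rounds)
    elapsed = max(time.perf_counter() - t0, 1e-6)
    return max(probe_rounds, int(probe_rounds * target_seconds / elapsed))

def seal(password, keyfile_bytes, rounds):
    """What gets stored beside the encrypted data (constructed layout):
    the salt, the round count and a check value derived from the key."""
    salt = os.urandom(16)
    key = transform_key(composite_key(password, keyfile_bytes), salt, rounds)
    return {"salt": salt, "rounds": rounds,
            "check": hashlib.sha256(key).digest()}

def unseal(header, password, keyfile_bytes):
    """Re-derive the key from the supplied password and key file; return it
    or None.  Both halves must match, and the compare is constant-time."""
    key = transform_key(composite_key(password, keyfile_bytes),
                        header["salt"], header["rounds"])
    if hmac.compare_digest(hashlib.sha256(key).digest(), header["check"]):
        return key
    return None
```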

Last but not least is which fields you want protected. The whole file is encrypted on disk regardless; this tab controls which fields also stay encrypted in memory while the database is open. What I like to do is protect the notes as well, as I store my “security question” and answer in that field so I can give random answers.

image

Step 4: Create a new account

Congratulations. You’ve now created a database and you’re all set to go. To create a new account, simply click on the little key with the green arrow on it.

image

You’ll then be asked for information about the account. Put the username you’re going to use in the first field, and then any notes (such as that security question and answer) down below.

image

The ellipsis icon next to the password simply toggles whether the password is hidden on this screen. The little key icons let you generate a new random password, which is by far my favorite feature of KeePass. Simply click on that and choose “Open Password Generator” and you’ll be presented with the following screen:

image

From here you can choose the password length and what characters you want to include. You should choose any special characters the site will let you, as well as the maximum length. What is annoying is that many sites won’t tell you up front the restrictions they place on passwords (something that drives me crazy), but when they do, take advantage of it. For instance, here’s the account creation screen from Yahoo:

image

You’ll notice that I can use up to 32 characters and no spaces. So I’d want to type 32 into the size, and choose Minus and Underline as well as Special. Then simply click on OK on the first screen and then OK on the second. This will bring you back to the main screen (mine is pictured below, slightly “fuzzed out”).

image (KeePass main screen)
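The generator settings above (32 characters, Minus, Underline and Special, no spaces) as an added example in Python, not KeePass’s own generator: it draws from a CSPRNG, guarantees every chosen class appears, rejects anything the site forbids, and can audit a password against the same policy. The character classes are constructed to approximate the dialog’s checkboxes; KeePass’s exact “Special” set may differ.

```python
import math
import secrets
import string

# Character classes approximating the generator's checkboxes (constructed
# for this example; KeePass's exact "Special" set may differ slightly).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "minus": "-",
    "underline": "_",
    "special": "!\"#$%&'*+,./:;=?@\\^`|~",
}

def alphabet_for(classes, forbidden=""):
    """Union of the chosen classes minus anything the site forbids."""
    return "".join(sorted({c for n in classes for c in CLASSES[n]
                           if c not in forbidden}))

def generate_password(length, classes, forbidden=""):
    """Exactly `length` characters from the chosen classes, with at least
    one character from every class and none from `forbidden`."""
    pools = [[c for c in CLASSES[n] if c not in forbidden] for n in classes]
    if any(not p for p in pools):
        raise ValueError("a chosen class has no characters the site allows")
    if length < len(pools):
        raise ValueError("length too short to cover every class")
    alphabet = alphabet_for(classes, forbidden)
    chars = [secrets.choice(p) for p in pools]        # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    for i in range(len(chars) - 1, 0, -1):            # CSPRNG shuffle
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def check_policy(password, length, classes, forbidden=""):
    """True if `password` satisfies the same policy; handy for auditing."""
    allowed = set(alphabet_for(classes, forbidden))
    return (len(password) == length and set(password) <= allowed
            and all(any(c in CLASSES[n] for c in password) for n in classes))

def entropy_bits(length, classes, forbidden=""):
    """Worst-case guessing work for a random pick: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet_for(classes, forbidden)))

# Yahoo's rules from the walkthrough: up to 32 characters, no spaces.
YAHOO = dict(length=32, forbidden=" ",
             classes=("upper", "lower", "digits", "minus", "underline", "special"))
```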

To put your new password into Yahoo, simply click on the entry and hit Ctrl-C (the copy command). What’s nice is it will put the password into your clipboard for 10 seconds, which is long enough to paste it twice into the password and confirm boxes on the account creation page.

Congratulations – you’ve now set up KeePass and created your first account.

Step 5: Use KeePass

To use KeePass going forward on a day-to-day basis, there are just a couple of things to keep in mind. When you open KeePass you’ll be prompted for your password and key file. Simply type your password and choose your key file on this screen.

image

To use your passwords, you can simply click on the entry in the screen and hit Ctrl-C to copy it. Another great trick (KeePass calls it Auto-Type) is to bring up the screen you need to enter your username and password in, click in the username field, and then bring up KeePass. Press Ctrl-V, which will switch back to the window you were last on, type in your username, Tab, then your password, and then hit Enter for you. Pretty slick.

Making the move to KeePass will take a little getting used to, but once you do you’ll be more secure online, and very pleased with your decision.
