April 29, 2012

Keeping track of passwords: KeePass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Most people who use passwords do not use them correctly.  This is because the way passwords are supposed to work has very little in common with the human mind.  The best passwords are long and random and contain symbols and other things that are just dumb to remember!  Even worse, so many different locations demand their own logins, which under best practices means you need a new password for each.  That quickly turns into worst practice as users get fed up with making and memorizing new passwords and simply re-use an old one.

It's a good thing this is a solved problem!  There are tons of programs that will remember your name/password combos for you, of varying complexity and completeness.  After digging around for a day or two, I found one I really really like: KeePass.  KeePass is open source under GPL v2, meaning it's both kinds of open.  It uses an encrypted datastore so that, without a master password, other people can't get into it.  And most importantly, it's got enough base features to be really easy to use, even when I'm doing complicated things!

Since I like it so much, I figured I'd write a quick guide for how to use it effectively.  It does automate a whole bunch of stuff, but takes a touch of work to get it into the right place.  Also, there are a few tips and tricks I learned to make the whole process more enjoyable.  Install it, and I'll go from there!


Using KeePass For The First Time

Alright, KeePass uses an encrypted file store, so the first time you use it you'll need to make a new one.  Go to File->New, and specify a master password.  You'll need this password every time you want to open the file store.  Note how KeePass tells you how strong your password is (pick one that's better than 40 bits).  You should also pick a keyfile, turning it into a something-you-have plus something-you-know situation.  Check the checkbox and pick an existing file or make a new one.  Just make sure it's at least a kilobyte in length and that it won't change after you start using it!  I snagged some output from /dev/urandom and made it my keyfile (I protect it in other ways).
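Here is a small added example (my own code, not from the original post or from the KeePass project) that does the keyfile step in a script: it writes at least a kilobyte of random bytes from the OS generator, makes the file read-only so it can't quietly change later, and records a SHA-256 fingerprint you can re-check before trusting a copied keyfile.  It assumes only that KeePass hashes whatever file you point it at, so any change to the bytes would mean a different key.

```python
"""Make and verify a KeePass-style keyfile.

Added example, not code from the original post or from the KeePass project.
It assumes only that KeePass hashes the keyfile's contents, so the file must
never change once the database has been created with it.
"""
import hashlib
import os
import secrets
import stat
import tempfile

MIN_KEYFILE_BYTES = 1024  # the post's rule of thumb: at least a kilobyte


def make_keyfile(path, size=4096):
    """Write `size` bytes from the OS CSPRNG to `path` and make it read-only.

    Refuses to overwrite an existing file, because replacing a keyfile that a
    database already depends on would lock you out of that database.
    """
    if size < MIN_KEYFILE_BYTES:
        raise ValueError("keyfile should be at least %d bytes" % MIN_KEYFILE_BYTES)
    # O_EXCL: fail with FileExistsError instead of clobbering an existing keyfile.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(size))
    # Read-only for the owner; no access at all for group/others.
    os.chmod(path, stat.S_IRUSR)
    return path


def keyfile_fingerprint(path):
    """SHA-256 of the file contents as hex. Record this somewhere safe."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_keyfile(path, expected_fingerprint=None):
    """True if the keyfile is big enough and, if a fingerprint is given,
    still matches the one recorded when the database was created."""
    if os.path.getsize(path) < MIN_KEYFILE_BYTES:
        return False
    if expected_fingerprint is not None:
        return keyfile_fingerprint(path) == expected_fingerprint
    return True


def make_temp_keyfile(size=4096):
    """Create a keyfile in a fresh temporary directory and return its path
    (for trying the functions above without touching real files)."""
    return make_keyfile(os.path.join(tempfile.mkdtemp(), "example.key"), size)


if __name__ == "__main__":
    kf = make_temp_keyfile()
    fp = keyfile_fingerprint(kf)
    print("keyfile:", kf)
    print("sha256:", fp)
    print("ok:", check_keyfile(kf, fp))
```

Keep the fingerprint with your backups rather than next to the keyfile; the point is to notice a silently altered or truncated copy before you overwrite the only good one.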

Once you do this, the keystore will be made.  On the left you can see the organizational structure for a new store, and you should just delete all those entries (take a moment to familiarize yourself with the icons at the top).  You can organize your keys in whatever fashion you like.  The left-hand panel uses a folder-like hierarchy, and it goes Group->[Sub_Group->][..]Keys.  So, a key has to have a top-level folder, but depth and breadth are to your personal taste.  If you prefer tagging instead, you can add your tags in the notes and search by them.  Easy!

So... you can add groups (top-level folders) and sub-groups by right-clicking in the left panel.  Make a group now.

After you do that, click on that group and then click the icon that is a key with a little green arrow.  This is how you create new keys for a group.  There's a ton of stuff in this window, but it's actually really easy to use.
  • The title is what the key is for (e.g. Netflix).
  • User Name: the login name for the account
  • Password/Repeat: holds your password, whether you type it or generate it
  • Quality: How much your password does or doesn't suck
  • URL: Where you made the account
  • Notes: Any generic junk you want.  Tagging terms can go here
I haven't used Expiration or Attachments, but I'm sure they do what you'd think.  These things are all pretty evident.  The excitement comes from clicking the icon just below the '...' button.  Since KeePass remembers your passwords for you, you should totally be using random ones, and the program automates making them!

So after you click the button for it, the Password Generator pops up.  Create a new profile and call it Convenient Random Passwords or something.  Set the length of the generated password to 20, then make sure 'Generate using character set' is checked.  Check every box EXCEPT 'Space' and 'High ANSI characters', then click Generate at the bottom.  Don't worry about how many bits it has, it has enough.  Press Accept.
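To show why "it has enough" is true, here is an added example (my own code, not the post's or KeePass's) that builds a character set like the boxes above with Space and High ANSI left out, draws 20 characters from it with the OS CSPRNG, and works out the entropy.  The exact set of symbols KeePass puts under 'Special' is an assumption here; I've used the rest of ASCII punctuation, which happens to give 94 symbols in total.

```python
"""Generate a 20-character random password and estimate its strength.

Added example, not the original post's or KeePass's own code. The character
classes approximate the Password Generator's checkboxes; the exact 'Special'
set KeePass uses is an assumption, so the count could differ slightly.
"""
import math
import secrets
import string

# Roughly the boxes the post says to tick, minus Space and High ANSI.
CHAR_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "minus": "-",
    "underline": "_",
    "special": "!\"#$%&'*+,./:;=?@\\^`|~",  # assumed approximation
    "brackets": "[]{}()<>",
}


def charset(classes=CHAR_CLASSES):
    """Union of the enabled classes, deduplicated, in a stable order."""
    seen = []
    for chars in classes.values():
        for c in chars:
            if c not in seen:
                seen.append(c)
    return "".join(seen)


def generate_password(length=20, alphabet=None):
    """Pick each character independently and uniformly with the OS CSPRNG."""
    alphabet = alphabet or charset()
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Years needed to try every password at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    n = len(charset())
    bits = entropy_bits(20, n)
    print("password:", generate_password())
    print("alphabet size:", n)
    print("entropy: %.1f bits" % bits)
    print("years to exhaust at 1e12 guesses/s: %.3g" % years_to_exhaust(bits))
```

Twenty uniform picks from 94 symbols is about 131 bits, far past the 40-bit bar the post sets for the master password; the master password and keyfile are the weak link, not the generated passwords.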

You're back on the Key Creation page, if you're following along correctly.  If you press OK here, your key is made!

I Have Keys, What Now?

If you want, add more groups/subgroups/keys.  Once you're ready to actually use a key, find it in search or the left-side menu, then right-click the key and choose Copy Password.  Ctrl+C also works.  Go paste it into the web form you're logging into.  It should let you log in, without your ever having seen your password in letters, and using a random, safe password at that!  After you paste it, KeePass will clear its clipboard buffer, meaning you won't be able to paste it twice... into a live chat, for instance.  This is most of how you'll be using KeePass.

Configuration Considerations

KeePass has a ton of settings to fool around with, but here's a quick run-down of the really important ones.  Open the options by going to Tools->Options.
  • Security
    • Lock workspace when... (2)
    • Lock workspace after...
  • Memory
    • Check Enhanced
  • Advanced
    • Start and exit (these are to taste, but I'd go insane without them)
      • Remember Last Opened File
      • Automatically Open Last Used Database On Startup
      • Automatically Save When Closing/Locking The Database
      • Limit To Single Instance

Final Tips And Tricks

The previous stuff is about using KeePass in everyday situations.  However, sometimes further considerations are warranted.

KeePass is capable of importing/exporting to a whole bunch of formats, including PasswordSafe and other KeePass databases.  It's super-easy to use both sides of these features in my experience (although it makes sure you really want to export your passwords and stuff in plain text).  You should keep a copy of your database file somewhere other than your main computer, just in case.

Since importing/exporting is so easy, I've made a habit of keeping a central password store in my safe file scheme, and then tailoring my local KeePass database to only what I need on the specific machine.  For instance, my work computer has remote server logins and logins for nearby/delivering fast food places, while my home machine has my video game logins.  Keeps things nice and tidy!

For the especially paranoid, you can configure KeePass's encryption setup by going to File->Database Settings.  There you can increase the number of times the encryption key is transformed (more rounds = a longer fixed delay when opening the database = harder brute-forcing) and change the algorithm (although it's only AES or Twofish, and AES is publicly unbroken).
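The rounds setting is worth a closer look, so here is an added example (mine, not the post's or KeePass's code) of the idea behind it.  KeePass's real transform is AES-based; this one uses iterated SHA-256, an assumption made only to keep the script self-contained, because what matters is that each round depends on the previous one, so every guess an attacker makes costs the full chain.  It also includes a calibration routine that picks a round count for a chosen delay on the current machine.

```python
"""Why more key-transformation rounds slow down brute force.

Added example, not the original post's or KeePass's code. KeePass's actual
transform is AES-based; the iterated SHA-256 here is an assumption used for
illustration, since only the cost-per-round behaviour matters.
"""
import hashlib
import time


def transform_key(master_key, seed, rounds):
    """Apply `rounds` sequential hash steps. Each step needs the previous
    result, so one guess cannot be split across cores to finish faster."""
    key = master_key
    for _ in range(rounds):
        key = hashlib.sha256(seed + key).digest()
    return key


def calibrate_rounds(target_seconds=1.0, probe_rounds=20000):
    """Time a probe run and return the round count that makes one database
    open take roughly `target_seconds` on this machine."""
    seed = b"\x00" * 32
    start = time.perf_counter()
    transform_key(b"probe", seed, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_rounds * target_seconds / elapsed))


def guesses_per_second(rounds, steps_per_second):
    """Guess rate for hardware that manages `steps_per_second` hash steps:
    every guess costs `rounds` steps, so doubling rounds halves the rate."""
    return steps_per_second / rounds


if __name__ == "__main__":
    seed = b"\x11" * 32  # constructed sample seed
    k1 = transform_key(b"hunter2", seed, 6000)
    k2 = transform_key(b"hunter2", seed, 12000)
    print("different round counts give different keys:", k1 != k2)
    print("rounds for ~1 s on this machine:", calibrate_rounds(1.0))
    # At an assumed 1e9 steps/s, 6000 vs 12000 rounds:
    print(guesses_per_second(6000, 1e9), guesses_per_second(12000, 1e9))
```

The trade-off is linear on both sides: a delay you barely notice once a day is multiplied by every candidate the attacker has to try.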

There's a whole bunch of other things to noodle around with, so don't be afraid to mess around with the settings!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQBPnfDVdzdg8zBNoIARAprOAKCNdNsP3E3Cr2WtSAMHW7yMN/4p6QCfckBH
eUwtCzB9WgBy7ATMyTpw0DU=
=2/7E
-----END PGP SIGNATURE-----
