Last year (I’m having that usual ‘new year’ thing where ‘last year’ doesn’t actually feel that long ago, sue me) I wrote a post introducing the password manager KeePass and stated it would be the first in a series. Finally, months later, I am getting around to part 2, which will explain how to get started.
I feel I should point out that effective password management comes down to you, the user. You could use the most advanced tools in the world to lock up your passwords, but unless you choose strong passwords and keep good security habits, the strongest locks will not save you. Nagging out of the way, let’s get started.
First you need to get a copy of KeePass (available free, with source, from http://keepass.info/) and install it. If you are a Linux or OS X user, fear not: although KeePass 2.x is written in .NET, it runs under Mono (instructions available here: http://keepass.info/help/v2/setup.html#mono). KeePass is also available to run from a USB drive as portable software (http://keepass.info/help/v2/setup.html#portable).
Once KeePass is installed start it up and you will be presented with an interface that looks like the following.
Now we need to create a database which is done by either hitting the button on the toolbar or going to File -> New. You will then be asked for a location and a filename for the new database.
Once you have selected the location of your database you will be asked to create a master key:
Master keys are composite, as the dialog suggests: they can be a mixture of a master password, a key file and a Windows user account. The simplest approach is to just use a password, a ‘one password to rule them all’ type approach which, while simple, leaves the security of your database entirely dependent on that one password being strong.
A key file is exactly what it sounds like: a file whose contents act as a master password. It can be a key file KeePass generates for you or any existing file on your computer, with one caveat: the file must never change, because KeePass derives the key from its contents, so editing (or even re-saving) that file locks you out of the database. A key file can hold far more randomness than a password you can memorise, but since it lives on disk rather than in your head it has to be protected, and backed up, like any other secret.
A good option is to combine a master password and a key file, since an attacker then needs both the file and the password to break into the database. That only helps if you are diligent about where the key file lives: a key file sitting next to the .kdbx file on the same disk is copied along with it, whereas one kept on a USB stick is not.
More information on keys can be found on the KeePass site and really provides an in depth explanation of the options available to you (http://keepass.info/help/base/keys.html). If you are considering using a key file but don’t have the time (or patience) to read the KeePass page on keys then at least consider the following:
Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret — selecting a file out of thousands existing on your hard disk basically doesn’t increase security at all, because it’s very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective.
Upon creating your composite key you will then be asked for the settings your database should use. They are fairly self-explanatory and allow you to set a name, a description, compression, a master key change policy and, most importantly, security options.
It is worth having a look at the ‘Key transformation’ section of the ‘Security’ tab, which sets how many rounds of key transformation are applied (in KeePass 2.x the composite key is encrypted with AES that many times before it is used to unlock the database). Every round is work an attacker must repeat for every password guess, so more rounds make dictionary and brute-force attacks against the database slower; the cost is an equal delay every time you open or save it. On my quad core AMD Athlon II X4 955 (3.20 GHz) processor a 1 second delay covers 6744064 transformations. Using the ‘1 second delay’ link provided you can decide how much of a delay you want to add, but remember the delay scales with the hardware: if you also open the database on a phone or an older laptop, calibrate for that device rather than your desktop.
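To make the master key and key transformation sections concrete, here is an added example (my illustration, not KeePass’s own code) that builds a composite key from a password and a key file the way KeePass 2.x documents it, then stretches it with a configurable number of rounds and calibrates that number against a target delay. The stretching step is a stand-in: KeePass iterates AES over the key (AES-KDF), while this script uses PBKDF2-HMAC-SHA256 from the standard library so it runs anywhere without extra packages. The key file in the demo is constructed random data, and the transform seed is generated locally (KeePass stores a random one in the database header).

```python
"""
How a KeePass-style master key is built from its components and then
stretched with many transformation rounds before it unlocks the database.

Added illustration, not KeePass source code. The composite-key assembly
follows the scheme documented for KeePass 2.x (SHA-256 over the
concatenated SHA-256 of the password and the key file's key data). The
stretching step is a stand-in: KeePass iterates AES over the key (AES-KDF);
here PBKDF2-HMAC-SHA256 from the standard library plays that role. The cost
argument is identical either way: every guess at the master password costs
the attacker the same rounds of work that opening the database costs you.
"""
import hashlib
import os
import time
from typing import Optional


def key_file_data(contents: bytes) -> bytes:
    """Reduce a key file to 32 bytes of key data.

    KeePass rule for plain (non-XML) key files: a file of exactly 32 bytes
    is used as-is, anything else is reduced to SHA-256 of its contents.
    Only the contents matter; the path the file lives at never enters the
    key, which is why hiding the file's location buys nothing.
    """
    if len(contents) == 32:
        return contents
    return hashlib.sha256(contents).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """Combine password and/or key file into the 32-byte composite key.

    Components are hashed individually, concatenated in a fixed order
    (password first, then key file) and hashed once more.
    """
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += key_file_data(keyfile)
    if not parts:
        raise ValueError("a master key needs at least one component")
    return hashlib.sha256(parts).digest()


def transform_key(composite: bytes, transform_seed: bytes, rounds: int) -> bytes:
    """Stretch the composite key with `rounds` iterations (stand-in for AES-KDF)."""
    return hashlib.pbkdf2_hmac("sha256", composite, transform_seed, rounds, 32)


def calibrate_rounds(target_seconds: float, transform_seed: bytes,
                     probe_rounds: int = 20_000) -> int:
    """Pick a round count that takes about `target_seconds` on this machine.

    Same idea as the '1 second delay' link in the database settings: time a
    probe, then scale. Run this on the slowest device that will open the
    database, not the fastest, or unlocking on a phone becomes painful.
    """
    start = time.perf_counter()
    transform_key(os.urandom(32), transform_seed, probe_rounds)
    per_round = (time.perf_counter() - start) / probe_rounds
    return max(1, int(target_seconds / per_round))


def expected_crack_seconds(password_bits: float, seconds_per_unlock: float,
                           attacker_speedup: float = 1.0) -> float:
    """Expected guessing time: half the keyspace, each guess paying the full
    transformation cost, divided by how much faster the attacker's rig is."""
    return (2 ** password_bits / 2) * seconds_per_unlock / attacker_speedup


if __name__ == "__main__":
    seed = os.urandom(32)       # stands in for the random transform seed in the .kdbx header
    keyfile = os.urandom(1024)  # constructed sample: a 1 KiB random key file

    # Flipping one bit of the key file yields an unrelated composite key,
    # which is why a key file that changes behind your back locks you out.
    k_both = composite_key("correct horse battery", keyfile)
    k_edited = composite_key("correct horse battery",
                             keyfile[:-1] + bytes([keyfile[-1] ^ 0x01]))
    print("edited key file changes composite key:", k_both != k_edited)

    rounds = calibrate_rounds(1.0, seed)
    print(f"about {rounds} rounds for a 1 second delay on this machine")
    days = expected_crack_seconds(40, 1.0, attacker_speedup=1000) / 86400
    print(f"40-bit password, 1 s per unlock, attacker 1000x faster: {days:.1f} days")
```

The calibration number this prints will not match KeePass’s own (the stand-in KDF is a different primitive), but the relationship it demonstrates holds: doubling the rounds doubles both your unlock delay and the attacker’s per-guess cost, and only a strong password or key file makes that per-guess cost add up to something meaningful.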
Once created, your database will be opened and on the left you will have a list of pre-defined ‘groups’ (folders), with a couple of sample entries on the right. Double-clicking an entry’s password field copies the password to your clipboard, as does the shortcut ‘Ctrl + C’ with the entry selected, which is handy for quickly copying the password; to copy a username use ‘Ctrl + B’. By default KeePass clears the clipboard again after 12 seconds (adjustable under Tools -> Options -> Security), so paste promptly.
Groups can be easily added, removed, edited, etc. by right clicking on them and taking action as required. You can nest groups simply by dragging and dropping and icons can be assigned/changed from the ‘Edit Group’ menu option.
You can add new entries to a group by first selecting the group and then right-clicking in the right-hand panel and selecting ‘Add Entry…’ (or by pressing ‘Ctrl + I’), which will bring up this screen:
This should be simple enough to work through, but one nifty feature I want to draw attention to is the password generator (highlighted in the images above and below).
This is one of the great features of KeePass for me: being able to randomly generate a strong password, which can not only be shaped by criteria (length, character classes, or a pattern) but also be stored straight away against the account information I wish to use it with. The generator even lets you preview a selection of passwords that the chosen settings will generate and, if that isn’t enough, you can save settings as profiles which can be easily reused. Nifty eh?
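To show what a criteria- or pattern-driven generator is doing under the hood, here is an added example (mine, not KeePass’s generator code). It implements a subset of KeePass’s pattern syntax (d digit, l lower, u upper, L letter, A alphanumeric, h/H hex, s special, S printable ASCII, {n} repeat, [..] custom set, \ escape) using Python’s `secrets` module, and reports how many bits of entropy a pattern actually yields so profiles can be compared. Letters outside that subset are treated as literals here, which differs from KeePass where several more letters are character classes, and the ‘exclude look-alike characters’ option is not reproduced.

```python
"""
A pattern-driven password generator in the spirit of KeePass's generator.

Added example, not KeePass code. Implements a subset of the KeePass pattern
syntax with a cryptographically secure RNG and computes the entropy a
pattern provides, which is the number that matters when comparing profiles.
"""
import math
import secrets
import string
from typing import List

# Character classes supported by this subset (letters not listed are literals).
CLASSES = {
    "d": string.digits,
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "L": string.ascii_letters,
    "A": string.ascii_letters + string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": string.punctuation,
    "S": string.ascii_letters + string.digits + string.punctuation,
}


def parse_pattern(pattern: str) -> List[str]:
    """Expand a pattern into one character set per output position.

    A literal (escaped or unrecognised) character becomes a one-element set
    and contributes nothing to entropy: a fixed prefix such as 'corp-' makes
    the password longer, not stronger.
    """
    sets: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):      # \x -> literal x
            sets.append(pattern[i + 1])
            i += 2
        elif ch == "[":                              # [..] -> custom set
            custom, j = "", i + 1
            while j < len(pattern) and pattern[j] != "]":
                if pattern[j] == "\\" and j + 1 < len(pattern):
                    custom += pattern[j + 1]
                    j += 2
                else:
                    custom += pattern[j]
                    j += 1
            if j >= len(pattern):
                raise ValueError("unclosed [ in pattern")
            sets.append("".join(dict.fromkeys(custom)))  # dedupe, keep order
            i = j + 1
        elif ch in CLASSES:
            sets.append(CLASSES[ch])
            i += 1
        else:                                        # anything else is literal
            sets.append(ch)
            i += 1
        if i < len(pattern) and pattern[i] == "{":   # {n}: repeat last set n times
            end = pattern.index("}", i)
            n = int(pattern[i + 1:end])
            if n < 1:
                raise ValueError("repeat count must be >= 1")
            sets.extend([sets[-1]] * (n - 1))
            i = end + 1
    return sets


def generate(pattern: str, permute: bool = False) -> str:
    """Draw one character per position with a CSPRNG.

    permute=True shuffles the result (KeePass's 'randomly permute characters
    of password' option), so 'uld{6}' still guarantees an upper, a lower and
    six digits without revealing which position holds which.
    """
    chars = [secrets.choice(s) for s in parse_pattern(pattern)]
    if permute:
        for k in range(len(chars) - 1, 0, -1):       # Fisher-Yates with secrets
            j = secrets.randbelow(k + 1)
            chars[k], chars[j] = chars[j], chars[k]
    return "".join(chars)


def entropy_bits(pattern: str) -> float:
    """log2 of how many distinct passwords the pattern can produce."""
    return sum(math.log2(len(s)) for s in parse_pattern(pattern))


if __name__ == "__main__":
    for p in ("A{12}", "S{16}", "uld{6}", "corp-d{4}", "[aeiou]{8}"):
        print(f"{p:12} {entropy_bits(p):6.1f} bits  e.g. {generate(p, permute=True)}")
```

Two things the entropy line makes visible that a preview list does not: a mandatory class rule such as ‘uld{6}’ gives fewer bits than the same length drawn from the whole set, and literal text in a pattern adds length that an attacker who knows the policy gets for free.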
The ‘Advanced’ tab of the Add Entry screen lets you add your own custom fields and file attachments, all of which are encrypted inside the database. You can quickly access custom fields from the context menu of any given entry, saving you from opening the details to get at them.
Auto-Type is something I haven’t personally used yet, but it is a very powerful feature of KeePass: you can configure it from the ‘Auto-Type’ tab, and more information on it can be found at http://keepass.info/help/base/autotype.html
Any changes made to an entry are recorded in the History tab, and you can view and restore previous versions from there, which is helpful when multiple people have access to the same database.
Hopefully this post has provided an idea of how to get started with KeePass and highlighted a few things to be thinking about when creating your databases and master keys. The next post will be looking at configuring web browsers to automatically (and securely) communicate with KeePass to provide auto-login capabilities.
If you have any questions please feel free to comment and I will do my best to answer them.