Tag Archives: Passwords

KeePass Part 2 – Your First Password Database

Posted on by | Leave a reply

KeePass

  • Part 1 – An Introduction
  • Part 2 – Your First Password Database
  • Part 3 – Browser Integration
  • Part 4 – Auto-Type
  • Part 5 – Plugins

Last year (I’m having that usual ‘new year’ thing where ‘last year’ doesn’t actually feel that long ago, sue me ;) ) I wrote a post introducing the password manager KeePass and stated it would be the first in a series. Finally, months later I am getting around to part 2 which will explain how to get started.

I feel I should point out that effective password management comes down to you, the user. You could use the most advanced tools in the world to lock up your passwords but unless you have secure passwords and good security habits, the strongest locks will not save you. Nagging out of the way, lets get started.

First you need to get a copy of KeePass (available free, with source from http://keepass.info/), and install it. If you are a Linux or OSX user, fear not as even though KeePass is written in .NET, it is compatible with Mono (instructions available here: http://keepass.info/help/v2/setup.html#mono) . KeePass is also available to run from a USB drive as portable software (http://keepass.info/help/v2/setup.html#portable)

Once KeePass is installed start it up and you will be presented with an interface that looks like the following.

keepass_basic_interface

Now we need to create a database which is done by either hitting the button on the toolbar or going to File -> New. You will then be asked for a location and a filename for the new database.

Once you have selected the location of your database you will be asked to create a master key:

keepass_master_key

Master keys are composite as the dialog suggests, they can be a mixture of a master password, a key file and a Windows user account. The simplest approach is to just use a password, a ‘one password to rule them all’ type approach which, while simple, can decrease the security of your database if this password is too easy.

A key file is exactly that, a file which acts like a master password in file form and can contain anything, they could even be existing files from your computer. Key files are a lot  more secure than a password however since they don’t live in your brain, they are harder to keep locked down or secret.

A good option is to combine a master password and a key file since it increases the work required to break into the database, especially if you are diligent.

More information on keys can be found on the KeePass site and really provides an in depth explanation of the options available to you (http://keepass.info/help/base/keys.html). If you are considering using a key file but don’t have the time (or patience) to read the KeePass page on keys then at least consider the following:

Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where youknow something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret — selecting a file out of thousands existing on your hard disk basically doesn’t increase security at all, because it’s very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective.

Upon creating your composite key you will then be asked for the settings your database should use. They are fairly self explanatory and allow you to add a name, description, compression, master key change policy and most importantly, security options.

keepass_database_settings

It is worth having a look at the ‘Key transformation’ section of the ‘Security’ tab as this relates to how many times the content of the master key is transformed (re-written to obscure the original content). The more transformations the key has to go through the harder it is for guessing attacks to run against the database however it also adds a delay to save/load operations. On my quad core AMD Athlon II X4 955 (3.20 ghz) processor a 1 second delay covers 6744064 transformations. Using the 1 second delay link provided you can decide how much of a delay you want to add.

Once created, your database will be opened and on the left you will have a list of pre-defined ‘groups’ (folders) and on the right will be a couple of sample entries. Double clicking an entry will copy the password to your clipboard as will the shortcut ‘Ctrl + C’ which is handy for quickly copying the password. To copy a username you can use the shortcut ‘Ctrl+B’.

Groups can be easily added, removed, edited, etc. by right clicking on them and taking action as required. You can nest groups simply by dragging and dropping and icons can be assigned/changed from the ‘Edit Group’ menu option.

You can add new entries to a group by first selecting the group and then right clicking in the right-hand panel selecting ‘Add Entry…’ (or by pressing ‘Ctrl + I’) which will bring up this screen: keepass_add_entry

This should be simple enough to work through but one nifty feature I want to draw attention to the is the password generator (highlighted in the images above and below).

keepass_generator

This is one of the great features of KeePass for me, being able to randomly generate a strong, secure password which can not only be adapted with criteria but also be quickly stored against the account information I wish to use it with. The generator even lets you preview a selection of passwords the settings you choose will generate and if that isn’t enough, you can save patterns as profiles which can be easily reused. Nifty eh?

The ‘Advanced’ tab of the Add Entry screen lets you add your own custom fields and file attachments which are all encrypted inside the database. You can quickly access custom fields from the context menu for any given entry to save you opening up the details to get at them.

Auto-Type is something I haven’t personally used yet but is a very powerful feature of KeePass, you can configure it from the ‘Auto-Type’ tab and more information on it can be found at http://keepass.info/help/base/autotype.html

Any changes made to an entry are shown in the History tab and you can view/restore changes from here which can be helpful when multiple people have access to the same database.

Up Next

Hopefully this post has provided an idea of how to get started with KeePass and highlighted a few things to be thinking about when creating your databases and master keys. The next post will be looking at configuring web browsers to automatically (and securely) communicate with KeePass to provide auto-login capabilities.

If you have any questions please feel free to comment and I will do my best to answer them.

KeePass Part 1 – An Introduction

Posted on by | 3 Replies

KeePass

Update (30/07/12): Troy hunt has broken down the security anti patterns used by Tesco, this is the other side of the password security issue that internet users are facing and is well worth a read - http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html

Internet Security is a growing concern in these modern times. Identity fraud and password theft are on the rise and the last 12 months has seen some of the global technology giants including Sony, LinkedIn and Yahoo hit by hackers and security breaches.

Passwords are not the best security, as we know they can be easily guessed or brute forced if they are too short but if we make them too long or too complicated they become almost impossible to remember. Some people write down their passwords next to their computer, I’ve been guilty of this; just jotting down something you tell yourself is ephemeral and is still sitting on your desk 2 years later. There are some great strides being made in developing alternatives to password-based security but we are far from solving this problem and in the mean time internet users need to take steps to protect themselves.

There are a ridiculous number of ways to generate “secure” passwords but the fundamental flaw here is that the majority of internet users suffer from password reuse (XKCD comic, reading is mandatory) and this is a very bad thing. Ideally we should be creating a new password for every site or service we create an account for but surely the management of this is going to be a nightmare? Well, maybe not. This is where password managers come in.

KeypassEnter KeyPass

The password manager space is a busy one but you don’t get far on the subject without hearing about KeePass, a plugin for KeePass or a derivative of KeePass and this is not a bad thing in my view.

From the KeePass website:

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

KeePass locks up all of your important passwords and secure information behind a customisable “Master Key” which is made from one or more of

  • Master password
  • Key file
  • User Account

This allows you to decide exactly how access to the encrypted database is managed as sometimes you may want something more secure than just a password or even to have access locked to a specific user account.

Key files are something I will speak about later in the series; however, they are essentials files containing an encryption key as used in technologies like SSL and SSH. Using a key file means you must have access to the actual file (not just a file of the same name, it must be 100% identical to the file used to encrypt) in order to open the database.

What I love about KeePass is the flexibility which again, will be covered in much more detail later in this series but essentially KeePass is a toolbox and for the most part, lets you decide how and what information you want to store alongside your passwords. As well as usernames and passwords KeePass allows you to store other information in each entry such as notes, URLs, expiry, key/value pairs, file attachments. It also has a number of built-in password generators to help you generate secure passwords of varying length and complexity.

For situations where the out-of-the-box experience is not enough (such as hooking up to browsers), there is a good collection of plugins available to fill in the gaps.

KeePass Main Dialog

Now obviously, like any security system the success or failure of KeePass depends on the user. If you don’t take precautions to keep the master key to the database out of harm’s way then obviously this is no better than just handing over a text file to a would-be computer hacker and asking them to rob you blind. Like many things on the internet, it requires thought on how best to use and implement it but when it is done right, you will reap the benefits of organised, easy to access passwords.

What about LastPass?

One of my colleagues uses LastPass and is pretty happy with it. He spends much of his working day logging in and out of web-based administration systems which is why LastPass works for him. One complaint he has though is that when you have multiple logins for the same URL, LastPass can’t cope and takes the one it has remembered over the one you actually want to use. This is not something I have found to be an issue with KeePass.

Having a look at LastPass myself I found that it seems to be focused on having passwords to hand in the browser which is great but not all of my passwords are used online. I have RDP passwords, computer game login passwords and even software serial keys which I want to keep safe, LastPass is not as well suited to these requirements.

Another factor in my choice not to use LastPass is where my passwords are stored. With KeePass I am responsible for where I put the databases and any key files I create which means I am in control of them. With cloud services like LastPass you are highly dependent on their infrastructure for both security and reliability. Now LastPass may still work without access to it’s online service but you certainly wont be adding any new passwords to all your devices if the service goes offline temporarily.

The security angle may be paranoia:

We use firewalls and best practices to protect the servers and service, but our best line of defence is simply not having access to data even if someone got in. If LastPass can’t access it, hackers can’t either. A large number of PBKDF2-SHA256 rounds are utilized to create your key, with the ability to increase the number of rounds over time to render brute forcing your master password impossible.

But I have no proof of this, i’ll bet there are thousands of people out there who trusted Sony, LinkedIn and Yahoo and look what happened there. So while one could argue that having the databases so close to me could also be considered a security risk, at least I know how well protected they are and have the ability to destroy them if I have to.

A final, small, point on LastPass is that to use it on mobile devices you have to pay. This is not the case for KeePass since Android has KeePassDroid (and various others), iOS has MiniKeePass (again, others are available), both of which are free and even Windows Phone 7 has joined the KeePass party (granted, not for free) with 7Pass. Why spend money on something that you can have, legitimately and legally, for free?

And 1Password?

This one for me really just comes down to cost. I can’t see a “killer feature” in 1Password that is worth $49.99 and can’t be fulfilled using KeePass, a plugin or a mobile app. If you feel I am wrong, please feel free to point out what you think is worth the money and I will be happy to re-evaluate. Some may call me a cheapskate but I don’t see the point in senselessly spending money on something that has a tried, tested and free alternative.

Up Next

Hopefully this has served as an introduction to KeePass and explained why such a tool may be of value. In my next post I will be demonstrating how to get started with KeePass, setting up your master key and we’ll have a look at some of the data you can store inside. Continue to Part 2