Remember when you used to have passwords Post-It noted to your monitor? Then you got all stealth and hid the sticky notes under your mouse pad? Then graduated to a notebook locked up in a drawer? And finally to a spreadsheet that has very little protection other than you have to hunt all over for it when you really need it? Yeah, been there! But that was “so 2009”. We all struggle with password management, but I found an end-all, multi-security-layered solution: KeePass Password Safe.
So here are the basic features: KeePass is FREE. It is Open Source and OSI certified. It is portable, so it can be installed on a flash drive. It uses real security, the AES, Rijndael and Twofish algorithms, to encrypt its password databases. SHA-256 is used as the password hash. It has an auto-type feature. It auto-locks after a few minutes. And it has a password generator feature! Throw this all together and it is pretty sweet!
I installed the portable version on a USB drive and I used double authentication right away. The program requires a master password (or one per database) and you can also create an encrypted file for the program to authenticate against. I keep this key file on a different USB drive. So already one must have both USB drives to use the program; a hacker would have to brute-force the password and then figure out where the key file is to make the program usable. I also saved a backup of the database and key file to a third USB drive that does not have the KeePass program on it. Layered security.
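To make the "both USB drives" point concrete, here is an added Python example (my illustration, not KeePass's own code) that models a composite master key: the hash of the master password and the hash of the key file are combined, so the right password without the key file, a wrong key file, or a wrong password all produce a different key. The SHA-256 composition is modelled on the construction KeePass documents for its composite key, but the database format and the key-transformation rounds are left out, so treat it as an assumption-laden illustration rather than KeePass's on-disk algorithm.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def password_key(master_password: str) -> bytes:
    """First factor: SHA-256 of the master password (the post notes SHA-256 is the password hash)."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def keyfile_key(keyfile_bytes: bytes) -> bytes:
    """Second factor: SHA-256 of the key file contents, so any file length yields 32 bytes."""
    return hashlib.sha256(keyfile_bytes).digest()


def composite_key(master_password: str, keyfile_bytes: Optional[bytes]) -> bytes:
    """Combine the factors. No key file means the factor is absent, not an empty one.
    Assumption: SHA-256(SHA-256(password) || SHA-256(keyfile)), modelled on KeePass's documented
    composite key; the real format then runs further key-transformation rounds, omitted here."""
    material = password_key(master_password)
    if keyfile_bytes is not None:
        material += keyfile_key(keyfile_bytes)
    return hashlib.sha256(material).digest()


def can_unlock(stored_key: bytes, master_password: str, keyfile_bytes: Optional[bytes]) -> bool:
    """Constant-time comparison of the offered factors against the key the database was locked with."""
    return hmac.compare_digest(stored_key, composite_key(master_password, keyfile_bytes))


def new_keyfile() -> bytes:
    """Generate a random 32-byte key file, the kind kept on the second USB drive."""
    return secrets.token_bytes(32)


# Constructed sample values for the demonstration (not real secrets).
DEMO_PASSWORD = "correct horse battery staple"
DEMO_KEYFILE = bytes(range(32))
DEMO_STORED_KEY = composite_key(DEMO_PASSWORD, DEMO_KEYFILE)

if __name__ == "__main__":
    print("password + key file :", can_unlock(DEMO_STORED_KEY, DEMO_PASSWORD, DEMO_KEYFILE))
    print("password, no key file:", can_unlock(DEMO_STORED_KEY, DEMO_PASSWORD, None))
    print("password, wrong file :", can_unlock(DEMO_STORED_KEY, DEMO_PASSWORD, bytes(32)))
    print("wrong password + file:", can_unlock(DEMO_STORED_KEY, "hunter2", DEMO_KEYFILE))
```

Losing the key file drive is therefore as fatal as forgetting the password, which is exactly why the backup on the third drive matters.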
First I simply added a few existing accounts to KeePass. I use IE & Firefox at work. I use tabs in each browser and have specific tabs open every day in each browser. Some are company Intranet pages and some are Internet websites. You have to build your database in KeePass, but once you do it is very easy to use: once your mouse is at the login prompt you type a few keys (Ctrl+Alt+whatever) and KeePass fires off its auto-login feature, login, tab, password, enter! And Wham, you are logged in! The script is customizable as well. KeePass uses the title of the page to determine what account it should use. KeePass also works with programs.
Have multiple Facebook accounts (hey, sometimes I just feel like a 14 year-old girl)? No problem, highlight the account in KeePass and type Ctrl+C and the login and pass for the individual account is automatically used. (I was kidding about the 14-year-old girl thing…really…)
I was one of the suckers who had a RockYou.com account that got hacked (I used to use it to store eBay pics). And yep, the login and pass I used was pretty much the same one I used for everything! To their credit they sent out several emails letting their users know what happened. About this time I was testing the waters with KeePass, so I decided to step things up a bit. I used the password-generator feature to not only create a password that was random, but it was whatever length I chose, and I had the option of mixing uppercase, lowercase, digits, underline, minus, space, special, brackets and even high ASCII characters! How is this for ugly: Ì?:-Ôð?µg¤É;³$®7u?z??Êi¦×á_?Ñ? Or this: ë¶>aG»q ?ÜT?ú-©Îç mvÀ/Reí$D? So now I have a randomly-generated password that is so ugly that I couldn’t remember it if I wanted to! PERFECT! KeePass saves the password as asterisks, but you can toggle to plain text if you actually wish to see the password.
The next step was to use the program as I signed up for new accounts: spideroak.com, snapfish.com, animoto.com, etc. Yeah, I’ve been messing around with online storage and picture sharing lately, but I digress. I don’t know the passwords to any of these new sites! But I feel secure that they are safe in KeePass!
A bonus is that you start to get a feel for how secure websites really are. Picturetrail.com limits passwords to 6 characters and only alphanumeric. But zumodrive.com allows 20 characters and I was able to add brackets and special characters.
Lifehacker.com likes KeePass and wrote this article about KeePass plug-ins.
OK, yep, if I lose the USB drives I am kinda screwed; they are all on the same keyring (not smart). But only until I get the backup db and file (maybe from a file sharing site? Yes, after I use the “forgot password” button) and download the program again. But then I will actually have a neat list of all the passwords that need to be changed, plus a password generator to assist!
I encourage you to check out KeePass, ease into it and then THINK LAYERED SECURITY!