The Problem
If you use the same password on your e-banking website and some random forum site, hackers don't have to bypass all your bank's security; they just have to hack that one forum site. Once a hacker has your login name and password combination, he can take that combination and try it on other sites to see if it works. The XKCD comic strip has an excellent summary of this problem in strip 792.
Now, many of you will be saying that you use two (or a few) passwords: a "good" password for banking sites or sites that store credit card information, and an "easy" password for all the accounts that don't matter, like Facebook or Twitter. But even if you do, there is no guarantee that one of the accounts that uses your "good" password won't be breached. In May, Sony's PlayStation Network was breached, and over a million passwords were divulged. This breach was even worse because the passwords were not encrypted or securely hashed on Sony's server. Even if a site does securely hash its passwords, they can be reversed once the password database is downloaded by the hacker [1].
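The footnote's point about hashed password databases is worth seeing concretely. The Go program below is an added example written for this page, not code from the article or from KeePass: it builds a small precomputed lookup table (the idea behind a rainbow table, minus the chain compression) over a constructed five-word list, reverses an unsalted digest with one lookup, and then shows that a random per-user salt makes the same table useless. Every identifier and the wordlist are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Constructed wordlist standing in for the dictionaries that precomputed
// (rainbow) tables are built from.
var commonPasswords = []string{"password", "123456", "letmein", "qwerty", "iloveyou"}

// unsaltedHash is the weak scheme: one fast, deterministic hash per password,
// so every user and every site with the same password stores the same digest.
func unsaltedHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// buildLookupTable precomputes digest -> password once. Afterwards any leaked
// unsalted digest of a dictionary word is reversed by a single map lookup.
func buildLookupTable(words []string) map[string]string {
	table := make(map[string]string, len(words))
	for _, w := range words {
		table[unsaltedHash(w)] = w
	}
	return table
}

// reverseUnsalted returns the password behind a leaked digest if the table has it.
func reverseUnsalted(table map[string]string, digest string) (string, bool) {
	pw, ok := table[digest]
	return pw, ok
}

// SaltedRecord is what a site should store instead: a random per-user salt and
// a digest that depends on it. Only the salt is shown here; a real system also
// uses a slow KDF (PBKDF2, bcrypt, scrypt, Argon2) so that guessing stays
// expensive even when the salt is known.
type SaltedRecord struct {
	Salt   []byte
	Digest []byte
}

func saltedDigest(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// newSaltedRecord draws a fresh 16-byte salt for every stored password.
func newSaltedRecord(password string) (SaltedRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return SaltedRecord{}, err
	}
	return SaltedRecord{Salt: salt, Digest: saltedDigest(salt, password)}, nil
}

// verifySalted checks a login attempt in constant time.
func verifySalted(rec SaltedRecord, attempt string) bool {
	return subtle.ConstantTimeCompare(rec.Digest, saltedDigest(rec.Salt, attempt)) == 1
}

// tableHitsSalted asks whether the precomputed table recognises a salted digest.
// It does not: the table would have to be rebuilt for every individual salt.
func tableHitsSalted(table map[string]string, rec SaltedRecord) bool {
	_, ok := table[hex.EncodeToString(rec.Digest)]
	return ok
}

func main() {
	table := buildLookupTable(commonPasswords)
	leaked := unsaltedHash("letmein") // digest copied from a breached, unsalted database
	if pw, ok := reverseUnsalted(table, leaked); ok {
		fmt.Printf("unsalted digest %s... reversed to %q\n", leaked[:12], pw)
	}
	rec, _ := newSaltedRecord("letmein")
	fmt.Println("salted digest found in table:", tableHitsSalted(table, rec))
	fmt.Println("salted login check:", verifySalted(rec, "letmein"))
}
```

The table is built once and reused against every leaked database that uses the same unsalted scheme, which is why a breach at one site exposes the same password everywhere. With a per-user salt the precomputed work no longer transfers, and with a slow KDF on top each remaining guess is expensive; neither helps a user who reused the password on a site that did neither, which is the article's case for a different password per account.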
Even non-financial sites like Twitter, Gmail, and Facebook carry more risk these days. If someone gains access to your Gmail, they can probably use the password reset feature to reset your password to other sites, including your bank account. Then there's a risk that a hacked Facebook or Twitter account will be defaced with child pornography or other unsavory things. Your boss and your coworkers are probably your Facebook friends, right? Even if you can eventually show that your account was hacked, it will still take you a while to get it all sorted out.
To make matters worse, many websites use OpenID to allow you to log in with your Google, Twitter, or Facebook account. That means that if your Facebook account is breached, all the others are as well. Password management gives you a better way to manage multiple online identities without having to put all your eggs in one basket.
A Solution to the Password Problem
Given all this, the best way to protect your online accounts is to use a different password for each account. But trying to remember all those passwords is a pain, especially for sites that you only use occasionally. Password management is not the only answer, but it is one of the best and most easily implemented. KeePass is an excellent tool for securely managing a large number of passwords. It offers the following benefits:
- Security: the password database is encrypted with a single strong password, which is the only thing you need to remember.
- Strong password generator: KeePass will generate strong passwords automatically, so you don't have to think of a new one each time.
- Multiple users: multiple users can access the same database with their own passwords. My wife and I share a password database so that we can both access all of our shared online accounts.
- Ease of use: with the "auto-type" feature, you don't even have to type your password. You can also easily copy and paste usernames and passwords.
- Store additional information: Each password entry comes with a URL and a notes field so that you can easily store the website that the password is used for, along with other information like security question answers and confirmation numbers. All this is encrypted for storage along with the password.
Getting Started with KeePass
I recommend using the KeePass Professional (2.16) Portable version, which you can download from http://keepass.info/download.html, or you can download the Portable version directly.
Once you've downloaded the zip file, extract it with a ZIP utility or the built-in Windows ZIP feature (right-click, then choose "Extract All" from the context menu). I usually keep all my portable applications in a folder under "My Documents" called "portable apps". After extracting the files, click on KeePass.exe to launch KeePass. You can get more information on installing KeePass here. You can also use KeePass on a Linux / MacOS computer, but you'll want to look at these detailed directions.
Before we go on, a note about security: if you accidentally delete your password database, or you forget the passphrase you used to encrypt it, your passwords will be LOST FOREVER. I recommend you write your passphrase down and keep it in a safe place. You should also regularly back up your password file. One simple way to do this is to create a Dropbox account and store your password file there. Not only is it easy to access from elsewhere, but it is automatically synced and backed up online. If you do sign up for Dropbox, please consider using my Dropbox referral link.
Creating a New Password Database
When you launch KeePass for the first time, you'll see the basic KeePass GUI, as in Figure 1. Follow these steps to create a new password database.
Figure 1
- Select File > New. Choose a location to save your password database. I prefer to save it inside the KeePass folder in my "portable apps" directory.
- Now you will be prompted to create a composite master key. Choose the checkbox next to Master Password, then type a long password or passphrase into the box. Repeat the password in the second box, then click the OK button. I usually use a phrase from a favorite book or movie that is easy to remember, like "It was the best of times, it was the worst of times." Be sure you remember the capitalization and punctuation you use!
- Now you will be presented with some choices for database settings. Enter a database name. You can leave all the other default settings and click the OK button.
- Now you will see a set of default entry groups, like General, Windows, Network, etc. in the left pane and a single sample entry in the right pane. Click the blue disk icon on the toolbar to save the database (see Figure 2).
Continue on to the next section to learn how to create new password entries.

Figure 2
Creating A New Password Entry
Follow these steps to create a password entry. You should repeat these steps for each online account you use. Note that you will still need to change your password for each program or website using whatever account screen each website or program provides.
- Choose a password group from the left pane and click on it. For this example, we'll use the "Internet" group.
- Right click in the right pane (which will be empty if this is your first password) and choose "New Entry". You should see a new window pop up that looks like Figure 3.
- Fill in a title and username. For example, the title might be "www.example.com user login" and the username would be "myusername".
- Note that the password field is already filled in with a unique, strong password. If you want to view or edit the automatically generated password, click the button with the three dark dots. If you want to change the way passwords are generated (for example, to include or exclude symbols and numbers), click the button just to the right of the "Repeat Password" field.
- Fill in the URL of the website that uses this account, for example "http://www.example.com".
- Add any notes.
- Click the OK button. This closes the "Add Entry" box.
- Click the blue disk icon to save your changes.
- Go to the website for the entry you just created. Log in using your old password and navigate to the page or screen for changing your password.
- On the webpage or program, enter your old password in the old password field.
- In KeePass, right click on the password entry and choose "Copy Password to Clipboard".
- Navigate back to your web browser or program and paste the

Figure 3
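The generator described in the steps above (a unique strong password per entry, with a button to include or exclude symbols and numbers) can be understood from a small model of it. The Go code below is an added example written for this page, not KeePass's generator code: a Policy with include/exclude toggles, a Generate function backed by the operating system's CSPRNG, and an EntropyBits estimate of what the chosen settings buy. The class names, the symbol set and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Character classes for this example; the names and the symbol set are
// constructed here, not taken from KeePass.
const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!@#$%^&*()-_=+[]{};:,.<>?"
)

// Policy mirrors the include/exclude toggles of a generator dialog.
type Policy struct {
	Length  int
	Digits  bool
	Symbols bool
}

// classes returns the enabled classes; letters are always included.
func (p Policy) classes() []string {
	cs := []string{lower, upper}
	if p.Digits {
		cs = append(cs, digits)
	}
	if p.Symbols {
		cs = append(cs, symbols)
	}
	return cs
}

// randomIndex draws a uniform index in [0, n) from the OS CSPRNG; math/rand
// would be the wrong tool because its output is predictable. A failure of the
// CSPRNG is unrecoverable, so it panics rather than returning a weak value.
func randomIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}

// Generate returns p.Length characters from the enabled classes with at least
// one character from each class, shuffled so the guaranteed characters do not
// sit at predictable positions.
func Generate(p Policy) (string, error) {
	cs := p.classes()
	if p.Length < len(cs) {
		return "", fmt.Errorf("length %d is shorter than the %d required classes", p.Length, len(cs))
	}
	alphabet := strings.Join(cs, "")
	out := make([]byte, 0, p.Length)
	for _, c := range cs { // one mandatory character per enabled class
		out = append(out, c[randomIndex(len(c))])
	}
	for len(out) < p.Length { // the rest from the whole alphabet
		out = append(out, alphabet[randomIndex(len(alphabet))])
	}
	for i := len(out) - 1; i > 0; i-- { // Fisher-Yates shuffle with the CSPRNG
		j := randomIndex(i + 1)
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

// EntropyBits estimates the strength of a password drawn under p as
// Length * log2(alphabet size).
func EntropyBits(p Policy) float64 {
	return float64(p.Length) * math.Log2(float64(len(strings.Join(p.classes(), ""))))
}

// Satisfies reports whether pw has the right length, uses only the enabled
// alphabet, and contains at least one character from every enabled class.
func Satisfies(p Policy, pw string) bool {
	cs := p.classes()
	if len(pw) != p.Length || strings.Trim(pw, strings.Join(cs, "")) != "" {
		return false
	}
	for _, c := range cs {
		if !strings.ContainsAny(pw, c) {
			return false
		}
	}
	return true
}
```

Calling Generate(Policy{Length: 20, Digits: true, Symbols: true}) yields a 20-character password at about 129 bits; turning Symbols off shrinks the alphabet to 62 characters and drops the same length to about 119 bits, which is the trade-off the dialog's checkboxes control, and either figure is far beyond what a person would choose and remember for every site. Guaranteeing one character from each class slightly skews the distribution compared with sampling the whole alphabet uniformly; it is kept because many sites enforce exactly such composition rules.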
Use KeePass to Log In
Follow these steps every time you want to log in to a program or website whose username and password are stored in KeePass.
Method 1: auto-type
- Select the password group from the left pane. In our example, this is the "Internet" group.
- Select the password entry from the right pane and right-click on it. Choose URLs > Open URL in Browser. A browser window should pop up and take you to the website. (Note that you must use a real website, like Google or Facebook. www.example.com is not a real website.)
- Place your cursor in the username field for the website.
- Press alt-tab (or command-tab on a Mac) to switch back to KeePass. It's important that you not select any other application in this step, or the auto-type feature won't work.
- Right-click on the password entry and choose "Perform Auto-Type". KeePass will automatically switch back to the other page and attempt to enter both the username and password. Now you should be logged in without needing to type your password.
Note: This method works by sending keystroke characters to the browser window in the form of USERNAME[TAB]PASSWORD[ENTER]. This combination works on 90% of websites and some programs as well. If it doesn't work for you, proceed to Method 2.
Method 2: copy and paste
This method is useful for websites that do not follow the standard field layout for auto-type.
- Select the password group from the left pane. In our example, this is the "Internet" group.
- Select the password entry from the right pane and right-click on it. Choose URLs > Open URL in Browser. A browser window should pop up and take you to the website. (Note that you must use a real website, like Google or Facebook. www.example.com is not a real website.)
- Switch back to KeePass. You can still use alt-tab (or command-tab on a Mac), but it is not required for this method.
- Right-click on the password entry and choose Copy Username to Clipboard.
- Switch back to your web browser and place your cursor in the Username field. Press Ctrl-V (or right-click and choose Paste) to paste the username.
- Switch back to KeePass. You can still use alt-tab (or command-tab on a Mac), but it is not required for this method.
- Right-click on the password entry and choose Copy Password to Clipboard.
- Switch back to your web browser and place your cursor in the Password field. Press Ctrl-V (or right-click and choose Paste) to paste the password.
- Click the Ok or Login button on the website. Now you should be logged in.
Note: You can also use this method for programs on the desktop that require a username and password. Just access the desktop program through the start menu and skip steps 2 and 3.
Taking KeePass with You and Staying in Sync
KeePass is incredibly useful, but what about when you're away from your home computer? And if you are using KeePass on multiple computers, how do you keep the password files in sync?
Method 1: Dropbox (or another online file storage service)
Dropbox is a great service that syncs your files online and between multiple computers. It is free for up to 2 GB of storage. You can find out more about Dropbox here. If you do sign up, please consider using my Dropbox referral link. Because your password database is encrypted, you do not need to worry about Dropbox administrators accessing your passwords, even if they were to access your files on Dropbox.
Once you've set up Dropbox, simply copy the entire KeePass portable folder (including your password database) into your Dropbox folder. The files will automatically be synced across all your computers and uploaded to the Dropbox website. You can even get apps for Android, BlackBerry, or iOS devices to sync to your mobile devices.
If you're using a friend's computer (where you do not have Dropbox installed), you can always download your password database and KeePass files from the Dropbox website.
If you're using a mobile device, you can get a KeePass app for Android or iOS that is able to open your password database.
Method 2: the thumbdrive method
If you prefer not to use Dropbox, or you frequently use public computers in a computer lab or library, you may prefer to keep your KeePass folder on a USB thumb drive. KeePass files are very small (less than 5 MB in most cases), so even an inexpensive thumb drive will do. Many are small and easy to carry on a keychain or in a purse and can be purchased for less than $10.
Once you've copied your KeePass files (including the password database) onto your thumb drive, you can carry them with you and use them almost anywhere there is a computer. This is also convenient because there is just one version of the password database, so you don't need to worry about password files on different computers getting out of sync. Just like the Dropbox method, because the password database is encrypted, there is very little risk of someone getting your passwords if they steal your thumb drive (or if you lose it).
Important note: You should REGULARLY back up your KeePass files to another computer in case you do lose your thumb drive. Unlike the Dropbox method, there is no online backup for the thumb drive.
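Both the Dropbox and the thumb drive method rest on the same claim: the encrypted database is safe in other hands, and the master passphrase chosen in "Creating a New Password Database" is the only thing protecting it. The Go program below is an added example written for this page, not KeePass's code or its KDBX file format: it derives an AES-256 key from a passphrase with PBKDF2-HMAC-SHA256, seals a constructed entry with AES-GCM, and shows that a passphrase differing only in capitalization recovers nothing at all, which is the flip side of the LOST FOREVER warning earlier. The container layout, the iteration count and every name are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Container layout used by this example: salt || nonce || ciphertext.
// KeePass's own KDBX format is different; the principle is the same.
const (
	saltLen    = 16
	nonceLen   = 12
	iterations = 100000 // each passphrase guess costs 100000 HMAC computations
)

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) directly so the
// example needs nothing outside the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac := hmac.New(sha256.New, passphrase)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U2..Uc, XORed together
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newAEAD derives a 256-bit AES key from the passphrase and salt.
func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a plaintext database under a passphrase. Salt and nonce are
// fresh on every call, so two encryptions of the same file look unrelated.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return aead.Seal(header, nonce, plaintext, salt), nil
}

// Open decrypts a container. A wrong passphrase, or any change to the bytes,
// fails authentication and returns no plaintext at all.
func Open(passphrase string, container []byte) ([]byte, error) {
	if len(container) < saltLen+nonceLen {
		return nil, errors.New("container too short")
	}
	salt, nonce, ct := container[:saltLen], container[saltLen:saltLen+nonceLen], container[saltLen+nonceLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, salt)
}

func main() {
	master := "It was the best of times, it was the worst of times."
	box, err := Seal(master, []byte("www.example.com\tmyusername\tgenerated-password")) // constructed entry
	if err != nil {
		panic(err)
	}
	_, err = Open("it was the best of times, it was the worst of times.", box)
	fmt.Println("lower-case passphrase:", err) // authentication fails; nothing is recovered
	pt, _ := Open(master, box)
	fmt.Printf("correct passphrase: %s\n", pt)
}
```

Two things carry the argument. The salt and nonce are random per file, so the ciphertext on Dropbox's servers or a lost thumb drive says nothing about its contents, and GCM's authentication tag means a wrong key fails cleanly instead of producing garbage that might be partially useful. The only lever an attacker holding the file has left is guessing the passphrase, and each guess costs the full key derivation; KeePass's database settings have an analogous key transformation setting that serves the same purpose, which is why a long phrase with its exact capitalization and punctuation matters so much.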
Conclusion
There are a lot of security risks for computers today, especially where the Internet is concerned. No solution is perfectly secure, but using KeePass to maintain a separate password for each website is an inexpensive, usable way to manage your accounts online and reduce your risk of exposure.
Footnotes:
1. Even if a site does hash passwords, rainbow tables can be used to reverse the hashes with desktop hardware.