Healthy Paranoia - Goodbye, Passwords!

by Veit Hailperin
time to read: 7 minutes

Passwords are among the most exploited vulnerabilities in untargeted attacks. Oftentimes, they are easy to guess, and if they aren't, they are often re-used with only slight variations. That's not that astounding, seeing as I'm a security expert myself and I didn't follow my own advice for the longest time. It's too much effort. Or so I thought.

Funny, but useless. Source: xkcd.com

The most difficult part for me is remembering a complex string of characters that does not make any sense. I am not even going to think about remembering many of them. Even if XKCD is funny, it's not a practical solution. The average internet user has anywhere between 10 and 50 passwords. Try the XKCD method times fifty. However, rephrase the question: instead of «How can I remember ten to fifty random strings of characters?», ask «Must I remember ten to fifty random strings of characters?»

We assume that we must know our passwords, but that's wrong. There's this thing, uhm, device that makes our lives easier – it's called a computer. So get a program that remembers passwords for you. These programs are called password safes. While they don't solve all the problems related to passwords, they do take care of remembering them.


Installation of Password Safes: KeePass

One such solution is called KeePass. Installing is easy. In Windows, you download the installer of the professional version from the official KeePass Website and you follow the installation menu.

In Debian based Linux distributions such as Ubuntu, use the following line in Terminal.

$ sudo apt-get install keepassx

or go with a graphic installation tool.

For Mac OS X, the software is available here and a double click starts installation.

The First Start

After the first start of KeePass, you will have to create a database in which the passwords are stored. This happens by clicking the icon under File.

New Database

Next, KeePass asks you what the password for the database should be. This is the only password that’s relevant to remember as it will be required at every start. It should be a very secure password.

Master Password

Confirm it:

Confirmation

Save the database now. Click on File —> Save Database

Save Password

Usage

Most of us have many passwords. There are two different ways to go about changing these. Either you log into everything at least once, change the password and save it in the database. Or you change them one by one, every time you need a service. How you go from insecure passwords to secure ones in the database doesn't matter, though. Start with your e-mail password, as it's one of your most important ones. For our example here, we'll use Facebook, though.

Click on Entries —> Add New Entry...

New Entry

A dialog pops up where all the relevant data can be entered.

Fill in Information

The button labeled Gen. opens the password generator.

Password Generator

There are various settings for the password that's being generated: length, complexity, character classes and so on. After entering the settings, click on Generate, which fills out the password field as well as the confirmation.

Password Settings
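The generator settings above (length and which character classes are allowed) determine how hard a password is to guess. As an added example, not KeePass's own code, here is a small generator that draws from the chosen classes with a cryptographically secure random source and reports the resulting entropy in bits, so the effect of each setting can be seen directly. The class names and the special-character set are assumptions for this illustration.

```python
import math
import secrets
import string

# Character classes, roughly matching what a password generator lets you toggle.
# The "special" set is an assumed selection of printable ASCII punctuation.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def charset(classes):
    """Pooled alphabet for the selected classes, deduplicated and sorted."""
    pool = "".join(CLASSES[c] for c in classes)
    return "".join(sorted(set(pool)))


def entropy_bits(length, classes):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(charset(classes)))


def generate(length, classes=("upper", "lower", "digits", "special")):
    """Generate a password using the secrets module (CSPRNG, not random.random).

    Each selected class must appear at least once; candidates that miss a class
    are rejected and redrawn. This costs a little entropy relative to the
    figure from entropy_bits(), which assumes purely uniform sampling.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of selected classes")
    alphabet = charset(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


if __name__ == "__main__":
    # Compare the strength of a few generator settings side by side.
    for length, classes in ((8, ("lower",)), (12, ("upper", "lower", "digits")),
                            (20, ("upper", "lower", "digits", "special"))):
        print(f"{length:>2} chars, {'+'.join(classes):<28} "
              f"{entropy_bits(length, classes):6.1f} bits  {generate(length, classes)}")
```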

After a final click on OK you’re back to the main screen.

List of Passwords

If you want to enter the password you generated into a website's password field, simply double-click the asterisks in the list of passwords. Then you can just paste it into the password field. A nice side effect of this is that the password is never displayed on screen and is only stored in the clipboard for a short period of time, which removes the clipboard as an attack vector.

If you would rather watch the setup of a KeePass password in a video:

YouTube Video

Addendum

If you'd rather have your passwords stored on a portable device such as a USB stick, you can use the portable version that can also be found on KeePass' official website. There, you'll also find a list of unofficial versions running on Android, Windows Phone and Blackberry.

About the Author

Veit Hailperin

Veit Hailperin has been working in information security since 2010. His research focuses on network and application layer security and the protection of privacy. He presents his findings at conferences.
