Password Security Tip


  1. Posts : 1,506
    W7 Ult. x64 | OS X
       #1

    Password Security Tip


    I'm sure that most of you have your computers fairly secure with Anti-Virus, Firewall, Anti-Keyloggers and everything else you can think of. One thing some might overlook is password security. Specifically the fact that without a password manager it's pretty difficult to store multiple passwords in your head that have the length and variability to be secure passwords.

    Keep in mind that having one password for everything is a very bad idea. Once an intruder cracks that one password, he/she has access to everything. Another bad move that most people make is storing their passwords within their browser. This is a very risky move. None of the browsers have enough password security to be able to protect your stored passwords.

    The solution to both of these problems is a password manager with real security. It not only allows you to store all of your passwords in a safe place, but it also allows you to use passwords that aren't easy to remember yet are very secure.

    There are many products on the market in this area, but here's a free solution I've come across.

       Information
    KeePass Password Safe

    KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

    Supported operating systems:
    Windows 98 / 98SE / ME / 2000 / XP / 2003 / Vista / 7, each 32-bit and 64-bit, Mono (Linux, Mac OS X, BSD, ...).

    Prerequisites:
    Microsoft .NET Framework ≥ 2.0 or Mono ≥ 2.6.


    The KeePass software stores your passwords in a secure database. It requires up to three different log-in credentials. The options are a password, a user account and a key file. You can use multiple combinations of those choices, but take extreme caution with the user account option. The reason I do not recommend the user account method is because the software requires that all selected keys (password, file, account) are used and if you use user account authentication, there is no possible way to recover passwords if you lose the user account. If you lose the account and don't have a backup you cannot get back in. It will not accept a new account with the same credentials. The key-file and a decent password are more than enough security.

    So, for the best security, set up your KeePass database to require both a password and a key file. Anyone who wishes to access the database will need access to both items. This means that even if someone guesses or finds your password, they would still need the key file. Storing this key file in removable media as well as in a secure backup location will allow access to your passwords, and protect you from losing the database in the event that the removable media malfunctions.

    Once you've started up a password manager it's a good idea to go through and change your passwords to become hard to guess and quite complicated. Personally, I use a password that contains uppercase, lowercase, numbers, symbols, spaces, high ANSI and is 64 characters long. Not all websites will allow you to use a password like this, but most will and most restrictions are related to length (16-32 characters) if anything. Some will require you not to use some symbols as well.

    Here's an example of a password rated by KeePass at 512 bits:
    *3iŠlI-'Œ›,"ž%-w( +iX4lЩfy+ƒ/?YžG忏R‡=9"

    An average password like quake375gamer is rated at 59 bits. If you're serious about password security, there's simply no possible way to remember a set of passwords that have at least 128 bit security and aren't made up of dictionary type words.

    One last tip: Even if you use complicated passwords on your main accounts, don't forget to use a decent password on junk e-mail accounts. These accounts may not have any information you think is important, but you may store a few contacts in these accounts unknowingly. If someone manages to access this account, you'll end up sending out unsolicited emails to these people.

       Tip
    If you'd like to test the security of your current passwords, you can use this link to do so. If you don't get at least a STRONG rating on each and every password, you should consider a password manager with a password generator. Also, do not use dictionary words. If you're using a word that can be found in any dictionary in any part of your password, create a new one.

    https://www.microsoft.com/protect/fr...s/checker.aspx
    Last edited by not so gray matter; 24 Apr 2010 at 13:04.
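
The post above sets 128 bits as the target and notes that sites often cap length at 16-32 characters or refuse some symbols. The sketch below is an added example, not part of the original post and not KeePass's own generator or quality estimator: it draws passwords from the OS CSPRNG and reports whether a given site policy can reach 128 bits. The function names and the sample policies are hypothetical.

```python
import math
import secrets
import string

TARGET_BITS = 128  # the threshold the post recommends

def build_alphabet(forbidden=""):
    """Printable ASCII (letters, digits, punctuation, space) minus chars a site refuses."""
    pool = string.ascii_letters + string.digits + string.punctuation + " "
    return "".join(ch for ch in pool if ch not in forbidden)

def entropy_bits(length, alphabet_size):
    """Entropy when every character is drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size, bits=TARGET_BITS):
    """Shortest random password over this alphabet that reaches the target."""
    return math.ceil(bits / math.log2(alphabet_size))

def generate(length, alphabet):
    """secrets.choice uses the OS CSPRNG; the random module is not suitable here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def plan_for_site(max_length, forbidden=""):
    """Generate the strongest password a (constructed) site policy permits."""
    alphabet = build_alphabet(forbidden)
    needed = min_length(len(alphabet))
    length = min(needed, max_length)  # never exceed the site's cap
    return {
        "password": generate(length, alphabet),
        "length": length,
        "bits": round(entropy_bits(length, len(alphabet)), 1),
        "meets_target": length >= needed,
    }

if __name__ == "__main__":
    # Constructed policies: a 16-char cap, a 32-char cap, and letters/digits only.
    for cap, banned in [(16, ""), (32, ""), (32, string.punctuation + " ")]:
        plan = plan_for_site(cap, banned)
        print(cap, plan["length"], plan["bits"], plan["meets_target"])
```

The figures only hold for passwords generated this way; a human-chosen password of the same length and character mix carries far less entropy.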


  2. Posts : 11,840
    64-bit Windows 8.1 Pro
       #2

    Good advice Al!


  3. Posts : 1,275
    Windows 7 Home Premium
       #3

    I've used Keepass for a couple months now. So so so much better than trying to remember pw's. Got it on a usb stick.


  4. Posts : 6,885
    Windows 7 Ultimate x64, Mint 9
       #4

    Thanks a lot.

    My password security is rather lax in that regard, mostly because there is no way I could remember different usernames and passwords for each site, let alone WHICH site.
    I will give this a try.

    Would you recommend INSTALLING the program to each computer I use, then put a keyfile on a USB drive?

    ~Lordbob


  5. Posts : 1,506
    W7 Ult. x64 | OS X
    Thread Starter
       #5

    Yeah, put the key file in a usb drive, but put it in a couple of backup locations as well. This is because if you lose the key file you lose your passwords. If you're using the software the way it was intended, this means losing your passwords because they're probably a combination of nonsensical characters.


  6. Posts : 4,280
    Windows 7 ultimate 64 bit / XP Home sp3
       #6

    Thanks for posting this, it is great advice. Fabe


  7. Posts : 6,885
    Windows 7 Ultimate x64, Mint 9
       #7

    notsograymatter said:
    Yeah, put the key file in a usb drive, but put it in a couple of backup locations as well. This is because if you lose the key file you lose your passwords. If you're using the software the way it was intended, this means losing your passwords because they're probably a combination of nonsensical characters.
    Thanks much. Will do this.

    Is it possible to backup the database on my main computer and export it to other computers, so that my laptop can have all my same passwords backed up?

    ~Lordbob


  8. Posts : 1,506
    W7 Ult. x64 | OS X
    Thread Starter
       #8

    Yep lord bob it is. You can move the database anywhere you want as long as you don't use the user account authentication. You can then access it from that other location. You can also download the portable version of the software which can run without being installed. This will allow you to keep everything on a flash drive and access your passwords on any computer you go to.

    Keeping all of your files on one flash drive isn't recommended though, because a would-be attacker could get this device and all they'd need to access your passwords would be your database password unless you encrypt or disguise your key file. I'll post another thread on TrueCrypt, which is a software you can use to encrypt drives and files.

    Here's the link to the portable version of KeePass classic and professional (both free)

    Classic Portable
    Download KeePass Password Safe from SourceForge.net

    Professional Portable
    Download KeePass Password Safe from SourceForge.net


  9. Posts : 208
    Windows 7 Home Premium 32bit, Linux Mint Julia, in dual boot mode
       #9

    Hello to all, A very late reply but I am a bit stunned now that I finally read it (I am new to this forum and am looking at many postings). Why on earth do you have to store your passwords ON the computer? Why not use a pen and a notebook (the paper one) with all kinds of stuff in it? No stranger or burglar is ever going to waste time browsing through your notebook. It is just as fast i.m.o. as hiding it somewhere on the computer but no one will ever find them in your notebook. I mean, hells bells computers are fine but for everything?


  10. Posts : 186
    Windows Seven, Ubuntu
       #10

    Using it for a long time. Great program. Love the fact that I can put my password file on a zip drive and never lose my passwords again.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

All times are GMT -5.