Switching to a password manager

Its amazing the number of people I know who still use the same basic password for everything in their life. There have been a number of high profile security breaches in the last few months. If you had an account with any of the companies that was attacked every single account you have online is at risk. So I'd like to go over a few ways I have that you can start using unique passwords for everything you do and don't have to remember any of them.

The program I'm going to recommend is KeePass. Another popular one is LastPass but I have some concerns about using that one. KeePass will generate and manage passwords for anything you need. I have mine keeping track of passwords for websites, computers on my network, and even cd-keys for software I've purchased. KeePass saves all of your information in a database file which you can bring along with you to be able to access from outside your home. I'm not going to get into detail about how to use KeePass since there's some excellent guides on their site. I will go over some of the features that I think are important that might be overlooked.

Before setting up KeePass you need to figure out how you're going to access your passwords when you're not at home. The two ways that I recommend are; carry around keepass with your database on a flash drive, or sync your database to all the computers you use with DropBox.

KeePass + Flash Drive
If you're going this way, I recommend using KeePass 1.xx. It is much lighter-weight than 2.xx and doesn't require .Net which every computer might not have. You'll want to download the ZIP package and uncompress that to your flash drive. From there KeePass will work like a normal program but save all the settings on the flash drive instead of the local computer. With your database saved on there as well you'll be able to pull up your passwords on any Windows computer.

KeePass + DropBox
This is what I use and is better if have a set of computers that you always use. I recommend KeePass 2.xx for this method. The computers you'll be working on you'll have more control of so install feature rich programs should not be an issue. 2.xx also has a wonderful synchronize option when saving that makes sure you don't overwrite changes done on another computer. Use the installer to put KeePass 2.xx on the computers you use. Create your database and save it inside your DropBox folder.

One thing I strongly recommend you do if going this route is create your database a key file. This will be a small 64byte file that will be required in addition to a password to unlock your database. We're doing this because your database with all your passwords is going to be floating around online. If anyone were ever to get access to it they would be able to brute force their way into your database. By using a key file its like adding a second password that is 64 characters long, adding a huge layer of security. On home computers you can save this locally. For computers outside the safety of your home, I recommend carrying a copy of your key file on a flash drive that you'll need to plugin when unlocking the database.

Other Access Methods
While both of the above methods are fairly versatile, you might find times where you are without access to your passwords. The best solution that I have is to access KeePass using a phone app available for iOS, Android, and most other phones through J2ME. If you are using the flash drive method, you'll have to make sure to copy the latest version of your database to your phone when you make changes. If you're using DropBox, both iOS and Android have DropBox clients so you'll be able to pull the latest version of your database as long as you have internet access. You'll also need a copy of the key file on your phone if you're using this method, so keep that in mind.

A very important thing no matter which method you use is to keep a backup of your database. If you're using DropBox it will keep old versions of the file on record, but you'll still want to have a local backup just in case.

After you get comfortable with using KeePass, I recommend setting your passwords to expire after a preset amount of time. I have mine set to every 90 days. If a password expires, I won't worry about it until I go to use it. Then I'll use it one last time to log into the site, and change my password to a new one generated by KeePass. This creates a stagger so that you're not overwhelmed one day with all of your passwords being out of date.

Auto-Type is a wonderful feature where KeePass looks at the name of the window you're currently using and sends your password to that window. It requires a little bit of setup for each password, but if you give good names to your password entries it will do most of the work on its own. One thing I would recommend is change the default auto-type string to exclude {enter}. This will prevent your username and password from accidentally being sent if you are not in a place expecting you to log in.

I hope this helps. Feel free to leave any feedback or questions in the comments.

No comments: