
Using KeePass Part 1 - setting up a password database

I have been postponing the installation of a decent password manager on my computer for quite a while now. The main reason is that I didn’t really see it as a key priority, and the one I selected, KeePass, can be a bit of a hassle to set up. I think it’s more about procrastination than “priorities” in the end, so I decided to stop the presses on everything else, set up KeePass and finally work with it. I don’t want to lag behind on cybersecurity, especially not with the increase in security breaches and the fact that, with brute-force attacks, it’s getting easier for cybercriminals to crack passwords that are more and more complex. By not committing myself to a password manager, I also broke two basic rules for handling passwords:

  • Always use complex passwords, preferably generated by an algorithm
  • Use a different password for every account

It’s also a bit hypocritical, I guess: posting articles about cybersecurity while not having the most basic form of protection on your own computer. So let’s do this!

Why should I use a password manager? 

Good question. Most people use very weak passwords and reuse the same passwords on all websites. The main reason people reuse passwords is that it is pretty difficult to remember all the different passwords you are using.

If you reuse a password a lot, your exposure to cybercrime increases in case of a password leak. In that case, a cybercriminal obtains an e-mail address, username and password combination that they can try on different websites. If you always use the same login information, these cybercriminals have access to all your accounts. By accessing one website they may also be able to use password-reset links to get into other websites, for instance your account at Amazon (including credit card details) or PayPal (if you have a PayPal account).

To check whether one of your accounts has been leaked, you can go to https://haveibeenpwned.com/ and enter your login information. The site will show you if your details have appeared in a leak.

You might be in for a surprise there, because a lot of people have been breached at least once.
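The same service also lets you check a single password against the known leaks without ever sending the password to it. As an added example (this is not code from the post or from haveibeenpwned.com, and it runs fully offline), the script below models that "range" lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix that shares that prefix, and does the comparison locally. The response body is a constructed sample; a real lookup would fetch https://api.pwnedpasswords.com/range/<prefix> and pass the returned text to the same parser.

```python
"""Offline model of the 'Pwned Passwords' range check (added example)."""
from __future__ import annotations

import hashlib
from typing import Callable

# Constructed sample of what the range endpoint returns for prefix 5BAA6:
# one "SUFFIX:COUNT" line per known hash sharing that prefix. The counts and
# the first two suffixes are made up for this example; the third suffix is
# the real SHA-1 of the string "password".
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
    ]),
}


def hash_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the service and the 35-character suffix that
    never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password was seen in known breaches (0 if never).
    Only the 5-character prefix is handed to fetch_range; the match is local."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "I_G4_T4_My_W4rk_Every_M4nday_Until_Friday!1"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, do not use" if n else "not in the sample data"
        print(f"{candidate!r}: {verdict}")
```

Because the service only ever sees a five-character prefix shared by hundreds of hashes, it cannot tell which password you were checking; that is why the check is safe to run on a password you intend to keep using.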

Why KeePass?

I like KeePass because it is a completely free, open-source password manager. This means that the source code of KeePass is available to anyone. The “source code” is the part of the software that you and I will probably never see: it’s the code that programmers can change to alter how KeePass works. This might sound bad, because it seems “unsafe” that just anyone can tinker with the software, but it is actually good: everybody is free to add features or fix parts of the source code, which means the program improves over time. After someone improves the software, the change is offered to the community, which can analyze it; after review and bug testing it can be included in a new version released on a central platform. Open source removes the constraint of having a fixed team of developers working on a project. The number and variety of people participating in popular open-source projects will outperform a fixed team of developers most of the time. It also gives everyone who wants to participate in an interesting project the opportunity to join and improve their own skills.

Because KeePass is open source, combined with a very dedicated KeePass community, you will be surprised by the number of features it offers, its security strength and its versatility.

The learning curve is a bit steep, but after this step-by-step guide you will be able to use one of the best password managers without a problem. Don’t give up if you don’t get the hang of it immediately. It’s like learning how to ride a bike: there might be a few setbacks and bruises (in this case to your ego), but once you know how to use it you will be able to use it without a problem for the rest of your life.

Installing KeePass

To install KeePass, you first need to download the software. You can find it here: https://keepass.info/download.html

Always select the latest version, because it has the most up-to-date features. Currently, KeePass is on version 2.49:

After downloading the program, you can run the setup and select the language you would like to use:

Keep all the boxes checked and click on “next”:

If you want to have shortcuts on your desktop, select the shortcuts you want to have and click on “next”:

After that, the install process starts, and then you can launch KeePass. You arrive at this start screen:

Setting up a password database

First, you need to create a new database (an encrypted file). To do this, click on File and then New:

Click on OK after that:

The next step is critical. KeePass now asks you where you want to save the encrypted database. To be able to synchronize it with all the devices you use, select a storage location in the cloud. There are several options for this, like Microsoft OneDrive, Google Drive and Dropbox.

Keeping a backup file is critical, though. If you accidentally delete the file from Dropbox, you lose all your passwords along with the database. So in addition to storing the file in Dropbox, I suggest you also make a backup of the database that is stored in Dropbox. You can keep the backup on your local computer or on a USB flash drive. Make sure to encrypt the USB flash drive with an encryption program, for instance BitLocker.

After that, you create a password. This should be a very strong password. I advise the following: think of a sentence you will always remember and then replace some letters. For instance: I_Go_To_My_Work_Every_Monday_Until_Friday!1 After that, replace every “o” with a “4” and you get I_G4_T4_My_W4rk_Every_M4nday_Until_Friday!1 It might be a bit annoying to type this password, but it’s the only password you will need afterwards:

Nowadays a multi-factor authentication (MFA) option is available for many applications that use passwords. I think it is important to use this option whenever it is there, because it is an extra security layer. With multi-factor authentication you need to pass a second check on top of the password to verify your identity and be able to log in. This is also the case with KeePass.

If you check the box “Show expert options”, you will be able to integrate multi-factor authentication into KeePass:

I suggest selecting the first of the MFA options, the “Key file”. Personally, I would never use the second option, “Windows user account”. If you use the Windows user account as a verification tool and you lose your Windows account, you have no way to access the database. The “Key file”, on the contrary, is not bound to a specific Windows account, so I would select only the “Key file”.

This is how the key file works: to open your password database, you need to enter your master password. But in addition, you now also need to supply a separate “key”, in the form of the key file you have stored. This is the extra security layer you have on top of the password. It is a bit like getting into your house by using a key to enter (the key file) and then entering an alarm code (the password) once you are in.

Select it by checking the box and press the “Create” button:

In the next screen, select the recommended option:

You will get to “Entropy Collection”. First, move the mouse cursor over the black and white dots in area 1, and after that type random keyboard input in area 2. When you are done, click on “OK”:

You need to do this because a computer cannot produce truly random data by itself. The random mouse movements and the random keyboard input supply the randomness that KeePass needs to generate the key file.

Now you can save your master key (the key file). I advise against storing it in the same location as your database (in my case Dropbox), for safety reasons. If someone gets access to the location where you store the database, having the key file there as well would be a nice gift for them: the only thing they would still have to guess is the password. If you keep the key file separate from the database, you mitigate that risk. Save the key file in a safe location that is easily accessible to you. In addition, you might want to consider a backup of the key file on a separate USB flash drive (protected by BitLocker). I would not save it on the same USB flash drive as the one you use for your password database backup, because I suggest you never store the key and the database in the same location. However, this is up to you, of course.

After the master key is saved, you can configure your password database. First, you have to name it, and you also need to enter a default user name for new entries. I would suggest entering your e-mail address to make things easy.

After that, it’s time to move to the Security tab. The only thing I would change there is the number of iterations. The more iterations you use, the more work each attempt to unlock the database takes, which makes guessing the master password harder. Make sure to press the test button as well to check that the delay is not too high. For me, 0,04 seconds is sufficient:
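To make the three ideas above concrete (the key file as a second factor that should be kept apart from the database, the entropy collection that produces it, and the iteration count that slows down every unlock attempt), here is an added example in Python. It is not KeePass’s own code: it is a simplified model in which each component is SHA-256 hashed and the hashes are combined, PBKDF2-HMAC-SHA256 from the standard library stands in for KeePass’s real key-transformation function, and the entropy mixing is my own illustration rather than KeePass’s generator. The mouse samples, keystrokes and password are constructed inputs.

```python
"""Simplified model of master password + key file + iterations (added example,
not KeePass's own code)."""
from __future__ import annotations

import hashlib
import os
import time


def key_file_from_entropy(mouse_events: list[tuple[int, int, float]],
                          keystrokes: str) -> bytes:
    """Model of the 'Entropy Collection' step: fold mouse positions/timings
    and the typed characters into a SHA-256 pool, mix in the operating
    system's random generator as well, and use the 32-byte result as the
    key-file content. User input is one source of randomness, not the
    only one, so never skip the OS generator."""
    pool = hashlib.sha256()
    for x, y, t in mouse_events:
        pool.update(f"{x},{y},{t:.6f};".encode())
    pool.update(keystrokes.encode("utf-8"))
    pool.update(os.urandom(32))
    return pool.digest()


def composite_key(password: str, key_file: bytes | None = None) -> bytes:
    """Combine the master password and, if present, the key file into one
    32-byte composite key: hash each component, concatenate, hash again.
    Whoever holds the database and the key file still has to guess the
    password; whoever holds the password still lacks the key-file bytes."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def transform_key(composite: bytes, salt: bytes, iterations: int) -> bytes:
    """Iterated key transformation (PBKDF2-HMAC-SHA256 as a stand-in). The
    cost grows linearly with `iterations`: the user pays it once per
    unlock, an attacker pays it once per password guess."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def calibrate_iterations(target_seconds: float, salt: bytes,
                         probe: int = 20_000) -> int:
    """Equivalent of the test button in the Security tab: time a probe run
    and scale the count so one unlock takes about target_seconds here."""
    start = time.perf_counter()
    transform_key(b"\x00" * 32, salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(probe, int(probe * target_seconds / elapsed))


def seconds_per_guess(salt: bytes, iterations: int) -> float:
    """Cost of one master-password guess at this iteration count on one
    core; multiply by the size of the password space to see why a long
    passphrase and a high count reinforce each other."""
    start = time.perf_counter()
    transform_key(b"\x01" * 32, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed inputs: a few mouse samples and some typed junk.
    events = [(120, 340, 0.013), (131, 338, 0.029), (150, 322, 0.041)]
    key_file = key_file_from_entropy(events, "asdf;lkj 3948 qwer")
    salt = os.urandom(32)  # a per-database salt, stored in the file header
    password = "I_G4_T4_My_W4rk_Every_M4nday_Until_Friday!1"

    with_file = composite_key(password, key_file)
    without_file = composite_key(password)
    print("key file changes the composite key:", with_file != without_file)

    iterations = calibrate_iterations(0.04, salt)  # the post's 0,04 s target
    print(f"iterations for about 0.04 s on this machine: {iterations}")
    print(f"one guess then costs about {seconds_per_guess(salt, iterations):.3f} s")
    print("derived database key:", transform_key(with_file, salt, iterations).hex())
```

The two properties worth noticing when you run it: the composite key is different with and without the key file even though the password is identical, which is exactly why the key file must not sit next to the database; and the calibrated iteration count depends on the machine, so a delay that is comfortable on a fast desktop can be much longer on an older laptop or phone that opens the same database.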

The next tab, Compression, shows how data compression is done. I suggest you keep it at GZip:

I would always use a recycle bin (see the Recycle Bin tab). You never know when you will need to restore an entry in your database because you accidentally deleted it. Mistakes happen, and this is a good way of recovering from mistakes you didn’t mean to make:

In the last tab, you can set up a recurring schedule for changing the password of your database. It’s up to you whether to use this option. If you do, you build in an extra form of safety, because you will be using a completely fresh password after every cycle you have set up. When you are done setting everything up, you can click on OK. We are almost there now, but you will see a box pop up after pressing “OK”:

This box gives you the option to print a physical emergency sheet. You should always do this. Print the sheet on a local printer and store it in a very safe place. If you lose your password and your database key, this is your lifeline. So press print and voilà: the first part of setting up KeePass is complete. Congratulations!

What is next?

Now that we know how to set up the password database, in my next post I will show you how to set up the password manager itself, by walking through the best functionalities of KeePass and how to use them.

If you have questions about installing KeePass and setting up the password database, just let me know by contacting me. Any other tips or advice are also most welcome. If you want to stay in the loop when I upload a new post, don’t forget to subscribe to receive a notification by e-mail.

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.
