Password Management and Security

Password management has been a thorn in my side for a long time. I’ve been aware that my passwords were not optimised for security as much as they should be, mainly because I needed to be able to remember them! For a long time I used browser methods to store passwords and to synchronise them across devices (laptop, tablet, phone). I used Firefox and Chrome for this purpose, and while it was reasonably satisfactory there were some significant downsides. Firstly, with both browsers there were some sites that simply don’t store or retrieve passwords within the browser – PayPal, for example. Then there were the inevitable glitches in synchronising passwords. They were also prone to storing duplicate passwords for the same site, which caused confusion when I had changed a password and was then unsure which one was the new one. Then there was the issue of sharing some passwords while keeping others private.

Initially our solution was to have multiple instances of Chrome, one signed in as Coppertops and one signed in under our private account. This solved the issue of sharing some while keeping others private, as long as we were extra careful about which version of the browser we were using. It more or less worked for storing and synchronising passwords. But there is no doubt that this solution is far from ideal in terms of security.

So then the Heartbleed situation arose, which did some of us a massive favour if I’m honest! It forced the issue and pushed us to find a more secure system to manage our passwords.

When I first started searching for a tool to use I realised how many there are and how poorly most of them work for our needs. The ones that would work seemed to be unnecessarily expensive.

Then I happened to stumble across KeePass, which we have set up and have been using fairly effectively for some time now. While it is pretty straightforward to set up, I thought I’d post a quick run-through of exactly how it works. (So there are no more excuses!)

Our setup has a Coppertops database, plus each of us has our own personal database loaded as well. It is linked in to Chrome and we have also connected our Android devices.

Download the software

This is the KeePass home page and the download is available here – download the most recent Professional Edition.

Install the software and set up a new database using the “New” icon at the left of the toolbar, or press Ctrl+N. You will be asked to select a location to store your database – for ease of synchronising across devices, I suggest saving it to your cloud storage (Dropbox, Copy, Google Drive, etc.).

The next dialogue box allows you to create a Composite Master Key – this is where you can really lock down security on your password database. You can add 1, 2 or 3 elements to secure your database – a password, a key file and a link to your Windows user account. I would suggest using a strong password plus a key file.

KeePass composite key
For the password, remember that this is the one password you will need to remember so go for the most complex mix of letters, numbers and symbols that will be memorable for you.

And for the key file, again to synchronise across devices this should be on cloud storage, but for security I would suggest storing it with a different cloud provider if you can. That way, even if somebody gains access to the storage where your database is, they won’t be able to open it without the key file (and vice versa). If you do need to give another user access to the database, they will need to connect to the database file and will also need the password and the key file to open it.
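To make the “both are needed” point concrete, here is an added example (not the post’s own code, and not KeePass’s source) that reimplements how KeePass 2.x builds the composite master key from a password and a key file: each component is reduced to 32 bytes and the concatenation is hashed once more, so a database with a key file cannot be opened from the password alone. The key-file rules follow KeePass’s documented handling of raw, hex and XML key files; the sample inputs are constructed; and the later key transformation (AES-KDF or Argon2) that KeePass applies before decrypting is omitted.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional


def password_key(password: str) -> bytes:
    """Password component: SHA-256 of the UTF-8 password (KeePass 2.x)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def key_file_key(data: bytes) -> bytes:
    """Key file component, using the rules KeePass 2.x applies in order."""
    try:  # 1. XML key file: v1 stores base64 in <Data>, v2 stores hex (Hash attribute not verified here)
        root = ET.fromstring(data)
        node = root.find("./Key/Data")
        if root.tag == "KeyFile" and node is not None and node.text:
            version = root.findtext("./Meta/Version", default="1.0")
            text = "".join(node.text.split())
            return bytes.fromhex(text) if version.startswith("2") else base64.b64decode(text)
    except ET.ParseError:
        pass
    if len(data) == 32:  # 2. exactly 32 bytes: used as-is
        return data
    if len(data) == 64:  # 3. 64 hex characters: decoded
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()  # 4. any other file: SHA-256 of the whole content


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Composite master key: SHA-256 over the concatenated 32-byte components."""
    parts = b""
    if password is not None:
        parts += password_key(password)
    if key_file is not None:
        parts += key_file_key(key_file)
    if not parts:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(parts).digest()


# Constructed sample key files (not real key material): raw 32-byte form and v1 XML form.
SAMPLE_RAW_KEY_FILE = bytes(range(32))
SAMPLE_XML_KEY_FILE = (
    b'<?xml version="1.0" encoding="utf-8"?><KeyFile><Meta><Version>1.00</Version></Meta>'
    b"<Key><Data>" + base64.b64encode(bytes(range(32))) + b"</Data></Key></KeyFile>"
)

if __name__ == "__main__":
    # Same password with and without the key file gives unrelated master keys.
    print(composite_key("correct horse", None).hex())
    print(composite_key("correct horse", SAMPLE_RAW_KEY_FILE).hex())
```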

If you need to create multiple databases, just run through the New Database process again. Under File, use Open/Open Recent to re-open databases you have closed.

Create a Password

To add a new password, click the “Add Entry” icon (yellow key with a green arrow).
KeePass Add entry
For most passwords you will need a title (so you can pick it out of your list), a username and a password (use the “Generate a password” icon – the yellow key with an orange sun – and choose an option). If you generate a password in KeePass, make sure to update the relevant user account to match; remember that this is a random password, so you will not be able to guess it later (nor will anybody else!).

Use the search bar to find a password you’ve already saved by typing in a word from any of the fields. You can also store your passwords in groups to make them easier to find; there are already some groups in your database, but you can add, delete or modify these to suit your own needs.

Link to your browser

OK so now you have your passwords database all set up, what next?

For me, the next thing I needed to do was to get the passwords I’d already stored in my browsers into KeePass. I had visions of spending HOURS typing them, if I’m honest, before I found this nifty tool to do the job a whole lot quicker than I could! Web Browser PassView by NirSoft automatically extracts passwords from all of your browsers and saves them into a file which you can then import into KeePass. That exported file contains your passwords in plain text, so delete it once the import is done. You may have a little tidying to do – for me the biggest task was removing irrelevant passwords which I no longer used – but the bulk of the heavy lifting is done for you.

The next job was to link KeePass to my browser (for me, Chrome) so that I could easily save passwords from websites and enter passwords into websites from KeePass. This was a little tricky to figure out, but is actually a pretty simple thing to do so hopefully I can explain it properly and save you some time on this step!

Firstly, download a plugin for KeePass called KeePassHttp, available as keepasshttp.plgx. Save this file to a folder called “plugins” in the KeePass directory, something like C:\Program Files (x86)\KeePass Password Safe 2\plugins. Restart KeePass once the plugin is saved to this location.

Next, install the extension in your browser. For Chrome, the extension is ChromeIPass while for Firefox the extension is PassIFox. You will then need to connect the extension in your browser to your database. Click the icon on the toolbar in your browser and it will go through the steps for you.

Usage in browser

When you load a webpage, one of two things should happen.
If you have a login saved for the site, KeePass will bring up a dialogue requesting permission to fill in your login details.
If you don’t have a login saved, the password generator icon will be visible beside the password field. You can generate the password automatically and copy it to the clipboard. Usually the ChromeIPass icon will turn red at this point, allowing you to automatically save a new entry. If not, you can manually add a new entry in KeePass and paste in the password that you have set.

For websites with multiple logins saved, you will see a drop-down list in the username field of your browser. The title you have saved in KeePass will appear in brackets, making it easy to select the correct option (as long as your titles are filled in properly).

Link to your Android device

There are a number of apps and methods for doing this, I will go through the one that worked for me.

Firstly, I installed the Keepass2Android app on my mobile device. This app does not allow connection to multiple databases, but it is easier to use than others I tried, which for me is more important.

This is where it comes in handy to have saved the database and key file to cloud storage, because it allows you to connect the app to them easily, as long as you have those storage apps installed on your Android device. Go through the steps as prompted by the app to connect. You will only need to do this after your device has been turned off, as the Quick Unlock function lets you log back in using just the last few digits of your password the rest of the time.

To get around the issue of not being able to connect to both work and personal databases with this app, I make use of copying entries between databases in KeePass. If you right-click an entry in the KeePass application there’s an option to copy it, and you can then paste it into a different database. I copy any of the entries I will need on mobile into my personal database this way.

Usage on Android

To use a password from KeePass on your Android device, tap into the username/password field and switch the keyboard to the Keepass2Android option. You can then select an entry from the database and enter the User or Password into the relevant field with a single tap. You also have the option to copy/paste the User/Password fields.

In summary…

So there you have it! KeePass allows you to generate secure passwords, store them securely, access them easily and synchronise across multiple devices. With a little tweaking to create multiple databases you can share a subset of your passwords with another user without compromising on security or ease of access.

Andrea


Owner at Coppertops
With my IT background and love of good design, I take pride in putting together highly professional websites that work well for their owners. My coding background lets me hook things together for effectiveness, efficiency and ease of use. My history with data management means I have a good understanding of search optimisation. I mainly use WordPress as a baseline to ensure all of these qualities, with customisations to suit.