Password Managers: Why You Should Use One

Tuesday, September 15, 2015 @ 6:15 pm

Passwords have become second nature to us in today’s world. Create a new account, type in a password. Log into an account, type in a password. But our brains can only remember so many characters and passwords, and this is where a password manager comes in handy. In this post I will give a review/tutorial of KeePass and an honourable mention to LastPass.

Updates since initial post:

  • 2017-03-29: Updated number of LastPass security incidents from 5 to 6. Info.
  • 2017-03-23: Updated KeePass information and screenshots to reflect new secure algorithm/key derivation options in v2.35. Also updated number of LastPass security incidents to 5.

Why a Password Manager is Essential

I know some of you at this point might be going, “Pfft, what’s he talking about, I can remember my passwords, I don’t need a password manager.”

Believe me, I was the same a couple of years ago. I had 3 passwords that I used: one for throwaway/junk accounts (“bubbles“), a slightly more complicated one for sites I frequented often (“bubbles123“), and one for critical accounts like my main email account, bank accounts, and government accounts (“bubbles123!@#“).

Here are the benefits of using a password manager:

  • You only need to remember one password. The one password you need to remember is the password that unlocks your password manager, giving you access to all your other passwords. This password should really be a passphrase, for example: “I just LOVE cats! I want 2.” This passphrase is memorable, contains a nice mix of characters (uppercase, lowercase, numbers and symbols), and is 27 characters long. It’s not short like “Hunter2” or “123456”, which in my experience can be brute-forced in a couple of milliseconds.
  • Opportunity to use stronger, unique passwords. Since the password manager does the hard work of remembering passwords for you, you can go crazy with your passwords. My main email account’s password is 100 characters long and looks similar to n+=|qp=oKt6gn>aa@Z-47IGmv^ v’azp>~-TwD ‘[1_HAR“]ooBebV}UtRSW7vX_Gk=a0oFLev-CyC,D{<“BcrN+$m4:kWuX-=”. My alternate, private email accounts have passwords that are 250+ characters long. A chain is only as strong as its weakest link: if you use the same password for more than one site and one of those sites has a data breach (there have been quite a few, and the number is only going to increase), there’s not much you can do except scramble to change your passwords, see what damage has been done, and react to the bad news. With a password manager you can generate very strong passwords and, more importantly, a unique password for every account you have. With unique passwords, if one site has a data breach, the damage to you is limited to that one site. You’d be proactive, not reactive.
  • Autofill Goodness. The two password managers I will be mentioning in this post (by the way, I am not affiliated with either in any way) offer autofill features that let you quickly log into your accounts with a mouse click or a few keystrokes.
  • Centralization. A password manager allows us to see which sites we have an account on and identify accounts that are unused and can be deleted (MySpace for instance). Have a LiveJournal account you almost forgot about with embarrassing posts? You would be able to log in and either delete those posts or delete the entire account with the help of a password manager (unless you have the password written down on a piece of paper or saved in a text file somewhere).

And just to be clear, a browser’s autofill/remember passwords feature != a real password manager. In my opinion, you should avoid using these features since browsers usually save remembered usernames/passwords unencrypted. Don’t believe me?

Sounds great, which password manager do you recommend?

LastPass: for Beginners, but taken with a grain of salt*

If you’re just starting out with a password manager, I would recommend LastPass. It’s free, straightforward and easy to get started with. They do take their work and product seriously and have been around since 2008. I especially like how they allow people to audit their passwords. The key thing in the generated report is the section that identifies which of your accounts use the same password. This is a nice guide on LastPass’ features and how to get started.

*It is worth noting that LastPass is a cloud-based service. Your data is stored encrypted on a server “in the cloud”, and the service is heavily integrated with web browsers, which in and of itself poses security risks. LastPass has had six security incidents, the sixth and latest one occurring in March 2017. Because of this I personally use KeePass (next section) and not LastPass.

"The Cloud"

If you still want to use LastPass, I highly recommend you enable Two-Factor Authentication.

Once you more or less have established yourself on LastPass, I recommend you run the LastPass Security Audit.

KeePass: password manager extraordinaire

The password manager I would recommend is KeePass. They’ve been around since 2003.

KeePass works very similarly to LastPass, the key difference being you have absolute full control over where you want your password database to be stored: offline on your computer, USB stick, phone/tablet, or in the cloud (note: if you do put your password database in the cloud, I highly recommend requiring a key file to access your password database in addition to a password – which I explain below under “Setting up KeePass”).

Pros:

  • You have full control over your password database. It is not in “the cloud” unless you put it there.
  • KeePass is free, open-source, and has versions for different operating systems and even mobile devices.
  • You have the flexibility of increasing the security of your password database by setting a “key file” that must exist in order to successfully unlock your password database.
  • Naturally promotes the use of strong, unique passwords by automatically generating a password when adding a new entry.

Cons:

  • It is completely up to you to make sure you don’t lose your password database (e.g. hard-drive crash, accidentally deleted).
  • May overwhelm new users with technical jargon like “key derivation function” and “parallelism” (don’t worry, I’ll walk you through how to get started below).
  • KeePass is not as seamless as LastPass, but has some shortcuts which I will go over below.

I recommend LastPass to people who are just starting out with a password manager mainly because of the first con I listed above.

At this point, if you think LastPass is the right one for you, you can stop reading.

Continue reading if you want to set up KeePass!

Setting up KeePass

  1. Download KeePass. The latest versions can be found here. Get the Professional Edition. You can choose between either the Installer or the Portable version. The difference between the two is that the Installer puts KeePass in your Program Files folder, while the Portable version is one you download, extract to any folder, and run. I would recommend the Portable version.
    1. Android: Keepass2Android, Linux: Keepass2 (found in Software Manager)
  2. Open KeePass and go to File => New…
    Create a new database
  3. Choose a folder to save your database file in (which you can then copy to Dropbox).
  4. Next you’ll see a “Create Composite Master Key” window. This step is very important so read closely!
    Securing your KeePass database
  5. For your Master Password (1), I recommend coming up with a memorable passphrase (e.g. “I just LOVE cats! I want 2.”). You will need to enter this in both boxes if you don’t click on the “…” button that shows what you’ve typed in.
  6. I strongly recommend setting a key file/provider (2). This added protection means you can store your KeePass database safely on Dropbox and use it, as long as you keep your key file separate from your KeePass database (i.e. not in the same folder or in “the cloud”). As soon as you’ve created your key file (“Create…” button (3), move your mouse/type in random keys, then click on OK), copy it to a USB drive, your phone, another computer, etc. Keep this file offline and not in Dropbox or in “the cloud”. This key file is to your KeePass database as house keys are to a house: you don’t want your keys left at your front door.
  7. Leave “Windows user account” unticked and click on OK.
  8. Next you can configure the database. Type in a name/description if you wish (I left mine blank).
  9. Next, click on the Security (1) tab, choose ChaCha20 (256-bit key, RFC 7539) (2) for the Encryption algorithm, Argon2 for the key derivation function (3), and click on the “1 second delay” button (4). This raises the key transformation parameters until unlocking takes about one second on your machine, which makes guessing master passwords against your database correspondingly slower.
    1. Compression tab: leave as GZip.
    2. Recycle Bin tab: I recommend ticking “Use a recycle bin”. This just lets you safely restore entries if you accidentally delete them.
    3. Advanced tab: I left the values as is.
  10. Click on OK.
  11. You should now see something similar to below. KeePass has gone ahead and created sample groups as well as two sample entries.
    Congrats!

Congratulations! You have created your very own password database with secure settings and are ready to add your passwords! At this point you can leverage KeePass to generate secure passwords for you, change your passwords on your various accounts, and save them in the database.

Below is a screenshot of my actual password database.

Andrew's password database

Note how you are able to add as many groups as you want, set icons for each, and also sort them alphabetically (right-click on the bolded parent label, hover over “Rearrange”, and click on either of the Sort options). In KeePass, you are able to securely attach files and/or create entries with anything you want! For instance, you can even start a diary:

Dear Diary...

Overview of My Configuration

I keep my KeePass database on Dropbox, along with a copy of Portable KeePass. The password for my database is around 29 characters long and consists of letters (upper and lower case), numbers, and symbols.

My database is set to both require a password and a key file to be unlocked. Since it requires a key file (and assuming I’m keeping the key file offline), I can safely store it on Dropbox without worry. If I did not set my database to require a key file, I would not be storing it in “the cloud”.

My key file is not on Dropbox or in “the cloud”; I have an offline copy of it on my USB, on my phone, and on my computers. The key word here is offline.
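To make the password-plus-key-file property concrete, here is an added example (my own code, not KeePass’s) that rebuilds the KeePass 2.x composite key as I understand it: SHA-256 over the SHA-256 of the master password concatenated with the 32-byte key derived from the key file. The Argon2 transformation and master seed that follow in a real .kdbx are left out, and the key file bytes are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

def password_component(password: str) -> bytes:
    # KeePass 2.x hashes the UTF-8 master password once with SHA-256 (assumed).
    return hashlib.sha256(password.encode("utf-8")).digest()

def key_file_component(data: bytes) -> bytes:
    # Assumed KeePass 2.x rules for a non-XML key file: 32 raw bytes are used
    # as-is, 64 hex characters are decoded, any other content is SHA-256 hashed.
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass
    return hashlib.sha256(data).digest()

def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    # The composite key is SHA-256 over the concatenated components, password
    # first and then key file (assumed). Both are needed to reproduce it.
    material = password_component(password)
    if key_file is not None:
        material += key_file_component(key_file)
    return hashlib.sha256(material).digest()

def unlock_succeeds(stored: bytes, password: str, key_file: Optional[bytes]) -> bool:
    # Constant-time comparison against the key the database was created with.
    return hmac.compare_digest(stored, composite_key(password, key_file))

# Constructed sample: the passphrase from this post plus a random 256-byte key file.
PASSPHRASE = "I just LOVE cats! I want 2."
KEY_FILE = os.urandom(256)

def demo():
    # Database A: password only. Database B: password plus key file.
    key_pw_only = composite_key(PASSPHRASE)
    key_pw_and_file = composite_key(PASSPHRASE, KEY_FILE)
    return {
        # Someone holding the .kdbx synced from Dropbox and even the correct
        # passphrase still fails on B without the offline key file.
        "pw_only_opens_A": unlock_succeeds(key_pw_only, PASSPHRASE, None),
        "pw_only_opens_B": unlock_succeeds(key_pw_and_file, PASSPHRASE, None),
        "pw_and_file_opens_B": unlock_succeeds(key_pw_and_file, PASSPHRASE, KEY_FILE),
        "wrong_file_opens_B": unlock_succeeds(key_pw_and_file, PASSPHRASE, os.urandom(256)),
    }
```

The “1 second delay” setting from the setup steps applies on top of this: every guess at the composite key also has to pay for the Argon2 transformation.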

KeePass Shortcuts

  • CTRL+ALT+A: click in the username/e-mail box on a login form and press these keys to have KeePass autofill the form. This works only if your entry title in KeePass matches the window title of the login page. This is the equivalent of LastPass’ autofill feature.
  • CTRL+ALT+K: opens your database.
  • CTRL+V: single-click on either the username or password column in KeePass for the account you want to paste into, then press CTRL+V. If you clicked on the username column, KeePass switches to the previously active window (as with ALT+TAB) and types in your username and password. If you clicked on the password column, it will just switch windows and type in your password.
  • CTRL+C: pressing this copies the password for the highlighted entry to your clipboard. The clipboard is cleared after 10-12 seconds.
  • CTRL+F: quickly search your entire database.

Tips

  • For KeePass’s autofill feature to work properly, ensure the “Title” field of a KeePass entry matches the title of the log-in form on the site. If you migrate from LastPass to KeePass, you may need to go through all of your entries and update the imported entries.
    • Alternatively, you can enter the title of the log-in form of the site under Properties => Tags for an entry, and then enable “An entry matches if one of its tags is contained in the target window title” in Tools => Options => Advanced.
  • You may need to modify the Auto-Type key sequence for some login forms. The default sequence is {USERNAME}{TAB}{PASSWORD}{ENTER}. To edit it for an entry, open the entry up (double-click on the Title of it), click on the Auto-Type tab, tick “Override default sequence” and edit away. For example, for one of my banks I’ve customized it to {USERNAME}{TAB}{TAB}{PASSWORD}{ENTER} because it has a Help link between the username and password boxes.
  • The “Notes” field for each entry is very handy. For example, it allows you to enter completely random secret questions and answers when registering an account which further protects your account from people who may know your personal details (e.g. mother’s maiden name, high school mascot, etc.):
  • Where you double-click is important. If you double-click on the “URL” column in KeePass, KeePass will open the site in your browser (if it has a URL set). If you double-click on the user name column, it will copy your user name to your clipboard. Double-click on the Title column to open the KeePass edit window.
  • Add the QualityColumn plug-in to add a column (View => Configure Columns…) which shows the quality of the password for your entries so you can see which are weak and need to be changed.
  • Some sites place limits on what you can use for a password. Banks are notorious for placing ridiculous limits that lead to insecure passwords.
  • If you need to change your password at any time, you are able to have KeePass derive a new password based on your existing one (same length and character set):
  • For added security:
    • Enable the 2 “automatic lock after inactivity” options under the Security tab in Tools => Options as well as the “Enable master key on secure desktop” option:
    • Optional: under the Interface tab, enable “Close button [X] minimizes main window instead of terminating the application” and “Minimize to tray instead of taskbar”.
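The window-title matching and Auto-Type sequence rules from the tips above, as an added example (my own code, not KeePass’s) with constructed entries. It assumes the matching rule is “entry title, or one of its tags when that option is on, is contained in the window title, case-insensitively”, and it refuses to type when that rule picks zero or several entries, which is the case the Gmail/Mail pair below triggers.

```python
import re
from dataclasses import dataclass, field
from typing import List

@dataclass
class Entry:
    title: str
    username: str
    password: str
    tags: List[str] = field(default_factory=list)
    sequence: str = "{USERNAME}{TAB}{PASSWORD}{ENTER}"  # KeePass's default sequence

def matching_entries(entries, window_title, match_tags=False):
    # Assumed reading of the rule: an entry matches when its title (or, with the
    # Tools => Options => Advanced option on, one of its tags) is contained in the
    # window title, compared case-insensitively.
    wt = window_title.lower()
    return [e for e in entries
            if any(n.lower() in wt for n in [e.title] + (e.tags if match_tags else []))]

TOKEN = re.compile(r"\{([A-Z]+)\}|([^{}]+)")
def expand_sequence(entry):
    # Turns the auto-type sequence into ("type", text) / ("key", name) actions:
    # {USERNAME}/{PASSWORD} become field values, other braced names are keys.
    actions = []
    for name, literal in TOKEN.findall(entry.sequence):
        if literal:
            actions.append(("type", literal))
        elif name in ("USERNAME", "PASSWORD"):
            actions.append(("type", getattr(entry, name.lower())))
        else:
            actions.append(("key", name))
    return actions

# Constructed sample entries. The bank overrides the default sequence with a second
# {TAB} to skip the Help link between its username and password boxes.
ENTRIES = [
    Entry("Gmail", "alice@example.com", "pw-gmail"),
    Entry("Mail", "alice", "pw-mail"),
    Entry("Bank", "alice", "pw-bank", sequence="{USERNAME}{TAB}{TAB}{PASSWORD}{ENTER}"),
    Entry("Forum", "alice", "pw-forum", tags=["Example Discussion Board"]),
]
def entry_for_window(window_title, match_tags=False):
    # Refuse to type when zero or several entries match: sending one entry's
    # password to a window that merely resembles its site is the failure mode.
    hits = matching_entries(ENTRIES, window_title, match_tags)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries match {window_title!r}")
    return hits[0]
```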

Creating a Custom Password Profile (for advanced users; optional)

In KeePass, you can create your very own password profile, which is a set of rules that newly generated passwords follow. Below are the steps to create one using my personal settings.

  1. Click on Tools => Generate Password…
    Accessing the Generate Password dialog
  2. Below is a screenshot of my preferred personal configuration. Note the yellow areas in the picture. You do not need to follow it exactly.
    Super Strong Settings
  3. Click on the Save icon beside the top drop-down.
  4. Type in a name for the custom profile and click on OK.
    Profile Name
  5. Now when you add a new entry, if you click on the “Generate Password” icon, you will be able to select the profile you just created.
    Voila, our new custom profile.

Note: by default this profile will create 250-character long, alphanumeric + spaces + symbol passwords. When changing your passwords, double/triple-check password limits. For instance, Google has a 100-character limit. After you “successfully change” your password on the site, log out and log in before saving it in KeePass to make sure it worked and that the password field doesn’t have a “maxlength” value set.

Migrating from LastPass to KeePass

  1. Log in to LastPass
  2. In the sidebar, click on Export under Tools => Advanced Tools
    Exporting Your LastPass data
  3. You may be prompted to enter your master LastPass password as a security precaution. Enter it and then a .CSV file should be downloaded
  4. Assuming you have already created a KeePass database, click on File => Import
    Import a password file into KeePass
  5. Scroll down until you see LastPass CSV and select it:
    Select LastPass CSV
  6. Under File, click on the folder icon and browse to the CSV file you just downloaded and click on OK
  7. You’re done! Now you should securely delete the CSV file.
  8. Optional: you can either wipe out your LastPass account or delete it entirely.