While they don't solve all our problems, password managers can significantly improve the security of our online accounts and provide some organization for sensitive information.
There's a ton of options out there, all with their own pros & cons, but I'll be going over KeePass in this post and explaining why I have found it to be the best for me. Also, I'll be taking a close look at some of the options available in KeePass that can further improve security and functionality.
There are two versions, 1.XX and 2.XX. You can see the differences here, but there's almost no reason to be using the Classic (1.XX) Edition.
There is also the option between an Installer or a Portable version. I recommend using the Portable version, especially for steps later in this post.
The newest version as of writing, and the one I'll be using in this post, is Professional Edition 2.36, Portable.
Creating a Database
Once you extract the KeePass contents from the .zip file, you should have all of these files:
Run the KeePass.exe application, and select whether or not you'd like to enable the automatic update check. I recommend Enabling this.
You should now see the KeePass application:
Choose File -> New... to begin creating a new KeePass database.
Name the file something appropriate, and save it wherever you'd like. If you're using KeePass Portable, then I'd recommend saving the database inside the KeePass folder containing the application and other files.
Next, you will see the Create Composite Master Key dialogue box. This is where you will create the master "key" that unlocks all your passwords and information stored inside the new KeePass database.
You have three options that can be used and combined to create your master key:
- Master password - This should be a strong & unique passphrase that is resistant to brute-force attacks, dictionary attacks, and social engineering.
Remember: password strength is not related to how hard it is to remember or type in. Length & complexity will defeat brute-forcing, so make sure you're using upper and lower case letters, and numbers at a minimum.
A good way to get more length on a password without making it hard to remember is to use a passphrase. When using a passphrase, avoid using common words to prevent dictionary attacks. Common words for English can be found here and here.
Avoid using words and numbers that come from personally important dates, hobbies, names, or anything somebody could write if they had to do a 10,000-word essay about you.
- Key file / provider - Key files are essentially a master password stored within a file.
You have to be able to access the key file when opening the database, but it's a bad idea to store the key file in the same location/drive/computer as the database (since that doesn't add any security).
If you lose or delete the keyfile, you will not be able to access your database (even if you know the master password).
Using a key file properly can add a lot of security since it will keep your database protected even if your master password is sniffed by a keylogger.
- Windows user account - I don't recommend this option for general use of KeePass. It's good for something like a company that only wants users to store certain passwords on a work computer, but not good for what we want.
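To make the "composite" part concrete, here is an added example (my own code, not KeePass's) that reproduces how KeePass 2.x reduces the master password and a key file to one 32-byte composite key: each component becomes 32 bytes (the key file by XML Data, raw 32-byte, 64-hex-character, or SHA-256-of-file precedence), the components are concatenated in a fixed order and hashed once more. It stops at the composite key; the AES-KDF rounds set by "1 Second Delay" and the master-seed mixing are applied after this and are not reproduced. The XML key file and password below are constructed sample values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the KeePass 2.x XML key file layout (version 1.00);
# the Data element holds bytes 0x00..0x1f in Base64.
SAMPLE_XML_KEY_FILE = b"""<?xml version="1.0" encoding="utf-8"?>
<KeyFile><Meta><Version>1.00</Version></Meta>
<Key><Data>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=</Data></Key></KeyFile>"""


def password_component(password):
    """Master password -> SHA-256 of its UTF-8 encoding."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def key_file_component(data):
    """Key file contents -> 32 bytes, in KeePass 2.x precedence order:
    XML key file, then raw 32-byte file, then 64 hex characters,
    otherwise SHA-256 of the whole file (so any file can serve as a key)."""
    try:
        root = ET.fromstring(data)
        if root.tag == "KeyFile":
            node = root.find("Key/Data")
            if node is not None and node.text:
                key = base64.b64decode(node.text.strip())
                if len(key) == 32:
                    return key
    except ET.ParseError:
        pass
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # 64 bytes that are not hex text: fall through to hashing
    return hashlib.sha256(data).digest()


def composite_key(password=None, key_file=None):
    """Concatenate the present components (password first) and hash once more."""
    parts = b""
    if password is not None:
        parts += password_component(password)
    if key_file is not None:
        parts += key_file_component(key_file)
    if not parts:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(parts).digest()
```

Because the key file bytes enter the final hash, a keylogger that captures only the typed password does not obtain the composite key.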
Now you will see the Create New Password Database - Step 2 dialogue box.
General tab - Database name, description, color, and default user name for new entries options. All can be changed later.
Security tab - Sticking with the AES/Rijndael encryption algorithm is recommended, as well as the AES-KDF Key derivation function.
IMPORTANT: click the "1 Second Delay" button to perform iterations of the key transformation function for one second. This will make accessing the database take longer (one second), but helps prevent attacks on the key. On my system, I got 17,728,256 iterations in one second, and I rounded this up to 20,000,000.
Compression - This will help reduce the size of the database.
Recycle Bin - Keep this option enabled. It is not referring to the Windows recycle bin, but to an internal one for deleted entries. You can remove the KeePass recycle bin category at any time later.
Advanced - Options for templates, history maintenance, and master key regeneration.
Once you've browsed through the options, click OK to proceed to the database.
You can return to this menu by going to File -> Database Settings.
Exploring the Interface
You should now be at the main KeePass application with your database open:
I'm only going to point out some options I find notable, but you should explore each menu and experiment with anything with a function that isn't readily apparent.
File -> Import / Export - These are used for importing and exporting the database contents. You can use several encrypted KeePass formats, or plaintext formats like HTML files.
File -> Synchronize - This option allows you to sync your database with another, adding any missing entries to your database that exist in the other.
View -> Show Entry View - Disabling this will hide any notes or contents in the KeePass entry. I recommend this so that nobody can view information in an over-the-shoulder attack or screen recorder.
Tools -> Generate Password... - This takes you to the Password Generator dialogue box:
Here, you can select different existing password profiles like 40-bit Hex Keys. A good idea is to create a custom profile that you use to generate your random passwords for accounts. I recommend these settings for a strong password that will not have issues with most sites:
Checking the "Collect additional entropy" option will help to randomize the generated password, making it harder to guess.
Remember to save the profile.
Creating Entries and Groups
Select Edit -> Add Entry.... From here you can name the entry, input username/password information (including generating a random password with the profile created above), add a URL, notes, and expiration dates.
One nice thing about KeePass is under the Advanced tab, where you can attach files to the entry. This is great for keeping sensitive documents safe inside KeePass, even if there isn't an account associated with them.
Once you're done creating your entry, you can organize them within the database's groups on the left side panel. Creating new groups can be done in Edit -> Add Group.
Once you have created your database, you need to back it up so that you don't lose all your information if the database file is corrupted, deleted, or lost.
Storing the database on the cloud is not insecure, contrary to what some people think. The database is encrypted, so your cloud service provider can't access the contents. I like keeping the entire KeePass folder stored on Microsoft's OneDrive, including the database. Then I use local copies of this folder to run KeePass & access the local database, and use the sync function to update the cloud database.
You can also keep a history of the database stored on more secure systems that are offline, encrypted, or otherwise secure, but these databases will not be updated with new entries from the local database.
KeePass isn't a hard application to use, but there are some options tucked away that can elevate your security:
- Create a database using a key file that is stored on a separate drive/computer to defend against keyloggers stealing your master password.
- Increase the key transformation iterations: File -> Database Settings -> Security -> 1 Second Delay
- Utilize the sync feature to keep backup databases up to date.
- Create a strong custom password profile: Tools -> Generate Password... -> Settings below at a minimum -> Save