Sunday, July 22, 2018

KeePass 2 password manager

I've been recycling passwords based on two themes from past experience that aren't particularly clever. My strat is not swoll, and it keeps me guessing as to which permutation belongs to which account.

This is the experience and modus operandi of many when it comes to online security--bank accounts, the email account you use to change ALL of your passwords with, bill paying, online vendors, social media, work benefits, etc.

What if you lost access to that primary email account? Would you be excited and capable to start from scratch? I'm going to be frank--for me it would be devastating.

Fortunately password managers have been around for quite some time. There are feature-rich, subscription services and more spare, manual intensive (sometimes free) offerings, and everything in between.

Recently I started using KeePass 2.

This manager uses a locally stored, encrypted file to house passwords. It is opened with either a master password, or a master password + unique key file.

I'll detail my setup, because I think it's flexible enough for anyone to use it reasonably easily (security geeks will cry because it totally negates KeePass 2's advantage of having a local file, but I'm ok with that because I'm a nobody, and this is very convenient).

Requirements:
USB drive (cheap, probably lying around)
Dropbox (or other cloud storage drive--most are free to use for the basic version)
KeePass 2 software (open source, free to use)
KeeAnywhere (free to use plugin | getting started)
HaveIBeenPwned (free to use plugin)

Process:
1. I downloaded the latest version of KeePass 2 to my primary desktop at home. The setup described here will also cover using multiple computers, and even a work computer. You can use the "Installer for Windows" .exe file if that's appropriate for your system. There are many supported systems.

2. After install, you need to create a database for your passwords: File > New. This is where you will set your master password. YOU MUST NOT FORGET THIS PASSWORD, BUT IT WILL BE THE ONLY ONE YOU NEED TO REMEMBER (and you can add a key file if you choose--don't lose that either if you choose to go that route).

First steps

To follow the method I use, you should save this database file in a cloud storage drive (Dropbox, Google Drive, etc.). The installation you did on your home computer will allow you to select it locally if you have Dropbox or another cloud storage program installed on your computer.

3. Now that you have a database you can start adding to it. I did this by looking at the passwords I was storing in my browser, and adding those first--then remove them from your browser! You can add them all at once, or slowly accumulate them as you remember which accounts you actually have. You're now set up to use the software with your current passwords without relying on an unsecured browser to remember them, or you can use the built-in password generator to change to better passwords.

4. To use the same synced database on multiple computers however, we have to (maybe) use a plugin. This is the KeeAnywhere plugin linked above. It lets you open a database file from cloud storage.

On the second computer you will be using (maybe a laptop), install KeePass 2.

If you already have your cloud storage accessible locally on this computer (e.g. you're running Dropbox) then you're all set, and can just open your file from wherever your Dropbox files are stored.

However, if you don't have your cloud drive running with local files on your computer you'll need KeeAnywhere.
Go to the "getting started" page I linked above and add the plgx file to the "Plugins" folder located wherever you installed KeePass 2 (probably in "Program Files" somewhere). To install the plugin, you'll need to close and then re-open KeePass 2.
It usually requires admin access, so you may not be able to do this at work (Side note: my work IT allowed me to install KeeAnywhere because they support using password managers--it never hurts to ask).

5. After re-opening KeePass 2, go to: Tools > KeeAnywhere Settings...
This will take you to a dialog that will let you link to accounts (first steps). You can then open your database file: File > Open > Open From Cloud Drive...

6. Cool. Now you can save your database from this computer, and because it opened the file from your cloud drive it also saves the file to your cloud drive--both computers have access to the same database. Keep in mind that this method relies on you (or the nice people at Dropbox, Google Drive, etc.) to keep your database file backed up.

7. If you want to take your database anywhere and use computers where you might not have install permissions (e.g. at work, the library, a friend's house), we can solve that too. Get out your USB drive and plug it into your computer.

Go back to the downloads page and instead of the .exe version, download the "Portable" .zip file and save it on your USB drive.

After you extract the files on your USB, you can run the program directly from the USB without needing to install it on a work or public computer.

8. Go through the same process of installing the KeeAnywhere plugin to your USB "Plugins" folder and adding the cloud drive and database of your choosing.

VOILA--now you have access to your database from computers in multiple locations.

===================================================

But your passwords are terrible and you really need to get those cleaned up.

"Ohhhh, but I don't want to," you whine, "nobody will care about stealing anything from little old me."

It's funny you should think that. Your passwords have already been stolen--you've been pwned. Don't look at me! I didn't steal your data! Though I'd love to...all that sweet, juicy data :P

They were stolen from Adobe, Dropbox, LinkedIn, Gawker, Tumblr, AND SO MANY MORE!

You can even check if your email info was breached, from here.

Now that you've got a sweet database of your passwords though, let's use a plugin to check the security of your passwords, so you can change any that have been compromised.

This is when you put the plgx file from the HaveIBeenPwned plugin into the "Plugins" folder of one of your installations. You'll need to install it separately in each installation of KeePass 2 if you want the plugin available on all your computers.

After re-opening KeePass 2, go to: Tools > HaveIBeenPwned.

You can check your database by site/service, username, or password.

Use the plugin to check against both available databases provided, and then change your passwords if you haven't already. You'll have to log in to each separate account and do it manually from there.

There may be some false positives due to the way the search is run, but you can be pretty confident that if you used the password generator to change one and had between 15 and 32 characters (upper and lower case with numbers--and maybe even special characters), that your password is secure.
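An added example (not from the original post or the plugin's source) of how a password can be checked against a breach list without the password leaving your machine: the hash-prefix range lookup used by the public Pwned Passwords service. The corpus, the `fake_range_service` stand-in and the sample entries are constructed so it runs offline; whether the KeePass plugin queries this way is an assumption, not something the post states.

```python
import hashlib

# Constructed breach corpus standing in for the remote service's data set.
CONSTRUCTED_CORPUS = {"password": 1000, "letmein": 250, "Summer2018": 12}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range lookup works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_service(prefix: str) -> str:
    """Server side (simulated): 'SUFFIX:COUNT' lines for one 5-character prefix."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, query=fake_range_service) -> int:
    """Client side: only the first 5 hex characters of the hash are sent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        # The suffix comparison happens locally, so the service never
        # learns which (if any) hash in the bucket was yours.
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0  # not present in the corpus


def audit(entries: dict) -> dict:
    """Map each entry title to its breach count; 0 means not found."""
    return {title: pwned_count(pw) for title, pw in entries.items()}


if __name__ == "__main__":
    # Constructed entries: one recycled password, one generator-style password.
    sample = {"bank": "password", "email": "kT7#vQ2m!xR9pLz4"}
    print(audit(sample))
```

Any entry with a non-zero count should be replaced with a generated password; a zero only means the password is not in the list that was checked.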

Happy safe passwords.

AND REMEMBER TO DEFINITELY NOT FORGET YOUR MASTER PASSWORD.
Put it in a safe or something if you need to.