Douglas Crawford

May 13, 2014

One takeaway from the ‘catastrophic’ Heartbleed Bug fiasco is that once a server’s OpenSSL has been patched (and preferably once its SSL certificates have been reissued, since the private keys behind them may very well have been exposed) everybody really should change all their passwords!

Unfortunately (and shamefully) many servers are at the time of writing still running vulnerable versions of OpenSSL (1.0.1 through 1.0.1f inclusive; the fix shipped in 1.0.1g), and likely untold more have not reissued their certificates even where they have applied the patch.

The best thing you can do about this is to contact companies where security is important to you, and ask whether they were vulnerable to the bug, and if so what they have done about it (we compiled a list of VPN providers’ responses at the time the Bug was discovered, and TorrentFreak has more recently followed suit).

Once a server is secure you should change your password for it. Passwords should ideally consist of a long string of random letters, numbers and symbols, and you should use a different one for every website or service, so that a breach at one site does not hand an attacker the keys to all the others. We do have some suggestions on how to make passwords more secure yet memorable using conventional means in our Ultimate Guide, but for maximum security you should use a password manager program.

LastPass is the most well-known and popular of these, but it is proprietary software (as are many other password managers out there). KeePass however is fully free and open source (code available here), which immediately recommends it to us.

KeePass

KeePass in its basic form is a Windows program (KeePass 2.x will also run on OS X and Linux via Mono), but KeePassX is an open source and compatible clone written natively for OS X and Linux, while iKeePass for iOS and Keepass2Android for Android cover mobile devices.

Using KeePass

Download the latest version of KeePass. Note that Versions 2.x are referred to as ‘Professional Edition’, while older versions are known as ‘Classic Edition’. We downloaded KeePass 2.26.

1. Create a new encrypted password database (stored in a .kdbx file) by clicking on the icon at the top right of the main window. You can save it anywhere, but (as we discuss below) choosing a Dropbox (or similar) folder will allow easy syncing across devices.

2. All passwords in a .kdbx file are protected by a master password, a key file, or both together (a composite key). Key files are typically stronger than anything you can memorise and can be carried on a USB stick, but it is vital not to lose them, as there is no way to recover the database without one! For now we’ll stick with a master password. Make sure you choose one that is genuinely strong, ideally a long passphrase, because it is the weakest link in the entire process (i.e. do not choose 123456 or the name of your cat)!

3. Database settings – You can fill in the ‘General’ tab as you see fit.

By default KeePass 2 encrypts the database with 256-bit AES. The master password is hashed with SHA-256 and then put through a configurable number of key transformation rounds (Database Settings > Security) before it becomes the encryption key, which slows down anyone guessing at the password offline; the decrypted data is verified against SHA-256 hashes so that tampering or corruption is detected. ‘Classic’ KeePass also supported the Twofish cipher, which we prefer because, although it was an AES finalist, it is not the algorithm NIST selected. Twofish can be added to KeePass 2 with an optional plugin (just unzip the plugin into the KeePass install folder).

4. The other settings can be left alone. Click ‘OK’ to create your secure password database and open the main KeePass window. Create a new password by clicking on the ‘Add Entry’ icon.

KeePass will automatically generate a secure password for you, and you can link it to a particular website and set an expiry date.

By clicking on the ‘Generate a password’ icon next to the ‘Quality’ indicator, you can tailor the password to be generated. This can be useful with websites (etc.) that are fussy about what password is used.
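
To make concrete what the generator is doing when you tailor it for a fussy website (and what “a long string of random letters, numbers and symbols” buys you), here is a small added example in Python. It is not KeePass’s own code; the class names, the particular symbol set and the function names are assumptions made for this illustration. It draws every character from the operating system’s CSPRNG via the `secrets` module, guarantees at least one character from each class a site demands, lets you exclude characters a form mangles, and reports the resulting entropy.

```python
import math
import secrets
import string

# Character classes a site's password policy may demand. The symbol set is an
# assumption for this example, not a KeePass generator profile.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_~",
}
DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")


def _pools(required, exclude):
    """Per-class character pools with any excluded characters removed."""
    pools = ["".join(c for c in CLASSES[name] if c not in exclude) for name in required]
    if any(not pool for pool in pools):
        raise ValueError("a required class has no characters left after exclusions")
    return pools


def alphabet(required=DEFAULT_CLASSES, exclude=""):
    """Union of the requested classes: the set every position is drawn from."""
    return "".join(sorted(set("".join(_pools(required, exclude)))))


def generate_password(length=24, required=DEFAULT_CLASSES, exclude=""):
    """Random password of `length` characters with at least one character from
    each required class, every choice made with the OS CSPRNG (`secrets`)."""
    if length < len(required):
        raise ValueError("length too short to contain one of each required class")
    pools = _pools(required, exclude)
    full = alphabet(required, exclude)
    # One guaranteed character per class, the remainder from the full alphabet.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(full) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG so the guaranteed characters do
    # not always sit in the first positions (random.shuffle is not suitable here).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_policy(password, required=DEFAULT_CLASSES, exclude=""):
    """True if the password contains a character from every required class and
    none of the excluded characters."""
    has_each = all(any(c in CLASSES[name] for c in password) for name in required)
    return has_each and not any(c in exclude for c in password)


def entropy_bits(length, required=DEFAULT_CLASSES, exclude=""):
    """Upper bound on entropy, log2(|alphabet| ** length). The must-contain rule
    removes a small fraction of strings, so the true figure is marginally lower;
    for 24 characters over a 76-symbol alphabet the difference is negligible."""
    return length * math.log2(len(alphabet(required, exclude)))


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, f"~{entropy_bits(24):.1f} bits")
    # A site that rejects symbols and visually confusable characters:
    policy = ("lower", "upper", "digits")
    pw2 = generate_password(16, required=policy, exclude="0O1lI")
    print(pw2, f"~{entropy_bits(16, policy, '0O1lI'):.1f} bits")
```

The entropy figure is what to watch when a site forces you to drop symbols or shorten the password: 16 characters over letters and digits is still well over 90 bits, far beyond anything that can be guessed online, but it is the length, not the exotic symbols, that does most of the work.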

The main screen allows various password management functions. The ‘Open URL’ button will open your default browser at the webpage linked to the password.

Unlike commercial managers such as LastPass, KeePass does not integrate with your browser, although its Auto-Type feature (a global hotkey that types the selected entry’s username and password into the active window) covers much of the same ground. If you copy a password instead, KeePass clears it from the clipboard after 12 seconds by default, and once it has been pasted into the browser, the browser’s built-in password manager should offer to remember it. If you use Firefox and your PC is accessible to anyone you do not trust, set a master password so that nobody can simply read your saved passwords in Firefox’s options dialogue (Chrome does not include this option).

One handy feature of KeePass is that it can import passwords from a wide range of sources, including the Firefox password manager.

A portable version of KeePass is available that can be carried on a USB stick. KeePass has no cloud syncing of its own, but similar functionality can be had by storing the .kdbx file in a cloud storage folder (such as a Dropbox folder). The only real catch is that after another device has changed the file you will have to re-open the .kdbx file (or use File > Synchronize) to pick up the latest passwords.

Conclusion

Despite lacking browser integration and automatic synching across devices, KeePass is a very easy to use password manager.

Storing the database in Dropbox (or similar) works well for synching, and because the file is encrypted before it is uploaded, Dropbox only ever sees ciphertext. Bear in mind, though, that anyone who obtains the file can guess at the master password offline and at their leisure, which is why its strength (and a generous key transformation rounds setting in Database Settings) matters so much. Used in tandem with a browser’s built-in password manager, we did not find the lack of full browser integration much of an issue.

What you do get with KeePass is a robust and highly secure password manager, and because its source code is open, anyone can inspect it for backdoors or other nasty surprises, something that cannot be said of proprietary tools. It’s also completely free!

As we noted earlier, open source clones of KeePass are available on a number of platforms, and we will take a closer look at the Android version, Keepass2Android, in a companion article.