In today’s home computer security post I’m going to end up talking about KeePass, a free, open source password vault program that I recommend everybody use. First, though, some background:
With a significant increase in the number of services offered online it seems that every website, service and even application now wants you to authenticate. In terms of protection that is a good thing. You should WANT to be protected. In terms of usability it’s a nightmare.
Within corporations this kind of trend has been an ongoing issue for InfoSec departments as more and more systems come online which don’t participate in a directory security model. Users often have dozens of different user IDs and passwords for the various systems they have to use. This is now no different at home. If you do internet shopping every retailer has their own account database. If you do email of any sort you of course have a password there. You might also have one just to get on the internet with your Internet Service Provider.
You need all those passwords. For security you also need all of them to be different, and each one should be as strong as the site will allow. If your online bank allows a password with numbers, upper and lower case letters and up to 12 characters in length, then you should absolutely have a password that is the full 12 characters and uses all three types of allowable characters in a random sequence. If your IRA or 401k administrator has a website you can log into and allows a similar password but up to 15 characters in length, then you should want a different password from your online bank which is the full 15 characters in length. The maximum the site permits is the length to use; anything shorter is entropy you are leaving on the table.
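The two site policies above, worked through as an added Python example (this is not code from the original post and not KeePass’s own generator): it produces a password of exactly the maximum allowed length with at least one character from each permitted class, drawn from the operating system’s cryptographic random source, and it computes how many bits of entropy each policy yields so the 12 versus 15 character difference is concrete. The length limits and character classes in `POLICIES` are constructed for illustration and are not any real bank’s or plan administrator’s rules.

```python
import math
import secrets
import string

# Character classes a site policy may require. "symbol" is included so the
# generator generalises beyond the letters+digits case described in the post.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}

# Constructed policies modelled on the two sites in the post. The limits are
# illustrative assumptions, not any real institution's rules.
POLICIES = {
    "online bank": {"max_len": 12, "classes": ("lower", "upper", "digit")},
    "retirement plan": {"max_len": 15, "classes": ("lower", "upper", "digit")},
}


def satisfies(pw, max_len, classes):
    """True if pw uses the full allowed length, draws only from the permitted
    classes and contains at least one character from every one of them."""
    alphabet = set("".join(CLASSES[c] for c in classes))
    return (
        len(pw) == max_len
        and all(ch in alphabet for ch in pw)
        and all(any(ch in CLASSES[c] for ch in pw) for c in classes)
    )


def generate(max_len, classes):
    """Generate a password of exactly max_len characters satisfying the policy.

    Every character is drawn with the OS CSPRNG (secrets), never random.random(),
    which is seeded predictably. Rejection sampling (draw, check, retry) is used
    instead of forcing one character of each class into fixed positions, because
    fixed positions would make the output distribution non-uniform.
    """
    if max_len < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(max_len))
        if satisfies(pw, max_len, classes):
            return pw


def entropy_bits(max_len, classes):
    """Entropy of a uniformly random password of max_len characters over the
    combined alphabet: length * log2(alphabet size). The rejection step above
    discards a tiny fraction of candidates, so the true figure is fractionally
    lower, but not by enough to matter at these lengths."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return max_len * math.log2(alphabet_size)


if __name__ == "__main__":
    for site, policy in POLICIES.items():
        pw = generate(policy["max_len"], policy["classes"])
        bits = entropy_bits(policy["max_len"], policy["classes"])
        print(f"{site:16s} {pw}  ({bits:.1f} bits)")
```

With letters and digits (62 symbols) the 12 character bank password comes to about 71 bits and the 15 character retirement one to about 89 bits; the three extra characters are worth more than adding a symbol class would be at the shorter length, which is why filling the site’s maximum matters more than clever substitutions.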
The problem with that approach is that there is no way you can actually remember all those passwords. If you are diligent and change them on a semi-regular basis the problem gets even worse (YES, you SHOULD change your passwords at least annually, and immediately whenever a site you use reports a breach). A normal person can’t be expected to keep up with that many passwords, so people cheat. You might write your passwords on a post-it attached to your monitor. You might keep them in a Word or text document. Or you might use the same password everywhere, so that one leaked account database opens all of your accounts.
If you aren’t already securing your passwords using some kind of password vault then I recommend KeePass.
When it comes to security products for use at home, generally the cheaper the better. If it costs too much then you won’t be encouraged to use it. KeePass is free. It’s also Open Source, which means the code is available for anyone to inspect and review rather than being a black box, and that there are ports to many different operating systems available.
It’s not hard to use and there isn’t a lot to it. Once you get it installed open the help contents (F1) and read the Introduction and First Steps Tutorial.
Here are some tips I have beyond what it says in the tutorial:
- Some passwords protect things valuable enough that you should only use them from a computer and a network you trust. For example… your online banking. Don’t go visiting your online bank from just anywhere (a shared computer, a friend’s machine, a public network). Those kinds of passwords should be as strong as the site allows, should change on a semi-regular basis and should be randomly generated by KeePass rather than made up.
- Some passwords need to be secure, but also need to be memorable. For example, your password for KeePass needs to be something you can remember since you won’t be able to copy it out of KeePass when you need it. Likewise the password you use to log into your computer will need to be safe but memorable. Here is some guidance on passwords you’ll need to remember.
- Make a separate folder for all the challenge/response questions that various sites now ask for. The answers to those questions are effectively a second password (often they alone are enough to reset the real one), so you need to keep them just as safe. Since the answers live in KeePass they don’t have to be true or guessable facts about you, and they are safer if they aren’t (see the screenshot above for my example).
- If you want to be extra secure, use a different user name for each service as well. If you use the same one everywhere then an attacker who learns it only needs one more piece of information to get into your account; if each one is different there are two things to discover before they can steal your information. This isn’t required everywhere, but is worth considering for things like your financial websites.
- You can store additional information along with the user name and password. Consider keeping other relevant details in KeePass (see the screenshot above for my example). You could even scan the credit card associated with a particular login and attach it as an image file; attachments are stored inside the encrypted database, so they get the same protection as the passwords.
- You can drag or copy passwords out of KeePass to use while logging in, so get used to having it running. If you aren’t in the habit of locking your computer when you walk away from it then set KeePass to lock itself after a period of inactivity, and leave its clipboard auto-clear on so a copied password doesn’t linger in the clipboard. The database file is encrypted, so if necessary you can carry it with you to have available at the office and at home. Fortunately once you have all your passwords entered the actual database won’t have to be changed that often.
Password safety is not hard, but you do usually have to make some changes to the way you normally work to stay safe. There may come a day where Federated Authentication allows us all to have fewer user IDs and passwords, but until that technology has been proven and is widely used we should all be using something like KeePass to help us secure ourselves.
Filed under Security and tagged as KeePass, Password Vault
Posted on Sat, 14 June 2008 at 9:42 am