PW Managers: KeePass on Windows

Today I’m going to take a short break from the iOS 10 series. This post is a brief tutorial to help get you started with KeePass on your Windows machine. Last week I covered KeePassX, and much to the chagrin of Mac users like myself, KeePass actually offers a few more options. The first step is to download the application from http://keepass.info/ and install it. On opening the application you will see the interface shown below:

KeePass on Windows

The next step is to create a database. This is similar to creating a new document in a word processor; the database is the encrypted file that stores your passwords. Click File >> New.

Next, you should save your database file. You can save it anywhere you like. I put mine into an encrypted container for an added measure of security, but this is not strictly necessary: KeePass itself encrypts the database with AES-256.

You will be prompted to create a “Master Key” for your new database. This may consist of a password, key files, or both. Because your Master Key will protect all of your passwords and other login information, make sure it is a good one! Also make sure you will not forget it; you may wish to write it down on a piece of paper until you are certain you have committed it to memory.


After you have created the Master Key, click “OK”. On the next screen you will be given the opportunity to select some options for your new KeePass database. The only one of these that I worry about is the Key Transformation option, located in the Security tab. This controls the number of “rounds” that the password undergoes before it can be used to unlock the database. A higher number can drastically slow brute-force attempts, but can also slow logins. Clicking the “1 second delay” button will assess your system’s speed and set the number of iterations that causes a 1-second delay. This delay on each login is tolerable to the user, while increasing security by a huge margin.
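To make the trade-off concrete, here is an added example (not KeePass code, and not from the original post) that mimics the “1 second delay” calibration and shows why the round count hurts an attacker far more than it hurts you. It assumes PBKDF2-HMAC-SHA256 from the standard library as a stand-in for KeePass’s own key transformation, and the hardware figures passed to attack_time_years are constructed for illustration.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def transform_key(master_password: bytes, salt: bytes, rounds: int) -> bytes:
    """Stand-in for KeePass's key transformation (assumption: KeePass uses its
    own AES-based or Argon2 transform; PBKDF2-HMAC-SHA256 is used here only so
    the calibration logic runs with no third-party packages)."""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, rounds, dklen=32)


def calibrate_rounds(target_seconds: float = 1.0, probe_rounds: int = 50_000) -> int:
    """Mimic the "1 second delay" button: time a probe run on this machine and
    scale the round count so that one unlock takes about target_seconds."""
    salt = os.urandom(32)
    start = time.perf_counter()
    transform_key(b"calibration-probe", salt, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-6)  # guard against a zero reading
    return max(1, int(probe_rounds * target_seconds / elapsed))


def attack_time_years(rounds: int, candidate_passwords: float, rounds_per_second: float) -> float:
    """Time to try every candidate master password when each guess costs
    `rounds` transformations on hardware that performs `rounds_per_second`."""
    seconds = candidate_passwords * rounds / rounds_per_second
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    rounds = calibrate_rounds(1.0)
    print(f"rounds for ~1 s unlock on this machine: {rounds}")
    # Constructed attacker model: 10^10 candidate passwords, 10^12 rounds/s.
    for r in (6000, rounds):
        print(f"{r:>10} rounds -> {attack_time_years(r, 1e10, 1e12):.2f} years to exhaust")
```

A larger round count multiplies the attacker’s total work by the same factor that it multiplies your single unlock, which is why a one-second delay is worth accepting.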

Click “OK” and your database will be created. Initially it will be empty, except for two sample entries. The next step is to create entries in your database. Each entry will contain the login information for one account. To create an entry, go to the menu bar and click Entries >> Add New Entry, or click the “new entry” icon at the top of KeePass’s interface (the gold key with a green “down” arrow). A new window will appear with fields for the new entry.

Fill in each field as required.

  • Title: This field is used for organizational purposes and lets you keep track of your entries. Examples of titles you may want to use are “Personal Email Account” or “Bank Account”. If you have a lot of entries (as I do) you can add numbers to the beginning of the title to keep them in a certain order. For example: 001 – Personal Email, 002 – Business Email, etc.
  • Username: Enter the login username for the account.
  • Password: See the next section.
  • URL: You should visit the page in question, copy the URL from your browser’s address bar and paste it into this field. Later, when using the entry, this will allow you to select “Open URL”, which prevents you from mis-typing it and going to a forged website.
  • Note: Use this field for anything relevant to the account, like the phone number or email address you provided, your two-factor backup codes, the birthdate and other biographical data you gave the site when you signed up, etc.
  • Expires: Your password can be set to expire in a user-defined amount of time to remind you to change it.

To set a password click the “Gen.” button. This will expand the options for passwords as shown below.


The password options allow you to choose a length. Note that the slider only goes up to 64 characters but the numerical field allows you to input numbers as high as 999. I recommend selecting every option under “character set” to make your passcode more complex – with the exception of High ANSI Characters. I don’t recommend using these because many websites will not recognize them. When you have selected your password click “Accept”. When you are finished in the entry click “OK”. Your entry should now appear in the KeePass database.
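The following is an added example, not KeePass’s generator and not from the original post: it reproduces the choices described above (length up to 999, per-set check boxes, High ANSI left off) and puts a number on them, so you can see that a longer password drawn from the “safe” sets can beat a shorter one that uses every set. The set names mirror the KeePass labels; the membership of each set is an assumption, and the High ANSI range 0x80–0xFF is an approximation.

```python
import math
import secrets
import string

# Character sets named after the KeePass generator's check boxes (assumption:
# the labels are KeePass's, the exact membership is ours).
CHARSETS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": string.punctuation,      # 32 ASCII symbols
    "space": " ",
    "high_ansi": "".join(chr(c) for c in range(0x80, 0x100)),  # approximation
}
# Every set except High ANSI, as the post recommends.
RECOMMENDED = ("upper", "lower", "digits", "special", "space")
# Sets that, per the first comment, work on nearly every site.
SAFE_EVERYWHERE = ("upper", "lower", "digits")


def alphabet_for(sets) -> str:
    return "".join(CHARSETS[name] for name in sets)


def generate_password(length: int, sets=RECOMMENDED) -> str:
    """Draw `length` characters uniformly from the chosen sets using a CSPRNG."""
    if not 1 <= length <= 999:
        raise ValueError("KeePass's numeric length field accepts 1..999")
    alphabet = alphabet_for(sets)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, sets=RECOMMENDED) -> float:
    """Guessing entropy of a uniformly generated password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet_for(sets)))


if __name__ == "__main__":
    for length, sets in ((12, RECOMMENDED), (20, SAFE_EVERYWHERE), (64, RECOMMENDED)):
        print(f"{length:>3} chars from {'+'.join(sets):<34} {entropy_bits(length, sets):6.1f} bits")
    print("sample (safe sets, 20 chars):", generate_password(20, SAFE_EVERYWHERE))
```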

To use the entry, simply right-click on it. I usually select “Copy password”. Once the password is copied I right click again and select “Open URL” to open the page in my default internet browser. I paste the password into the browser, then toggle back to KeePass to get the username.

This post does not address all of the functionality of KeePass on Windows, but this is definitely enough information to get you going with a password manager.

If you enjoyed this article please sign up for my Operational-Security Newsletter.

5 thoughts on “PW Managers: KeePass on Windows”

  1. For things such as phone numbers, email addresses, two-factor backup codes or birthdate (or rather birthdates: never volunteer the real one, unless you really have to!), rather than putting them in the Notes field, I prefer using the Advanced tab and Add a String Field.

    This makes for quicker copy and paste, since you don’t need to open the account entry for that. You just right-click on it, Copy String, then select the appropriate field. This also, allegedly, adds a level of security in case you are infected by malware, provided you tick the Enable In-Memory Protection box relative to that string.

    Still, the Notes field is very useful. I always find myself putting there a lot of free-form information which is necessary. In particular, I always put on top the date of creation of the account. This is automatically recorded in the History tab, but I like it to be shown upfront.

    High ANSI characters are indeed hit-and-miss, and many sites don’t accept them. However, I find that many sites don’t accept other options as well (and they rarely state it upfront, if at all).

    In fact, the only safe options that I found will work all the time are Uppercase, Lowercase and Digits. Even Special Characters are risky, since some sites accept some special characters but not others.

    There’s also the issue of password length. Many sites limit this, often at absurdly low levels, and most of the time without advertising the limit. I’ve found that the best solution is to systematically test this by typing 1 to 0 strings in the site’s password field and counting, before letting Last Pass produce a password — and possibly fail.

    It’s nice to have a powerful password manager such as Last Pass, but websites also need to do their bit to promote security, and right now there are many of them implementing absurd limitations which can’t even possibly have any positive implications for them.

  2. Why not just use your own JavaScript based AES/Rijndael script to encode a text area that contains all your passwords with a “master key”? For example:

    http://www.movable-type.co.uk/scripts/aes.html

    If you keep the encrypted text in a TXT file and call it “Recipes.txt” – separate from the JS file, a hacker could find it but not know what to do with it. And even if he did, he’d still need the master password.

    1. That seems like it would be great if you only had to manage a few passwords. However, my primary manager contains hundreds of entries, each with several fields. I would be giving up the ability to organize into groups and sub-groups. I would also give up features like the ability to open a direct URL with a single click (which reduces my chances of mis-typing and going to a look-alike site), copy a password with a simple right click (some of my passwords are quite long and highlighting them first would certainly take time), etc. And, everything is still protected with AES-256. I don’t care if a hacker knows what to do with it – he or she still needs the master password and a second authentication factor.
      Justin

      1. I guess I should give KeePass a try before dismissing it, but my two concerns with it are that if someone knows my Master and has access, I am SOL – and that it’s local only. The JS is available anywhere there’s Internet, and no one knows where it is – or what to do with it – so it’s not a fat target like LastPass. I think it’s only a matter of time before LastPass is compromised. As for groups, you could have multiple encrypted TXT files for different categories. Also, a single encrypted string of ~10k chars, which (I think) would be much harder to crack than a series of 100 char rows from somewhere like LastPass. I also like the do-it-yourself unconventionality of the JS.

        Hey – thanks for all your hard work on the site and the great podcasts. I’m on Episode 3 and learning a lot!
