Categories
Security Tech

First steps with KeePass

Starting out with Password Managers

As we move into 2021, it would be excellent to see better password hygiene for all users, technical or not. When people ask me why it’s important to avoid password reuse, I will refer them to services showing past exposure; namely Have I been pwnd. Finding that your accounts were exposed to breaches often leads to the realisation that the same password was used for insecure services as for more sensitive elements, such as banking or private email. I’ve seen their eyes suddenly shine with hope as they come up with an incredible strategy: “Uniquely complex passphrase to which the service gets appended”. From a password complexity point of view this seems relatively good; you have a long password meeting most service requirements to which you are adding additional complexity by appending the service name. You’ve increased your password / passphrases length making it hardee to guess. While this strategy means you are not reusing the exact same password accross the internet, it means you are trusting the companies to encrypt your credentials. Sadly, even tech giants fail to do this as shown here by Forbes.

After seeing how little tech giants care about your privacy and security, the next question that comes up is “Why can’t I use the password manager from my browser?”. The truth is a browser based password manager is better than no password manager. If users are using this, then that is better than nothing, and some browsers will go so far as to provide breached account warnings. Firefox provides this through it’s Monitor service. The primary disadvantage from the user’s perspective is accessing your passwords for services which are not run in your browser, such as company software not connected to SSO. There are many cloud / app password managers and these will allow you to segregate your accounts from your browsing history. Further, you can access your passwords from accross multiple devices, including mobile. Haveibeenpwned recommends 1password. Whether you decide to go for a cloud/app based password manager or a local storage such as KeePass will depend on your own use case and threat model.

2FA/MFA

You can store your Keepass databse on an USB drive, meaning that in order to access it you’d be needing the drive and the means of unlocking it. 2 Factor Authentication for your password manager. While this feature does not protect your other accounts, it does make KeePass highly portable across operating systems & devices. There are plugins for TOTP making KeePass a viable “1 stop shop”for certain users. It is worth noting that these plugins render the 2nd factor irrelevant, as it only takes access to the database to obtain both the password & TOTP. Some applications will allow linking to biometrics such as fingerprint readers / facial recognition. While the biometrics do make use and access easier, it is worth researching how and where the data is stored in order to avoid exposing your identity beyond what you may require. Choosing a solution for your authentication should include a balance of the usability & security the solution provides. However, this goes beyond the scope of “First Steps” with any password manager.

Why KeePass?

There are many password managers that provide the same service as KeePass while additionally providing backup & synchronisation accross devices. What does KeePass bring to the table?

For people with no previous use of password managers, KeePass is free. Free as in free puppies, not as in free beer. It will require some work to set up, but the default settings do provide decent security.

Additionally, if you are showing this to family members for whom you may need to provide support in the future, they can revoke your access to the database by changing the master password as opposed to learning a complicated management interfaces.

Finally, KeePass does not require yet another account. You can segregate all of your online accounts / aliases by storing separate databases with the single program. If you have some accounts which you want to access from mobile devices but others to stay offline, you can have 2 databases, and sync the mobile through cloud storage to your mobile devices.

First Steps

Hopefully, the above comments convinced you to give KeePass a try. It is a free solution so first thing is to get the KeePass client from their downloads page. Select the local installer or portable binaries depending on your use case. Version 2.X (2.46 at time of writing) is recommended unless you have specific reasons for using 1.X.

After installing or running the local binaries, create a new database. KeePass prompts you through the creation of the database:

KeePass New Database windows prompting where the database will be stored & recommending regular backups on separate storage media

Once you have selected a place to save the database, KeePass presents the authentication method. Master Password is checked by default, but the database can be linked to Windows accounts.

KeePass Create Master Key window with Expert Options showing. Expert Options shows Key file / provider with the warning that if the file is lost or contents changed, the database cannot be opened anymore. Expert options also show Windows user account, with the warning that if the user account is lost, it is not sufficient to create a new account with the same name and password.

From this window multiple elements can be selected, but at least 1 must be chosen to move forward. Connecting to the Windows user account can be a good solution for home users, only needing to access their device in order to access the rest of their passwords. I do not recommend this setting in enterprise environments – I have seen cases of bad GPO deployment where databases were lost due to changes to the account from external providers.

Selecting a master password should include using something memorable rather than a mix of random letters, numbers & special characters. [XKCD] There are random passphrase generators, namely Correct Horse Battery Staple, but ideally you would be using something unique to you and adding entropy through the substitution of some characters. The longer your passphrase the better, given additional characters increase the strength more than increasing complexity (use of special characters).

Once an authentication method is chosen, the creation process continues:

KeePass – Create New Database Step 3 window in the General Tab. Database Name shows “Demo” and Database description reads “This is a demo KeePass database”

Enter identifiable information for the name and description, particularly if running multiple databases. Then move onto the Security tab.

KeePass – Create New Database Step 3 window in the security tab. All settings are on the default

By pressing the ‘1 Second Delay’ button, the number of iterations is updated such that it will take 1 second for each attempt to open the database. This reduces the risk from brute force attacks, as each attempt requires 1 second, as opposed to an attacker being able to try multiple combinations per second. The compression tab allows to use GZip to compress the database, or use no compression.

KeePass – Create New Database Step 3 window in the compression tab. Default setting is GZip
KeePass – Create New Database Step 3 window in the Recycle bin tab. Default setting is to use a Recycle bin & create a new group for deleted entries

If you want to immediately delete entries uncheck the Use a Recycle bin option. Otherwise, leave as-is and control deleted entries as necessary. Finally, the advanced tab. Here the options to recommend & force changing the master key can be found. My recommendation is to check both the “Recommend changing the master key” and “Force changing the master key” and setting both to 180 days (approx 6 months)

KeePass – Create New Database Step 3 window in the Advanced tab. All settings are on their default selection, no elements checked for changes to the master key.

Once you are done with this, KeePass will suggest printing an emergency sheet. This is the only recourse for accessing your database if you forget / lose the master key. If the master key is changed / acces methods modified, this document will need to be generated again. It is important to store this document securely in a safe when printed. The sheet contains instructions to where backups are stored and what the master password is. Both entries are to be filled out by the user.

KeePass Emergency Sheet window explaining that the emergency sheet will contain all the important information required to open the database.

Once this procedure is over, KeePass shows the main window.

KeePass main window after creating a new database

Before starting to create unique passwords all the online accounts, it’s important to create the template. Otherwise, the system will defer to defaults which may not include the standards you or your organisation may be aspiring to. In the tools menu, select Generate password. From here we’re going to establish the defaults for new passwords. First, increasing the length of generated passwords to 40 or more characters. (Length > complexity). Then increase complexity by including all alphanumerical characters, minus, underline & special characters. “Space”, Brackets & Latin-1 can also be picked, but be wary some services may have difficulty processing these characters. Additionally, if you are going to be using these to log in to other devices, these characters may not be available on the keyboard.

KeePass Password Generator window in the Settings tab. ‘Generate using chaarcter set:’ is selected with length of password at 40 characters. Alphanumerical characters are selected, along with ‘Minus’, ‘underline’, and ‘Special’.

Optionally, thinking of the situations where you may need to type out the password rather than copy-paste from the manager we move to the Advanced (!) tab and check ‘Exclude look-alike characters’.

KeePass Password generator window in the Advanced (!) tab, with ‘Exclude lookalike characters’ marked.

From here return to the settings tab and click the ‘save’ icon.

Save icon in the Generate Password tab
Save as Profile prompt after clicking the ‘save’ icon. Profile name holds the (Automatically generated passwords for new entries) profile name.

In the save as profile you can click the arrow on the right, and select the ‘Automatically generated passwords’ so that KeePass will use this for all new entries. Alternatively, if you have multiple requirements, you can save repeat the previous steps and save the profiles according to your various needs. For most users, setting this as the default will provide sufficient security, and default complexity can always be increased in the future by following the same steps.

You’ll want to save your database and start creating your entries.

KeePass window with the save icon highlighted.

In order to create a new entry, click on the keys icon which opens the ‘New Entry’ window.

Keepass toolbar with the ‘New Entry’ icon highlighted
KeePass Add Entry window

In the Add Entry Window, fill out the fields ‘Title’, ‘User name’, ‘URL’ with the relevant information. If there is additional information for the account this can be stored in the ‘Notes’ field. For example tools using SSO you can mention to ignore the password and rather which credentials need to be used. Additionally, in the Notes field you can mention which method of 2FA/MFA you are using for that entry. Finally, click on the clock at the bottom and select when you want the password to expire.

KeePass Add Entry window with the ‘clock’ icon highlighted

Selecting a time frame will then mark the password entry with a large X in the main window when you are looking to use it next. Default expiry times are 1 & 2 weeks, 1, 3 & 6 months as well as 1 year. My recommendation is 1 year for basic web services and 3-6 months for more sensitive items. This can also be used if you are testing out services, to delete your profile if you are not using the service rather than keeping an inactive account.

If the website / program complains your password is too long or uses characters it doesn’t accept you can change the password manually by clicking the 3 dots next to the password field which will make it legible as plaintext:

KeePass Add Entry window, with the 3 dots highlighted and the password shown in plaintext.

You can remove the problematic characters, and reduce the password length. If you have set an expiry date, it will be better to select the key icon, open the password generator and modify the defaults for the entry.

KeePass Password Generator window for a specific entry, Length reduced to 18
KeePass Password Generator Advanced Tab showing the Exclude characters line
KeePass Password Generator showing ‘Derive from previous password’ as the password profile

Now, when you are updating the password for this entry, the password will be derived from the previous requirements.

Cloud Sync

The official installers work for Windows 7, 8, 10 or Server editions. For Linux distributions, KeePass is available in most default repos making it particularly easy to install and deploy. There are community ports to mobile devices such as Android, iOS, and MacOS. These can be found in the downloads page. As mentionned above, one of the advantages of KeePass, is being able to have multiple databases. If you need to provide support to family, they can share their database with you through a cloud storage service. Likewise, if you want to access certain accounts through your phone, you can do this with any number of cloud storage providers or even your own file server.

Things to keep in mind:
1. Sharing your database & master key with other people means they can access all of the accounts in the database. Segregate as needed (ISP credentials are not as sensitive as say, banking).
2. While the database is encrypted once locked, that does not mean people with access to your cloud storage can’t make a copy and brute force their way to your passwords. Select a strong master key and segregate which accounts you want to access from mobile device and which ones only from your PC:
3. If using a mobile port of KeePass, be mindful of how your cloud sotrage managed version control. You can quickly end up with a very different database on your phone than that which you are using on your computer.

Nice to know

You can store your password entries in the order you want. Keeping your entries organised according to what the services provide will help you find them faster. It is however not necessary, as KeePass offers a search bar which will show you all entries that match that description.

KeePass main window, with search bar & sorting pane highlighted

By default, KeePass will offer to autofill forms for you. I have had instances where hardware issues led to credentials beeing sent out on messaging applications. If this is an issue, it can be removed by opening the Options window (Tools->options) and selecting the integration tab. By changing all shortcuts to ‘None’ credentials are only stored in the clipboard when you actively select to copy them.

KeePass Options window with all System-wide hotkeys set to ‘None’.

Finally, if you are setting expiry dates on your credentials, you can let KeePass show you which passwords have expired or will expire soon on startup. The entries appear as follows:

KeePass main window showing expired and soon to expire entries

To set this, in the Options window (Tools -> Options) select the Advanced tab. Scroll down to the “After Opening a Database” group and select both entries.

KeePass Options window, Advanced tab showing the ‘After opening a Database’ group with both options checked.