
Page 1: KeePass for Daily Use - ITPC · 2019. 5. 8. · KeePass for Daily Use Justin Mason 11 DEC 2017 The number of web services that a person uses continues to rise. These services may

KeePass for Daily Use Justin Mason 11 DEC 2017

The number of web services that a person uses continues to rise. These services may be directly linked to your finances and sensitive information, but social media sites can also have severe implications if compromised. They are used to judge your character, your reliability, and the liability you pose to a company’s image; in short, they build a profile of you. It is unrealistic to create secure, unique passwords for each of these and remember them all on your own.

Most people, until recently myself included, may use a fairly secure password for their bank or primary email but will probably end up reusing a password on many different sites. If one site is compromised, an attacker may be able to identify other sites that you use and compromise those as well; the damage, or even the fact that you have been compromised, may not be immediately obvious to the victim.

So, what can we do about this? Obviously there has to be a compromise between usability and security; the best security practices are the ones that you will actually use. There are other choices like LastPass or BitWarden that are significantly better than nothing, are easier to use, live in the cloud, and I wouldn’t knock someone for using them. Personally, though, I get peace of mind from having complete control of my password database and backups. Of course that also places the burden of regularly backing up my database on me, and if I ever lose access there’s no coming back. Another user-friendly feature that I choose not to use is any kind of browser add-on or extension that autofills passwords on a site; this only increases the attack surface and the chance of compromise.

KeePass is the solution I chose for managing my passwords, but it has much more utility than that. You can store account recovery information, sensitive hyperlinks, certificate private keys, or any other information that you don’t want to store in cleartext. You can even attach binary files to an entry… though I wouldn’t get too carried away with the database size, as KeePass has to load all of it into memory.

You will use two different methods for entering your password into a site. On your Windows PC, KeePass will use either Auto-Type (the most secure option, since it simulates a keyboard) or the clipboard (which should only be used when Auto-Type is not compatible with a program). On your Android phone you will use a special (virtual) keyboard that enters passwords (similar to Auto-Type) without using the clipboard, as the clipboard can be particularly insecure on Android. In the future the phone app may instead use an API Google implemented for just this purpose.

Before setting up KeePass with the rest of this guide, plan to change all of your existing passwords (which we will generate within KeePass) and come up with a new password or passphrase that you have never used before, ideally 16 or more characters long. A complex password such as 3v&oJ;Q!A, coming in at 59 bits, is significantly harder to remember and less secure than “This is the passphrase to secure my database.”, which comes in at 156 bits: many orders of magnitude more cracking resistance. If using a passphrase, avoid lyrics to a song or other known phrases. The more vivid the passphrase and the better you can visualize it, the easier it will be to remember.
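As an added illustration (not part of the guide), the PowerShell below reproduces the 59-bit figure with the plain keyspace formula length × log2(alphabet size) and converts a bit count into expected cracking time; the 1e10 guesses-per-second rate is a constructed assumption. The naive formula rates the passphrase far above 156 bits, which is the expected direction of error: natural language is predictable, so a pattern-aware meter gives it less credit than random symbols of the same length.

```powershell
# Added example (not from the guide). Estimates brute-force keyspace bits for a
# secret from the character classes it uses: length * log2(alphabet size).
# This yields ~59 bits for "3v&oJ;Q!A" (all four classes of printable ASCII,
# 95 symbols). It OVERSTATES natural-language passphrases, because words are
# far more predictable than random symbols; treat its passphrase figure as an
# upper bound, not a rating.
function Get-KeyspaceBits {
    param([Parameter(Mandatory)][string]$Secret)
    $alphabet = 0
    if ($Secret -cmatch '[a-z]')        { $alphabet += 26 }
    if ($Secret -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($Secret -cmatch '[0-9]')        { $alphabet += 10 }
    if ($Secret -cmatch '[^A-Za-z0-9]') { $alphabet += 33 }  # space + 32 ASCII punctuation marks
    return $Secret.Length * [Math]::Log($alphabet, 2)
}

# Converts a bit count into the expected years to hit the secret at a given
# guess rate (on average half the keyspace is searched). The default rate is
# a constructed assumption for illustration only.
function Get-CrackYears {
    param(
        [Parameter(Mandatory)][double]$Bits,
        [double]$GuessesPerSecond = 1e10
    )
    $seconds = [Math]::Pow(2, $Bits - 1) / $GuessesPerSecond
    return $seconds / (365.25 * 86400)
}

$short      = '3v&oJ;Q!A'
$passphrase = 'This is the passphrase to secure my database.'

foreach ($secret in $short, $passphrase) {
    $bits = Get-KeyspaceBits $secret
    '{0,-48} {1,6:N1} bits (naive keyspace)' -f $secret, $bits
}

# Plug in the guide's own figures (59 vs 156 bits) to see the gap it describes.
foreach ($bits in 59, 156) {
    '{0,3} bits -> ~{1:E2} years at 1e10 guesses/s' -f $bits, (Get-CrackYears $bits)
}
```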

One common argument against a password manager is that if the single password used to access it is ever compromised, then all of your passwords are compromised. This is true; however, at the point that your computer is compromised and a keylogger is in place, the attacker will eventually gather all of your credentials anyway.

Setting up KeePass on Windows is a lengthy but rewarding process; once that’s done, the Android setup is pretty straightforward.

Windows 10

Go to https://keepass.info/

Download the latest version, for this guide we’re using the installer, version 2.37.

If you wish you can verify the file using PowerShell and Get-FileHash:
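The check below is an added example, not part of the guide: it compares the installer’s SHA-256 from Get-FileHash with the value published on keepass.info and also inspects the installer’s Authenticode signature. The file name and the expected hash are placeholders to substitute before running.

```powershell
# Added example (not from the guide). Verifies the downloaded installer two
# ways: its SHA-256 against the value published on keepass.info, and its
# Authenticode signature. Both arguments below are placeholders.
function Test-KeePassInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $ok = $true

    # 1. Published hash. Hash strings are hex, so compare case-insensitively and
    #    strip any whitespace that came along when copying from the web page.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ieq ($ExpectedSha256 -replace '\s', '')) {
        Write-Host "SHA-256 OK  : $actual"
    } else {
        Write-Warning "SHA-256 MISMATCH`n expected: $ExpectedSha256`n actual  : $actual"
        $ok = $false
    }

    # 2. Authenticode signature: must chain to a trusted root and the signer
    #    should be the publisher you expect. 'NotSigned' or 'HashMismatch'
    #    means the file is not what the publisher shipped.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        Write-Host "Signature OK: $($sig.SignerCertificate.Subject)"
    } else {
        Write-Warning "Signature status: $($sig.Status)"
        $ok = $false
    }
    return $ok
}

# Constructed invocation: assumed file name, placeholder hash. Replace both.
$verified = Test-KeePassInstaller -Path '.\KeePass-2.37-Setup.exe' `
                                  -ExpectedSha256 '<SHA-256 from keepass.info>'
if (-not $verified) {
    Write-Warning 'Do not run the installer until both checks pass.'
}
```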

Run the installer, follow all the defaults for a full installation, create a desktop icon.

Open KeePass and go to File -> New (this creates your database). Read the information and choose ‘OK’ if you understand it.

Enter your not-previously-used passphrase:

Choose ‘OK’ and leave everything on the next screen at its default as well.

I second its recommendation of printing out an emergency sheet so you never forget the passphrase. You could keep this in your fire safe or in a safe deposit box at a bank.

You will then come to the main screen with two sample entries. Note the asterisk next to the database name. This means that your database is NOT SAVED.

We’ll talk about this more in one of the next steps.

You can right click on both entries and choose to delete them.

I also like to delete all the groups and keep everything under the root of the database; you can right click and delete those as well if you wish:

Now go to Tools -> Options and check the following options under Security:

Scroll down to get this one too:

Uncheck anything that isn’t necessary under policy:

Scroll down:

Make these changes under Interface:

This will minimize it to your tray.

Under integration set it to run at startup:

Under the advanced tab tell it to start minimized and locked.

You can also choose to automatically save the database, and though it prevents you from accidentally losing changes if you forget to save, I prefer not to use it. I want to make the conscious decision of when to save my database, and it keeps me cognizant of that all-important file.

Also check:

Now make sure to click “OK” to save all these changes. Also go to Tools -> Triggers, and uncheck the box to enable trigger system.

The last setting to change is for autotype. Right click on the root folder and go to ‘Edit Group…’

Go to the Auto-Type tab, select Override and type {Password}

The default will try to enter both the username and password, and then try to submit it. Simpler is safer; you enter everything except the password and then choose when to submit the entry.

Now right click on the arrow near your tray, go to Settings, and choose “Select which icons appear on the taskbar”:

Toggle KeePass:

Now it will always be on your tray to double-click:

Now that setup is complete (and you shouldn’t have to change these settings often) we can move on to actually creating password entries.

To create a new password, with your database root folder highlighted, right click and choose Add Entry.

Here you can set the Title, Username, URL and notes as you see fit. Click Open Password Generator.

Check special characters and any other character sets that you want. Click the save icon, select the entry from the list and choose “OK”.

Click “Collect Additional Entropy”:

Squiggle your mouse around the dotted box. Computers are inherently not random; this introduces actual randomness into the generation of your password. Click OK and OK.

Now SAVE! The ‘Save As’ will also let you save a copy elsewhere for safekeeping!

Now that you have everything set up, and an entry added, there are two methods to use the password: the clipboard (copy and paste), or the most secure, Auto-Type.

To use the clipboard simply open KeePass and double click the asterisks in the password field. This will copy the password to your clipboard for 12 seconds.

Simply paste it into the password box of whatever you’re trying to use.

There are two ways to use Auto-Type. The first is to simply click in the target password field and press the predefined global shortcut Ctrl+Alt+A. KeePass will match the title of the active window to the titles in your database and let you select the entry. If this doesn’t work, click in the password field, open KeePass, select the entry and press Ctrl+V, or right click and select Perform Auto-Type.

For additional security against certain keyloggers, edit your entry, go to Auto-Type and enable TCATO (Two-Channel Auto-Type Obfuscation). This has to be done per entry.

And Save Again!

Android

For starters plug your phone into your computer and set it up to transfer files:

Create a folder on your device or use an existing one. Copy the database file from your PC into this folder. I treat this as a one-way sync: I copy files from my PC to my phone but never from my phone to my PC; that way there is never any divergence between the databases.

Go to the Play Store and look for Keepass2Android Offline. The online version is for using a database on a remote server like Dropbox or Google Drive.

This guide will have you manually sync your database file. If you have just a single, shared, “online” copy and it gets corrupted, #RIP.

The security of that file is also out of your hands.

Open your database file, enter the master password.

First go to Settings -> Database -> Fingerprint unlock

Enabling it for just QuickUnlock does not store your master password on the device.

In Settings -> Application -> Security Check these options.

In Settings -> Application -> Password Entry Access Uncheck Clipboard Notifications if it isn’t already.

In Settings -> Application -> Keyboard Uncheck Auto-Fill.

To use a password, tap the keyboard icon and switch keyboards to KeePass:

Then click on the lock icon, choose select entry, click the entry:

Finally click the password button and it will fill it in:

When you’re done, open KeePass, lock/close the database and then “kill application process” (which also prevents a constant KeePass notification).