With passwords still being the most common method of authentication, remembering them or keeping them in a safe place can still be a challenge. While third-party services such as LastPass can help tremendously in this regard, you might not be inclined to trust or depend on a third party for such an important task, or you may simply prefer a solution that puts you in total control.
KeePass is a free, open source password manager that comes close to such services but puts you in the driver's seat, without being much more difficult to set up and maintain. You can save all your passwords in it, along with any accompanying notes, and set it up so that your passwords are available to you anywhere while still being protected. Here is all you need to know to set it up.
1. Get and install KeePass 2
KeePass 2 is cross-platform: it is a .NET application, so it runs natively on Windows and under Mono on Linux and macOS. Download it from the official site, keepass.info, or if you use Linux install it with your package manager. The site publishes SHA-256 hashes and OpenPGP signatures for each release; check the download against them before installing, since a password manager is exactly the kind of program a tampered installer would target. Make sure you get the 2.x branch, which is the current one and what this guide covers (the older 1.x branch is Windows-only and uses the .kdb rather than the .kdbx format).
2. Create a new password database
Once you launch KeePass, the first thing to do is create a password database, the file in which all of your entries will be saved. Go to File > New, pick a name and location for the new database file (.kdbx), and KeePass will display the dialog for creating the master key. The master key is whatever combination of master password, key file and (on Windows) user account you choose in this dialog; every component you pick here will be needed to open the database later.
Come up with a master password that is strong yet still something you can remember. It is the only password you will have to actually remember to get to the rest of your saved passwords, and KeePass cannot recover it for you if you forget it. You can optionally uncheck the "Master password" option if you want to use only a key file, but be aware that anyone who obtains the key file can then open the database without guessing anything.
Enable the "Key file / provider" option to add a key file to the master key. This is a must if you won't be setting a password, and very much recommended even if you do: the key file contributes 256 random bits to the master key, so someone who steals a copy of the database cannot simply try passwords against it. Then click the Create button and choose a name and location for the key file. You can move the database file and the key file later at will, or make copies for backup; if the key file is lost the database cannot be opened, so do back it up, and keep the backups as well protected as the originals.
You will then be prompted with an Entropy Collection dialog, where you type random characters and move the mouse within the designated field (the one displaying noise). As you type and move the mouse, KeePass collects bits from your input until it reaches 256, the full strength of the key.
Once this is done, click OK to save the key file. Windows users will also see a "Windows user account" option, which ties the database to the current Windows user account. Read the warning that accompanies it before enabling it: if you lose that account (a reinstall of Windows or an administrator's reset of the account password both count), you lose access to the database, and the database can then only be opened on Windows. We recommend not using this option; the password and key file together are quite enough.
When you’re satisfied with everything click OK to continue to Database Settings.
3. Configure Database Settings
In the Database Settings dialog you can set some options for your new database. It's fine to leave the defaults; you may only want to enter a name and description for the database. The other tabs are still worth a look. In particular, the Security tab controls the key transformation, that is how many times KeePass transforms the master key before using it. That work is what makes every password guess expensive for someone who has a copy of your file, so use the button that tunes it to about one second of work on your machine rather than lowering it.
For example, in the Advanced tab you can limit the number of history items kept per entry, that is, how many previous versions of each entry the database remembers.
Once you’re done with Database Settings click OK to move on.
4. Add new password entries and groups
Now that you have a secure database file you can start filling it up with passwords you want to keep. You can organize your entries in groups for easier navigation. Some groups are already pre-defined, like General, Windows, Network, Internet, eMail, and Homebanking, but you can modify or remove these or add new groups as you wish.
To add a new group, right click anywhere in the left sidebar and choose "Add Group". To add a new entry, right click in the right-hand pane and choose "Add Entry", or click the toolbar icon that looks like a golden key with a green arrow.
The "Add Entry" dialog is pretty straightforward. What you'll most often want is to set the title, which identifies what the password is for, the username, and the password you want to save. If it is the login for a web site or another network location, enter the address in the URL field. You can also use the "Notes" field to write down anything helpful about the account.
You can also explore and consider other options like setting an expiration date for your entry, custom icon, custom colors, tags, additional field values to save in “string fields”, and so on.
5. Getting your password database online, safely
Your database is encrypted with AES-256 whether or not you use a key file; what the key file changes is how hard the master key is to guess. With only a master password, anyone who gets hold of the .kdbx file can try passwords against it offline at their leisure, limited only by the key transformation setting and the quality of your password. With a key file as well, the master key includes 256 random bits that are not in the database file, so a copy of the database alone is useless to them. That is what makes it reasonable to store the database somewhere you do not fully control, such as a cloud folder, and it is much safer than anything that is only password protected; keeping the file private is still better than exposing it.
What you should never do is make the key file public, especially if you haven't set a master password, because then the key file is all that's needed to get in.
What you can do instead is place the key file on one SFTP server and the database on another. Anyone who wants to break into your database then has to find out where the key is, get past that server's authentication, and still break the master password of the database file. That's three significant obstacles to get through.
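To make concrete why the key file matters, here is an added example (not KeePass's own code and not part of the original tutorial) that models how KeePass 2 combines the master password and key file into its composite key, then runs a dictionary attack against a copy of the database in the three situations described above: password only, password plus a key file the attacker does not have, and password plus a stolen key file. The composite-key construction follows the documented KeePass 2 scheme (SHA-256 over the concatenation of SHA-256 of the password and the 32 key-file bytes). The key transformation rounds and the header check that KeePass actually performs are replaced by a direct comparison against the true key, so the attack's cost is understated but its feasibility is shown correctly. The sample password, key bytes and word list are constructed for the demo.

```python
"""Why a key file changes the attacker's job.

Added example, not KeePass's code. It models the documented way KeePass 2
forms its composite master key from the password and key-file components and
runs a dictionary attack against it. Simplifications (assumptions): the key
transformation and the header check are replaced by comparing candidate keys
with the real one, and the password, key bytes and word list are constructed.
"""
import hashlib
from typing import Iterable, Optional


def key_file_bytes(contents: bytes) -> bytes:
    """Reduce a key file to the 32 bytes KeePass feeds into the composite key.

    KeePass 2 uses a 32-byte file as-is, decodes a 64-character hex file, and
    hashes any other file with SHA-256. (XML key files, which the Create
    dialog writes, carry their 32 bytes encoded inside XML; that parsing is
    left out here.)
    """
    if len(contents) == 32:
        return contents
    if len(contents) == 64:
        try:
            return bytes.fromhex(contents.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(contents).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated key components, in KeePass's order."""
    if password is None and key_file is None:
        raise ValueError("at least one key component is required")
    raw = b""
    if password is not None:
        raw += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        raw += key_file_bytes(key_file)
    return hashlib.sha256(raw).digest()


def dictionary_attack(target: bytes, wordlist: Iterable[str],
                      stolen_key_file: Optional[bytes]) -> Optional[str]:
    """Try each candidate password with whatever key file the attacker holds.

    `target` stands in for the database header material an attacker would
    check candidates against offline; returns the recovered password or None.
    """
    for candidate in wordlist:
        if composite_key(candidate, stolen_key_file) == target:
            return candidate
    return None


# Constructed demo inputs (assumptions for the example, not real secrets).
DEMO_PASSWORD = "Summer2015!"
DEMO_KEY_FILE = bytes(range(32))   # stands in for the 256 random bits the Create dialog collects
DEMO_WORDLIST = ["password", "letmein", "Summer2014!", "Summer2015!", "Winter2015!"]


def demo() -> dict:
    """Run the attack in the three situations the tutorial describes."""
    password_only = composite_key(DEMO_PASSWORD, None)
    password_and_key = composite_key(DEMO_PASSWORD, DEMO_KEY_FILE)
    return {
        # Password only: a weak password falls to the word list.
        "password_only": dictionary_attack(password_only, DEMO_WORDLIST, None),
        # Password + key file, key file kept elsewhere: 256 unknown bits, the word list is useless.
        "password_and_key_without_file": dictionary_attack(password_and_key, DEMO_WORDLIST, None),
        # Password + key file, attacker stole both: back to guessing the password.
        "password_and_key_with_file": dictionary_attack(password_and_key, DEMO_WORDLIST, DEMO_KEY_FILE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32s} -> {result}")
```

The middle case is the one the tutorial's advice relies on: the correct password is in the attacker's word list, and they still get nothing, because the 32 bytes they are missing cannot be enumerated. The third case is why the key file must never sit next to the database.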
If you don't have an SFTP server you can do the same with two cloud storage services, say Dropbox and Box.net. When you launch KeePass on your computer, you download the key file from a private folder in one service to unlock the database you keep in the other, or vice versa. This lets you unlock your passwords anywhere you have internet access without depending on a single provider. Whichever services you use, protect both accounts with their own strong passwords and, where offered, two-factor authentication, since the provider's login is now one of the obstacles an attacker has to get through.
KeePass has a built-in File > Open > Open URL feature that takes the address of your database file and, for HTTP(S), FTP and WebDAV servers, lets you authenticate to the server right there in the program. Prefer an encrypted transport such as HTTPS or WebDAV over TLS: plain FTP sends your server credentials, and the database file itself, in the clear.
With the KeeCloud plugin you can also access databases on Amazon S3 and Dropbox. To install a plugin, download it, unzip it if needed, and put the .plgx (or .dll) file in the same directory as the KeePass executable or in its Plugins subdirectory, then restart KeePass. Plugins run with full access to your unlocked database, so install them only from sources you trust.
6. Using Keepass anywhere
With your database encrypted and online, and your key file behind a password in a private storage folder that ideally only you know of, you can get to your passwords anywhere you have internet access.
It's not advisable to unlock your database on someone else's computer, though: a keylogger or a malicious browser extension on it captures your master password and, once the database is unlocked, everything in it. If you ever must, make sure the computer doesn't save your passwords (especially if you use a browser to log in to Box or Dropbox), log out of everything, and delete the key file as soon as you're done, bearing in mind that ordinary deletion does not reliably remove a file from the disk.
With that said, getting to your passwords with KeePass is a simple three-step process:
- Launch KeePass
- Download the key file to a private location
- Open the database, point KeePass at the key file, enter your master password, and click OK
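As an added example (not part of the original tutorial), the following script automates those three steps on Linux or macOS while enforcing the rules from the previous section: the key file is staged in a private directory (RAM-backed when /dev/shm exists) with owner-only permissions, the script refuses to run if the key would sit beside the database, both are handed to KeePass 2 on its command line, and the staged copy is overwritten and removed when KeePass exits. Assumptions: `fetch_key` copies from a local path you supply, and in real use you would replace that copy with scp, curl or your cloud client; the `-keyfile:` switch is KeePass 2's documented way to preselect a key file, after which KeePass prompts for the master password; the executable name (`keepass2` on most Linux distributions, `KeePass.exe` on Windows) is a parameter; the demo key written by `write_demo_key` is constructed.

```python
"""Fetch the key file, open the database with KeePass 2, wipe the key afterwards.

Added example, not part of the original tutorial or of KeePass. Assumptions:
`fetch_key` copies from a local path (swap in scp/curl/your cloud client);
the `-keyfile:` switch preselects the key file and KeePass then prompts for
the master password; overwriting before unlinking is best effort on
journaling filesystems and SSDs, which is why a tmpfs directory is preferred.
"""
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional, Union

PathLike = Union[str, os.PathLike]


def _ram_backed_dir() -> Optional[Path]:
    """Prefer /dev/shm (tmpfs) so the key never touches persistent storage."""
    shm = Path("/dev/shm")
    return shm if shm.is_dir() and os.access(shm, os.W_OK) else None


def fetch_key(source: PathLike, staging_dir: Optional[PathLike] = None) -> Path:
    """Step 2: bring the key file onto this machine into a private directory.

    Constructed as a local copy; replace the copy with scp/curl against your
    private storage. Falls back to the system temp dir (on disk) if no tmpfs.
    """
    base = Path(tempfile.mkdtemp(prefix="kp-", dir=staging_dir or _ram_backed_dir()))  # mode 0700
    dest = base / "master.key"
    shutil.copyfile(source, dest)
    os.chmod(dest, stat.S_IRUSR)  # 0400: nothing else on the box should read it
    return dest


def same_location(db: PathLike, key: PathLike) -> bool:
    """The tutorial's rule: never keep the key file and the database together."""
    return Path(db).resolve().parent == Path(key).resolve().parent


def build_command(db: PathLike, key: PathLike, keepass_cmd: str = "keepass2") -> List[str]:
    """Step 3: KeePass opens `db`, preselects `key`, and prompts for the master password."""
    if same_location(db, key):
        raise ValueError("key file must not be stored beside the database")
    return [keepass_cmd, str(Path(db).resolve()), f"-keyfile:{Path(key).resolve()}"]


def wipe(staged: Path) -> None:
    """Overwrite the staged key, then remove it and its private directory."""
    try:
        size = staged.stat().st_size
        os.chmod(staged, stat.S_IRUSR | stat.S_IWUSR)
        with open(staged, "r+b") as f:
            f.write(b"\x00" * size)
            f.flush()
            os.fsync(f.fileno())
    finally:
        staged.unlink(missing_ok=True)
        staged.parent.rmdir()


def open_database(db: PathLike, key_source: PathLike, keepass_cmd: str = "keepass2") -> int:
    """All three steps end to end; returns KeePass's exit status."""
    staged = fetch_key(key_source)
    try:
        return subprocess.run(build_command(db, staged, keepass_cmd), check=False).returncode
    finally:
        wipe(staged)  # runs whether KeePass exited cleanly or not


def write_demo_key(directory: Optional[PathLike] = None) -> Path:
    """Write a constructed 32-byte key file for the demo (use your real key file otherwise)."""
    base = Path(tempfile.mkdtemp(prefix="kp-demo-", dir=directory))
    path = base / "demo.key"
    path.write_bytes(bytes(range(32)))
    return path


def staging_roundtrip(key_source: PathLike, staging_dir: Optional[PathLike] = None) -> dict:
    """Self-check: stage the key, record what was created, wipe it again."""
    staged = fetch_key(key_source, staging_dir)
    info = {
        "exists": staged.is_file(),
        "mode": stat.S_IMODE(staged.stat().st_mode),
        "matches": staged.read_bytes() == Path(key_source).read_bytes(),
    }
    wipe(staged)
    info["removed"] = not staged.exists() and not staged.parent.exists()
    return info


if __name__ == "__main__":
    demo_key = write_demo_key()
    print(staging_roundtrip(demo_key))
    # Real use: open_database("/path/to/vault.kdbx", demo_key)
```

`open_database` does not pass the master password on the command line on purpose: arguments are visible to every process on the machine, so the password is typed into KeePass's own dialog.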
You can also use KeePass from your web browser to autofill your passwords. The browser extension talks to the running KeePass program, so you unlock the database the same way as usual and the extension then fills in the credentials for you. For Chrome the extension is called chromeIPass, which needs the KeePassHttp plugin installed in KeePass; for Firefox it is KeeFox, which installs the KeePassRPC plugin. Both prompt you in KeePass when a new browser wants to connect; approve a connection only when you initiated it yourself, since anything that is allowed to connect can read what the unlocked database exposes.
Many More Things
KeePass is a powerful program. For example, you can use Triggers (Tools > Triggers) to automate certain actions when a given event occurs under certain conditions. This gives more advanced users a lot of flexibility in automating workflows that involve the secure use of passwords.
There are also plugins that add a wide variety of features: the cloud integration mentioned above, enhancements of existing features such as search, and additional security features such as generating passphrases made of words. Some things you might look for in a plugin are already built in: Tools > Options > Security can lock the database after a period of inactivity or when the main window is minimized, and both are worth turning on.