Cryptographically secure pseudorandom number generator (Photo credit: Wikipedia)

The Problem:

It doesn’t take long to accumulate a mass of passwords throughout the Web. You have one for email, one for each of several (or multitudinous) websites, shopping sites, your bank, retirement accounts, education…how do we remember them all?

Unfortunately, our methods for keeping track of our logins and passwords usually entail one of the following:

1. Pick something easy to remember and use it everywhere.

2. Use different passwords for different places, but keep them written down in a notebook that we carry around, or in a text or word-processor document clearly titled “Passwords.” (I was recently shopping in a well-known bookstore and saw a whole rack of little notebooks with the title “Internet Passwords.” I wanted to pluck out my eyes and un-see it.)

3. Sticky notes.

The Solution:

Obviously I’m about to tell you that these are all bad ideas. There is a near-universal dilemma between the need for strong passwords and the need not to have to write them down. The solution is actually much simpler than you might expect. The collective name for it is a password manager.

I’ve known about password managers for much longer than I’ve actually been using them. My favorite security gurus sing their praises quite often. I knew that eventually I would start the process. About a year ago our workplace made one available to us. I got it installed, opened it up, and promptly got swamped with work. I also got intimidated by the set of instructions that I wouldn’t be able to implement in a five-minute span of time. (Read on–it really didn’t take much longer than five minutes to get started.) So I forgot all about it until several months later, when a colleague mentioned how much he likes it. I bit the bullet and made a promise to myself that I would learn how to use this program and concept.

KeePass

The program we have at work is called KeePass and it’s very simple to use.

You start by creating ONE password that you will need to remember or write down. This is the LAST PASSWORD YOU WILL EVER NEED TO REMEMBER OR WRITE DOWN! Write it down, then practice typing it in Word or Excel or Notepad or some other method of getting used to typing it. It still needs to be a strong, secure password. (If you haven’t already seen my post about how to create a strong, secure password, check it out before you try to create this one.)

Getting Started

You will want to create this password in the Master password field. The other options are Key file / provider, which you would use if you wanted to store the key on a thumb drive or in a file (no, you don’t want to store it in a file on the same computer as the database), and Windows user account. I don’t recommend the Windows user account option, because when you move to another computer, moving the database that stores your passwords becomes complicated that way.

If you look to the right of the Master password field, you’ll see a button with three little dots. Clicking that button activates the “Show Password” action, so you won’t have to retype the password to confirm it. But do take the time to verify visually that what you have typed is what you want it to be.

You’ll be taken to a series of tabs where you can select things, most of which you don’t need. The one you really want to pay attention to is the General tab, and the Database name. Give it a name that is general but that you will be able to identify. It doesn’t matter if other people know that it’s a password database. They will still need the master password to get into it. If you decide to create more than one database, you may want to use the description field. You’ll see in just a minute why you probably won’t need more than one for your personal use.

Now you can see why you don’t need several different databases for your personal passwords. You can use the categories that KeePass provides, and/or create your own. This is the part that can take some time initially, but after the initial setup, it becomes a matter of maintenance: you just add passwords as you create them.

Add your Passwords

So to get started, in the left column you select the category in which you want to create the password. Then in the icon bar across the top, select the one shown below that says Add Entry.

To add a category, highlight the name of the database, and right click to bring up the context menu. Select “Add Group.”

If you’re already in the category you want to use, you can right-click in the big blank field, and select Add Entry…


Give it a name (normally the name of the website or application you need to log into), type in your user name, type in your password. Again, if you click the button with the three dots, it will show you the characters you are typing and you won’t have to type it again to verify it.

Generate Good Passwords

Now this is where it gets truly valuable–you don’t have to struggle to figure out how to create strong secure passwords to populate KeePass with. KeePass has a password generator that will generate a nice random password based on certain criteria you can specify. Or you can go with the defaults. For most uses, the defaults are fine. However, some websites have tighter requirements like no special characters and such.  In the Add Entry screen, click on the icon of the key with the little starburst on it, and select Open Password Generator.

And here you can see the options you can select or deselect depending on the password requirements:

When you “OK” back to the previous screen, you can see the strength of your password. The more characters you use, the stronger your password will be, and special characters increase the number of available characters, so use them where the site allows. There’s math behind why this is so; check out my post on it.
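As an added illustration of what a generator and strength meter like the one above are doing (this is example code, not KeePass’s own implementation): each character is drawn from the enabled character classes with the operating system’s CSPRNG, and the strength is computed as bits of entropy, which also shows that a site that forbids special characters can be compensated for with a longer password. The class names and the specific set of special characters are assumptions for the example.

```python
import math
import secrets
import string

# Character classes the generator can draw from; these mirror the kind of
# checkbox options a password generator exposes (names are assumed here).
CHAR_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?",   # assumed set, 25 characters
}


def build_charset(classes):
    """Union of the enabled classes, deduplicated, in a fixed order."""
    chars = set()
    for name in classes:
        chars.update(CHAR_CLASSES[name])
    if not chars:
        raise ValueError("at least one character class must be enabled")
    return "".join(sorted(chars))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length, classes):
    """Pick every character uniformly with the OS CSPRNG (secrets),
    never with random.random(), which is predictable."""
    charset = build_charset(classes)
    return "".join(secrets.choice(charset) for _ in range(length))


def strength(length, classes):
    """Alphabet size and entropy bits for a password of this shape."""
    alphabet = len(build_charset(classes))
    return alphabet, entropy_bits(length, alphabet)


if __name__ == "__main__":
    no_special = ("upper", "lower", "digits")
    with_special = no_special + ("special",)
    # Same length: enabling specials raises the alphabet from 62 to 87.
    print("12 chars, no specials:  %d symbols, %.1f bits" % strength(12, no_special))
    print("12 chars, w/ specials:  %d symbols, %.1f bits" % strength(12, with_special))
    # Four extra characters beat the gain from specials (about 95 vs 77 bits).
    print("16 chars, no specials:  %d symbols, %.1f bits" % strength(16, no_special))
    print("sample:", generate_password(16, no_special))
```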

Using the Passwords:

Using KeePass to fill in your passwords is very easy. You keep it minimized but not closed, so that it’s always available when you need it. When something calls for your password, you bring it up and highlight the entry for the site or application that is asking for your password. If your username for that item is not something you remember easily, you can copy it from KeePass and paste it in, and then do the same for your password. That’s all there is to KeePass; it really is that simple.

LastPass

I was so happy with how this process works that I went on a hunt to see how many password managers were available (bunches). First, I wanted to see how easy they are to use (extremely, but to varying degrees). Also, I needed to know how much they cost (very little, ranging from no cost with no features on one device to a fistful of dollars on several devices–on a personal level. Enterprise pricing is very different). I settled on LastPass for several reasons: It is easy to use, and for a few dollars a year ($99) I can use the same password database on all my devices. This means that my family can all use the same piece of software on their computers, phones, and tablets. And even on a school or work computer, the database of passwords, which is stored encrypted at the vendor, can be accessed through a browser.

I can’t install LastPass on my work computer and my kids can’t install it on their school computers. However, we can all access it using the one master password through Firefox or Safari or Chrome or Internet Explorer (as long as you are using a fairly current version of Internet Explorer). It works as a browser plugin on my home computer, but if I want to use my training material at work (which is acceptable under our Use Policy), I can use the web-based LastPass to get my passwords from it. And as long as you are using the premium version, you can use an app on your mobile devices. You will have to copy and paste your usernames and passwords on your mobile devices, because there isn’t an integration into other apps yet. I don’t know if they are pursuing that, but at this time none of my apps will integrate directly with the LastPass app. It’s still a massive facilitator!

However:

A word of warning: don’t all of a sudden abandon your current method of keeping track of your passwords the minute you implement a password manager. Each of these programs has a bit of a learning curve. Until you fully understand how it works, you don’t want to rely solely on it. Do not burn your ships on this one. If something happens and you lose or can’t remember your master password, you will not have access to that database, and you will be resetting passwords all over the web.

Security experts all seem to agree that passwords are about the worst way to try to implement security. There are a number of efforts at improving user-end security. Steve Gibson, the principal behind Gibson Research Center, is in the final stages of developing a secure login program called SQRL. It stands for Secure QR Login, and it will use QR codes and your phone for website logins. He’s working on making it work with non-mobile devices (laptops and desktops) as well. Users will have one master password to remember, like KeePass and LastPass.