KeePass
KeePass is a free password manager used by
millions of people every day. More importantly, it's open source. Where your
passwords are concerned, this is a good idea: anyone can inspect the source
code, compile their own executable and satisfy themselves that no keylogger or
malware is lurking inside, skimming off their credentials. Open source only
protects you if the file you run matches the code you can read, so if you use
a pre-built download rather than compiling it yourself, check it against the
hashes and OpenPGP signature published on the KeePass site.
KeePass is available from http://keepass.info.
Click the link to download Portable KeePass Version 2.17 (the stable edition).
This requires no installation and lets you keep your password database on a
USB stick, so you can carry your passwords around securely wherever you go.
Once the file is downloaded, open it and look at its contents. Drag and drop
all the files onto a USB memory stick, then close the zip file; you no longer
need it. To run KeePass, simply double-click KeePass.exe. After a few seconds,
the interface appears.
The first thing we need to do is create a
secure database to store our passwords. To do so, click File > New. Navigate
to the USB memory stick, name the database if you like, and click 'Save'.
A new window appears. Enter a password in the 'Master password' box. This is
the password from which the key that encrypts the database is derived, and it
is the only one you'll need to remember. There is no recovery if you forget
it. Make it as long and as varied as you can (see 'Avoiding password entropy',
right, for the reasons why and for a way to generate a memorable one). As you
type, KeePass estimates the password's strength. Enter the same password in
the 'Repeat password' box, then click 'OK'.
A new window appears allowing you to configure various database settings. The
defaults are fine for the moment, so simply click 'OK' to continue. The one
setting worth revisiting later is the number of key transformation rounds on
the 'Security' tab: raising it makes every guess at your master password
slower for anyone who gets hold of the database file.
The main window changes to show two example username and password pairings.
KeePass refers to these as 'entries'. In the left-hand pane are groups into
which your passwords can be sorted. You can rename these, delete them or
create new ones by right-clicking in this pane.
You can make KeePass fill in login credentials automatically by setting up the
Auto-type facility. It's quick and convenient, saving you time and effort.
Adding a password to KeePass lets you assess its strength.
Avoiding password entropy
Currently, some of the strongest passwords you can create consist of the
initial letters of every word in a line from your favourite song or poem. This
makes them long and easy to remember, yet far less predictable than a string
of full words, provided the line is not so famous that a cracker's wordlist
already contains its initials. It's all to do with a property of passwords
called entropy.
In information theory and cryptography, entropy is a precise measure of
uncertainty: a password chosen uniformly at random from N equally likely
possibilities has log2(N) bits of entropy, so the figure grows with both the
size of the character set and the length. Entropy is therefore a good
indication of how difficult a password is to crack, because every extra bit
doubles the number of candidates an attacker has to try. The more possible
characters that can occupy any position in the password, and the longer the
password, the better.
Think of it this way: if you have an eight-character password and each
character is a whole byte chosen at random, then you have 64 bits that an
attacker has to test for the correct pattern of ones and zeros. That is 2^64
combinations (18,446,744,073,709,551,616 in total), and cryptographers say the
password has 64 bits of entropy. Real passwords fall short of that figure:
only around 95 of the 256 byte values can be typed on a keyboard, so eight
random printable characters give about 52.6 bits, and eight random digits only
about 26.6. Just as importantly, entropy measures how the password was chosen,
not how it looks. Password crackers try patterns first (repeated characters,
keyboard walks, dictionary words with a digit on the end), so a password that
follows a pattern, such as two consecutive characters the same, has less
effective entropy than its length and character set suggest.
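The arithmetic above, and the initials-of-a-line method from the start of this sidebar, worked through in Python. This is an added example, not code from the article or from KeePass: the character-set sizes, the assumed guessing rate of a billion guesses per second and the nursery-rhyme line are constructed inputs, and initials_entropy_upper_bound deliberately reports only an upper bound, because initials of English words are not uniformly distributed.

```python
import math

# Character-set sizes: assumptions about what an attacker must try, not
# figures from the article.
DIGITS = 10            # 0-9
LOWER = 26             # a-z
PRINTABLE_ASCII = 95   # space through '~': everything a keyboard can type
ANY_BYTE = 256         # the article's "each character is a whole byte" case

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size, length):
    """Entropy in bits of a password whose `length` symbols are each chosen
    uniformly and independently from `alphabet_size` possibilities:
    log2(alphabet_size ** length). This is the upper bound; a password that
    follows a pattern has less."""
    return length * math.log2(alphabet_size)


def search_space(alphabet_size, length):
    """Number of candidates an exhaustive search must try (2 ** entropy)."""
    return alphabet_size ** length


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def initials_passphrase(line):
    """The song-line method: the first letter of every word, lower-cased.
    Words that do not start with a letter are skipped."""
    return "".join(w[0].lower() for w in line.split() if w[0].isalpha())


def initials_entropy_upper_bound(line):
    """Upper bound for an initials password, treating each letter as if drawn
    uniformly from a-z. The true figure is lower: English initials are not
    uniform, and a well-known line may already sit in a cracker's wordlist."""
    return entropy_bits(LOWER, len(initials_passphrase(line)))


if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second for an offline attack
    print("eight random bytes:", entropy_bits(ANY_BYTE, 8), "bits,",
          search_space(ANY_BYTE, 8), "combinations")
    for name, size in (("digits", DIGITS), ("lowercase", LOWER),
                       ("printable ASCII", PRINTABLE_ASCII)):
        for length in (8, 12, 16):
            bits = entropy_bits(size, length)
            print(f"{length:2d} random {name:15s}: {bits:5.1f} bits, "
                  f"{years_to_exhaust(bits, rate):.3g} years at {rate:.0e}/s")
    # Constructed example line for the initials method.
    line = "Mary had a little lamb, its fleece was white as snow"
    pw = initials_passphrase(line)
    print(f"initials of {line!r}: {pw} ({len(pw)} chars, "
          f"at most {initials_entropy_upper_bound(line):.1f} bits)")
```

Run it and compare the rows: twelve random digits (about 40 bits) are weaker than eight random printable characters, and an eleven-letter initials password tops out near 52 bits even before allowing for the fact that the line was chosen from a small set of lines you happen to know.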
You can estimate the search space of a password using free tools such as the
online Haystack Calculator from Gibson Research Corporation
(http://bit.ly/lqJSIJ). It shows how long an exhaustive search would take at
various guessing rates; in other words, it tells you how big a conceptual
haystack of possibilities your password is hiding in, hence the name of the
site. Bear in mind that it assumes the attacker knows nothing about you and
tries every combination in turn. It will rate a password that appears in every
cracking wordlist as strong, so use it to compare lengths and character sets,
not as proof that a particular password is safe.
Discover the strength of your
password by checking how much entropy it contains
Purge passwords from web browsers
Firefox is often considered more secure than Internet Explorer, but is this
true in all cases? The following trick suggests otherwise.
Bet a Firefox user that you can log into any of their web accounts. Have them
look away and then click on the orange Firefox pull-down tab at the top left.
Select 'Options' and click the 'Security' tab in the resulting window. Click
the 'Saved passwords' button, and a long list of saved websites and usernames
appears. Click 'Show passwords' and confirm your action, and the passwords
appear too. Select one, right-click and choose 'Copy password'. Surf to the
relevant website, enter the appropriate username, paste in the password and
log in. Internet Explorer doesn't let you see individual passwords, but
password recovery tools, such as PassView (http://bit.ly/9i5Vsp), will.
In Firefox, you can untick 'Remember passwords for sites' on the Security tab
of the Options window and add some exceptions, but this only stops new
passwords being saved; anything already stored stays where it is. Setting a
master password is the better option. Without one, Firefox encrypts the saved
logins with a key that is itself protected by an empty password, so anyone who
copies your profile folder can decrypt them with freely available tools. With
a master password set, Firefox asks for it before revealing or using the
stored logins, and the profile files are useless without it.
In Internet Explorer 8 on Windows 7, credentials that you chose to remember at
an HTTP authentication prompt are held in the Windows vault, and you can
remove them as follows. Open the Control Panel and click User Accounts and
Family Safety > User Accounts, then click 'Manage your credentials'. Select a
credential and either click 'Edit' to change its details, or click 'Remove
from vault' to delete it. Passwords IE remembered for web forms are not listed
here; to clear those, open Tools > Internet Options, go to the 'Content' tab,
click 'Settings' under AutoComplete, then 'Delete AutoComplete history' and
tick 'Passwords'.
Uncovering passwords in Firefox is
easy and can lead to some embarrassing situations