One of the biggest mistakes on the Internet is using the same login information for all your online accounts. If someone got hold of your username and password, they would be able to access all your email accounts, social accounts, etc. They could read every email you’ve sent and received, damage your reputation by impersonating you on your social accounts, or even change all your passwords! Having a different password for each account is not enough: each one has to be a combination of upper case, lower case, numbers and even punctuation marks, and at least 8 characters long.
With the two guidelines mentioned above, it is nearly impossible to memorize each and every password made up of random characters. This is where a password manager comes into play, storing all your login information in a secure, encrypted vault that can only be unlocked with a master password or a key file. Some people are against the idea of using a password manager because of the risk that the encrypted database is stolen together with the master password, which instantly gives the hacker access to all of your accounts.
There are quite a number of password managers available, and KeePass is one of the most popular because it is free, open source and very extensible thanks to its plugin framework. In this article we’ll take a closer look at KeePass and at best practices for keeping your database of login information safe.
As mentioned earlier, KeePass is open source, which is a good thing because anyone can audit the source code to confirm that the login information stored in the password vault is safe and that there is no backdoor for decrypting the encrypted database. KeePass being open source has also encouraged many unofficial releases, such as KeePassX, a KeePass clone for Mac OS X and Linux.
Local Database Storage
KeePass is focused on being a locally stored password manager, although there are plugins to sync with online storage providers such as Dropbox, Google Drive, OneDrive, etc. Some people prefer KeePass over a cloud-based password manager such as LastPass because they do not want their encrypted passwords stored in the cloud, since they cannot know for sure whether the provider’s employees have a master key to unlock the encrypted database.
KeePass is also available as a portable program that does not store anything on the system. So even without cloud support, one can easily carry KeePass on a USB flash drive and configure it to work together with a portable version of a web browser that is also stored on the USB flash drive.
While most password managers aim to make their program very user friendly and as easy as possible to use, KeePass requires manual configuration of most, if not all, options, as it doesn’t come with a setup wizard that guides you step by step. For example, an advanced user would know that the first step after running KeePass for the first time is to create a new database, either by clicking on the “New” icon or by going to File in the menu bar and selecting “New”. A novice computer user probably doesn’t instantly know what the next step is after running KeePass if they haven’t read the online first steps tutorial.
Unlike the LastPass extension installed in a web browser, which automatically prompts you to save the credentials after a successful login, you need to manually add an entry in KeePass and tell it to perform the auto-type action from the program itself, by pressing Ctrl+V or from the right-click context menu. Fortunately this feature can be extended with the plugin mentioned below.
Flexible and Extensible
In terms of flexibility and extensibility, KeePass is excellent and wins hands down thanks to its plugin framework. While KeePass isn’t directly integrated into web browsers, this can be done with available plugins such as KeeFox, which automatically prompts you to save your username and password after logging in to a website and also automatically fills in your username and password on login forms.
Other plugins that add more features to KeePass related to backup, synchronization, integration, transfer, import, export, cryptography, key providers, resources, automation, scripting and utilities can be found on the official KeePass plugin webpage. Installing a plugin is as easy as copying the downloaded .PLGX file to the KeePass folder; KeePass will automatically recognize and install the plugin at the next run.
Safety and Security
While features are important in attracting users to a product, the most important thing is actually the safety and security of the program, since password management software stores very important data that must not fall into other people’s hands.
The Master Password is the most important thing to protect, because it is the key that opens up the list of login information stored in the program. The KeePass database (.KDBX) can be stolen by a hacker if the computer is infected by a RAT trojan, and a keylogger module in the same malware can capture the master password. When the hacker manages to obtain both your master password and your KeePass database, they have access to all your passwords. Here are a few ways to protect your Master Password.
1. On-Screen Keyboard
A logical way to protect your master password from being captured by a keylogger is to not type your password on your keyboard but instead use a software-based on-screen keyboard. We must stress that not all on-screen keyboards are safe, especially the one built into the Windows operating system, as its input can also be captured by a keylogger.
There is a plugin for KeePass that automatically enables the On-Screen Keyboard when typing the Master Password, but it simply launches the On-Screen Keyboard built into Windows, which can be captured by a keylogger. So do take note that it is NOT safe to rely on the on-screen keyboard plugin for KeePass.
A more effective method of protecting your keystrokes from being captured by a keylogger is to use keystroke encryption software such as KeyScrambler or Zemana AntiLogger Free. Neo’s SafeKeys drag-and-drop method of entering passwords is also very safe against keyloggers.
2. Secure Desktop
Another method included in KeePass to protect the Master Password is the Secure Desktop option. The Secure Desktop is only activated when you are about to enter your master password; you will notice that the background is grayed out, similar to the Windows User Account Control prompt. When the Secure Desktop is active, keyloggers cannot capture your keystrokes, hence keeping your Master Password safe.
We’ve tested the Secure Desktop option against a low-level Elite Keylogger and can confirm that the keylogger wasn’t able to capture the master password.
To enable the Secure Desktop option, click on the Tools menu and select Options. On the Security tab, look for “Enter master key on secure desktop” and tick the checkbox.
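Because the checkbox above is easy to forget on a fresh or portable copy, it helps to be able to check the setting from the saved configuration rather than by clicking through the GUI. The script below is an added example, not code from the article or from the KeePass project. It assumes that the checkbox is persisted in KeePass.config.xml as the element Security/MasterKeyOnSecureDesktop (assumed element names), that a missing element means the default of “off”, and it audits two constructed sample files rather than any real user’s configuration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample fragments of a KeePass.config.xml, not taken from any real machine.
# The element path Security/MasterKeyOnSecureDesktop is assumed to be where the
# "Enter master key on secure desktop" checkbox is stored.
SAMPLE_CONFIG_ENABLED = """<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Security>
    <MasterKeyOnSecureDesktop>true</MasterKeyOnSecureDesktop>
  </Security>
</Configuration>
"""

# Same file with the option never touched: the element is simply absent,
# which is treated here as the default (off).
SAMPLE_CONFIG_DEFAULT = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Security />
</Configuration>
"""


def secure_desktop_enabled(config_xml: str) -> bool:
    """True only when Security/MasterKeyOnSecureDesktop is explicitly 'true'."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    node = root.find("./Security/MasterKeyOnSecureDesktop")
    if node is None or node.text is None:
        return False
    return node.text.strip().lower() == "true"


def audit_config(config_xml: str) -> list:
    """Return human-readable findings for the setting discussed above (empty list = all good)."""
    findings = []
    if not secure_desktop_enabled(config_xml):
        findings.append(
            "Secure Desktop is off: tick Tools > Options > Security > "
            "'Enter master key on secure desktop'."
        )
    return findings


if __name__ == "__main__":
    # Usage: python keepass_audit.py [path\to\KeePass.config.xml]
    # Without a path, the two constructed samples are audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"sample-enabled": SAMPLE_CONFIG_ENABLED,
                   "sample-default": SAMPLE_CONFIG_DEFAULT}
    for name, xml_text in samples.items():
        print(name, "->", audit_config(xml_text) or ["OK"])
```

For a portable copy the configuration file normally sits next to KeePass.exe; for an installed copy it is kept in the user profile under the KeePass application-data folder. Point the script at that file to confirm the option really survived a reinstall or a copy to a new USB drive.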
3. Key File, Windows User Account, Two Factor Authentication
For additional security, it is best to use both a master password and a key file that is stored offline on an external device such as a USB flash drive. Then even if your master password is stolen, the KeePass database cannot be decrypted without the key file.
The Windows User Account option may work as well, so that the KeePass database can only be unlocked from the same user account on a particular computer. There is a drawback to this option: if your user account is corrupted or deleted, it won’t be possible for you to access your KeePass database.
Two Factor Authentication is also very effective but requires an additional plugin, configuration and another device such as a YubiKey.
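To see why a key file makes a stolen master password useless on its own, it helps to look at how the two sources are combined before the database is decrypted. The following is an added example written for this article, not KeePass’s own code: it models the composite key that KeePass 2.x builds from the master password and a key file, following the documented rules that the password is SHA-256 hashed, a 32-byte key file is used as-is, a 64-character hex key file is decoded, any other file is SHA-256 hashed, and the components are concatenated and hashed again. XML key files and the Windows User Account component are left out, and the output is the composite key before the key derivation function that KeePass then applies, so it is not a database key you could use directly.

```python
import hashlib
import os
from typing import Optional


def password_component(master_password: str) -> bytes:
    # The UTF-8 master password is hashed with SHA-256 before use.
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def key_file_component(key_file_bytes: bytes) -> bytes:
    """Turn a (non-XML) key file into its 32-byte component.

    A file of exactly 32 bytes is used as-is, a file of 64 hex characters is
    decoded, and any other file is hashed with SHA-256.  Every byte of the
    file therefore matters, which is why a damaged key file locks you out.
    """
    if len(key_file_bytes) == 32:
        return key_file_bytes
    if len(key_file_bytes) == 64:
        try:
            return bytes.fromhex(key_file_bytes.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex: fall through and hash it like any other file
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(master_password: Optional[str], key_file_bytes: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated components (password first, then key file)."""
    parts = b""
    if master_password is not None:
        parts += password_component(master_password)
    if key_file_bytes is not None:
        parts += key_file_component(key_file_bytes)
    if not parts:
        raise ValueError("a master password, a key file, or both are required")
    return hashlib.sha256(parts).digest()


def new_key_file() -> bytes:
    """Generate a constructed 32-byte random key file (what you would keep on the USB drive)."""
    return os.urandom(32)


if __name__ == "__main__":
    kf = new_key_file()
    pw = "correct horse battery staple"  # constructed sample password
    print("password only      :", composite_key(pw, None).hex())
    print("password + key file:", composite_key(pw, kf).hex())
    print("same password, other key file:", composite_key(pw, new_key_file()).hex())
```

The three printed keys share nothing recognisable even though two of them use the same password: an attacker holding the .KDBX file and the master password, but not the key file, is working from the wrong composite key entirely. The same property is what makes the key file a single point of failure, so keep a second copy of it offline, separate from the database.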
KeePass can automatically type a username and password into a login form on a website, but this means the keystrokes can be captured by a keylogger. The Secure Desktop option only works while entering the master password, not in this case. Fortunately KeePass has developed a unique technique called “Two-Channel Auto-Type Obfuscation” (TCATO) to fool keyloggers. For example, the username “Michael321” and password “12345” are only captured as “hal321” and “123” by the keylogger.
Two-Channel Auto-Type Obfuscation doesn’t work in all applications, especially ones that don’t support clipboard operations. Hence there is no universal switch to turn the TCATO option on or off; it has to be explicitly enabled for each entry. In the Edit Entry window, go to the Auto-Type tab, tick the “Two-channel auto-type obfuscation” checkbox and click OK.
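To make the two-channel idea concrete, here is an added simulation written for this article; it is not KeePass’s implementation and deliberately simplifies it. The secret is cut into pieces, each piece goes either through keystrokes or through the clipboard, and a keystroke logger is modelled as seeing only the typed pieces (plus the Ctrl+V presses, whose contents it cannot read). The EXAMPLE_PLAN is constructed so that the article’s “Michael321” turns into “hal321” at the logger. The clipboard_supported switch models the failure mode described above: in an application that ignores pastes, the pasted pieces never arrive and the login simply fails, which is why the option is per entry.

```python
import random
from typing import List, Tuple

# A plan is a list of (text, channel) pieces. "key" pieces are typed as
# keystrokes; "clip" pieces are put on the clipboard and pasted with Ctrl+V.
Plan = List[Tuple[str, str]]

# Constructed plan that reproduces the article's example for "Michael321".
EXAMPLE_PLAN: Plan = [("Mic", "clip"), ("ha", "key"), ("e", "clip"), ("l321", "key")]


def random_plan(secret: str, rng: random.Random, max_piece: int = 3) -> Plan:
    """Cut the secret into pieces of 1..max_piece characters and give each a random channel."""
    plan: Plan = []
    i = 0
    while i < len(secret):
        n = rng.randint(1, max_piece)
        plan.append((secret[i:i + n], rng.choice(["key", "clip"])))
        i += n
    return plan


def deliver(plan: Plan, clipboard_supported: bool = True) -> Tuple[str, str]:
    """Simulate sending the plan to a login form.

    Returns (what the form receives, the characters a keystroke logger records).
    The logger would additionally see Ctrl+V presses, but not the clipboard contents.
    With clipboard_supported=False the pasted pieces are lost, as in an application
    that does not accept clipboard input.
    """
    form = ""
    keylog = ""
    for text, channel in plan:
        if channel == "key":
            form += text      # typed characters reach the form...
            keylog += text    # ...and are visible to the logger
        elif clipboard_supported:
            form += text      # pasted characters reach the form only
    return form, keylog


def demo(secret: str, seed: int) -> Tuple[Plan, str, str]:
    """Build a reproducible random plan for the secret and deliver it."""
    plan = random_plan(secret, random.Random(seed))
    form, keylog = deliver(plan)
    return plan, form, keylog


if __name__ == "__main__":
    form, keylog = deliver(EXAMPLE_PLAN)
    print(f"form received: {form!r}  keylogger saw: {keylog!r}")
    broken, _ = deliver(EXAMPLE_PLAN, clipboard_supported=False)
    print(f"without clipboard support the form received only: {broken!r}")
    for secret in ("12345", "Tr0ub4dor&3"):  # constructed sample secrets
        plan, form, keylog = demo(secret, seed=2024)
        print(f"form received: {form!r}  keylogger saw: {keylog!r}  plan: {plan}")
```

Two limits of the model are worth keeping in mind when deciding whether to enable the option for an entry: the real feature also reorders the typed pieces with cursor keys, so a logger gets even less than this simulation shows, and a logger that additionally records the clipboard would recover the pasted pieces, so TCATO is a mitigation against plain keystroke capture rather than a replacement for a clean machine.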
Final Notes: KeePass is an excellent free password management program that is very flexible and extensible, but obviously more suited to advanced users than to novices.