I’ve spent the morning trying to access my newly approved online banking account. The vendor is fairly atrocious from a design and interface perspective. I sent an email to the site explaining some security issues and received a prompt response. Essentially, two things were laid out: one, they use a third party vendor for the online banking (big surprise, most banks do) and two, their customers are idiots and they are trying to reduce their hand-holding overhead. However, the latter issue comes at the cost of security which is not good. The social engineering aspects were ignored in the response.
In light of this, I found it to be a good opportunity to share about Keepass and some ways to use it. After loading it up (I prefer the portable version so I always have my keys with me), it’s fairly intuitive to navigate and use. Create a long password for the database. I suggest using a quote, song lyric, anything that is substantially long and easy to remember. By “substantially long,” I’m referencing the fact that my password is over 25 characters. Using spaces, punctuation, capital letters, etc are all suggested. Note, this password does not have to be random and you don’t need to substitute numbers for letters like most password creation recommendations suggest. The reason for this is due to the sheer length of the password. For example, using lowercase, uppercase, and digits there are a total of 62 (26+26+10) possible characters. Taking a 10 character, convoluted password would give a theorectical 10^62 combinations (or 10 followed by 62 zeros). Let’s take a simple, lowercase and uppercase only password that is 25 characters long. This gives a total theoritcal 25^52 combinations (or 4.9 followed by 72 zeros). The “easy” to remember password is significantly stronger than the shorter, convoluted password.
The reason you want this to be a strong password (more commonly referred to as a “passphrase” these days), is that it is the single thing stopping people from accessing all of the passwords stored in this new database. Once the lengthy password is entered, everything else is up for plundering.
So, now that you have a long password securing a new database, it’s time to start adding entries. The process is straight forward. But, what to add? Surely your email accounts and Windows login. Windows login? You might be thinking how useless this is since you would have to login into Windows before accessing your password management system. But, if you are using the portable version, simply go to another machine and confirm your login. Or, if you have the KeePass mobile app installed, check your phone (Android, BlackBerry, iPhone, and PocketPC).
What about adding serial numbers for software? Being able to copy that key is much easier than digging out the slip of paper and manually typing it in. How about membership numbers? This makes online shopping easier as you can copy in the ID number for more store credit. Speaking of shopping, what about credit and debit card numbers? Sure, this will simplify odering, but what about storing the CVC number, expiration date, and name of the card? This might help with checking out even quicker, but if you add in the telephone number printed on the back of the card you have all of the information required to suspend a stolen credit card. Adding in PINs (voicemail, PO Box, bicycle chain locks, etc) is another idea. For work voicemail, I actually have the entire process enumerated out in the notes since it is ridiculously convulated.
Some other information you might think about adding could include the email address registered to the account, sales representatives that you have spoken with about your account, co-pay amounts for your insurance carrier … anything that may be of value. In fact, adding enough information that if you became incapicitated in some way an authorized user could close out your accounts, say farewell to social communities, and stop monthly service fees would be a good idea. Who you trust with your life and how you impart this to them is another thing altogether. Naming the password for your database (or a copy of the database including things you wish to have managed) in a Will and storing the actual database in a safe is one idea. Completly trusting another person is another way. Instead of storing it in a safe, how about with services such as DropBox and a private link to the file? This way, if your wallet, USB device, and backup storage media were all stolen, you could still access your accounts. Presuming you set your DropBox credentials to something you can remember; but not insecure. Using a service such as DropBox will ensure you always have the most current version of your KeePass database with you as DropBox is available as a cross-platform client, web interface, and with mobile apps.
Now that you have all of you accounts entered and saved, it might be a good time to audit them. Prior to using KeePass, I know many of my passwords were short and possibly even written down somewhere. This is a good time to go back through everything and begin creating new, random passwords. One aspect that many people forget is the username portion of their credentials. People think of this as an easy way to remember their account, but why not make it random too? This works best for new accounts as most places do not allow you to modify your account name, but it’s worth considering and looking into. Remember those security questions that some sites (especially banks) ask? “What was the name of your first pet?” You did add those into your notes section, right? Why not go back and make those random as well? Even if you don’t supply random answers, do not answer with “Pedro” and then dedicate an entire Facebook album to Pedro. Use a fake name or something like “Pedro is the name of my first pet dog.” This is easy to remember if you are consistent with rephrasing all of the questions and provides much better security.
Once you begin using it and are comfortable with it (KeePass or any password management system), you will begin to see new things to add and new ways to [ab]use it. The above are some things I have come up with after using mine for a while. At first I was simply amazed at how many entries I had (approaching 200) and excited that each one could be unique from the others. Every time I thought of a new note to be adding, I had the “why didn’t anyone tell me about this before” sensation. Hopefully this will not only introduce someone to KeePass or alternative, but to give you ideas on things to add and possibly more long term considerations such as helping people cope with your accounts after you can no longer tend to them.
Found on LifeHacker: Why You May Want to Avoid Non-ASCII Characters in Your Passwords