Jesus Christ, Use a Password Manager Already

12/14/2010 6:03:00 PM - technology, tools

Another day, another website security breach. Fortunately for me, I didn't have an account at Gawker, but even more fortunately, it wouldn't have mattered to me much if I did. I use a strong password for every website account I have, and every password is unique for each and every account. So not only do I have strong passwords, but if one is compromised the damage is minimized because that password is not used anywhere else. This is standard password "best practices", but millions of people don't adhere to it.

Why? Convenience and laziness. It can be a real pain to remember a truly strong password, and almost impossible to keep your passwords straight if you use a lot of different ones. So most people either use weak passwords that are easier to remember (short, lack of mixed case, lack of punctuation, even lack of numerals), or if they do make themselves memorize a stronger password, they only memorize one or a few and re-use them from site to site. A password manager obviates all of these problems, and can give you not only strong security but convenience as well without taxing your memorization ability. If you're not already using one, it's time to start.

Can't I just use my browser's password manager?

Sure, it's better than nothing. It's better than re-using one password across applications, better than using weak passwords because they're easier to remember, and definitely better than writing strong passwords down because you have too many of them. But it's not the best solution. Some browsers don't use a master password to unlock your saved passwords, meaning that if your computer is stolen and the thief can log on with your normal Windows user account (most people don't put a password on this account, or if they do it's very weak because it has to be typed every time the computer reboots), they have access to all your browser passwords. Some browsers store the passwords with weak or no encryption, sometimes so weak that a script kiddie can dump them just by running a freeware app; even a browser that encrypts them with a key tied to your OS login is only as strong as that login, since anything running under your account can decrypt them. And a browser's built-in "saved passwords" feature doesn't help with passwords for desktop applications, only websites, nor does it help if you use more than one computer (without an app for syncing the data, at which point you might as well use a real full-fledged password manager).

Wait, desktop applications?

If you're like me, more than 90% of the passwords you use are web-based. But most of us have password-like information that should be kept secure in one or more desktop applications, or in real life. Your accounting database, whether you use Quickbooks or something else, should be secured, and likewise your tax software. You also have PINs for your debit and credit cards, and you probably have "security questions" associated with your financial accounts, whether you wanted them or not (they add very little security value). You may or may not need this kind of info entered automatically, but you still need access to it, unless you really think you can keep all of that in your head and remember the PIN for that card you haven't used in more than a year.

Alright already, tell me what I should use (I have a feeling you're going to)

Right you are. Being a software developer, website entrepreneur, and just a regular all-around guy interested in technology, I have a TON of accounts. Hundreds. They've accumulated over time, of course, but it wasn't long before they got to the point that there was no way I could keep them all secure and still remember them. Like most people, for a long time I resorted to reusing passwords, or introducing little variations that made passwords slightly different from each other but still memorable. Eventually I realized how insecure it was, and even with re-used or similar passwords it was still sometimes troublesome to recall just which variation of which password I used for a particular site. I was spending valuable minutes each day or longer not only remembering login details but typing them in as well (I refuse to let my browser save passwords).

For productivity reasons alone I started using a password manager, and for a long time my choice was RoboForm. It was designed for my browser of choice at the time, Firefox, and although you had to pay for it to get full functionality, the time and hassle it saved me was worth it. That it made me more secure, by using unique passwords for each site (I didn't bother much with the "strong" part at that point), was just a bonus. And it's a good program.

But when I finally pulled the trigger on switching full-time to Chrome a while back, I had to find a new password manager. I explored and researched several of them, looking for one that was free yet secure, user-friendly yet versatile. I ultimately decided on one in particular that I felt gave me the best of the possible tradeoffs, and after using it for a few months now I couldn't be happier. That choice was KeePass.

Where to get it and why you should

KeePass is free and open-source. When it comes to security, open-source should give you some warm fuzzies because the code is published and freely available for inspection to anyone and everyone. When it comes to price, there is no better price point than free when you're a buyer. And it doesn't suffer from a lack of quality features despite its price point.

You can store all your account info in it, usernames and passwords included, as well as anything else you want such as PINs or alarm codes. It's all stored in a single database file encrypted with AES. The encryption key isn't your master password itself: KeePass hashes the master password with SHA-256, runs the result through AES a configurable number of rounds (6000 by default), and hashes it again. Those extra rounds are what make brute-forcing the database expensive, since every password guess has to pay for the same 6000 encryptions, while you pay that cost only once each time you open the database (less than a second). Raising the round count in the database settings raises the attacker's cost by the same factor. There are lots of other security measures too, including in-memory process protection, plus options for even greater security like using a key file in addition to a master password, and alternative means of entering passwords such as combining keyboard entry with clipboard pasting.
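To make the "hash, encrypt N times, hash again" step concrete, here is an added example (written for this post, not KeePass's own code) that follows those three steps and times them at different round counts. It omits the key-file and master-seed mixing a real database does, so it is not byte-compatible with a .kdb/.kdbx file; the all-zero transformation seed and the passwords are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// transformKey follows the three steps the post lists: SHA-256 the master
// password, encrypt the result `rounds` times with AES-256 under the
// database's transformation seed, then SHA-256 again. It is an illustration,
// not KeePass's code, and is not byte-compatible with a real .kdb/.kdbx
// (the key-file and master-seed mixing steps are omitted).
func transformKey(password string, seed [32]byte, rounds uint64) [32]byte {
	key := sha256.Sum256([]byte(password))

	block, err := aes.NewCipher(seed[:]) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // unreachable: seed is always 32 bytes
	}
	for i := uint64(0); i < rounds; i++ {
		// ECB-style: each 16-byte half is encrypted independently, in place.
		block.Encrypt(key[:16], key[:16])
		block.Encrypt(key[16:], key[16:])
	}
	return sha256.Sum256(key[:])
}

// costPerGuess times one candidate password at the given round count; an
// attacker trying N candidates pays roughly N times this, on their hardware.
func costPerGuess(rounds uint64) time.Duration {
	var seed [32]byte // constructed: all-zero seed, same as in main
	start := time.Now()
	transformKey("not the password", seed, rounds)
	return time.Since(start)
}

func main() {
	var seed [32]byte // constructed: a real database stores a random seed in its header
	for _, rounds := range []uint64{1, 6000, 600000} {
		k := transformKey("correct horse", seed, rounds)
		fmt.Printf("rounds=%-6d key=%s... cost per guess=%v\n",
			rounds, hex.EncodeToString(k[:6]), costPerGuess(rounds))
	}
}
```

The point of the round count is the last column: whatever one open costs you, every guess costs the attacker, scaled only by how much faster their hardware is. Zero rounds would reduce the whole thing to a double SHA-256, which a GPU tries billions of times per second.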

There are versions for almost every operating system and platform imaginable, from Windows, Mac and Linux to iPhone and Android. There's even a portable version you can keep on a USB stick so you can take your passwords with you if you need to log in securely on someone else's computer or a public one. (Although you should be VERY careful about logging in to sensitive sites on a public computer, and might want to look into KeePass's advanced security features.)

You can download KeePass here.

Quick Tutorial

Install KeePass and run it, then create a new database and choose a master password for it. This is the password that protects all your other passwords, so make it a strong one: throw in mixed case and a punctuation mark or two if you don't normally do that, make it at least 10 characters, and make sure it's nothing like any password you currently use or have ever used in the past. You have to enter the master password whenever KeePass locks its workspace after your computer has been idle for a few minutes (the timeout is configurable), so you'll have no trouble remembering it after the first couple of days if you use your computer daily.

You can go into the options and configure all sorts of things like the idle timeout delay, and whether to use any of the optional advanced security features (which aren't really necessary). You can organize your passwords into different folders in your database so they're easier to manage.

By default, it matches entries to windows by looking for the entry's name in the current application's window title or the browser's page title; just name your entry "facebook" and it will know to use that username and password when you're on Facebook. If a particular website or application has an ambiguous or unclear page title (my bank login page just says "Please login"), you can name the entry appropriately and, in the Auto-Type tab, choose the right window for it. You can also define custom Auto-Type sequences there for logins that don't follow the normal "username – tab – password – enter" pattern.

To actually use the passwords you've set up, whenever you're on a login form just hit CTRL-ALT-A and KeePass will find the entry matching the window, type your login information, and submit it. (If you've been idle, it'll prompt you for your master password first.) One caution: Auto-Type sends keystrokes to whatever window has focus, so make sure the cursor is in the login form and the matching entry is the one you expect before you hit the hotkey.

Best Practices

Using a password manager is certainly convenient, but the best part is that you can finally follow those password best practices that are always preached but rarely practiced. After getting KeePass set up and confirming it worked with all my accounts, I went and changed my password on each and every account I had (yes, this took a while). Better still, I used the password generator built into KeePass to generate very strong, unique passwords for each site: 12 characters of upper and lowercase letters, numerals, and punctuation across the board. Yeah, if I did have to type one in manually it would not be easy (I'd probably have to look it up and repeat it to myself a few times just to remember it for a few minutes), but I never have to, so it's no big deal. I settled on 12 characters because it's long enough to be strong but not so long that it's incredibly hard to type manually, for the rare case where I haven't brought my laptop, don't want to bother with the portable USB version of KeePass either, but still need to log into something at my destination.

Yes, I feel comfortable telling the whole world that all my passwords are 12 characters long. Usually it's not a good idea to give out any information about your password, even partial (let alone about all of them), but in this case I'm not worried, because 12 characters is still pretty long and the passwords are random with lots of possibilities for each character. Even an attacker who knew the exact length and character set would need to try on the order of 2^78 candidates, and at a billion guesses per second that's millions of years. Additionally, the passwords are totally unique, so if one is compromised it doesn't affect any of the others.
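As an added example (not code from the post or from KeePass), here is a generator that draws 12 characters uniformly from the same four classes, plus the arithmetic behind the "knowing the length doesn't help much" claim. The 94-symbol alphabet (printable ASCII minus the space) and the one-billion-guesses-per-second attacker are constructed assumptions; the real guess rate depends on how the site hashed your password, which is exactly why unique passwords matter when a site like Gawker leaks its database.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Alphabet mirrors the post's choice: upper and lower case, digits, punctuation.
// 26 + 26 + 10 + 32 = 94 symbols (printable ASCII minus the space).
const (
	lowerSet = "abcdefghijklmnopqrstuvwxyz"
	upperSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digitSet = "0123456789"
	punctSet = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
	fullSet  = lowerSet + upperSet + digitSet + punctSet
)

// generate draws each character uniformly from alphabet using the OS CSPRNG.
// crypto/rand.Int rejection-samples, so there is no modulo bias when
// len(alphabet) does not divide 256 (94 does not).
func generate(length int, alphabet string) (string, error) {
	if length <= 0 || len(alphabet) < 2 {
		return "", fmt.Errorf("need length > 0 and at least two symbols")
	}
	n := big.NewInt(int64(len(alphabet)))
	var sb strings.Builder
	for i := 0; i < length; i++ {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// entropyBits is log2 of the number of equally likely passwords of this shape.
func entropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// expectedYears is the average time to hit a uniformly random password by
// exhaustive search at guessesPerSecond, assuming the attacker already knows
// the length and alphabet (the post's threat model): half the space on average.
func expectedYears(bits, guessesPerSecond float64) float64 {
	seconds := math.Exp2(bits-1) / guessesPerSecond
	return seconds / (365.25 * 24 * 3600)
}

func main() {
	pw, err := generate(12, fullSet)
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated: %s\n", pw)
	// 1e9 guesses/s is a constructed figure for an offline attack on a fast,
	// unsalted hash; the site's hashing decides the real rate.
	for _, length := range []int{8, 12} {
		bits := entropyBits(len(fullSet), length)
		fmt.Printf("%2d chars: %.1f bits, ~%.3g years at 1e9 guesses/s\n",
			length, bits, expectedYears(bits, 1e9))
	}
}
```

Running it shows the gap the post is relying on: 8 random characters from this alphabet are about 52 bits and fall in a few weeks at that rate, while 12 are about 78.7 bits and take millions of years. Forcing at least one character from every class, as some generators do, shrinks the space slightly; drawing uniformly, as above, is the simplest way to get the full count.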

How comfortable are you with your password security? Do you use weak passwords because you have so many of them? Or do you use the same strong password for multiple websites? And how many seconds or minutes are wasted each day typing them in, let alone remembering them? Use a password manager and get the best of all worlds. If you haven't tried it by now, it's about time. Get a real password manager like KeePass and give it a try; trust me, you'll never go back.