Thread: Securely carry personal passwords

There is a concept known as a "life password", which is a common tendency amongst computer users. Most people use the same password for all the websites that they use, including forums, social networking sites, image hosting sites and for the whole host of services that Web 2.0 has to offer. This is actually a very risky thing to do, as if a single site gets compromised, or you are misled into signing up on a bogus website, all your accounts are compromised. Your e-mail account is a step away from your financial details, which are enough to scam you. Another, marginally more secure approach that people have is to use high-level passwords for the more sensitive sites, and low-level passwords for all the other web sites that they frequent. This too, is not as secure as having a different password
for different sites.

The total number of passwords a modern computer user has to keep track of, can quickly get very complicated and hard to manage. For this purpose, people use a password "safehouse", such as KeyPass, to keep their passwords secure and available at any point of time. KeyPass stores all the passwords for all your accounts in one secure location. The passwords are stored in a database, for retrieval whenever necessary. KeyPass encrypts the files with the passwords
that it stores, so it would take considerable time and effort to decrypt the password file, even if the attacker has a lot of computer resources at his disposal. It is possible to choose a combination of protection for your passwords, that all the present computing power allocated to cracking the encrypted .text file for the rest of the lifetime of the universe would not be able to crack it. KeyPass is very secure, but the users will have to be careful of two things, the master password to access the password database, and the key file, if the user decides to make one. A keyfile is a block of randomly generated data, that is used to codify the passwords, and to decode them when they are to be retrieved.

The benefits of using KeyPass are twofold. Apart from securely storing all the data in an encrypted database, KeyPass can be used to enter in login and password information automatically. In case the computer you are using has a software or hardware keylogger installed, to monitor internet usage and extract login details for accounts, then KeyPass is very effective at going around such keyloggers. In fact, KeyPass uses a process called obfuscation, that sends a strong of random characters to any keylogger, and in that sense is more effective than using a virtual keyboard.

The first time you start up KeyPass, you will have to set it up in a number of ways. On first run of the software, you will have to choose two key aspects of your security. The first is the master password, which gives you access to all the passwords.

The longer the master password, the harder it is to crack. Remember that a lot of intrusion occurs from people the victims know of in real life. So choose something that people who know you cannot guess as being your password. Also, keep its length above 12 characters at least, and use capitalisation, numerals and symbols. Once a password is created, KeyPass throws up a "strength" of the password, which is a measure of how tough the password is to crack using brute force methods. Anything over the 50 bit strength is good enough for most purposes. The second, is the keyfile. A keyfile is not strictly necessary, but is a far more secure way of encrypting your data than the master password. Say your master password is even 20 characters in length, which is very difficult to remember and very long, brute force efforts can still break through the password. "Brute Force" or "Dictionary" approaches to password cracking use every possible combination of letters and numbers to get in, and while time consuming and laborious, it is very efficient. This is where the added security of a keyfile comes in.

Keyfiles use incredibly long strings of random data, and are tougher, if not impossible, to crack using brute force methods.

KeyPass generates the key file for you, if you choose to go for one. There are two methods for generating the keyfile, and they appear side by side in one window.
The option on the right allows you to move the mouse randomly over a field. The second option lets you key in a string of random characters. Both these approaches are preferred over a computer approach at generating a random key, because computers have a very limited ability at generating truly random data. The erratic movements of the human is a far more random element, and therefore a stronger source of random data than what the computer can generate. It is generally preferable to use the mouse movement as a mode of input rather than typing out random keys, as typing out random keys wont be as random as moving the mouse in a random fashion.

Now the database is opened up, and you can go about adding the relevant details. Add in the website, the account information, and the login details. Enable auto-type for the frequently used entries. KeyPass is portable, so you can take these settings with you when you move between computers. When you enable Auto-type, a warning will pop up that Auto-type will not run on all windows. Auto-type just does not work in some very obscure scenarios, such as when a user is using a text based browser, or when using a command line interface. However it is unlikely that a lay user will run into such applications.

While enabling Auto-type, there is a check box for enabling obfuscation. Obfuscation is the feature that bamboozles keyloggers. Targeted programs can be written to bypass the obfuscation, but these are rare. When you enable obfuscation, a prompt will appear that warns you that obfuscation does not work all the time, this is for the command-line scenario, so you can ignore it.