- From The Editor
- Congratulations!
- The Login
- Bring it back
- Final Point
- Staff and Exec News
- Anomalies of Code
- This Months Challenge
- Previous Months Challenge
- myViral
- The Legality of Hacking
- Defining Cyber Crime
- Effectiveness of Computer Hacking Laws
- 1030. Fraud and Related Activity in Connection with Computers
- Fun Stuff
- Something fun to do with a pop can...
- Toothpick Magic (or otherwise known as 'Science')
- This Just In!
- More LoL's
- KeePass Version 1.15 Tutorial and Review
- Installing KeePass
- Using KeePass
- Former Staff Bio: Vice CinC Barnseyboy
- Processor Architecture
- myMusic
- Multiple OS's and Various Implementations
- Coders Corner - Intro To Perl Bots v2
- Contact Us!
- Comments (2)
KeePass Version 1.15 Tutorial and Review
Copyright 2003-2009 Dominik Reichl – http://www.keepass.info
Review by: 2nd Lt WiTcH.DoKtA
KeePass is a utility that allows you to create different super-secure passwords for each website you visit and also for each program that requires one. After creating the different passwords, it stores them in a highly encrypted database with one master password. It is also extremely hard to crack because you can customize the encryption rounds as well. All in all, KeePass allows you to KeeP your ass out of the hands of identity thieves. If you don’t get it yet, just keep reading, I think this is one everyone will love!
Installing KeePass
First off, you will need to download the KeePass-1.15-Setup.exe file from www.keepass.info and run it.
Select your language and click OK.
Click next, accept the EULA, and click next.
Choose where you want it to be installed (if you want to be paranoid, I suggest maybe installing it into a TrueCrypt volume) and click next.
Click next again unless you want to put it in a different Start menu folder.
Select the check boxes you want, but make sure to UNCHECK the “associate KeePass with .kdb extension” box, unless you want someone who gets into your system to know what kind of file your password database is…then click next.
Click Install to install.
After it installs a page will open up asking you if you want to visit the plugins page to download the browser integration plugins, and also to Launch KeePass. I suggest you download the plugins if you are using Firefox. If you are using Internet Explorer, it’s insecure, so I wouldn’t bother. So now you are finished with the install, let’s learn how to use KeePass!
Using KeePass
Start the program up from the start menu or desktop.
The main interface will pop up, click File at the top, and select New.
OK, you need to come up with a master password for your database now, choose something that’s not easy to crack! For example use one consisting of alpha/numeric/symbols like 5y3o4u6r!n1a7m3e@h9e3r0e&. For ease of access, as you can see, I used a pattern consisting of number, letter, number, letter, until the end of a word, then used a symbol to separate words. This is actually a very secure method as only you will know which words, which numbers, and which symbols are involved, and more importantly which order they are in. The example I gave is a 130 bit password, which is pretty secure if you ask me, and with the customizable encryption rounds, it would take a very long time to brute force!
OK, after you have picked your password, before you type it in there is a box with 3 dots on it beside the entry box. If there is no one looking over your shoulder, go ahead and click it so you can see your password. If not, be sure you type it in VERY carefully! Then click OK
Verify the password again then click OK.
The main interface opens back up, and you have access to various tabs in the left pane, associated with different types of passwords including Windows, Internet, Network, Email, and Home banking, do me a favor and DO NOT BANK FROM HOME!!! Sorry if it offends anyone, but only an idiot is going to use the Internet of all things to log in to their life-savings. You might as well go around posting your social security number, signature, and bank account numbers on the side of a semi and drive around town all day like that retard on TV, his day will come, arrogant fool!
OK rant being over now, you can also make your own categories by right clicking and selecting add group.
Right now in the right pane, right click and select add entry, all right?
A box pops up and asks for all kinds of stuff, let's do one at a time.
First, select which group the new password will fall under, we are going to set up a fake login to a website, so select Internet.
Next click on Icon and select an icon for that password if you want.
Title is where you put a name for the stored password, let's use fakesite.org login.
In the user name box, let's put john doe, or something stupid, doesn’t matter we are just gonna delete it in a minute.
In the password box, don’t put anything, instead let's use the security features of the program, the very reason I am reviewing it. Click on the little box next to the Repeat Password box that looks like uhh, the one under the box with the 3 dots like earlier.
This pops open the goodies page, or Generate Random Password page. Take my advice and select only the following checkboxes from the list: Uppercase, Lowercase, Digits, Underline, and Special. If you select some of the others, certain websites and stuff won't allow the characters in the passwords, and it will defeat the purpose.
Now at the very top of the window next to “Profile” click the button beside it to save a new profile, that way you won't have to specify your settings each time you make a new password. Name it something like Ab9&_ to let yourself know which set of characters it uses and click OK.
Finally click on Generate to get your new secure password.
Enter the URL to the site, http://www.fakesite.org/login , note that this is the page where you actually put your username and password in, like http://mail.yahoo.com and not the main website http://www.yahoo.com
Under notes, put something like, this is the login to the fake site from the tutorial.
Another cool thing is that the passwords can be set to expire after a set amount of time, useful if you have a whole slew of passwords that you want to periodically change like once a week for added security. Just leave it alone for now.
Finally click Accept. This will bring you back to the program's main interface.
Now click on the Internet tab, and in the right pane you will see your created password.
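The Generate Random Password step above, sketched as an added example (not KeePass's own code): it draws from the same five character classes, guarantees one character from each, and drops characters a site rejects. The contents of the "special" class and the function names are assumptions made for this example.

```python
import math
import secrets
import string

# Classes named after the checkboxes the tutorial selects. The contents of
# "special" are an assumption for this example, not KeePass's actual set.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "underline": "_",
    "special": "!@#$%^&*+=?",
}

def build_alphabet(classes=CLASSES, exclude=""):
    """Return each class with site-rejected characters removed."""
    kept = {name: "".join(c for c in chars if c not in exclude)
            for name, chars in classes.items()}
    return {name: chars for name, chars in kept.items() if chars}

def generate(length=20, classes=CLASSES, exclude=""):
    """Random password with at least one character from every class."""
    groups = build_alphabet(classes, exclude)
    if length < len(groups):
        raise ValueError("length is too short to cover every class")
    alphabet = "".join(groups.values())
    while True:  # rejection sampling: uniform over passwords that qualify
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in pw) for chars in groups.values()):
            return pw

def entropy_bits(length, classes=CLASSES, exclude=""):
    """Upper bound in bits for a uniformly random password of this shape."""
    size = sum(len(chars) for chars in build_alphabet(classes, exclude).values())
    return length * math.log2(size)

if __name__ == "__main__":
    print(generate(), round(entropy_bits(20), 1), "bits")
    # A site that rejects '&' and '_': the underline class drops out entirely.
    print(generate(16, exclude="&_"), round(entropy_bits(16, exclude="&_"), 1))
```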
Before you do anything else, we are going to secure our database from crackers, so click File at the top again, and select Database Settings.
Now you need to select your encryption algorithm, if you have read any of my previous articles on security, you will know that I am strongly against using the AES algorithm because; 1 it has been cracked a few times, 2 it was developed by the US National Security Agency, and 3 I’m 65% gray hat, and the other 95% black hat and I don’t like the government, besides, Twofish is more secure, so select that.
Now there is a little button with a circle in it next to the number of encryption rounds box. This will analyze your processor and adjust the encryption rounds accordingly. This makes it exponentially harder to crack your database because after you click it, it will take 3 seconds between brute force attempts. We are going to be jackasses and set the number manually to 3,000,000. Sure it may take a maximum of 15 seconds to load the database, but imagine how long it would take a cracker when they have to wait 10-15 seconds between trying 0000000000 and 0000000001 as your password! BUHAHAHA
Click OK, or put a general user name in if you use the same one for all your stuff.
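To put numbers on the encryption-rounds setting, here is an added example (not KeePass's code) that stretches a password, calibrates a round count to a target unlock delay the way the benchmark button does, and estimates the worst-case search time for the article's 10-digit case. PBKDF2-HMAC-SHA256 is a stand-in for KeePass's own key transformation, and the function names and sample seed are assumptions.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def stretch(password, seed, rounds):
    """Derive a key; every guess an attacker makes must repeat all `rounds`.

    PBKDF2-HMAC-SHA256 is a stand-in chosen for this example because it is
    in the standard library; it is not KeePass's own key transformation.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), seed, rounds)

def calibrate(target_seconds=1.0, probe_rounds=20_000):
    """Pick a round count that costs about `target_seconds` on this CPU."""
    start = time.perf_counter()
    stretch("benchmark", b"\x00" * 16, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_rounds * target_seconds / elapsed))

def worst_case_years(keyspace, seconds_per_guess, workers=1):
    """Years to try every candidate at a fixed cost per guess.

    The per-guess cost grows in proportion to the round count, and the
    total shrinks in proportion to the hardware searching in parallel.
    """
    return keyspace * seconds_per_guess / workers / SECONDS_PER_YEAR

if __name__ == "__main__":
    seed = bytes(range(16))  # constructed sample seed, not from a real database
    print(stretch("example master password", seed, 1000).hex())
    print("rounds for a ~1 s unlock on this machine:", calibrate())
    # The article's case: a 10-digit numeric password at 10 s per guess.
    print(round(worst_case_years(10**10, 10)), "years on one machine")
    # The same search spread over 1,000 machines of equal speed.
    print(round(worst_case_years(10**10, 10, workers=1000), 1), "years")
```

The delay you measure is for your own processor; the `workers` argument is there because whoever is guessing may have more or faster hardware than the machine the rounds were tuned on.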
OK, in theory, if there really was a www.fakesite.org, to use the program, all you would have to do is right click on the password entry and select Open URL. That is why we used the http://www.fakesite.org/login as the URL in the key setup, because that would be the login page and we could go straight to it from KeePass!
So you would get the www.fakesite.org login page in your default browser, then you type your user name in, and just DRAG AND DROP your password!
Yup it’s that simple people, another excellent tool that any security minded person should have in their toolbox. It’s pretty simple to use, super secure, and uncrackable!
And if you really want to be secure, use a key file along with your password and store the keyfile on a USB flash drive. Then write a simple batch file by opening notepad and typing:
START "" KeePass.exe "C:\My Documents\MyDatabase.kdb" -preselect:USBDRIVE:\keyfile.key
where “USBDRIVE” is the drive letter that your flash drive shows up as. You can also use a floppy or CD-ROM for that matter.
Click File and select Save As. Save it to the Desktop as something easy to remember but not obvious like database.bat and delete the shortcut for KeePass off your desktop and out of the Start menu.
When you run this file, it will automatically search your USB Drive for the key file, and if found, will ask for your password. If it doesn’t find it, then it will give you an error and you won’t be able to get in to your database. Handy if you always carry your flash drive with you, as someone can’t get into your house and into your database as long as you have the key with you!
For added security, like I said at the beginning of this article, install KeePass to a TrueCrypt volume and store your database there, that way even if they did get into the TrueCrypt volume (very unlikely), they would still have to brute force your password database!
I give KeePass 5 out of 5 shrunken heads because it’s the perfect tool to have for anyone, super secure, helps prevent identity theft, no bugs, and comes with a pretty thick manual with everything you need to know about the program and its inner workings, and even has a SDK!
Be sure to check out next month’s issue where I will teach you how to hack into the FBI’s database and wipe all of your criminal records! Just kidding, trade secret ;) LOL
May CyberArmy Rise Again


- Comments (2)
yippee… :)
can’t wait to get a fancy new accomplishment… hahahahaha… :P