Do yourself a favor and use Password Safe

01 Dec 2012
Posted by Kiran

We live a large part of our lives online these days. The services that we use carry sensitive and personal data on their servers - data which, if lost or compromised, can cause us a whole lot of worry.

We use passwords to protect that data. Many users have had their data compromised due to weak passwords and then have a hard time getting their lives back on track. I have seen many of my friends & family suffer such data compromises and the resulting embarrassment and even financial loss.

Experts reiterate a three-point security rule to ensure that loss due to a single compromised password is minimized:

  1. Have a unique password for every website - i.e. use a different password for every online account
  2. Make your passwords a combination of random letters, digits and special characters
  3. Don't write down or share your passwords with anyone

Those rules are all good and truly help us stay safe. However, users still choose weak passwords, reuse passwords across sites or keep a written record of their passwords in some diary or piece of paper somewhere. Why?

The reason, obviously, is that those rules are too damn hard to live by. I was personally guilty of reusing passwords across sites; that was before I started using Password Safe.

What is Password Safe?

It is a simple tool that allows users to generate and store passwords securely. The tool uses Twofish encryption to securely store the password database. The passwords in the database are secured using a master-password; the one and only password that the user has to remember.

What can it do?

The key features of Password Safe include:

  1. Generate passwords using a combination of upper- and lower-case letters, numbers and special characters.
  2. Ability to store usernames and passwords in logical groups inside a securely encrypted database
  3. Enforcement of password policies at a database level as well as for individual password entries
  4. Automatically typing the username and password into another screen on the desktop
  5. Track periodic password expiry and prompt users to change the passwords at the defined frequency

Is it available on Mobile?

Yes, Password Safe has been ported to Android. You can download it from the Play Store. You can find compatible versions for other platforms at the Related Projects page. You can also use Dropbox to sync your password database between your Desktop and Smartphone.

What are the steps to configure it?

To quickly set up your password safe:

  1. Follow the Quick Start Guide to create your password safe
  2. Choose a strong master-password and create your password database
  3. Create a few Password Policies for use with your password entries
    • Some examples
      1. 4 Digit Numeric for ATM Pins etc.
      2. 16 character alphanumeric password with special characters
      3. 24 character alphanumeric password with special characters
      4. 32 character alphanumeric password with special characters
  4. Create logical groups to store your passwords in
    • Some examples
      1. Finance
        • Banks
        • Insurance
      2. Social Media
        • Google
        • Twitter
      3. Other Web services
        • Dropbox
  5. Create entries for all your web-accounts
    1. Add an entry into an appropriate group
    2. Choose a password policy for this entry - make sure to choose a password length that is supported by the service provider
    3. Generate a new password and change the password on the website using the generated password as your new password
    4. Set an expiration date for the entry in your Password Safe; I recommend that you set password expiry for every 100 to 200 days even if the service provider does not enforce a password expiry timeframe
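As an added illustration of steps 3 and 5 above (example code written for this post, not Password Safe's own code or file format), the snippet below models the example policies as (length, character classes), generates passwords from the OS CSPRNG and verifies that a password actually satisfies the policy it was generated under. The policy names and the symbol set are this example's own assumptions.

```python
import math
import secrets
import string

# Example policies from the post: name -> (length, required character classes).
# The names and this structure are constructed for the example, not Password Safe's.
POLICIES = {
    "atm-pin": (4, ("digits",)),
    "web-16": (16, ("lower", "upper", "digits", "symbols")),
    "web-24": (24, ("lower", "upper", "digits", "symbols")),
    "web-32": (32, ("lower", "upper", "digits", "symbols")),
}

# Assumed character classes; the symbol set is an arbitrary choice for the example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}


def satisfies(password: str, policy) -> bool:
    """True if the password has the policy's length, uses only allowed characters,
    and contains at least one character from every required class."""
    length, classes = policy
    allowed = "".join(CLASSES[c] for c in classes)
    return (len(password) == length
            and all(ch in allowed for ch in password)
            and all(any(ch in CLASSES[c] for ch in password) for c in classes))


def generate(policy) -> str:
    """Draw characters with secrets (CSPRNG), never random.random; resample until
    every required class is present so the result always satisfies the policy."""
    length, classes = policy
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(candidate, policy):
            return candidate


def entropy_bits(policy) -> float:
    """Upper bound on the entropy of a uniformly drawn password: length * log2(alphabet)."""
    length, classes = policy
    return length * math.log2(sum(len(CLASSES[c]) for c in classes))


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:8s} {generate(policy)}  (~{entropy_bits(policy):.0f} bits)")
```

The entropy figure is what makes the post's "longest password the site allows" advice concrete: a 4-digit PIN is only about 13 bits, while a 16-character mixed policy is over 100.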

Why should I use it?

The primary reason is simple: it allows you to follow the three-point formula recommended by security experts while still not having to remember all your passwords yourself.

So does this mean that Password Safe is the perfect solution?

No. As you may have already guessed, this approach depends on you choosing a sufficiently strong master-password which you can still remember.

There are two primary risks that you need to understand:

  1. If you choose too weak a master-password, then should anyone malicious obtain access to your password database and be able to crack your master-password, they could potentially gain access to all your accounts. In effect the password database can be a single point of failure for you. Hence, it is important that you choose a master-password of at least 16 characters.
  2. If you choose too complex a password, you may forget it! If you do, there is absolutely no way for you to regain access into your password database. In effect you will lose all your passwords permanently and will have to reset passwords for all your online accounts.

Some tips for choosing a master password

  1. Don't make it a password; make it a pass-phrase
  2. Make it a combination of random, unconnected words. Yes, something like that xkcd strip that some of you may have seen
  3. Further strengthen the pass-phrase by appropriate character substitutions

For example:

  • broady brooch is at lisbon to find a tailor
  • bro4dy br0och i$ @ lisb#n t0 fi^d a tailor!
  • bro4dy bR0och i$ @ Lisb#n t0 fi^d a Taylor!

Anything else?

If you do decide to use Password Safe, let me add a few more tips for you to follow to protect yourself around the web:

  1. Don't reuse the same username across websites; Password Safe remembers the username as well, why not choose a different one for each service?
  2. Use the longest password that is allowed on that particular website - Password Safe allows you to create a password policy unique to each entry.