Use random passwords and quit remembering them.

Sounds like a crazy thing to say, but one might consider the plain-old, pedestrian password the most fundamental and common security control ever seen in the modern world. More password-capable accounts exist than do door locks, ignition keys, and preteen diaries. Most support lengths into the hundreds of characters and can be made complex by mixing upper case, lower case, numeric, and special characters.

And yet, we highly-intelligent and business-savvy people insist on using the same few combinations of letters. Over and over again. Anytime we use a password. On all of our devices. For all of our accounts. At work and at home. Year after year.

Because passwords are hard to remember.

First of all, that is really bad practice. Let’s just be honest. You know it and I know it. The entire Internet knows it.

Secondly, and more to the point of the Critical Armor strategy, you must have secure passwords to protect your children. Parents should not use passwords, any passwords, known to their children (except those purposefully given). Ever. Parents should furthermore make an effort to use different passwords on all devices and accounts.

Yes, I’m being serious.

I hope I didn’t scare you away. If you’re still reading, let me assure you that this doesn’t have to be difficult to do. In fact, once set up properly, it only requires one extra step. So, it takes only the smallest amount of effort, and the benefits more than outweigh the cost. If the Critical Armor Zone Strategy is a door, then the password safe is the hinge. So, one might ask, “What is a Password Safe?” Imagine a key ring on which a person keeps all of his or her keys. House keys, car keys, safety deposit box keys, and so forth. This person understands the importance of that key ring and consequently stores it in a locked box. Each time the person needs to open a door, the box must be unlocked, the proper key retrieved, and then placed back after use, with the box locked once more.

A password safe is an encrypted database, or locked box, filled with passwords.

However, if we do it right, that “locked box” travels anywhere the user goes, because we will synchronize that database with phones, computers, and tablets so we will always protect our keys but never end up without them. And it can be done for free, so there’s that too.

Critical Armor will deal with this in two parts. First, in this article, we will download, set up, and configure software called OneDrive from Microsoft. If you already use a cloud-based synchronizing technology (Google Drive, Dropbox, iCloud, etc.) then please continue with that instead. The only caveat is that it must have a client that can be installed on your particular smartphone. A second article will walk through the process of sharing a KeePass database between many devices.

Please note: Only one computer needs to have KeePass installed. There will be no reason to install it on children’s computers or devices–in fact, doing so will somewhat lessen security. KeePass only stores the passwords for the reference of the parents–it doesn’t secure computers.

A word about alternative password safes: There are several software options for password safes. KeePass is generally considered among the first rank, but other good options certainly exist. Some cost a small amount of money, others are free. Any user reading this post who already has a password safe configured, or who feels equal to the task of setting one up, should feel free to use it. KeePass itself is not special or irreplaceable in the Critical Armor Zone Strategy. Critical Armor selected it as a recommended technology for the following reasons:

  KeePass is among the most common solutions found in lists of password managers.
  KeePass supports most (if not all) modern platforms and smart phones.
  KeePass has a long track record of updates (over ten years), so it probably won’t disappear from the Internet tomorrow.
  KeePass uses a separate database file.
  KeePass is not a browser-based solution or an online-only (cloud-based) solution.
  KeePass has a long list of plugins, ports, and third-party developers.

These reasons support the Critical Armor philosophy of the least expensive solution with the broadest application.

Housecleaning

From the KeePass website:

  Neither KeePass nor any other password manager can magically run securely in a spyware-infected, insecure environment. Users still are responsible for the security of their PC. Do use anti-virus software, keep security-critical software up-to-date, use a proper firewall, only run software from trusted sources, do not open unknown e-mail attachments, etc.

Well, he’s right.

So, start either fresh with a new computer or clean rigorously. Windows, Macs, and Linux are all capable and known to have malicious software aimed squarely at them. Please don’t believe the hype that viruses are impossible on certain platforms. It isn’t true (see here and here).

If uncertain, it may be worth the hourly fee at a Geek Squad or Staples location for a second opinion.

Install OneDrive

[Figure 1] [Figure 2] [Figure 3]

Skip this step if the home already uses another cloud technology, such as Google Drive, Dropbox, or Apple iCloud. Critical Armor recommends Microsoft OneDrive as one of the more flexible options for the majority of home users with Windows computers. For one thing, if you have a Windows 10 machine you already have OneDrive. And for another, it also uses the same Microsoft Account set up in a previous post (http://criticalarmor.com/2016/windows-10-restricted-user-accounts/). This account may be used for many useful free offerings from Microsoft, such as the excellent OneNote, and users may later choose to purchase Office 365.

For older Windows or MacOS computers, go to http://www.onedrive.com and click download (Figure 1). Follow the install without much deviation (Figure 2). Place the “OneDrive” folder inside the “My Documents” folder if not already defaulted to that location.

Once complete, right-click on the new “cloud” icon in the system tray, and select settings. The settings dialog (Figure 3) reveals the ability to selectively synchronize folders. Microsoft provides 5GB for free, so selectively synchronizing folders may be key to prevent filling up the space (this article primarily concerns itself with a folder in which to store the KeePass database).

Make a folder inside the OneDrive location (on your computer’s hard disk) called “Security” or something similar.

Install KeePass

[Figure 4] [Figure 5] [Figure 6]

Go to http://keepass.info/download.html and find the latest version. For Windows, the install should work without any surprises. MacOS and Linux machines must also install an open-source .NET library called Mono. Both sites maintain really good documentation on the installation process, therefore we will not attempt to duplicate their work here in a place that will quickly fall out of date with newer versions.

KeePass provides a backwards-compatible 1.x version for existing Windows-only users, but for our purposes the 2.x version will work best. While it says “Professional”, the project is open-source and therefore has no cost.

[Figure 7] [Figure 8] [Figure 9]

The 2.x version comes in two options, a full install and a portable version. Windows users should just use the full install for the sake of simplicity. The MacOS and Linux install processes require the portable version. Please follow the additional steps detailed by the guides found on the KeePass website.

As seen in Figures 4-9, allow the defaults to remain. If desired, the user may elect to create desktop shortcuts or not (Figure 7). Critical Armor recommends that KeePass start with Windows automatically. Doing so allows the database to be ready at all times and prevents issues or delays in synchronizing the data. The following section of this post provides instructions for auto-start configuration as well as other settings.

Creating a KeePass Database

[Figure 10] [Figure 11]

To begin, the user must first either log in to an existing KeePass database (Figure 10) or create a new KeePass database (Figure 11). When creating a new database, as most reading this article will, remember to place the database into the OneDrive folder created earlier (Figure 3).

The OneDrive synchronization will continually ensure that a backup copy of the password database exists on the user’s Microsoft Cloud. This one, most important, step provides the real value of using KeePass to support the Critical Armor Strategy. Namely, having all of the passwords available at any time through the use of a smart phone, tablet, or computer.

So remember: Whatever the name of the “security” folder, place the new KeePass database inside.

Next, the database requires a password. Consider this the MASTER password. It serves as the skeleton key for all other passwords. Therefore, it should never be shared or written down. It should be memorable but not guessable. For best results, use a pass phrase rather than a password.

Passphrase means a “memorable sentence distilled down to a complex password.” For instance, the sentence might be “I remember America’s Bi-Centennial in 76 at Grandma’s house!” The password could be “IrAB-C76aGh!” Following the same rule, the sentence “My football jersey #32 was Blue and White” becomes “Mfj#32wWaB” when condensed down to a passphrase.

Always use upper case letters, lower case letters, numbers, and special characters.
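As an added example (not part of the original post), here is the passphrase rule above written out mechanically in Python. It keeps every word, so its output for the post’s first sentence is one character longer than the hand-condensed version; the second function checks that all four character classes the post asks for are present.

```python
import re

# Mechanical version of the post's passphrase rule (added example, not the post's
# own code): each word contributes its first letter (each half of a hyphenated
# word, hyphen kept), numbers are kept whole, and punctuation such as '#' and
# '!' is kept. Apostrophes are dropped so "Grandma's" counts as one word.
WORD_PARTS = re.compile(r"[^\W\d_]+|\d+|[\W_]+")


def condense(sentence: str) -> str:
    """Distil a memorable sentence into a password-shaped string."""
    out = []
    for token in sentence.split():
        token = token.replace("'", "").replace("\u2019", "")
        for part in WORD_PARTS.findall(token):
            # letters -> first letter (case preserved); digits and punctuation kept as-is
            out.append(part[0] if part.isalpha() else part)
    return "".join(out)


def has_all_classes(password: str) -> bool:
    """True when upper case, lower case, a digit and a special character are all present."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    for sentence in ("I remember America's Bi-Centennial in 76 at Grandma's house!",
                     "My football jersey #32 was Blue and White"):
        pw = condense(sentence)
        print(f"{sentence!r} -> {pw}  (all four classes: {has_all_classes(pw)})")
```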

Configuring KeePass

[Figure 12] [Figure 13] [Figure 14]

KeePass defaults to only the most basic settings. To make things more effective for the purposes of Critical Armor, certain features must be enabled. Open KeePass, go to the Tools menu and select Options.

Follow the suggested settings as seen on the Security Tab (Figure 12). Most of these settings deal with locking the database automatically so that another person cannot use it if accidentally left unattended.

On the Interface tab (Figure 13), select the options as seen to allow KeePass to operate in the background (minimize to the System Tray).

Finally, on the Advanced tab (Figure 14), set KeePass to automatically start with Windows, minimized and locked.

Create a Password Entry

The next section creates an entry in the database to record a password. Remember, this password does not interact with websites or the user’s computer–it is only a secure way to record or “write down” a password so the user will not forget it. Changing a password in KeePass (other than the master password of KeePass itself, naturally) in no way changes the account password on a website!

A section below will provide directions on how to deal with simple passwords already in place. This section only discusses creating a new entry.

[Figure 15] [Figure 16] [Figure 17]

Click the “Key” icon on the menu bar to create a new entry.

On the first time, Critical Armor recommends building a new password profile to include special characters and numbers. Drop down the indicated button in Figure 15. Set KeePass to use the displayed settings on the Password Options (Figure 16) and then save the profile with a recognizable name (Figure 17).

In this case, Critical Armor recommends all Upper Case and Lower Case characters, Digits, and certain Special Characters. Do not select Spaces or High ANSI. Spaces can confuse some websites and software, while High ANSI characters are very inconvenient to enter on the on-screen keyboards of smart phones and tablets. With the profile saved, all new entries may use it by dropping down the “Key” button again and selecting that profile by name (Figure 15).

Once again, do this only the first time–the profile will exist on that computer until the user removes it. Do note, however, that the password profile does not seem to be stored inside the KeePass database, so any additional computer set up this way will need a profile created as seen in Figures 16 and 17.

KeePass Tips

[Figure 18]

Many websites use Password Recovery Questions to enable a password reset, in case the user forgot or lost the original password. Critical Armor recommends these be viewed as additional layers of passwords. Be aware, older children will likely know a mother’s maiden name and a parent’s birthplace city.

Therefore, when setting up accounts on websites with password questions, use random answers as seen in Figure 18 and record them into the notes field of KeePass. These notes will stay with the password record in the database and will synchronize to OneDrive.

Simple steps such as this will not only keep a family safer but also help prevent data or identity theft by external actors. After all, some of the questions these sites use are relatively simplistic and easily answered with a simple Google search. It isn’t a very big leap of logic. A Facebook profile showing a person living for years in a sizable city might just indicate that the person was also born in that same city.
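As an added example (not code from the original post or from the KeePass project), a small Python generator that follows the password profile recommended in the Create a Password Entry section (upper case, lower case, digits, ASCII specials, no spaces, no High ANSI) using the operating system’s secure random source, plus a random answer for the recovery questions described just above. The exact special-character set and the retry-until-every-class-appears rule are assumptions of this example, not KeePass settings.

```python
import math
import secrets
import string

# Assumed special-character set; KeePass's own list is chosen in its dialog (Figure 16).
SPECIALS = "!#$%&*+-=?@^_"
PROFILE_CHARS = string.ascii_uppercase + string.ascii_lowercase + string.digits + SPECIALS
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS)


def generate(length: int = 20) -> str:
    """Draw a password from the profile charset with a CSPRNG (secrets, not random).

    Redraws until every class is represented, so a generated password never
    silently lacks a digit or a special character (the post's four-class rule)."""
    while True:
        pw = "".join(secrets.choice(PROFILE_CHARS) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def recovery_answer(length: int = 16) -> str:
    """A random letters-and-digits answer for a security question, to be pasted
    into the KeePass notes field. No specials, so any web form will accept it."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))


def search_space_bits(length: int, charset: str = PROFILE_CHARS) -> float:
    """Entropy in bits of a uniformly random string of this length over the charset."""
    return length * math.log2(len(charset))


def is_safe_for_forms(pw: str) -> bool:
    """True when the string has no spaces and no High ANSI / non-ASCII characters."""
    return all(33 <= ord(c) <= 126 for c in pw)


if __name__ == "__main__":
    pw = generate()
    print("password:", pw, f"({search_space_bits(len(pw)):.1f} bits)")
    print("recovery answer:", recovery_answer())
```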

Process for Accounts

Over the course of the next several days, weeks, or months, go to each important website or system and change passwords. When changing, use KeePass to generate a random password or make up a new one and record it in the database. Follow this process:

  1. Login to website / account and browse to the account settings for that site or system. These are sometimes a little difficult to find, so it might take some time.
  2. Unlock KeePass and create a new record. Fill out the form, copy and paste the login link, name it in a way that is easy to remember.
  3. Assign a random or unique password and save the KeePass entry. Always do this first, to ensure the new password gets saved before changing the actual password in the site or system.

Wrapping Up

Another post will follow to discuss the use of smart phone clients to access the KeePass database on the OneNote cloud from anywhere. Using the smartphone clients really amplifies the value of KeePass within the Critical Armor protection scheme.

Keep Building the Castle.