I normally only use one or two login passwords
and so, previously, I have never bothered to check out password
encryption programs. However, recently, I seem to have had to consult
my "top secret" hard-copy file of web site passwords in order to access
various obscure sites that I use only infrequently. While this file
folder is a useful resource for storing multiple passwords, the
difficulty comes when needing to locate a given password. Typically
this means leafing through multiple printouts of login credentials for
a wide range of web sites that aren't arranged in any kind of logical
sequence. I suppose I could organize these listings in a loose-leaf
binder, rather than using a simple file folder, but it is probably even
more efficient to use a computer-based password manager.
The essence of these software systems is an encrypted database, opened
by means of a master password, that contains listings of individual web
sites and their associated login credentials. Even better, most of
these programs offer a way to enter a userid and password for any given
site more-or-less automatically, thus expediting the login process.
My password manager of choice is KeePass, primarily as it is
open-source software that garners good reviews, but also because the
Windows version has a Linux equivalent (KeePassX) which means that I
can use the same password database on both platforms. There are both
1.x and 2.x versions of KeePass with Version 1.23 being compatible with
KeePassX. Consequently, it is KeePass Version 1.23 that is reviewed
By default, KeePass offers to store passwords for three groups of
applications, namely Internet, eMail and Backup systems. I only require
to store passwords for web sites and so opted to set up a new database
in the Internet group. The only requirement is to select a master
password with which to access the database. Optionally, one can also
specify a "key file". This is an additional security measure since both
the master password must be entered, and the specific key file must be
present, before the password database can be opened.
With the database open, a new set of login credentials can be entered
by selecting "Add Entry", either by clicking on an icon, or by using
the program's edit menu. The subsequent dialogue box has fields for
Title, User name, Password, URL and Notes. An icon is associated with
each listing and this can be selected from an available set of icons or
a custom image can be used. The entry can be set to expire on a given
date and time; however, by default, the expiry date is unchecked.
that is entered (and repeated as a double check) is encrypted in the
final database and is displayed as a series of asterisks. A button
(three dots) lets you see the actual password string behind the
asterisks (when the encrypted database is open). The "quality" (i.e.
strength) of the selected password is roughly indicated by the length
of a horizontal bar, and an indication of the number of bits used in
the string. For the paranoid amongst us, there is a built-in password
generator that will produce (presumably) incredibly secure passwords.
My test used a 256-character string producing a password with a full
horizontal bar and 535 bits.
Clearly, one could
use KeePass purely to store login credentials. The web sites are listed
in alphabetical order so retrieving a given record is quite simple. One
could then copy and paste the userid (User name) and password (having
used the "three dots" button to extract the encrypted text) from the
data record into the login prompts on the web page. However, as noted
earlier, KeePass provides an option for the program to "fill-in the
blanks" on the login screen. This process is a little non-intuitive
and, in my case, required reading through a section of the web-based
KeePass Help Center (Help - Help Contents - KeePass Help Center -
Features - Auto-Type) a couple of times before I clued in on the
The first trick is to hit the drop-down "Tools" button in the
lower-left corner of the data record for any given web site. With the
desired web site open in the browser at the login page, one clicks on
"Auto-Type: Select Target Window". Then, one uses the second drop-down
menu to select the appropriate listing which in my test case was
"Ottawa PC Users' Group (OPCUG) Inc. - Mozilla Firefox".
The second trick is to navigate to "Tools - Options - Advanced -
Auto-Type" in KeePass's main menu and enter a keyboard shortcut in the
"Global auto-type hot key combination" field. I opted for Ctrl + Alt +
P as the keystroke combination that would automatically populate a web
site's login credential fields.
Even then the process turned out to be somewhat hit and miss. For
example, I couldn't get the system to work for OPCUG's web site as
KeePass returned the login credentials for a different entry. And, in
my DropBox account, KeePass selected the correct entry, but populated
the E-mail field (effectively the userid) with my DropBox password
instead of the user name! However, the auto-type process worked fine
for some other web sites, e.g. National Capital Freenet.
While the automatic login process appears to be fraught with
difficulties, KeePass does at least let me store my infrequently-used
web site login credentials in an electronic format, and provides a
readily-available resource for this information when it is needed. So,
no more leafing through dozens of pieces of paper for me!
KeePass Password Safe (Open-source)
Author: Dominik Reichl
Originally published: January, 2013
top of page
expressed in these reviews
do not necessarily represent the views of the
Ottawa PC Users' Group or its members.