Navigation


Content

Tip: keyboard shortcut Ctrl+F searches in the page contents.

Password Safe

How to use Password Safe for storing and auto-filling user names and passwords securely in Windows XP, Vista, 7, 8 and 8.1

By . Last modified: 2014-05-03.

In current digital world every person has about a gazillion accounts - online banks, personal and work e-mails, work computer, many web site accounts, etc. Add mobile phone and credit/debit card PIN-s, door access codes at workplace, maybe security code for home surveillance system, etc.

Phew! How are people supposed to remember all these access details? Using the same password for each account? Using the same PIN code? No, you should never use such approach!
Suppose your Facebook account gets hacked and you have that same name and password for all other accounts. Cybercriminals would now randomly test your username/password combination in Twitter, LinkedIn, Google, Yahoo, Amazon, iTunes etc and they would break into each account you have. This can easily end up with credit card frauds and identity thefts!

And then think about password policies that suggest changing passwords at least twice a year. Or that using web browsers' features that remember user names and passphrases for web sites is a really-really bad idea, because malware is able to steal the stored credentials within seconds.

The very best strategy is to create unique and strong passwords for each account. While this makes breaking in difficult for cybercrooks, it also makes it hard for you to remember all those passwords. See guidelines for creating strong passwords.

This is where you can use a password manager program - Password Safe in this example. When using Password Safe, you basically need to remember only two passwords - first, your Windows logon details, and second, access to your password database.
Never use the same passphrase for both!

Password Safe keeps all your user names and passwords in an encrypted file (using Twofish encryption algorithm) that can be accessed only by using the correct password.
It can also fill in your user name and password on web pages you visit, and it keeps password history.

Password Safe was designed by renowned security and encryption technologist Bruce Schneier and it has many ports and readers for different operating systems (Android, iOS, Mac, Linux, Unix, etc), plus Disk-on-Key Versions (storing both the program and database on same USB key). So whatever the platform you are using, you can at least read data from your password database.
Latest versions of Password Safe work with YubiKey, too.

To protect your user credentials while you're already using a web service, see the Trusteer Rapport/Endpoint Protection tutorial.

Downloading and installing Password Safe

Open Password Safe download page and click the Download pwsafe-<version number>.exe link.
Password Safe download page. Click the 'Download pwsafe' link.

Windows Vista and later will pop up a User Account Control Warning about Password Safe being unidentified (again, this is because of the lack of digital signature). Click Allow or Yes.
Windows Vista, User Account Control warning about Password Safe. Click Allow.

Password Safe setup starts. Click OK to accept English for the setup language.
Password Safe setup, Installation Language. Click OK to accept English.

License Agreement page opens, click I Agree here.
Password Safe setup, License Agreement. Click I Agree.

Click Next to accept Regular installation.
Password Safe setup, Choose Installation Type. Click Next to accept Regular installation type.

In Choose Components page, scroll down, deselect Install desktop shortcut and click Next. As Password Safe starts automatically, you do not need to overcrowd your Desktop with unnecessary icons.
Password Safe setup, Choose Components. Untick the 'Install desktop shortcut' option. Then click Next.

As default destination folder is fine, click Install.
Password Safe setup, Choose Install Location. Click Install.

Click Close after setup is complete ("Completed" is displayed above progress bar).
Password Safe setup, Installation Complete. Click Close.

Starting Password Safe for the first time - creating a new database and setting options

Password Safe does not start automatically after setup is complete - it starts automatically only after you log off and back on, or restart your computer.
In Windows XP, open Start menu by pressing Ctrl+Esc keys on your keyboard or by clicking Start button. Expand All Programs, Password Safe and click Password Safe.
Windows XP, Password Safe. To run Password Safe, open Start menu, expand All Programs, Password Safe and click Password Safe.

In Windows Vista and 7, open Start menu by pressing Windows Key and type "password" into Search box. Then click Password Safe.
Windows 7, Start menu. To start Password Safe, type 'password' into Search box and click Password Safe.

In Windows 8 and 8.1, press Windows Key+Q to open Apps Search/Search everywhere, type "password" and click Password Safe in the results.
Windows 8, Start menu, Apps Search. To start Password Safe, type 'password' into Search box and click 'Password Safe' on the right.

First you need to create a password database. Click the New Database button to do that.
Password Safe, Safe Combination Entry. To add a password database, click New Database.

Password Safe creates a folder named My Safes inside your My Documents/Documents folder and gives your first database a name - pwsafe. You can change the folder and file name, if you want to.
As defaults are fine, click Save.
Windows XP, Password Safe, Please choose a name for the new database. Click Save to create a password database in your My Documents\My Safes folder. Windows Vista, Password Safe, Please choose a name for the new database. Click Save to create a password database in your Documents\My Safes folder.

Next, you'll need to assign a password for the new password database. Make it strong and remember it well - if you forget the password, you will have no access to the database! Do not use the same password as your Windows logon password here! See this tutorial on guidelines for creating strong, but memorable passwords.

Type the new password in Safe Combination and Verify fields and click OK.
Please note that in the picture below, the password is deliberately too short and will cause a warning!
Password Safe, Safe Combination Setup. Type a password for the password database file in 'Safe Combination' and 'Verify' fields. Then click OK.

In case you typed in a weak password (too short, no mixed-case characters, numbers or punctuation characters), Password Safe will inform you of this. Click No and type a better password - at least 8 characters long, using numbers, punctuation characters and mixed-case letters.
Password Safe, Weak passphrase. If you enter an easy-to-crack password for the new password database, Password Safe will warn you of this. Click No and enter a password at least 8 characters long, using numbers, punctuation marks and mixed-case letters. Password Safe, Weak passphrase. If you enter a short password for the new password database, Password Safe will warn you of this. Click No and enter a password at least 8 characters long, using numbers, punctuation marks and mixed-case letters.

A blank password database will be created.

Changing Password Safe options

Now it is time to set Password Safe preferences using keyboard shortcut Ctrl+M or by opening Manage menu and clicking Options.
Password Safe, to change program preferences, open 'Manage' menu and click 'Options'.

Backup tab opens. Tick the Save database immediately after Edit or Add check box for extra safety after your password changes. Note that Password Safe displays non-default options in blue.
Password Safe, Options, Backup tab. Enable the 'Save database immediately after Edit or Add' option.

Next, click the Misc tab. First, select Autotype from the Double-click action combo box. The default action for double-clicking an entry is copying password to Windows clipboard, but as clipboard contents are often monitored by password-stealing trojans, there is no sense in using the feature. Besides, Autotype is a very convenient feature in Password Safe.
Then clear the Use as default username and Query user to set default username check boxes. This will prevent the annoying pop-ups asking whether you want to set the entered user name as the default one.
Password Safe, Options, Misc tab. Select 'Autotype' from the 'Double-click action' combo box and clear both 'Use as default username' and 'Query user to set default username' check boxes.

Move on to the Password History tab. Click to turn on the Save ... previous passwords per entry feature. The default number, 3, is fine.
In case you have used Password Safe before and opened your previously created file, select the Start saving previous passwords option from the Manage password history of current entries section to enable the feature for older entries, too.
Password Safe, Options, Password History tab. Enable the 'Save 3 previous passwords per entry' feature.

Click to open Security tab. Turn on the Lock password database after 5 minutes idle option for enhanced security. Then clear the 'Browse to URL' copies password to clipboard check box. This will protect your credentials from password-stealing malware.
Finally, slide Unlock Difficulty to 10 or more.
All other options are fine by default.
Password Safe, Options, Security tab. Tick the 'Lock password database after 5 minutes idle' check box. Clear the 'Browse to URL copies password to clipboard' check box and set 'Unlock Difficulty' slider to 10.

Open System tab. After you've populated a password database, you rarely need to change it. Turn on the Open database read-only by default option to prevent creating loads of unneeded intermediate backup files.
You can always start changing the currently open database by opening File menu and clicking Change to R/W. You must enter database password to enable read-write mode.
Click OK to close Options window.
Password Safe, Options, System tab. Enable the 'Open database read-only by default' option and click OK. Password Safe, File menu. To enable writing changes to the currently read-only database, click 'Change to R/W'.

Setting Password Policies in Password Safe

Next, you need to modify the default password rules for program-generated passphrases.
Generating random passwords comes handy when your mind is blank and you need to create a unique and strong passphrase. Password Safe can do this for you, and auto-fill your user name and password the next time you need to log on to the account.

Open Manage menu and click Password Policies.
Password Safe, Manage menu. Click 'Password Policies' to enhance the default one.

In the Manage Password Policies window, make sure that the Default Policy is selected and click View button on the right.
Please note that this screenshot already displays a modified policy.
Password Safe, Manage Password Policies. Click 'View' button.

First of all, never enable the Use Hexadecimal digits only (0-9,a-f) option: this makes your passwords very easy to crack! Second, because Generate Pronounceable passwords disables the use of symbols/special characters, you should always leave this check box unticked.
Now, what to do here: set Password length to at least 14 and enable using at least 2 lowercase and uppercase letters, digits and symbols.
As many web services do not work properly with Lower Than and Greater Than symbols (< and > ; login attempts with passphrases including one or both of these symbols will fail miserably), it is necessary to define your own Special set of Symbols that excludes the two problematic ones.
Click Close twice after making changes to close Password Policy windows.
Password Safe, Change/View Database Default Password Policy. Set 'Password length' to at least 14 and enable using lowercase and uppercase letters, plus digits and symbols. Then click Close.

Creating groups and entries for user names and passwords

I always recommend having different groups in password database to make finding necessary items easier. For example, create separate groups for bank accounts, mobile phone PIN and PUK-codes, e-mail accounts, online shops, etc.

To add a group, right-click an empty space and select Add Group from the menu.
Type a name for the group and press Enter key.
Password Safe. To create a group in password database, right-click an empty space and choose 'Add Group'.

To add a user name and password in a group, click the group name and use keyboard shortcut Ctrl+A or right-click the group name and click Add Entry...:
Password Safe. To create a user name and password in a group, right-click the group name and click 'Add Entry'.

Type a description in Title field ("Yahoo! mail", for example). Then fill in Username, Password and Confirm Password fields.
Note that the passwords are not displayed for safety reasons - dots or asterisks appear in place of characters. If you want to see the password, click Show button - this will disable Confirm Password field.

While creating a new account, Generate button might be helpful for suggesting a random and secure password. You do not need to remember all the passwords anymore, just use Password Safe's Autotype feature from now on!

If you are creating an entry for some online service or website, type or paste its login page address into URL field. This allows using the Browse to URL + Autotype command (described a bit later). Remember to type in the address for login page, not just any page. Also, make sure to enter a secure (HTTPS) address.
Click OK to add the entry.
Password Safe, Add Entry. Fill in Title, Username, Password and Confirm Password fields. If you are creating an entry for online account, you can also type in the service's address in URL field. Click OK to add the entry.

Now create other groups and entries. If you accidentally put an entry to a wrong group, you can either drag the entry to the correct group using your mouse, or open the entry and change its group in the Group field.

To change an entry, right-click it and select Edit/View Entry... from the menu.
Password Safe, to change an entry, right-click it and click Edit/View Entry.

To see previously used passwords for an entry, open Additional tab and check the Password History section. Please note that all passwords are displayed as plain text here, so make sure no one is looking over your shoulder.
Password Safe, entry, Additional tab. Previous passwords are shown in Password History section.

All changes are automatically saved after clicking OK only if you've set Password Safe to do so in the options.

To close a database, use keyboard shortcut Ctrl+F4 or open File menu and select Close.
Password Safe, to close a database, open File menu and click Close.

Using Browse to URL and Autotype features in Password Safe

To use Browse to URL + Autotype for online accounts, you will need to specify an address to a page that asks for login details - user name and password fields. This also includes the pages that open pop-up dialogs for logging in.
Please note that the web page must automatically activate the user name field for this feature to work correctly. If it does not, you can still open the page using the Browse to URL feature, without automatically filling the login details.

For example, to use Autotype feature for accessing Yahoo! Mail account, copy and paste https://login.yahoo.com/config/login_verify2?&.src=ym in the URL field. This is the page where Yahoo! asks for your login details.

If a page opens a pop-up dialog for user name and password, use the URL that opens that dialog. To do that, right-click on the link and click Copy Shortcut. Then return to Password Safe, click inside the URL field to activate it and then press Ctrl+V on your keyboard to paste the copied link.

The Browse to URL + Autotype feature in Password Safe opens the specified web page (URL) for you, then after a few seconds automatically types in your user name and password and "presses" Enter key to submit the login details.
To do that, right-click on an entry in Password Safe and click Browse to URL + Autotype.
Password Safe, to automatically open a web page and enter login details, right-click on an entry and click 'Browse to URL + Autotype'.

If there is no separate login page available or the page does not activate the user name field automatically, use the Autotype feature.
Open a login page in your web browser and activate user name field (not any other field!). Then return to Password Safe and double-click the entry (in case you selected the Autotype option in the Misc tab of Password Safe options).
Or you can right-click the correct entry and select Perform Auto Type. You can also use keyboard shortcut Ctrl+T for this, just remember to click on the correct entry first.
Password Safe, to automatically enter login details for an active webpage, right-click on an entry and click 'Perform Auto Type'.

This will re-activate your browser window, enter both user name and password and press Enter key for you. That's it - you're in! Smile

Using Password Safe securely

Password Safe automatically locks its open database if it has not been used for 5 minutes or when you lock your screen (using keyboard shortcut Windows Key+L). This keeps people from seeing your credentials and you can safely keep a Password Safe file open and locked.

When Password Safe starts, it will not open any database and its icon will be black in Taskbar Notification area (aka System Tray).
To force Password Safe icon to be visible in the area at all times, see the Change Taskbar in Windows tutorial.
Windows XP, Password Safe icon in Taskbar Notification area. When Password Safe starts after logging in to Windows, it will not open any database. Password Safe icon will remain black in Taskbar Notification area. Windows 7, Password Safe icon in Taskbar Notification area. When Password Safe starts after logging in to Windows, it will not open any database. Password Safe icon will remain black in Taskbar Notification area.

To open a database, right-click on the black icon and select Restore.
Password Safe system tray icon right-click menu. To see the program window and open a database, click Restore.

Password Safe window opens, click File menu and select your password file from Recent Safe List.
Password Safe, to open a database, click File menu and select your database file from Recent Safe List.

Type your Safe Combination (password) and click OK.
Password Safe, Enter Safe Combination. To open a database, type in your Safe Combination (password) and click OK.

After you minimize Password Safe window or use Autotype features, Password Safe icon in Taskbar Notification area will turn red - this means that a password safe file is open, but not locked (anyone can access its contents without entering a password first).
Windows 7, Password Safe icon in Taskbar Notification Area. When a password database is open, but not locked, Password Safe icon will turn red.

To lock the open database file, right-click on the icon and select Lock Safe.
Password Safe, to lock an open Password Safe file, right-click on red Password Safe icon in Taskbar Notification area and select 'Lock Safe'.

When Password Safe is minimized and current password database is locked, Password Safe icon will turn green in System Tray.
Windows XP, when Password Safe windows is minimized and current database is locked, Password Safe icon will turn green in Taskbar Notification area.

Changing password (combination) to a Password Safe database

In case you need to change your Password Safe file password, open the file, click Manage menu and choose Change Safe Combination... command.
Password Safe, to change password of the current password database, open 'Manage' menu and click 'Change Safe Combination'.

In Change Safe Combination dialog, enter your current password in Old Safe Combination field and type a new password in New Safe Combination and Confirmation fields. Click OK to change password.
Password Safe, Change Safe Combination. Type your current password in 'Old Safe Combination' field and enter a new password in 'New Safe Combination' and 'Confirmation' fields. Click OK.


Please support winhelp.us:
No PayPal account required!

 Comments? Suggestions? Ideas? Let me know! 
Your name (public):
Your e-mail (will not be displayed):
Title:
Notify me of new comments to this item: (send e-mail to info[at]winhelp.us to stop receiving)
Your comments/suggestions/ideas (no HTML code!)
winhelp.us owners reserve the right to remove or not publish comments that they find unacceptable because of strong language, inappropriate contents, advertising or spamming.
winhelp.us Privacy Policy.
This is a captcha-picture. It is used to prevent mass-access by robots. (see: www.captcha.net)
Share: Facebook Google+ Twitter LinkedIn StumbleUpon Pinterest E-mail

Browser and plugin check Google Custom Search Donate to keep this site running