In today's digital world every person has about a gazillion accounts - online banks, personal and work e-mails, work computer, many web site accounts, etc. Add mobile phone and credit/debit card PINs, door access codes at the workplace, maybe the security code for a home surveillance system, etc.
Phew! How are people supposed to remember all these access details? Using the same password for each account? Using the same PIN code? No, you should never use such an approach!
Suppose your Facebook account gets hacked and you have that same name and password for all other accounts. Cybercriminals would now test your username/password combination in Twitter, LinkedIn, Google, Yahoo, Amazon, iTunes etc. and they would break into each account you have. This can easily end up in credit card fraud and identity theft!
And then think about password policies that suggest changing passwords at least twice a year. Or that using web browsers' features that remember user names and passphrases for web sites is a really, really bad idea, because malware is able to steal the stored credentials within seconds.
The very best strategy is to create unique and strong passwords for each account. While this makes breaking in difficult for cybercrooks, it also makes it hard for you to remember all those passwords. See guidelines for creating strong passwords.
This is where you can use a password manager program - Password Safe in this example. When using Password Safe, you basically need to remember only two passwords - first, your Windows logon details, and second, access to your password database.
Never use the same passphrase for both!
Password Safe keeps all your user names and passwords in an encrypted file (using the Twofish encryption algorithm) that can be accessed only by using the correct password.
It can also fill in your user name and password on web pages you visit, and it keeps password history.
Password Safe was designed by renowned security and encryption technologist Bruce Schneier and it has many ports and readers for different operating systems (Android, iOS, Mac, Linux, Unix, etc), plus Disk-on-Key Versions (storing both the program and database on same USB key). So whatever the platform you are using, you can at least read data from your password database.
Latest versions of Password Safe work with YubiKey, too.
To protect your user credentials while you're already using a web service, see the Trusteer Rapport/Endpoint Protection tutorial.
Downloading and installing Password Safe
Open Password Safe download page and click the Download pwsafe-<version number>.exe link.
Windows Vista and later will pop up a User Account Control warning about Password Safe being unidentified (this is because the installer lacks a digital signature). Click Allow or Yes.
License Agreement page opens, click I Agree here.
Click Next to accept Regular installation.
On the Choose Components page, scroll down, deselect Install desktop shortcut and click Next. As Password Safe starts automatically, you do not need to overcrowd your Desktop with unnecessary icons.
As the default destination folder is fine, click Install.
Click Close after setup is complete ("Completed" is displayed above progress bar).
Password Safe does not start automatically after setup is complete - it starts automatically only after you log off and back on, or restart your computer.
In Windows XP, open Start menu by pressing Ctrl+Esc keys on your keyboard or by clicking Start button. Expand All Programs, Password Safe and click Password Safe.
In Windows Vista and 7, open Start menu by pressing Windows Key and type "password" into Search box. Then click Password Safe.
In Windows 8 and 8.1, press Windows Key+Q to open Apps Search/Search everywhere, type "password" and click Password Safe in the results.
First you need to create a password database. Click the New Database button to do that.
Password Safe creates a folder named My Safes inside your My Documents/Documents folder and gives your first database a name - pwsafe. You can change the folder and file name, if you want to.
As defaults are fine, click Save.
Next, you'll need to assign a password for the new password database. Make it strong and remember it well - if you forget the password, you will have no access to the database! Do not use the same password as your Windows logon password here! See this tutorial on guidelines for creating strong, but memorable passwords.
Type the new password in Safe Combination and Verify fields and click OK.
Please note that in the picture below, the password is deliberately too short and will cause a warning!
In case you typed in a weak password (too short, no mixed-case characters, numbers or punctuation characters), Password Safe will inform you of this. Click No and type a better password - at least 8 characters long, using numbers, punctuation characters and mixed-case letters.
A blank password database will be created.
Now it is time to set Password Safe preferences using keyboard shortcut Ctrl+M or by opening Manage menu and clicking Options.
The Backup tab opens. Tick the Save database immediately after Edit or Add check box for extra safety after your password changes. Note that Password Safe displays non-default options in blue.
Next, click the Misc tab. First, select Autotype from the Double-click action combo box. The default action for double-clicking an entry is copying password to Windows clipboard, but as clipboard contents are often monitored by password-stealing trojans, there is no sense in using the feature. Besides, Autotype is a very convenient feature in Password Safe.
Then clear the Use as default username and Query user to set default username check boxes. This will prevent the annoying pop-ups asking whether you want to set the entered user name as the default one.
Move on to the Password History tab. Click to turn on the Save ... previous passwords per entry feature. The default number, 3, is fine.
In case you have used Password Safe before and opened your previously created file, select the Start saving previous passwords option from the Manage password history of current entries section to enable the feature for older entries, too.
Click to open the Security tab. Turn on the Lock password database after 5 minutes idle option for enhanced security. Then clear the 'Browse to URL' copies password to clipboard check box. This will protect your credentials from password-stealing malware.
Finally, slide Unlock Difficulty to 10 or more.
All other options are fine by default.
Open System tab. After you've populated a password database, you rarely need to change it. Turn on the Open database read-only by default option to prevent creating loads of unneeded intermediate backup files.
You can always start changing the currently open database by opening the File menu and clicking Change to R/W. You must enter the database password to enable read-write mode.
Click OK to close Options window.
Next, you need to modify the default password rules for program-generated passphrases.
Generating random passwords comes in handy when your mind is blank and you need to create a unique and strong passphrase. Password Safe can do this for you, and auto-fill your user name and password the next time you need to log on to the account.
Open Manage menu and click Password Policies.
In the Manage Password Policies window, make sure that the Default Policy is selected and click the View button on the right.
Please note that this screenshot already displays a modified policy.
First of all, never enable the Use Hexadecimal digits only (0-9,a-f) option: this makes your passwords very easy to crack! Second, because Generate Pronounceable passwords disables the use of symbols/special characters, you should always leave this check box unticked.
Now, what to do here: set Password length to at least 14 and require at least 2 each of lowercase letters, uppercase letters, digits and symbols.
Many web services do not work properly with the Lower Than and Greater Than symbols (< and >): login attempts with passphrases including one or both of these symbols will fail miserably. It is therefore necessary to define your own Special set of Symbols that excludes the two problematic ones.
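The policy above (length of at least 14, at least 2 characters from each class, a custom symbol set without < and >) and the weaker minimum the program warns about for the Safe Combination (at least 8 characters with numbers, punctuation and mixed case) are both just counting rules, so they can be expressed in a few lines of code. The following is an added example written for this article, not code from the Password Safe project: a checker that reports which rules a password breaks and a generator that builds a password meeting the rules from the operating system's CSPRNG. The symbol set used is an assumption for illustration (all ASCII punctuation minus the two characters the text excludes); Password Safe lets you define your own.

```python
import secrets
import string

# Assumed symbol set for the example: ASCII punctuation with '<' and '>' removed,
# mirroring the advice to exclude the two characters that break web logins.
DEFAULT_SYMBOLS = "".join(c for c in string.punctuation if c not in "<>")


def check_policy(password, min_length=14, min_lower=2, min_upper=2,
                 min_digits=2, min_symbols=2, symbols=DEFAULT_SYMBOLS):
    """Return a list of rule violations; an empty list means the password passes.

    The defaults encode the article's generator policy. The weaker Safe
    Combination check is the same function with min_length=8 and 1 of each class.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    counts = {
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "symbol": sum(c in symbols for c in password),
    }
    minimums = {"lowercase": min_lower, "uppercase": min_upper,
                "digit": min_digits, "symbol": min_symbols}
    for name, needed in minimums.items():
        if counts[name] < needed:
            problems.append(f"fewer than {needed} {name} characters")

    # Anything outside letters, digits and the chosen symbol set is rejected,
    # so '<' and '>' show up as a violation when the reduced set is in use.
    allowed = set(string.ascii_letters + string.digits + symbols)
    disallowed = sorted(set(password) - allowed)
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    return problems


def generate_password(length=14, min_lower=2, min_upper=2, min_digits=2,
                      min_symbols=2, symbols=DEFAULT_SYMBOLS):
    """Build a password satisfying the policy using the secrets module (CSPRNG)."""
    if min_lower + min_upper + min_digits + min_symbols > length:
        raise ValueError("minimum class counts exceed the password length")

    classes = [
        (string.ascii_lowercase, min_lower),
        (string.ascii_uppercase, min_upper),
        (string.digits, min_digits),
        (symbols, min_symbols),
    ]
    # First satisfy every per-class minimum, then fill the rest from the union
    # of all classes so the remaining positions are unbiased.
    chars = []
    for alphabet, needed in classes:
        chars.extend(secrets.choice(alphabet) for _ in range(needed))
    union = "".join(alphabet for alphabet, _ in classes)
    chars.extend(secrets.choice(union) for _ in range(length - len(chars)))

    # Shuffle with the OS CSPRNG so the required characters are not grouped
    # at the start of the string.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs for the two checks described in the article.
    print(check_policy("password", min_length=8, min_lower=1, min_upper=1,
                       min_digits=1, min_symbols=1))
    print(check_policy("Ab1<Ab1>Ab1<Ab"))
    generated = generate_password()
    print(generated, check_policy(generated))
```

Calling `check_policy` with the generator's output always returns an empty list, while a password that contains < or > is reported both as a symbol-count shortfall and as containing disallowed characters, which is exactly why the custom symbol set matters.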
Click Close twice after making changes to close Password Policy windows.
I always recommend having different groups in password database to make finding necessary items easier. For example, create separate groups for bank accounts, mobile phone PIN and PUK-codes, e-mail accounts, online shops, etc.
To add a group, right-click an empty space and select Add Group from the menu.
Type a name for the group and press the Enter key.
To add a user name and password in a group, click the group name and use keyboard shortcut Ctrl+A or right-click the group name and click Add Entry...:
Type a description in Title field ("Yahoo! mail", for example). Then fill in Username, Password and Confirm Password fields.
Note that the passwords are not displayed for safety reasons - dots or asterisks appear in place of characters. If you want to see the password, click Show button - this will disable Confirm Password field.
While creating a new account, Generate button might be helpful for suggesting a random and secure password. You do not need to remember all the passwords anymore, just use Password Safe's Autotype feature from now on!
If you are creating an entry for some online service or website, type or paste its login page address into URL field. This allows using the Browse to URL + Autotype command (described a bit later). Remember to type in the address for login page, not just any page. Also, make sure to enter a secure (HTTPS) address.
Click OK to add the entry.
Now create other groups and entries. If you accidentally put an entry in the wrong group, you can either drag the entry to the correct group using your mouse, or open the entry and change its group in the Group field.
To change an entry, right-click it and select Edit/View Entry... from the menu.
To see previously used passwords for an entry, open Additional tab and check the Password History section. Please note that all passwords are displayed as plain text here, so make sure no one is looking over your shoulder.
All changes are automatically saved after clicking OK only if you've set Password Safe to do so in the options.
To close a database, use keyboard shortcut Ctrl+F4 or open File menu and select Close.
To use Browse to URL + Autotype for online accounts, you will need to specify an address to a page that asks for login details - user name and password fields. This also includes the pages that open pop-up dialogs for logging in.
Please note that the web page must automatically activate the user name field for this feature to work correctly. If it does not, you can still open the page using the Browse to URL feature, without automatically filling the login details.
For example, to use Autotype feature for accessing Yahoo! Mail account, copy and paste https://login.yahoo.com/config/login_verify2?&.src=ym in the URL field. This is the page where Yahoo! asks for your login details.
If a page opens a pop-up dialog for user name and password, use the URL that opens that dialog. To do that, right-click on the link and click Copy Shortcut. Then return to Password Safe, click inside the URL field to activate it and then press Ctrl+V on your keyboard to paste the copied link.
The Browse to URL + Autotype feature in Password Safe opens the specified web page (URL) for you, then after a few seconds automatically types in your user name and password and "presses" the Enter key to submit the login details.
To do that, right-click on an entry in Password Safe and click Browse to URL + Autotype.
If there is no separate login page available or the page does not activate the user name field automatically, use the Autotype feature.
Open a login page in your web browser and activate user name field (not any other field!). Then return to Password Safe and double-click the entry (in case you selected the Autotype option in the Misc tab of Password Safe options).
Or you can right-click the correct entry and select Perform Auto Type. You can also use keyboard shortcut Ctrl+T for this, just remember to click on the correct entry first.
This will re-activate your browser window, enter both user name and password and press the Enter key for you. That's it - you're in!
Password Safe automatically locks its open database if it has not been used for 5 minutes or when you lock your screen (using keyboard shortcut Windows Key+L). This keeps people from seeing your credentials and you can safely keep a Password Safe file open and locked.
When Password Safe starts, it will not open any database and its icon will be black in Taskbar Notification area (aka System Tray).
To force Password Safe icon to be visible in the area at all times, see the Change Taskbar in Windows tutorial.
To open a database, right-click on the black icon and select Restore.
Password Safe window opens, click File menu and select your password file from Recent Safe List.
Type your Safe Combination (password) and click OK.
After you minimize Password Safe window or use Autotype features, Password Safe icon in Taskbar Notification area will turn red - this means that a password safe file is open, but not locked (anyone can access its contents without entering a password first).
To lock the open database file, right-click on the icon and select Lock Safe.
When Password Safe is minimized and current password database is locked, Password Safe icon will turn green in System Tray.
In case you need to change your Password Safe file password, open the file, click Manage menu and choose Change Safe Combination... command.
In Change Safe Combination dialog, enter your current password in Old Safe Combination field and type a new password in New Safe Combination and Confirmation fields. Click OK to change password.