
How to use Password Safe on Microsoft Windows 7

Password Safe is an excellent choice of password manager on the MS Windows platform. Using it effectively can save time and effort, and protect your privacy.

As explained in "Five features of a good password manager," the increasing complexity of our digital lives and the increasing threat from malicious security crackers and malware combine to present the troubling problem of needing to use strong passwords -- which are pretty much by definition difficult to remember -- in large numbers, without writing them on sticky notes, storing them in text files, and so on. Using some kind of password management tool has become the only suitable answer to the problem. A good password manager turns the problem of remembering hundreds of strong passwords into the somewhat simpler task of only remembering one while still allowing us to maintain separate strong passwords for all of our secure authentication needs.

Another article explained how we can use pwsafe as a keyboard shortcut driven X tool, which can greatly improve the convenience of using a password manager for common tasks on Unix-like desktop systems using the X Window System. Even without the solution provided there for turning it into a keyboard shortcut driven tool, pwsafe is a decent password manager, as are Password Gorilla and MyPasswordSafe.

All three of them use peer-reviewed, heavily tested, strong encryption for password storage, and the design of all three of them is verifiable because they are all open source software. MyPasswordSafe, in fact, is copyfree licensed under the terms of a BSD License. They are also mutually compatible, using the same password database format, because all three of them are designed to be compatible with a password manager called Password Safe.

Password Safe was created by Bruce Schneier and Counterpane Labs for MS Windows users, and it has been released under the terms of the Artistic License. It can be downloaded from a link on the Password Safe site, where it says "click here for latest version." As that site explains:

Password Safe allows you to manage your old passwords and to easily and quickly generate, store, organize, retrieve, and use complex new passwords, using password policies that you control. Once stored, your user names and passwords are just a few clicks away.

The installation process is straightforward, and most users will have no need to choose non-default configuration options. The most likely option that a user may wish to change during install is the "Installation Type"; in some cases, a user may wish to use the "Green" option, which makes use of a separate USB flash media device to ensure the password database is portable, and does not use the Windows Registry. Most users will just go with the "Regular" option, however.

When opening Password Safe, it provides a text field labeled Open Password Database:, which can be used to access already saved passwords. The first time the program is executed, however, you will need to create a password database. To start that process, click the New Database button.

You will then be presented with a dialog asking you to choose a name for the new password database. After entering a name -- or accepting the default -- and clicking the Save button, the Combination Setup dialog will appear. Despite the cutesy "safe combination" terms, this is merely a request to set a master password that will be used to access the passwords you will store in Password Safe's encrypted database. Enter the same strong password twice, once in the Safe Combination: field and once in the Verify: field, then click the OK button to set that as the master password for your new password database. If your password is too short and simple, Password Safe will pop up a warning, asking whether you want to use the password you entered or choose something stronger.

After the database's password is set, the main Password Safe window will open, showing a series of buttons at the top and a blank white area that represents the password database itself, currently empty. As long as the Password Safe window has focus, pointing your mouse cursor at each of the buttons that are not grayed out will raise a tooltip that states the basic function of the button. One that looks somewhat like a sheet of paper with a plus sign in a green circle at the lower-right corner is the Add New Entry button, and clicking that will open the Add Entry window, used to save a new password in the database.

Before creating your first new password entry in your first database, you should set a default password policy. To do this, click on the Password Policy tab in the Add Entry window. The default random password generation rules are simplistic, and do not produce the strongest passwords. Given that the whole point of using a password manager is to save the user the headache of managing passwords he or she would have difficulty remembering, using as many different types of characters as reasonably possible is the obvious choice, and the eight-character alphanumeric password policy that is Password Safe's default is woefully inadequate for the task of ensuring password security. To rectify this shortcoming, three simple steps should be taken:

  • Select the Use the Policy below: radio button, and increase the password strength of the settings provided.
  • At minimum, increase the Password length: setting to 20.
  • Check the Use Symbols checkbox.

Back at the Basic tab, you can then create a new password entry where you generate a random password using this policy.

Password Safe organizes passwords in a simple hierarchical manner, allowing the user to categorize them by "Group" name. To set the group of a new password, enter the name for the group in the Group: field -- email, for instance, if you are setting up an entry for an email account password. The Title: field allows you to label the password using a term that will be easily recognizable in relation to how the password is used, such as "gmail" if this entry will store your GMail password. The Username: and Password: fields will store the authentication credentials for this entry in the database. The URL: and email: fields are described in more detail in Password Safe help documentation, but are not critical to the use of the password manager, and the Notes: field is exactly what it seems to be: a place to save notes about this particular password.

It is a good idea to use the Generate button, with a password policy that specifies strong passwords as described above, when creating new passwords. Unfortunately, bad password policy that prevents us from using the strongest passwords does exist in some authentication systems, and especially egregious cases like the American Express password policy of several years ago can really limit our ability to use randomly generated strong passwords. In such cases, it is typically a good idea to still use a complex, randomly generated password, but use the Show button under the Basic tab and hand-edit the password to remove characters disallowed by the restrictive password policy to which your new password must conform. An even better idea, if you can get away with it, is to not use the application, site, service, or other resource that enforces weak passwords.
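To make the reasoning behind the policy settings above concrete, here is an added Python example (not Password Safe's own code) that generates passwords from a policy alphabet the way the Password Policy tab's settings describe, compares the entropy of the default 8-character alphanumeric policy with the recommended 20 characters plus symbols, and, for the restrictive-site case, removes forbidden characters from the alphabet before generating rather than hand-editing afterwards. The symbol set and the sample "disallowed" characters are assumptions.

```python
import math
import secrets
import string

# Character classes as the Password Policy tab groups them (lowercase,
# uppercase, digits, symbols). The exact symbol set is an assumption.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"


def policy_alphabet(use_symbols: bool, disallowed: str = "") -> str:
    """Alphabet a policy permits, minus any characters a site forbids."""
    alphabet = LOWER + UPPER + DIGITS + (SYMBOLS if use_symbols else "")
    return "".join(c for c in alphabet if c not in disallowed)


def generate(length: int, use_symbols: bool, disallowed: str = "") -> str:
    """Uniformly random password over the policy alphabet (OS CSPRNG)."""
    alphabet = policy_alphabet(use_symbols, disallowed)
    if not alphabet:
        raise ValueError("restrictive policy left no usable characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent uniform picks from N symbols."""
    return length * math.log2(alphabet_size)


# Password Safe's default policy versus the one the article recommends.
DEFAULT_POLICY = {"length": 8, "use_symbols": False}
RECOMMENDED_POLICY = {"length": 20, "use_symbols": True}


def compare_policies() -> dict:
    """Entropy in bits for each policy, rounded to one decimal."""
    result = {}
    for name, pol in (("default", DEFAULT_POLICY), ("recommended", RECOMMENDED_POLICY)):
        size = len(policy_alphabet(pol["use_symbols"]))
        result[name] = round(entropy_bits(pol["length"], size), 1)
    return result


if __name__ == "__main__":
    print(compare_policies())  # default 47.6 bits, recommended 128.5 bits
    # Constructed example: a site that forbids brackets and punctuation.
    print(generate(12, True, disallowed="[]{};:,.?/"))
```

The default policy lands below 48 bits, while the recommended one exceeds 128 bits, which is the gap the article's "woefully inadequate" refers to.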

Unfortunately, Password Safe does not provide a way to save the custom password policy when creating your first password entry for the database. To permanently change the password policy, you must first have at least one password in the database. Once you do, highlight the password entry and click the Edit an Entry button, identified by a vaguely pencil-like icon. This time when you open the Password Policy tab, there will be an Apply button at the bottom of the window. After changing the password policy, you can save it using either of the Apply and OK buttons. The new policy will then be used by default whenever a new random password is generated with the Generate button on the Basic tab.

The default setup for Password Safe will place an icon amongst the "hidden icons" of the MS Windows 7 system tray, so that it can be activated at any time by double-clicking the icon there. If you maintain multiple password databases with Password Safe, and have more than one of them open, there will be a Password Safe icon in the system tray for each open database.

Once your password database is populated with a few passwords, it is easy to access the passwords stored in it. If the main Password Safe window is not open already, open it from the system tray. Find the specific password entry you need; you can then double-click it to copy the password to the system clipboard, or highlight it by single-clicking it and choose an action to perform from among the buttons at the top of the window (including possibly copying the password to the system clipboard, the same as if you double-click the entry). If you have copied some part of the authentication credentials stored in a password entry in the database to the system clipboard, you can paste it into whatever login or other authentication interface you need to use. Password Safe then clears the stored data from the system clipboard.

Fighting back against bad password policy involves more than just trying to get others to allow strong passwords. In fact, it starts with you. A password manager like Password Safe can help you practice good policy where it counts.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

31 comments
yansilogin

Well...Thanks. I have tried this method. I also found another useful way, to use Windows Login Recovery tool can also achieve this. You can also have a try.

risques

I have 386 in keepass and 71 in Pins, use keepass for everyday sites and then pins for the passwords I think are essential. I have investigated two factor and think this is another way of adding to security. I still have not tried two factor using the same logon and password relying on the second factor to provide security. I am currently evaluating gmail two factor system and apart from the few seconds delay in receiving the txt message and entering the code it works well; it will additionally authorise a device, e.g. a smartphone, to access the account.

Acharya.sharma2007

Yes, I have been using it for 2 years; it has made password managing very easy.

Timbo Zimbabwe

I've NEVER trusted a password manager and probably will never trust one. Where would you leave your "keys to the kingdom"? On my person. (aka- in my head)

jcarroll

I've been using Password Safe for many years and love it. I use it at home and have installed it at work for all employees.

brianzion

LastPass gets my vote for password manager; very good integration across browsers, etc.

Leonardo_C

Been using KeePass for my passwords (very polished app) and Zumodrive for on-line, hands-free live backups and am pretty happy with the setup; just a heads-up for those looking at all options.

mark.burke

I've tried other password managers and I keep coming back to Password Safe.

bill.ligon

I have mounted it onto a USB with both the Win executable as well as the Mac O/S app. Both will use the same database.

ibmtech

I have also used this app for several years, and it works as advertised. I'm very happy with PW Safe. Lots of good features and very stable.

CharlieSpencer

It seems satisfactory, but I had one disappointment. I was hoping for the capability of clicking an entry and having it open the associated URL and automatically populating the username and password fields. I created an entry for TR as a test. Right-clicking it and selecting 'Browse to URL and Autotype' looked promising, and it did briefly open the TR login page. However, the browser immediately went to a Google page displaying the results of a search on my username. That won't keep me from evaluating this tool further; it just doesn't appear as convenient as I'd hoped. Maybe there's an FF plug-in that links to an open password safe?

Quailr

I have been using LastPass for several years. It allows similar features as Roboform as well as the ability to store your encrypted passwords on the LastPass server for recovery from anywhere on the web. I have not seen any bad reviews of LastPass, but would appreciate any other comments.

konamobilepc

How does this app compare to Roboform? From the article, they seem similar, but does pwsafe fill in web forms with address, etc.? Manage multiple identities for spouses etc.? Manage credit card info? I like the idea of using an app recommended by TR but I would be reluctant to let go of these other great features that I've used for nearly 3 years. Is anyone familiar with Roboform.com?

Ron_007

How about providing a link to the download page? Did I miss it? Never mind, I finally saw it.

Ron_007

How about providing a link to the download page? Did I miss it?

LarryBoy2

I've been using Password Safe for several years and am quite happy with it. I started using it after seeing the recommendation for it on Bruce Schneier's website. Figured I couldn't go wrong knowing it was created by someone w/ his credentials.

apotheon

Are you spamming or . . . what? This isn't about a password recovery tool, and if you had actually tried it (or read the article) I suspect you would know that.

CharlieSpencer

Some of us have a hard time keeping up with all of our passwords. This is aggravated by activities and sites that I feel unnecessarily require a username and password, such as downloading drivers.

lshanahan

Love KeePass, and I've tried quite a few PWMs. In a previous job I supported multiple state agencies, each with their own passwords for various things. I think I had to track upwards of 30+ passwords, not including my own personal ones.

apotheon

There's a compatible command line application for Unix-like systems called pwsafe. I wrote an article about how to make pwsafe into a keyboard shortcut driven tool in the X Window system a while ago.

apotheon

Once you integrate Password Safe with Firefox, the benefits it gives you over simply using the password manager built into Firefox are probably somewhat reduced. If you're going to use the built-in password manager, be sure to check out that article for some tips on how to use it well, but a requirement to manually paste into the browser does help protect against automated password access attacks and other malicious activity that could take advantage of tight integration between your password manager and your browser.

apotheon

See my response to konamobilepc above.

apotheon

Password Safe better fits the criteria from the cited article Five features of a good password manager, but the trade-off for that is that it is not as tightly integrated with your Web browsing experience. While such a trade-off is not necessary in principle, it exists in this case, so you have to make a choice between the convenience of a feature or two you like in Roboform and the better security design of Password Safe. My preference is for the greater security suggested by the design of Password Safe. Your mileage may vary.

apotheon

I don't know about Timbo, but I've got 184 passwords currently in one password database. I add more every couple days or so. I'd definitely have a tough time keeping track of all of those. I have to wonder whether Timbo Zimbabwe uses the same password for everything.

apotheon

I've got 184 passwords tracked by pwsafe. Because I use MS Windows so rarely, my password database tracked by Password Safe is much more modest -- about a dozen. KeePass does look like a decent application, but my calling my experience with it "limited" would be pretty generous, so I can't really comment on it much. My biggest concern would be design complexity and compatibility with the tools I use on Unix-like systems. The KeePass interface is not in the least designed to work well with the kind of workflow I use, so compatibility with other tools becomes kind of important; I need nothing more than a command line interface and keyboard shortcuts on Unix-like systems, and the rest just gets in the way, so KeePass would not qualify to be my tool of choice.

CharlieSpencer

Obviously it has no portability, but that isn't on my list of criteria anyway. My home and work on-line activities rarely intersect, although this joint is one of the exceptions. Chad, have you had any dealings with it?

apotheon

I poked at it a little a while ago, but never really tried using it at all. Given my feelings on what kinds of security software one can trust, I absolutely don't trust it, so I will not likely ever have any use for it.