Use Password Safe to save effort and time in Windows 7

Save time, effort, and privacy with Password Safe, a password manager on the Microsoft Windows platform.
This post was originally published in the TechRepublic IT Security Blog in March 2011.

As explained in "Five Features of a Good Password Manager," the increasing complexity of our digital lives and the increasing threat from malicious security crackers and malware combine to present the troubling problem of needing to use strong passwords -- which are pretty much by definition difficult to remember -- in large numbers, without writing them on sticky notes, storing them in text files, and so on. Using some kind of password management tool has become the only suitable answer to the problem. A good password manager turns the problem of remembering hundreds of strong passwords into the somewhat simpler task of remembering only one while still allowing us to maintain separate strong passwords for all our secure authentication needs.

Another article explained how we can use pwsafe as a keyboard shortcut driven X tool, which can greatly improve the convenience of using a password manager for common tasks on Unix-like desktop systems using the X Window System. Even without the solution provided there for turning it into a keyboard shortcut driven tool, pwsafe is a decent password manager, as are Password Gorilla and MyPasswordSafe.

All three of them use peer-reviewed, heavily tested, strong encryption for password storage, and the design of all three of them is verifiable because they are all open source software. MyPasswordSafe, in fact, is copyfree licensed under the terms of a BSD License. They are also mutually compatible, using the same password database format, because all three of them are designed to be compatible with a password manager called Password Safe.

Password Safe was created by Bruce Schneier and Counterpane Labs for MS Windows users, and it has been released under the terms of the Artistic License. It can be downloaded from a link on the Password Safe site, where it says "click here for latest version." As that site explains:

Password Safe allows you to manage your old passwords and to easily and quickly generate, store, organize, retrieve, and use complex new passwords, using password policies that you control. Once stored, your user names and passwords are just a few clicks away.

The installation process is straightforward, and most users will have no need to choose nondefault configuration options. The most likely option that a user may wish to change during install is the "Installation Type"; in some cases, a user may wish to use the "Green" option, which makes use of a separate USB flash media device to ensure the password database is portable and does not use the Windows Registry. Most users will just go with the "Regular" option, however.

When opening Password Safe, it provides a text field labeled Open Password Database:, which can be used to access already saved passwords. The first time the program is executed, however, you will need to create a password database. To start that process, click the New Database button.

You will then be presented with a dialog asking you to choose a name for the new password database. After entering a name -- or accepting the default -- and clicking the Save button, the Combination Setup dialog will appear. Despite the cutesy "safe combination" terms, this is merely a request to set a master password that will be used to access the passwords you will store in Password Safe's encrypted database. Enter the same strong password twice, once in the Safe Combination: field and once in the Verify: field, then click the OK button to set that as the master password for your new password database. If your password is too short and simple, Password Safe will pop up a warning, asking whether you want to use the password you entered or choose something stronger.

After the database's password is set, the main Password Safe window will open, showing a series of buttons at the top and a blank white area that represents the password database itself, currently empty. As long as the Password Safe window has focus, pointing your mouse cursor at each of the buttons that are not grayed out will raise a tooltip that states the basic function of the button. One that looks somewhat like a sheet of paper with a plus sign in a green circle at the lower-right corner is the Add New Entry button, and clicking that will open the Add Entry window, used to save a new password in the database.

Before creating your first new password entry in your first database, you should set a default password policy. To do this, click on the Password Policy tab in the Add Entry window. The default random password generation rules are simplistic and do not produce the strongest passwords. Given that the whole point of using a password manager is to save the user the headache of managing passwords he or she would have difficulty remembering, using a series of as many different types of characters as reasonably possible seems like the obvious choice, and the eight-character alphanumeric password policy that is Password Safe's default is woefully inadequate for the task of ensuring password security. To rectify this shortcoming, three simple steps should be taken:

  • Select the Use the Policy below: radio button and increase the password strength of the settings provided.
  • At minimum, increase the Password length: setting to 20.
  • Check the Use Symbols checkbox.

Back at the Basic tab, you can then create a new password entry where you generate a random password using this policy.

Password Safe organizes passwords in a simple hierarchical manner, allowing the user to categorize them by "Group" name. To set the group of a new password, enter the name for the group in the Group: field -- email, for instance, if you are setting up an entry for an email account password. The Title: field allows you to label the password using a term that will be easily recognizable in relation to how the password is used, such as "gmail" if this entry will store your GMail password. The Username: and Password: fields will store the authentication credentials for this entry in the database. The URL: and email: fields are described in more detail in Password Safe help documentation but are not critical to the use of the password manager, and the Notes: field is exactly what it seems to be: a place to save notes about this particular password.

It is a good idea to use the Generate button, with a password policy that specifies strong passwords as described above, when creating new passwords. Unfortunately, bad password policy that prevents us from using the strongest passwords does exist in some authentication systems, and especially egregious cases like the American Express password policy of several years ago can really limit our ability to use randomly generated strong passwords. In such cases, it is typically a good idea to still use a complex, randomly generated password, but use the Show button under the Basic tab and hand-edit the password to remove characters disallowed by the restrictive password policy to which your new password must conform. An even better idea, if you can get away with it, is to not use the application, site, service, or other resource that enforces weak passwords.

Unfortunately, Password Safe does not provide a way to save the custom password policy when creating your first password entry for the database. To permanently change the password policy, you must first have at least one password in the database. Once you do, highlight the password entry and click the Edit an Entry button, identified by a vaguely pencil-like icon. This time when you open the Password Policy tab, there will be an Apply button at the bottom of the window. After changing the password policy, you can save it using either the Apply or OK button. The new policy will then be used by default whenever a new random password is generated with the Generate button on the Basic tab.
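The policy settings above (length 20, symbols on, several character classes) and the hand-editing workaround for restrictive sites can both be expressed as a small generator plus a policy check. The following is an added example written for this article, not Password Safe's own code; the character-class names and the symbol set are assumptions that approximate the Password Policy tab, and `disallowed` models the characters a restrictive site forbids so that nothing has to be removed by hand afterwards.

```python
import secrets
import string

# Character classes the Password Policy tab lets you toggle (assumed mapping;
# the symbol set is a constructed approximation, not Password Safe's exact list).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-/=?@^_~",
}

def enabled_classes(use_symbols):
    return [c for c in CLASSES if c != "symbol" or use_symbols]

def generate(length=20, use_symbols=True, disallowed=""):
    """Random password with at least one character from every enabled class,
    drawn from the OS CSPRNG via `secrets`. Characters in `disallowed` are
    removed from the pools up front (the restrictive-site case)."""
    enabled = enabled_classes(use_symbols)
    pools = {c: "".join(ch for ch in CLASSES[c] if ch not in disallowed)
             for c in enabled}
    if any(not pool for pool in pools.values()):
        raise ValueError("a required character class has no allowed characters")
    if length < len(pools):
        raise ValueError("length too short to cover every required class")
    # One guaranteed character per class, the remainder from the union of pools.
    chars = [secrets.choice(pools[c]) for c in enabled]
    union = "".join(pools.values())
    chars += [secrets.choice(union) for _ in range(length - len(chars))]
    # CSPRNG-driven shuffle so the guaranteed characters sit at random positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def meets_policy(pw, length=20, use_symbols=True, disallowed=""):
    """True if pw is long enough, contains every enabled class, and uses
    no disallowed character. The 8-character alphanumeric default fails this."""
    if len(pw) < length or any(ch in disallowed for ch in pw):
        return False
    return all(any(ch in CLASSES[c] for ch in pw)
               for c in enabled_classes(use_symbols))

if __name__ == "__main__":
    print(generate())                               # the hardened 20-char policy
    print(generate(disallowed="#$%&*+-/=?^~"))      # site that allows only !@_
    print(meets_policy(generate(8, use_symbols=False)))  # default policy: False
```

`generate(length=8, use_symbols=False)` reproduces the weak default policy described above; the check shows why raising the length and enabling symbols matters.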

The default setup for Password Safe will place an icon among the "hidden icons" of the MS Windows 7 system tray, so that it can be activated at any time by double-clicking the icon there. If you maintain multiple password databases with Password Safe and have more than one of them open, there will be a Password Safe icon in the system tray for each open database.

Once your password database is populated with a few passwords, it is easy to access the passwords stored in it. If the main Password Safe window is not open already, open it from the system tray. Find the specific password entry you need; you can then double-click it to copy the password to the system clipboard or highlight it by single-clicking it and choose an action to perform from among the buttons at the top of the window (including possibly copying the password to the system clipboard, the same as if you double-click the entry). If you have copied some part of the authentication credentials stored in a password entry in the database to the system clipboard, you can paste it into whatever login or other authentication interface you need to use. Password Safe then clears the stored data from the system clipboard.

Fighting back against bad password policy involves more than just trying to get others to allow strong passwords. In fact, it starts with you. A password manager like Password Safe can help you practice good policy where it counts.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

17 comments
rosshiuk

this was scanned with conealarm download scanner and reported as a Zombie very malicious

tim.yen

I have found passpack to be good and it has an adobe air desktop client.

wmjas.shaw

Is the database simple to back up? Wouldn't want to have the only copy on a USB key and lose the key.

ben_j_dover

I cannot remember when I started using Password Safe. It has been a while - and I have yet to be disillusioned with it. My access password is a pain - and that is only for the passwords I store for bank, cards, PayPal, etc. Another database gets me to everyday sites that pose no financial risk - and that is a trivial access password. I use the same database with Password Gorilla on Ubuntu. At this point I have not figured out how to get PG to open a network file - so I routinely copy the everyday sites to the Ubuntu store and I am good. I have considered the disk-on-key approach - too inert to learn how to do it. Instead I keep the extra secure database on a USB drive that is only online when I need to use it. There are probably other equally effective solutions out there - this is the one that I have learned to use - and I am pleased. :-) Understand that this writer has also been with the same automobile insurance company for 49 years, so maybe I am not the most credible source. If it works and I am pleased I see no reason to change.

Ray Baker

If the passwords are in the computer, someone will get them. A Rolodex can't be hacked.

john.wesley

I'll stick with my handwritten list thank you.

_rob_d

Pwsafe has been ported for 'droid devices, so you can travel with your passwords.

ibmtech

I've been using Password Safe for several years. Does what it says it will and does it well! Available in a portable version as well as a U3 version.

Neon Samurai

The "use pwsafe as a keyboard shortcut driven X tool" link is pointing at the "5 features" article not the article discussing use of pwsafe with X bindings.

Neon Samurai

Obligatory mention: KeePass. It's another great password manager worth looking at, with a client/database setup so you can open your database of passwords on nearly any OS you might sit down in front of.

  • KeePass (Windows)
  • KeePass Portable (Windows portableapp format for USB or run-from-directory use)
  • KeePassX (OS X, Linux based OS, BSD based OS, BlackBerry, PalmOS, Maemo, probably iPhone by now)

(For a fully portable database, stick with version 1, not 2.) Password Safe is a great choice also, though my one complaint with it was a less portable database. I had been using it for a while when an updated desktop version incorporated a newer database format, making it unreadable on my mobile devices. If you don't need to open your passwords on multiple devices though, Password Safe will probably cover your needs.

Rod.Wright

I often travel and when I do, I use my iPhone and plan to get an iPad. How would I use these tools in those environments? Meanwhile, I have a Win 7 laptop that I use while travelling. How well do these tools work when switching among these operating environments?

noexpert

Just copy and paste. You can access a backup by selecting its directory at startup.

CharlieSpencer

There's nothing to hack; just pick it up and read it. Are you going to lock it in a safe at home, and carry it around in a locked briefcase like Elwood Blues' harmonica?

Mycah Mason

I like KeePass too. The UI is much cleaner in my opinion and it is cross platform (I have used it on BlackBerry, Android, and Windows). The main thing that I like about it other than being FREE is that it has a "portable" version (also free). Password Safe makes you pay $9.99 if you want to use their "portable" version.

WDMilner

KeePassX is also available for Windows, making it the most cross-platform capable option (though not the most feature rich).

mrivard

Unless you have hundreds of thousands of strangers trolling through your home office, the Rolodex sounds like a safe bet for me. Although I personally don't use a Rolodex (do they even make them anymore?).

Neon Samurai

KeePassX started as a version of KeePass for Unix-like OS (I think it came second anyhow), so I've gotten used to recognizing the difference. I wonder what the difference between KeePass Win and KeePassX Win is. In terms of OS supported, you sure can't go wrong starting from the KeePass website:

KeePass download page:
  • Windows, Windows portableapp, Windows U3
  • Windows Phone, PocketPC, iPhone, BlackBerry, PalmOS, J2ME Java environments
  • Linux based OS and Apple OS X (KeePassX link at bottom)

KeePassX download page:
  • Linux based distribution repositories
  • Linux based distributions by 1-click install
  • OS X
  • Windows

And if you're not covered under either of those two download pages or your distro repositories, you can download the source code for either and build it yourself. Freaking fantastic.