Use Password Safe to save effort and time in Windows 7

Save time, effort, and privacy with Password Safe, a password manager on the Microsoft Windows platform.

This post was originally published in the TechRepublic IT Security Blog in March 2011.

As explained in "Five Features of a Good Password Manager," the increasing complexity of our digital lives and the increasing threat from malicious security crackers and malware combine to present the troubling problem of needing to use strong passwords -- which are pretty much by definition difficult to remember -- in large numbers, without writing them on sticky notes, storing them in text files, and so on. Using some kind of password management tool has become the only suitable answer to the problem. A good password manager turns the problem of remembering hundreds of strong passwords into the somewhat simpler task of remembering only one while still allowing us to maintain separate strong passwords for all our secure authentication needs.

Another article explained how we can use pwsafe as a keyboard shortcut driven X tool, which can greatly improve the convenience of using a password manager for common tasks on Unix-like desktop systems using the X Window System. Even without the solution provided there for turning it into a keyboard shortcut driven tool, pwsafe is a decent password manager, as are Password Gorilla and MyPasswordSafe.

All three of them use peer-reviewed, heavily tested, strong encryption for password storage, and the design of all three of them is verifiable because they are all open source software. MyPasswordSafe, in fact, is copyfree licensed under the terms of a BSD License. They are also mutually compatible, using the same password database format, because all three of them are designed to be compatible with a password manager called Password Safe.

Password Safe was created by Bruce Schneier and Counterpane Labs for MS Windows users, and it has been released under the terms of the Artistic License. It can be downloaded from a link on the Password Safe site, where it says "click here for latest version." As that site explains:

Password Safe allows you to manage your old passwords and to easily and quickly generate, store, organize, retrieve, and use complex new passwords, using password policies that you control. Once stored, your user names and passwords are just a few clicks away.

The installation process is straightforward, and most users will have no need to choose nondefault configuration options. The most likely option that a user may wish to change during install is the "Installation Type"; in some cases, a user may wish to use the "Green" option, which makes use of a separate USB flash media device to ensure the password database is portable and does not use the Windows Registry. Most users will just go with the "Regular" option, however.

When opening Password Safe, it provides a text field labeled Open Password Database:, which can be used to access already saved passwords. The first time the program is executed, however, you will need to create a password database. To start that process, click the New Database button.

You will then be presented with a dialog asking you to choose a name for the new password database. After entering a name -- or accepting the default -- and clicking the Save button, the Combination Setup dialog will appear. Despite the cutesy "safe combination" terms, this is merely a request to set a master password that will be used to access the passwords you will store in Password Safe's encrypted database. Enter the same strong password twice, once in the Safe Combination: field and once in the Verify: field, then click the OK button to set that as the master password for your new password database. If your password is too short and simple, Password Safe will pop up a warning, asking whether you want to use the password you entered or choose something stronger.

Stay on top of the latest Microsoft Windows tips and tricks with TechRepublic's Windows Desktop newsletter, delivered every Monday and Thursday.

After the database's password is set, the main Password Safe window will open, showing a series of buttons at the top and a blank white area that represents the password database itself, currently empty. As long as the Password Safe window has focus, pointing your mouse cursor at each of the buttons that are not grayed out will raise a tooltip that states the basic function of the button. One that looks somewhat like a sheet of paper with a plus sign in a green circle at the lower-right corner is the Add New Entry button, and clicking that will open the Add Entry window, used to save a new password in the database.

Before creating your first new password entry in your first database, you should set a default password policy. To do this, click on the Password Policy tab in the Add Entry window. The default random password generation rules are simplistic and do not produce the strongest passwords. Given that the whole point of using a password manager is to save the user the headache of managing passwords he or she would have difficulty remembering, using a series of as many different types of characters as reasonably possible seems like the obvious choice, and the eight-character alphanumeric password policy that is Password Safe's default is woefully inadequate for the task of ensuring password security. To rectify this shortcoming, three simple steps should be taken:

  • Select the Use the Policy below: radio button and increase the password strength of the settings provided.
  • At minimum, increase the Password length: setting to 20.
  • Check the Use Symbols checkbox.

Back at the Basic tab, you can then create a new password entry where you generate a random password using this policy.

Password Safe organizes passwords in a simple hierarchical manner, allowing the user to categorize them by "Group" name. To set the group of a new password, enter the name for the group in the Group: field -- email, for instance, if you are setting up an entry for an email account password. The Title: field allows you to label the password using a term that will be easily recognizable in relation to how the password is used, such as "gmail" if this entry will store your GMail password. The Username: and Password: fields will store the authentication credentials for this entry in the database. The URL: and email: fields are described in more detail in Password Safe help documentation but are not critical to the use of the password manager, and the Notes: field is exactly what it seems to be: a place to save notes about this particular password.

It is a good idea to use the Generate button, with a password policy that specifies strong passwords as described above, when creating new passwords. Unfortunately, bad password policy that prevents us from using the strongest passwords does exist in some authentication systems, and especially egregious cases like the American Express password policy of several years can really limit our ability to use randomly generated strong passwords. In such cases, it is typically a good idea to still use a complex, randomly generated password, but use the Show button under the Basic tab and hand-edit the password to remove characters disallowed by the restrictive password policy to which your new password must conform. An even better idea, if you can get away with it, is to not use the application, site, service, or other resource that enforces weak passwords.

Unfortunately, Password Safe does not provide a way to save the custom password policy when creating your first password entry for the database. To permanently change the password policy, you must first have at least one password in the database. Once you do, highlight the password entry and click the Edit an Entry button, identified by a vaguely pencil-like icon. This time when you open the Password Policy tab, there will be an Apply button at the bottom of the window. After changing the password policy, you can save it using either the Apply or OK button. The new policy will then be used by default whenever a new random password is generated with the Generate button on the Basic tab.

The default setup for Password Safe will place an icon among the "hidden icons" of the MS Windows 7 system tray, so that it can be activated at any time by double-clicking the icon there. If you maintain multiple password databases with Password Safe and have more than one of them open, there will be a Password Safe icon in the system tray for each open database.

Once your password database is populated with a few passwords, it is easy to access the passwords stored in it. If the main Password Safe window is not open already, open it from the system tray. Find the specific password entry you need; you can then double-click it to copy the password to the system clipboard or highlight it by single-clicking it and choose an action to perform from among the buttons at the top of the window (including possibly copying the password to the system clipboard, the same as if you double-click the entry). If you have copied some part of the authentication credentials stored in a password entry in the database to the system clipboard, you can paste it into whatever login or other authentication interface you need to use. Password Safe then clears the stored data from the system clipboard.

Fighting back against bad password policy involves more than just trying to get others to allow strong passwords. In fact, it starts with you. A password manager like Password Safe can help you practice good policy where it counts.