One of the more daunting tasks in the modern world is remembering all those pesky passwords you need for the dozen different applications that require credentials. One solution is to use a password manager, such as KeePass, a freely available, Open Source (tm) solution for Microsoft Windows systems. The benefit of an Open Source (tm) solution is that the availability of the source code makes it easy to audit the code for secure coding practices. (Sure, an attacker can take advantage of the source code, but there are plenty of exploits available for Microsoft Windows, whose source code is not available; I am a believer in transparency.)
Below the fold, I'll discuss usage of KeePass and a little more than you wanted to know about user authentication schemes.
To get started, download the latest version with the installer, version 2.15 Professional as of this writing. The only choices of interest during install are whether to create desktop or quick launch shortcuts. Otherwise, the defaults are fine.
When starting the application, KeePass will greet you with a grayed out window. Before you can start entering your passwords, you need to create a new password database. Do this by clicking on the New icon or via the File - New... menu entry.
Give the database a name and save it somewhere it won't get lost; the usual default on Windows is the My Documents directory. Next, you will be prompted to enter the last password you'll ever have to remember. The Master password is the master lock, the keys to the vault of gold. If an attacker discovers it, she gains the keys to the city. Choose wisely.
Alternatively or additionally, you can safeguard your password file using a Key file. Essentially, a Key file is like a totem in Inception: it's worthwhile only if you alone have access to it. If anyone else gets it, the game is up. A good place for such a key is on a USB key, with a backup burned to a CD-R and locked safely away. Much like the Master password, if you lose the key (or either one, if you use both), game over.
When you select Create... to build your Key file, you will be asked to move your mouse around and type some random characters in an adjacent box. The purpose of this exercise is not to measure your mouse or typing proficiency, but to gather truly random data, which, amusingly enough, a computer is not actually capable of producing on its own without special hardware. The reason to physically isolate the key when not in use is that it cannot be hidden: if an attacker gains access to your system, the key file can be discovered by monitoring file accesses.
Naturally, if you use both a Master password and a Key file, an attacker will need both something you have, the key file, and something you know, the password, to gain access to your password database. (The third kind of authentication factor is something you are: your fingerprint or DNA.)
(For more information about different authentication strategies, an excellent lecture is available.)
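To make the "something you have plus something you know" point concrete, here is an added illustration (not KeePass's own code or its real file format) of how a key file and a master password can be folded into one composite key so that neither factor on its own unlocks anything. The key file is filled from the operating system's CSPRNG; the hashing scheme and the verifier-comparison step are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets


def make_key_file(nbytes=32):
    """Generate key-file contents from the OS CSPRNG (the 'something you have').

    Illustrative format: raw random bytes. KeePass's actual key-file format
    is not reproduced here.
    """
    return secrets.token_bytes(nbytes)


def composite_key(master_password=None, key_file_bytes=None):
    """Combine the present factors into one 256-bit key.

    Each factor is hashed on its own first, then the digests are hashed
    together, so the password and key file cannot be confused with each
    other. This is an illustration of the scheme, not KeePass's exact
    derivation (which additionally applies a slow key-transformation step).
    """
    if master_password is None and key_file_bytes is None:
        raise ValueError("at least one factor is required")
    outer = hashlib.sha256()
    if master_password is not None:
        outer.update(hashlib.sha256(master_password.encode("utf-8")).digest())
    if key_file_bytes is not None:
        outer.update(hashlib.sha256(key_file_bytes).digest())
    return outer.digest()


def unlock(stored_key, master_password=None, key_file_bytes=None):
    """Constant-time check of a candidate key against the stored verifier."""
    candidate = composite_key(master_password, key_file_bytes)
    return hmac.compare_digest(stored_key, candidate)


def demo():
    """Show that only the full set of factors reproduces the key."""
    key_file = make_key_file()  # constructed sample key file
    stored = composite_key("correct horse", key_file)
    return {
        "both": unlock(stored, "correct horse", key_file),
        "password_only": unlock(stored, "correct horse"),
        "keyfile_only": unlock(stored, None, key_file),
        "wrong_keyfile": unlock(stored, "correct horse", make_key_file()),
    }
```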
For Step 2 of database creation, you can optionally give the database a name and description. If you use the same username most places, you may want to type it into the field Default user name for new entries. The defaults for the other tabs should be fine for most users.
Once that's complete, you will be greeted with your new password database. KeePass uses a category list, making it easy to group your passwords. The default categories are self-explanatory. For entries that don't have a URL, just leave that field blank. As such, you can store all kinds of passwords, including those for email, physical systems, your FAFSA or Federal tax PIN, and so on.
By default, KeePass will automatically generate a password for new entries. While it is random nonsense, the task of remembering it is entrusted to KeePass, a burden you no longer must bear. If you don't fully trust KeePass, you can always use your own password instead, safe in the knowledge that if you forget it, you can retrieve it from the KeePass database.
To modify how KeePass creates the automatic password, examine Tools - Generate Password.... There are quite a few options in the Settings tab. If the default password length of 20 is causing problems on Web sites, it's possible to shorten it, but preferably no shorter than 8 characters. The shorter the password, the more insecure, as a general rule. Not all sites allow it, but ideally the password includes Special characters, too.
In order to commit changes to the Password Generator Options a strange dance is required. After selecting options, click the floppy disk icon on the Profile: line immediately under the Settings tab. Then, select the entry (Automatically generated passwords for new entries) and click OK. Otherwise, the changes seemingly get lost.
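The trade-off described above (length 20 by default, never shorter than 8, and special characters when the site allows them) can be put in numbers. This added example, not from the original post or from KeePass, generates passwords from the same kind of character-class profile using the OS CSPRNG and reports the entropy of each profile in bits; the class names are ours, not KeePass's identifiers.

```python
import math
import secrets
import string

# Character classes mirroring the knobs in a generator's Settings tab.
# Names are ours, not KeePass's own identifiers.
CHAR_CLASSES = {
    "upper": string.ascii_uppercase,     # 26
    "lower": string.ascii_lowercase,     # 26
    "digits": string.digits,             # 10
    "special": string.punctuation,       # 32
}


def build_alphabet(classes):
    """Union of the selected classes, de-duplicated, in a stable order."""
    seen = []
    for name in classes:
        for ch in CHAR_CLASSES[name]:
            if ch not in seen:
                seen.append(ch)
    return "".join(seen)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, classes=("upper", "lower", "digits", "special")):
    """Uniformly random password drawn with the OS CSPRNG via the secrets module."""
    if length < 8:
        raise ValueError("passwords shorter than 8 characters are too weak")
    alphabet = build_alphabet(classes)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_profiles():
    """Entropy of the 20-char default vs the 8-char floor, with and without specials."""
    full = len(build_alphabet(("upper", "lower", "digits", "special")))   # 94
    alnum = len(build_alphabet(("upper", "lower", "digits")))             # 62
    return {
        "20 full": round(entropy_bits(20, full), 1),
        "20 alnum": round(entropy_bits(20, alnum), 1),
        "8 full": round(entropy_bits(8, full), 1),
        "8 alnum": round(entropy_bits(8, alnum), 1),
    }
```

Dropping from 20 to 8 characters costs far more entropy than dropping special characters does, which is why length is the setting to give up last.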
To add a new entry, select a relevant category on the left (or make up your own, or rename or delete existing ones) and click the small key icon in the icon list. Alternatively, right-click in the right-hand window and select Add Entry..., about a third of the way down the list.
Once you have added some entries to the KeePass database and saved your changes, you can actually start using it. To do so, simply select the entry for the Web site or other resource. Once the entry is highlighted with a blue background, you can either press CTRL-C or right-click and select Copy Password to copy it to the clipboard. Finally, paste the password into the login form or application that requires it. Done. By default, KeePass automatically clears the clipboard after 12 seconds.
While there are a ton of possible options for the software, the above is enough to get started.
Jason Boxman is an IT industry professional working in the life and health insurance sales industry. His principal background is Linux Systems Administration, task automation, and documentation. He is happy to answer any questions anyone may have and is also available for contract work.