Installing the KeePass Password Manager

Today I want to walk through installing the KeePass password manager on Windows 10. This post will explore downloading, installing, and first steps to using a local password manager. The end result, for those who follow these steps, will be an encrypted password generation and storage mechanism.

Setting Up KeePass

Download KeePass

The first step in the process is downloading the installer. From the KeePass download page, there are options for both the installer and the portable package. While this post will be focused around installing the software on Windows 10, the portable option provides a good solution for users who need their passwords on multiple machines.

KeePass Download Page

Choose the installer and then save the file to disk

Save Installer
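Before launching the installer, it is worth confirming that the saved file is the one the project published. The PowerShell below is an added example, not part of the original post or the KeePass project's own tooling. The function name, the installer file name and the expected hash are placeholders, and it assumes you have a SHA-256 value for this exact file from the KeePass project's own site.

```powershell
# Added example: check a downloaded installer's hash and Authenticode signature
# before running it. Names and values marked "placeholder" are not from the page.
function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # Normalise the published value: drop spaces and dashes, ignore case.
    $expected = ($ExpectedSha256 -replace '[\s-]', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw 'ExpectedSha256 must be 64 hexadecimal characters.'
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    # An unsigned file has no signer certificate, so guard the lookup.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    $hashOk = ($actual -eq $expected)
    [pscustomobject]@{
        File           = (Resolve-Path -LiteralPath $Path).Path
        Sha256         = $actual
        HashMatches    = $hashOk
        SignatureState = $sig.Status   # 'Valid' means the chain and the file digest both check out
        Signer         = $signer       # compare with the publisher shown in the UAC prompt
        SafeToRun      = $hashOk -and ($sig.Status -eq 'Valid')
    }
}

# Usage: replace both placeholders first; the function rejects a malformed hash.
$installer = Join-Path $env:USERPROFILE 'Downloads\KeePass-Setup.exe'   # placeholder file name
$published = '<SHA-256 published for this exact file>'                  # placeholder value
$result = Test-DownloadedInstaller -Path $installer -ExpectedSha256 $published
$result | Format-List
if (-not $result.SafeToRun) { Write-Warning 'Hash or signature check failed; do not run this file.' }
```

A hash mismatch or a signature state other than Valid means the file should be deleted and downloaded again from the project's site rather than executed.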

Once downloaded, navigate in Explorer to wherever the file was saved. Usually, this is in C:\Users\$USER\Downloads. Double-clicking the installer will launch the process. After Windows User Account Control (UAC) confirms permission to proceed, the KeePass installer will launch. The following series of images illustrates the install process.

Installing KeePass

First, select the install language.

Select Language

The license agreement is next. Be sure to read this before selecting “I accept the agreement”, which is required in order to proceed.

Accept License Agreement

I generally don’t mess with the install path, but if you have a desire, the next dialogue allows for definition of where KeePass will be installed on the system.

Choose Install Path

Another area that I typically don’t mess with, the component selection dialogue lets users take more control over what components of KeePass are installed.

Select Install Components

Yet another menu that requires no changes, the options pictured below ensure that KeePass recognizes the .kdbx file extension, as well as letting the user decide if a desktop and/or Quick Launch shortcut should be created.

Additional Tasks

With all the options configured, take a moment to look over the install configuration before proceeding.

Confirm Install Options

And we’re off to the races! In a few moments KeePass will be installed on the local system.

KeePass Installing

Once installation completes, launching KeePass will take us into the next steps to configure a password database.

Launch KeePass

Using KeePass

Launch the Program

If you accepted the install defaults, there is an icon on the desktop. Otherwise, find the launcher in the Start menu. KeePass then walks users through the basic steps of setting up a database.

Configuring New Database

Select the path and file name that will become the password database file.

Select Password Database Path

The next step is to define the master password. This is the one password which users need to remember to access all the other passwords. Generally, I encourage users to use a passphrase rather than a password, for increased security.

Configure Master Password

Presuming both entries match, selecting “OK” will take us into some additional database settings. Again, since we’re just covering the basics of KeePass, I won’t be covering these today, but I encourage users to explore these other options.

Additional Database Settings

The last step in the setup is to print the KeePass Emergency Sheet. Print this off, fill out the details, and keep it safe as this will contain the details to gain access, should someone need it.

KeePass Emergency Sheet

And finally, we’re presented with the KeePass interface. In a later post, we’ll work with creating, editing, and using various entries, and how to put KeePass to work generating, and protecting, your passwords from prying eyes.

MyDatabase Running

There are several default entries and categories within a default KeePass database. I highly recommend exploring the entries that are available, learning the options, and making some mistakes with passwords that don’t matter before you start entering passwords on which you depend into KeePass.

Conclusion

If you’ve followed along at home, we’ve successfully installed, configured, and started using the KeePass password manager. While this post was written to demonstrate the process on a Windows 10 machine, KeePass also runs on Linux and Mac. In the next post, I’ll cover some notes on general usage of KeePass and the use of online alternatives. The goal here is to get readers to understand the benefits of using a password manager, and to illustrate the ease with which they can be implemented. I hope you’ve found this post to be informative and I appreciate the time you’ve taken to read it. Remember that we live in a hostile world and it is important to take measures to protect yourself!

OpSec in the Real World

Operations Security

What is OpSec?

Operations Security (OpSec) is the action of protecting information which might be used against one in a hostile encounter. OpSec forces a person, or organization, to perform threat modeling to determine potential vulnerabilities which might be exposed to adversaries and establish controls aimed at anticipating and defending possible attacks. Identifying attack surfaces and hardening them reduces risk and increases the difficulty an adversary faces in launching a successful attack.

“All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”  – Sun Tzu

Operational Security OpSec

Why OpSec

Allow me to put my tin foil hat on for a moment to explain why OpSec matters. It is a harsh, cold world out there today and adversaries are everywhere. In a world that is constantly connected, where people share and overshare everything, it’s important that we’re taking steps to protect ourselves, our data, and our friends/family. It can be something as simple as thoughtlessly sharing a photo to Facebook. Without thinking, you could expose someone to risk. There could be a stalker out there just waiting for information that could lead them to their prey. A Facebook group I belong to recently proved this threat as someone posted a photo in the group which exposed the license plate of another person who happened to be trying to escape an abusive spouse. Thankfully, the victim was gone before anything bad could happen, but this mishap did put a dangerous person on the trail of someone they had been trying to find for nearly a year!

The sad fact of the matter is that there are so many bad situations we can find ourselves in today that make OpSec more important than ever before. Keeping data safe means implementing consistent OpSec practices. My hope in writing this is that you’ll think about your own operations security and will find ways to make changes that make you and your data more secure.

How to OpSec?

Creating an effective OpSec program requires 5 steps:

Identify Critical Information

Critical information is a specific fact related to intentions, capabilities, or activities that could be used by adversaries in an attack. If Critical Information is obtained, the adversary would be able to impact the mission. The first step of the OpSec process is developing a Critical Information List (CIL) which defines any sensitive data which might be targeted.

Limitations

In the case of organizational risk and corporate espionage, learning the limitations of a partner or competitor could be invaluable. Learning what cannot be done is just as valuable as knowing what can. For a hostile threat agent to understand the limitations of a target

Operation Plans

Getting visibility into planning operations poses a significant risk to both organizational and personal OPSEC. Attacks against operational plans include the who, what, when, and where components of the planning phases and can wreak havoc upon the forward momentum of operational plans.

Personal Information

In 2007, stolen email accounts were worth anywhere from $4-$30. In 2008, prices fluctuated between $0.10 and $100. Compare this to 2009, when the price hovered between $1 and $20. Today, you can get 1,000 stolen email accounts for $0.50 to $10.

Credit card information, on the other hand, has not depreciated in recent years. In 2007, credit cards advertised around $0.40 to $20 per record. Sale price would depend on factors such as the brand of card, the country of origin, how much metadata is provided, volume of purchase, and how recently the card data was obtained. In 2008, the average asking price for credit card data, according to my research, was slightly higher, $0.06 to $30, and later in the year it rose to between $0.85 and $30. Today, prices for stolen credit card records fluctuate between $0.10 and $20 per record. In general, credit card data prices have fallen slightly over the last few years, especially in cases where cyber criminals trade in volume.

Where we saw healthcare records fetch $200-$500 for a single record in 2015, today prices are more in the range of $1.50-$10 depending on the type of data and who’s buying it.

Analyze Threats

With critical information identified, we now have something to protect. The next step is to determine the individuals or groups that represent a threat. There may be multiple adversaries, and different pieces of information may be targeted by different groups. In this stage, the capabilities, use for the information, determination and resources must also be analyzed.

Analyze Vulnerabilities

Vulnerability analysis is one of the most challenging pieces of the OpSec puzzle. Basic vulnerability exists in innocent day-to-day tasks like conversations or phone calls in public or posts on social networking sites. But society has become more reliant on technology, and complacency has put us in the position of exposing our email conversations and web pages, which can provide insight for a threat agent. In the most extreme cases, communication intercepts and espionage may come into play. Each level presents its own risk and has its own consequences. This is why threat modeling is important.

Assess the Risks

First, planners analyze the vulnerabilities identified in the previous action and identify possible OpSec measures for each vulnerability. Second, specific OpSec measures are selected for execution based upon a risk assessment done by the commander and staff. Risk is calculated based on the probability of Critical Information release and the impact if such a release occurs. Probability is further subdivided into the level of threat and the level of vulnerability. The core premise of the subdivision is that the probability of compromise is greatest when the threat is very capable and dedicated, while friendly organizations are simultaneously exposed.

Apply Countermeasures

Protected communications

Implement controls over your personal communications. Use encryption wherever possible. Email can be encrypted using PGP. Text messages and mobile phone calls can be encrypted with services like Wire and Signal respectively. If you have a service you’re using, there is probably a way to encrypt the data. Learn how and make it happen!

Protected Web Browsing

Modern web browsers offer methods to force the use of HTTPS while browsing. One way to accomplish this is with the use of browser plugins or extensions. Adding this functionality to your browser will force encryption to be used during browsing.

Physical Controls

OpSec doesn’t solely apply to the internet; there are many concerns in the physical world too. While you operate in daily life, there are some considerations to keep in mind:

  • Be alert
  • Be suspicious
  • Be aware

Finally, consider the threat when you:

  • Use the phone
  • Talk to strangers
  • Disclose in public
  • Use social media

Each of these presents its own unique risks to personal OpSec and should be addressed to reduce the risk of attacks.

Conclusion

OpSec is a necessity for anyone who has anything sensitive that needs to be kept confidential. Obscuring information, skewing facts, and offering misinformation can all be useful in protecting personal operations. Making sure to be consistent in these practices will eliminate the likelihood that information gets leaked to unauthorized parties, reducing the overall attack surface. Protect yourself out there; no one’s going to do it for you!