Create a Secure Offline Password Management System for Windows / WSA / WSL2

Regular Contributor

Keepass Portable version (KeePass-2.xx.zip file) | KeePassDX (Android)

Guidelines for Creating Passwords:

NOTE: *MOST* newer and legacy systems do not support passwords longer than 64 characters as a rule of thumb (or the full range of printable ASCII Characters)
NOTE: The maximum range for all printable characters within the Latin ASCII Character set (Unicode,) is 1-93 Characters in BASE10 / Decimal (0-92 in BASE64 / HEX)
NOTE: No whitespaces, and No Control Characters are allowed -> https://www.unicode.org/charts/PDF/U0000.pdf

NOTE: Password Generators Should AVOID Introducing Bias Towards one Range of Characters or an Individual Character at ALL COSTS 
NOTE: They MUST also Utilize a Cryptographically Secure Pseudorandom Number Generation Scheme 
NOTE: NIST Random Bit Generation Overview -> https://csrc.nist.gov/Projects/Random-Bit-Generation

Useful Links for Password Management on Older Versions of Windows, MS-DOS, PC-DOS, FreeDOS, CP/M, OS/2, some Unix / Linux variants:

NOTE: Windows Wordpad/Microsoft Word/Office Standards -> https://docs.microsoft.com/en-us/openspecs/standards_support
NOTE: Windows Code Page 1252 / IBM 437 (Informal standard found in most early x86 PCs and IBM AT/XT clones)
NOTE: ISO 8859-1 (Standardized version of IBM437) -> https://docs.microsoft.com/en-us/windows/win32/intl/code-pages
NOTE: Code Page Identifiers -> https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
NOTE: ISO/IEC 8859-1:1998 -> https://webstore.iec.ch/publication/11730
NOTE: Unicode 14.0 Character Code Charts -> https://www.unicode.org/charts/

Guidelines for Creating a Manual Password List Printout / Sheet / Card:

1.) Always use a monospaced font with a slashed zero 
2.) Choose Size 9-10 in Regular or Bold
3.) Examples: Consolas, Cascadia Code, Monaco, Menlo, Roboto Mono, PT Mono, etc -> https://en.wikipedia.org/wiki/List_of_monospaced_typefaces

Post-Installation Guide for KeePass / KeePassDX ->

Enable: Options -> Security -> Clipboard auto-clear time (seconds; main entry list): 5
Enable: Options -> Security -> General -> Lock workspace when locking the computer or switching the user
Enable: Options -> Security -> General -> Lock workspace when the computer is about to be suspended
Enable: Options -> Security -> General -> Lock workspace when the remote control mode changes
Enable: Options -> Security -> Clipboard (Main Entry List) -> Clear clipboard when closing KeePass
Enable: Options -> Security -> Clipboard (Main Entry List) -> Do not store data in the Windows clipboard history and the cloud clipboard
Enable: Options -> Security -> Clipboard (Main Entry List) -> use 'Clipboard Viewer Ignore' clipboard format
Enable: Options -> Security -> Advanced -> Use native library for faster key transformations
Enable: Options -> Security -> Advanced -> Enter master key on secure desktop
Enable: Options -> Security -> Advanced -> Clear master key command line parameters after using them once
Enable: Options -> Security -> Advanced -> Remember master password (in encrypted form) of a database while it is open
Enable: Options -> Policy -> Plugins
Enable: Options -> Policy -> Auto-Type
Enable: Options -> Policy -> Auto-Type - Without Context
Enable: Options -> Interface -> Main Window -> Minimize to tray instead of taskbar
Enable: Options -> Interface -> Main Window -> Minimize main window after performing auto-type
Enable: Options -> Interface -> Main Window -> Minimize main window after locking the workspace
Enable: Options -> Interface -> Main Window -> Hide 'Close Database' toolbar button when at most one database is open
Enable: Options -> Interface -> Entry List -> Use alternating item background colors
Enable: Options -> Interface -> Entry List -> When selecting an entry, automatically select its parent group, too
Enable: Options -> Interface -> Entry List -> When showing dereferenced data, additionally show references
Enable: Options -> Interface -> Dialogs -> Show confirmation dialog when moving entries/groups to the recycle bin
Enable: Options -> Interface -> Dialogs -> Show results of database maintenance in a dialog
Enable: Options -> Interface -> Dialogs -> Show confirmation dialog when opening a database file whose minor format version is unknown
Enable: Options -> Interface -> Advanced -> Require password repetition only when hiding using asterisks is enabled
Enable: Options -> Interface -> Remember recently used files: 1
Enable: Options -> Integration -> System-wide hot keys -> Global auto-type: None
Enable: Options -> Integration -> System-wide hot keys -> Global auto-type - password only: None
Enable: Options -> Integration -> System-wide hot keys -> Auto-type selected entry: None
Enable: Options -> Integration -> System-wide hot keys -> Show KeePass window: None
Enable: Options -> Advanced -> Start and Exit -> Remember and automatically open last used database on startup
Enable: Options -> Advanced -> Start and Exit -> Limit to single instance
Enable: Options -> Advanced -> Start and Exit -> Start minimized and locked
Enable: Options -> Advanced -> Auto-Type -> Always show global auto-type entry selection dialog
Enable: Options -> Advanced -> Auto-Type - Sending -> Prepend special initialization sequence for Internet Explorer windows
Enable: Options -> Advanced -> Auto-Type - Sending -> Send Alt keypress when only the Alt modifier is active
Enable: Options -> Advanced -> Auto-Type - Sending -> Ensure same keyboard layouts during auto-type
Enable: Options -> Advanced -> Auto-Type - Sending -> Allow interleaved sending of keys
Enable: Options -> Advanced -> Auto-Type - Sending -> Cancel auto-type when the target window changes
Enable: Options -> Advanced -> Auto-Type - Sending -> Cancel auto-type when the target window title changes
Enable: Options -> Advanced -> File Input/Output Connections -> Verify written file after saving a database
Enable: Options -> Advanced -> File Input/Output Connections -> Use file transactions for writing databases
Enable: Options -> Advanced -> File Input/Output Connections -> Use file transactions for writing configuration settings
Enable: Options -> Advanced -> File Input/Output Connections -> Extra-safe file transactions (slow)
Enable: Options -> Advanced -> Automatically search key files
Enable: Options -> Advanced -> Remember key sources (key file paths, provider names, ...)
Enable: Options -> Advanced -> Remember working directories
Enable: Options -> Advanced -> Remember password hiding setting in the main window
Enable: Options -> Advanced -> Remember password hiding setting in the entry editing dialog
Enable: Options -> Advanced -> Mark TAN entries as expired when using them

NOTE: The following 4 settings must be Enabled to modify or create a new Database, though after any changes are saved, they must be disabled before exiting the program
NOTE: New changes require you to selectively enable these settings, without entering in the master key, and then restart the program

1.) Enable: Options -> Policy -> New Database
2.) Enable: Options -> Policy -> Save Database
3.) Enable: Options -> Policy -> Change Master Key
4.) Enable: Options -> Policy -> Change Master Key - No Key Repeat

File -> New... 
Database Settings -> General -> Database name
Database Settings -> Security -> Database file encryption algorithm: AES/Rijndael (256-bit key, FIPS 197)
Database Settings -> Security -> Key derivation function: AES-KDF

Database Settings -> Security -> Iterations:

Example Iterations:

Start Menu -> Run -> Calc
Calc -> Menu -> Scientific
Calc -> 2 -> xY (exponent) -> 20 -> = -> 1048576 -> M+ (Memory add)
1.) Calc -> MR (Memory recall) -> x or * (multiply) -> 64 -> = -> 67108864 ( Average Delay Time -> Multicore PC: 1-2 Seconds )
1A.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
2.) Calc -> MR (Memory recall) -> x or * (multiply) -> 128 -> = -> 134217728 ( Average Delay Time -> Multicore PC: 2-2.5 Seconds )
2A.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
3.) Calc -> MR (Memory recall) -> x or * (multiply) -> 256 -> = -> 268435456 ( Average Delay Time -> Multicore PC: 4-4.5 Seconds )
3A.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
4.) Calc -> MR (Memory recall) -> x or * (multiply) -> 384 -> = -> 402653184 ( Average Delay Time -> Multicore PC: 7-7.5 Seconds )
4A.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
5.) Calc -> MR (Memory recall) -> x or * (multiply) -> 512 -> = -> 536870912 ( Average Delay Time -> Multicore PC: 9-9.5 Seconds )
5A.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
6.) Calc -> MR (Memory recall) -> x or * (multiply) -> 768 -> = -> 805306368 ( Average Delay Time -> Multicore PC: 14-14.5 Seconds )
6A.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
7.) Calc -> MR (Memory recall) -> x or * (multiply) -> 1024 -> = -> 1073741824 ( Average Delay Time -> Multicore PC: 18-19.5 Seconds )
7A.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
8.) Calc -> MR (Memory recall) -> x or * (multiply) -> 1536 -> = -> 1610612736 ( Average Delay Time -> Multicore PC: 28-28.5 Seconds )
8A.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
9.) Calc -> MR (Memory recall) -> x or * (multiply) -> 2048 -> = -> 2147483648 ( Average Delay Time -> Multicore PC: 37-38.5 Seconds )
9A.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
10.) Calc -> MR (Memory recall) -> x or * (multiply) -> 4096 -> = -> 4294967296 ( Average Delay Time -> Multicore PC: 75-76 Seconds )
10A.) Calc -> MC (Memory Clear)
10B.) Calc -> C (Clear) or CE (Clear Entry) then C (Clear)
11.) Calc -> Edit -> History -> Clear
11A.) Alternate: Calc -> Right Panel (History Tab) -> Trash Can icon in the bottom right corner (Clear)

NOTE: On most mid-range smartphones, ranges 3-7 can often take anywhere between 2-10 minutes to decrypt

Database Settings -> Compression: Gzip
Database Settings -> Advanced -> Limit number of history items per entry: 0
Database Settings -> Advanced -> Limit history size per entry (MB): 0

Database -> Right Click -> Add Group...

NOTE: More sensitive passwords typically only work with Option #2, and require Two-channel auto-type obfuscation to be disabled
NOTE: Most things work with Option #2 and Two-channel auto-type obfuscation enabled in a browser
NOTE: Option #1 works with the majority of logins for game launchers and other similar software

NOTE: In most situations, Option #2 with Two-channel auto-type obfuscation enabled will be the default choice

Option #1 -> Add Group -> Auto-Type -> Override default sequence -> {USERNAME}{TAB}{PASSWORD}{ENTER}
Option #2 -> Add Group -> Auto-Type -> Override default sequence -> {PASSWORD}

Database -> <Entry Name> -> Edit Entry...

Edit Entry -> Username
Edit Entry -> Password
Edit Entry -> Repeat

NOTE: The easiest way to set it up is assign groups with a special ruleset so post-setup configuration is easier later on

Edit Entry -> Auto-Type -> Enable auto-type for this entry
Edit Entry -> Auto-Type -> Inherit default auto-type sequence from group

NOTE: In some cases you might have to bypass the rules for individual entries to maintain a cohesive layout within the group
NOTE: This is if the software does not allow you to tab between fields, or copy paste (security software is like this.)

Option #1 -> Edit Entry -> Auto-Type -> Override default sequence -> {USERNAME}{TAB}{PASSWORD}{ENTER}
Option #2 -> Auto-Type -> Override default sequence -> {PASSWORD}

NOTE: You have to manually enable or disable this for each entry within each group:

Edit Entry -> Auto-Type -> Two-channel auto-type obfuscation

Practical Considerations / Choices for the Most Frequently Used KeePass Group Settings Templates / Layouts:

1.) Most common for computer software on a desktop / laptop (2.) Common for browser logins, and some computer software
3.) Most common for security software / programs / poorly-designed web page logins (4.) The least common type of group layout

NOTE: If you are using KeePass to create a database to export to KeePassDX, layout #2 or #3 save the most time when manually editing entries.

1.) ENABLE: Add Group -> Auto-Type -> Override default sequence -> {USERNAME}{TAB}{PASSWORD}{ENTER}
1.) ENABLE: Edit Entry -> Auto-Type -> Enable auto-type for this entry
1.) ENABLE: Edit Entry -> Auto-Type -> Inherit default auto-type sequence from group
1.) ENABLE: Edit Entry -> Auto-Type -> Two-channel auto-type obfuscation

2.) ENABLE: Add Group -> Auto-Type -> Override default sequence -> {PASSWORD}
2.) ENABLE: Edit Entry -> Auto-Type -> Enable auto-type for this entry
2.) ENABLE: Edit Entry -> Auto-Type -> Inherit default auto-type sequence from group
2.) ENABLE: Edit Entry -> Auto-Type -> Two-channel auto-type obfuscation

3.) ENABLE: Add Group -> Auto-Type -> Override default sequence -> {PASSWORD}
3.) ENABLE: Edit Entry -> Auto-Type -> Enable auto-type for this entry
3.) ENABLE: Edit Entry -> Auto-Type -> Inherit default auto-type sequence from group
3.) DISABLE: Edit Entry -> Auto-Type -> Two-channel auto-type obfuscation

4.) ENABLE: Add Group -> Auto-Type -> Override default sequence -> {USERNAME}{TAB}{PASSWORD}{ENTER}
4.) ENABLE: Edit Entry -> Auto-Type -> Enable auto-type for this entry
4.) ENABLE: Edit Entry -> Auto-Type -> Inherit default auto-type sequence from group
4.) DISABLE: Edit Entry -> Auto-Type -> Two-channel auto-type obfuscation

File -> Save

Disable: Options -> Policy -> New Database
Disable: Options -> Policy -> Save Database
Disable: Options -> Policy -> Change Master Key
Disable: Options -> Policy -> Change Master Key - No Key Repeat

Right-Click System Tray Icon -> Lock Workspace
File -> Exit

KeePassDX -> Gear Icon (Top Right Corner) -> App settings

Enable: Delete password
Disable: Write-protected
Enable: Keep screen on
Enable: Show lock button
Generated Password size: 64
Enable: Hide passwords
Enable: Remember databases locations
Enable: Remember keyfile locations
Enable: Show recent files
Enable: Hide broken database links

KeePassDX -> Gear Icon (Top Right Corner) -> Form filling

Device keyboard settings -> Manage Keyboards -> ENABLE: Magikeyboard (KeePassDX)

Enable: Magikeyboard settings -> Entry: Entry selection
Enable: Magikeyboard settings -> Keys: Auto key action
Enable: Magikeyboard settings -> Switch Keyboard: Auto key action
Enable: Autofill settings -> Manual selection

KeePassDX -> Gear Icon (Top Right Corner) -> Advanced unlocking

Enable: Device credential unlocking
Enable: Auto-open prompt
Delete encryption keys (useful only if you have to generate / import a new database layout)

NOTE: After you reboot the device / smartphone, you have to log into the database, making sure to tap the orange circle emblazoned with a lightning bolt afterwards
NOTE: Save your database ( 3 vertical dots in the top-right corner -> Save data )

KeePassDX -> Gear Icon (Top Right Corner) -> App settings

Enable: Write-protected (Only Enable after saving a working configuration)

NOTE: The Following List Describes a Process for Inputting Database Entries into the Password Field on a Login Screen / Prompt / Form:

1.) Enter in the username for the login credentials if necessary / based on entry / group layout
3.) Enable the keyboard using the following line below
3A.) Settings (Android UI) -> Language & input -> Current keyboard -> Switch from Gboard to Magikeyboard (KeePassDX)
2.) Switch to KeePassDX and select the entry from the database 
4.) Switch back to the login screen on the app and click the button with 3 stars / asterisks on it ( *** )

 

0 Replies