Domain: keepass.info
Stories and comments across the archive that link to keepass.info.
Comments · 143
-
Re:Keepass
Don't forget that Keepass 2.x series is cross platform compatible via Mono running "Windows 98, 98SE, ME, 2000, XP, 2003, Vista, 7, Mono (Linux, Mac OS X, BSD, ...)" http://keepass.info/compare.html -
Keepass
Keepass is cross platform works on PC and Linux.
:) Makes it easy to keep different credentials for every site you go to. Keeps passwords in an encrypted file.
http://keepass.info/ -
KeePass - fantastic software.
KeePass.
* Stores all of your passwords in a secure encrypted file
* Has auto-type so you don't have to type or remember your passwords
* Has a great password generator tool, so that you can reset all of your passwords to something secure
* Easily transferable password database.
* Can run off a USB stick
I checked it out a month ago on the recommendation of a mate, and have been using it ever since.
It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!
And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.
And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).
Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!! -
Keepass
-
Re:Someone had better lose their job.
I use one password for all of my accounts. It opens my Keepass store.
It's not a simple password. -
Re:When I multitask...
If you can remember your passwords, you're doing something wrong.
Just set up a master password with Firefox and get some auto-login addon like Secure Login or use a program like KeePass or Password Safe.
-
Re:News at 11
Perhaps poor form to reply to my own post, but I don't feel like replying to every comment individually, so I'm rolling up here.
First, most of the replies appear to be from people who stopped reading at "fire everyone with passwords on sticky notes", which means they missed the rest of my post: I agree with the findings of the paper and have started working towards implementing what I can in my environment. Long, complex passwords don't solve the main problems faced by businesses today (keyboard logging, password sniffing, and social engineering), and, since the things they do address aren't common, the net to a company is a loss of security.
Next, there were lots of replies stating that passwords are different from the examples I listed because passwords are ephemeral. I would agree if passwords changed every couple days; it takes me as much as a week before I stop swearing every time I try to unlock my screen after a password change. The thing is, I use the password every day, multiple times a day, for MONTHS. If that's not long enough to learn 8 bytes of new information, I don't know what is.
Similarly, people claim that the problem is having to change multiple passwords on different rotation schemes. Here, I agree. In my job, I have multiple accounts that I deal with, one primary that I use many times a day, but several others that I may only use once a month. I use a more secure version of the sticky note for those accounts: Keepass. It has an encrypted file stored on your primary system (a.k.a. the one you can learn a password for), and contains the passwords you don't use often enough to commit to long-term memory. Keepass is free, it works, and it includes a password generator to help you pick new passwords. Between repetition of my primary password and Keepass, I can log into all the systems required for my job and it doesn't involve disclosing passwords to the janitor.
Finally, many people mentioned how passwords simply aren't important to people, and that's why people can't remember them. In my view, either the accounts are personal (i.e. my bank account, my /. account, etc.), in which case the password SHOULD be important to me, since it's MY data, or the account is on my employer's system, in which case the password SHOULD be important to me, as failure to protect my employer's data could result in me being fired. If loss of my own information or the loss of my job aren't important enough reasons to remember passwords, I'm not sure what would be. If it were my job to unlock the store first thing in the morning and I kept forgetting to bring the key in, I'd be fired. If I had the key to the store and gave it to someone because they offered me a candy bar, I'd be fired. Just because passwords protect data instead of physical goods doesn't mean that passwords are any less important than physical keys. -
Re:News at 11
-
Re:HEY!
Thankfully I use KeePass myself, so I have a *different* ~20-char totally random password everywhere. If you also use a keyfile to protect the container, a trojan getting your master password doesn't matter. Some of them might also be stupid enough not to monitor the clipboard when you're pasting the password. And even if they do, you won't give out passwords to a bunch of websites, services, email, servers etc. at once, and you're protected against malicious admins or people hacking servers to get passwords because you have a different password everywhere.
I don't see why more people don't use KeePass or some other such software; it makes your passwords and accounts a lot more secure. And yes, strong passwords are better than short and easily guessed ones, especially in this case.
-
Re:News at 11
The solution for you would be KeePass.
-
Re:Is this secure enough?
According to this spreadsheet, it'd take millennia to guess my best password.
But I suspect my password will be cracked by more advanced computers long before then. Or a keylogger will get me. Or I'll die of old age.
It's about 40-50 characters long before adding a passphrase to the end. It's not written down anywhere, either on paper or digitally. Like a true geek, I remember the whole thing in my head.
And no, I don't use this password on Slashdot. This is my special "only if it's direly important" password. For slashdot and most other sites, I use KeePass to generate passwords.
-
Re:Don't use them
My pet's name is JDianD_6S8pXOHMK8m2C!
If I lose my password, I probably lost my computer(or my memory?), which means creating a new account is less hassle than what I'd be going through at the time.
But... I've never lost a password yet. The only troubles I've had with passwords is when sites get hacked. They give you short new ones by email, but the new ones sometimes don't work when you try to change them(to something more secure), so then you're stuck with them.
:/ If you actually use the secret questions from time to time, I suggest you lock your passwords away with KeePass and put a good master password on it instead. Random hexadecimal passwords of random lengths are way harder to guess than a secret question!
-
Portable Safe
I have one 512MB USB key that I got as a promo. For the longest time it just sat there. Then I decided that I had too many passwords, and too many places to use it. Now I use it for some of my important documents, documents that I'm taking to client sites, and most importantly, my copy of KeePass. I use the portable Windows version, put all my passwords in there, and now I only need to really remember 1 password when I'm at my computer. I plug it in when I get to work, take it back home with me when I leave, and the database is encrypted, so I should have enough time to redo all my passwords if someone should steal it. Now the data on there is more valuable than the hardware, and so is the convenience. If you want to take it a step further, you could encrypt the drive and have a more effective portable safe for all your documents, but it would be less useful for moving client data.
P.S. Of course I have a backup of the password database. -
Re:Group passwords and write 'em down
Why not allow reliable software such as those listed below to generate and manage your passwords? Passwords suck as security, but they aren't going away. These even let you set up rules for generating the password.
http://passwordsafe.sourceforge.net/
http://keepass.info/download.html -
I don't like OpenID
I don't really like OpenID. I have a lot of email accounts that are separate for a reason. It annoys me when I go to a random site, and one of them is pre-entered into a login box.
I use KeePass to manage usernames/passwords. Having a single ID/password isn't any more convenient.
-
Re:Why?
That's one solution. I began looking into separate password managers a year or two ago. The two solutions I found that looked the best, at the time, were KeePass and Bruce Schneier's Password Safe.
Ultimately, though, I decided against either one. The problem with using something like that is that, now, I don't actually know the passwords for all of my accounts. If something goes wrong, or I just don't have access to the safe (like maybe I am away from home and forgot to bring my USB key along, or I'm using a computer which I don't want to stick the key into (because the key might get infected with some virus/trojan if I stick it into a public PC, or maybe there is malware on the PC which, once I've unlocked the password safe, grabs all the account/password info)), I can't get into my accounts.
The real, true, ultimate problem isn't that people need a password safe. It's that people need fewer accounts/passwords. We need something like OpenId to become more widespread. Now, you probably wouldn't use OpenId (or some analog) for very sensitive accounts like bank/paypal/amazon.com/etc, but how many times have you been to a site where you wanted to post in a forum, or add a comment to a blog, but then you were confronted with being forced to register an account? On the one hand, that might cut down on spam/noise/trolls (or it might not; if you are a troll or spammer, you just register an account without worrying about ever using it again, so you don't care what the password is or if you remember it), but it also cuts down, I'm sure, on worthwhile posts because people can't be bothered to try to remember yet another password (or they just end up using a very small number of passwords everywhere).
I wish more sites used OpenId. Seems like only a very small minority of sites I've visited offer that as an option.
-
Re:I NEVER use these fields
Here are two: Roboform - www.roboform.com (this is what I use, but is not free) and KeePass - http://keepass.info/ (this is free)
-
Bruce covered this, twice...
Bruce Schneier already covered this, first in a 2005-02-11 entry in his blog, and again in a 2008-04-04 essay for ComputerWeekly.
I am absolutely not trying to compare myself to Bruce, but I recognized the weakness of security questions prior to his writings, when I was using his freeware PasswordSafe in 1997. (I've since moved to KeePass... not fucking plaintext Post-it Notes, FFS).
Like Bruce, I've always filled these Q&A fields with 64+ printable ASCII characters via PasswordSafe's/KeePass's integrated CS-PRNG, which I do not record. When I can provide the question, even better. Two crazy-ass-long fields for an attacker to guess.
It should be obvious, no? A constrained set of questions (2-4 bits of entropy), each with a correspondingly constrained set of answers... ("First make of CAR???" You gotta be fucking kidding me... Why not be done with it, and offer 2kB dictionary downloads for brute-force attackers right on the Lost Password form?) Compare these constraints to a proper, lengthy CS-PRNG alphanumeric pass[word|phrase]... No contest. -
Re:I NEVER use these fields
A custom encryption solution? Ok, but what about those of us who aren't Bruce Schneier?
I don't have any affiliation with the software/devs other than being a long-time user and occasional bug-reporter, but KeePass:
A) Is GPL. Haven't been through the source myself, but I find it highly unlikely that a 'government back door' would go unnoticed.
B) huh..?? Don't really follow what you're getting at here.
C) Have KeePass generate a key-file for you, which you then need to use along with the password for two-factor auth. (obviously don't keep the key file with the password DB!). Layer on more levels of encryption by putting the password store inside a TrueCrypt volume (hidden volume if you want to go with deniability as well), etc, etc.
On top of that, KeePass has some pretty nifty features like auto-type w/ obfuscation that (claims to) break all known keyloggers and clipboard spies, in-memory encryption so your passwords will never show up unencrypted in a page file, and configurable key-transformations to slow dictionary attacks, to name a few. I personally trust it more than I trust an encrypted network connection and use it for everything these days. Seriously, check out their security page.
Unfortunately it's for Windows only, although there is a cross-platform port called KeePassX (haven't tried it yet myself). -
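The key-file second factor and the configurable key-transformation rounds mentioned in the comment above, shown as an added example that is not KeePass's own code: it keeps the composite-key idea (hash each factor, concatenate, hash again) but substitutes iterated SHA-256 for KeePass's AES-based transform, and all seed, key-file and password values are constructed.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Constructed sample values, not taken from any real KeePass database.
SAMPLE_SEED = bytes(range(32))                                    # per-database transform seed
SAMPLE_KEYFILE = hashlib.sha256(b"constructed key file bytes").digest()


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Password-only or password+key-file composite key. Each factor is hashed,
    the hashes are concatenated and hashed again, so guessing the password
    alone never reproduces the key when a key file is in use."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def transform_key(composite: bytes, seed: bytes, rounds: int) -> Tuple[bytes, int]:
    """Key stretching: `rounds` seeded hash iterations. This is a stand-in for
    KeePass's AES-based transform (assumption: only the cost property matters
    here, i.e. work per guess grows linearly with rounds).
    Returns (stretched_key, hash_operations_spent)."""
    k = composite
    for _ in range(rounds):
        k = hashlib.sha256(seed + k).digest()
    return hashlib.sha256(k).digest(), rounds + 1


def derive_master_key(password: str, keyfile: Optional[bytes],
                      seed: bytes, rounds: int) -> bytes:
    """Full derivation a database would perform when unlocking."""
    key, _ = transform_key(composite_key(password, keyfile), seed, rounds)
    return key


def try_candidates(candidates: Iterable[str], keyfile: Optional[bytes],
                   seed: bytes, rounds: int,
                   stored_key: bytes) -> Tuple[Optional[str], int]:
    """Measure what a list of candidate passwords costs against one database
    key and whether any of them reproduces it. Used here to show that a
    missing key file defeats the guess even when the password is in the list,
    and that every candidate pays the full round count.
    Returns (matching_password_or_None, total_hash_operations)."""
    work = 0
    for candidate in candidates:
        key, ops = transform_key(composite_key(candidate, keyfile), seed, rounds)
        work += ops
        if key == stored_key:
            return candidate, work
    return None, work


def seconds_to_exhaust(dictionary_size: int, rounds: int,
                       ops_per_second: float) -> float:
    """Time to try every dictionary entry once at a given hash throughput;
    each entry costs rounds + 1 operations in this scheme."""
    return dictionary_size * (rounds + 1) / ops_per_second


if __name__ == "__main__":
    rounds = 6000
    stored = derive_master_key("correct horse", SAMPLE_KEYFILE, SAMPLE_SEED, rounds)
    words = ["123456", "password", "correct horse"]
    # Password is in the list, but without the key file nothing matches.
    print(try_candidates(words, None, SAMPLE_SEED, rounds, stored))
    # With the key file the third candidate matches after 3 * 6001 operations.
    print(try_candidates(words, SAMPLE_KEYFILE, SAMPLE_SEED, rounds, stored))
    # Raising rounds from 6000 to 6,000,000 multiplies the attacker's time by ~1000.
    print(seconds_to_exhaust(10**6, 6000, 10**6),
          seconds_to_exhaust(10**6, 6_000_000, 10**6))
```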
Re:I NEVER use these fields
You mean like this? (it's an AutoIt script, not a Firefox plugin, but does what you want)
-
Re:I NEVER use these fields
-
Re:I NEVER use these fields
How do you keep track of all the different passwords of all the different websites which you sign into?
Use KeePass or another key storage system.
Now, if it had an automagical firefox plugin that would let me create a strong password for a site and store it in my key database, that would rock.
-
Re:no encryption that YOU didn't write is safe
I introduce people to KeePass Password Safe and teach them how to use it to store and generate passwords. It can auto-fill in passwords, stores them in an AES encrypted database, can store attachments (say, your GPG private key,) and supports keyfiles. It's small enough to fit on a USB key, and open source. It has autotype, and that checks the URL. This reduces the risk of typing your password into a phishing site. Because of this program, almost all my passwords are >20 characters of random junk, and I don't know any of them.
-
Re:WEAVE
I want google sync too but honestly it's too much of a security risk on its own. Honestly, encrypted passwords? Come now.
Form data? Plenty of stuff out there for that, although not all in one combination.
Encrypted passwords? bring them on Keepass. http://keepass.info/download.html
I fail to see how this synchronizes cookies, bookmarks, passwords among multiple computers that I am using at the same time which is what Google sync solves for me.
I think they use blowfish algorithms for the encryption
Google browser sync uses RSA.
-
Re:WEAVE
Hey, not so much.
I want google sync too but honestly it's too much of a security risk on its own. Honestly, encrypted passwords? Come now.
Form data? Plenty of stuff out there for that, although not all in one combination.
Encrypted passwords? bring them on Keepass. http://keepass.info/download.html
Works on Linux, Windows, everything, free. Notably, you can require a key stored on something in addition to the password to decrypt. So USB key + password to decrypt. Works flawlessly and smoothly. Go ahead and store that encrypted file anywhere; I think they use Blowfish algorithms for the encryption.
Forms, well, tons of stuff for that.
Please don't assume that I wanted to have all my data stored on the web. That's just not a good idea. I don't care who can see my bookmarks, even at work. I do care who can see form data. I know how to keep my systems safe and secure but still, not worth the risk here. honestly.
-
How about
Keepass on a USB stick? Although if the problem is phishing, I guess it wouldn't help much. Anyone smart enough to use keepass should be smart enough to see a phishing attempt - yes or no?
-
KeePass
KeePass might work well for this, and has the added benefit of encryption. I use it to store a lot of networking-related information at work, and with its search capabilities it has been quite useful.
-
Re:More complex, more problems
Use KeePass.
I've been using it for over 3 years, and have somewhere north of 200 passwords stored for different systems, sites and organizations.
It'll even generate new random passwords for you and can keep track of expiration dates. -
Re:PBKAC
So you can't memorize a new phone number every 30-90 days? Also you can cycle these back after so many changes (usually 3 to 6). You can't memorize (up to) six 8 character strings? Really?
Do you think people in IT don't have to deal with the same problem? Don't you think we have far more passwords to maintain than you do?
I have about 80 passwords total that I have to maintain professionally and personally. So, like an adult, I accepted that responsibility and found a way to manage it. I use a piece of software called KeePass, which I highly recommend.
(Also I change my bank PINs quarterly, and I have about 8 different PIN numbers from different cards.) -
Re:What did I gain?
-
Time to Start Encrypting!
The only thing I can say, is I've started some major "learning" about encryption and various other personal privacy applications.
So far, what I've found and like are:
TrueCrypt - "On-The-Fly" Disk/Storage Encryption. Actually, I've been using this for 24 hours and love it. I've also seen great reviews of this, and some of its very interesting features, such as plausible deniability. Oh, and it's Free Open Source Software. Available for Windows 2K/2K3/XP/Vista, Linux, and soon MacOS (v5.0, due in Jan 08)
KeePass - Encrypted Password Storage Database. I've been using this for years, and love it. Also good reviews. If you wish to try it, there are two versions, v1.x and v2.x. v1.x (1.10 being current) is the original independent version. Can be run standalone, no system requirements (.Net or the like). Can be run from a USB Key. v2.x (2.04 being current) is a total rewrite of the application based on the .Net libraries, which are required. This version is ALPHA quality and does not yet meet the current functionality of the 1.x branch. This was started due to the fact of people requesting features that would require significant rewrites to implement. Also FOSS. Available for Windows 98/98SE/ME/NT/2K/XP/2K3/Vista 32 and 64 bit. Third party ports also available for PocketPC, Linux, MacOSX, J2ME, Blackberry, PalmOS.
Gnu Privacy Guard - An open source PGP implementation. I use a port of this, GPG for Windows. It seems a bit clunky, and I am actively looking for something to replace it, so suggest away if you do know something better. I will say though that it does work as advertised, and it's FOSS. GPG is distributed mainly as source code I believe, whereas G4W is as binaries.
People have looked at some of us who use PGP/GPG, and other encryption/digital signatures for a few years with the look of "why do I need that, I have nothing to hide." I keep waiting for people to finally wake up and realize that the concept of "inherent privacy" (meaning anything not actively publicly published is not publicly known) is gone. We have entered the age of "explicit privacy." If you want something to be private, you must make it explicitly so, especially on your computer, with these recent news articles of laptops being fair searching territories at Customs, or the reports that the NSA has feeds from AT&T's offices to intercept everything. -
Re:Ways a recession could affect Opensource
It's about the attitude.
To put this simply: There are two rates that affect Opensource with respect to the economy. The rate of:
- new people available to projects
- old people now unavailable to projects
I observe that at this time, the increase in new people on the Internet dwarfs changes in either rate. True, the loss of key players can kill a project. Just because more middle-class white males may be forced to stop working on 'F/OSS' will not mean the end of F/OSS. OpenSource is not a business in competition with proprietary software. And as long as a project is Opensource, someone can dig up the old tapes and start patching away. The pool of raw talent is growing. Invite these new people in, they might be able to help.
Inability to upgrade, leads to more intense skill sets.
I agree that manufacturers have been dumbing down the documentation. This is done not only to be friendly to the Aunt Mable crowd, but also to protect this new "Intellectual Property" that the marketing department has gotten the legal department worked up about.
However, real - or open - standards vs fake - de-facto / Microsoft - standards are published in their gory detail. Many many books are published today on the details of how things work, worked and will work. However, you must go to your library and read them to benefit. Today many people want instahacking sk1llz at the push of a button. Unfortunately, the real world is also garbage-in/garbage-out. Those 3rd world folks are required to put in the effort to make work what is just a push-of-a-button away for 1st world people. The difference is subtle: they have to read, you ought to read.
And, to top it off, I resent the SourceForge and all such "organizations". I much enjoy and miss, the days when each project had its off-beat web-site hanging off of some obscure computer connection, or even hosted by some free hosting site like Geocities. Greatly enhanced the fealing of individuality and added a lot of color to the Linux community. When Sourceforge came around, it so much feals corporate, institutionalized and all the horrible things that most of us hate.
Enhanced the fealing (sic) of individuality? Don't you mean ugly?
Hmmm, let's see: sourceforge provides webhosting and other tools for a project, but how many still have their own websites?
- Slashcode @ sf.net points to slashcode.org
- keepass project's site is keepass.info
- filezilla is hosted at filezilla-project.org
- The TortoiseSVN project has a nice site at tortoisesvn.net
- Clamwin uses clamwin.com
- many more...
And that was just from clicking randomly on the top 10 downloads page. (Technically I also hit sourceforge's own project, but can you really blame sourceforge for hosting at sourceforge?) I don't really see the addition of a useful 'professional' index really impacting the 'feals' (sic) of the projects. I think it's less Geocities and more "it's only 100 bucks, just register the domain already."
You still end up at some obscure computer connection for many projects. Not everything is a myproject.sourceforge.com site. However, for tiny projects they get free hosting and some do fairly -
Re:It's too difficult to use strong passwords
-
Re:Slight problem with this approach
You might want to try Keepass (http://keepass.info/) in the PC based password manager realm. It has ports to most operating systems you might want plus a slew of handheld devices. Not to mention that the interface is nice, it has a decent password generator, and is free as in beer / speech.
-
Re:Salt
KeePass Password Safe is even better. There's also a Linux and OS X port.
-
Re:What they don't say
Even worse is that once you break one of the unreasonable policies (no admin logon on a developer machine, say), it's hard to keep any respect for the more reasonable ones. A bit of trust and leniency would go a long way toward respect. You could for example tell employees that they should avoid spending a lot of bandwidth during peak hours, and give people plenty of warning if they're hogging all the gas.
Oh, and help them out a little by hinting about things like KeePass for passwords, TrueCrypt for sensitive data, and MD5 Password generator.
-
I use a small program for this . . .
KeePass
It generates passwords for you, letting you set the length and what characters are included. Then it stores them all for you.
You can use one password to protect all your other ones.
You can even set expiration in the program to remind you when to change a password.
I used to re-use the same three or four passwords everywhere. But now nearly all of mine are quite random.
Give it a try. -
Re:Firefox no longer safe?
I would give Keepass a look if you want a phenomenal password organizer. Its auto-type feature is unparalleled!
-
Use a password manager
I don't trust any browser to save my login information. I use keepass. It's FOSS too.
http://keepass.info/ -
It's already been done
It's already been done, and the result is open source: KeePass. Unlike other password managers, KeePass stores passwords in a cryptographically-safe database. Passwords are never entered automatically -- you can double click the KeePass password field to copy the password to the clipboard for 10 seconds, and then paste it into the Web page's password field. After 10 seconds, the password is automatically removed from the clipboard. Works for more than web pages, too.
-
KeePass
Use KeePass http://keepass.info/. Open source, and better automation with websites and much more control than the internal password manager.
-
The ultimate password manager tool
Well, I have tried everything (from PINs to Password Gorilla).
The winner is KeePass 1.x
- it's secure - AES and Twofish
- fast
- easy to use
- cross platform
- good import/export routines
I use the same database under my windows box (KeePass), under my various Linux boxes (KeePassX) and also my Mac laptop with OS X (actually, under ubuntu/ppc you can also download keepassx from the official repository!)
It's also possible to use the same database on PalmOS and PocketPC.
http://keepass.info/
http://keepassx.sourceforge.net/
http://keepasssd.sourceforge.net/ -
I just use KeePass
Having a separate password for 50+ websites is not realistic when you plan to memorize them all. I use KeePass to have very random 16+ char passwords (that I do not bother to remember) for every place I visit, and one master password to access the database.