Domain: keepass.info
Stories and comments across the archive that link to keepass.info.
Comments · 143
-
What password manager does everyone recommend?
Please recommend a password manager.
I wish open-source programmers would be more careful about choosing names. Keepass sounds like "Keep Ass".
Information about Keepass: KeePass Password Safe
Does Keepass synchronize across devices? -
Re:Not buying it now!
Keepass https://keepass.info/ is what I put first on any new device; you can use your own "cloud" to store and share the database.
-
Just use KeePass
Just use open source KeePass to hold your passwords and use DropBox to sync your encrypted database between computers/phones/tablets. Works great between Windows, iOS, and Android at least. http://keepass.info/
-
Re:I would think many use same the password
I would think many use the same password. I do for ease of use. Knowing when to use a unique one is the trick - to add: almost all of mine are unique.
Why would you ever use the same password twice when there is KeePass? You memorize one complex, annoying, long password which unlocks your database, then generate really really long, complex, annoying passwords (that tend to break the authentication software of many naively written websites) for each and every individual account. Everything goes into the database, with lots of nice metadata like the date of account creation and the recovery questions and answers. That way you can lie on the recovery answers intentionally, and not have to worry about remembering which site you told which lie. (You didn't think my dog's name actually was AdmiralNelson did you?) About the only thing which doesn't go into the database is the passphrase for the encrypted volume in which I keep all my nuclear secrets. I memorize that one too.
Linux tard
:) I use acerose and have for many years. So buggy Wine program working site refused to post my "how to" :) As for my secret identity I use http://www.fakenamegenerator.c... and keep re-rolling it till my area code is close. (appears to be spam alone sides, all white space).
-
Re:Good move
> very little choice but to write the password down on a little yellow sticky note
Why aren't you using a password manager like KeePass or KeePassX and just remembering one passphrase to access all your other passwords???
-
Method #3
There are two ways to log in on websites: try to recall the email address and password you registered with -- or
... (snip) Or pick door #3.
-
Re:KeePass FTW!
I'll second KeePass. Not just because it's what I use, but because it takes serious measures to protect your data. Anyone can make a functioning password safe, but the way KeePass does it shows it was designed with an eye toward security. As a dev, I can appreciate it.
A browser extension? Really? Your OS has a massive, old, reliable security feature in that one process can not easily access the memory of another process, and you choose to not use that and instead build support directly into the largest attack vector on your PC, the browser?
-
Re:keepass
The KeePass database format is documented and a de-facto standard. There are independent implementations for non-Windows platforms such as KeePassX. The KeePass download page links to a whole bunch of them.
-
Re:keepass
KeePass, or any other offline password manager, is a good first step. I really shouldn't need to go into the inherent issues with using an online password management system. However, to improve the security of the database, go with two-factor authentication by adding plugins such as OtpKeyProv and configuring KeePass to use it in conjunction with a Yubikey token.
(Disclaimer: I am not associated with either the OtpKeyProv developer or with Yubico. I use them as examples based on past successes.)
-
Still charging for two factor support
Which is why I still don't use it. If they really wanted to bolster security then MFA should really be standard, IMHO.
I will just leave this here...
http://keepass.info/help/kb/yu... -
Re:Complex Passwords
Who the hell can remember 100 different complex passwords?
Me. This is a solved problem.
-
Re:Which KeePass?
The one at keepass.info.
If the forks haven't made any major refactoring they should still benefit a lot from this, since they can diff from the audited version and see if any of the problems found are still present in their code.
Sure, they can have added new ones, but that is one of the costs of making a fork. Personally I don't like the idea of electronic password managers since I feel that too much damage would be done if the manager is compromised.
I feel that a note next to the computer with a few hints to what the password would be is safer, since anyone getting control over my computer can't get all passwords with a single key sniffer and has to wait until I actually access the page they are interested in.
If they break into my house and murder me to get the note they will probably not bother and just take my credit card from my wallet instead, but at that point I am not very likely to care. -
Re:KeepAss?
An open-source password manager (and generator, I believe?)
http://keepass.info/ For lots of OSes: http://keepass.info/download.h...
With lots of plugins: http://keepass.info/plugins.ht... -
Re:Both awesome and sad
You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security?
Apparently... This issue has been addressed now by the developer, a testing version of the fix is available and is undergoing testing, and the security recommendations made will be included in the next version of software. There is already a digital signature included in any update that should raise a flag if anyone were to download a bad file from an insecure source.
I'm not sure what the whole story is (and don't really care enough to read through the endless internet commentary to find out), but it sounds like the guy was dealing with some web hosting constraints for the website, and he didn't want to implement a half-assed solution. But people complained, and he responded. After only a few days of complaints, he appears to have implemented the solution... which is a lot better than I can say for most free software.
(And just as a sidenote -- anyone who downloads a security product or an update to one without checking to see that it's legit already is engaging in potentially dangerous security protocols. If they are doing this with random software, they could easily be installing a keylogger or something on their machine which could undermine KeePass's security, whether or not it had anything to do with a KeePass update or some other random software asking to install. I agree the developer's attitude was problematic, but his original recommended fix of actually verifying the legitimacy of any updates to security software is actually a BETTER policy than just depending on the fix to KeePass itself.)
-
Re:HTTPS is that hard to do?
So the summary is wrong?
KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check
Also You're wrong.
-
Fixed, and apparently not an HTTPS issue
The security issue seems to be fixed as of KeePass 2.3.4 and it looks like the discussion about HTTPS and ads is missing the point. From the website (http://keepass.info/help/kb/sec_issues.html#updsig):
"There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.
First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.
KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures'. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.
The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent a compromise of the download server; checking the digital signature does.
The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.
Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-2048 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. This solution is more secure than just using HTTPS, because it guarantees version information safety even when the webserver is compromised (the private key for signing the version information is not stored on the webserver)."
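The notice above describes a version-information file whose signature is checked against a public key built into the client, so neither a man in the middle nor a compromised web server can make the client believe a bogus version exists. The Go program below is an added illustration of that check, not KeePass's own code: the body format (just a version string), the key generation, the version syntax and the sample values are assumptions, and the real file layout is not reproduced.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"fmt"
	"strconv"
	"strings"
)

// SignedVersionInfo is a constructed stand-in for a signed version information
// file: a short text body plus a detached RSA-2048/SHA-512 signature over it.
type SignedVersionInfo struct {
	Body      string // constructed format: the advertised version, e.g. "2.34"
	Signature []byte // RSASSA-PKCS1-v1_5 over SHA-512(Body)
}

// NewPublisherKey generates a 2048-bit RSA key pair. The private half stays
// offline with the publisher; only the public half ships inside the client.
func NewPublisherKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// SignVersionInfo is the publisher-side step, done on a machine that is not
// the web server, so a server compromise does not expose the signing key.
func SignVersionInfo(priv *rsa.PrivateKey, body string) (SignedVersionInfo, error) {
	digest := sha512.Sum512([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return SignedVersionInfo{}, err
	}
	return SignedVersionInfo{Body: body, Signature: sig}, nil
}

// VerifyVersionInfo is the client-side step: a body altered in transit, or
// re-signed with any key other than the publisher's, is rejected unparsed.
func VerifyVersionInfo(pub *rsa.PublicKey, info SignedVersionInfo) error {
	digest := sha512.Sum512([]byte(info.Body))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], info.Signature); err != nil {
		return fmt.Errorf("version information file rejected: invalid signature")
	}
	return nil
}

// parseVersion turns "2.34" into []int{2, 34}; anything else is an error.
func parseVersion(v string) ([]int, error) {
	var out []int
	for _, p := range strings.Split(strings.TrimSpace(v), ".") {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version component %q", p)
		}
		out = append(out, n)
	}
	return out, nil
}

// newerThan reports whether a is strictly higher than b; when one version is
// a prefix of the other, the longer one (e.g. 2.33.1 over 2.33) counts as newer.
func newerThan(a, b []int) bool {
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return len(a) > len(b)
}

// CheckForUpdate mirrors the behaviour the notice describes: verify first, then
// compare versions, and only ever report that a newer release exists. Nothing
// is downloaded or installed; that remains a manual, signature-checked step.
func CheckForUpdate(pub *rsa.PublicKey, info SignedVersionInfo, installed string) (bool, error) {
	if err := VerifyVersionInfo(pub, info); err != nil {
		return false, err
	}
	avail, err := parseVersion(info.Body)
	if err != nil {
		return false, err
	}
	cur, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	return newerThan(avail, cur), nil
}

func main() {
	publisher := NewPublisherKey()
	info, _ := SignVersionInfo(publisher, "2.34")
	fmt.Println(CheckForUpdate(&publisher.PublicKey, info, "2.33")) // true <nil>
	tampered := info
	tampered.Body = "9.99" // body changed in transit; signature no longer matches
	fmt.Println(CheckForUpdate(&publisher.PublicKey, tampered, "2.33")) // false + error
	forged, _ := SignVersionInfo(NewPublisherKey(), "9.99") // signed with the wrong key
	fmt.Println(CheckForUpdate(&publisher.PublicKey, forged, "2.33")) // false + error
}
```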
-
Re:Network Access??
It is not for the base software functionality. It's for the optional upgrade check, which connects to the website and downloads a signed binary. If you're concerned about the integrity of the binary, compare the hashes yourself.
-
Re:Locksmith, four seconds to unlock your house/ca
When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.
Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.
There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get into. Sometimes, convenience does trump security.
That's why I used to use a three password system. One simple alpha password for accounts that don't matter and then beta and gamma passwords for sort of secure and really secure accounts respectively and then a delta password for my email. Nowadays I use a Password Manager and Two Factor Authentication for every place that allows it. I use KeePass because while I'm pretty careful I wasn't help with the security of a 3+1 password system nor the flexibility such as the fact that I tended to use Alpha for everything and only switch when that site got hacked. I started to use Google Authenticator but I hit that phone failsafe issue where I was constantly worried about what happened if my phone was off or dead or lost. The fact that I had to go through a version of that when I switched phones only cemented my fears. I ended up at Authy and full Two Factor because Authy provided me the flexibility and failsafes to complete the loop that KeePass started. I now feel comfortable with appropriately complex passwords on everything. I don't worry about having to enter them on my phone because KeePass has android ports that can access a cloud stored back up of my database. It's controlled (by me), it's uniform. I know how to do it on every site I need to do it on. It's practically unintrusive at this point in my life. The type of security I'll use is about how much I trust it, how consistent the experience is and how easy it is to use. Two Factor isn't hard and it's rigidly consistent.
-
Re:Seems like time to consider the alternatives
keepass is cross platform, using the same file on Linux/Win/Android/MacOS. You can store the encrypted database in a cloud-based service like dropbox and have a highly portable system for password storage on-line & off-line.
That's what I do. For added security, I have a key file that I never put online and only stored locally on my laptop/phone. That way, even if someone gets my database AND somehow intercepts my password they're still out in the cold.
KeeCloud is a good place to start. Then just pick a browser integration plugin and you're off. For android, Keepass2Android is a good choice, too. It has an integrated keyboard that will directly type the username and password into the browser (or app) so you can avoid all those clipboard stealing exploits.
-
Re:Wah wah...
KeePass is free and open source, and easy to use. Its interface is fairly basic, but it gets the job done. It can generate strong passwords, it has a password strength checker, some fairly decent management and organization options, etc. It's aimed primarily at Windows but it can function in Linux and BSD (including OS X) under Mono, and fully supports this. We use this at my workplace and it serves its purpose.
However, I personally am a fan (and long-time user) of 1Password, which is my vault of choice. It's got a highly polished and very easy to use interface, very active development, it's cross-platform Windows, OS X, iOS, and Android. It has plug-ins for all the major web browsers. It supports a range of features KeePass lacks, and also some third party support (like DropBox, for keeping your vault synced over all devices). It's also got a good community--I've found a few bugs myself, and the developers were very accessible and responsive to my posts in their 1P forum they have available for such things. The only downside with 1P, of course, is that it is not free nor is it open source (though the schema and design of their vault file format is fully open and documented, and has been audited in the past). However, I think it is worth its price, and I'm happily a paid user. -
Re: Will Use Neither
Versions I use:
iPhone: https://itunes.apple.com/us/ap...
Android: https://play.google.com/store/...
Windows: https://ninite.com/keepass
Linux: http://keepass.info/help/v2/se... - Mono supported
More versions (official and unofficial at: http://keepass.info/download.h... )
Without access to Dropbox, you could use others: OneDrive, Google Drive, Box, etc. What's available largely depends on what's allowed (or just not yet blocked). Also, options MIGHT be expanded with plugins: http://keepass.info/plugins.ht...
Keepass allows plugins... one of which has Two Factor: http://keepass.info/plugins.ht... - I've never used it, so I'll leave it up to you. Other options exist at the plugins link above. -
Re:Never reuse passwords
This kind of stuff is the reason I never re-use passwords across services. All my passwords are randomly generated and stored by KeePass. Sure, it's a little less convenient to have to unlock the password safe in order to get into services, rather than just type in something you've already memorized. But, it's the only way to be sure that having your password compromised on one service won't compromise an account on another service. Even if the service isn't externally compromised, there's probably a lot of systems out there where employees (DB administrators, programmers) can gain access to the passwords from various methods such as logs or unaudited code.
I think this whole password fiasco has gotten super fucking complicated for a normal human being.
When you need a password manager application to tell you what to type into the computer, we might as well all just switch to a tokencard system.
Or better yet, write your passwords down on a card in your wallet. Write your login names down on your password-protected phone. Problem solved. Go ahead and try to hack that system remotely.
-
Re:I'm working on apps without passwords
The one-password-to-rule-them-all sounds like KeePass.
The "procedurally generated passkey" you mentioned sounds like a One Time Password algorithm such as HOTP or TOTP; both of which are standards (RFC 4226/6238 I think). HOTP support is built into KeePass, and TOTP is available as a plugin. Not the simplest thing to set up, but I'd rather someone improve the current wheel before reinventing their own. Doubly so in security.
-
Re:Who the fuck would use something like that?
And how else are you going to manage the hundreds of dozen-character long, unique, and complex passwords you want to use with each site?
With an offline tool, like KeePass. Same functionality, only stored locally (or on your phone), not on the cloud.
-
Re:Memorizing site-unique passwords isn't possible
For someone who does want an online identity, password management software is by far the best option for anyone with a moderately valuable one. Of course there isn't a perfect solution, but it would be wronger than wrong to suggest that since there are ways to subvert password management software, then it's no better than memorization. A good camera angle or keylogger will steal your memorized passwords as you type them just as easily as it will from a password manager. Easier, in many cases. And your "single point of failure" argument is weakened by the fact that even a moderate password locking a database of one of the popular password managers would be resistant to years of offline attack. I mean, sure, the lack of convenience is an argument against using a password manager, but it's also an argument against wearing a seatbelt. It's needlessly risky to type a memorized password into a site where you have no visibility on what they're doing with it, what security they have in place to detect breaches, or even if they'd notify you when your credentials were stolen. Monitoring your credit report is a valuable part of a defense in depth but not as an alternative to good password practices.
-
Re:Memorizing site-unique passwords isn't possible
Well, no. That's an entirely different type of attack, requiring entirely different skills and resources. Script kiddies are perfectly able to download a bunch of leaked databases, look for username or email address matches between them, read the passwords in plaintext, guess that you're using the site name or url to modify your passwords, and then try your username and password on amazon or banking or webmail sites. They're not going to be able to say "Man, look at that guy's password! I should hack a trojan onto his computer by backtracing his IP address using a Visual Basic GUI!"
Also of note, KeePass has defenses against keyloggers. -
Re:Dumb dumb dumb advice...
Keepass http://keepass.info/ has versions for all OSes and the database can be securely put on a flash drive
-
Keepass
Use Keepass and convey the master key verbally or some other medium, it's designed for this sort of thing...
-
KeePass
KeePass http://keepass.info/ is the first thing I put on a new device.
-
Reposting/Fixing My List
This list is part of a much longer list that I maintain and sometimes publish.
* 7-ZIP -- Create/Extract ZIP and many other file compression formats, very powerful. Note: can open some installer EXE and MSI files (see Microsoft Orca for more MSI options) (free, open source, Windows, there may be Linux/Mac variants). http://www.7-zip.com/
* CCleaner -- System optimization, privacy and cleaning tool. (free, closed source, Windows) http://www.ccleaner.com/ **Alternate Tool** BleachBit -- Free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn't know was there. (free, open source, Linux/Windows) http://bleachbit.sourceforge.n...
* Greenshot -- Good screenshot tool with simple annotation options. (free, open source, Windows) http://greenshot.sourceforge.n...
* IrfanView -- Image program: view, convert, crop, optimize, slideshow, batch processing etc. (free noncommercial, closed source, Windows) http://www.irfanview.com/
* Instantbird -- Multi Protocol Instant Messaging (IM) Client - AOL, MSN, Yahoo, etc. (free, open source, Linux/Mac/Windows) **Alternate Tool** Pidgin -- Multi Protocol Instant Messaging (IM) Client - AOL, MSN, Yahoo, etc. (free, open source, Linux/Mac/Windows) http://pidgin.im/
* KeePass Password Safe -- Good quality secure password manager, stores passwords encrypted. (free, open source, Windows, Linux/Mac with Mono) http://keepass.info/
* LibreOffice -- Power-packed Open Source personal productivity suite for Windows, Macintosh and Linux, that gives you six feature-rich applications for all your document production. Excellent replacement for other Office Suites, can open many different and sometimes odd file types. (free, open source, Linux/Mac/Windows) http://www.libreoffice.org/
* Mozilla.org Firefox -- Web browser with more security than Internet Explorer (free, open source, Linux/Mac/Windows) http://www.mozilla.com/ http://www.mozilla.org/
* SpeedCrunch -- fast, high-precision and powerful cross-platform desktop calculator (free, open source, Linux/Mac/Windows) http://www.speedcrunch.org/ & http://speedcrunch.blogspot.co...
* UltraEdit -- Probably the absolute best, most powerful text editor around: edit huge files, FTP, column mode, and more (shareware, closed source, Win/Mac/Linux) http://www.ultraedit.com/ **Alternate Tool** Notepad++ -- Good text / source code editor replacement for Microsoft Windows Notepad/Wordpad (free, open source) http://notepad-plus.sourceforg...
* VLC Media Player -- One of the best media players out there. Highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...) as well as DVDs, VCDs, and various streaming protocols. It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network. (free, open source, Linux/Mac/Windows) http://www.videolan.org/ -
Re:Answer too long to fit in subject line
A text file, encrypted locally with a long password (something I can remember easily, but quite long) and then uploaded to Google Docs for easy access anywhere that I have the decryption software. If I need a password, I just open that file up and copy / paste the password needed - then close it again. If I make a change to a password I can just change it once and that populates to all the other locations where my Google Docs are stored, but it is fully and safely encrypted the whole time.
I even have an app for my phone in case I need it, but there are three factors of authentication: my phone's login, a short PIN for the app, and then my full encryption password.
Just FYI, KeePass does basically the same thing for you, but in a user-friendly, searchable, generally-less-mucking-around-required database. Pop the encrypted database file into Google Docs or Dropbox or somewhere and boom, you're done.
I suppose one benefit of using a text file would be that you could theoretically use it on some new system that didn't have a KeePass client yet...if your encryption/decryption client worked on the new system, that is.
-
Re:Keepass
I agree, keepass runs on just about everything, Linux, Winblows, Mac, Android, and some phones. The database is locally securely stored and backups to a flash drive make it transferable across OS's. Lots of flexibility in the options.
http://keepass.info/ -
Re:Keepass
Also use KeePass and it's great.
http://keepass.info/
I use it for personal use, at $current_job, and did at $last_job.
At work we use a https shared db with a key, LDAP/AD auth, and master passphrase. -
Re:It's okay to write them down.
Agreed on writing them down and keeping them in your wallet, but nowadays I just use Keepass.
-
Re:1 Password to rule them all
Sorry this is Slashdot, I think you mean the FOSS version of 1Password called KeePass?
PS. Can someone please do a FOSS and native version of KeePass for Mac OSX. -
KeePass + will
I would probably give a master password and a copy of my password safe to my lawyer, along with my will and other legal paperwork that she should have just in case something should happen to me.
I was in the midst of posting something similar. I hadn't thought of encryption, but that would be a good idea.
- 1) Stored all my passwords in KeePass Password Safe, and protected the database with a single password
- 2) Attached the password for it, along with other important instructions (like a local password for the computer with the database), with my will. I also added a list of important contacts and bank accounts my family might not know about
- 3) Sealed the documents in an envelope, and let my family know about the documents (or left it with them, before an overseas trip)
- 4) Upon my timely death or loss of memory, my family will have all it needs to delete my embarrassing online photos
-
Re:Use people you trust
I like it! Take two people you feel you can trust, each with half a master password for your keepass vault. You may not want those two people to know who the other person is. That, and perhaps hide a copy of your keepass file somewhere in a fire/water proof location that those individuals are aware of. Then instruct them to return their halves of the password to you along with the keepass file when you are deemed fit mentally.
-
Re:not me
KeePass supports two-channel auto-type obfuscation. While it of course can't be perfect, the timing would be very difficult for a user-mode keylogger to snatch during the auto-type.
-
Re:Tried to Sign Up, Already Frustrated
KeePass
Deal with it. -
Re:Tried to Sign Up, Already Frustrated
Based on comments like yours, you're not a normal human being. You are a lazy human being. Normal people might ask "gee, how might I solve this problem?" Instead, you're adopting the "oh no, it's too hard" attitude.
I've been working with normal people who manage to memorize multiple passwords for fifteen years. They aren't programmers, either, although some people are naturally better at this than others. For those who have a lot of passwords to manage, there are a wealth of options available, including things like KeePass, Password Safe, and many others. There are "local only" options, online options, portable options, etc.
Again, your fundamental problem is that you're lazy, and you're encouraging others to be lazy and adopt terrible security practices. Stop dispensing security advice, and stop attempting to speak for what others can or can't handle.
-
KeePass
I used to do it the same way you do, with different levels of passwords. I eventually lost track and just started using KeyPass and generate unique passwords.
I think you mean KeePass and I quite agree.
Every new MMORPG that comes out now has a huge wave of "hacked" account
It would be interesting to know which "level" people tend to choose for their MMORPGs (at least of those who have "levels"). On the one hand it's just a game, while on the other it involves a gargantuan investment of time and attention.
-
Re:specifically, HASHING multiple times weakens it
To be specific, a hash or signature should only be done once. A DES hash of an MD5 hash is weaker than either DES or MD5, for example.
There is a small exception to the above. Running multiple rounds of the SAME algorithm in a very specific way can sometimes make it slightly more secure against one particular type of attack - brute force. That's a narrow exception, though.
I use Keepass. It has an option for encryption rounds. I thought this meant the encryption is applied 5000 times:
To generate the final 256-bit key that is used for the block cipher, KeePass first hashes the user's password using SHA-256, encrypts the result N times using the Advanced Encryption Standard (AES) algorithm (called key transformation rounds from now on), and then hashes it again using SHA-256.
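The quoted key-transformation steps, written out in Go as an added example that is not KeePass's own code: the 32-byte transform seed (read from the database header in a real file), the password-only input (a real database hashes the composite key, which may include a key file) and the sample values are assumptions. The second function shows why the round count is the brute-force knob the comment above describes: each guess against the database costs the same 2*rounds AES block operations that the legitimate unlock does.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// TransformKey follows the steps quoted above: SHA-256 the password, run the
// 32-byte result through AES-256 (ECB, as two 16-byte blocks) `rounds` times
// under a fixed transform seed, then SHA-256 the result again.
// Assumption: a real database takes the seed from its file header and hashes
// the composite key (password plus optional key file); the password alone is
// used here, as in the quoted description.
func TransformKey(password []byte, seed [32]byte, rounds uint64) [32]byte {
	key := sha256.Sum256(password)
	block, err := aes.NewCipher(seed[:]) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // unreachable: the seed is always 32 bytes
	}
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(key[0:16], key[0:16])
		block.Encrypt(key[16:32], key[16:32])
	}
	return sha256.Sum256(key[:])
}

// RoundsForDelay estimates how many rounds cost about `target` on this machine.
// That is the knob behind a "1 second" setting: an offline attacker pays the
// same per-guess cost, so the delay the user accepts scales the attack cost.
func RoundsForDelay(seed [32]byte, target time.Duration) uint64 {
	const probe = 100000
	start := time.Now()
	TransformKey([]byte("benchmark"), seed, probe)
	perRound := time.Since(start) / probe
	if perRound <= 0 {
		return probe
	}
	return uint64(target / perRound)
}

func main() {
	var seed [32]byte // constructed, reproducible seed for the demo
	for i := range seed {
		seed[i] = byte(i)
	}
	k := TransformKey([]byte("correct horse battery staple"), seed, 5000)
	fmt.Println("derived key:", hex.EncodeToString(k[:]))
	fmt.Println("rounds for ~1 s on this machine:", RoundsForDelay(seed, time.Second))
}
```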