Coping with the Avalanche of IDs and Passwords?
Bitwick asks: "The number of web sites and other systems I need IDs and passwords for is finally becoming overwhelming. Right now, I tend to use a small selection of IDs and passwords. I know this isn't an ideal situation, but so far it has been the most practical. However, it has become clear to me that this needs to change. I am planning to get a USB keyfob and a password manager to keep track of my IDs and passwords. What experience have you had with password managers? What's good, what's bad, what features are important? Are there other reasonable and secure alternatives?"
Password Corral for Windows -- it's free, and the best one I've found, hands down.
Not All Who Wander Are Lost
How about BugMeNot.
"Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive." - C.S. Lewis
I love the post-it note method under the keyboard, now that's secure.
A text file with your usernames and passwords slightly obfuscated may work depending on the sort of person you expect to find your thumbdrive.
You can run OpenOffice on a thumb drive and save your list of passwords in an encrypted document if you need added security.
Stop the world; I need to get off.
My system for quite a few years has been to keep passwords in an encrypted file located somewhere that I can easily get to it whenever I have an Internet connection. I'm sure that's less secure than keeping it on a USB device. But the risk of someone hacking the file I consider to be much lower than the risk of losing the file (via system crash, user stupidity, or whatever), so that ability to have it backed up is crucial. And unless you are scrupulous enough to regularly back up a file on a USB device to another offline device that you will always have and not lose, I don't see that it's a better system, all things considered. I'm willing to be convinced otherwise...
You can have a different password for each site if you make an algorithm for your password that involves the website, i.e. have a standard password and add a few letters of the site's name, or add "game" to it if it is a game site, "pron" if it is that type of site, etc. Be creative and make it easy and it should work for you.
..........FULL STOP.
Password safe is awesome
http://sourceforge.net/projects/passwordsafe/
Bruce Schneier recommends it in many/most of his monthly Crypto-Grams
http://www.schneier.com/
paul reinheimer
I have a separate password for EVERYTHING I have, no matter how obscure the website or service is. Each password is at least 10 characters long, with random uppercase/lowercase letters, numbers, and symbols; none of this "can be broken by a dictionary attack" crap.
The trick is, you don't actually have to memorize your passwords; after you type each one about 20 times, your fingers retain it in muscle memory. I actually couldn't tell you what any of my passwords are, I have to type them on a qwerty keyboard. (If I ever lose one of my hands, I'm screwed.)
Anyway, as backup, I have them all written down on a sheet of paper in an undisclosed location, with the format of login on one line, password on the line after it, with no identifying information on which login/password combo goes to what website, computer, etc. The text in this list is also encrypted using a one time pad encryption program (that I wrote myself), the key to which is in a different undisclosed location.
So if my fingers happen to forget one of the passwords, I can still retrieve it (with a lengthy process). You'd be surprised how many different login/password combos you can remember, even months after you've used them last, if you type them several dozen times over the course of a few days. But to each his own. That's just my system.
Password Manager XP by cp-labs has worked well for us.
http://www.cp-lab.com/index.html
Amongst many other features, it supports removable devices such as usb keyfobs and will install the necessary binaries on the device to run from.
No matter where I'm at, I am always ssh'ed into my server. So, I put the following into my .vimrc:
augroup encrypted
au!
autocmd BufReadPre,FileReadPre *.gpg,*.asc set viminfo=
autocmd BufReadPre,FileReadPre *.gpg,*.asc set noswapfile
autocmd BufReadPre,FileReadPre *.gpg set bin
autocmd BufReadPre,FileReadPre *.gpg,*.asc let ch_save = &ch|set ch=2
autocmd BufReadPost,FileReadPost *.gpg,*.asc '[,']!sh -c 'gpg --decrypt 2>/dev/null'
autocmd BufReadPost,FileReadPost *.gpg set nobin
autocmd BufReadPost,FileReadPost *.gpg,*.asc let &ch = ch_save|unlet ch_save
autocmd BufReadPost,FileReadPost *.gpg,*.asc execute ":doautocmd BufReadPost " . expand("%:r")
autocmd BufWritePre,FileWritePre *.gpg '[,']!sh -c 'gpg --default-recipient-self -e 2>/dev/null'
autocmd BufWritePre,FileWritePre *.asc '[,']!sh -c 'gpg --default-recipient-self -e -a 2>/dev/null'
autocmd BufWritePost,FileWritePost *.gpg,*.asc u
augroup END
And I have a pw.gpg file that I just store everything in a "usage username/password" format. Works like a champ, and I'm not bound to a proprietary file format from the password-manager of the week. Seriously, I tried most everything before, from palm-based managers, os x's keychain, kde's wallet, and this is by far the easiest to use, most robust, and the most future-proof.
No, seriously. Paper is an incredible solution. At our office we have locked filing cabinets we store passwords in. Quite handy.
An excellent personal solution is to keep a list in your wallet. Keep another list somewhere safe and stationary, so that if you lose the first one you have a complete list of sites to go down to change all the passwords.
It's pretty much the simplest thing you could possibly have, secure, and responds well to failure.
However, as a countermeasure I've been known to make my few passwords very long and obscure (full sentence method).
Password Safe. Works great. You could just install on your USB fob, I imagine.
bla.com: u/xyz p/abc
yada.com: u/abc p/def
bbb.com: u/def p/ghi
K.I.S.S. Why do anything more complex?
KisKis is the best I've seen. Cross-platform, various templates, encrypt files too. I keep the database and the installer (which is also cross-platform, Java is cool) on my USB key.
Bran muffins and whiskey.
I use S.T.R.I.P. "Secure Tool for Remembering Important Passwords" running on my palm OS handheld (Palm IIIxe). The encrypted DB is backed up when the palm hotsyncs so if I ever lose the handheld I can restore it to a new one.
By having it on my handheld, which is very nearly always with me, I don't have to rely on the app running on whatever system I'm working on at the time (various Windows, Linux, Solaris, MVS, and others).
bla.com: u/xyz p/abc
yada.com: u/abc p/def
bbb.com: u/def p/ghi
I believe you loaded up the wrong file, none of those sites have login fields.
Problem statement: How to associate one string (domain name) with another string (username/password combination)? a.k.a. translate strings.
Here's a wacky possible solution: use a translator pen, such as this "SuperPen Translator", which supports 'custom dictionaries', to store passwords. Run the pen across the site's address bar displayed on the computer screen, and the pen translates it to your username/password for that site.
Here's another of those pens: C-Pen.
Of course, if none of their dictionaries are user-editable, and if they have no SDK, this won't work.
Here's a more sensible solution: Javascript password generator
(Video about it - flash format)
We have standards for everything else, why not create a password-protection standard? If there was a standard set of requirements for a password, then people could use the same password for all standard-compliant systems.
What do you do when you don't trust the system you're at enough to insert your USB keyfob (i.e. an internet kiosk, or needing the password to a customer's system while onsite)?
How about a USB KeyFob with a built-in display, and a means of entering a password to decrypt the database. When you want to make a change, you use a tool like Password Safe to edit the text file from a trusted system (copy the text file for backups too!). Though when you're at an untrusted system, you just snatch your password using the built-in display.
I keep mine in an email that I sent to myself. I am only in trouble if I forget the password to that email account. I think it's a pretty solid system. I can access it from anywhere, and somebody would have to hack a pretty solid email provider to get at my information.
just use 12345 as your password on every site--problem solved.
I run Keyring on my Palm Pilot. It works well. I carry my Palm with me literally everywhere but at rock concerts, and it's very nice to have every obscure, seldom-used password securely available wherever I happen to be.
All of my passwords are there, and a few other bits of even more important personal information.
Stuff is encrypted, and lives in the Palm's RAM where it will be destroyed instantly upon power loss. So, if left in a bus terminal, chances are that the data will be gone before the hapless thief finds a charger for it to keep the RAM alive, let alone manages to crack the database or even recognize its existence.
All I have to do is remember one passphrase.
Stuff is also backed up to the machine that I hotsync to, where it remains encrypted on disk. While non-volatile, the machine does have the advantage of vastly increased physical security.
And that isn't much of a backup regime, so all of the work-related passwords and data that might affect Other People get beamed via IR to a co-worker with a similar rig. This usually happens in the windowless basement I call "work," and is thus also reasonably secure despite its plaintext-edness.
I've used Keyring on everything from old-school black-and-green Handsprings, to Treo 650s. It Just Works(tm). It is free. It is GPL'd.
I'd go on, but I shouldn't have to...
Kid-proof tablet..
Save the following html page to your computer or usb device
http://angel.net/~nic/passwd.html
Come up with a master password, enter the domain name of the particular site you are browsing and a unique password is generated for that site. All you have to remember is your master password. The page uses javascript, no data is passed to the internet. Whenever you need a password, just run the saved html page, enter master password, enter domain name, click generate button and you have your password
use Gator!
Quidquid latine dictum sit, altum sonatur.
Besides being a programmable day runner with alarm,
Besides keeping cheatsheets, notes, & reference files
You get a program that will keep passwords and encrypt the datafile. Not just is it unlikely someone will be able to "steal" your passwords, but a backup copy of the data will be available when you sync the PDA.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Personally I use yaps on a Palm Pilot, though I could see using another PDA-based one. The cool trick about YAPS is that you can drag your pen across their keyboard for multiple inputs, effectively allowing you to draw very, very long passwords quickly.
I would use either a PDA-based or a phone based system... something you carry with you at all times, no computer required. Mine has everything from password / logins to credit card information and bank numbers. You're not always near a computer when you need to know your checking account number.
For computer privacy, try dekart private disk. It's a pretty solid encrypter / decrypter that creates virtual drives under XP. Anything you put on a drive is protected, from passwords to applications. And it runs from removable disks. It does tie you to windows, though.
The ______ Agenda
I suggest you consider encrypting part of the drive, TrueCrypt is a great little app and will run from the USB Thumb Drive as a way to store any info you wish to be secure.
You might also want to consider EssentialPIM or Getting Things Done tools like GTDTiddlyWiki or Next Action (requires Firefox).
Check out portablefreeware for more apps and Slashdot
Microsoft USB Flash Manager is a way to back up your flash drive and keep the info safe; you might also want to consider a second flash drive.
(PS: Getting Things Done is a simple and effective personal productivity method by David Allen. You can get the book from Amazon: http://www.amazon.com/exec/obidos/tg/detail/-/0142000280/qid=1115360158/sr=8-1/ref=pd_csp_1/002-8782437-3718417?v=glance&s=books&n=507846
Also check out the GTD community at the 43Folders website (http://www.43folders.com/), wiki (http://wiki.43folders.com/index.php/Main_Page), and newsgroup (http://groups-beta.google.com/group/43Folders/).)
I was considering doing a little j2me (java) application for my cellphone, to keep them encrypted.
;-)
And I think it's a good way to start j2me programming.
If you're running OS X on a Mac, you're already covered. All of your logins and passwords can be stored in OS X's "Keychain", which allows easy access to all of your passwords by simply logging in to OS X. All of your passwords (that you allow) will be automatically remembered and will populate any appropriate fields. In addition, individual logins and passwords can be accessed by typing your login info (for your OS X account), and it will reveal your login info for that particular item.
For more info on Keychain Access, read one of many of Apple's support pages on it. It's great, and completely integrated into the operating system. You don't even have to think about it. Any time you enter a username and/or password for something (in any application, web site, etc.) you'll be asked if you want the login information to be added to your Keychain. You can allow it to be added, ignore it this time, or never allow it for the particular site/application in question. You can even manually add items that have nothing to do with logging in. (Combinations for locks, or other confidential information.) It's a snap. :-)
I use eWallet (review) - it has a Windows, Windows Mobile Pocket PC, Windows Mobile Smartphone and Palm OS versions - all compatible.
I started using it with my Palm III, then moved through a couple of other Palm OS devices, always synchronising with my Windows desktop. Then I moved to the Windows Mobile Pocket PC version and I am now using the Smartphone version. I have more than 500 passwords stored, document numbers, credit cards, etc... Everything synchronises between platforms.
Keychain's encrypted too, isn't it?
Users of the world: We're here to help you, but help us help you. (your IT dept)
KeePass is what you are looking for. I have been using it for years now and it's fucking cool.
It stores all your Username/Password database using so-called "most secure encryption algorithms currently known (AES and Twofish)" while SHA-256 is used as the password hash.
You can group your list with details on each password:
Title, Username, URL, Password (with AutoGen & Quality Rating), Notes, Expire Date and File Attachment.
It's fully open-source (OSI certified), runs under Windows and PocketPC with NO INSTALLATION NEEDED, so it will run off a USB key or network, etc.
All in all a very cool and sweet program for anybody with a lot of Usernames/Passwords/URLs/IPs to remember and a must have for all System/Network Admins.....
How about a Firefox extension...Password Maker http://passwordmaker.org/. I think this would work just fine!
I used to use a USB key with a list of sites, usernames and passwords on it. All protected using a secure zip drive. It became a pain in the ass to get the passwords out, so I gave up. It also concerned me as a single point of vulnerability (if someone stole it and cracked it they have access to my life).
So now instead I use this algorithm:
$password = MD5($sitename . $single_password)
So I don't have any passwords written down, just the single global password in my head along with the algorithm. There's an MD5 calculator on every UNIX system, and there's javascript ones available on the web too.
The benefits of this system:
Some websites don't support 32 character passwords, for those I just use the first 10 or 20 characters of the MD5 hash.
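The MD5 scheme in this post and the saved-HTML generator suggested earlier in the thread are the same idea: hash a master secret together with the site name and type the result. The following is an added example, not code from either poster: it implements the MD5 variant as described, then the same idea with PBKDF2-HMAC-SHA256 plus a character-class mapping so the output satisfies typical site rules. normalize_site, CLASSES and the iteration count are my assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Site-derived passwords: one master secret in your head, the site name mixed
# in, and the digest (or a prefix of it) typed as that site's password.

def normalize_site(site: str) -> str:
    """Reduce a URL or host name to one stable label, so that
    'https://www.Example.com/login' and 'example.com' derive the same
    password. Assumption: dropping one leading 'www.' is enough."""
    host = (urlsplit(site if "://" in site else "//" + site).hostname
            or site.lower())
    return host[4:] if host.startswith("www.") else host

def md5_site_password(site: str, master: str, length: int = 32) -> str:
    """The scheme from the post: hex MD5(sitename . master), cut to `length`
    for sites that cap password size. MD5 is fast and there is no per-user
    salt, so anyone holding one leaked site password can test master-password
    guesses offline at full speed; truncation also leaves only 4 bits of
    output per hex character kept."""
    digest = hashlib.md5((normalize_site(site) + master).encode()).hexdigest()
    return digest[:length]

# Character classes most site rules ask for; the alphabet is their union.
CLASSES = ("abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
           "0123456789", "!@#$%^&*-_=+")
ALPHABET = "".join(CLASSES)

def kdf_site_password(site: str, master: str, length: int = 16,
                      iterations: int = 200_000) -> str:
    """Same idea with a slow, salted derivation: PBKDF2-HMAC-SHA256 keyed by
    the master with the site label as salt, so each master guess costs
    `iterations` hashes instead of one. Output bytes are mapped onto the mixed
    alphabet, and the first four positions are forced to one character of each
    class so the result passes 'upper, lower, digit, symbol' rules every time.
    (Byte modulo alphabet size has a small bias; acceptable here, since the
    strength comes from the master secret and the KDF, not this mapping.)"""
    assert 4 <= length <= 48
    key = hashlib.pbkdf2_hmac("sha256", master.encode(),
                              normalize_site(site).encode(), iterations, 48)
    forced = [cls[key[i] % len(cls)] for i, cls in enumerate(CLASSES)]
    rest = [ALPHABET[b % len(ALPHABET)] for b in key[4:length]]
    return "".join(forced + rest)

if __name__ == "__main__":
    for site in ("bla.com", "https://www.Yada.com/login"):
        print(site, md5_site_password(site, "correct horse", 10),
              kdf_site_password(site, "correct horse"))
```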
If you like Password Safe, Password Gorilla uses a compatible database, and it runs on many more platforms through the use of Tcl/Tk.
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
Rather than using a unique password manager, I just use a text file encoded with GNU Privacy Guard. A shell script called pwgrep consists of "gpg -d pwgen is a nice tool for creating random passwords that are still phonetically memorable. lai5Chema, Eshoh3tum, Thie2thoy, die4Baejo, etc. I use a new one for every last site, and the passwords I need to pwgrep half a dozen times or so stay with me after a while.
The password manager I recommend is RoboForm. It isn't free, but it has every feature I've ever wanted.
* Secure encryption
* Random Password Generator
* Storage of automatic logins
* Storage of "SafeNotes"
* Ability to fill forms with one button (CC entry, etc.)
* Storage of bookmarks (import from IE/Firefox)
* Storage of contacts (import from Outlook or file)
* Portable version that runs from a thumbdrive.
* Palm add-on
Quite nice.
All I wanted was a rock to wind a piece of string around, and I ended up with the biggest ball of twine in Minnesota
Since I work at a company that has a decent IT department, I have single sign-on at work. And, I only use websites that use Microsoft Passport.
So, I only have two passwords to remember, ever.
I can use this at public places that I wish to log onto. I don't have to really remember much at all for these. I am smart enough to know of keystroke loggers and obviously use much better passwords for my bank and credit card ONLY at home.
..........FULL STOP.
Let's also not forget that you should regularly check and recheck the passwords of YOUR USERS , and enforce strong password strings (length, alphanumeric, punctuation at a minimum).
Very recently, someone I know who is a very well-known talking head in the Open Source community had his box rooted, because a colleague of his had an account on his server with a default password, and never logged in.
One of those recent ssh brute-force login bots came scanning along and got in using this account. They logged in, downloaded a rootkit from Romania into /tmp, built and executed the rootkit, replaced sshd, and as each user tried to log into the machine over ssh, they were forced to retype their password (ignoring ~/.ssh/authorized_keys).
Every user logging in would blindly retype their password, thinking something was wrong. Meanwhile their passwords were being sent back to Romania to someone to maliciously use elsewhere.
The smart part about this rooting, was that the user's ~/.ssh/known_hosts was scanned and used to further spider out and attempt more ssh attacks.
For example, user jdoe has his authorized_keys set up. He tries to log in over ssh, and instead of an un-prompted login, he is asked for his password. He dutifully enters it and is denied access. He enters it again (thus confirming it), and is still denied access. Now /home/jdoe/.ssh/known_hosts is parsed and remote hosts found in it are added to the "ssh attack these hosts" file for later brute-force sshd attacks.
It was ugly. We had to change passwords, generate new ssh keys, and check our local keys and machines as well... all because SOMEONE ELSE had a weak password in an account they never even used.
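A defender's view of the incident above, as an added example that is not part of the post: constructed OpenSSH auth.log lines are scanned for the scanning-bot pattern, for an accepted login from a source that had already been failing, and for key-based users who suddenly authenticate by password. The log format assumed is OpenSSH's "Accepted/Failed <method> for [invalid user] <user> from <ip>" lines; the thresholds are my choice.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not from any real system):
# a scanning bot walks through default accounts and eventually gets in, and
# a key-based user later starts authenticating by password.
SAMPLE_LOG = """\
May  6 03:14:01 box sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
May  6 03:14:03 box sshd[2013]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
May  6 03:14:05 box sshd[2015]: Failed password for root from 203.0.113.7 port 41041 ssh2
May  6 03:14:07 box sshd[2017]: Failed password for guest from 203.0.113.7 port 41052 ssh2
May  6 03:14:09 box sshd[2019]: Accepted password for guest from 203.0.113.7 port 41060 ssh2
May  6 09:02:11 box sshd[2330]: Accepted publickey for jdoe from 198.51.100.4 port 52210 ssh2
May  6 09:05:40 box sshd[2340]: Failed password for jdoe from 198.51.100.4 port 52222 ssh2
May  6 09:05:44 box sshd[2342]: Accepted password for jdoe from 198.51.100.4 port 52223 ssh2
"""

# OpenSSH's "Accepted/Failed <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(log_text):
    """Return one dict per recognised login event, in log order."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def brute_force_sources(events, threshold=3):
    """IPs with at least `threshold` failed logins: the scanning bots the post
    describes. Returns {ip: [usernames tried, in order]}."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            fails[e["ip"]].append(e["user"])
    return {ip: users for ip, users in fails.items() if len(users) >= threshold}

def success_after_failures(events, threshold=3):
    """Accepted logins from a source that had already failed `threshold`
    times: a guessed default password on an account nobody uses."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"], e["method"]))
    return hits

def password_auth_for_key_users(events):
    """Users who have logged in with a public key but also show password
    attempts. With authorized_keys in place that should not happen; it is
    the symptom the post's users saw once sshd had been replaced."""
    key_users = {e["user"] for e in events
                 if e["result"] == "Accepted" and e["method"] == "publickey"}
    return sorted({e["user"] for e in events
                   if e["method"] == "password" and e["user"] in key_users})

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(brute_force_sources(events))
    print(success_after_failures(events))
    print(password_auth_for_key_users(events))
```

Setting HashKnownHosts yes in ssh_config makes known_hosts store hashed host names, which blunts the spidering step the post describes.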
A very different idea, and I'm not saying it's a great one that will work in all situations, is using a mobile phone, e.g. my college login was numeric, so I stored it as a phone number entry. The same can be done with passwords using the name, or saving text messages, perfect for on the move for those who don't have PDAs like me.
Yes, using Fast Elliptical Encryption, on which Apple owns a patent (via NeXT).
I have several passwords and login names, and give them 1- to 2-char nicknames, which I put in plaintext next to the text name in my bookmarks.
E.g.,
"BarBlog (nn n)" = my normal net login name, normal password
"FooBank (fn e)" = my full name, extended password
"BazPr0n (pn 8t)" = my pornstar name, 8 tabs
and so on.
It works fine.
I just use PGP to encrypt a text file with all your passwords. One of the problems with other packages might well be lack of support in future (maybe e.g. passwordsafe will stay around ?).
I have been playing around with KeYpass that has a CTRL-Right Click option to login. This is a very nifty feature, I wonder why you don't see it in other programs, like the open source ones. Does it have something to do with the development platform?
While there are plenty of home-grown and one-off solutions, it would probably be worth your time to look into the various SSO (Single Sign On) software providers and find a security product that works for you.
Lasers Controlled Games!
For websites, though, I mostly use this:
What if the system you are forced to change a password on won't allow you to use a previously-used password?
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent