Coping with the Avalanche of IDs and Passwords?
Bitwick asks: "The number of web sites and other systems I need IDs and passwords for is finally becoming overwhelming. Right now, I tend to use a small selection of IDs and passwords. I know this isn't an ideal situation, but so far it has been the most practical. However, it has become clear to me that this needs to change. I am planning to get a USB keyfob and a password manager to keep track of my IDs and passwords. What experience have you had with password managers? What's good, what's bad, what features are important? Are there other reasonable and secure alternatives?"
My system for quite a few years has been to keep passwords in an encrypted file located somewhere I can easily get to whenever I have an Internet connection. I'm sure that's less secure than keeping it on a USB device. But I consider the risk of someone hacking the file to be much lower than the risk of losing the file (via system crash, user stupidity, or whatever), so the ability to have it backed up is crucial. And unless you are scrupulous enough to regularly back up a file on a USB device to another offline device that you will always have and not lose, I don't see that it's a better system, all things considered. I'm willing to be convinced otherwise...
Password safe is awesome
http://sourceforge.net/projects/passwordsafe/
Bruce Schneier recommends it in many/most of his monthly Crypto-Grams
http://www.schneier.com/
paul reinheimer
No, seriously. Paper is an incredible solution. At our office we have locked filing cabinets we store passwords in. Quite handy.
An excellent personal solution is to keep a list in your wallet. Keep another list somewhere safe and stationary, so that if you lose the first one you have a complete list of sites to go down to change all the passwords.
It's pretty much the simplest thing you could possibly have, secure, and responds well to failure.
I run Keyring on my Palm Pilot. It works well. I carry my Palm with me literally everywhere but at rock concerts, and it's very nice to have every obscure, seldom-used password securely available wherever I happen to be.
All of my passwords are there, and a few other bits of even more important personal information.
Stuff is encrypted, and lives in the Palm's RAM where it will be destroyed instantly upon power loss. So, if left in a bus terminal, chances are that the data will be gone before the hapless thief finds a charger for it to keep the RAM alive, let alone manages to crack the database or even recognize its existence.
All I have to do is remember one passphrase.
Stuff is also backed up to the machine that I hotsync to, where it remains encrypted on disk. While non-volatile, the machine does have the advantage of vastly increased physical security.
And that isn't much of a backup regime, so all of the work-related passwords and data that might affect Other People get beamed via IR to a co-worker with a similar rig. This usually happens in the windowless basement I call "work," and is thus also reasonably secure despite its plaintext-edness.
I've used Keyring on everything from old-school black-and-green Handsprings, to Treo 650s. It Just Works(tm). It is free. It is GPL'd.
I'd go on, but I shouldn't have to...
Kid-proof tablet..
Using MD5 and a single master password isn't such a good idea.
Suppose a bad guy steals your password for one site and wants to learn your master password (which you input to the hash function along with the domain name of the site). He can perform a brute force attack by checking each possible input password up to a certain length to see whether hashing it produces the stolen site password.
The problem is that MD5 is very fast to compute: for small blocks it takes <0.5us on a modern CPU. That means testing every possible password is surprisingly fast. For example, searching the space of all 8 character alphanumeric passwords (single case) would take only 16 days! With your master password in hand, the attacker can almost immediately determine your passwords for every other site where you employ this scheme. Of course, the attacker can work even faster if your password is in any way guessable.
Splitting a password with a hash function *can* work very well, but doing it securely is tricky. See this paper.
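The cost argument above, as an added example that is not part of the original thread: the weak per-site scheme md5(master + domain) next to a slow-KDF variant, with the comment's 8-character alphanumeric keyspace turned into a search-time estimate from a measured per-guess cost. Function names, the 12-character truncation and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import time

# Added example, not code from the original thread. Implements the per-site
# derivation the comment criticises beside a slow-KDF variant, and turns a
# per-guess cost into the brute-force search time estimated above.

KDF_ITERATIONS = 600_000   # assumed PBKDF2 work factor, illustrative only


def fast_site_password(master: str, domain: str) -> str:
    """Weak scheme: one unsalted, fast MD5 over master password and domain."""
    return hashlib.md5((master + domain).encode()).hexdigest()[:12]


def kdf_site_password(master: str, domain: str, iterations: int = KDF_ITERATIONS) -> str:
    """Hardened variant: PBKDF2-HMAC-SHA256, domain as salt, many iterations."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(), iterations)
    return dk.hex()[:12]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate master passwords of exactly `length` symbols."""
    return alphabet_size ** length


def search_days(alphabet_size: int, length: int, seconds_per_guess: float) -> float:
    """Days needed to try the whole keyspace at one guess per `seconds_per_guess`."""
    return keyspace(alphabet_size, length) * seconds_per_guess / 86400


def seconds_per_call(fn, *args, samples: int = 3) -> float:
    """Average wall-clock cost of one derivation (a rough per-guess cost)."""
    start = time.perf_counter()
    for _ in range(samples):
        fn(*args)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    master, domain = "correct horse", "example.com"   # constructed sample input
    # The comment's figure: 36 single-case alphanumerics, 8 long, 0.5 us per MD5.
    print(f"md5 at 0.5us/guess: {search_days(36, 8, 0.5e-6):.1f} days")
    md5_cost = seconds_per_call(fast_site_password, master, domain, samples=20000)
    kdf_cost = seconds_per_call(kdf_site_password, master, domain)
    print(f"measured md5:    {search_days(36, 8, md5_cost):,.1f} days")
    print(f"measured pbkdf2: {search_days(36, 8, kdf_cost):,.0f} days")
```

The measured PBKDF2 figure is the point: the same keyspace costs the attacker roughly the iteration count times longer, which is what the raw MD5 scheme gives away.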
KeePass is what you are looking for. I have been using it for years now and it's fucking cool.
It stores your whole username/password database using the so-called "most secure encryption algorithms currently known (AES and Twofish)", while SHA-256 is used as the password hash.
You can group your list with details on each password:
Title, Username, URL, Password (with AutoGen & Quality Rating), Notes, Expire Date and File Attachment.
It's fully open-source (OSI certified), runs under Windows and PocketPC with NO INSTALLATION NEEDED, so it will run off a USB key or network, etc.
All in all a very cool and sweet program for anybody with a lot of usernames/passwords/URLs/IPs to remember and a must have for all system/network admins.