Slashdot Mirror
Coping with the Avalanche of IDs and Passwords?
Bitwick asks: "The number of web sites and other systems I need IDs and passwords for is finally becoming overwhelming. Right now, I tend to use a small selection of IDs and passwords. I know this isn't an ideal situation, but so far it has been the most practical. However, it has become clear to me that this needs to change. I am planning to get a USB keyfob and a password manager to keep track of my IDs and passwords. What experience have you had with password managers? What's good, what's bad, what features are important? Are there other reasonable and secure alternatives?"
How about BugMeNot.
"Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive." - C.S. Lewis
i love the post-it note method under the keyboard, now thats secure
A text file with your usernames and passwords slightly obsufucated may work depending on the sort of person you expect to find your thumbdrive.
You can run Openoffice on a thumb drive and save your list of passwords in a encrypted document if you need added security.
Stop the world; I need to get off.
My system for quite a few years has been to keep passwords in an encrypted file located somewhere that I can easily get to it whenever I have an Internet connection. I'm sure that's less secure than keeping it on a USB device. But the risk of someone hacking the file I consider to be much lower than the risk of losing the file (via system crash, user stupidity, or whatever), so that ability to have it backed up is crucial. And unless you are scrupulous enough to regularly back up a file on a USB device to another offline device that you will always have and not lose, I don't see that it's a better system, all things considered. I'm willing to be convinced otherwise...
You can have a different password for each site if you make an algorithm for your password that involves the website. I.E have a standard password and add a few letters of the sites name, or add game to it if it is a game site, pron if it is that type of site, etc - Be creative and make it easy and it should work for you.
..........FULL STOP.
Password safe is awesome
http://sourceforge.net/projects/passwordsafe/
Bruce Schneier recomends it in many/most of his monthly crypt-o-grams
http://www.schneier.com/
paul reinheimer
I have a separate password for EVERYTHING I have, no matter how obscure the website or service is. Each password is at least 10 characters long, with random uppercase/lowercase letters, numbers, and symbols; none of this "can be broken by a dictionary attack" crap.
The trick is, you don't actually have to memorize your passwords; after you type each one about 20 times, your fingers retain it in muscle memory. I actually couldn't tell you what any of my passwords are, I have to type them on a qwerty keyboard. (If I ever lose one of my hands, I'm screwed.)
Anyway, as backup, I have them all written down on a sheet of paper in an undisclosed location, with the format of login on one line, password on the line after it, with no identifying information on which login/password combo goes to what website, computer, etc. The text in this list is also encrypted using a one time pad encryption program (that I wrote myself), the key to which is in a different undisclosed location.
So if my fingers happen to forget one of the passwords, I can still retrieve it (with a lengthy process). You'd be surprised how many different login/password combos you can remember, even months after you've used them last, if you type them several dozen times over the course of a few days. But to each his own. That's just my system.
No, seriously. Paper is an incredible solution. At our office we have a locked filing cabinets we store passwords in. Quite handy.
An excellent personal solution is to keep a list in your wallet. Keep another list somewhere safe and stationary, so that if you lose the first one you have a complete list of sites to go down to change all the passwords.
It's pretty much the simplest thing you could possibly have, secure, and responds well to failure.
You do realize that to 99.99% of Slashdot readers, including those who make their living as software engineers, that's completely incomprehensible, don't you? That's the reason why they invented comments.
Problem statelment: How to associate one string (domain name) with another string (username/password combination)? a.k.a. translate strings.
Here's a whacky possible solution: use a translator pen, such as this:"SuperPen Translator" - which supports 'custom dictionaries' , to store passwords. Run the pen across site's address bar displayed on the computer screen, and the pen translates it to your username/password for that site.
Here's another of those pens: C-Pen.
Of course, if none of their dictionaries are user-editable, and if they have no SDK, this won't work.
Here's a more sensible solution: Javascript password generator
(Video about it - flash format)
I run Keyring on my Palm Pilot. It works well. I carry my Palm with me literally everywhere but at rock concerts, and it's very nice to have every obscure, seldom-used password securely available wherever I happen to be.
All of my passwords are there, and a few other bits of even more important personal information.
Stuff is encrypted, and lives in the Palm's RAM where it will be destroyed instantly upon power loss. So, if left in a bus terminal, chances are that the data will be gone before the hapless thief finds a charger for it to keep the RAM alive, let alone manages to crack the database or even recognize its existance.
All I have to do is remember one passphrase.
Stuff is also backed up to the machine that I hotsync to, where it remains encrypted on disk. While non-volatile, the machine does have the advantage of vastly increased physical security.
And that isn't much of a backup regime, so all of the work-related passwords and data that might affect Other People get beamed via IR to a co-worker with a similar rig. This usually happens in the windowless basement I call "work," and is thus also reasonably secure despite its plaintext-edness.
I've used Keyring on everything from old-school black-and-green Handsprings, to Treo 650s. It Just Works(tm). It is free. It is GPL'd.
I'd go on, but I shouldn't have to...
Kid-proof tablet..
Save the following html page to your computer or usb device
http://angel.net/~nic/passwd.html
Come up with a master password, enter the domain name of the particular site you are browsing and a unique password is generated for that site. All you have to remember is your master password. The page uses javascript, no data is passed to the internet. Whenever you need a password, just run the saved html page, enter master password, enter domain name, click generate button and you have your password
A long and obscure password means you are probably never going to be brute-forced. Good for you. But shorter, unique passwords for each site is better for security for your average person.
Crackers don't want your login and password--they want any login and password--precisely because so many people reuse passwords across multiple sites. If they manage to recover your password through a site hack or phishing scam (yes yes, you're on Slashdot, you're not going to fall for one of those) or a cross-site scripting attack, all your sites are now compromised. Your 20 character password means diddly.
An different 8 character password that will survive a dictionary attack for each site you use would be orders of magnitude more secure. As I said, no one wants your password (if you happen to be the president or a particularly "important" person, forgive my belabouring of that point). No one's going to brute-force your password, they're going to try common passwords for multiple usernames or simply hack the site to recover it. Having a password that will survive a dictionary attack solves the first problem, and not using the same password at every site mitigates the damage caused by the second problem.
KeePass is what you are looking for I have been using it for years now and it fucking cool.
It stores all you Username/Password DataBase using so called "most secure encryption algorithms currently known (AES and Twofish)" while SHA-256 is used as password hash.
YOu can Group your list with details on each password:
Title,Username,URL,Password (with AutoGen & Quality Rating), Notes, Expire Date and File Attachment.
It fully open-source (OSI certified) runs under Windows and PocketPC with NO INSTALLATION NEEDED so will run off USB key or Network, etc
All in all a very cool and sweet program for anybody with alot of Username/Passwords/URL/IPs to remember and a most have for all System/Network Admins.....
I used to use a USB key with a list of sites, usernames and passwords on it. All protected using a secure zip drive. It became a pain in the ass to get the passwords out, so I gave up. It also concerned me as a single point of vulnerability (if someone stole it and cracked it they have access to my life).
So now instead I use this algorithm:
$password = MD5($sitename . $single_password)
So I don't have any passwords written down, just the single global password in my head along with the algorithm. There's an MD5 calculator on every UNIX system, and there's javascript ones available on the web too.
The benefits of this system:
Some websites don't support 32 character passwords, for those I just use the first 10 or 20 characters of the MD5 hash.