Best Tool For Remembering Passwords?
StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
Keep them on a slip of paper, in your wallet.
but DON'T list what each is for - you can remember that part easily enough
I want to delete my account but Slashdot doesn't allow it.
Passwords in a file that you keep on an external drive locked in a safe? :)
Do what I set up for my father: TrueCrypt installed to a USB key, passwords in a plaintext file inside the archive.
I recommend this three step method:
Step 1) Memorize one very long complex password. Take your time and pick something out that is long enough that someone could watch you type it a dozen times and have absolutely no hope of getting close to it. Use this password to encrypt a zip file, 256 bit AES, with separate text files for each system where you need a password. Never type this password on a computer you can't trust implicitly and save the archive somewhere safe online and on a thumb drive. Update this password list several times a year. Practice mentally regularly.
Step 2) Use the Xmarks plugin with Firefox to gain portable bookmarks and passwords with a fairly complex master password.
Step 3) Pick a password manager that works well for you where you will use it most often. I like KeePass personally. (Much of my work is done from a Windows workstation, so this is a convenience choice.)
The master password file is your personal master backup, in case of a severe event in your life that would let your memory of your other passwords become lost or obsolete. It is what you refer to if you need to decrypt something or recall a password that you haven't used in years. The encryption is expected to remain solid for a long time and it is cross-platform. Xmarks will let you keep your passwords online encrypted and shared between systems and cover your most common needs. KeePass, or similar, will fill in the void for all the other times when you want to keep track of your passwords.
B) Eliminate all the stupid users. This is frowned upon by society.
http://keepass.info/download.html
1password for mac and iPhone/iTouch is a good product
I only use the anonymous account. No one will ever know the password. Haha .. wait!
You underestimate the capacity of a human brain to store information.
KeePass is a great application that runs on any platform - the file is encrypted ensuring that in the event your lappy gets stolen, your passwords will remain secret - that is unless your password is password.
Hasn't everyone heard of KeePass (and KeePassX)?
http://keepass.info/
http://www.keepassx.org/
Just use the same password for everything. I use "1234".. it's the same as my luggage combo
I have to return some videotapes...
Is your head. Plain and simple. Never write a password down on your hand and NEVER on a sticky note on your monitor. Make at least two or three passwords. One for forum and slashdot and another for banking and secure sites. Use firefox's "master password" lock and set that password to your third password.
The passwords are saved in files and are encrypted, and you can password-protect RoboForm so they can't access your passwords. After saving your passwords in RoboForm, be sure to clear Firefox's or IE's saved passwords. Also get a USB stick and back up all your passwords; it's very easy to do. Then you can keep your master password (to access and edit the encrypted pass files) as something you use all the time, like your bank PIN + some other word fudge factor you'll easily remember.
http://www.roboform.com/
Generates reasonably strong passwords that I don't have to worry about forgetting or storing. Works well for me. http://www.hashapass.com/
If you have a mac, definitely get 1password. It encrypts all of your passwords in a database that is accessed via 1 password that temporarily unlocks it. You can have it generate very long passwords on the fly too to make it very secure. It stores passwords from all websites that can be recalled during a session by pressing apple+\ but it locks after a period of time where it asks for the master password. You can also store secure notes, and keychains from applications.
I've used Keepassx for a few years now. It's cross platform (Windows / Linux) and stores the files encrypted. I tried one of Bruce Schneier's public domain solutions previously, but the Linux install (Password Gorilla ???) was rather painful on some systems if I recall correctly.
Just be sure to use a substantial password for the database...
I first saw the link to PasswordSafe from Bruce Schneier's site. If I have to take advice from someone on keeping something secure, it's Bruce.
Memorize an e-mail address and change the @ to a '2'. Instantly you have a 14 - 20 character password. Use a shorter 8 character password with a number you can rotate on for sites you don't necessarily trust (i.e. where an administrator could potentially google your username or e-mail and try out your password at other web sites)
I've been using Roboform for years. Highly recommended and works with IE, Firefox and Chrome.
If you have access to any other box, how about a plain-text file there? Even a little security through obscurity (i.e. a hidden file buried in the filesystem somewhere) would be better than letting Firefox automagically fill it in. I guess you could always encrypt the file so you only have a single one you absolutely must remember (shades of Flourish and Blott's losing all those copies of the Invisible Book of Invisibility though).
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
KeePass.
* Stores all of your passwords in a secure encrypted file
* Has auto-type so you don't have to type or remember your passwords
* Has a great password generator tool, so that you can reset all of your passwords to something secure
* Easily transferable password database.
* Can run off a USB stick
I checked it out a month ago on the recommendation of a mate, and have been using it ever since.
It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!
And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.
And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).
Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!
on Linux, aka PasswordSafe on Windows (I think). Bruce Schneier first did the Windows version, and it's all open source, so it should be safe and easy.
The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
I've come up with an incredible solution to your problem!
Used condom wrapper: It fits in your wallet. It's easy to come by. Almost nobody will stop to pick up and investigate your used condom wrapper for secret passwords.
Pros:
- It's highly likely to be thrown away by a pissed-off janitor if it is found
- It could be infected with a disease, so people won't want to touch it
- It gives you "this geek may have had sex cred", and believe you-me... That comes in handy
Cons:
- If you keep it in your pocket and it gets washed, you might have some 'splaining to do to your committed girlfriend or wife
Other than that, it's pretty much a perfect idea.
I'll Paypal you an invoice for my time. TIA.
Best tool I can recommend is the brain. It has an amazing capacity for remembering passwords when properly exercised. And if it's lost, well, then there's no reason to be concerned.
I've been using LastPass for the past few months and like it immensely. It integrates with almost every major browser. It also can generate a random password for you. Check it out: https://lastpass.com/
from http://www.cp-lab.com/
Works great, is inexpensive and secure.
We use it at work and can assign different users different permissions.
It's also portable, so you don't have to install it on your computer, you can copy it to a thumbdrive and take it with you anywhere.
First off, when using Firefox, use the password manager. From what I understand it encrypts your passwords with your master password. For everything else, from secure notes and SSL keys to passwords, I use a custom container in Keychain, the built-in password manager of any OS X machine.
If you can't fix it ask the 3 year old down the street.
the best spyware password tool evar
Never ever ever ever (EVER!) store your passwords where they can be retrieved by unauthorized 3rd parties! That includes password storing utilities, scraps of paper under your keyboard, or a little note in your wallet.
Written down, in a lockbox, in a safe, in the floor of your basement, under a rug, in your house that has an active alarm system (that you use), in an armed-guard and gated community is ok. Ok, most of us can be a bit less secure than that, but I don't recommend it. :)
Choose your passwords intelligently. Then they'll be easier to remember.
"W)Wg#jwe9^)SEG" is pretty hard to remember.
"BankPass" is a terrible password, but easy to remember. Don't use it.
"Wh3rzIzM!M0ny?" (Where is my money?) is easier to remember, even though it's a nice secure password. I dare any brute force attack to get that one. :)
For the sake of legacy access (like, when you get hit by a bus, and your wife needs to get into your accounts), make sure a second *TRUSTWORTHY* person knows the combination to the safe in your basement.
Serious? Seriousness is well above my pay grade.
Post-It notes have the distinct advantage that no computer virus or Trojan can steal them.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
I've been thinking almost the same thing for a little while now. One of the solutions I think might work is an IronKey. While remembering passwords isn't so much of an issue for me it will be for my wife if, heaven forbid, something should happen to me. I'd very much like her to have easy access to important information -- things like banking passwords, insurance and retirement accounts come to mind. I'd also probably put scans of important documents on there -- not that you could use a printed copy -- but more of a database to make ordering new documents easier if there was an emergency and those documents were lost. It is also important that it be as cross-platform as possible, since I may not be around to get it to work. :\ I haven't really come across a software-only solution that fulfills most of these criteria.
Do as I say, not as I do! :
Da15,naId!
This and other security practices at my blog. Hope you find it useful here!
Opera stores multiple passwords for sites (like say if you have a few gmails). Unlike normally with most built in password managers, Opera allows you to set a master password that prompts you to enter it before it'll show your current passwords for a website. It works sort of like this:
Opera does not store its Master Password in the plaintext format. Moreover, Opera doesn't even store its hash. The developers have chosen a different route: the password along with the salt participates in the encryption of a portion of data and then, to check the validity of the password, it uses the decrypted data hash and the original salt value.
source: http://www.passcape.com/choosing_master_password_decryption_method.htm
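As an added illustration (my own code, not Opera's or Passcape's), here is a Python model of the verification scheme just described: the master password and a random salt derive a key, that key encrypts a payload carrying its own hash, and a candidate password counts as correct only if the decrypted payload's hash matches, so no hash of the password itself is ever stored. The HMAC counter-mode stream cipher and the PBKDF2 parameters are assumptions standing in for whatever Opera actually uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed KDF work factor for this illustration (Opera's real parameters are not on the page).
KDF_ROUNDS = 100_000
DIGEST_LEN = 32  # SHA-256 digest size; the digest lives inside the encrypted payload


def _derive_key(master_password: str, salt: bytes) -> bytes:
    """Master password + salt -> encryption key. Nothing derived from the password is stored."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ROUNDS)


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 in counter mode, XORed over the data.
    Encrypting and decrypting are the same operation. Illustration only, not Opera's cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_store(master_password: str, secret_data: bytes, salt: Optional[bytes] = None) -> dict:
    """What gets written to disk: the salt in clear plus the ciphertext of (hash || data)."""
    salt = salt if salt is not None else os.urandom(16)
    key = _derive_key(master_password, salt)
    payload = hashlib.sha256(secret_data).digest() + secret_data
    return {"salt": salt, "ciphertext": _stream_xor(key, payload)}


def open_store(master_password: str, store: dict) -> Optional[bytes]:
    """Check a candidate password the way the comment describes: decrypt with the key
    derived from it and the stored salt, then compare the embedded hash with the hash
    of the decrypted data. Returns the data on success, None if the password is wrong."""
    key = _derive_key(master_password, store["salt"])
    payload = _stream_xor(key, store["ciphertext"])
    if len(payload) < DIGEST_LEN:
        return None
    embedded_hash, data = payload[:DIGEST_LEN], payload[DIGEST_LEN:]
    if not hmac.compare_digest(embedded_hash, hashlib.sha256(data).digest()):
        return None  # wrong key -> garbage payload -> the hashes do not match
    return data


if __name__ == "__main__":
    # Constructed sample record (not a real Opera wand file).
    record = b"example.org\tusername\tS0meS3cret"
    store = seal_store("correct horse battery staple", record)
    assert open_store("correct horse battery staple", store) == record
    assert open_store("wrong password", store) is None
    print("password verified without any stored password hash")
```

Note that someone holding a stolen store can still run this check offline against guessed passwords; not storing the hash only changes what is compared, and it is the slow KDF that makes guessing expensive.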
I use a variation of the plain text file. I use a file but instead of listing the actual passwords I write memory hints to remind me what the passwords are and not the actual passwords. This does have the flaw that I am using many variations of a few passwords for most of my needs. The hints help me remember what variation of the password is for that site. If someone else got that file they wouldn't be able to make much use of it.
I also use simple throw away passwords combined with mailinator.com for websites/forums that I don't really care about security wise. If I forget the password I have it resent to mailinator.
--
Placeholder for future witty sig.
The first thing you have to realise is you can't be 100% secure. Keeping plain text files isn't that terrible of an idea in all honesty; your situation, where someone would steal your laptop and access all your files and look for passwords, is unlikely. Your hardware is much, much, much more valuable to most thieves than your data. I bet most either A) just wipe it with a clean install of Windows, B) just randomly check a few sites and give up, or C) scrap your laptop for individual parts. A laptop thief is not usually a tech person. When faced with encryption they aren't going to try to break in; after all, your laptop is worth at least $50 on the black market no matter what data is on there, so long as it boots up it is sellable.
Similarly, few thieves are going to be looking for passwords on old sheets of paper. Most thieves if they break into a house look for A) cash B) jewellery C) expensive-looking technology. Even though it is much more important to us geeks, a thief is going to go for sellable things, chances are your plasma is more sellable than your Pentium 4 tower, your monitor more than your external HDD and your PS3 more than your stack of back-up DVDs.
There is a -lot- more threat from crackers, viruses, keyloggers and other malware than the run-of-the-mill thief getting your laptop.
Taxation is legalized theft, no more, no less.
You can try KeePass to store all your passwords, or by far the easiest method is to save all the passwords in a text file & encrypt the file using any file encryption tool like AxCrypt.
I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.
It was me, I did it, I moved your cheese
no one mentioned http://supergenpass.com ?
supergenpass hashes the base url with your main password. you can also customize the length of the final password.
it works in every browser (bookmarklet) and you can also use it if you aren't on your computer with the mobile version.
The Firefox automatic password remembering thingy is okay. Not too worried about if the computer is stolen as I have a BIOS password plus there's not exactly enough money in my bank account to be worth bothering with, and my bank system doesn't actually let you do a lot without human intervention. My biggest worry, actually, was if Firefox would ever show me these saved passwords in case I do wish to make an attempt to remember. It can. Cool.
What I can't believe is how many people are giving their best ideas for remembering passwords. Was this a serious question or a cleverly disguised bit of social engineering?
I have to track a lot of personal passwords and also 200+ passwords for client websites, emails, etc. I use Password Safe and recommend it:
http://passwordsafe.sourceforge.net/
Hides when minimised and has a useful function that enables it to copy a password and minimise again when you double click a client name (i.e., if you need their main/default password). Quick and easy.
Used to have Filezilla set to remember client passwords until a PDF hole led to a bot stealing Filezilla's password store and auto-hacking a lot of sites that were a serious pain to clean up.
'Thats they exact same thing a banana wrench monkey.'
ccrypt: http://ccrypt.sourceforge.net/
Another vote for KeePass
I use a memorized formula that does not change, but continuously generates new passwords as time goes on. That way my password is based on the time it was created, and another memorized section.
Gringotts used to be good. Gringotts saves info in encrypted files. You still need 1 password to decrypt the file, but you can have copies of the file in multiple places. See http://directory.fsf.org/project/gringotts/
--- Often in error; never in doubt!
I've researched this one for my boss, as well as for personal use. I agree that for Mac users, 1password isn't too bad a program.
If you want a *hardware* based solution, I've looked at Mandylion Labs' Password Manager before too.
Personally, I thought the Mandylion Labs solution was overkill for anything less than corporate use, though. Its "strong points" are largely centered around an I.T. staff centrally administering password policies for the keyfob and so on.
Another basic, but potentially effective and useful solution is simply keeping track of your login info in a text document, but maintaining that document someplace like Google Docs. Then, wherever there's Internet access, there's the ability to get to the document and it's platform-neutral. No worries about a computer drive crash causing you to lose all your passwords either.
KeePass is cross-platform, works on PC and Linux. :) Makes it easy to keep different credentials for every site you go to. Keeps passwords in an encrypted file.
http://keepass.info/
The diversity and expression of human opinion is essential to human survival.
Do what every idiot in my office does - use their name.
Sure, I try to change the password policy on the server, but of course management gets mad because they can't use "bill" to login and "bill" for a password.
Just this morning someone was all in a huff that there was an open document on their computer. Well, change the password retard, and logout at the end of the day.
BTW, I'm the sysadmin.
Seriously though, if you really can't remember, try using paper and pen in a very cryptic method so as to not shout "I'm a password list" or use a "base" password and addon specifics regarding the login site, for example, for facebook "billbook," for google, "billgoogle," you know, like the retards in my office.
I use a split solution.
On my desktop running Gnome, I use revelation. It has a handy applet you can add to the gnome toolbar.
You can export your password file to something compatible with PasswordSafe and then do a USB key install on it. Since the file is encrypted, you don't need to worry about people getting access to your accounts if you lose the USB key.
I use Steganos LockNote (GPL, http://www.steganos.com/us/products/for-free/locknote/overview/), it's essentially a self-contained AES encrypting Notepad.
And it's extremely stand-alone/portable, so you can just stick it on a USB stick.
I encrypt everything about myself in SplashID (passwords, credit cards, account info), and sync my home computer to my Blackberry. I have been doing this for years (first with my Palm), and it has always been a reliable method to carry all my secret data. All I have to do is never forget that *one* password.
I make my passwords something totally ridiculous that would probably be offensive to most people or certain groups I dont care for, haha. Something like macFanb0ysRghey&. Sure, I remember it, but if there's ever a chance you have to share that password with someone else, you either have to change it or see the person's face look like O.o
A spread sheet kept securely (encrypted file, not excel/etc. encryption but something like PGP or TrueCrypt). There are specific programs for this but I find a spread sheet works better.
1: Pick 3 six digit passwords that are not dictionary words (one should have some numbers in it)
2: Use the simplest one for your low level password for sites that require one.
3: For other sites use a combination of the 3 passwords, either the same one repeated or 2 or 3 of them together as a group. Mix&Match, if you forget a password for a site, it is one of the combinations of those three.
extra credit: if you want, give each password a NAME that has nothing to do with the actual password. Then feel free to write down the NAMES of the passwords anywhere you want!
This has worked for me for a long time with no problems. I have had problems with the replacement passwords assigned to me like 7qyR&8T . I just forget them and have to write them down or save the email. Someone once got into my email and got those passwords! Never again.
If I REALLY have to save info in a text file, I do that, but I add .jpg to the end of the file name. Casually clicking on it won't open the file, you get an error. If I open it from within the Text Editor program it then opens fine. Security through obscurity works well enough for me.
I also have a safe in my house. Everyone knows I have a safe. There is nothing in it.
I hide my valuables in a fireproof box elsewhere.
Porn star names....definitely, always works for me. Plus, I can then guess other users' passwords much more easily and don't need to bother with those pesky password cracking software. Let's see....jjordan (jana jordan), mistiluv (misti love), brandytal (brandy talore).....
I use eWallet on my cellphone, with secured cleartext copy at home. Very convenient, relying on semi-trusted vendor/security and pretty much with me at all times... but when I lost my previous cellphone this summer on a bus, I was able to have access codes/passwords changed in hours. And subsequently have had NO indication that the *.wlt file was ever breached. Also, passwords are "scrambled" by a simple memorized algorithm; enter the text you see and you won't get in.
My wife, OTOH, kept this kind of info cleartext on paper in a "bag" (not her purse) and we had a major panic when that was stolen from her car in a smash-n-grab.
I had to address this same issue recently myself. I'm getting an increasing number of login/passwords. I won't use the same combination on any two sites and I'm in my 30s. I can't remember passwords like I could 10 years ago. For me Password Gorilla was the product that fit all of my needs.
It's Free/OSS, runs on all major platforms, can be run from a flash drive and is compatible with the Password Safe file format.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
1password for Mac OS X. Wait you meant for Linux, right?
This isn't my locker...
Create a passphrase which you prepend or append to every important password. Don't divulge that passphrase to any but the most trusted (spouse, family attorney, etc.).
Keep a list of passwords sans the passphrase in a safe but accessible place in case you forget one. If someone finds that list, it'll do them little good since not only will they not know the passphrase, neither will they even know it exists.
I'm assuming you have no state secrets or other seekrit stuff which may be intimidated out of you by other means (pliers, electrodes, etc.).
This question has been asked on superuser.com, with many answers and associated discussion: http://superuser.com/questions/255/how-do-you-keep-track-of-all-your-passwords
Looking around I can see lots of words and phrases, such as
http://michaelsmith.id.au
Cellphone contact list...until your phone dies or goes missing
I have literally hundreds of passwords memorized, yet I cannot match a face to a name without much effort =(
I use a mental hash for my less important passwords. That way all I have to do is look at the web site's name and run it through my hash function to come up with the password for that site. That way, I only have to remember the function and not the plethora of passwords.
Make one good, difficult-to-crack master password. Then, for each site which requires a password, make up a unique one which is a function of your master password and the name of the site.
As a simplistic example, if your master password is "s3cr3t", then you can use "s3cr3t#slsh." for your slashdot account, "s3cr3t#b@nk" for your bank account, etc.
The overlap means that the amount of gibberish you have to memorize is minimized, yet each of your passwords is still unique.
Create some basic algorithm that applies to all the passwords. For example you could shift the value of the first 5 letters in the domain name 5 places. Chase becomes hmfxj for example.
The hard part is remembering all the different rules that each site has for their password. You could keep that in a text file. So if chase requires a capital letter and a number in the password you'd note Chase=cap * + num and know to capitalize the first letter from your algorithm and append whatever number you always use.
This won't provide the strongest possible security, but if you're just worried about some petty thief taking your laptop this is probably adequate.
Like I'm gonna tell you what I do. . . Don't write them down, don't use the 'remember password' option for bank websites. That is all.
jaz
Life is what happens to you while you are busy making other plans. No-one sees motorcycles
I've been using a VIM password file for seven years now. Just enable encryption on VIM, and it seems good enough; lightweight and works on any machine.
Once you start using a full disk encryption solution like Truecrypt or others, all the "insecure" electronic methods you discussed suddenly become secure.
I'm not kidding...get it here.
I keep an encrypted password file (several copies, actually) that I use with a GPG key. If GPG is good enough for general-use encryption, it's certainly good enough for your password needs.
Firefox has a "master password" feature. Use it, and remember just one password. It'll prompt you for the master password the first time it visits a site that has a saved password.
1password for mac is the best
I like using my brain.
Seriously, how many passwords do you need to remember? 15? 20?
Figure out a reasonable mnemonic for remembering them and do just that...remember them.
Every other tool I've tried has ended up being not available at some point when I needed it (e.g. at a hotel, at a friend's house, on an airplane etc).
I haven't actually done this, but if I had to pick my passwords all over again, I would use a foreign keyboard (my choice would be some type of hangul keyboard), and just pick words that make sense in the foreign language. For instance, if you need an alphanumeric password, you could do something like "11tlqdlf" where t = "siot", l = "ee", q = "bieup", d = "digeut" and f = "rieul". It's "11eleven" in Korean.
Or if it's one of those bank question/response things, you could do something like "What did the truck say to the bread?" Your response would be "Qkd Qkd" or "bbang bbang".
Or, "What did the bus driver say to the egg?" "rp fks" = "ge-ran" or "get on".
Everyone else here is apparently attempting to answer the question in the title, which is not the actual problem he's trying to solve.
There is an easy solution to the whole 'laptop getting stolen' problem.
It's called TrueCrypt. Encrypt your drive. Put in the password on boot. Use your browser like normal.
If someone steals your laptop, tada, no stolen passwords, because they can't boot your computer to get to them.
If you want to have a USB fob, well, sadly, keyfiles are not supported by system encryption yet in Truecrypt. But there are third party tools that will do that.
Trying to figure out what to 'store your passwords in' is silly. Store your passwords in your damn computer. And then encrypt your computer.
Incidentally, people saying 'Don't write your passwords down' are idiots living in the 1980s, where people had passwords on local files and for local networks, and that was essentially it. It was, indeed, stupid to write down a password next to a computer if the point of the password was to protect things from people physically sitting at the computer.
It's not stupid when it's your bank password or other online passwords, next to your computer at home. Because the security risk is not people breaking into your house and finding your passwords! The security risk is people you have no contact with at all guessing the passwords, and it's much safer to make it a 20 character password that's written down than a 10 character one that isn't.
If corporations are people, aren't stockholders guilty of slavery?
Memorize a single algorithm for generating all of your passwords. For example you might take the first name of a family member, modify it according to a set of rules, and append their birth date also modified by some set of rules. Now obviously you want to use something more secure than family names and birth dates, but you get the idea. With enough creativity, you'll end up with secure passwords. There are several advantages to this method. When you forget a password, you can pull from your pool of initial values and generate passwords until you find the right one. And it's often easier to remember a set of initial values associated with a particular website/etc, than the complex password that you actually generate and use.
http://passwordsafe.sourceforge.net/
I'm old skool, so I have most of my stuff in KeyRing for PalmOS. There's a jpilot plugin so I can sync and access it from Linux.
Someday I plan to migrate to KeePass, and then have some plugin automatically sync and login with Firefox using some sort of master password.
Also need to make some dead man's switch so my wife can get access to all of the accounts if something happens to me. Right now my plan is to write down my master password with my last drops of blood as I lie face down on the pavement.
Created by Bruce Schneier and perhaps the best app available.
http://passwordsafe.sourceforge.net/
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
I use RoboForm and have never turned back. It adds an (optional) toolbar to Firefox and IE that has drop-downs for form-filling, including password filling. There's also a password generator where you can choose complexity.
If you move between computers (say home + work PC) then RoboForm2Go runs on a USB key and will autosync your passwords.
You stick it in the USB drive and your existing IE/FF window automagically adds the RoboForm toolbar. Once you take it out, the toolbar is gone -- no need to close the window.
I've lately really gotten into using the password keeper on my BlackBerry, putting in various websites and so on. I like it because it's portable, as you switch devices it's backed up and moved, and I pretty much always have it with me. It doesn't integrate with software etc for me, but I'm now in the habit of just throwing new stuff in there. It's quite handy, and free.
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
A trick I learned on Slashdot long ago that has served me well over the years is to use a formula-based password whereby you have a constant formula combined with an application-specific salt. Take this simplified example for web pages, say I wanted a password for slashdot:
1) Take each alternate letter of the server root section of the url: "saho"
2) Append the remaining letters of the url so you now come to "saholsdt"
3) Sprinkle in a bit of your username after every second letter: "sakhodlsadtn"
4) And finally add a few numbers, say the last two letters of the server root converted to ascii: "15sakhodsadtn20"
Hopefully you get the idea. What you end up with is a password that is unique per-site or application but - assuming you use a consistent formula every time - is easy for you to remember. Other than a few exceptions I have been able to store my passwords nowhere else but my head. (Work-related passwords that expire every month have been the exception, the solution for me was to write down nothing but the salt and apply my formula accordingly)
Add a master password to Firefox. That way, you (or the thief) will have to key in the master password before FF fills in the password. FF only asks for the master password the first time the password manager is used, so it's actually not that much of a hassle. (Although this security measure backfires in the unlikely event that the thief steals your laptop while FF is running.)
Come up with a system that somehow deterministically transmutates the name of the site or item you're making a password for into something else. For example, a password for Key Bank might be "K3y_b@nk-banking_site" or something like that. Bingo: strong password that's unique to that site, and easy to remember as long as you're consistent. Just don't tell anyone your pattern.
Of course, consistency is difficult when some sites don't allow passwords longer than eight characters, some don't allow special characters, and so on.
Use the 'master password' option in Firefox that requires you to type in a password (the master password) before it will automagically fill in the username/password boxes on websites.
I have found a really good "tool" for remembering passwords, basically, you rely upon your childhood and the Nursery Rhymes that you learned and/or your own list of favorite songs and poems. The "algorithm" that I use takes into account the "rules" that seem to be imposed more and more lately by sites that want to make sure that you have a strong password. Most of these sites require some combination of upper-case letters, lower-case letters, numbers and symbols. Thus was born the easy to remember password algorithm - I typically use poems. You start by recognizing that you will need a number (or two) somewhere in the password. Thus the first portion of the password is the line number of one line of the poem (usually two digits). Next, you recognize that poems (or songs, etc.) start each line with a capital letter (takes care of one more requirement for the strong password) - I usually use two capitals here that are taken from the first letters of the first two words on that line of the poem. The next step is to take the first letter of the next words on that line of the poem (or song). If there is no punctuation on that line, you can end the password with a period (or two). If there is punctuation within the line, then the requirement for symbol(s) is also taken care of. Now, all you have to remember is what poem you are currently using and which line you are on. When you need to change passwords, it's easy just to take the next line of the poem and repeat the procedure.
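The poem-line scheme described in the comment above, written out as a small Python function (this is an added example, not the commenter's code). The poem lines are constructed for the example; where the comment leaves a detail open, the code assumes that letters after the first two are kept lower-case and that punctuation attached to a word stays in its position. A policy check is included so the result can be verified against the usual "upper, lower, digit, symbol" rules the comment mentions.

```python
import string

# Constructed sample stanza for the example (not from the original post).
# Line numbers are 1-based, as a reader would count them on the page.
SAMPLE_POEM = [
    "The lantern swings above the gate,",
    "A fox is counting stars alone",
    "Nobody waits beyond the hill.",
    "Where rivers bend, the willows lean.",
]


def poem_password(lines, line_no):
    """Build a password from one line of a poem.

    Steps, following the comment: two-digit line number, then the first
    letters of the line's words (first two upper-case, the rest lower-case,
    an assumption of this example), with any punctuation attached to a word
    kept in place; if the line has no punctuation, a trailing '.' is added.
    """
    line = lines[line_no - 1]
    parts = [f"{line_no:02d}"]
    for index, word in enumerate(line.split()):
        letter = word[0]
        # punctuation inside/after the word (e.g. a trailing comma) is kept
        punct = "".join(ch for ch in word[1:] if ch in string.punctuation)
        parts.append(letter.upper() if index < 2 else letter.lower())
        parts.append(punct)
    password = "".join(parts)
    if not any(ch in string.punctuation for ch in password):
        password += "."
    return password


def meets_policy(password, min_len=8):
    """Check the common site rules: length plus all four character classes."""
    return (
        len(password) >= min_len
        and any(ch.isupper() for ch in password)
        and any(ch.islower() for ch in password)
        and any(ch.isdigit() for ch in password)
        and any(ch in string.punctuation for ch in password)
    )


if __name__ == "__main__":
    for n in range(1, len(SAMPLE_POEM) + 1):
        pw = poem_password(SAMPLE_POEM, n)
        print(n, pw, "ok" if meets_policy(pw) else "fails policy")
```

Because the line number supplies the digits and the poem supplies the letters, the only secret is which poem and which line; anyone who knows both can rebuild the password, which is the trade-off this kind of mnemonic makes.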
On my Mac, I live & die by 1Password. I resisted putting all my passwords into a single store like it, but once I started, I was blown away by the program.
For my PC at work, TrueCrypt with a spreadsheet inside.
LastPass is definitely nice - it encrypts passwords so that they're not transmitted or stored on the server in the clear. It's also one of the best integrated pieces of software I've used - it generally just does what you want it to.
I recommended it to a non-technical user recently, and she sent me back an email later thanking me because it removed all the mess that she was dealing with before and gave her a single launch-off point for her web logins.
I do it like this.
I use a super-secret, my wife doesn't know it password for the mission critical life-changing passwords.
For web sites and forums there's a formula in my head, based on the web site name, truncated and a mathematical operation.
If you were to somehow acquire In the IT part of your job only remember the ones you have to, don't try to store or remember your users' e-mail passwords etc, just the one you need to reset their password.
You can use the same formula, for your work related passwords. Keeping a paper list of them in your locked fire-file or safe at work isn't crazy, and the risks of you getting hit by a bus are probably greater than the risk of ninjas breaking in to steal your login info.
http://www.splashdata.com/splashid/index.asp
It's the most important and most used app on my treo (including as use as a phone)
Personally, I use a disk image for the emulator Mini vMac that contains the old MacPGP 2.6 and a text editor. This is easily carried on a USB stick, and can be used on Macintosh, Windows, or Linux computers (and there are other ports). Further, the disk image should work on other Mac emulators. Of course, I'm the maintainer of Mini vMac - this might not be the best solution for other people.
I am no security expert, but for what it's worth, I use a pretty strong base password, which has a couple of characters in the middle which vary based on the name of the account. The base password is multiple permutations of some very personal information. So even if I forgot my passwords, I could probably figure them out eventually.
I use Keepass, and use SugarSync to keep it sync'ed between computers.
This way, it's also available on the web whenever I need it. The nice thing is Keepass also has a portable apps version so you can use it anywhere.
I recommend OBZVault. OBZVault is a cross-platform encrypted text editor; with it you can secure sensitive information like passwords, quotes and messages, and access them from any operating system.
We use OBZVault in-house to store all our important company secrets (passwords, PINs, etc.) in a single file that gets checked into our source control system. Using OBZVault we can access that file on any of the operating systems we use (Linux, Mac OS X, and MS Windows).
It's licensed per physical machine, not per operating system, so e.g. a dual-boot Mac OS X and Ubuntu machine will only need one licence.
(Disclaimer: I co-founded OffByZero, the company that produces OBZVault.)
I keep track of all my passwords using a "rootword" system I devised. I started off simply, and have made the system more complex as time passes.
As an example, all my passwords are based off a single, easily-remembered word. Then I complicate the rootword -- i.e., by replacing characters with symbols or numbers so that even in the unlikely chance anyone ever does find out my rootword, they don't know which iteration of characters make up the string of said word. If I choose "banana", then my rootword may end up being "b@Nan4" or "BAn@n@" or "b4n4n@" etc.
Next, I simply add extra characters as identifiers to the rootword depending on the services or sites for which it is used. It may have something to do with the site or service name, the person that introduced me to it, or something completely random that reminds me of it. Thus, my "b@Nan4" may end up as "g00b@Nan4" for a Gmail account.
You'd be surprised at how simple it is to remember a couple hundred different passwords using a system like this.
UNIX: Find it, fsck it, forget it.
Any poem or bible verse can be used as an acrostic to generate a password. Here is one from the 23rd Psalm:
THHHHHYITTTTSa
Here is one from Hamlet's soliloquy:
HWTOANTTDTFWMT... etc.
You can also have a rule that says a number gets incorporated into them. Like pi:
H3W1T4O1A5N9T2T6D5TFWMT
Some of us prefer to use emacs to edit our encrypted files...
I *remember* passwords in my head, and hate to admit it but they are short phrases... if I was a Blade Runner fan I might choose "Time2DiE!" for a not so important account.
I *record* as few of my passwords as possible, but at my employer we record all the details in a special area of our CRM system. It isn't very secure, but it works. I prefer not to have any record of my employer's clients' passwords and check the CRM every time - it is embarrassing to lock out the Admin account when another engineer changes the password!
I feel sorry for one customer who needed to give us admin access. His "never tell anybody" password was the brand name and model of a personal electronic device for applying mild electric shocks to sensitive parts of the body... I just HAD to google it!
PasswordMaker.org has a solution that allows you to create passwords using a number of options and hashing algorithms. You use one (or a few) main passwords and then hash those with something specific about the program/application/website you are creating the unique and strong password for. The hash is a repeatable process so long as you can remember the options and password you used to generate it.
There are executables, web applications and embedded source code at their site and it is an open source solution. You are not tied to any particular device or program and can create the hashes from any machine in the world.
I've been using this for years. I've tried KeePass, 1Password, etc for weeks each, and kept coming back to Roboform. Roboform is MUCH better than any of these I've tried at filling forms easily/fast - not just passwords, but identity and credit card/payment information. My biggest complaint with it has always been syncing my encrypted roboform directory files between different machines - used live sync, sugarsync, etc - but now they do that also, with a free RoboForm Online account. Data still encrypted, but I can now get to it with my master password and any web browser. (Even dumb phones.) PLUS - they've come out with clients for the iPhone. (Have had Palm, WinMobile, Blackberry, Symbian clients for quite a while.) I have full access to my codes, always synced, EVERYWHERE I go. Love it. My final favorite use for this, in addition to the password vault, is for ALL my bookmarks. I got tired of syncing/restoring/losing bookmarks between different laptops, desktops, OSs, etc some time ago - so I now have thousands saved over the last several years into my Roboform repository. I save them (as well as passcards, etc) with a few extra keywords, and use the Roboform search window to very rapidly go to any website (and login if necessary), even when I can't remember exactly what the site was called - pull it up by subject/keyword. A major timesaver. Costs some $$, but not much, and well worth it.
I use a plain old spiral-bound address book. I keep it locked in my gun safe, in the same room with a shredder.
for a long time... it was a little keychain dongle... you push a sequence on the buttons on front and it lets you see the passwords. There are not that many buttons, so if it's stolen don't expect it to last more than a few days, but it'll slow 'em down hopefully long enough to let you change your passwords.
but mine broke :(
vim -x somefile
If you are expecting something here, I don't know what to tell you...
Remember how to generate them. MD5 hashes of the base domain name plus your favorite quote you're sure to remember verbatim.
A simple and effective way may be to use a secret sharing scheme between your computer, a USB device that you carry on you, and a third one that you keep in a secure spot (bank). The secret sharing scheme should allow you to recover the secret from any two shares, so if one out of three is lost or stolen you can still recover all your passwords.
(Look for secret sharing on Wikipedia.)
I use clipperz, a free and anonymous online password manager which comes in an offline version too. It is based on open standards, proven encryption technologies, and has no vendor lock-in, and full anonymity.
http://www.clipperz.com/
I like the philosophy behind it and the people who have developed it.
If you use it, please consider a donation =)
I like ewallet by Iliumsoft. Much more than passwords, basically a little encrypted database app. syncs to iphone, windows mobile, blackberry etc... I use it on a U3 drive for portability. And hallelujah it works under parallels on my macs too!
I use password safe, where I keep the encrypted password data file on a thumb drive, and backed up on my home computer. The program helps you organize passwords with categories, one click copy-paste to the clipboard (and clears the clipboard when the program is minimized or closed), and auto-generation based on a specified password policy.
I keep my passwords encrypted on my cellphone, backed up on my PC.
I have multiple passwords with variations to each. I have a code for each base password, there are 6 now, and then I have hints there which tell me which one and its variation. A hint might be: scientist silicon doped p-type. Which would stand for Einstein34.
Firefox installed onto a USB stick. Have a single password for everything. If you lose the USB stick you can change passwords quick enough. It is convenient in that you only have to remember one thing. It is secure against key-loggers on infected computers. And you can probably make the usb stick effectively read-only protecting the stick itself. And the whole thing costs like a dollar.
Mnemonic techniques work well, and will help you keep your brain active and healthy longer.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
While you initially discount paper, a folded notecard in my wallet has been the most reliable method thus far. Honestly, when is the last time you've lost your wallet? For me this was eight years ago. Just as you cancel your credit/debit cards when losing a wallet, significant passwords can also be changed. Consider it a security feature. Besides, the slight inconvenience of taking out your wallet for a forgotten password encourages you to remember it (I have a straight-terrible memory, and this has worked).
In these days, bleeps and bloops mean something more
In this way every website has a different password, and not even your closest friends will be able to guess from the hint. And so if a database is compromised or packets are sniffed while you are logging in, only the website in question is affected. If you forget which of your many passwords goes with which site, the hint should help. And if you completely forgot the password, you can look up based on the theme what the password is.
If you are worried that the theme can be easily predicted from the sheet, you can use the position on the sheet of paper, feed it through a formula, and have the resulting number be a number used in determining the word or phrase.
If you are less worried about accessing your stuff remotely, you could do something rudimentary like append what the password is for to the password, run it through crypt(), and use that.
Create a 6 character base password like qaJdkW5 and use it as a base for everything. Then add a suffix for each particular use, like quJdkW5G for Google and quJdkW5sd for slashdot. You can then add digits to "version" them for applications that require changing passwords on a regular basis. Then all you have to do is remember the base and you can derive the rest.
Try password safe. Choose one strong password to encrypt (via twofish) the entire data base, then choose strong random passwords for everything within. Only one password to store in memory that way.
It can run on a USB key (no registry entries), making it very portable. You can right-click entries to (1) surf to the selected logon page, (2) auto-fill username and password, and (3) hit submit, making surfing nearly as easy as the built-in firefox password manager, but much more secure. Of course, it has all the standard features, like auto-generating random passwords, database search, categories/subcategories/etc. My wife and I both use it and are pretty satisfied.
In the related links, you can find non-windows implementations, making it very portable.
I hope this helps; good luck! -- Paul
OpenSource.MathCancer.org: open source comp bio
If you check the website for magic password generator, you'll find a bookmarklet and a form that are browser- and os-agnostic, that comes up with the same passwords the plugin does.
"The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
It sounds like you're describing this: Mandylion Password Manager. ThinkGeek's out of stock at the moment, but you can probably find one elsewhere.
Less convenient than some options since you can't copy & paste. On the other hand, more secure since the list of passwords never gets to the PC's RAM.
Alphanos
As long as you have internet access, SuperGenPass is a great option. It's a little bookmarklet where you type a master password, it will account for the domain you're currently on, and then generate a random password based on both. So, as long as you provide it with the same master password for the same website, it will always generate the same password. And as long as you have access to the internet you can always use it (when you're on the go, try SuperGenPass.com/mobile). I actually use it outside of the web as well. I will just use the name of the application as the domain name.
I don't like to sit. Sitting is for people who like to sit.
It's secure. It's online. It stores more than just passwords. And it's free. 'nuf said.
And encrypt a data partition. Install Firefox and its profile on this partition, use a master password in Firefox. Install KeePass ( http://keepass.info/ ) onto the encrypted partition to hold other passwords, license numbers etc. Store all your data on this partition and, like the Firefox install I mentioned above, if it contains any personal information or data install it to the encrypted partition. In Windows you can use TweakUI to move your Documents folder to this partition too.
That doesn't seem to solve his worry about using computers without Firefox installed. Also, even assuming every machine he wants to use has Firefox installed, does this allow him to easily use a password file stored on, say, a thumb drive? I've never tried to use an external password file with Firefox (i.e., one I did not create with Firefox).
I guess he could just keep Firefox portable on a thumb drive, although he'd need a copy for each OS he wants to run it on.
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
are all you need
The question is what tool do slashdotters use? That is part of the problem, backups are the other. I have passwords for myself and all of my clients, so the tool I use (Password Safe) has hundreds of passwords that are not easily retrievable, or not retrievable at all. So I have to keep all of my passwords, but losing a laptop with my passwords would mean more than worrying if someone would get into my bank account. It would mean I have tons of customer passwords lost.
I store all of my passwords on a USB key. The password files are encrypted on this device; it is also my "master copy". When I update a password, I copy the password database to my home computer (unencrypted, I am not concerned about a theft resulting in my password tool being cracked). My home computer is backed up to Mozy. I then copy the update to my laptop (unencrypted).
I have 4 copies of my password files. I can tolerate losing any one of them.
Coffeecup Software has a password manager called LockBox. It's password protected and encrypted. I keep it on a flash drive.
Works great, cause the sites can be sortable, plenty of information fields.
The best way to remember a password is to just use a hint and keep it in plain text. The best place to store the hints for your logon ID and password is on the cloud. The cloud is the perfect location because you never need to sync and it's accessible on any computer or smart phone. Also, since I log into my accounts generally by clicking the URL in my bookmarks, all my account passwords are stored in the title of the URL on my Google bookmarks (my bookmarks are stored on the Google website so only I can get into them, but I can still access them on any computer or cell phone, with no syncing required). Example: the title of the bookmark to my Amazon account would show: Amazon.com - ID_Hint Password_Hint. For my hint I would use a very cryptic combination of letters, numbers, and symbols. Say my ID for this account is Syphony123456! then my ID hint would be S16! which tells me to type my favorite word (since I like music) using a capital letter with number range 1 to 6 followed by !. Most of my hints are a bit more complex but it works. I've asked people to figure out my hints and they can't, unless I explain it to them, then it's simple. I have over 50 different hints and even my wife can remember all of them easily.
Passpack.com. Actually, the site seems uncharacteristically sluggish at the moment... better be sure to download the offline client and use it to keep a local backup of the DB.
Good enough for personal passwords. For really sensitive enterprise stuff, it may be ideal to use an Enterprise password management product, such as a Passpack appliance (whenever they get to making that), or Citrix Password Manager.
Generally the requirements for businesses include strong encryption, multi-user access, and role-based access controls. Most simple DB methods lack detailed access controls.
Some Enterprise password managers also provide options to allow a user to utilize the password to login to something; from the application, it will launch a browser or ssh/telnet directly with login details filled.
In some cases, allows user login without their workstation allowing them to know what the password actually is that is being submitted. Or requires a separate action be taken to 'see' the password, which generates a special audit record.
That way, if someone's terminated, or stripped of certain roles (and therefore access to certain passwords), it may not be quite as urgent to change them all immediately, or the passwords they actually chose to view can be changed first.
Policy might be for a password to always be changed to a new random password within 3 days of someone clicking on the "show me this password" link. To ensure use of the PWM is for one-time access, and protect against improper practices such as _writing down_ passwords or recording them outside the official DB.
Have the body of the password as a numerical string, write this string down in notepad but precede it with phone numbers that you remember from your childhood. Hardly anyone remembers numbers now, but old numbers of schoolmates stick in my mind for some reason. If the file gets "found" then only you would know where the numbers stop and start, especially if you omit area codes.
I invented this method and it has worked for me perfectly since then. What I did was to develop an algorithm by which I can reconstruct my passwords based on the website or account. For example:
1) Take the first letter of the website name, eg: slashdot = 's'
2) Count letters in the website name, eg: slashdot = '6'
3) Count the vowels, eg: slashdot = '2'
4) Take the last letter, eg: slashdot = 't'
5) Add an underscore and a keyword in common to the end of the 4 previous characters, eg: 's62t_w00t'
Here's another example with google.com
1) 'g' 2) '3' 3) '3' 4) 'e' 5) 'g33e_w00t'
Be creative with the rules... like for example, if it's a bank account, make all letters UPPERCASE. Hope this helps. Note: the above example is not my PassGorithm :D
I use an old program called KeyMaker. It uses a passphrase of your choice, the complexity of your choice and other options (such as the name of the website and the username) to generate the password. I like it because, I never have to write down a password. I simply have to remember the passphrase and what options I used, and the program will generate the password for me.
I don't know why this hasn't been mentioned, but you can set a master password on your Firefox password manager to make sure that your passwords are kept secure via encryption.
Free means no restrictions, ironic the FSF's GPL forces restrictions, isn't it? What's your definition of free?
SuperGenPass (http://supergenpass.com/) solves a lot of problems for me... you remember one (or more if you like) master password and use the domain name + the master password to generate the site password. There are several advantages to doing this:
1) Your master password never gets transmitted or recorded, so even if one site is compromised no other site is. (One way hash makes recovering master pass from site pass basically impossible)
2) The generated site passwords are very secure as they are a pseudo-random string of upper- and lower-case characters and numbers, and can be any length you'd like, in other words not vulnerable to a dictionary attack as most memorable passwords.
3) It's a bookmarklet - a javascript script that runs from a bookmark completely locally. Works with any browser and all the hashing is completely local to your computer with nothing stored. Or you can also use the mobile version on the site if you're away from your computer.
For an added measure of obscurity, I've added a keyboard shortcut using Ctrl + last letter of my password to activate the hash. So even if someone was watching me type the password, they would not necessarily be able to access the site unless they knew I was using SPG. I know obscurity is not security, but it makes me feel better :)
Overall, SGP gives you the convenience of remembering only one or few passwords and the security of many highly difficult to guess site passwords.
www.lastpass.com I store less important passwords, and keep in memory ones for banking, ebay, etc.
It does encrypt the passwords with a master password and having them on a PDA/phone is much more convenient than a file/application on a laptop.
I can't believe nobody mentioned LastPass yet. I've been using this for a year or two now and it's awesome.
Works everywhere and fills out the form for you... under IE, Firefox, Chrome, etc... has apps for iPhone and whatnot. Works under Linux, Mac, Windows...
Keeps the password stored on the lastpass servers, encrypted. Can backup easily...
I tried many password managers, this one is easily the best.
Bento - put out by Apple if you use a Mac. It's a small personal database - so you can do a lot more with it. But it also includes a great encrypted field - AND it will sync your password database to your iPhone if you want, and give you access almost anywhere.
Get a Mac. It has had a keychain manager, Keychain Access, since 1995. It works with _all_ password-using programs, not just browsers, and it is beautifully integrated across the system like more and more of OS X.
Make three passwords of differing strengths for various uses. Weak: abc123 (New York Times online, random one-use sites) Medium: m1dd13name (forums) Strong: tw45br1ll1ggreat! (mail, bank) Then just write them on a piece of paper and put that in your wallet. Try to remember them every time, but if you forget, consult the paper in your wallet. Eventually you won't so much remember them as your hands/fingers will remember how to type them in a given situation. Just keep trying and they'll stick.
http://www.tenjou.net/
I use "pwman" because it works with my pgp key (and stores them in an encrypted XML file)
Not the greatest, I wouldn't mind finding something better.. (sometimes it corrupts my file) but it was the only one I could find that worked with the terminal. (I don't like critical stuff using X11, plus, I want to get at it via ssh)
http://passwordmaker.org/
- remember one password
- easy to use firefox plugin
- works from anywhere from their website
- protects from spoofed websites
http://www.clipperz.com/
Clipperz is both a service, and a downloadable webapp you can run on your own server. It's the closest thing I've found that approximates the features of 1Pass (for Macs) on Linux. Now I just need to get a data plan for my phone.
Acts 17:28, "For in Him we live, and move, and have our being."
There's also an add-on called Master Password Timeout. You set a period of time after which it will again ask for your master password when you log in somewhere. The security feature here is that if you get a password prompt without expecting it, you'll know that there's some background code on the page poking into places it shouldn't be. It is also good in a workplace if you happen to leave your browser open while away from your desk. Keeps co-workers from checking your webmail, or bidding for you on ebay. I usually set mine for 15 minutes. You can set it to a really short period if you're particularly paranoid.
The closer you are to the code, the happier you are. - Ancient Geek Proverb
There is a password manager daemon (pwmd). But there is no GUI. Applications that want to use it need to be patched to use libpwmd, which also includes a command line client that can send passwords to stdout, to be piped to xclip or whatever.
Blackberry password keeper for low security passwords. High security keypass and ironkey. Top secret stays in my brain. When captured by the enemy, I will only state my username and a/s/l.
I would tell you, but then I'd have to kill you.
Table-ized A.I.
I keep all of my passwords in a file that I encrypt using PGP type software (http://www.gnupg.org/). This means all you need to remember is one password. I found an add-on to vim that makes opening this file seamless when I'm in the terminal. This isn't necessary, but I find it useful. If you're more of a mouse type person, there are lots of free tools for encrypting / decrypting text files using the PGP standard. While it isn't the most fancy solution, it's pretty flexible and there is no risk of lock in, OS limitations, etc.
...but it works for me. Use vim's pgp/gpg capabilities and a wrapper script to check out/check in my encrypted password files to a remote SVN repository (which is backed up to several other servers). Just have to be cognizant of tmp files. Allows me to have ridiculous usernames as well as passwds and be fairly resistant to catastrophic disk failures. I have been caught a couple times in third world countries when I had no ability to SSH to one of my servers, but it's few and far between.
your brain.
Using multiple passwords will lead to using some sort of tool to store them, and one master password to access this tool. Might as well just come up with a couple of reasonably strong, easy to remember passwords and rotate them between all sites you use. The trick is to never use your passwords on the systems you do not trust, and never register accounts on some shady sites using your standard email and passwords.
What's so wrong with using the opening sentences of books, with a bit of 1337 speak? Take the first part of the opening sentence from James Joyce's "Ulysses":
Change a few letters to numbers, or introduce a misspelling. Even add different punctuation if you want. That'll be pretty strong. Then you can even email yourself a password hint: Joyce, or Dublin, or Stephen, or anything really. You'll remember it, if you're not an idiot. Follow the same pattern with different books for different important sites, and unless the CIA or Mossad is after you, you'll do fine.
/not my password ... or is it?
This is another vote for keepass(x) - but with the addition of Unison to replicate the database everywhere you need it.
Redundancy makes the 'laptop stolen' problem less severe, since you still have your passwords backed up. I'm assuming that there's at least 1 other person here that doesn't really backup as often as they should...
Personally, I'm surprised that some people are advocating 'remembering them all' - I kind of assumed that everyone had a WiFi router, a machine with a root and root SQL pw, and a personal website, and PINs, and ... Also, what about the 'name of your first school teacher' questions : it's more secure if you don't answer correctly...
I use a template that contains some characters along with something that is specific to the website I wish to generate a passphrase for, then I run it through md5 and that becomes the password. For sites that have a limit on characters, I just use cut. This is only for public sites like slashdot, digg, etc.
For sites that use SSL, I don't hash my passphrase.
How about PasswordVault by Lava Software --> http://www.lavasoftware.com/PasswordVault
They have binaries for Windows, Linux, Mac
There's also a portable version to put on a USB stick that will sync up with the Desktop version.
You can categorize your passwords and it has auto-fill features, amongst other features.
http://www.passpack.com/en/home/
http://www.clipperz.com/
https://lastpass.com/
I have a uniform base password which mixes letters and numbers and punctuation, then for each different password I modify it in a predictable way. From time to time, maybe once a year, I change the base password and the form of modification. I actually picked up that habit after reading it from a comment on Slashdot.
For instance, if the base password is p@ssw0rd, then the password at slashdot might be SLp@ssw0rd and the password at Digg might be DIp@ssw0rd.
For me that's a medium-security way to partially obfuscate a shared password.
http://www.f-secure.com/weblog/archives/00001784.html
Think up a 3 or 4 or 5 character "pin".
Write down your passwords on a post-it and stick it to your monitor.
Actual password is whatever is on the post-it + your pin preceding or following it.
In order to lose a password you have to forget your (short) pin or lose your monitor. For somebody else to get your password (barring keyloggers etc) they need physical access to your computer / post-it, and a gun pointed at your head for your pin.
Crypto for the file-system. Then store your less than critical passwords in firefox, and/or use a master password system to generate a unique password for each individual site based off a single password. Really important passwords I store in a GPG encrypted file on this crypto partition.
Then I back this stuff up to a server that resides in a secure facility.
Works very well.
Sean
Obviously you could setup something on the iPhone or some other smart phone to record the passwords then cough them up when needed to type into the browser
just a few days ago Jon Udell was suggesting this site: http://www.clipperz.com/. Seems interesting.
I use 1Password on the Mac and iPhone which works very well for me. The desktop program comes with plug-ins for several web browsers and your password data can be wirelessly sync'd to your iPhone in case you need access to your data on the go.
Keepass Password Safe should be the first tool you check out. It's superb. I *highly* recommend it. I see that plenty of other /.ers share my opinion.
http://keepass.info/
Great little program...have been using it for years. The developer, Vince Sorenson, is also wonderful to work with--very personal attention.
Write down mnemonics that make sense to you but would be of little help to anyone else. For example, "rabbit food" might remind you of a password like "bbl2e^s". That would be because you based the password on "bugs bunny like to eat carrots"
If you do this right, even someone who finds your list AND knows one or two of your passwords would not be able to infer the others.
GPG is widespread enough that you should be able to find front-ends to it for many mobile platforms; otherwise at the least you can use cygwin to get it running. On a more complex level, gpg lets you add/revoke permission to read the file and also does integrity checking via PKI signatures and signed keys (ie: gpg creates an encryption key pair, then signs it with a user's own public key so they can decrypt it. Any additional user can be added by adding another signed key using that user's public key to decrypt the original encryption key).
-tm
Support TBI Research: http://www.raisinhope.org
I use Lastpass (www.lastpass.com). Supported by multiple browsers, operating systems, and iPhones.
I have seen Password Safe recommended in a number of comments and I use it for any "sensitive" passwords. You still need to remember one master password for it, but that's easier than keeping track of dozens of them. I have also found that in using Password Safe I am MUCH more likely to use a stronger password for two reasons. One is I don't have to memorize it and even more important is I don't have to type it. I just copy and paste from Password Safe. Of course, like my Grandfather said about locks, passwords only keep the honest folks out.
I too use RoboForm but the biggest thing I like is RoboForm2Go, which is a USB version and very portable between Windows machines. I too tried other password programs but RoboForm has a ton of features.
Now, I don't trust them having my encrypted password file stored on their server which is why I keep it on my USB flash drive. Naturally if I lose it I still have a copy and plenty of time to change the passwords on the websites. I doubt they'll be able to crack the encryption but at least I can plan it if I have to.
If you haven't seen it yet, it's worth a peek. Straight from passpack's site:
...Your data is encrypted on-the-fly before leaving your browser. Passpack uses the AES-256 encryption algorithm, US government approved for classified information, to make sure that only you can decrypt it with your secret Packing Key. Your Packing Key never gets sent or saved to the server, so not even Passpack staff knows it. As far as the world outside your browser is concerned, your Packing Key is a complete mystery. Without it, it is impossible to see, access or use your Passpack account (so don't lose it!)...
You can verify the integrity of the encryption algorithm by looking at their JS implementation. It doesn't have the added protection of key files though...
Trying to install linux on my microwave, but keep getting a kernel panic...
In order to use a unique password for every website and still be able to remember them, devise a secret scheme based on the site name.
An example scheme:
google.com -> 'xgooHoo'
digg.com -> 'xdigEig'
ebay.com -> 'xebaFba'
facebook.com -> 'xfacGac'
etc.
As long as you don't divulge your methodology to anybody, most people won't be able to "guess" your passwords between sites. I've even had friends witness me typing in some passwords in the clear, and they didn't recognize that a methodology was being used.
Of course, if a real dedicated hacker wants to crack your personal code, they would probably have enough information to do it if they had access to a small subset of your used passwords. Though if somebody's really that dedicated to cracking your passwords, most software and hardware solutions are also going to be just as easily compromised.
Given the requirements of many sites today, it's also a good idea to mix some numbers and capital letters into your scheme, so that you don't have to create any 'special case' passwords for the odd super-finicky site.
Try the website supergenpass.com. It makes a javascript bookmarklet for your browser. You basically use a master password, which gets combined with the domain name in order to generate a random-looking password of whichever length you'd like. Since the bookmarklet is stored locally, nothing (aside from the initial bookmarklet download) is transmitted online.
I use Notational Velocity. It's open source, mac. Make sure you turn on encryption. I'm using version 1.1.1. It's a minimalist application that was written for a user interface class at Northwestern University. The design is as elegant as it could possibly be.
http://notational.net/
vim -x filename
What could be simpler? It's easy, quick, and unless your laptop is stolen by an uber hacker, it's quite safe.
'Impossible' is a word that humans use far too often. -- Seven of Nine
I use my own brain. I continue to surprise myself at how many passwords I can remember, even years later. If I counted I'm sure it would be in the hundreds. And I don't have any special memory powers...
Also, it helps if the passwords you create follow some pattern that only you know but still pass the usual test of being more than 9 characters and both alpha and numeric. It might even help to go further than 9 chars.
For what it's worth, I wrote a password keeper app for myself a while back. I offer it on my website here if anyone is interested (first link). It's just a simple .NET winforms app, but I use the built-in support for AES to store the data using AES 256 bit encryption.
Probably better tools out there, but I felt like this is some pretty heavy data to trust to a random app I found on the internet, and I didn't want to have to sift through a bunch of code in a FOSS app to make sure my password file wasn't getting periodically sent to Russia. Of course by that logic you shouldn't trust me either, which is fine too :-)
Put everything in a notepad file, and encrypt it using free software to compress and encrypt the file. Just remember the password to the encrypted file :)
If you're using a tool, you're no longer "remembering" :-)
I'm a big fan of Passpack but some people are paranoid enough to think it's a conspiracy to collect passwords...
They at least released the key to their backend as open source.
I've used TK8 Safe for the last 3 years. Works great.
I use RoboForm. I have a master PW to protect all my passwords, it will auto-fill websites if I wish it to. (Preventing Keyloggers from being able to log the data)
It has a portable app so I can put it on a flashdrive.
I can copy the data to my netbook from my gaming machine.
It works great with IE, Maxthon, Chromium (the RF flavor of Chrome), and FireFox.
You can manually look up passwords, it has a PW generator, and a notes function to keep track of other important data.
Check it out: http://www.roboform.com/
Passwords I use are different for each site. Something site related, then a standard piece with Upper/lower/special characters, a non-dictionary combo. I checked with a couple of password crackers until I came up with a pretty tough combo to crack. Good enough for me, they're never written down or saved inside a machine. I know the tinfoil hat crowd might take issue but I feel they're pretty secure & they won't be found anywhere except in my brain. I only have to remember the combo & the rule per site.
I also believe some mobile apps exist to store passwords - not too sure how "secure" they are though.
Need an ISP in South Africa?
In addition to recommending 1Password for the Mac, another solution I used for a long time was a list of sites, login names and password hints (you could even have your login name as a login hint, if you wanted). This meant that even in an unencrypted plaintext file, there's no information there that will really make sense to anyone else. I also don't typically use more than three passwords, and I have my own mental rating system as to when each password is appropriate to use, meaning that knowing one of them isn't going to give access to everything.
"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life
Use the same passwords for things that don't really matter (forums, games, that sort of thing) and memorize a small number of strong passwords for more important things: banks, important email addresses, school or work stuff. That works for me at least.
What with one thing and another, I've been having to remember passwords for at least twenty years--and the number has only increased. I use a rotating theme system. Every six weeks or every month or whatever security seems to dictate at the time, I pick a new theme. Successful themes have included: Old boyfriends, cars I have owned/want to own, ice cream flavors, species of birds, dog breeds, former phone numbers and zip codes, lines or words from a song, botanical names, astronomical names, book characters, etc. I then go through and change all my passwords so that they relate to the current theme--with appropriate injections of numbers and punctuation marks. If the passwords are somewhat interrelated, I seem much less likely to forget one. My method isn't foolproof, and I'm sure the security-minded could poke plenty of holes in it. But I've never had to write down a password, I seldom forget one, and I've yet to have one guessed. All I have to do is remember, "Oh. Right. It's 'A Tale of Two Cities' right now."
"Here's what's happening. You're starting to drive like your Dad..." - Red Green
Yeah I agree roboform is the best, it's updated every few weeks for the last 5 years or whatever. The online sync is great, has plugins for all the browsers and even a special build of chrome (chrome doesn't usually support plugins so it's nice to see they recompiled the whole thing with plugins enabled and this preinstalled). Lots of useful features like a configurable password generator, selective form filling... It supports multiple users, you can choose the encryption algorithm, it can auto-logoff by timer or screensaver or whatever you want. I used to review software in my spare time and this one really beat out everything else, it does have a free trial so you can see for yourself. I guess, out of all the software I have, this is my 2nd favorite. I rarely "pay" for software but this one is just updated too often for me to waste time pirating, plus I actually want to support the development.
I've used Roboform for about 3 years now and it works great. I have around 100 passwords stored on it.
It works on the single master password concept and stores the hashed files as text files in the appropriate folder.
It has a USB version for portability (which I don't use)
It also has form filling functions including credit card details which work very well.
You click on the site you wish to visit, it surfs there, fills in the forms, enters the site (in one click)
HP Labs has a small program called SitePass. It uses a hashing system between a master password and a public info, such as a domain name.
Example:
master password of qwerty
site name of amazon
generates the password of SHX9AGgvKIls
Same password every time. If you lose your computer, there is no risk to your accounts, since nothing is saved besides the actual program, and you can always recover them on a new computer by downloading the SitePass program again.
URL to website (including code and executables): http://www.hpl.hp.com/personal/Alan_Karp/site_password/index.html
haha
i wouldn't worry about that, the default is 128-bit AES encryption, as long as you haven't accidentally stored important passwords in the unprotected mode...
Q: If somebody steals my RoboForm Passcard files, can they get into my accounts?
A: If you password-protect all sensitive Passcards and Identities, then it will be very difficult. Specifically, all password-protected Passcards and Identities are stored in files that are encrypted by your Master Password using AES, BlowFish or 3DES. So a person who stole your computer or password files will have to break these encryption algorithms in order to get your passwords from Passcards.
As long as you observe these rules, it should be very hard to use the stolen info:
* Password-protect all sensitive Passcards and Identities. Anyone can see and use Passcard or Identity that is not password-protected.
* Make your Master Password long enough and un-obvious enough, so that it cannot be defeated by a simple dictionary attack. Do not use any words or names from any widely used languages, make your Master Password at least 10 characters long.
* Use AES, BlowFish, or RC6 for encryption, they are harder to break than other algorithms.
How to Maximize Personal Data Security in RoboForm.
If you want to achieve the maximum level of security, do this:
* Check "Password-Protect New Passcards" in the "Options -> Security" dialog.
* Make sure that all sensitive Passcards and Identities are password-protected. The Lock icon should be yellow and locked, and the Protected menu item should be checked. Remember that anybody who can read files on your computer will be able to extract your sensitive info from any Passcard or Identity that is not password-protected -- so do password-protect them.
* When you leave your computer, click the "Logoff" button on the RoboForm toolbar so that all entered passwords are purged from memory.
You do all realize that this post could simply be a thinly veiled attempt at gathering sensitive information (i.e. where you all store your passwords)... Just a thought.
put it in the cloud!
THL phish sticks
I know -- I'm likely to get laughed off Slashdot, but I've been on the WinMo platform for years -- anyway, check out SPB Wallet (http://www.spbsoftwarehouse.com). It's not free, but it offers AES-256 encryption, integrates with IE and FireFox, has random password generation, and most importantly syncs with your phone so you always have a backup copy with you. I love it and rely on it. The phone sync has saved my bacon on many occasions, especially when travelling.
I agree with the TrueCrypt plain text file, but would only encrypt the file, and instead use Opera Unite to share it between all my web enabled devices. Of course using a fairly simple cipher and a favorite author, band name, song name, etc. it is relatively easy to make a memorable and secure password.
Use PasswordSafe with DropBox for synchronizing across computers
Just use the keychain.
Oh, you don't have a mac? I'm sorry.
If you are on a Mac 1Password is a wonderful app. It provides very similar functionality to the already mentioned Keepass but was much more stable and has an iPhone app. I also found it very frustrating that the various incarnations of Keepass kept changing formats and the like. 1Password, while not free, is well worth the money although you may want to wait for the new version to come out which has some interesting features.
Their site
I personally like Roboform and install it to USB ... although, I've increasingly been using a web-only product for public sites called myonelogin.com ... seems pretty reasonable, but I'm a little nervous about storing passwords in the cloud.
Anyway, just adding my $.02
I'm surprised nobody has brought up firefox's (and thunderbird's) master password feature. I believe it uses strong encryption to store all your passwords. Since almost all of my passwords are for websites nowadays, it's great. Of course, I also keep a backup in a gpg encrypted file.
In Soviet Russia, articles before post read *you*!
of all places:
http://www.slate.com/id/2223478/
expandfairuse.org
1 \/\/r4p 411 my p455w0rdz 1n d07z 4nd u53 13375p34k.
I pick a meaningful word to myself. Perhaps something like "Pathfinder," which is one of my favourite Vox amps.
This becomes: .p47hf1nd3r.
On some server you control, in your "projects" directory (or however you organize your hacker life), do an svn checkout of a small branch of some codebase you care nothing about. Add somewhere a README which is chown root, chmod 600. Maintain your stuff there.
With 99.999% probability your machine isn't going to be stolen by a person who can find the interest to read this, or recursively seek for recently modified files blah blah, much less boot into single-user mode to read it. If you need it remotely, you use ssh of course.
(And if you're on Windows, don't store your passwords there at all. Not trolling -- I have several Windows clients I use daily -- but they're just not the same beast.)
SuperGenPass is a good option for online passwords, especially since the website lets you customize the bookmarklet before you download it. Though why there is an option to hardcode your master password into the bookmarklet, thereby completely defeating the security of it, is beyond me. Conversely, the option to have it store a hash of your master password and compare it against the master pass you type in the field is nice... especially if you're like me and prone to typographical errors.
-It is by will alone I set my mind in motion.
There are apps for storing passwords safely on a mobile (cell) phone (iPhone, nokia n and e series etc) on the media card. Gonna try one soon.
I have an enormous amount of personal data on my Blackberry - all encrypted and all safe. If I lose my device, everything is password protected and Blackberry is known for security. I even have a remote wipe utility so I can kill it right away if it's ever stolen. I store all my passwords there, right in the "Password Keeper" application.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
Keepass. Done. Works on almost every os, hell even on my google phone.
Been using 1Password (agilewebsolutions.com) for several months - nifty browser integration, iPhone app, more portability options.
Another (more algorithmic and easier to remember) method of generating secure passwords you can remember (without having to remember which number replaces which letter, etc.) is to take a phrase or even better a full sentence or two with punctuation (such as "This phrase is for my password, bitches!") and create an acronym (such as "Tpi4mp,b!") of it including punctuation, capitalization and replacing "to" with 2 and "for" with 4 (and perhaps other word/number homophones).
If you're on a Mac, there are a couple of good options.
The first is the built-in Keychain. It can save application and website passwords, certificates, secure notes and it's all AES encrypted. As it's built-in, the support for it is pretty good with most apps and most websites. You have a normal login keychain that's automatically unlocked when you log in and remains unlocked (by default). You can have additional keychains with various levels of security over and above the login one - have them lock after a period of inactivity, have them lock when the screensaver is activated, have a different password to access them from your login keychain etc. The keychain can also be synchronised between different computers that you use, so if you create a login to a website on one, you can access the password you used on another one. As this works really well, I now use different randomly generated strong passwords for every site I need a login for - eg Bapdageshem9, negTuthsuc5 or EyHepGoyft8 ( apg -n 1 -m 10 -x 12 -M NCL -d )
If you find that the Keychain isn't up to the task there's 1Password, which does pretty much everything the built-in keychain does, and more...
Specialist Mac support for creative pros, Melbourne
Easy, create passwords that are memorable but subtly changed, such as "H0rd3r0gu3". See what I did there? ^.- 133t5p34k passwords usually count as 'strong' passwords, especially with the addition of symbols.
All my accounts are in a notepad. Their corresponding passwords are labeled, like Work password, or e-mail password. For the passwords with forced changes I usually put a number in there and then I'll append + 1 or something in the text file. It doesn't give away where the number might be placed or what the password might be.
Master password does not protect you from malicious Firefox plugins stealing passwords stored under Master Password, so it shouldn't be used for access to any sensitive information.
I use ccrypt to encrypt a plaintext file where I keep many different pieces of vital information.
The file is always kept encrypted in my home directory. I have a script that enables me to enter the password for the file, edit it, and then re-encrypt it with the same password. I have cron email the encrypted password file to a gmail account every day. Therefore, it's always encrypted except for a brief time while being edited. It's always readily available, and backed up. ccrypt is available on virtually all platforms. After using this system for about two years, I find it to be nearly ideal. I don't worry about leaving copies of the encrypted file here and there because its password is memorized and very strong. I've also never needed to get access to a password without being able to retrieve it fairly quickly. After using this system for a few months, I realized that there's no penalty for using very strong passwords everywhere (16 character random alphanumeric with special characters...), including all financial or etailer sites.
Overall, it works well for me with minimal personal effort and good security.
Roboform (www.roboform.com)
I'm not a shill about this... been using Roboform for years. It supports multiple profiles, encrypted notes, password generation according to the rules you supply, and a full ability to specify settings for encryption type and strength, how often and what ways it reauthenticates you, etc. They've also started an online synch service so that you can keep a central online repository and synch them down to a new machine. Lastly they have a portable version. Each login has log, pass, and url. You can "Go and Fill" in IE or FF, and it stands alone to reference, in the system tray. They've made a Chromium/Roboform and will be porting it for Chrome when Google makes the new add-on framework available. They have a "bookmarklet" feature for accessing bookmarks on Mac, Linux, etc.
I sound like an ad for the company, but I really do like the program and have recommended it for years to friends, and recently introduced to my new company.
Keypass from a usb drive.
Keepass works well, and has been ported to almost every platform. Win, Lin, Mac, iphone, droid, winmo, even the old fashioned blackberry.
http://keepass.info/
http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/
It is a greasemonkey userscript for firefox. But you can also bookmark their page and use it in IE or Opera.
They have a bash script. There are lots of improvements as well. With zenity you can make a gui for it in linux. There is a Visual Basic program so you can keep it on a memory stick as well.
In a pinch you can even use MD5 and do it yourself: take the first 8 chars of md5("password:url").
vi +
Just put everything in a flat, tab-formatted text file and encrypt it with a decent algorithm, against a strong "line noise" password.
Make a number of copies of the file and put them all on memory cards. Each card should carry several copies of the file (to protect against corruption), and the file should never be stored on any computer. Distribute those cards to safe places around your local area (i.e. one at work, one at a trusted friend's house, etc). Put several copies on a CD or DVD and store that along with another memory card in a safe deposit box, and keep the key to that box somewhere safe but innocuous (hell, your normal keychain is probably enough). Don't tell anyone where that box is kept.
Write the password down, without context, and store it in a safe place well away from any copies of the encrypted file - maybe in your wallet as someone else suggested. Anyone who finds it will probably assume it's just a system password anyway.
on my website. It is safe because there is no link to it from any of the html files and it is always handy. Only access to it is possible over admin.html, which is also nowhere linked to, therefore safe.
God's gift to chicks
But they are ones I'll never forget.
And no one else would ever guess.
One is my uberstrong password, the other is for everything else.
Not having them written down anywhere is a big security plus, which I think makes it stronger than changing them so often that you have to "manage" them.
LastPass.com
PasswordMaker is a great way to hash a master password with the URL of the website you are visiting. You only need to remember one or a few master passwords and have access to PasswordMaker. Passwordmaker supports several different hashing algorithms as well as lots of other options, so you can customize the security of your passwords.
There's a firefox extension:
https://addons.mozilla.org/en-US/firefox/addon/469
There's an open source javascript passwordmaker for when you are on the road, it runs completely client side - and you can self-host it if you are paranoid:
http://passwordmaker.org/passwordmaker.html
And, there's an Android app in the Market as well.
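The "hash a master password with the site" scheme comes up in several comments above (the md5 template, SuperGenPass, SitePass, the md5("password:url") one-liner and PasswordMaker). Here is an added example, not code from any of those tools: the literal md5 one-liner as posted, beside a constructed variant that uses PBKDF2, normalizes the URL to a domain and bumps a counter until the site's character-class policy is met; the policy rules, alphabet and iteration count are this example's own assumptions.

```python
import hashlib
import string
from urllib.parse import urlsplit

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*-_"   # assumed symbol set; sites differ on what they accept


def md5_site_password(master: str, url: str, length: int = 8) -> str:
    """The scheme quoted in the thread: first `length` hex chars of md5("master:url").

    Shown only to make the idea concrete. MD5 is fast, so one leaked site
    password lets anyone test master-password guesses offline at full speed,
    and 8 hex characters carry only 32 bits.
    """
    digest = hashlib.md5(f"{master}:{url}".encode("utf-8")).hexdigest()
    return digest[:length]


def normalize_domain(url: str) -> str:
    """Reduce a URL to its host so https://www.Example.com/login and
    example.com derive the same password (lowercase, drop a leading "www.";
    no public-suffix handling, so sub.example.com stays distinct)."""
    if "://" not in url:
        url = "//" + url                      # let urlsplit see a bare host
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def meets_policy(pw: str, require_symbol: bool = False) -> bool:
    """Mixed case plus a digit (the 'super-finicky site' rule from the thread),
    and a symbol when the site demands one."""
    ok = (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
          and any(c in DIGITS for c in pw))
    if require_symbol:
        ok = ok and any(c in SYMBOLS for c in pw)
    return ok


def derive_site_password(master: str, url: str, length: int = 16,
                         require_symbol: bool = False,
                         iterations: int = 100_000) -> str:
    """Constructed hardened variant: PBKDF2-HMAC-SHA256 keyed by the master
    password, salted with the normalized domain plus an attempt counter, and
    mapped onto the allowed alphabet. The counter is bumped until the result
    satisfies the policy, so the output is still deterministic and there is
    no per-site 'special case' to remember.
    """
    domain = normalize_domain(url)
    alphabet = LOWER + UPPER + DIGITS + (SYMBOLS if require_symbol else "")
    for attempt in range(256):
        salt = f"{domain}:{attempt}".encode("utf-8")
        key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                  iterations, dklen=32)
        # 256 bits of key material far exceed len(alphabet) ** length for the
        # lengths used here, so repeated divmod introduces negligible bias.
        n = int.from_bytes(key, "big")
        chars = []
        for _ in range(length):
            n, idx = divmod(n, len(alphabet))
            chars.append(alphabet[idx])
        pw = "".join(chars)
        if meets_policy(pw, require_symbol):
            return pw
    raise RuntimeError("policy not satisfiable with this length/alphabet")


if __name__ == "__main__":
    master = "constructed master phrase"       # sample input, not a real secret
    print(md5_site_password(master, "slashdot.org"))
    print(derive_site_password(master, "https://www.slashdot.org/"))
    print(derive_site_password(master, "bank.example", length=12, require_symbol=True))
```

Because the derivation is deterministic, losing the laptop loses nothing; changing a single site's password, though, still means changing the master or the counter scheme, which is the trade-off every comment in this family shares.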
Try to pick passwords that are easy for you to remember, and hard to guess/crack by someone else. Pick something you remember: a song title, a verse, a Murphy's law, whatever. Then do a simple and easy to remember transformation on it, like picking initials, uppercasing every third letter, or things like that. And if you can put into the mix something related to the site you are using it on, better. Who knows how many people have as password for Slashdot something like "S:nfn,stm".
And btw, if you have to store them somewhere, you can store only one of the components (i.e. the seed, but not the transformation algorithm), or the start of the phrase or even something that suggests it to you (i.e. "Spock died" to suggest the password ST2:TwoK).
www.ironkey.com
I'll tell you about my password system built around vim, apg and cat.
This system is a variation of the single encrypted file that enables gnarly passwords and user identifications and challenge response answers.
This system has two points of weakness. One is: never print out a reference copy of your decrypted password file to a printer attached to a Windows computer. And as the vim "help X" text notes, a process running as you or root could read passwords while the file is open. The leading risk is a browser java, javascript or browser plugin.
Here is how it works: The vim editor supports ":X" for write a file encrypted with a pass phrase.
That is the key feature this scheme uses.
Steps: On a sheet of paper write out an encryption pass phrase.
Choose a file name for the passwordfile.
Generate a nice big nasty list of passwords using "apg" and "wc".
Set aside a printed paper copy of a complete separate set of passwords to use if you must change passwords due to a security breach.
Here is a big command line to play with:
(/usr/bin/apg -a 1 -n 99 -m 11 -x 14 -M CL; /usr/bin/apg -a 1 -n 100 -m 18 -x 23 -M NCL ) | cat -n
Using the unix ">" direct the passwords into the filename for your passwordfile.
Open the file in vi like "vi passwordfile"
Write the file out using the :X command and using your encryption pass phrase.
Exit and re-open the passwordfile with vi, to ensure you have the passphrase working.
For each password you store in the file, create a text entry like this:
website-url date-established
userid
password
other security information
Every time you use a password from the pre-generated list, mark the password with a mark to prevent any password being used twice.
When copying userids and passwords, use the Linux mouse copy instead of typing. Open the password file in a separate window from the Web Browser. If you figure out a few vi editing shortcuts, getting into the password file, and logging on is a fast process.
For fire safety and disaster recovery, I periodically make a plain text printout of the password file using the vi ":ha" command. As I said: don't print it out on an almost certainly infected Windows printer.
A security issue to watch is: don't mix entertainment browsing with banking or online purchase activity, don't put your passwordfile on a machine that you don't own and control.
The drill if you discover a security breach of this system is: Either somebody got into your account without your password or your Linux password file may be completely breached. Using the spare password file printed on paper noted above, change important passwords post haste.
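The list-generation and bookkeeping half of this scheme, as an added Python example rather than the poster's own commands (apg and vim are not reproduced): it generates the same two batches the apg command line asks for, renders them like `cat -n`, and refuses to hand out an entry that is already marked used. The profile table and the used-marker string are constructed for this example.

```python
import secrets
import string

# Two profiles mirroring the post's apg command (constructed here, not apg's own code):
# 99 entries of 11-14 chars with capitals and lowercase (-M CL), then 100 entries of
# 18-23 chars with numerals, capitals and lowercase (-M NCL). Every named class must
# appear, as apg's -M flag requires.
CLASS_CHARS = {"N": string.digits, "C": string.ascii_uppercase, "L": string.ascii_lowercase}
PROFILES = [
    {"count": 99, "min_len": 11, "max_len": 14, "classes": "CL"},
    {"count": 100, "min_len": 18, "max_len": 23, "classes": "NCL"},
]
USED_MARK = "  ## USED"  # constructed marker appended to a line once that password is taken


def has_all_classes(password, classes):
    return all(any(ch in CLASS_CHARS[c] for ch in password) for c in classes)


def generate_one(min_len, max_len, classes):
    alphabet = "".join(CLASS_CHARS[c] for c in classes)
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    while True:  # rejection sampling: stays uniform over the alphabet, enforces the classes
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def generate_list(profiles=PROFILES):
    out = []
    for p in profiles:
        out.extend(generate_one(p["min_len"], p["max_len"], p["classes"]) for _ in range(p["count"]))
    return out


def render_numbered(passwords):
    # Same shape as `cat -n`: right-aligned line number, a tab, then the password.
    return "\n".join(f"{i:6d}\t{pw}" for i, pw in enumerate(passwords, 1))


def take_password(text, number):
    """Return password `number` from the rendered list and the list with that line marked.

    Raises ValueError if the line is already marked, so no entry is handed out twice.
    """
    lines = text.split("\n")
    line = lines[number - 1]
    if line.endswith(USED_MARK):
        raise ValueError(f"password {number} was already used")
    _, password = line.split("\t", 1)
    lines[number - 1] = line + USED_MARK
    return password, "\n".join(lines)


if __name__ == "__main__":
    listing = render_numbered(generate_list())
    pw, listing = take_password(listing, 1)  # this is the text you would then write out with :X
    print(listing.splitlines()[0])
```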
I keep all my passwords etc. in an encrypted text file on my mobile phone. (During bouts of paranoia I type them in reverse order sometimes.)
I usually sync the phone to my laptop every 1-2 weeks and save an encrypted file on the laptop as well as in my Gmail account for backup, in case I lose the phone and need to change all passwords etc.
I appreciate all the suggestions to use fixed patterns or algorithms, but the problem I (and I'm sure most of you) run into is that I need passwords for sites that both:
* Require mixed case/special characters/long length
* Don't accept mixed case/special characters/long length
Every pattern I've tried inevitably runs into a new website that demands more or only accepts less, leading to a menagerie of subtle variations and the need to remember whether this particular site needed "PaSSword", "password!", "password5", "PWD", etc, etc, etc.
I have a text file, stored on both disk and USB key, that lists which passwords go with which accounts... then I GPG-encrypt it.
Also, I never use a similar pattern between low-risk sites like message boards and high-risk sites like Paypal and my bank.
Post-It notes have the distinct advantage that no computer virus or Trojan can steal it.
Yes, that's perfectly safe, until you have to type it into a computer for any reason.
I had this problem myself for many years, additionally compounded by the fact that I used many different operating systems. However I still wanted a safe and secure central place to keep all my passwords and important details. In the end I helped write one myself -> OBZVault. OBZVault is cross-platform, very easy to use, and secure. You can install it on your machine, or even a keychain and take it everywhere with you. Hope that helps.
I have a mile of stupid passwords. And a couple of weeks ago, because I'm a giant dork, I infected my system with a rootkit through a daring act of extreme idiocy. So I had to go and change all of those stupid passwords to new stupid passwords because I had no idea what the heck that rootkit was looking for or was capable of doing. It's like losing your wallet and having to cancel your credit cards. Fun times. I flushed a lot of old favorite memorized passwords down the drain. -Which, all things considered, is probably a pretty smart thing to do periodically anyway.
But man! What a world, eh?
I did a bunch of reading on how rootkits and viruses work, and the amazing thing is that it's pretty much impossible to have a world where there won't be enough jack-asses to fill the available space with toxins and general bullshit. It's just the way things are. There will always be a jerk out there trying to screw you over; a humanoid extension of a disease vector. When I take several steps back, the internet really is looking more and more like robust biological environment with diseases and antibodies acting one another, where evolutionary forces are playing at full tilt.
I wonder how long it will take at the rate we're going for somebody's computer to sprout limbs and crawl from the seamy depths of the web.
I keep my passwords in an encrypted container/folder which I keep redundant copies of in various places and only open up when I forget how to log in to something, which since a couple of weeks ago, is bloody frequently.
It's flu season? No shit.
-FL
Type your passwords and send them to your own Gmail. But instead of giving it the subject "passwords", call it kimJong1L, which acts as a strong password for searching in Gmail.
With over 500,000 mails in your account, no one will find it in time even if they have your Gmail password. But for you it's just 1 click. No need for paper. The only time you need your password is when you have internet access, and when you have access, you can Gmail.
tata.
Combination of Firefox with master password (for password encryption) and Weave (for password syncing/backup) works for me...
http://mozillalabs.com/weave/
LastPass is definitely the way to go if you ask me. It is secure, it syncs, you can get to your passwords from any device, and it's truly a brilliant concept. The idea is that you only remember one "LastPass" and there are no more passwords to remember. The customization is awesome and the compatibility across browsers makes it ideal for the migrating web user. I especially like the "AutoLogin" feature. This eliminates all user interaction by actually submitting forms for you when you come up on a page. The ability to specify individual accounts for a password re-prompt helps keep your most important accounts more secure and the form filling feature is a nice bonus. I've tried 'em all and to me this is a clear winner. Anyone agree?
By the way I reviewed it here if anyone is interested: Top Notch Password Manager
http://www.angel.net/~nic/passwd.html
I use a text file that I keep on a USB stick, copy lots of places and encrypt/de-crypt with OpenSSL. It's native to so many systems, and can pretty easily be installed on anything that it isn't.
(First switch to the Bourne shell or something else that doesn't keep a command history, dummy!)
You can even kick the security up a notch:
Let the reactionary flaming begin!
-CR
"So is the BSD licence even more 'free' (than GPLv2)? Yes. Unquestionably." --Linus Torvalds (TinyURL.com/2vugzl)
https://online.roboform.com/ http://www.roboform.com/pass2go.html
I put mine under my keyboard on a sticker!
I use an algorithm to generate my passwords. The function is F(master keyword, login keyword). My S.O. and I both know the algorithm and the master keyword. I just have to write down the login keyword for each site. If I ever die, she can access anything, yet the passwords are not stored anywhere. The master keyword and algorithm are memorized.
The only problem with the system is that so many places have arbitrary password rules: No special characters, no more than 8 characters, must have 2 digits and two uppercase, etc. That makes it a pain to pick the login keyword since it has to produce an output that meets the site's rules. Curse them x100 when they make you randomly rotate it!
been playing with pip.verisignlabs.com for password protection. Nifty browser interface, multiple layers of security...
Carve your passwords onto a stone tablet. By the time you DO manage to get the task done, odds are you'll likely have them memorized, anyway. And if you don't, you'll have a painfully heavy reminder to lug around.
The way I handle passwords is I developed a code based on the name of whatever I am assigning the password to. That way you don't have to remember a hundred different passwords, just one code. Use different indicators such as colors, letters and numbers based on the item. Ex. gmail password = 5GLmai: the 5 is for the number of letters, then the first and last letter together capitalized, then the middle letters together lowercase.
Firefox Preferences --> Security --> Use master password
Sorry, but is NOT hard to guess. I guess Ngbu9E. See, it is not that difficult after all.
http://www.mojopac.com/
https://www.ironkey.com/
I just use a memo on my BlackBerry Bold. I use the highest built-in encryption on the phone and it locks itself every 15 minutes. For those not familiar with BlackBerries, a password attempt can only be made 5 times and then the device wipes itself.
I back the phone up at least once a week, so even if I lose the phone I can easily reinstall my entire profile to a replacement, and the phone is never far from me.
Maybe I trust in RIM too much, but it seems like security is pretty important to their business model.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
My preferred password solution is still KeyRing (http://gnukeyring.sourceforge.net/ ). It satisfies the requirement that it is a non-connected device and that the data is stored in strong encryption. A similar application for a mobile phone would be a next best. At least until someone writes a keylogging virus for the mobile phones and then steals your data. But that is much more likely to happen on Windows.
As a student, I have many textbooks on/around my desk. Every month I pick a book and open to a chapter (normally the chapter corresponding to the month). I use the first letter of each word, capitalization and punctuation included, of a sentence. Since most of my textbooks are engineering related, the sentences are rich with numbers, so this method allows for an endless supply of complex alpha-numeric passwords. All I have to do is remember the book (or the sentence).
I really enjoy the fingerprint readers from UPEK (http://www.upek.com/).
The device knows my passwords, and I can log into sites with just a finger swipe.
It is both faster and more accurate than typing a password (no typos... re-try is just another finger-swipe if it didn't read properly).
You can unplug the USB fingerprint reader and keep it separate from your computer if you want to be extra paranoid.
One thing I started doing was using passwords from languages that were not my native tongue, and then L337 encrypting them mentally. That is, there are a few particular phrases I find in Latin to be absolutely wonderful to say. Same thing goes for a few sayings I know in Navajo, Roman, Spanish, and Greek. I don't know the full languages by any means, just some cool sayings and phrases I picked up from literature and poems and the like over the years. By ensuring that I use non-native language (read non-English) passwords, I ensure that there are only so many options that I could have used for the password. Since the words come from less than common-place languages, they are very rarely found in any dictionary files. All I have to do is transcribe some of the common letters, mentally, like a = @ or S = 5, and before I know it I have all sorts of permutations on a very small set of base words that are not common enough for most people to try to guess.
I know it's not a password tracking system like you asked for per se. But by knowing that there are only a few base words that I use (from a few dead languages and a few live languages) I can easily track that base set and go from there. It's also a fine mental exercise....
Motorcycles, Robots, Space Gossip and More!
Use Lastpass. Works cross-browser, cross-operating-system, the passwords sync automagically between computers, but the encryption's all done client-side.
RoboForm in windows 1Password for mac.
Two tricks I use to hide passwords are to use short forms, eg "A7" might expand as "ABD968017", and a general "salt and pepper" table. These are all unrelated to what is typically discussed. Note also that a7 expands to "abd968017", so some case can be preserved.
In a salt and pepper table, one uses an intermediate table that is easy to recall, but need not be written down, and is not common knowledge. An example might be "husbands and wives", so a password displayed as "John" might be entered as "Yoko". Another kind of table might be "middle names", so "John" would elicit the response of "Winston". Note eg, jOhn gives yOko or wInston, so you can hide case in here too.
The less obvious you make the salt and pepper table, or the more unobvious the abbreviations, the more secure the table, even if the reminders are kept in plain text (plain text in an unobvious application also deters automatic gathering; whoever would look for something like a .DOC file might have some fun when the downloaded document is a MultiMate doc!)
OS/2 - because choice is a terrible thing to waste.
There's these neat devices we all have inside of us that are capable of remembering passwords. It's so cool! It's called your brain.
You could always lock your machine, and set the screensaver to lock after a period of time. It's a much better solution.
And runs on most popular OS.
Maurice W. Hilarius Voice: (778) 347-9907
I have a mac with an encrypted keychain (yet another reason to have a mac), but in addition I have developed a formula for remembering passwords. Although this is not my formula, you will get the picture.
Let's pretend I am trying to remember my password for my Bank of America online banking account for my business.
First the username. Most sites these days use email address as the username. No sweat there, I just use my business email address.
anonymous@coward.com
for the password I look to the url for inspiration
I take the first two letters after the www, in this case "w" and "e", and tack onto it some gibberish that I use for all my passwords
"spanky123"
So the password is now "wespanky123" and onto that I tack on the last letter of the url and a symbol "o" and "%"
thus my password is
wespanky123o%
for my wells fargo account
for boa
baspanky123a%
for slashdot
slspanky123t%
and so on and so forth.
I've tried using Password Gorilla since it runs on all three OS's I might use (Mac, Linux, and Win), and since it's available as a Tcl script, I can keep a Tcl interpreter on my USB thumbdrive along with the file.
The biggest problem I have with these things isn't the tool, as much as getting myself to actually use it. If it's not built into the browser, it's really a pain in the ass to use. In all honesty, I just keep a bunch of plaintext files containing the username and password pairs for the sites I use. It's terribly insecure, but it works for my laptop, and really, who wants to know my boingboing login anyway?
Don't write it anywhere. The only safe place to store the passwords is your brain. Make a scheme to generate a strong password using mnemonics. When you look at the screen to type the password, you should be able to determine the correct password. In your password generation scheme make associations between your 'salt' and the system that prompts for password.
Sudheer Satyanarayana
www.techchorus.net
I concur. On some Firefox versions I think there was a separate box "encrypt passwords". Use it. Apart from ease-of-use, this method is proof against keyloggers (since you are not actually typing the website password). It also makes it less of a headache to use a different password for each website. The question you should ask is, "Do I trust molewhacker.com with my day-trading password?" and so on. I recently changed most of my online passwords to unique random 20-character strings - only the odd glitch where a site truncated it, or did not accept certain punctuation. To be sure, it's a pain to transfer them to a different computer (I use a GPG encrypted textfile), and my bank uses a method that the browser won't remember (so it still has a short more memorable passphrase...)
I'm a fan of stuff right in plain sight, but within other information.
For example, I might have a password or pin reminder in my wallet, but it will be written down in only a form that I would readily associate in order to come up with the pass. I might do it in the form of a fake business card or phone directory, using mnemonics and certain patterns that I'd know immediately but others wouldn't. When I can make up my own secret question, I make it in the form of an obscure (to others) riddle but provokes an easy mental association for myself.
Even if my account type, user name, and password lists are found, it would be extremely tough for someone to put all 3 together to come up with the right answers, even if they were to recognize them for what they were in the first place.
I have been using http://passwordmaker.org/ for a few months now. It's great. First of all it creates a unique password for each site, based on one master password. This master password is the only one I have to remember, and for some sites I have a special profile because of some password restrictions. It has a standalone website, a Firefox plugin and there is source code to compile it on every major platform.
http://www.fpx.de/fp/Software/Gorilla/
The only problem I have with Clipperz, is that it doesn't automatically log me off their site after say, 5-10 minutes or so. So I switched to www.passpack.com.
The idea of logging into Passpack, Clipperz (or whatever web service), having all my accounts and passwords unlocked, while I was at work in the office, where my colleagues might access my workstation when I got up to take a leak... That's the stuff of nightmares I'm trying to avoid for sure. So I use Passpack instead.
When I am at home, I can stay logged in longer, it is my choice.
Other features I like are 'sharing' passwords with other passpack account holders, and the secure email of passwords (via web-service links).
Yeah, I know it sounds daft, and it is perhaps a rather naive scheme, but what I do is keep them on my mobile. That's mostly for PIN numbers, though; I store them as false telephone numbers. I don't use the so-called "secure" style of passwords, I write them too many times every day for that to work; I need something that is reasonably easy to type.
I use a Java program called jPasswords. It stores the database in encrypted form. Only need to remember the master key, and you can keep track of all logins, URLs, notes, etc.
I am always using "fuck.$systemname" as my password so it's easy to remember this for me...
for my mail I use "fuck.mail"
for my facebook account I use "fuck.facebook"
mysql -> fuck.mysql
I've been waiting to try out cpm (console password manager), http://www.harry-b.de/dokuwiki/doku.php?id=harry:cpm , for quite a while now. However, there's still no working version for my Debian :(
Hey! That's my sig you're smoking there!
I memorize em... nuts I know, but it works.
Check out Keepass and KeepassX ; both open source password managers.
Remember one master password, link it with an external password file and no-one will be able to view your gems .....
You can even put your pincodes, cards and other sensitive stuff in it.
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
As already noted, KeePass is great for Windows. There is also KeePassX for Linux which uses the same file format, so you can move the password database around easily if you use both operating systems.
Look around your office and read random words off of random things in plain view. Incorporate these into your password. If you forget a password, just look around the room and you'll have mnemonics built into the decor. Just don't get lazy and type literally exactly what you see. Use it as the basis for your passwords, only.
You see? You see? Your stupid minds! Stupid! Stupid!
Talking about passwords and LastPass not being in a Score 5 comment is insane.
Used several password solutions over the years, like a password like SlashDotIsGod*****, where ***** is something unique about the site like the first 5 chars of the web address. That way you don't have to remember really long unique passwords but still have a long unique password for every place.
After that I tried KeePass and others like it. The bad thing is that if I go away from my computer I have to sync it to a USB stick. And in some places you can't use it (like public libraries, iPhone).
So I found LastPass. And it's insane how easy my life has become. It can auto fill (and auto login) on sites, it automatically recognizes forms and logins. It works in multiple browsers, IE, FF, Chrome. And if you can't have a plugin you can access it by a webpage to receive the passwords.
It's extremely easy to use but still as powerful as any other solution. Even my mother, who can't remember from one day to the next how to do things on a computer even when instructed, can use it. Still, I have it generate 12-20 long passwords (depending on place) with numbers, special chars if needed.
I just sync the passwords to my KeePass once in a while to be on the safe side (never trust a single point of failure).
For a ton more information visit lastpass.com
... something that looks interesting
http://www.thinkgeek.com/gadgets/security/91a2/
Rather, they have a page that says the interesting thing is "Out of stock".
Still sounds fun: "50 logins ... 14 characters ... 5 buttons ... activated by entering a unique button sequence that is user-defined ... including a self-destruct feature"
http://www.vim.org/scripts/script.php?script_id=2012
It handles de- and encryption transparently.
I use this for storing all my passwords; it's simple and needs no install, meaning you can run it from a USB key! Password Corral http://www.cygnusproductions.com/freeware/pc.asp With regards to getting around the path location issue, simply use . to tell the prog to look in the current directory.
because ... half the Internet knows about your passwords now by going to their favorite porn site
BRAIN
I have taken to choosing one really strong password that I use for everything. But I add a two-character prefix to each one that corresponds to what the site/service/application is... For instance, let's say my base password is 4n4lr4p3! That means my login for Slashdot is really sd4n4lr4p3! ...and my login for Google is go4n4lr4p3!
1. As everybody suggested, KeePass is a good option.
2. text or html file encrypted with gnupg (use symmetric key encryption, and then remember a passphrase/password). This is what I use.
3. firefox has a built in password manager, so you only have to remember one password
4. KDE 3 has kwallet, a password manager that integrates with KDE applications. I don't know if KDE 4 has it, as I'm trying to stay away from that.
5. There are several applications for PDAs/mobiles for password management. Have a backup somewhere else in case you drop your cellphone in the toilet.
Been using Exile ( http://www.codeproject.com/KB/applications/Exile.aspx ) for a couple of years and it's been of great help. Only have to remember 1 hard password now :)
I use supergenpass (http://supergenpass.com/). A very handy bookmarklet. You type your master password into the password field of the web form and click the bookmark. The bookmarklet code picks your password up from the form, concatenates it with the site's domain name, takes a hash, and fills the first 10 or so hex digits of the hash back into the form. It's a one-click operation. You only need to remember one master password and you still get a unique password for each site. Works on 95% of all pages that need a password and don't do anything fancy. You can use it in manual mode for the remaining 5% of pages. Your master password should be quite strong, though, to prevent someone from brute-force guessing your master password from the hash.
I would suggest AI Roboform 2 Go. I was surprised to see no one mention it. It can be carried on a flash drive, all records encrypted, and a master password set. It will run the software as soon as the drive mounts. It works for all the major Internet browsers and many system password prompts. It only runs on Windows unfortunately. You could also store passwords for other things manually in it for the non-website/dialogue type stuff.
my tool is called "brain". I wouldn't store a password on a computer system.
Once you start using a full disk encryption solution like Truecrypt or others, all the "insecure" electronic methods you discussed suddenly become secure.
Amen to that - for what the original poster asked for, this is the best solution by far. Remember that passwords are not the only sensitive data on your drive - whole disk encryption will protect all of your data. Combine this with autolocking screensaver and some other basic security precautions (keep your OS up to date, never leave your computer unlocked, keep the FW up, don't load random software from internet without a sandbox, etc, etc) and you have a REASONABLE protection. Is it foolproof - no. THERE IS NO FOOLPROOF SECURITY. Security is a game of "cost of intruding" vs "worth of data". As long as you keep the "cost of intruding" higher than the "worth of the data" - you are reasonably protected.
One catch though - last I checked Truecrypt does not support Linux for full OS disk encryption. There are other, less simple, but probably as secure (if not more) solutions for Linux.
Alternative to this is running PortableFirefox from an encrypted disk/usb/partition/file.
-Em
RelevantElephants: A Somatic WebComic...
....Solaris? .... my mobile phone? .... my PDA?
Should I go on?
IANAL but write like a drunk one.
I suppose that need a bit of explaining to you.
you might be using Windows at work, OS X and Linux at home and want to share the same password file between desktops (at least I do want to keep them all). Keychain is fine but hard to use from the other (non OS X) workstations ;)
I understand that reading Slashdot is done quickly and under pressure (you should be working after all), so I wonder what kind of service people provide to their customers/users/business partners when they can't adhere to the specifications of a given request.
First of all the questioner specifically says that he has bad memory, so point number one of your reply is out of context already.
Then later on he says he does not want a solution tied to Firefox, but then you helpfully proceed to tie a solution to Firefox.
Wakey, wakey!
... because you are not reading what the poster is asking.
"Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky"
Which other helpful advice do you have in offer?
I have hundreds of books on shelves in my house. In one of them, on a particular page, all my user ids and passwords are written down.
And I know what you're thinking - but if my house burns down, finding my passwords will be the least of my worries...
They will never know the simple pleasure of a monkey knife fight
http://keepass.info/ we use it at the company i work. It offers some safety in keeping your passwords together and secure.
Random
Writing a password down in any form or using the same password across multiple sites is foolish and begging for disaster.
As for keeping it in your wallet: oh, I mug you of your wallet, maybe badly assaulting you and leaving you in hospital for a couple of days while I pillage your email.
KeePass is the way to go. You can also email (possibly to someone trusted?) or store your KeePass database in some cloud FTP server such as Hotmail's SkyDrive (assuming publicly available).
could also try fSekrit but you lose your cross platform goodness. check out firefox portable at portableapps.com
I'll keep pointing out replies like this until people get it (i.e. maybe never)
I use the password keeper application on my blackberry. It allows you to create entries for each of the sites, for which you want to store the password. You can store the website name,URL, username and password. Access to the application is password protected. So you have to remember only one password.
I'm surprised that no one has mentioned this great add-on yet. It keeps all the passwords encrypted and all communications are encrypted as well. You need a master password to login and then it will prompt/autologin (if you choose) you into websites for that browsing session. It also automatically detects when you are trying to create a new account at a site and can generate a 'hard' password which it automatically stores. The nice thing is that since it is centralized you can login at work using Firefox and have all your passwords accessible to you there too.
Well, more specifically, I use a version I've slightly modified and have uploaded to my own hosting account.
I also keep a copy on a USB stick so that I have access when offline.
I have used Roboform for at least 8 years and love it. http://www.roboform.com
The RF people have mobile solutions ranging from password protected USB to apps for various smart phones.
This makes you liable for bank and credit-card losses should you lose your pin or bank passwords this way. You will be surprised how fast some thieves can be. A security chip may slow things down to be theoretical, but you're still liable if you lose it together with your paper.
You could obfuscate the passwords in a code language though, and most banks have some simple systems they promote.
It should never be stored in a computer that is network accessible, although I'm sure you're not that liable for the misuse unless you have been found extremely negligent (but how to prove innocent there?)
Most banks are cool though, but people have lost tons of money, and it has happened that the banks have said it's your fault. That's very bad.
http://www.debunkingskeptics.com/
or the other way around: if you use Firefox without a master password, you should be worried because it's very easy to go to the menu and see all your user/passwd combinations.
on windows, just right-click on the password file and encrypt it.
C:\Users\{USER}\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXX.default\signonsX.txt
Do it once and don't worry about losing your laptop.
Let me Google that for you...
I've seen some pretty rubbish SlashDot questions, but this really takes the cake. 5 minutes of Google searching would have revealed Password Safe, Keepass, and all manner of other free secure password databases / keyrings.
Drop kdawson as an editor.
Finally had enough. Come see us over at https://soylentnews.org/
I use LastPass. Probably no different from many other password managers mentioned. Works well.
Written down, in a lockbox, in a safe, in the floor of your basement, under a rug, in your house that has an active alarm system (that you use), in an armed-guard and gated community is ok.
But why would you want the Vogons to find your password list?
KeePassX works for me. On a USB stick. Password or certificate protected.
You should be able to have multiple binaries on the USB stick for each OS you need to work on.
Sorry, but it is trivial to crack. Rootkit the OS and keylog everything. You can correlate with OS activities such as browsers' and other apps' activities. With browsers you can even log most activity nowadays, or just use a custom binary. Basically you can hijack most used processes and log whatever you do in SSL or SSH (you're using PuTTY right?). Worst case, make snapshots or view the screen from remote for those virtual keypads. Peep through the web camera for fun :-)
"Security" is today a bad joke. I'm surprised people's passwords aren't all abused more already, because it's theoretically do-able and most security schemes rely on weak protection against high-impact security holes (which most people running Windows are already afflicted by). It's like relying on captcha - only a matter of time before it breaks totally.
This is going to create more problems in a few years. It only requires virus writers to incorporate more already-existing features into their codebase, and to more actively start to misuse people's identities.
How do you know your OS is not already rooted?
http://www.github.com/gera/spg/
Also:
http://www.theoldmonk.net/spg/
If you use Mac OS you could try 1Password. It stores your passwords in an AES encrypted file and has browser plug-ins..
Automatically fills your fields if you want it to.
By now I only know the very important passwords.. the rest is just generated by 1Password ;)
My bank gave me a digipass. It's a small calculator thingie that generates numbers once I put in a PIN, and I assume the bank computer keeps track of all the digipasses and knows what number to expect from me (each digipass has an ID and similar). So a potential thief needs my PIN and my digipass in order to use my home banking account. I think this is as safe as it can get (it feels a lot safer than carrying around a credit card). And for the rest, keep it simple. Do you really have access to critical data? If not, think of a long full phrase for each pass: "ThisIsMyPasswordForThisInterestingWebsite". Obviously, you can make variations of this, combine it with the pwgen program that someone mentioned earlier and so on. It should be safe enough. If you do have access to critical data, it gets complicated. You could however apply a few permutations to a full phrase, and remember the permutations in addition to the full phrase.
Allowing firefox to fill in the passwords for you is daft, but not if you use a master password. Then you only really need to remember that one password
I created a directory for web passwords, and I create a new text file for each site that I register with, using the GRC password generator. The text file includes email, username, and password. This directory is encrypted by TrueCrypt and opened each time I login.
I'm gambling that 1) I'm not a high-profile target for hacking, 2) my firewall would add difficulty to any attack, 3) malicious software wouldn't get installed, and 4) malicious software wouldn't be smart enough to find the directory and parse its contents.
The advantage of this approach is that each site has its own very good password.
I've discovered that many sites have short password length limits, which are not disclosed on registration. It's frustrating to register with a long password, only to find out later that the site truncated it. This means that I have to figure out where it was truncated, or I have to reset the password and enter a new one.
I've been using something like this for a while
http://www.angel.net/~nic/passwd.html
Basically it's md5(websiteUrl + masterPassword), which creates a nice random string to use as a password. If one of those sites gets hacked or one of the passwords gets found out it's no biggie, because each site has a unique password (if your master password gets found out, then people might be able to guess at some of your logins, though).
I still let Firefox store my passwords but I keep them protected with a master password. Sure someone could brute force it but I don't save my bank passwords with it.
pwsafe
Or, you know, remember them :)
Mod this guy up, original thought here!!!
http://www.keepassx.org/
http://kedpm.sourceforge.net/
I use RoboForm. It's not free, but does the job well
FWIW - I use SPB Wallet to hold passwords etc. I normally prefer OS stuff, but made an exception in this case since it syncs with (and runs on) my Windoze More-bile phone and integrates well with Firefox. Comes with password generator, can capture and auto-fill login pages, auto cleans out clipboard if you've copy-pasted data and is a general encrypted database that stores all sorts of info. I have no idea how well it actually does in terms of leaving traces etc, but it works nicely for me, keeping my phone, work PC and home PC synced up whilst being very convenient in terms of browser use.
KeePass:
http://www.keepass.info/
I use Keepass and then sync the file to a dropbox folder, then I have access to it from outside too ... :P
I used to use 3rd party encryption and password keeper tools, until one of the paid apps I relied on introduced a bug in an update that corrupted the encrypted data. If you are well versed in IT you probably know what that means, but for the regular folk out there I'll spell it out: Your data is unrecoverable, forever, if an encrypted file becomes corrupted even by a small amount. So, Rule Number One:
BACKUP YOUR ENCRYPTED DATA
If you use a password manager, know how to find the password file and know how to back it up, how to recover it, how to use it on another system with the same tools installed.
Bitten by that bug, where everything I could not re-create from memory was essentially gone, I looked once again at the tools the OS provided me.
Using OSX's system-wide Keychain support and utilities, I created a user keychain, set a robust password on it, and created appropriately titled secure notes. All my login credentials, all my banking info, all secure data is stored there. You can back it up, you can carry it on a USB drive and use it on another Mac, you can sync it across multiple machines. The text formatting abilities are rudimentary, but I can live with it.
It's encrypted and unusable by anyone who does not know the username and password of the owner, and isn't visible to other users. It has OS and OS-vendor level support, and that same level of troubleshooting and testing ... it works and obscure bugs, if there are any, will be found and fixed (in the case of my paid app, the developer just gave up and left us all staring at empty wallets and useless apps with unusable data).
The latest version of FileVault (10.5 or later) has had major improvements. I never had problems with FileVault on my laptop going back 7 years, but others I know have. The later version encrypts in 10MB sections, and therefore if there are issues (eg drive or data corruption), most of your data will be recoverable. It's also much faster since it only deals with changed data during certain normal operations (eg recovering free space).
SuperGenPass is a good option for online passwords, especially since the website lets you customize the bookmarklet before you download it. Though why there is an option to hardcode your master password into the bookmarklet, thereby completely defeating the security of it, is beyond me.
Maybe it is to cope with URLs that change. It doesn't happen often, but it does occur occasionally, and when it does, poof! There goes your password hash. Bad news if it's your banking site that's just done a major upgrade (I've seen this twice, once on my trading account, once on my online banking account). That said, for financial matters I use a unique password, handwritten on a sheet of paper and stored in a locked filing cabinet. If for some reason I do forget the password, I can go home and get it.
Password hashing is nice, but it will break when web pages move or reorganise.
Brain. Best if it's yours.
Lately memory is really undervalued.
Several posters have proposed using a simple-but-obscure algorithm to generate passwords. I like this idea, for its sheer portability: no need for a USB key, or a special password management program. Other posters have also proposed interesting ideas - like starting from a meaningless fixed text and constructing a password from it.
There is just one problem: <rant>What is it with those sites that "know better"? Your password must contain at least one capital letter, 2 digits, 3 special characters and four donkeys. Or else: your password may not contain any of the characters ./*,:;_ etc.? The fact that every such idiotic website has a different set of rules makes any sort of 100% consistent password management impossible.</rant>
Sorry, just had to get that off my chest - having just yesterday been forced to create a password outside my system, because of some nitwit's idea of security. To add to the "amusement": it was a credit-card company. You know, the guys who invented that ultra-secure secret number printed on the back of your credit card.
How about Universal Password Manager, http://sourceforge.net/projects/upm/. It's written in Java and comes packaged as a Windows Installer/Mac DMG/tar.gz. It's as basic as you'll get in terms of a password manager but that's what I wanted. It does what it's meant to do and nothing else.
Disclaimer: I wrote UPM.
I use http://onlinepasswords.sourceforge.net/
It is web based and uses "PHP + flat file" for easy retrieval. All passwords stored are encrypted and the master (key) password is never saved. Even the user IDs (for both master and individual access) are encrypted. So you can put this on a hosted website if you like!
Demo is also available at: http://onlinepasswords.sourceforge.net/demo/login.php
I use http://keepass.info/
Does everything I want it to do.
1. You still don't have the 160 entries because those are not the ones _in_his_wallet_. Even if you crack his computer, you still don't have his passwords.
2. Even if you crack his computer _and_ get his wallet, you still don't have
A. What this password is for (his bank account? stock account? which web site?)
B. His user id.
C. Which of those 160 entries it is. And by the way, good luck when the system locks you out after 5 failed attempts.
Sounds like an excellent utility, for a different purpose, though.
I guess when I'm tired carrying it, I can always let keepass take care of my ass. Securely, of course.
The best tool for remembering passwords I thought would be obvious: your own memory. This is an article about the second best tool for remembering passwords. Unless of course folks don't trust that there aren't mind readers out there lurking in the shadows, waiting for you to think of your password. Of course there is software you can learn to encrypt the passwords in your mind...
Anyone considered a web-based system? (preferably run on your own server, naturally).
This one looks interesting: http://www.alexanderinteractive.com/blog/2009/08/mortimer-password-manager-redesigned-v12.html Uses PKI thoughout so everyone can have their own "copy" of individual shared accounts without divulging your personal passwords to other users of the system.
I recently had similar thoughts. The solution that was recommended to me was KeePass. There are Windows, OSX, and Linux versions. I use Dropbox to store the password database. I was also able to install Dropbox on Windows, OSX, and Linux (Ubuntu). This has proven itself to be very convenient. Note: the 2.x series of KeePass doesn't run on OSX or Linux yet. Use the 1.x series. The 1.x series can't read the 2.x password database files. There are also 'standalone' versions for Windows. I have been using it for about a month, and have had zero problems with it.
A lot of people don't realize that vim actually has support for encryption (the -x option).
Combined with text-folding, it works well as a password holding mechanism, and bonus, it is pretty much cross platform as there is a version of vim on mostly any platform you would care to use.
I try to remember them all, but if I had to store my passwords, I would make a text file, and store it into an encrypted 7z compressed file (AES 256, maybe it's weak). Of course, you would need a master password.
- 7z doesn't need install, so you can put it on a USB stick with your pass file, if you want to carry it.
- 7z is cross platform
7z or anything with that kind of features and ease of use.
I also use KeePass. If you're feeling adventurous check out http://passpack.com./ passpack is good for passwords you might need when you just don't have access to a keepass program but do have access to a browser and internet connection.
BRAAAIIINNSSS! ^^
Oh you mean outside your head?
Very simple: A password!
Or, more exactly: a password-protected thing that stores your other passwords. It can really be anything. I use KDE's KWallet.
And Firefox's password manager, encrypted and protected by a master-password (which you can set in Firefox's own settings dialog, if you had looked there for even a second!)
(Firefox sadly needs a lot of manual scripting hackery to integrate into KWallet).
But really, anything password-protected and encrypted is good enough. Even a text file, if it's on an encrypted drive on a USB stick.
There are tons of possibilities. Use whatever suits your needs best.
My technique is pretty simple. My brain. To this point I have about 47 active passwords rattling around in there, uniquely.
Create more associations. Some abstract pictures are a good thing.
I know these are Windows apps, but still very useful free apps: Steganos Locknote: http://www.steganos.com/us/products/for-free/locknote/overview/ Steganos Password Manager: http://www.steganos.com/us/products/for-free/password-manager-free/overview/
Important passwords should be long, random and not written down.
For each password, make up a set of cryptic crossword clues, preferably making obscure references to things from several different aspects of your life.
Additionally, make them really evil cryptic crossword clues that don't quite give you enough information (but enough to jog your memory).
I've used everything from the slip of paper in the wallet to encrypted files on the pc.
My current choice is SplashID Desktop/iPhone
This app runs on the iPhone, Windows and Mac and syncs wireless between the iPhone and the desktop.
When I was carrying a Windows Mobile device I used Handy Desktop Safe that has a WM app so it was on the phone/PDA and the windows machine.
My criterion, other than security (encryption), is that the tool works on multiple platforms, depending on the device that is living in my pocket at the time.
I even had one for my Palm Pilot back in the day.
internic (parent poster) wrote:
I know people don't read the F*** Articles, but could you at least read the F*** Summary?
He's referring to his laptop, which has firefox.
Thanks for playing, no fish today, better luck next time.
In Soviet Russia, Firefox Master Password STILL protects YOU!
This is true, but if you DO use the master password feature, being able to see your usr/pw combos is VERY handy when you want to copy your account info between your laptop and desktop, or write it all down (and store in a secure place, natch) for future reference.
Better than trying to guess it and being IP-banned after n number of failed attempts.
I once tried to set my password to 'penis'. It said that my password was too short....
Pot, meet kettle. From the summary:
Perhaps next time read the whole summary.
I use a mental algorithm that always generates a "good" secure password. No two passwords are the same. Because the input to the algorithm is site- or situation-specific, but personally obvious, I always get the same output. I have to keep track of more than 30 passwords and I have a terrible memory. I used to use the same four passwords over and over again until I read the Simple Formula for Strong Passwords (SFSP) Tutorial. It is a long read but most of it is examples. Basically it teaches you how to come up with a system that guarantees that you create memorable and secure passwords.
Free and it can be portable. http://keepass.info/
A few years back, I was working on a computer for a friend, she had auto password configured, and I said I needed to wipe and reinstall windows, I asked her what the password was...she said (yep, you guessed it). dot dot dot dot dot. And yes, she was blonde!
I use eWallet, which runs on both Windows PCs and Mobile Phones, syncs between the two, and encrypts.
I use a password storing program on a portable device such as a PDA or iPod touch. I use obscure passwords that I can remember with a hint that won't make sense to anyone else. I only store the hint in the encrypted storage.
If your bank is using a password scheme to authenticate you you should switch to a bank with proper security as soon as you can.
I'm currently using an IronKey with its built-in password manager. It's a USB key with an encryption chip built in with the memory chip, epoxied together and encased in stainless steel.
Has anyone given thought as to why he is asking this question??
Q: What does this look like?
A: It looks like someone dropped ink on a piece of paper.
Q: What else does this look like?
A: A black and white picture of ketchup that fell on a white floor. ...
With Blackberry, desktop, iPhone/iPod Touch, Nokia, Palm and Windows Mobile versions; keep your passwords AES encrypted and synced across multiple platforms. http://www.splashdata.com/splashid/
Moral: Don't install plugins you're not sure about.
Same as: Don't run programs you're not sure about.
Or: Don't reply to too-good-to-be-true emails.
And: Ignore web sites that say "Your computer has a virus. Download Free Antivirus2009 to clean it up."
The user has to take some responsibility. It's the same as going outside in 40 below weather ... if you don't dress appropriately, don't start complaining that you're cold. Or bitching that your car doesn't start when you haven't put gas in it (Don't laugh - I've seen the same guy have his car towed - twice - to get a supposedly "defective" fuel pump changed. turns out the gas tank was empty both times. "It can't be! I put $5 in it a couple of days ago!" This when gas prices were $1.34/litre, or more than $5 a gallon. Not to be too worried, though. He lost his drivers' license - too many moving violations - then lost his restricted license, so problem solved :-)
How about that big lump of greyish jelly inside your cranium? I hear it's really a hyperdimensional storage array capable of holding incredibly vast amount of information. Like passwords.
Or.. you could always use the first 5 letters of the site or company or whatever, capitalized as you prefer, followed by your favorite 3 digits, and a symbol, like
Slash266@
Micro766&
Amazo166!
(see the pattern?)
Or.. you could do what my Mom does: She doesn't have any passwords because she doesn't do anything electronically. She doesn't own a computer. She doesn't own a cell phone. She has a cat, and a bottle of Scotch.
This little program encrypts your passwords: http://islandlimited.net/download.php?file=3
PGP public key at: http://keskydee.com/gil.asc
Just hide it in plain sight: if nobody knows that there is a password, nobody will find it. And if you put it on the internet, you can access if from everywhere. You could even hide it in some stupid text you post on some stupid forum for dumb 13 year old kids.
With OS X the best way I've tried is to store the built-in Keychain app profile on a USB drive. This can be inserted into any Mac (though most of the system passwords won't work there) and opened via the master password by importing the profile.
It is of course encrypted and you can set all kinds of policies for individual account/password credentials. It has support for Certs, accounts of all types as well as manually created entries for things like ATM/Credit cards, etc.
The downside for you of course may be that it only works on a Mac but others may find this useful - or you can look for something comparable.
You can find details about this at Mac OS X Hints.
It's quite interesting that everyone has some convoluted method of passwords... Take the square root of your mothers age + the name of the website + your favorite color...+1
This is not a job for software. The proper solution is a device that interposes between the keyboard and the host computer, accepts signals from applications to the effect that the current entry is a password, and records the context/password pair, or alternatively accepts a keyboard signal or an application request for a password that most closely corresponds to a given context (application case, with user approval) or provides a (probability-ordered) prompt to select a known password (user case). The device is independent of operating system, portable between computers, and trivial to backup/edit/configure/restore via usb.
I use lastpass. They have online sync plugins for firefox, chrome, ie, and safari, as well as a downloadable tool similar to keepassx. All you have to do is remember this one password, and it keeps track of all the others. very handy. Plus, if you do use the online sync tool (i.e. if you're not afraid of having your passwords on some other company's machine), you can always log in at their site to retrieve passwords if you're on a computer that can't download the plugin.
XMarks works with Firefox, IE, Chrome and Safari (xmarks.com). Even though it was originally intended to allow portability of Bookmarks, it works great with passwords. And you can store your passwords at the XMarks site (encrypted) or use your own server.
Hey, I just use the Master Password feature on Firefox. Use something which no one could guess as your master.
This is a desktop, though, so I'm not worried about it being stolen.
Usually what I suggest to people is to think of a simple sentence they can remember easily such as:
I have a White car
then proceed to take the first letter of each word
ihawc
then proceed to change letters into numbers or capitalize them
1H4wc
then proceed to add special characters to the end, such as an exclamation mark.
1H4wc!
There is now a complex password that is easy to remember: "I have a white car!"
keynotes: the complexity will vary for different people as some people can recognize a 4 as an A, or a 1 as an i or l.
Overkill maybe?
I create a simple HTML page with a Javascript.
The HTML lets me input the site name, and a master password. And then the Javascript will generate a password for me.
The Javascript algorithm is simple, it involves some summing, modulos, lengths, and Base 36 conversion at the end to give me an alphanumeric password. So far works all the time. I can specify the length of the desired password. If a number is required and the password does not contain it, I simply append a "0" at the end.
You can also play with CSS to make your password field invisible, etc. The only caveat is you want to copy some junk to the clipboard afterward to erase the copied-and-pasted password.
I made the algorithm so simple I could reimplement it from scratch on an Excel spreadsheet with built-in functions, no VBA.
The key to create your own algorithm is that, you're trying to make a simple hash. Try to make it so that changing one character either in the site name or the master password would make the entire password look different, not just a single character at some corresponding position.
If you don't want to bother with your own algorithm, you can just md5sum a concatenation of the site name and master password. I don't like this method because the master password must either be stored in a file or typed in the command line, which will be in the command line history, which may get backed up by mistake if you're at work and don't clear your history quickly. Also, md5sum may not be available on every computer - my own algorithm is easy enough to be constructed from scratch in a minute or 2.
Except that I run the phrase through babelfish, so all I need to remember is "phrase"+"language". I could post my passwords and still be somewhat secure; unless you can figure out which language I used and what capitalization schema I used you're out of luck.
Works until they change the algorithm.
Lockcrypt (http://www.lockcrypt.com)
* Central Database (Flat File or MySQL)
* Strong Encryption
* Multiple Languages
* Customizable Account Types
* Import and Export
* AutoType
* Firefox Extension
* J2ME and .NET Mobile Versions
* Secure Clipboard
* Easy to Use Interface
Secure Password (https://addons.mozilla.org/en-US/firefox/addon/4429)
* Add on Extension to Firefox's password database
* Adds strong encryption (not plain text)
* Easy one-click access to Site information for logging in.
I keep a text file, but it's only visible as root and its name doesn't make it seem like a text file. Furthermore, within it I never actually spell out my passwords, just a couple of characters to remember my sequence. I used to do the same for the system for which it applied, but then I found that I would forget my clever-at-the-time abbreviations for those (that leaky brain problem you mentioned...). I think that's sufficient obfuscation for now.
I disagree ... Lockcrypt is far superior to Keepass on the multi-platform arena. It supports Mobile platforms and also can use a MySQL backend. And comes with a Firefox extension to make logging in easier.
Generate about 4-5 good, strong passwords, memorize them thoroughly, then come up with 4-5 variations (symbol substitution, case flipping, increments the numbers, anything really), then put a hint to the password number and variation in the bookmark text. Like, for gmail have the bookmark name read something like: GMail - P1VC For password 1, variation on capitals. I use a system similar to this and I haven't had a problem in years. Though, I do keep a few copies of my bookmarks file lying around because otherwise I am most hosed. You just have to make sure that no one ever has a chance to get your actual passwords, nor share any of the variations ever, but it seemed to me to be the most reasonably secure and simple method.
Nice logic error you've got going there :-)
And for all those other issues, he admits he's going to have to install *something* ... so why not just install or run Firefox and be done with it? One simple solution.
If he can't install or run other apps on those computers, then there IS no "ideal tool" that will work for him short of pen and paper, which can also get lost/forgotten/copied/swiped/whatever, and the question becomes nonsensical ("gimme a tool to run for those times that I can't run a tool").
Works fine unless you use tabs and add-ons. There is a bug in this procedure that prompts you for the master password for tabs and add-ons. You will end up entering it MANY times. One would think Mozilla would have resolved this issue long ago.
A colleague of mine got tired of keeping passwords in his head, as well as of all the time spent renewing passwords every 2 months according to these "hard-to-break-password rules", which make the password impossible to remember.
He made a simple S60 app (that by itself is password protected) where you can store all your passwords and to what account (if needed) they are used. The app saves the passwords encrypted on your phone, and it also has the ability to generate new passwords with a lot of different parameters to help you set the length, special characters etc. I think it works wonderful for me, and I haven't had any problems remembering passwords since.
The weak point is, of course, that you will need to set a fairly strong password on the application to start it, which can be tricky to remember. Best would be if the cellphone had a fingerprint reader built in that you could use to start the app.
Available in three ways:
Constructs a one-way hash of
to get a domain-specific password. Memorize one strong password and use this utility to get distinct passwords for each domain. The generated passwords are (usually) complicated enough to pass any conceivable non-triviality test.
thumb drive + KeePass Password Safe (http://keepass.info/)
Try using a password vaulting app such as KeePass, and encrypting the password database on your laptop. I'd suggest not trusting the encryption built into the password vaulting app and using multiple layers of encryption such as a TrueCrypt volume, whole-disk encryption, etc. You can determine the level of security/usability that's right for you. You could also look at hosting the password database online so you can access it from anywhere. You could use an online backup/file hosting service for that purpose. Keep in mind that security is inversely proportional to usability, so you'll have to make some sacrifices in terms of usability for good security. If you're not willing to make those trade-offs, then this whole exercise is probably pointless.
What I've done is make a small TrueCrypt drive, and redirect Firefox to use that for its local data. It will store the cache and my passwords on that drive, thus keeping my passwords hidden without first entering the TrueCrypt password.
Find Firefox's profiles.ini file in your local application data directory.
Downside: you have to give TrueCrypt a password whenever you startup, and Firefox won't boot at all if the TrueCrypt drive isn't mounted. The error message is misleading too, "Firefox is already running ..." (fail!)
Bonus: the pr0n downloads in your cache are encrypted too.
Of course I'm one of those guys with multiple computers... My personal laptop, on which I work at home, is a MacBook Pro. At work I have a Windows 7 PC. So my system has to be cross-platform and synced at any time. Since I don't want to use 2 password files I did the following.
I have a Dropbox account (actually this is an Amazon S3 storage service with AES encryption; you could also use Evernote for that purpose) on which I placed a TrueCrypt file of about 50 MB encrypted with 3 encryption algorithms. In this file I have a KeePassX file with all my passwords. So I only need 2 passwords to remember. One for the KeePassX file: ************** and one for the TrueCrypt volume: ************ . :) .
Another tip:
There is a keepass version for smartphones that can open keepassx files.
IronKey makes a very useful encrypted flash drive, that includes a password management tool called "Identity Manager".
The Identity Manager is a password management tool which saves and autofills your account user names and passwords. It also includes helpful features such as a virtual keyboard, password generation, etc. One-time passwords can also be generated using VeriSign's VIP Service. This is great for locking down your eBay and PayPal accounts with 2-factor authentication.
In case you lose your IronKey, there is online backup that you can do, that enables you to restore your account information to a new IronKey.
You will (of course) still need to remember the password to your IronKey.
Full disclosure: Yes, I work for IronKey.
Current linux versions are capable of encrypting the disk - files and swap - automatically. (Ubuntu, for instance, can install this feature from the "alternate" install disk.)
Only the boot partition is in the clear. Any passwords you stashed in Firefox's autocomplete mechanism are encrypted as well. You have to issue the filesystem password to boot or to come out of hibernation etc.
With this in place the bad guy has to get your laptop while it's running and use it before it sleeps or whatever. (Fancier attackers might be able to pull something out slightly longer - if they get to the RAM before the charge dissipates.) Even if you're only using browser autocomplete passwords this gives your system (and ALL the files it contains) another layer of protection.
DON'T forget the password or all your files are gone forever. Unlike commercial products there are no backup or backdoor passwords or challenge/response protocols. The passphrase you use when installing is the only one there is. Without it (or a cryptosystem crack) even the software has no way to decrypt your files.
PASSWD=`echo "${login}${masterpasswd}" | openssl dgst -ripemd160 -binary | openssl dgst -sha1 -binary | openssl base64 | head --bytes 8`
The password is stored in the KDE klipper for 20 seconds afterwards.
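Several posts above describe the same idea in different clothes: the md5(websiteUrl + masterPassword) bookmarklet, the hand-rolled JavaScript generator that ends in a base36 conversion, and the openssl one-liner just above. The following is an added example, not code from any of those posters, that implements the scheme once in Python: a master secret and a canonicalized domain go into HMAC-SHA256 (my substitution for md5 and for the RIPEMD160/SHA1 chain), the digest is rendered in base36, and the "append a 0 if the site demands a digit" workaround from the JavaScript post is kept. The domain canonicalization rule (drop scheme, path and a leading "www.") is my own assumption and is exactly the point where the "password hashing breaks when web pages move" caveat bites: a renamed domain yields an unrelated password. All function names and the sample master/site values are constructed for this example.

```python
"""Per-site password derivation: password = encode(hash(master, site)).

Added example; not code from any post in this thread. HMAC-SHA256 is used
in place of the md5, RIPEMD160/SHA1 and hand-rolled hash variants above.
"""
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Base36 output alphabet (digits + lowercase), as the JavaScript post describes.
ALPHABET = string.digits + string.ascii_lowercase


def canonical_domain(site: str) -> str:
    """Reduce a URL or bare host to a stable key for hashing.

    Assumption (not from the thread): scheme, path/query and a leading 'www.'
    are dropped, so https://www.bank.example/login and bank.example agree.
    Anything else (a renamed domain) changes the key and hence the password.
    """
    if "://" not in site:
        site = "https://" + site
    host = urlsplit(site).hostname or site
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def to_base36(data: bytes) -> str:
    """Encode bytes as a base36 string (big-endian integer, no padding)."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(ALPHABET[r])
    return "".join(reversed(digits)) or "0"


def derive(master: str, site: str, length: int = 12, require_digit: bool = True) -> str:
    """Derive a deterministic per-site password.

    The master secret is the HMAC key and the canonical domain is the message,
    so a one-character change on either side re-randomises the whole output
    (the avalanche property the JavaScript post asks for).
    """
    mac = hmac.new(master.encode("utf-8"),
                   canonical_domain(site).encode("utf-8"),
                   hashlib.sha256).digest()
    password = to_base36(mac)[:length]
    # Same workaround the JavaScript post uses for sites that insist on a digit.
    if require_digit and not any(c.isdigit() for c in password):
        password += "0"
    return password


def legacy_md5(master: str, site_url: str) -> str:
    """The scheme linked earlier in the thread: md5(websiteUrl + masterPassword).

    Kept only for comparison: it has no domain canonicalisation, so any change
    to the URL string (www. prefix, trailing slash) gives a different password.
    """
    return hashlib.md5((site_url + master).encode("utf-8")).hexdigest()


def differing_positions(a: str, b: str) -> int:
    """Count positions where two strings differ (quick avalanche check)."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    for site in ("https://www.bank.example/login", "bank.example", "newbank.example"):
        print(f"{site:32} -> {derive(master, site)}")
```

Running it shows the first two sites agree (same canonical domain) while the third, differing by a rename, gets an unrelated password, which is the failure mode the filing-cabinet poster ran into with upgraded banking sites. The base36 output contains only digits and lowercase letters, so sites that also demand an uppercase letter or a symbol still need a deterministic tweak of your own on top.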
I use an encrypted file (to which I remember the encryption key) which has all of my logins and URLs, and the first 3 or 4 characters of the associated password. Between the file encryption and the fact that only a 25-30% fraction of each password is listed, I feel that I am pretty safe. My passwords tend to look like this:
$uns#!n34tn!t3 (sunshine at night)
...so a typical entry would look like this:
http://www.punkisnotdead.com/ PunXX0r $un
You are right - Untrusted plugins are a core issue. However, users need to understand that Master Password does not add any protection to passwords, to avoid the illusion that it makes them safer. In fact it makes passwords less safe by storing them on the machine, and very easy to hack into if the machine is stolen, say. So (I think) users should neither use untrusted plugins nor store passwords to sensitive sites under the Master Password.
I've been using KeePass Password Safe for years. I keep it installed on a thumb drive and take it with me pretty much everywhere I go. The KeePass files also get backed up to my desktop every time I insert the thumb drive or modify the password file. If I lose it, no big deal, no ones going to guess the master password and I always have a backup. There are builds for just about any OS people are using these days, so you shouldn't have to worry about retrieving your passwords cross-platform.
http://keepass.info/download.html
In OSX, I save a list of my plaintext usernames and passwords inside an encrypted disk image (AES-128) residing on my pocket USB stick (and can secrete copies on the various machines).
One major passphrase to unlock the image if ever I can't remember a particular password.
Since I'm always in OSX it poses no problems, but there's nothing I know of to use the same scheme on Windows... Does anyone know of a Windows app that can handle DMG files?
Encrypted disk images are also nice ways to keep my project notes, diaries, and data - they can be given different passphrases so that other colleagues can have specific access to the information.
It encrypts all of them with a master password, and I've always got it with me. Easy to backup the db to the sd card, and easy to export a plain text file of all passwords, for storage in our safe deposit box, in case I get hit by the proverbial truck.
http://www.openintents.org/en/node/205
You need to divide web sites that need passwords into at least 2 categories (high risk/low risk).
Any account that holds your money (banks, etrade, etc) needs to be in the highest security level. For these accounts you should never use any laptop ever - use a desktop computer - better yet, buy a $300 netbook with linux on it that you *only* use for bank websites. Never use this netbook for casual browsing or any other purpose. Best of all - don't use the web for any of your banking needs. Also consider using only banks (like Bank of America) that have higher security features such as the one that only lets you login after they send you a random pin to your cell phone (these pins tend to expire within a minute).
email accounts should have second highest security because these can often be used to get your bank password (click here to have your password sent to your email).
For your slashdot account, you can be more lax. Maybe put the password on paper or maybe let your laptop's firefox browser store passwords.
Many people have lost their entire balance due to keyloggers - money that they never got back (as far as I know only business accounts).
The best way is to design a system *yourself* so nobody else knows it.
I have that kind of system myself but, if I tell you what it is, it will then be less secure (very much so on /.)...
So...
Anyway, I'll give you some tips.
Think of the things that you have no problem remembering. If they are easy to find (like in a dictionary), design some combination that would not be. Among those, select the ones that could be found elsewhere if your memory fails. From these select the ones easier to use and/or to consult elsewhere. Design some indexing method that will allow *you* to find them easily from these available sources. Store these indexes the way that is more convenient for you.
An example that I _do_not_ use and that's worse than the one I use: Bible quotes. Bibles are available almost everywhere. Long ones have good resistance to brute force. And the indexing is already done for you. You just have to design some basic encryption method for the index (the method depends on the storing method: simple rotation for hand-written, as complex as you like if stored on a computer: you can write a program to do that) and store the index in some place (the piece of paper in the wallet, some text file on your computer, whatever is more secure for your case).
In any case, you should design something that is easy to use _for_you_ or you'll end up using some other less secure but more usable system.
Ah, and don't use the example I described as now it's already known...
--
El Guerrero del Interfaz
SplashID on your Android phone.
Use one 256bit Blowfish password to access ALL of your passwords. Your phone goes everywhere with you, so do your passwords. If you lose your phone, no big deal. Chances are that person doesn't have the resources to crack that encryption.
Best part is you can use it to fill in forms for websites you visit on your phone, which is good because typing in obscure passwords on a phone can be a challenging feat.
Authority questions you. Return the favor.
The mandylion password manager seems like a pretty nifty tool. It's a key fob device which can both generate, and store up to 50 sets of login usernames and passwords. It meets DoD\Military specs for a password generation\storage device and can even be set to scuttle after a number of login failures (this is optional of course). Thinkgeek sells them, but is currently out of stock. http://www.thinkgeek.com/gadgets/security/91a2/
1password is by far the best solution available for this. I've seen some other people say it, but i wanted to echo how great it is. On the security side, it uses 128 bit AES encryption. You can find more information on their security here: http://help.agile.ws/1Password3/agile_keychain_design.html - basically it would take eleventy billion years to crack into your password database.
1Password also offers direct browser integration with all major browsers. It's so good that I'll only use a browser if 1password supports it. It also comes with tools like a password generator and a place to store secured notes (which is where I keep all my software registration keys, etc.). Bottom line is I couldn't live without 1password.
All that said, I still commit my bank password to memory and do not store it in 1password or anywhere else.
or else!
Here's a low-tech solution:
1. Memorize a single 10-digit number, which will be your master passphrase (eg 1234567890).
2. Keep all your passwords, encrypted with this passphrase, written on paper in your wallet, as follows:
write down the true password on a scrap piece of paper.
eg: augur4
3. subtract one passphrase digit from each password character:
a - 1 = z (wrap around the alphabet)
u - 2 = s
g - 3 = d
u - 4 = q
r - 5 = l
4 - 6 = 8 (wrap around 0 back to 8)
4. Keep the result in your wallet: zsdql8, next to the name of the website you need it for.
5. Burn or eat or compost the scrap of paper.
This has several advantages:
- addition can be done in your head: look at zsdql8, and it's not too hard to reconstruct augur4 without using a temporary piece of paper.
- if someone steals your wallet, they'll need your 10-digit passphrase.
- you don't need internet access or a USB key to recall your ATM's PIN.
Alejo
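The wallet scheme above, as an added example that is not part of the original post: a Python implementation of steps 3 and 4 (and the reverse addition used to read the slip), using the post's passphrase and password as constructed input. Worked through faithfully on a 26-letter ring, the fifth character comes out as m (r shifted back by 5), where the post writes l.

```python
"""Wallet cipher from the post above (added illustration, not the poster's code).

Each password character is shifted backwards by the corresponding digit of a
memorised 10-digit passphrase, cycling through the passphrase for longer
passwords.  Letters wrap around their alphabet, digits wrap around 0-9, and any
other character is copied through unchanged.
"""
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits


def _shift(ch: str, amount: int) -> str:
    """Move one character `amount` positions within its own alphabet, wrapping."""
    for alphabet in (LOWER, UPPER, DIGITS):
        if ch in alphabet:
            idx = (alphabet.index(ch) + amount) % len(alphabet)
            return alphabet[idx]
    return ch  # punctuation and anything else is left as-is


def _key_digits(passphrase: str) -> list:
    """Validate the memorised passphrase and turn it into a list of shift amounts."""
    if not passphrase or not passphrase.isdigit():
        raise ValueError("passphrase must be a non-empty string of digits")
    return [int(d) for d in passphrase]


def encode(password: str, passphrase: str) -> str:
    """Step 3 of the post: subtract passphrase digit i from password character i."""
    key = _key_digits(passphrase)
    return "".join(_shift(ch, -key[i % len(key)]) for i, ch in enumerate(password))


def decode(wallet_text: str, passphrase: str) -> str:
    """Reverse the transform: add the passphrase digits back."""
    key = _key_digits(passphrase)
    return "".join(_shift(ch, key[i % len(key)]) for i, ch in enumerate(wallet_text))


if __name__ == "__main__":
    master = "1234567890"     # the post's example passphrase (constructed input)
    true_password = "augur4"  # the post's example password (constructed input)
    on_paper = encode(true_password, master)
    print(on_paper)           # -> zsdqm8
    assert decode(on_paper, master) == true_password
```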
I also put a vote in for Roboform, I use it all over the place. Now that they have the server based sync it especially rocks!
This topic comes up every once and a while and I too have gone through various iterations of solutions to this problem. Until recently I was storing them in an encrypted DB on a Palm TX pda. As that thing slowly degrades I realized I won't be owning a pda in the future, so I looked at other solutions.
- Has to be portable and follow me to any computer I'm on.
- Has to be easily searchable and or sortable/organizable, I have close to a hundred logins stored.
- Has to be secure.
My solution is that for the MOST important things like anything involving money like my online banking I just memorize the passwords. For the almost one hundred of the rest I keep them in a wiki on one of my personal websites (shared hosting). I use a wiki plugin that encrypts the data client side before saving the wiki page. So only the encrypted list is stored on the web server. It's decrypted in my browser by JS.
Works pretty good so far. Minor concerns about it being stored in the browser's cache, but I never access it from public computers.
Use OpenSSL to encrypt the file. You can carry OpenSSL on your thumb drive with the AES encrypted file as well.
Of course you will need to remember the password you used to encrypt it. But that should be the case with most secure/semi-secure solutions.
http://www.madboa.com/geek/openssl/
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass pass:MySillyPassword
It is on MANY OS's and FREE.
I use Password Dragon written by Ramesh Natarajan. The publisher says the files are encrypted using BlowFishJ. It can be resident on a USB flash memory device. I have been using it for over a year with both XP and Vista, and have had no problems. Their website is http://www.passworddragon.com/.
Note to FTC: I am in NO WAY compensated by the author or publisher!
BTW: The best part is that it is FREE! As in beer.
Just email me your passwords and the related sites. I'll keep track of them for you.
coffee | nose > keyboard
It's a nice slick little web app. Works like Roboform, but it is completely free. Stores your passwords on your machine and encrypts them using AES 128-bit encryption technology.
Mmmph - I have a couple hundred to keep track of - I use gpasman, and keep the .gpasman file in an encfs encrypted directory (symlinked back to .gpasman in my home directory).
Seems reasonably secure.
I was happy syncing up across browsers (work, home, netbook ...) through password exporter (https://addons.mozilla.org/en-US/firefox/addon/2848), svn, thumbdrives, and KeePass ... yikes. LastPass showed up while reviewing the current state of identity management (SSO providers, etc) for a work project, and all of the actions I used to take to have my identities with me are usually zero clicks away, and on whatever browser or device (they have a blackberry client) I am surfing with. Encryption on the client, shared out in the cloud, and most significantly, close to transparent in the interface ...and their roadmap has some of the issues I do have with it scheduled.
Hooray for LastPass solving a problem I didn't realize I had and eliminating a small hack in my online life.
Dropbox is a great "access anywhere" secure solution across all major OS platforms, and using KeePass is a great software (as many have already mentioned) for managing all the different passwords you have. Upload KeePass - the executable and the database - to Dropbox, keep your master password verification file that KeePass creates for you on the computers you use and a USB key drive, and you will be very safe and secure, but unhindered by being tied to a particular OS or physical media. When you use dozens of different password-only websites, multiple network logins at work, and your own home computer password apps, it becomes imperative to manage it all in some sane way. The only way to do this for me before was a USB key + TrueCrypt + KeePass, but with Dropbox you eliminate the physical media to be lost accidentally. (And I thought a while back that I HAD lost my USB key, and I literally started freaking out before finding it on my car floor. Switched to Dropbox later that night, and no more freak-out sessions for me.)
Are you usually this slow on the uptake, or did the humor bunny skip you at birth?
So...then you admit he did refer to more than just his laptop. I said it doesn't seem to "solve his worry" about computers without Firefox, and obviously that is his worry (if he mentions it as a desirable property) and your solution doesn't solve it.
A more useful response would have simply stated the reasons why you believe one cannot reasonably do better than this alternative (even in the face of the submitter's stated desire). Hashapass, for example, makes an interesting alternative with a different trade-off of security and flexibility. You could also have answered the simple question about using an external password file in Firefox.
I know, I know, "You must be new here."
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
I bought a copy of Password Tracker Deluxe years ago, and it's been a great tool on Windows, so I wanted to give it a mention.
I'm currently trying to replace Windows for my daily needs with Linux (I'm currently trying Linux Mint KDE), and so I had to find another option (although it does mostly work under wine).
What I found was KeePassX, which has done a pretty good job as a replacement. And because KeePassX is cross-platform, I can access on Windows as well.
I saw others mentioning KeePassX above, and they mentioned features I haven't even discovered yet.
Keep your most important papers and a list of passwords (unlabeled) in a safety deposit box at your bank
1Password not only works on the Mac, but it also syncs fairly easy with the same named application on your iPhone. So you have all your passwords encrypted with you, all the time!
with storage is the best as far as I'm concerned. I used to keep passwords for several different mainframe accounts there. No worry about my watch being compromised.
Your original point, to which I responded, was:
On reconsideration, any machine that he does not personally control simply has no acceptable solution if you want to be reasonably secure. A copy of Firefox run off a thumb drive doesn't do it (copies of data on the hd swap file, keyloggers, malware, etc). Installing Firefox on the target doesn't do it either, for the same reason. Booting off the thumb drive? Thumb drives get lost/forgotten all the time. The real "solution" is simple, but inconvenient - don't use other people's machines.
Example: I would never use someone else's machine to do my online banking. Generally, when I need to use a computer somewhere, except at home or work, I bring one of my own. Part of that is because I'd rather use linux on my laptop than struggle with Windows on their desktop, part is "it just works", but even then, I wouldn't access anything sensitive from someone else's network. It's just not necessary. Plus it also gets out of the whole issue of other forms of leakage, such as shoulder surfing, web cams or security cams grabbing your keystrokes (I was actually able to do that once, just to show it was possible with a 25x PTZ camera), etc.
Even less sensitive stuff, it's a hassle. I made the mistake of logging in to one account from a known-safe machine (only used linux and bsd) over a compromised network. Oh, the pain. No "serious" damage done, but still a PITA. Took a few hours to track down which Windows box had a chat session connected to a machine with a .ru domain ... nowadays it's almost always .ru (russia) or .cn (china) or .ua (ukraine).
What can you do - it is what it is. All security is a balancing act - managing risk against ease of use. As one pundit said - the only completely secure machine is an unplugged machine - with the hard drive, cpu, and ram removed and run through a shredder (and all post-it notes removed from monitors, under the keyboard, and inside the case).
https://lastpass.com/
Makes it incredibly easy to remember passwords and add new passwords.
I used to loathe making accounts on websites until this program. I can generate random passwords and it will remember them with ease. It will auto fill them in next time I visit the website.
makes life so much easier
I guess you didn't catch the humor right there ... cool down ..
I'm living in Belgium btw, so there is no such thing as Foxtard TV here.
Wasn't the recession over years ago ?
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
lastpass.com does just this. It is a free cross-browser (IE, Firefox, Safari, Chrome, iPhone) plugin that encrypts your passwords and then stores them on their servers (only your encrypted passwords are stored). It replaces the built-in Firefox manager (which doesn't work very well and I can't believe they haven't addressed that yet) and LastPass's plugin works much much better than the built-in IE / Firefox managers. It's also a lot more secure. It's not without faults.... it's not very easy to use with multiple accounts and trying to correct an account with a wrong password is sometimes painful. Overall, I love it and am a user. Check it out: lastpass.com
-mr silver
It doesn't work that way. The Firefox "Master Password" just protects the vault of saved passwords. The saved passwords still appear automatically (without entering a master pw) on any site where you have OK'd the saving of a pw.
I've enjoyed roboform as it works great (ahem, on Windows) and has nice encryption. The random password generator and information form auto filler are tools which I use almost every day. I was somewhat perturbed that they didn't support linux but then I found that it will install on wine if you open the installer from an IE browser, so there is cross platform compatibility.
I've been using SplashID for the last 5 years or so. One of the best apps I ever paid for. It exists on pretty much any major OS you might be using on a PC or - and here's the selling point - any mobile phone.
I've had it successfully synchronize between my PC and Nokia E61i. Before that it was syncing with my Sony Ericsson P990i and P910i. There is an Android version of it out, but unfortunately Android Market is not available in Singapore. I was forced to use SlideME to use the very barebones but still functional gbaSafe.
SplashID uses the 256bit Blowfish encryption method and comes with a built in password generator, with quite a few options like limiting the password to lowercase and numbers and even checks for "pronounceability". It comes with a nice set of icons, you can create custom templates with multiple masked fields and the layout is intuitive. There are several export options, with some compatibility with other formats as well as the standard unencrypted CSV excel file.
I've been using the password "neeXa6Re" for years. See, I opened an AOL account, it asked me for a password, and of course, "neeXa6Re" was the first thing that popped into my head. Now, here you go just posting it out on the interwebs for everyone to see.
http://supergenpass.com/ From the site: Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit. There’s no software to install.
https://www.ironkey.com/
I use this one, http://sdm.sourceforge.net/
Written in Java, open source and lightweight.
passpack.com
Think of a password you can easily remember. The password should have upper and lower cases, numbers and punctuation in it. Do not store or write down the password. In addition use a variable password generated by a security token. This token can be easily carried on a key chain. The result is: a static password + a variable password.
The same thing can easily be achieved with SSH; generate a key pair, put your private key on a USB drive and use a long / complex password to protect it.
Just throwing my suggestion on the heap of hundreds: Take the first letter of the chorus of a song you like, and make that the password. If you forget it, you can just think of the song and punch out the password. For example, Iron Maiden's "Run To The Hills", you have "Run to the hills, run for your lives", which comes out as rtthfryl, which is not likely to come up in any brute force dictionary based attack, and it has a built in method for you to remember it. Feel free to add characters or numbers if necessary, I really like the !1, or *8.
http://kiskis.sourceforge.net/
Is java based so it's cross platform, it'll fit on a usb stick and run on anything with java on.
http://www.passwordmaker.org/
All you have to remember is a master password. It will generate secure passwords for you depending on the "note text" you enter (whether it's a domain or something else.)
Has a firefox extension, but also a CLI / PHP / Java version, so you can use it on anything.
..mm.. I've been using Keepass for a couple of years, http://keepass.info/ ..mm.. it's a small standalone program that'll run as a Portable App http://portableapps.com/ on a Flash/USB stick drive or on your hard drive. It's password protected and free to use.. I find the database easy and useful and you only have to remember 1 password to let you in - all your passwords in one place..
No doubt there are some clever hackers out there who would delight in trying to crack the opening password.. but I'm not Paranoid..are you?
I have my passwords as drawings on the keyboard. Example: one of my (old) passwords is hnji9 - as in the tick in nike and letter 'N' at the bottom.
LastPass works for me.
If you have PalmOS, I suggest Strip. There is also an iPhone version, but I don't know that platform very well.
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
Also as some have recommended techniques with written "password," type out your password but add a common or nonsense word into the middle of it. Then you just know to remove that word.
Having the browser remember you passwords is so easy, it's hard to give up. So why not just setup truecrypt, and move your browser user profile inside the truecrypt volume?
Then you only have to remember one password (well two, your login password for the computer, and the password for the truecrypt volume). And then you can start up your web browser, and it remembers all your passwords just like always. And everything is very encrypted this way.
It's not quite as secure as keepass, since keepass can be made to require a file and a password...but unless you're keeping the file on a USB stick and not your hard drive, it's not really much more secure than just having one password for truecrypt (anyone who gets access to your hard drive will have the keepass DB and the key file). And messing around with keepass for your day to day passwords is a major chore. It's great for a master list of passwords as a backup though, or if you're sharing passwords with others at work, etc.
--Julian
I have a text file that I edit with vim that automagically decrypts the file when I view/edit it and re-encrypts it when done. Very secure, don't have to worry about a single use application going the way of the dodo.
Salut,
Jacques
I love this tool. I've used it for 6 years now. It is still actively developed and is fully cross platform (anything that will use tclkit). http://www.fpx.de/fp/Software/Gorilla/
I have this problem where I work. Last spring they upped the requirement to 12 characters, which must include numbers and special characters. They do not yet require squirrel noises, but that is certainly next.
I did a study of memory aids and came up with a system that has worked fairly well for me.
Here are the tricks:
1. I remember pictures but not words. I can remember the first three letters of the name of many animals that I can picture in my mind.
2. Silly stories are much easier to remember than reasonable ones, so string animal pictures and action verbs together into a foolish story.
3. The special characters can be used to make simple picture or represent action verbs: ^ jump over, and || wall becomes ^|| jumped over the wall.
4. I know a few strong visual nouns that come with numbers attached: ME109, P38, 56Chev, V8, 03Flyer, 707, 747.
Putting this all together you get:
The elephant jumped over the wall and landed on the flea. The elephant had four legs; the wall had no legs, and the flea had six legs. Ele^||Fle+406
The Frog in his ME109 shot the shield of the Walrus: FroME109()Wal
It is also easy to leave yourself an effective hint: Kermit in his WWII fighter did what?
You can also progress the story a little every time you need a new password: Then the Whale in his P38 caught the Frog hiding behind the wall with his six shooter: WhaP38||Fog6
Of course, if too many people start using this scheme it will not remain secure very long.
Tom Riley TomRiley@woodwaredesigns.com http://woodwaredesigns.com/woodware.html
I don't turn on the 'save my password' on my notebook. I keep all my passwords in a cloud-based file so they are available at all times on all computers should I forget them. I then need to remember only one wherever I am. The file is not exactly encrypted, but has passwords listed in a highly personal code. 1968fire could mean MLK to me (many cities burned). But mine are even more personal than that so I think they are really just understandable as hints to my personal memory. The sites they correspond to are similarly encoded (but that's harder...).
I still keep a PSION Series 5mx Pro for my everyday agenda, address book and else. (Still looking for a *good* alternative for my iPhone, including migration/synchronisation software - got any?).
The PSION is secured with a 3 letter password (to allow for easy log-in). *ALL* my passwords, credit card numbers, PIN &c. are stored there in an encrypted file. The CompactFlash card of the device holds an impressive 128 MB (yes Meg - not Gig) but 80 Meg remain almost always free. It is regularly backed up to my PC, which is regularly backed up to my Synology DS-408, which is regularly backed up independently to two 1,5 TB external hard drives. From a previous SDK there does still exist an emulator for PC that even allowed access to the file from there. But the last time I used that was ages ago - literally.
As the devices used to be pretty cheap recently, I do still hold 2 spare ones in my drawer for replacement in case of emergency...
I like Clipperz. You don't need to have anything installed, which is nice. They host your passwords in encrypted form.
Tried this. wsjp133 is your password for some obscure account you don't need for 6 months. Then you have to track down your old cube neighbor's PC. Plus even the most benign sites these days force a special character, number and upper and lower case.
Because I'm a Flemish-American.....