Best Tool For Remembering Passwords?
StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
Do what I set up for my father: TrueCrypt installed to a USB key, with the passwords in a plaintext file inside the archive.
The first thing you have to realise is that you can't be 100% secure. Keeping plain text files isn't that terrible an idea, in all honesty; the scenario where someone steals your laptop, goes through all your files and looks for passwords is unlikely. Your hardware is much, much, much more valuable to most thieves than your data. I bet most either A) just wipe it with a clean install of Windows, B) just randomly check a few sites and give up, or C) scrap your laptop for individual parts. A laptop thief is not usually a tech person. When faced with encryption they aren't going to try to break in; after all, your laptop is worth at least $50 on the black market no matter what data is on there, and as long as it boots up it is sellable.
Similarly, few thieves are going to be looking for passwords on old sheets of paper. Most thieves, if they break into a house, look for A) cash, B) jewellery, C) expensive-looking technology. Even though it is much more important to us geeks, a thief is going to go for sellable things; chances are your plasma is more sellable than your Pentium 4 tower, your monitor more than your external HDD, and your PS3 more than your stack of back-up DVDs.
There is a -lot- more threat from crackers, viruses, keyloggers and other malware than the run-of-the-mill thief getting your laptop.
Taxation is legalized theft, no more, no less.
I agree.
100% security is impossible. Any data you transmit or store on a physical device can be recovered, regardless of encryption. All you can do is make it more costly to recover that data -- the best security makes it more expensive than it is worth.
Given that's true, then all security is a tradeoff. Storing passwords on a piece of paper in your wallet is actually very secure for the majority of people, more secure than you can really hope for without going to extreme lengths.
If you have communications or data that are so sensitive that you really have to go to extreme lengths to protect it, then you need the help of a security professional, not encryption and advice on password management.
So, make your passwords random and different for each thing that requires a password, and write them down on a cheat sheet. Guard that sheet like you would your credit cards. If your wallet is lost, immediately set all your passwords to something temporary, then build a new password list all over again.
People rarely steal passwords that way because of masking. Get rid of masking, and shoulder-surfing will flourish.
You could accomplish the same thing using a PGP/GPG encryption key and plain text files. (I prefer to keep each site's credentials in a different file. Other folks use larger files that cover multiple sites.)
GPG is available on almost every possible platform. That satisfies the portability issue. Text files with encrypted ASCII text blocks inside are easy to backup (or can even be printed to hard copy).
Plus, if you have a password that multiple people need to know, just encrypt the text with all of their public keys and email the ASCII text block to them.
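The per-site GPG files and the multi-recipient sharing described in this comment, as an added example that is not code from the thread or from any poster. It assumes GnuPG 2.1 or later is installed; the two user IDs, the file names and the credential line are constructed for the demo, and the throwaway keyring keeps it out of the real ~/.gnupg.

```shell
#!/bin/sh
# Added example, not code from the thread: one plaintext credential file per
# site, encrypted with GPG to every person who needs it, then read back.
# Assumes GnuPG 2.1+ is installed. The user IDs, file names and the
# credential itself are constructed for the demo.
set -e

# Keep the demo out of the real ~/.gnupg by using a throwaway keyring.
GNUPGHOME="${GNUPGHOME_DEMO:-$(mktemp -d)}"
export GNUPGHOME
chmod 700 "$GNUPGHOME"

ALICE="alice@example.invalid"   # constructed user IDs
BOB="bob@example.invalid"

# Generate an unprotected demo key for each user unless the keyring already
# has one. (With real keys you skip this and just name them as recipients.)
setup_demo_keys() {
    for uid in "$ALICE" "$BOB"; do
        if ! gpg --batch --quiet --list-keys "$uid" >/dev/null 2>&1; then
            gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
                --quick-gen-key "$uid" default default never
        fi
    done
}

# encrypt_for SRC OUT RECIPIENT...  -> ASCII-armored file readable by every
# recipient listed; the armored text can be backed up, printed or mailed.
encrypt_for() {
    src="$1"; out="$2"; shift 2
    recips=""
    for r in "$@"; do recips="$recips --recipient $r"; done
    # --trust-model always: the demo keys carry no web-of-trust signatures.
    # $recips is intentionally left unquoted so it word-splits into options.
    gpg --batch --quiet --yes --trust-model always --armor $recips \
        --output "$out" --encrypt "$src"
}

# decrypt_file FILE -> plaintext on stdout (any one recipient's key suffices).
decrypt_file() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt "$1"
}

# recipient_count FILE -> how many public keys the session key was wrapped to;
# one ':pubkey enc packet:' line per recipient in the packet dump.
recipient_count() {
    gpg --batch --quiet --list-packets "$1" 2>/dev/null | grep -c ':pubkey enc packet:'
}

# Round trip for one site: write the credential, encrypt it for both people,
# delete the plaintext, decrypt again and print what came back.
roundtrip_demo() {
    setup_demo_keys
    plain="$GNUPGHOME/bank.example.txt"
    enc="$GNUPGHOME/bank.example.asc"
    printf 'site: bank.example user: stonycreek password: ao2taahz8ieNgbu9\n' > "$plain"
    encrypt_for "$plain" "$enc" "$ALICE" "$BOB"
    rm -f "$plain"                  # only the encrypted copy stays on disk
    decrypt_file "$enc"
}

if command -v gpg >/dev/null 2>&1; then
    roundtrip_demo
else
    echo "gpg not found; install GnuPG to run this example" >&2
fi
```

Each recipient can decrypt with only their own private key, so adding a person to a shared credential means re-encrypting with one more `--recipient`; removing one means re-encrypting without them and, in practice, rotating the credential they already saw.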
Wolde you bothe eate your cake, and have your cake?
Enjoy explaining that bit of paper to the DHS when they decide to look in your wallet as you go through airport security.
Congrats, and thanks.
Now I have an oh-so-short dictionary (only 160 entries!) to feed to my favorite password-cracking program. The odds of my success just went from potentially being nigh-impossible to almost-certain.
160? Why are you assuming the password must start on a "word" boundary? I guess you're also assuming it's 8 characters long? So if it's "ao2taahz8ieNgbu9" you'll miss it.
Create a passphrase which you prepend or append to every important password.
Bad idea. You should never use the same password (or part thereof) on two or more systems (that you do not control). In your case, if an attacker managed to get two of your passwords (say to two different web sites) then they could simply compare them and determine your super-secret pass phrase that you attach to all your passwords. Combine that with your list and you're owned.
160 characters * 8 letters = 1280 characters.
Number of one-character passwords: 1280 (actually it's even less but stay with me)
Number of two-character passwords: 1279
Number of three-character passwords: 1278
Number of 100-character passwords: 1180
Number of 1280-character passwords: 1
Total number of passwords = 1 + 2 + 3 + ... + 1280 = (1638400 + 1280) / 2 = 819840 passwords
Not that good, actually. And if you limit password length to 64 characters, you get only 79904 passwords (equivalent to a three-letter password using lowercase, numbers and simple punctuation only).
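The search-space arithmetic in this comment, turned into reusable functions as an added example (not code from the thread or any poster). It uses the thread's model: the attacker concatenates the leaked list (160 words of 8 letters, 1280 characters) and tries every substring, since the password need not start on a word boundary or be 8 characters long; a string of N characters has N - k + 1 substrings of length k. It goes one step further than the comment by also counting distinct substrings for a concrete list, since repeats make the real candidate set smaller still, and by expressing the result in bits. The 160-word list is constructed from a fixed seed and the 43-symbol alphabet is the one the comparison above implies; both are assumptions.

```python
"""Added example (not from the thread): how much does a written cheat sheet
of 160 eight-letter words weaken a password if the sheet leaks?

Model, as argued in the thread: the attacker concatenates the list
(160 * 8 = 1280 characters) and tries every substring. The word list is
constructed with a fixed seed; it is not a real dictionary.
"""
import math
import random
import string


def candidate_count(total_chars, min_len=1, max_len=None):
    """Upper bound on candidates: a string of N characters has N - k + 1
    substrings of length k, summed over the allowed lengths."""
    n = total_chars
    if max_len is None or max_len > n:
        max_len = n
    if min_len < 1 or min_len > max_len:
        return 0
    return sum(n - k + 1 for k in range(min_len, max_len + 1))


def distinct_substrings(text, min_len=1, max_len=None):
    """Exact count for a concrete list: repeated substrings collapse, so the
    real candidate set is smaller than candidate_count() says. Enumerates
    every substring, so keep max_len modest (64 is fine for 1280 chars)."""
    n = len(text)
    if max_len is None or max_len > n:
        max_len = n
    seen = set()
    for k in range(min_len, max_len + 1):
        for i in range(n - k + 1):
            seen.add(text[i:i + k])
    return len(seen)


def bits(count):
    """Search space expressed as bits of entropy (log2 of the count)."""
    return math.log2(count) if count > 0 else 0.0


def uniform_count(alphabet_size, length):
    """Candidates for a uniformly random password of the given length."""
    return alphabet_size ** length


def equivalent_uniform_length(count, alphabet_size):
    """Length of a uniformly random password over `alphabet_size` symbols
    that has the same number of candidates as `count`."""
    return math.log(count) / math.log(alphabet_size)


def make_word_list(n_words=160, word_len=8, seed=1):
    """Constructed stand-in for the leaked sheet: random lowercase words."""
    rng = random.Random(seed)
    return ["".join(rng.choice(string.ascii_lowercase) for _ in range(word_len))
            for _ in range(n_words)]


def leak_report(words, max_len=64, alphabet_size=43):
    """Summarise the attacker's search space for a leaked list, against a
    uniform password over `alphabet_size` symbols (43 ~ lowercase + digits
    + a few punctuation marks, the comparison the thread draws)."""
    text = "".join(words)
    bound = candidate_count(len(text), 1, max_len)
    exact = distinct_substrings(text, 1, max_len)
    return {
        "total_chars": len(text),
        "upper_bound": bound,
        "distinct": exact,
        "bits": round(bits(exact), 1),
        "equiv_uniform_len": round(equivalent_uniform_length(exact, alphabet_size), 2),
    }


if __name__ == "__main__":
    words = make_word_list()
    rep = leak_report(words)
    print(f"{rep['total_chars']} chars on the sheet, at most {rep['upper_bound']} "
          f"substrings up to 64 chars, {rep['distinct']} distinct")
    print(f"~{rep['bits']} bits: like a {rep['equiv_uniform_len']}-character "
          f"password over a 43-symbol alphabet")
    # For comparison, one 16-character password drawn uniformly from 62 symbols:
    print(f"uniform 16 x 62 symbols: {bits(uniform_count(62, 16)):.1f} bits")
```

The upper bound for all lengths up to 64 is the comment's 79904, a little under 17 bits; a single 16-character password drawn uniformly from letters and digits is about 95 bits, which is the gap a leaked sheet of memorable words opens up.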