Best Tool For Remembering Passwords?
StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
Do what I set up for my father, Truecrypt installed to a USB key, passwords in a plaintext file inside the archive.
I agree.
100% security is impossible. Any data you transmit or store on a physical device can be recovered, regardless of encryption. All you can do is make it more costly to recover that data -- the best security makes it more expensive than it is worth.
Given that's true, then all security is a tradeoff. Storing passwords on a piece of paper in your wallet is actually very secure for the majority of people, more secure than you can really hope for without going to extreme lengths.
If you have communications or data that are so sensitive that you really have to go to extreme lengths to protect it, then you need the help of a security professional, not encryption and advice on password management.
So, make your passwords random, different for each thing that requires a password, and write it down on a cheat sheet. Guard that sheet like you would your credit cards. If your wallet is lost, immediately set all your passwords to something temporary then build a new password list all over again.
You could accomplish the same thing using a PGP/GPG encryption key and plain text files. (I prefer to keep each site's credentials in a different file. Other folks use larger files that cover multiple sites.)
GPG is available on almost every possible platform. That satisfies the portability issue. Text files with encrypted ASCII text blocks inside are easy to backup (or can even be printed to hard copy).
Plus, if you have a password that multiple people need to know, just encrypt the text with all of their public keys and email the ASCII text block to them.
Wolde you bothe eate your cake, and have your cake?
enjoy explaining that bit of paper to DHS when they decide to look in your wallet as you go through airport security
Congrats, and thanks.
Now I have an oh-so-short dictionary (only 160 entries!) to feed to my favorite password-cracking program. The odds of my success just went from potentially being nigh-impossible to almost-certain.
160? Why are you assuming the password must start on a "word" boundary? I guess you're also assuming it's 8 characters long? So if it's "ao2taahz8ieNgbu9" you'll miss it.
160 words * 8 letters = 1280 characters.
Number of one-character passwords: 1280 (actually it's even less but stay with me)
Number of two-character passwords: 1279
Number of three-character passwords: 1278
Number of 100-character passwords: 1180
Number of 1280-character passwords: 1
Total number of passwords = 1 + 2 + 3 + ... + 1280 = (1638400 + 1280) / 2 = 819840 passwords
Not that good, actually. And if you limit password length to 64 characters, you get only 79904 passwords (equivalent to a three-letter password using lowercase, numbers and simple punctuation only)
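The counting argument above, carried through as an added example (this is not code from the thread or from any of its posters). It builds a constructed 160-word sheet of 8-letter pseudo-words, reproduces the 819840 and 79904 candidate counts by formula, and then runs the attack the argument implies: hash every substring of the concatenated sheet, shortest first, until one matches the victim's stored hash. The stored hash is assumed to be unsalted SHA-256 as a stand-in for whatever the site actually uses; the victim's password is assumed to be a 16-character run that starts mid-word, as the reply at L16 suggests. The final figures compare the effective bits of a sheet-derived password with a 16-character random alphanumeric one.

```python
"""Keyspace of passwords drawn as substrings of a known wordlist sheet.

Added example, not from the thread.  Assumptions: the attacker holds (a copy
of) the victim's 160-word sheet, the password is some substring of the sheet
concatenated into one 1280-character string, and the target site stores an
unsalted SHA-256 of the password (a stand-in hash, chosen for the demo).
"""
import hashlib
import math

WORD_COUNT = 160
WORD_LEN = 8


def make_wordlist(n=WORD_COUNT, word_len=WORD_LEN):
    """Deterministically build n pseudo-words of word_len lowercase letters.
    Constructed data: each word is derived from SHA-256 of its index so the
    example runs offline and gives the same sheet every time."""
    words = []
    for i in range(n):
        digest = hashlib.sha256(i.to_bytes(2, "big")).digest()
        words.append("".join(chr(97 + b % 26) for b in digest[:word_len]))
    return words


def candidate_count(text_len, max_len=None):
    """Number of (start, length) substrings of a text_len-character string with
    length <= max_len.  For text_len=1280 this is 1 + 2 + ... + 1280 = 819840;
    capping max_len at 64 gives 79904, the two totals computed in the thread."""
    if max_len is None or max_len > text_len:
        max_len = text_len
    return sum(text_len - length + 1 for length in range(1, max_len + 1))


def substrings(text, max_len):
    """Yield every substring of length 1..max_len, shortest lengths first."""
    for length in range(1, min(max_len, len(text)) + 1):
        for start in range(len(text) - length + 1):
            yield text[start:start + length]


def crack(target_hash, sheet, max_len=64):
    """Dictionary attack over the sheet: hash each candidate substring and stop
    at the first match.  Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for cand in substrings(sheet, max_len):
        attempts += 1
        if hashlib.sha256(cand.encode()).hexdigest() == target_hash:
            return cand, attempts
    return None, attempts


def entropy_bits(candidates):
    """Effective password strength in bits for a keyspace of this size."""
    return math.log2(candidates)


def demo():
    words = make_wordlist()
    sheet = "".join(words)                      # 1280 characters, as in the thread
    password = sheet[37:53]                     # 16 chars, starting mid-word (assumed)
    stored = hashlib.sha256(password.encode()).hexdigest()
    found, attempts = crack(stored, sheet)
    return {
        "sheet_len": len(sheet),
        "candidates_any_len": candidate_count(len(sheet)),
        "candidates_le_64": candidate_count(len(sheet), 64),
        "found": found == password,
        "attempts": attempts,
        "bits_sheet": entropy_bits(candidate_count(len(sheet), 64)),
        "bits_random16": 16 * math.log2(36),    # random 16-char [a-z0-9] password
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the sheet-derived password falls in under 20,000 hashes (about 16 bits of work), while a 16-character random alphanumeric password sits near 83 bits. The lesson matches the thread: once the attacker has the sheet, the password's strength is bounded by the number of substrings of the sheet, not by its length or apparent randomness.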