Best Tool For Remembering Passwords?
StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
Keep them on a slip of paper, in your wallet.
but DON'T list what each is for; you can remember that part easily enough
I want to delete my account but Slashdot doesn't allow it.
Passwords in a file that you keep on an external drive locked in a safe? :)
Do what I set up for my father: TrueCrypt installed to a USB key, passwords in a plaintext file inside the archive.
I recommend this three step method:
Step 1) Memorize one very long complex password. Take your time and pick something out that is long enough that someone could watch you type it a dozen times and have absolutely no hope of getting close to it. Use this password to encrypt a zip file, 256 bit AES, with separate text files for each system where you need a password. Never type this password on a computer you can't trust implicitly and save the archive somewhere safe online and on a thumb drive. Update this password list several times a year. Practice mentally regularly.
Step 2) Use the Xmarks plugin with Firefox to gain portable bookmarks and passwords with a fairly complex master password.
Step 3) Pick a password manager that works well for you where you will use it most often. I like KeePass personally. (Much of my work is done from a Windows workstation, so this is a convenience choice.)
The master password file is your personal master backup, in case of a severe event in your life that would let your memory of your other passwords become lost or obsolete. It is what you refer to if you need to decrypt something or recall a password that you haven't used in years. The encryption is expected to remain solid for a long time and it is cross-platform. Xmarks will let you keep your passwords online encrypted and shared between systems and cover your most common needs. KeePass, or similar, will fill in the void for all the other times when you want to keep track of your passwords.
B) Eliminate all the stupid users. This is frowned upon by society.
http://keepass.info/download.html
1password for mac and iPhone/iTouch is a good product
You underestimate the capacity of a human brain to store information.
Just use the same password for everything. I use "1234"... it's the same as my luggage combo.
I have to return some videotapes...
Is your head. Plain and simple. Never write a password down on your hand and NEVER on a sticky note on your monitor. Make at least two or three passwords. One for forum and slashdot and another for banking and secure sites. Use firefox's "master password" lock and set that password to your third password.
The passwords are saved in files and are encrypted, and you can password-protect RoboForm so they can't access your passwords. After saving your passwords in RoboForm, be sure to clear Firefox's or IE's saved passwords. Also get a USB stick and back up all your passwords; it's very easy to do. Then you can keep your master password (to access and edit the encrypted password files) as something you use all the time, like your bank PIN plus some other word as a fudge factor you'll easily remember.
http://www.roboform.com/
Generates reasonably strong passwords that I don't have to worry about forgetting or storing. Works well for me. http://www.hashapass.com/
If you have a mac, definitely get 1password. It encrypts all of your passwords in a database that is accessed via 1 password that temporarily unlocks it. You can have it generate very long passwords on the fly too to make it very secure. It stores passwords from all websites that can be recalled during a session by pressing apple+\ but it locks after a period of time where it asks for the master password. You can also store secure notes, and keychains from applications.
I've used Keepassx for a few years now. It's cross platform (Windows / Linux) and stores the files encrypted. I tried one of Bruce Schneier's public domain solutions previously, but the Linux install (Password Gorilla ???) was rather painful on some systems if I recall correctly.
Just be sure to use a substantial password for the database...
I first saw the link to PasswordSafe from Bruce Schneier's site. If I have to take advice from someone on keeping something secure, it's Bruce.
Memorize an e-mail address and change the @ to a '2'. Instantly you have a 14-20 character password. Use a shorter 8-character password with a number you can rotate for sites you don't necessarily trust (i.e. where an administrator could potentially google your username or e-mail and try out your password at other web sites).
If you have access to any other box, how about a plain-text file there? Even a little security through obscurity (i.e. a hidden file buried in the filesystem somewhere) would be better than letting Firefox automagically fill it in. I guess you could always encrypt the file so you only have a single one you absolutely must remember (shades of Flourish and Blott's losing all those copies of the Invisible Book of Invisibility though).
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
KeePass.
* Stores all of your passwords in a secure encrypted file
* Has auto-type so you don't have to type or remember your passwords
* Has a great password generator tool, so that you can reset all of your passwords to something secure
* Easily transferable password database.
* Can run off a USB stick
I checked it out a month ago on the recommendation of a mate, and have been using it ever since.
It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!
And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.
And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).
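The password-generation step the post above describes (random characters that still fit a site's odd rules) is the part worth seeing in code. The following is an added example for this thread, not KeePass's generator: it draws every character from the OS CSPRNG through Python's `secrets` module, checks the result against a policy object, and rejection-samples until the policy is met. The `make_policy` fields are an assumption about how a site's prose rules get transcribed.

```python
"""Constraint-aware random password generation.

Added example for this thread; not KeePass code. It shows how a generator
can honour a site's arbitrary rules (length window, forbidden characters,
required character classes) while drawing every character from the OS
CSPRNG via the `secrets` module, and how to estimate the resulting entropy.
The policy fields below are an assumption about how such rules are written.
"""
import math
import secrets
import string


def make_policy(min_len, max_len, forbidden="", need_upper=True,
                need_lower=True, need_digit=True, need_symbol=False):
    """Describe a site's password rules (fields assumed for this example)."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("bad length window")
    return {
        "min": min_len,
        "max": max_len,
        "forbidden": set(forbidden),
        "classes": {
            "upper": (need_upper, set(string.ascii_uppercase)),
            "lower": (need_lower, set(string.ascii_lowercase)),
            "digit": (need_digit, set(string.digits)),
            "symbol": (need_symbol, set(string.punctuation)),
        },
    }


def alphabet_for(policy):
    """All printable ASCII (no space) minus the site's forbidden characters."""
    full = string.ascii_letters + string.digits + string.punctuation
    return [c for c in full if c not in policy["forbidden"]]


def meets_policy(pw, policy):
    """True if pw satisfies the length, forbidden-character and class rules."""
    if not policy["min"] <= len(pw) <= policy["max"]:
        return False
    if any(c in policy["forbidden"] for c in pw):
        return False
    for required, chars in policy["classes"].values():
        if required and not any(c in chars for c in pw):
            return False
    return True


def generate(policy, length=None):
    """Rejection-sample a compliant password.

    Uses the longest length the site allows unless told otherwise, because
    length dominates strength. Rejection sampling keeps the distribution
    uniform over all compliant strings; "pick one of each class, then
    shuffle" does not.
    """
    alphabet = alphabet_for(policy)
    length = policy["max"] if length is None else length
    if not policy["min"] <= length <= policy["max"]:
        raise ValueError("length outside the site's window")
    for required, chars in policy["classes"].values():
        if required and not chars.intersection(alphabet):
            raise ValueError("policy requires a class it also forbids")
    for _ in range(10_000):  # a handful of tries suffices at these lengths
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, policy):
            return pw
    raise RuntimeError("could not satisfy policy")


def entropy_bits(policy, length=None):
    """Upper bound on guessing entropy: log2(|alphabet|) bits per character."""
    length = policy["max"] if length is None else length
    return length * math.log2(len(alphabet_for(policy)))


if __name__ == "__main__":
    # The "horrible site" from the post: 6-10 chars, no quote characters,
    # must contain upper and lower case.
    site = make_policy(6, 10, forbidden="'\"`", need_digit=False)
    pw = generate(site)
    print(pw, meets_policy(pw, site), round(entropy_bits(site), 1))
```

A 10-character password over a 91-symbol alphabet is about 65 bits, which is plenty against online guessing and still reasonable against an offline attack on a properly hashed database; the point of the `ValueError` branch is that some real-world policies are self-contradictory, and a generator should say so rather than silently drop a requirement.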
Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!
The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
I've come up with an incredible solution to your problem!
Used condom wrapper: It fits in your wallet. It's easy to come by. Almost nobody will stop to pick up and investigate your used condom wrapper for secret passwords.
Pros:
- It's highly likely to be thrown away by a pissed-off janitor if it is found
- It could be infected with a disease, so people won't want to touch it
- It gives you "this geek may have had sex cred", and believe you-me... That comes in handy
Cons:
- If you keep it in your pocket and it gets washed, you might have some 'splaining to do to your committed girlfriend or wife
Other than that, it's pretty much a perfect idea.
I'll Paypal you an invoice for my time. TIA.
from http://www.cp-lab.com/
Works great, is inexpensive and secure.
We use it at work and can assign different users different permissions.
It's also portable, so you don't have to install it on your computer, you can copy it to a thumbdrive and take it with you anywhere.
First off, when using Firefox, use the password manager. From what I understand it encrypts your passwords with your master password. For everything else, from secure notes and SSL keys to passwords, I use a custom keychain in Keychain, the built-in password manager of any OS X machine.
If you can't fix it ask the 3 year old down the street.
Never ever ever ever (EVER!) store your passwords where they can be retrieved by unauthorized 3rd parties! That includes password storing utilities, scraps of paper under your keyboard, or a little note in your wallet.
Written down, in a lockbox, in a safe, in the floor of your basement, under a rug, in your house that has an active alarm system (that you use), in an armed-guard, gated community is ok. Ok, most of us can be a bit less secure than that, but I don't recommend it. :)
Choose your passwords intelligently. Then they'll be easier to remember.
"W)Wg#jwe9^)SEG" is pretty hard to remember.
"BankPass" is a terrible password, but easy to remember. Don't use it.
"Wh3rzIzM!M0ny?" (Where is my money?) is easier to remember, even though it's a nice secure password. I dare any brute force attack to get that one. :)
For the sake of legacy access (like, when you get hit by a bus, and your wife needs to get into your accounts), make sure a second *TRUSTWORTHY* person knows the combination to the safe in your basement.
Serious? Seriousness is well above my pay grade.
Post-It notes have the distinct advantage that no computer virus or Trojan can steal it.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
I've been thinking almost the same thing for a little while now. One of the solutions I think might work is an IronKey. While remembering passwords isn't so much of an issue for me it will be for my wife if, heaven forbid, something should happen to me.I'd very much like her to have easy access to important information -- things like banking passwords, insurance and retirement accounts come to mind. I'd also probably put scans of important documents on there -- not that you could use a printed copy -- but more of a database to make ordering new documents easier if there was an emergency and those documents were lost. It is also important that it be as cross-platform as possible, since I may not be around to get it to work. :\ I haven't really come across a software-only solution that fulfills most of these criteria.
Opera stores multiple passwords for sites (like say if you have a few gmails). Unlike normally with most built in password managers, Opera allows you to set a master password that prompts you to enter it before it'll show your current passwords for a website. It works sort of like this:
Opera does not store its Master Password in the plaintext format. Moreover, Opera doesn't even store its hash. The developers have chosen a different route: the password along with the salt participates in the encryption of a portion of data and then, to check the validity of the password, it uses the decrypted data hash and the original salt value.
source: http://www.passcape.com/choosing_master_password_decryption_method.htm
I use a variation of the plain text file. I use a file but instead of listing the actual passwords I write memory hints to remind me what the passwords are and not the actual passwords. This does have the flaw that I am using many variations of a few passwords for most of my needs. The hints help me remember what variation of the password is for that site. If someone else got that file they wouldn't be able to make much use of it.
I also use simple throw away passwords combined with mailinator.com for websites/forums that I don't really care about security wise. If I forget the password I have it resent to mailinator.
--
Placeholder for future witty sig.
The first thing you have to realise is you can't be 100% secure. Keeping plain text files isn't that terrible of an idea in all honesty; your scenario of someone stealing your laptop, accessing all your files and looking for passwords is unlikely. Your hardware is much, much, much more valuable to most thieves than your data. I bet most either A) just wipe with a clean install of Windows, B) just randomly check a few sites and give up, or C) scrap your laptop for individual parts. A laptop thief is not usually a tech person. When faced with encryption they aren't going to try to break in; after all your laptop is worth at least $50 on the black market no matter what the data is on there, so long as it boots up it is sellable.
Similarly, few thieves are going to be looking for passwords on old sheets of paper. Most thieves if they break into a house look for A) cash B) jewellery C) expensive-looking technology. Even though it is much more important to us geeks, a thief is going to go for sellable things, chances are your plasma is more sellable than your Pentium 4 tower, your monitor more than your external HDD and your PS3 more than your stack of back-up DVDs.
There is a -lot- more threat from crackers, viruses, keyloggers and other malware than the run-of-the-mill thief getting your laptop.
Taxation is legalized theft, no more, no less.
I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.
It was me, I did it, I moved your cheese
no one mentioned http://supergenpass.com ?
supergenpass hashes the base url with your main password. you can also customize the length of the final password.
it works in every browser (bookmarklet) and you can also use it if you aren't on your computer with the mobile version.
The Firefox automatic password remembering thingy is okay. Not too worried about if the computer is stolen as I have a BIOS password plus there's not exactly enough money in my bank account to be worth bothering with, and my bank system doesn't actually let you do a lot without human intervention. My biggest worry, actually, was if Firefox would ever show me these saved passwords in case I do wish to make an attempt to remember. It can. Cool.
What I can't believe is how many people are giving their best ideas for remembering passwords. Was this a serious question or a cleverly disguised bit of social engineering?
I have to track a lot of personal passwords and also 200+ passwords for client websites, emails, etc. I use Password Safe and recommend it:
http://passwordsafe.sourceforge.net/
Hides when minimised and has a useful function that enables it to copy a password and minimise again when you double click a client name (i.e., if you need their main/default password). Quick and easy.
Used to have Filezilla set to remember client passwords until a PDF hole led to a bot stealing Filezilla's password store and auto-hacking a lot of sites that were a serious pain to clean up.
'Thats they exact same thing a banana wrench monkey.'
ccrypt: http://ccrypt.sourceforge.net/
Another vote for KeePass
Gringotts used to be good. Gringotts saves info in encrypted files. You still need 1 password to decrypt the file, but you can have copies of the file in multiple places. See http://directory.fsf.org/project/gringotts/
--- Often in error; never in doubt!
I've researched this one for my boss, as well as for personal use. I agree that for Mac users, 1password isn't too bad a program.
If you want a *hardware* based solution, I've looked at Mandylion Labs' Password Manager before too.
Personally, I thought the Mandylion Labs solution was overkill for anything less than corporate use, though. Its "strong points" are largely centered around an I.T. staff centrally administering password policies for the keyfob and so on.
Another basic, but potentially effective and useful solution is simply keeping track of your login info in a text document, but maintaining that document someplace like Google Docs. Then, wherever there's Internet access, there's the ability to get to the document and it's platform-neutral. No worries about a computer drive crash causing you to lose all your passwords either.
KeePass is cross-platform: works on PC and Linux. :) Makes it easy to keep different credentials for every site you go to. Keeps passwords in an encrypted file.
http://keepass.info/
The diversity and expression of human opinion is essential to human survival.
Do what every idiot in my office does - use their name.
Sure, I try to change the password policy on the server, but of course management gets mad because they can't use "bill" to login and "bill" for a password.
Just this morning someone was all in a huff that there was an open document on their computer. Well, change the password retard, and logout at the end of the day.
BTW, I'm the sysadmin.
Seriously though, if you really can't remember, try using paper and pen in a very cryptic method so as to not shout "I'm a password list" or use a "base" password and addon specifics regarding the login site, for example, for facebook "billbook," for google, "billgoogle," you know, like the retards in my office.
I use a split solution.
On my desktop running Gnome, I use revelation. It has a handy applet you can add to the gnome toolbar.
You can export your password file to something compatible with PasswordSafe and then do a USB key install on it. Since the file is encrypted, you don't need to worry about people getting access to your accounts if you lose the USB key.
I use Steganos LockNote (GPL, http://www.steganos.com/us/products/for-free/locknote/overview/), it's essentially a self-contained AES encrypting Notepad.
And it's extremely stand-alone/portable, so you can just stick it on a USB stick.
I make my passwords something totally ridiculous that would probably be offensive to most people or certain groups I don't care for, haha. Something like macFanb0ysRghey&. Sure, I remember it, but if there's ever a chance you have to share that password with someone else, you either have to change it or see the person's face look like O.o
A spread sheet kept securely (encrypted file, not excel/etc. encryption but something like PGP or TrueCrypt). There are specific programs for this but I find a spread sheet works better.
Porn star names....definitely, always works for me. Plus, I can then guess other users' passwords much more easily and don't need to bother with those pesky password cracking software. Let's see....jjordan (jana jordan), mistiluv (misti love), brandytal (brandy talore).....
I had to address this same issue recently myself. I'm getting an increasing number of login/passwords. I won't use the same combination on any two sites and I'm in my 30s. I can't remember passwords like I could 10 years ago. For me Password Gorilla was the product that fit all of my needs.
It's Free/OSS, runs on all major platforms, can be run from a flash drive and is compatible with the Password Safe file format.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Create a passphrase which you prepend or append to every important password. Don't divulge that passphrase to any but the most trusted (spouse, family attorney, etc.).
Keep a list of passwords sans the passphrase in a safe but accessible place in case you forget one. If someone finds that list, it'll do them little good since not only will they not know the passphrase, neither will they even know it exists.
I'm assuming you have no state secrets or other seekrit stuff which may be intimidated out of you by other means (pliers, electrodes, etc.).
This question has been asked on superuser.com, with many answers and associated discussion: http://superuser.com/questions/255/how-do-you-keep-track-of-all-your-passwords
Looking around I can see lots of words and phrases, such as
http://michaelsmith.id.au
I have literally hundreds of passwords memorized, yet I cannot match a face to a name without much effort =(
I use a mental hash for my less important passwords. That way all I have to do is look at the web site's name and run it through my hash function to come up with the password for that site. That way, I only have to remember the function and not the plethora of passwords.
Like I'm gonna tell you what I do. . . Don't write them down, don't use the 'remember password' option for bank websites. That is all.
jaz
Life is what happens to you while you are busy making other plans. No-one sees motorcycles
I've been using a VIM password file for seven years now. Just enable encryption on VIM, and it seems good enough; lightweight and works on any machine.
Once you start using a full disk encryption solution like Truecrypt or others, all the "insecure" electronic methods you discussed suddenly become secure.
I'm not kidding...get it here.
I keep an encrypted password file (several copies, actually) that I use with a GPG key. If GPG is good enough for general-use encryption, it's certainly good enough for your password needs.
Firefox has a "master password" feature. Use it, and remember just one password. It'll prompt you for the master password the first time it visits a site that has a saved password.
I like using my brain.
Seriously, how many passwords do you need to remember? 15? 20?
Figure out a reasonable mnemonic for remembering them and do just that...remember them.
Every other tool I've tried has ended up being not available at some point when I needed it (e.g. at a hotel, at a friend's house, on an airplane etc).
I haven't actually done this, but if I had to pick my passwords all over again, I would use a foreign keyboard (my choice would be some type of hangul keyboard), and just pick words that make sense in the foreign language. For instance, if you need an alphanumeric password, you could do something "11tlqdlf" where t = "siot", l = "ee", q = "bieup", d = "digeut" and f = "rieul". Its "11eleven" in Korean.
Or if its one of those bank question/response things, you could do something like "What did the truck say to the bread?" Your response would be "Qkd Qkd" or "bbang bbang".
Or, "What did the bus driver say to the egg?" "rp fks" = "ge-ran" or "get on".
Everyone else here is apparently attempting to answer the question in the title, which is not the actual problem he's trying to solve.
There is an easy solution to the whole 'laptop getting stolen' problem.
It's called TrueCrypt. Encrypt your drive. Put in the password on boot. Use your browser like normal.
If someone steals your laptop, tada, no stolen passwords, because they can't boot your computer to get to them.
If you want to have a USB fob, well, sadly, keyfiles are not supported by system encryption yet in Truecrypt. But there are third party tools that will do that.
Trying to figure out what to 'store your passwords in' is silly. Store your passwords in your damn computer. And then encrypt your computer.
Incidentally, people saying 'Don't write your passwords down' are idiots living in the 1980s, where people had passwords on local files and for local networks, and that was essentially it. It was, indeed, stupid to write down a password next to a computer if the point of the password was to protect things from people physically sitting at the computer.
It's not stupid when it's your bank password or other online passwords, next to your computer at home. Because the security risk is not people breaking into your house and finding your passwords! The security risk is people you have no contact with at all guessing the passwords, and it's much safer to make it a 20 character password that is written down than a 10 character one that isn't.
If corporations are people, aren't stockholders guilty of slavery?
Memorize a single algorithm for generating all of your passwords. For example you might take the first name of a family member, modify it according to a set of rules, and append their birth date also modified by some set of rules. Now obviously you want to use something more secure than family names and birth dates, but you get the idea. With enough creativity, you'll end up with secure passwords. There are several advantages to this method. When you forget a password, you can pull from your pool of initial values and generate passwords until you find the right one. And it's often easier to remember a set of initial values associated with a particular website/etc, than the complex password that you actually generate and use.
http://passwordsafe.sourceforge.net/
Don't know about you but I have to maintain passwords in the hundreds...it is waaay out of control. No way I can try to keep it all in my head. I use password safe installed on an encrypted USB key.
while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
I'm old skool, so I have most of my stuff in KeyRing for PalmOS. There's a jpilot plugin so I can sync and access it from Linux.
Someday I plan to migrate to KeePass, and then have some plugin automatically sync and login with Firefox using some sort of master password.
Also need to make some dead man's switch so my wife can get access to all of the accounts if something happens to me. Right now my plan is to write down my master password with my last drops of blood as I lie face down on the pavement.
Created by Bruce Schneier and perhaps the best app available.
http://passwordsafe.sourceforge.net/
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
I've lately really gotten into using the password keeper on my BlackBerry, putting in various websites and so on. I like it because it's portable, as you switch devices it's backed up and moved, and I pretty much always have it with me. It doesn't integrate with software etc for me, but I'm now in the habit of just throwing new stuff in there. It's quite handy, and free.
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
A trick I learned on Slashdot long ago that has served me well over the years is to use a formula-based password whereby you have a constant formula combined with an application-specific salt. Take this simplified example for web pages, say I wanted a password for slashdot:
1) Take each alternate letter of the server root section of the url: "saho"
2) Append the remaining letters of the url so you now come to "saholsdt"
3) Sprinkle in a bit of your username after every second letter: "sakhodlsadtn"
4) And finally add a few numbers, say the last two letters of the server root converted to ascii: "15sakhodsadtn20"
Hopefully you get the idea. What you end up with is a password that is unique per-site or application but - assuming you use a consistent formula every time - is easy for you to remember. Other than a few exceptions I have been able to store my passwords nowhere else but my head. (Work-related passwords that expire every month have been the exception, the solution for me was to write down nothing but the salt and apply my formula accordingly)
Come up with a system that somehow deterministically transmutates the name of the site or item you're making a password for into something else. For example, a password for Key Bank might be "K3y_b@nk-banking_site" or something like that. Bingo: strong password that's unique to that site, and easy to remember as long as you're consistent. Just don't tell anyone your pattern.
Of course, consistency is difficult when some sites don't allow passwords longer than eight characters, some don't allow special characters, and so on.
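The last two posts, the "formula plus site-specific salt" scheme and the "deterministically transmute the site name" scheme, and the earlier SuperGenPass post (hash the base URL together with your main password) all describe the same idea: derive each site's password from one memorised secret plus the site name. The block below is an added example for this thread, not SuperGenPass's algorithm and not any poster's formula, showing that idea done with standard primitives: PBKDF2 to stretch the master password once, HMAC-SHA256 keyed with the stretched key over a normalised site name, base64 and truncation to fit the site's length limit. The iteration count, the salt label, the `www.`-stripping normalisation and the per-site counter are assumptions for the example.

```python
"""Deterministic per-site password derivation from one memorised secret.

Added example for this thread; not SuperGenPass's algorithm and not any
poster's mental formula. Stretch the master password once with PBKDF2, then
key HMAC-SHA256 with the result over the normalised site name (plus a
counter so a single site's password can be rotated), encode as base64 and
truncate. Iteration count, salt label, normalisation and counter are
assumptions made for this example.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

ITERATIONS = 200_000             # assumption: tune until one stretch takes ~0.3 s
SALT_LABEL = b"per-site-pw-v1"   # assumption: fixed domain-separation label


def site_key(url_or_host):
    """Normalise a URL or bare host to a stable per-site string.

    Lower-cases, drops scheme, port and path, and strips a leading "www."
    so https://www.slashdot.org/story/... and slashdot.org give the same
    key. (Assumption: one password per host is the granularity wanted.)
    """
    s = url_or_host.strip()
    if "//" not in s:
        s = "//" + s               # let urlsplit see a bare host as a netloc
    host = (urlsplit(s).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("no host in %r" % url_or_host)
    return host


def stretch(master, iterations=ITERATIONS):
    """Stretch the memorised master password into a 32-byte key, once per session.

    This is what makes offline guessing of the master from one leaked
    derived password expensive: every guess costs the attacker one PBKDF2.
    """
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                               SALT_LABEL, iterations)


def derive(stretched_key, site, length=20, counter=0):
    """Per-site password: base64(HMAC-SHA256(key, site_key(site):counter))[:length].

    Base64 of 32 bytes is 43 characters with padding stripped, so length is
    capped at 43. Each base64 character carries 6 bits, so 20 characters
    carry 120 bits. Bump the counter to rotate one site's password without
    touching any other.
    """
    if not 1 <= length <= 43:
        raise ValueError("length must be 1..43")
    msg = ("%s:%d" % (site_key(site), counter)).encode("utf-8")
    tag = hmac.new(stretched_key, msg, hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii").rstrip("=")[:length]


def derive_for(master, site, length=20, counter=0, iterations=ITERATIONS):
    """Convenience wrapper: stretch and derive in one call."""
    return derive(stretch(master, iterations), site, length, counter)


if __name__ == "__main__":
    key = stretch("correct horse battery staple")   # constructed sample master
    for site in ("https://www.slashdot.org/story/1", "slashdot.org", "example.com"):
        print(site_key(site), derive(key, site))
```

Two caveats the mental-formula posts share with this code. First, anyone who obtains one derived password and knows which site it was for can test master-password guesses offline; stretching raises the cost per guess, but a short or guessable master still falls, so the master has to be a real passphrase. Second, the output alphabet here includes `+` and `/`, so a site that bans symbols needs a different encoding (for example `base64.urlsafe_b64encode`, or stripping non-alphanumerics and accepting the entropy loss); the consistency problem the post above complains about does not go away, it just moves into the encoder.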
On my Mac, I live & die by 1Password. I resisted putting all my passwords into a single store like it, but once I started, I was blown away by the program.
For my PC at work, TrueCrypt with a spreadsheet inside.
LastPass is definitely nice - it encrypts passwords so that they're not transmitted or stored on the server in the clear. It's also one of the best integrated pieces of software I've used - it generally just does what you want it to.
I recommended it to a non-technical user recently, and she sent me back an email later thanking me because it removed all the mess that she was dealing with before and have her a single launch off point for her web logins.
I do it like this.
I use a super-secret, my wife doesn't know it password for the mission critical life-changing passwords.
For web sites and forums there's a formula in my head, based on the web site name, truncated and a mathematical operation.
If you were to somehow acquire In the IT part of your job only remember the ones you have to; don't try to store or remember your users' e-mail passwords etc., just the one you need to reset their password.
You can use the same formula, for your work related passwords. Keeping a paper list of them in your locked fire-file or safe at work isn't crazy, and the risks of you getting hit by a bus are probably greater than the risk of ninjas breaking in to steal your login info.
http://www.splashdata.com/splashid/index.asp
It's the most important and most used app on my treo (including as use as a phone)
Personally, I use a disk image for the emulator Mini vMac that contains the old MacPGP 2.6 and a text editor. This is easily carried on a USB stick, and can be used on Macintosh, Windows, or Linux computers (and there are other ports). Further, the disk image should work on other Mac emulators. Of course, I'm the maintainer of Mini vMac - this might not be the best solution for other people.
I am no security expert, but for what it's worth, I use a pretty strong base password, which is a couple characters in the middle which vary based on the name of the account. The base password is multiple permutations of some very personal information. So even if forgot my passwords, I could probably figure them out eventually.
I recommend OBZVault. OBZVault is a cross-platform encrypted text editor; with it you can secure sensitive information like passwords, quotes and messages, and access them from any operating system.
We use OBZVault in-house to store all our important company secrets (passwords, PINs, etc.) in a single file that gets checked into our source control system. Using OBZVault we can access that file on any of the operating systems we use (Linux, Mac OS X, and MS Windows).
It's licensed per physical machine, not per operating system, so e.g. a dual-boot Mac OS X and Ubuntu machine will only need one licence.
(Disclaimer: I co-founded OffByZero, the company that produces OBZVault.)
I keep track of all my passwords using a "rootword" system I devised. I started off simply, and have made the system more complex as time passes.
As an example, all my passwords are based off a single, easily-remembered word. Then I complicate the rootword -- i.e., by replacing characters with symbols or numbers so that even in the unlikely chance anyone ever does find out my rootword, they don't know which iteration of characters make up the string of said word. If I choose "banana", then my rootword may end up being "b@Nan4" or "BAn@n@" or "b4n4n@" etc.
Next, I simply add extra characters as identifiers to the rootword depending on the services or sites for which it is used. It may have something to do with the site or service name, the person that introduced me to it, or something completely random that reminds me of it. Thus, my "b@Nan4" may end up as "g00b@Nan4" for a Gmail account.
You'd be surprised at how simple it is to remember a couple hundred different passwords using a system like this.
UNIX: Find it, fsck it, forget it.
Some of us prefer to use emacs to edit our encrypted files...
I *remember* passwords in my head, and hate to admit it but they are short phrases... if I was a Blade Runner fan I might choose "Time2DiE!" for a not so important account.
I *record* as few of my passwords as possible, but at my employer we record all the details in a special area of our CRM system. It isn't very secure, but it works. I prefer not to have any record of my employer's clients' passwords and check the CRM every time - it is embarrassing to lock out the Admin account when another engineer changes the password!
I feel sorry for one customer who needed to give us admin access. His "never tell anybody" password was the brand name and model of a personal electronic device for applying mild electric shocks to sensitive parts of the body... I just HAD to google it!
I've been using this for years. I've tried KeePass, 1Password, etc for weeks each, and kept coming back to Roboform. Roboform is MUCH better than any of these I've tried at filling forms easily/fast - not just passwords, but identity and credit card/payment information. My biggest complaint with it has always been syncing my encrypted roboform directory files between different machines - used live sync, sugarsync, etc - but now they do that also, with a free RoboForm Online account. Data still encrypted, but I can now get to it with my master password and any web browser. (Even dumb phones). PLUS - they've come out with clients for the iPhone. (Have had Palm, WinMobile, Blackberry, Symbian clients for quite awhile). I have full access to my codes, always synced, EVERYWHERE I go. Love it. My final favorite use for this, in addition to the password vault, is for ALL my bookmarks. I got tired of syncing/restoring/losing bookmarks between different laptops, desktops, OSs, etc some time ago - so I now have thousands saved over the last several years into my Roboform repository. I save them (as well as passcards, etc) with a few extra keywords, and use the Roboform search window to very rapidly go to any website (and login if necessary), even when I can't remember exactly what the site was called - pull it up by subject/keyword. A major timesaver. Cost some $$, but not much, and well worth it.
I use a plain old spiral bound address book. I keep it locked in my gun safe, in the same room with a shredder.
i use this too. generates strong passwords for you and then autofills the forms. very nice.
for a long time... it was a little keychain dongle... you push a sequence on the buttons on front and it lets you see the passwords. There are not that many buttons, so if it's stolen don't expect it to last more than a few days, but it'll slow 'em down hopefully long enough to let you change your passwords.
but mine broke :(
vim -x somefile
PasswordMaker.org has a solution that allows you to create passwords using a number of options and hashing algorithms. You use one (or a few) main passwords and then hash those with something specific about the program/application/website you are creating the unique and strong password for. The hash is a repeatable process so long as you can remember the options and password you used to generate it. There are executables, web applications and embedded source code at their site and it is an open source solution. You are not tied to any particular device or program and can create the hashes from any machine in the world.
If you are expecting something here, I don't know what to tell you...
I use clipperz, a free and anonymous online password manager which comes in an offline version too. It is based on open standards, proven encryption technologies, and has no vendor lock-in, and full anonymity.
http://www.clipperz.com/
I like the philosophy behind it and the people who have developed it.
If you use it, please consider a donation =)
I like ewallet by Iliumsoft. Much more than passwords, basically a little encrypted database app. syncs to iphone, windows mobile, blackberry etc... I use it on a U3 drive for portability. And hallelujah it works under parallels on my macs too!
I use password safe, where I keep the encrypted password data file on a thumb drive, and backed up on my home computer. The program helps you organize passwords with categories, one click copy-paste to the clipboard (and clears the clipboard when the program is minimized or closed), and auto-generation based on a specified password policy.
I keep my passwords encrypted on my cellphone, backed up on my PC.
I have multiple passwords with variations to each. I have a code for each base password, there are 6 now, and then I have hints which tell me which one and its variation. A hint might be: scientist silicon doped p-type. Which would stand for Einstein34.
Firefox installed onto a USB stick. Have a single password for everything. If you lose the USB stick you can change passwords quick enough. It is convenient in that you only have to remember one thing. It is secure against key-loggers on infected computers. And you can probably make the usb stick effectively read-only protecting the stick itself. And the whole thing costs like a dollar.
Mnemonic techniques work well, and will help you keep your brain active and healthy longer.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
While you initially discount paper, a folded notecard in my wallet has been the most reliable method thus far. Honestly, when is the last time you've lost your wallet? For me this was eight years ago. Just as you cancel your credit/debit cards when losing a wallet, significant passwords can also be changed. Consider it a security feature. Besides, the slight inconvenience of taking out your wallet for a forgotten password encourages you to remember it (I have a straight-terrible memory, and this has worked).
In these days, bleeps and bloops mean something more
In this way every website has a different password, and not even your closest friends will be able to guess from the hint. And so if a database is compromised or packets are sniffed while you are logging in, only the website in question is affected. If you forget which of your many passwords goes with which site, the hint should help. And if you completely forgot the password, you can look up based on the theme what the password is.
If you are worried that the theme can be easily predicted from the sheet, you can use the position on the sheet of paper, feed it through a formula, and have the resulting number be a number used in determining the word or phrase.
If you are less worried about accessing your stuff remotely, you could do something rudimentary like append what the password is for to the password, run it through crypt(), and use that.
Create a 6 character base password like qaJdkW5 and use it as a base for everything. Then add a suffix for each particular use like quJdkW5G for Google quJdkW5sd for slashdot. You can then add digits to "version" them for applications that require changing passwords on a regular basis. Then all you have to do is remember the base and you can derive the rest.
Try password safe. Choose one strong password to encrypt (via twofish) the entire data base, then choose strong random passwords for everything within. Only one password to store in memory that way.
It can run on a USB key (no registry entries), making it very portable. You can right-click entries to (1) surf to the selected logon page, (2) auto-fill username and password, and (3) hit submit, making surfing nearly as easy as the built-in firefox password manager, but much more secure. Of course, it has all the standard features, like auto-generating random passwords, database search, categories/subcategories/etc. My wife and I both use it and are pretty satisfied.
In the related links, you can find non-windows implementations, making it very portable.
I hope this helps; good luck! -- Paul
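Password Safe's "auto-generating random passwords" feature, mentioned in the two posts above, comes down to a generator that draws from a secure random source and enforces a policy (length, required character classes). The following is an added example of such a generator, written for this page; it is not Password Safe's code, and the character-class names, the symbol set and the default policy are my assumptions. It uses rejection sampling, so the result is still uniform over every string that satisfies the policy rather than forcing one character of each class into fixed positions.

```python
import math
import secrets
import string

# Character classes a policy can require.  The symbol set is an assumption;
# narrow it at the call site for sites that reject some punctuation.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}

DEFAULT_POLICY = ("lower", "upper", "digit", "symbol")


def satisfies(password, required=DEFAULT_POLICY):
    """True when the password contains at least one character from each
    required class."""
    return all(any(ch in CLASSES[cls] for ch in password) for cls in required)


def generate_password(length=20, required=DEFAULT_POLICY, alphabet=None):
    """Return a password of `length` characters drawn with `secrets` from the
    union of the required classes (or an explicit `alphabet`) that contains
    at least one character from every required class.

    Rejection sampling: draw a uniformly random candidate and throw it away
    until one passes the policy.  That keeps the distribution uniform over
    all policy-conforming strings, unlike schemes that pin one mandatory
    character into a fixed slot."""
    if len(required) > length:
        raise ValueError("length too short for the number of required classes")
    if alphabet is None:
        alphabet = "".join(CLASSES[cls] for cls in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(candidate, required):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on the entropy of a uniformly chosen password of the given
    length over the given alphabet (the policy filter removes a negligible
    fraction of strings at realistic lengths)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, satisfies(pw), round(entropy_bits(20, sum(map(len, CLASSES.values()))), 1))
```

Use `secrets`, not `random`: the latter is a Mersenne Twister seeded from a small state and is predictable once an attacker sees a few outputs, which is exactly the wrong property for a vault's generator.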
OpenSource.MathCancer.org: open source comp bio
If you check the website for magic password generator, you'll find a bookmarklet and a form that are browser- and os-agnostic, that comes up with the same passwords the plugin does.
"The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
It sounds like you're describing this: Mandylion Password Manager. ThinkGeek's out of stock at the moment, but you can probably find one elsewhere.
Less convenient than some options since you can't copy & paste. On the other hand, more secure since the list of passwords never gets to the PC's RAM.
Alphanos
As long as you have internet access, SuperGenPass is a great option. It's a little bookmarklet where you type a master password, it will account for the domain you're currently on, and then generate a random password based on both. So, as long as you provide it with the same master password for the same website, it will always generate the same password. And as long as you have access to the internet you can always use it (when you're on the go, try SuperGenPass.com/mobile). I actually use it outside of the web as well. I will just use the name of the application as the domain name.
I don't like to sit. Sitting is for people who like to sit.
It's secure. It's online. It stores more than just passwords. And it's free. 'nuf said.
That doesn't seem to solve his worry about using computers without Firefox installed. Also, even assuming every machine he wants to use has Firefox installed, does this allow him to easily use a password file stored on, say, a thumb drive? I've never tried to use an external password file with Firefox (i.e., one I did not create with Firefox).
I guess he could just keep Firefox portable on a thumb drive, although he'd need a copy for each OS he wants to run it on.
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
are all you need
The question is what tool do slashdotters use? That is part of the problem; backups are the other. I have passwords for myself and all of my clients, so the tool I use (Password Safe) has hundreds of passwords that are not easily retrievable, or not retrievable at all. So I have to keep all of my passwords, but losing a laptop with my passwords would mean more than worrying if someone would get into my bank account. It would mean I have tons of customer passwords lost.
I store all of my passwords on a USB key. The password files are encrypted on this device; it is also my "master copy". When I update a password, I copy the password database to my home computer (unencrypted; I am not concerned about a theft resulting in my password tool being cracked). My home computer is backed up to Mozy. I then copy the update to my laptop (unencrypted).
I have 4 copies of my password files. I can tolerate losing any one of them.
Passpack.com. Actually, the site seems uncharacteristically sluggish at the moment... better be sure to download the offline client and use it to keep a local backup of the DB.
Good enough for personal passwords. For really sensitive enterprise stuff, it may be ideal to use an Enterprise password management product, such as a Passpack appliance (whenever they get to making that), or Citrix Password Manager.
Generally the requirements for businesses include strong encryption, multi-user access, and role-based access controls. Most simple DB methods lack detailed access controls.
Some Enterprise password managers also provide options to allow a user to utilize the password to login to something: from the application, it will launch a browser or ssh/telnet directly with login details filled in.
In some cases, this allows user login without their workstation allowing them to know what the password actually is that is being submitted. Or it requires a separate action be taken to 'see' the password, which generates a special audit record.
That way, if someone's terminated, or stripped of certain roles (and therefore access to certain passwords), it may not be quite as urgent to change them all immediately, or the passwords they actually chose to view can be changed first.
Policy might be for a password to always be changed to a new random password within 3 days of someone clicking on the "show me this password" link. To ensure use of the PWM is for one-time access, and protect against improper practices such as _writing down_ passwords or recording them outside the official DB.
I invented this method and it has worked for me perfectly since then. What I did was to develop an algorithm by which I can reconstruct my passwords based on the website or account. For example:
1) Take the first letter of the website name, e.g. slashdot = 's'
2) Count letters in the website name, e.g. slashdot = '6'
3) Count the vowels, e.g. slashdot = '2'
4) Take the last letter, e.g. slashdot = 't'
5) Add an underscore and a keyword in common to the end of the 4 previous characters, e.g. 's62t_w00t'
Here's another example with google.com: 1) 'g' 2) '3' 3) '3' 4) 'e' 5) 'g33e_w00t'
Be creative with the rules... like for example, if it's a bank account, make all letters UPPERCASE. Hope this helps. Note: the above example is not my PassGorithm :D
I don't know why this hasn't been mentioned, but you can set a master password on your Firefox password manager to make sure that your passwords are kept secure via encryption.
Free means no restrictions; it's ironic that the FSF's GPL forces restrictions, isn't it? What's your definition of free?
www.lastpass.com I store less important passwords, and keep in memory ones for banking, ebay, etc.
It does encrypt the passwords with a master password and having them on a PDA/phone is much more convenient than a file/application on a laptop.
I can't believe nobody mentioned LastPass yet. I've been using this for a year or two now and its awesome.
Works everywhere and fills out the form for you... under IE, Firefox, Chrome, etc... has apps for iPhone and whatnot. Works under Linux, Mac, Windows...
Keeps the password stored on the lastpass servers, encrypted. Can backup easily...
I tried many password managers, this one is easily the best.
Get a Mac. It has had a keychain manager, Keychain Access, since 1995. It works with _all_ password-using programs, not just browsers, and it is beautifully integrated across the system like more and more of OS X.
Make three passwords of differing strengths for various uses. Weak: abc123 (New York Times online, random one-use sites) Medium: m1dd13name (forums) Strong: tw45br1ll1ggreat! (mail, bank) Then just write them on a piece of paper and put that in your wallet. Try to remember them every time, but if you forget, consult the paper in your wallet. Eventually you won't so much remember them as your hands/fingers will remember how to type them in a given situation. Just keep trying and they'll stick.
http://www.tenjou.net/
http://www.clipperz.com/
Clipperz is both a service, and a downloadable webapp you can run on your own server. It's the closest thing I've found that approximates the features of 1Pass (for Macs) on Linux. Now I just need to get a data plan for my phone.
Acts 17:28, "For in Him we live, and move, and have our being."
There's also an add-on called Master Password Timeout. You set a period of time after which it will again ask for your master password when you log in somewhere. The security feature here is that if you get a password prompt without expecting it, you'll know that there's some background code on the page poking into places it shouldn't be. It is also good in a workplace if you happen to leave your browser open while away from your desk. Keeps co-workers from checking your webmail, or bidding for you on ebay. I usually set mine for 15 minutes. You can set it to a really short period if you're particularly paranoid.
The closer you are to the code, the happier you are. - Ancient Geek Proverb
There is a password manager daemon (pwmd), but there is no GUI. Applications that want to use it need to be patched to use libpwmd, which also includes a command line client that can send passwords to stdout to be piped to xclip or whatever.
Blackberry password keeper for low security passwords. High security keypass and ironkey. Top secret stays in my brain. When captured by the enemy, I will only state my username and a/s/l.
I would tell you, but then I'd have to kill you.
Table-ized A.I.
I keep all of my passwords in a file that I encrypt using PGP type software (http://www.gnupg.org/). This means all you need to remember is one password. I found an add-on to vim that makes opening this file seamless when I'm in the terminal. This isn't necessary, but I find it useful. If you're more of a mouse type person, there are lots of free tools for encrypting / decrypting text files using the PGP standard. While it isn't the most fancy solution, it's pretty flexible and there is no risk of lock in, OS limitations, etc.
your brain.
Using multiple passwords will lead to using some sort of tool to store them, and one master password to access this tool. Might as well just come up with a couple of reasonably strong, easy to remember passwords and rotate them between all sites you use. The trick is to never use your passwords on the systems you do not trust, and never register accounts on some shady sites using your standard email and passwords.
What's so wrong with using the opening sentences of books, with a bit of 1337 speak? Take the first part of the opening sentence from James Joyce's "Ulysses":
Change a few letters to numbers, or introduce a misspelling. Even add different punctuation if you want. That'll be pretty strong. Then you can even email yourself a password hint: Joyce, or Dublin, or Stephen, or anything really. You'll remember it, if you're not an idiot. Follow the same pattern with different books for different important sites, and unless the CIA or Mossad is after you, you'll do fine.
/not my password ... or is it?
This is another vote for keepass(x) - but with the addition of Unison to replicate the database everywhere you need it.
Redundancy makes the 'laptop stolen' problem less severe, since you still have your passwords backed up. I'm assuming that there's at least 1 other person here that doesn't really backup as often as they should...
Personally, I'm surprised that some people are advocating 'remembering them all' - I kind of assumed that everyone had a WiFi router, a machine with a root and root SQL pw, and a personal website, and PINs, and ... Also, what about the 'name of your first school teacher' questions : it's more secure if you don't answer correctly...
I use a template that contains some characters along with something that is specific to the website I wish to generate a passphrase then I use md5 and that becomes the password. For sites that have a limit on characters, I just use cut. This is only for public sites like slashdot, digg, etc.
For sites that use SSL, I don't hash my passphrase.
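Several posts above describe the same stateless scheme: PasswordMaker's per-site hashing, the suggestion to run the site name through crypt(), the SuperGenPass master-plus-domain bookmarklet, and the md5-and-cut template just above. Here is one worked version as an added example; it is not code from any of those projects. It keys HMAC-SHA256 with the master password instead of hashing an MD5 concatenation (a swapped-in choice), folds in a version counter so one site's password can be rotated without changing the master, and re-derives until the result meets a common site policy, which is SuperGenPass's trick for avoiding special cases. The host normalisation, the policy rule and the 16-character default are my assumptions, not anything the posts specify.

```python
import base64
import hashlib
import hmac
import string


def canonical_site(site):
    """Normalise the per-site label so 'www.Slashdot.org' and 'slashdot.org'
    derive the same password.  Assumption: the site label is a host name."""
    site = site.strip().lower()
    if site.startswith("www."):
        site = site[4:]
    return site


def _policy_ok(candidate):
    # Assumed policy: starts with a lowercase letter, has a digit and an
    # uppercase letter.  Leading letters avoid sites that choke on a digit first.
    return (candidate[0] in string.ascii_lowercase
            and any(c.isdigit() for c in candidate)
            and any(c.isupper() for c in candidate))


def derive(master, site, length=16, version=1):
    """Stateless per-site password.

    HMAC keyed with the master secret over (site, version, attempt); base64
    of the tag, with '+' and '/' mapped to alphanumerics, truncated to
    `length` (the equivalent of `md5sum | cut`).  `attempt` increments until
    the candidate satisfies the policy, so the output is deterministic for a
    given (master, site, version, length)."""
    label = canonical_site(site)
    key = master.encode("utf-8")
    for attempt in range(256):
        msg = f"{label}\x00{version}\x00{attempt}".encode("utf-8")
        tag = hmac.new(key, msg, hashlib.sha256).digest()
        cand = base64.b64encode(tag).decode("ascii")
        cand = cand.replace("+", "9").replace("/", "8")[:length]
        if _policy_ok(cand):
            return cand
    raise RuntimeError("no candidate satisfied the policy")


def rotate(master, site, current_version):
    """Rotating a single site means bumping its version; the master stays."""
    return current_version + 1, derive(master, site, version=current_version + 1)


if __name__ == "__main__":
    # Constructed demo input, not anyone's real master password.
    print(derive("correct horse battery staple", "www.Slashdot.org"))
    print(rotate("correct horse battery staple", "slashdot.org", 1))
```

The caveat the posts skate past: because nothing is stored, there is nothing to revoke. If the master leaks (a keylogger on a machine you trusted, as one poster worries), every site password is recomputable from the public site names, and the only remedy is to bump the version everywhere and remember which site is on which version, which is state after all.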
How about PasswordVault by Lava Software --> http://www.lavasoftware.com/PasswordVault
They have binaries for Windows, Linux, Mac
There's also a portable version to put on a USB stick that will sync up with the Desktop version.
You can categorize you passwords and it has auto-fill features, amongst other features.
http://www.passpack.com/en/home/
http://www.clipperz.com/
https://lastpass.com/
I have a uniform base password which mixes letters and numbers and punctuation, then for each different password I modify it in a predictable way. From time to time, maybe once a year, I change the base password and the form of modification. I actually picked up that habit after reading it from a comment on Slashdot.
For instance, if the base password is p@ssw0rd, then the password at slashdot might be SLp@ssw0rd and the password at Digg might be DIp@ssw0rd.
For me that's a medium-security way to partially obfuscate a shared password.
Crypto for the file-system. Then store your less than critical passwords in firefox, and/or use a master password system to generate a unique password for each individual site based off a single password. Really important passwords I store in a GPG encrypted file on this crypto partition.
Then I back this stuff up to a server that resides in a secure facility.
Works very well.
Sean
Obviously you could set up something on the iPhone or some other smart phone to record the passwords, then cough them up when needed to type into the browser.
I use 1Password on the Mac and iPhone which works very well for me. The desktop program comes with plug-ins for several web browsers and your password data can be wirelessly sync'd to your iPhone in case you need access to your data on the go.
Write down mnemonics that make sense to you but would be of little help to anyone else. For example, "rabbit food" might remind you of a password like "bbl2e^s". That would be because you based the password on "bugs bunny like to eat carrots"
If you do this right, even someone who finds your list AND knows one or two of your passwords would not be able to infer the others.
GPG is widespread enough that you should be able to find front-ends to it for many mobile platforms; otherwise at the least you can use cygwin to get it running. On a more complex level, gpg lets you add/revoke permission to read the file and also does integrity checking via PKI signatures and signed keys (ie: gpg creates an encryption key pair, then signs it with a user's own public key so they can decrypt it. Any additional user can be added by adding another signed key using that user's public key to decrypt the original encryption key).
-tm
Support TBI Research: http://www.raisinhope.org
I have seen Password Safe recommended in a number of comments and I use it for any "sensitive" passwords. You still need to remember one master password for it, but that's easier than keeping track of dozens of them. I have also found that in using Password Safe I am MUCH more likely to use a stronger password for two reasons. One is I don't have to memorize it and even more important is I don't have to type it. I just copy and paste from Password Safe. Of course, like my Grandfather said about locks, passwords only keep the honest folks out.
I too use RoboForm but the biggest thing I like is RoboForm2Go which is a USB version and very portable between Windows machines. I too tried other password programs but RoboForm have a ton of features.
Now, I don't trust them having my encrypted password file stored on their server which is why I keep it on my USB flash drive. Naturally if I lose it I still have a copy and plenty of time to change the passwords on the websites. I doubt they'll be able to crack the encryption but at least I can plan it if I have to.
If you haven't seen it yet, it's worth a peek. Straight from passpack's site:
...Your data is encrypted on-the-fly before leaving your browser. Passpack uses the AES-256 encryption algorithm, US government approved for classified information, to make sure that only you can decrypt it with your secret Packing Key. Your Packing Key never gets sent or saved to the server, so not even Passpack staff knows it. As far as the world outside your browser is concerned, your Packing Key is a complete mystery. Without it, it is impossible to see, access or use your Passpack account (so don't lose it!)...
You can verify the integrity of the encryption algorithm by looking at their JS implementation. It doesn't have the added protection of key files though...
Trying to install linux on my microwave, but keep getting a kernel panic...
In order to use a unique password for every website and still be able to remember them, devise a secret scheme based on the site name.
An example scheme:
google.com -> 'xgooHoo'
digg.com -> 'xdigEig'
ebay.com -> 'xebaFba'
facebook.com -> 'xfacGac'
etc.
As long as you don't divulge your methodology to anybody, most people won't be able to "guess" your passwords between sites. I've even had friends witness me typing in some passwords in the clear, and they didn't recognize that a methodology was being used.
Of course, if a real dedicated hacker wants to crack your personal code, they would probably have enough information to do it if they had access to a small subset of your used passwords. Though if somebody's really that dedicated to cracking your passwords, most software and hardware solutions are also going to be just as easily compromised.
Given the requirements of many sites today, it's also a good idea to mix some numbers and capital letters into your scheme, so that you don't have to create any 'special case' passwords for the odd super-finicky site.
I use Notational Velocity. It's open source, mac. Make sure you turn on encryption. I'm using version 1.1.1. It's a minimalist application that was written for a user interface class at Northwestern University. The design is as elegant as it could possibly be.
http://notational.net/
vim -x filename
What could be simpler? It's easy, quick, and unless your laptop is stolen by an uber hacker, it's quite safe.
'Impossible' is a word that humans use far too often. -- Seven of Nine
I use my own brain. I continue to surprise myself at how many passwords I can remember, even years later. If I counted I'm sure it would be in the hundreds. And I don't have any special memory powers...
Also, it helps if the passwords you create follow some pattern that only you know but still pass the usual test of being more than 9 characters and both alpha and numeric. It might even help to go further than 9 chars.
For what it's worth, I wrote a password keeper app for myself a while back. I offer it on my website here if anyone is interested (first link). It's just a simple .NET winforms app, but I use the built-in support for AES to store the data using AES 256 bit encryption.
Probably better tools out there, but I felt like this is some pretty heavy data to trust to a random app I found on the internet, and I didn't want to have to sift through a bunch of code in a FOSS app to make sure my password file wasn't getting periodically sent to Russia. Of course by that logic you shouldn't trust me either, which is fine too :-)
If you're using a tool, you're no longer "remembering" :-)
I've used TK8 Safe for the last 3 years. Works great.
I use RoboForm. I have a master PW to protect all my passwords, it will auto-fill websites if I wish it to. (Preventing Keyloggers from being able to log the data)
It has a portable app so I can put it on a flashdrive.
I can copy the data to my netbook from my gaming machine.
It works great with IE, Maxthon, Chromium (the RF flavor of Chrome), and FireFox.
You can manually look up passwords, it has a PW generator, and a notes function to keep track of other important data.
Check it out: http://www.roboform.com/
Passwords I use are different for each site. Something site related, then a standard piece with Upper/lower/special characters, a non-dictionary combo. I checked with a couple of password crackers until I came up with a pretty tough combo to crack. Good enough for me, they're never written down or saved inside a machine. I know the tinfoil hat crowd might take issue but I feel they're pretty secure & they won't be found anywhere except in my brain. I only have to remember the combo & the rule per site.
I also believe some mobile apps exist to store passwords - not too sure how "secure" they are though.
Need an ISP in South Africa?
In addition to recommending 1Password for the Mac, another solution I used for a long time was a list of sites, login names and password hints (you could even have your login name as a login hint, if you wanted). This meant that even in an unencrypted plaintext file, there's no information there that will really make sense to anyone else. I also don't typically use more than three passwords, and I have my own mental rating system as to when each password is appropriate to use, meaning that knowing one of them isn't going to give access to everything.
"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."
Use the same passwords for things that don't really matter (forums, games, that sort of thing) and memorize a small number of strong passwords for more important things: banks, important email addresses, school or work stuff. That works for me at least.
What with one thing and another, I've been having to remember passwords for at least twenty years--and the number has only increased. I use a rotating theme system. Every six weeks or every month or whatever security seems to dictate at the time, I pick a new theme. Successful themes have included: Old boyfriends, cars I have owned/want to own, ice cream flavors, species of birds, dog breeds, former phone numbers and zip codes, lines or words from a song, botanical names, astronomical names, book characters, etc. I then go through and change all my passwords so that they relate to the current theme--with appropriate injections of numbers and punctuation marks. If the passwords are somewhat interrelated, I seem much less likely to forget one. My method isn't foolproof, and I'm sure the security-minded could poke plenty of holes in it. But I've never had to write down a password, I seldom forget one, and I've yet to have one guessed. All I have to do is remember, "Oh. Right. It's 'A Tale of Two Cities' right now."
"Here's what's happening. You're starting to drive like your Dad..." - Red Green
Yeah I agree roboform is the best, it's updated every few weeks for the last 5 years or whatever. The online sync is great, has plugins for all the browsers and even a special build of chrome (chrome doesn't usually support plugins so it's nice to see they recompiled the whole thing with plugins enabled and this preinstalled). Lots of useful features like a configurable password generator, selective form filling... It supports multiple users, you can choose the encryption algorithm, it can auto-logoff by timer or screensaver or whatever you want. I used to review software in my spare time and this one really beat out everything else, it does have a free trial so you can see for yourself. I guess, out of all the software I have, this is my 2nd favorite. I rarely "pay" for software but this one is just updated too often for me to waste time pirating, plus I actually want to support the development.
I've used Roboform for about 3 years now and it works great. I have around 100 passwords stored on it.
It works on the single master password concept and stores the hashed files as text files in the appropriate folder.
It has a USB version for portability (which I don't use)
It also has form filling functions including credit card details which work very well.
You click on the site you wish to visit, it surfs there, fills in the forms, enters the site (in one click)
46137
haha
i wouldn't worry about that, the default is 128-bit AES encryption, as long as you haven't accidentally stored important passwords in the unprotected mode...
Q: If somebody steals my RoboForm Passcard files, can they get into my accounts?
A: If you password-protect all sensitive Passcards and Identities then it will be very difficult. Specifically, all password-protected Passcards and Identities are stored in files that are encrypted by your Master Password using AES, BlowFish or 3DES. So a person who stole your computer or password files will have to break these encryption algorithms in order to get your passwords from Passcards.
As long as you observe these rules, it should be very hard to use the stolen info:
* Password-protect all sensitive Passcards and Identities. Anyone can see and use Passcard or Identity that is not password-protected.
* Make your Master Password long enough and un-obvious enough, so that it cannot be defeated by a simple dictionary attack. Do not use any words or names from any widely used languages, make your Master Password at least 10 characters long.
* Use AES, BlowFish, or RC6 for encryption, they are harder to break than other algorithms.
How to Maximize Personal Data Security in RoboForm.
If you want to achieve the maximum level of security, do this:
* Check "Password-Protect New Passcards" in the "Options -> Security" dialog.
* Make sure that all sensitive Passcards and Identities are password-protected. The Lock icon should be yellow and locked, and the Protected menu item should be checked. Remember that anybody who can read files on your computer will be able to extract your sensitive info from any Passcard or Identity that is not password-protected -- so do password-protect them.
* When you leave your computer, click the "Logoff" button on the RoboForm toolbar so that all entered passwords are purged from memory.
You do all realize that this post could simply be a thinly veiled attempt at gathering sensitive information (i.e. where you all store your passwords)... Just a thought.
put it in the cloud!
THL phish sticks
I agree with the TrueCrypt plain text file, but would only encrypt the file, and instead use Opera Unite to share it between all my web enabled devices. Of course using a fairly simple cipher and a favorite author, band name, song name, etc. it is relatively easy to make a memorable and secure password.
Just use the keychain.
Oh, you don't have a mac? I'm sorry.
If you are on a Mac 1Password is a wonderful app. It provides very similar functionality to the already mentioned Keepass but was much more stable and has an iPhone app. I also found it very frustrating that the various incarnations of Keepass kept changing formats and the like. 1Password, while not free, is well worth the money although you may want to wait for the new version to come out which has some interesting features.
Their site
I'm surprised nobody has brought up Firefox's (and Thunderbird's) master password feature. I believe it uses strong encryption to store all your passwords. Since almost all of my passwords are for websites nowadays, it's great. Of course, I also keep a backup in a gpg encrypted file.
In Soviet Russia, articles before post read *you*!
of all places:
http://www.slate.com/id/2223478/
expandfairuse.org
1 \/\/r4p 411 my p455w0rdz 1n d07z 4nd u53 13375p34k.
I pick a meaningful word to myself. Perhaps something like "Pathfinder," which is one of my favourite Vox amps.
This becomes: .p47hf1nd3r.
On some server you control, in your "projects" directory (or however you organize your hacker life), do an svn checkout of a small branch of some codebase you care nothing about. Add somewhere a README which is chown root, chmod 600. Maintain your stuff there.
With 99.999% probability your machine isn't going to be stolen by a person who can find the interest to read this, or recursively seek for recently modified files blah blah, much less boot into single-user mode to read it. If you need it remotely, you use ssh of course.
(And if you're on Windows, don't store your passwords there at all. Not trolling -- I have several Windows clients I use daily -- but they're just not the same beast.)
SuperGenPass is a good option for online passwords, especially since the website lets you customize the bookmarklet before you download it. Though why there is an option to hardcode your master password into the bookmarklet, thereby completely defeating the security of it, is beyond me. Conversely, the option to have it store a hash of your master password and compare it against the master pass you type in the field is nice... especially if you're like me and prone to typographical errors.
-It is by will alone I set my mind in motion.
I have an enormous amount of personal data on my Blackberry - all encrypted and all safe. If I lose my device, everything is password protected and Blackberry is known for security. I even have a remote wipe utility so I can kill it right away if it's ever stolen. I store all my passwords there, right in the "Password Keeper" application.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
Been using 1Password (agilewebsolutions.com) for several months - nifty browser integration, iPhone app, more portability options.
If you're on a Mac, there are a couple of good options.
The first is the built-in Keychain. It can save application and website passwords, certificates, secure notes and it's all AES encrypted. As it's built-in, the support for it is pretty good with most apps and most websites. You have a normal login keychain that's automatically unlocked when you log in and remains unlocked (by default). You can have additional keychains with various levels of security over and above the login one - have them lock after a period of inactivity, have them lock when the screensaver is activated, have a different password to access them from your login keychain etc. The keychain can also be synchronised between different computers that you use, so if you create a login to a website on one, you can access the password you used on another one. As this works really well, I now use different randomly generated strong passwords for every site I need a login for - eg Bapdageshem9, negTuthsuc5 or EyHepGoyft8 ( apg -n 1 -m 10 -x 12 -M NCL -d )
If you find that the Keychain isn't up to the task there's 1Password. which does pretty much everything the built-in keychain does, and more...
Specialist Mac support for creative pros, Melbourne
All my accounts are in a notepad. Their corresponding passwords are labeled, like "Work password" or "e-mail password". For the passwords that force changes I usually put a number in there and then I'll append "+ 1" or something in the text file. It doesn't give away where the number might be placed or what the password might be.
Master password does not protect you from malicious Firefox plugins stealing passwords stored under Master Password, so it shouldn't be used for access to any sensitive information.
Keepass works well, and has been ported to almost every platform. Win, Lin, Mac, iphone, droid, winmo, even the old fashioned blackberry.
http://keepass.info/
http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/
It is a greasemonkey userscript for firefox. But you can also bookmark their page and use it in IE or Opera.
They have a bash script. There are lots of improvements as well. With zenity you can make a gui for it in linux. There is a Visual Basic program so you can keep it on a memory stick as well.
In a pinch you can even use MD5 and do it yourself: take the first 8 chars of md5("password:url")
vi +
Just put everything in a flat, tab-formatted text file and encrypt it with a decent algorithm, against a strong "line noise" password.
Make a number of copies of the file and put them all on memory cards. Each card should carry several copies of the file (to protect against corruption), and the file should never be stored on any computer. Distribute those cards to safe places around your local area (i.e. one at work, one at a trusted friend's house, etc). Put several copies on a CD or DVD and store that along with another memory card in a safe deposit box, and keep the key to that box somewhere safe but innocuous (hell, your normal keychain is probably enough). Don't tell anyone where that box is kept.
Write the password down, without context, and store it in a safe place well away from any copies of the encrypted file - maybe in your wallet as someone else suggested. Anyone who finds it will probably assume it's just a system password anyway.
on my website. It is safe because there is no link to it from any of the html files and it is always handy. The only access to it is possible through admin.html, which is also linked nowhere, therefore safe.
God's gift to chicks
But they are ones I'll never forget.
And no one else would ever guess.
One is my uberstrong password, the other is for everything else.
Not having them written down anywhere is a big security plus, which I think makes it stronger than changing them so often that you have to "manage" them.
PasswordMaker is a great way to hash a master password with the URL of the website you are visiting. You only need to remember one or a few master passwords and have access to PasswordMaker. PasswordMaker supports several different hashing algorithms as well as lots of other options, so you can customize the security of your passwords.
There's a firefox extension:
https://addons.mozilla.org/en-US/firefox/addon/469
There's an open source javascript passwordmaker for when you are on the road, it runs completely client side - and you can self-host it if you are paranoid:
http://passwordmaker.org/passwordmaker.html
And, there's an Android app in the Market as well.
Try to pick passwords that are easy for you to remember, and hard for someone else to guess/crack. Pick something you remember: a song title, a verse, a Murphy's law, whatever. Then do a simple and easy to remember transformation on it, like picking initials, uppercasing every third letter, or things like that. And if you can put into the mix something related to the site you are using it on, better. Who knows how many people have as a password for Slashdot something like "S:nfn,stm".
And btw, if you have to store them somewhere, you can store only one of the components (i.e. the seed, but not the transformation algorithm), or the start of the phrase or even something that suggests it to you (i.e. "Spock died" to suggest the password ST2:TwoK)
I'll tell you about my password system built around vim, apg and cat.
This system is a variation of the single encrypted file that enables gnarly passwords and user identifications and challenge response answers.
This system has two points of weakness. One is: never print out a reference copy of your decrypted password file to a printer attached to a Windows computer. And as the vim "help X" text notes, a process running as you or root could read passwords while the file is open. The leading risk is a browser java, javascript or browser plugin.
Here is how it works: The vim editor supports ":X" for write a file encrypted with a pass phrase.
That is the key feature this scheme uses.
Steps: On a sheet of paper write out an encryption pass phrase.
Choose a file name for the passwordfile.
Generate a nice big nasty list of passwords using "apg" and "wc".
Set aside a printed paper copy of a complete separate set of passwords to use if you must change passwords due to a security breach.
Here is a big command line to play with:
(/usr/bin/apg -a 1 -n 99 -m 11 -x 14 -M CL; /usr/bin/apg -a 1 -n 100 -m 18 -x 23 -M NCL ) | cat -n
Using the unix ">" direct the passwords into the filename for your passwordfile.
Open the file in vi like "vi passwordfile"
Write the file out using the :X command and using your encryption pass phrase.
Exit and re-open the passwordfile with vi, to ensure you have the passphrase working.
For each password you store in the file, create a text entry like this:
website-url date-established
userid
password
other security information
Every time you use a password from the pre-generated list, mark the password with a mark to prevent any password being used twice.
When copying userids and passwords, use the Linux mouse copy instead of typing. Open the password file in a separate window from the Web Browser. If you figure out a few vi editing shortcuts, getting into the password file, and logging on is a fast process.
For fire safety and disaster recovery, I periodically make a plain text printout of the password file using the vi ":ha" command. As I said: don't print it out on an almost certainly infected Windows printer.
A security issue to watch is: don't mix entertainment browsing with banking or online purchase activity, don't put your passwordfile on a machine that you don't own and control.
The drill if you discover a security breach of this system is: Either somebody got into your account without your password or your Linux password file may be completely breached. Using the spare password file printed on paper noted above, change important passwords post haste.
I keep all my passwords etc. in an encrypted text file on my mobile phone. (During bouts of paranoia I type them in reverse order sometimes.)
I usually sync the phone to my laptop every 1-2 weeks and save an encrypted file on the laptop as well as in my gmail account for backup in case I lose the phone and need to change all passwords etc.
I appreciate all the suggestions to use fixed patterns or algorithms, but the problem I (and I'm sure most of you) run into is that I need passwords for sites that both:
* Require mixed case/special characters/long length
* Don't accept mixed case/special characters/long length
Every pattern I've tried inevitably runs into a new website that demands more or only accepts less, leading to a menagerie of subtle variations and the need to remember whether this particular site needed "PaSSword", "password!", "password5", "PWD", etc, etc, etc.
I have a text file, stored on both disk and USB key, that lists which passwords go with which accounts... then I GPG-encrypt it.
Also, I never use a similar pattern between low-risk sites like message boards and high-risk sites like Paypal and my bank.
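One way to implement the derived-password idea from the MD5 comment above (first 8 hex chars of md5("password:url")) and to see the site-policy problem this poster describes, as an added example that is not any poster's or any tool's code; the master secret, site names, policies and all function names are constructed for the demo:

```python
"""Derived-password demo: an added example, not code from any poster or tool
in the thread.  It implements the idea several comments describe (a site
password computed from one memorised master secret plus the site's name, so
nothing secret is stored) and then shows why the per-site "menagerie" of
policy variations still has to be recorded somewhere.

Assumptions (constructed for the demo): master secret "correct horse" and the
site names "bank.example" / "forum.example".  Function and class names are
hypothetical, not from PasswordMaker, SuperGenPass or PasswordComposer.
"""
import hashlib
import hmac
import math
import string
from dataclasses import dataclass

SYMBOLS = "!@#$%^&*"


@dataclass(frozen=True)
class SitePolicy:
    """What a site will accept; this table is not secret and can live in plain text."""
    max_len: int = 20
    require_upper: bool = True
    require_digit: bool = True
    allow_symbols: bool = True


def derive_md5_legacy(master: str, site: str) -> str:
    """The 'in a pinch' scheme: first 8 hex chars of md5("master:site").

    8 hex characters carry only 32 bits, and md5 is fast to brute-force, so a
    leaked site password lets an attacker try master secrets offline quickly.
    """
    return hashlib.md5(f"{master}:{site}".encode("utf-8")).hexdigest()[:8]


def _meets(candidate: str, policy: SitePolicy) -> bool:
    """True if the candidate satisfies every rule in the site's policy."""
    if policy.require_upper and not any(c.isupper() for c in candidate):
        return False
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        return False
    if not policy.allow_symbols and any(c in SYMBOLS for c in candidate):
        return False
    return True


def derive_hmac(master: str, site: str, policy: SitePolicy = SitePolicy()) -> str:
    """Deterministic site password from HMAC-SHA256(master, site), shaped to policy.

    Bytes are drawn from an HMAC keystream and mapped onto the allowed
    alphabet with rejection sampling (no modulo bias).  If the result misses a
    required character class, the next keystream segment is tried, so the same
    inputs always produce the same password.
    """
    alphabet = string.ascii_letters + string.digits
    if policy.allow_symbols:
        alphabet += SYMBOLS
    limit = 256 - (256 % len(alphabet))  # reject bytes >= limit to stay unbiased
    key = master.encode("utf-8")
    for attempt in range(256):
        chars = []
        block = 0
        while len(chars) < policy.max_len:
            msg = f"{site}\x00{attempt}\x00{block}".encode("utf-8")
            for b in hmac.new(key, msg, hashlib.sha256).digest():
                if b < limit:
                    chars.append(alphabet[b % len(alphabet)])
                if len(chars) == policy.max_len:
                    break
            block += 1
        candidate = "".join(chars)
        if _meets(candidate, policy):
            return candidate
    raise ValueError("policy cannot be satisfied with this alphabet")


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    master = "correct horse"  # constructed sample master secret
    bank = SitePolicy(max_len=12, allow_symbols=False)  # constructed bank rules
    print("md5 legacy, bank:  ", derive_md5_legacy(master, "bank.example"),
          f"(~{bits_of_entropy(8, 16):.0f} bits)")
    print("hmac, forum:       ", derive_hmac(master, "forum.example"),
          f"(~{bits_of_entropy(20, 70):.0f} bits)")
    print("hmac, bank policy: ", derive_hmac(master, "bank.example", bank))
    # Same master, same site, different policy gives a different password:
    # the policy table is what the poster above still has to keep track of.
    print("hmac, bank default:", derive_hmac(master, "bank.example"))
```

Run it twice and the outputs match, which is the whole point of a derived scheme; change the bank's policy and the bank password changes, which is why the per-site rules must be written down even though they are not secret.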
Post-It notes have the distinct advantage that no computer virus or Trojan can steal it.
Yes, that's perfectly safe, until you have to type it into a computer for any reason.
I had this problem myself for many years, additionally compounded by the fact that I used many different operating systems. However I still wanted a safe and secure central place to keep all my passwords and important details. In the end I helped write one myself -> OBZVault. OBZVault is cross-platform, very easy to use, and secure. You can install it on your machine, or even a keychain and take it everywhere with you. Hope that helps.
I have a mile of stupid passwords. And a couple of weeks ago, because I'm a giant dork, I infected my system with a rootkit through a daring act of extreme idiocy. So I had to go and change all of those stupid passwords to new stupid passwords because I had no idea what the heck that rootkit was looking for or was capable of doing. It's like losing your wallet and having to cancel your credit cards. Fun times. I flushed a lot of old favorite memorized passwords down the drain. -Which, all things considered, is probably a pretty smart thing to do periodically anyway.
But man! What a world, eh?
I did a bunch of reading on how rootkits and viruses work, and the amazing thing is that it's pretty much impossible to have a world where there won't be enough jack-asses to fill the available space with toxins and general bullshit. It's just the way things are. There will always be a jerk out there trying to screw you over; a humanoid extension of a disease vector. When I take several steps back, the internet really is looking more and more like robust biological environment with diseases and antibodies acting one another, where evolutionary forces are playing at full tilt.
I wonder how long it will take at the rate we're going for somebody's computer to sprout limbs and crawl from the seamy depths of the web.
I keep my passwords in an encrypted container/folder which I keep redundant copies of in various places and only open up when I forget how to log in to something, which since a couple of weeks ago, is bloody frequently.
It's flu season? No shit.
-FL
Type your passwords and send them to your own gmail. But instead of giving it the subject "passwords", call it kimJong1L, which acts as a strong password for searching in gmail.
With over 500,000 mails in your account, no one will find it in time even if they have your gmail password. But for you it's just 1 click. No need for paper. The only time you need your password is when you have internet access, and when you have access, you can gmail.
tata.
Combination of Firefox with master passport (for password encryption) and Weave (for passport syncing/backup) works for me...
http://mozillalabs.com/weave/
http://www.angel.net/~nic/passwd.html
I use a text file that I keep on a USB stick, copy lots of places and encrypt/de-crypt with OpenSSL. It's native to so many systems, and can pretty easily be installed on anything that it isn't.
(First switch to the Bourne shell or something else that doesn't keep a command history, dummy!)
You can even kick the security up a notch.:
Let the reactionary flaming begin!
-CR
"So is the BSD licence even more 'free' (than GPLv2)? Yes. Unquestionably." --Linus Torvalds (TinyURL.com/2vugzl)
https://online.roboform.com/ http://www.roboform.com/pass2go.html
I put mine under my keyboard on a sticker!
been playing with pip.verisignlabs.com for password protection. Nifty browser interface, multiple layers of security...
The way I handle passwords is I developed a code based on the name of whatever I am assigning the password to. That way you don't have to remember a hundred different passwords, just one code. Use different indicators such as colors, letters and numbers based on the item. Ex. gmail password = 5GLmai: the password is 5 for the number of letters, first and last letter together capitalized, then the middle letters together lowercase.
Sorry, but it is NOT hard to guess. I guess Ngbu9E. See, it is not that difficult after all.
I just use a memo on my BlackBerry Bold. I use the highest built-in encryption on the phone and it locks itself every 15 minutes. For those not familiar with BlackBerries, a password attempt can only be made 5 times and then the device wipes itself.
I back the phone up at least once a week, so even if I lose the phone I can easily reinstall my entire profile to a replacement, and the phone is never far from me.
Maybe I trust in RIM too much, but it seems like security is pretty important to their business model.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
My preferred password solution is still KeyRing (http://gnukeyring.sourceforge.net/ ). It satisfies the requirement that it is a non-connected device and that the data is stored in strong encryption. A similar application for a mobile phone would be a next best. At least until someone writes a keylogging virus for the mobile phones and then steals your data. But that is much more likely to happen on Windows.
As a student, I have many textbooks on/around my desk. Every month I pick a book and open to a chapter (normally the chapter corresponding to the month). I use the first letter of each word, capitalization and punctuation included, of a sentence. Since most of textbooks are engineering related, the sentences are rich with numbers, so this method allows for an endless supply of complex alpha-numeric passwords. All I have to do is remember the book (or the sentence).
I really enjoy the fingerprint readers from UPEK (http://www.upek.com/).
The device knows my passwords, and I can log into sites with just a finger swipe.
It is both faster and more accurate than typing a password (no typos... re-try is just another finger-swipe if it didn't read properly).
You can unplug the USB fingerprint reader and keep it separate from your computer if you want to be extra paranoid.
One thing I started doing was using passwords from languages that were not my native tongue, and then L337 encrypting them mentally. That is, there are a few particular phrases I find in latin to be absolutely wonderful to say. Same thing goes for a few sayings I know in Navajo, Roman, Spanish, and Greek. I don't know the full languages by any means, just some cool sayings and phrases I picked up from literature and poems and the like over the years. By ensuring that I use non-native language (read non English) passwords, I ensure that there are only so many options that I could have used for the password. Since the words come from less than common-place languages, they are very rarely found in any dictionary files. All I have to do is transcribe some of the common letter, mentally, like a = @ or S = 5 and before I know it I have all sorts of permutations on a very small set of base words that are not common enough for most people to try to guess.
I know it's not a password tracking system like you asked for, per se. But by knowing that there are only a few base words that I use (from a few dead languages and a few live languages) I can easily track that base set and go from there. It's also a fine mental exercise....
Motorcycles, Robots, Space Gossip and More!
Use Lastpass. Works cross-browser, cross-operating-system, the passwords sync automagically between computers, but the encryption's all done client-side.
RoboForm in windows 1Password for mac.
Two tricks I use to hide passwords are to use short forms, eg "A7" might expand as "ABD968017", and a general "salt and pepper" table. These are all unrelated to what is typically discussed. Note also that a7 expands to "abd968017", so some case can be preserved.
In a salt and pepper table, one uses an intermediate table that is easy to recall, but need not be written down, and is not common knowledge. An example might be "husbands and wives", so a password displayed as "John" might be entered as "Yoko". Another kind of table might be "middle names", so "John" would elicit the response of "Winston". Note eg, jOhn gives yOko or wInston, so you can hide case in here too.
The less obvious you make the salt and pepper table, or the more unobvious the abbreviations, the more secure the table, even if the reminders are kept in plain text (plain text in an unobvious application also deters automatic gathering. Who would look for something like a .DOC file? They might have some fun when the downloaded document is a MultiMate doc!)
OS/2 - because choice is a terrible thing to waste.
You could always lock your machine, and set the screensaver to lock after a period of time. It's a much better solution.
And runs on most popular OS.
Maurice W. Hilarius Voice: (778) 347-9907
Don't write it anywhere. The only safe place to store the passwords is your brain. Make a scheme to generate a strong password using mnemonics. When you look at the screen to type the password, you should be able to determine the correct password. In your password generation scheme make associations between your 'salt' and the system that prompts for password.
Sudheer Satyanarayana
www.techchorus.net
I concur. On some Firefox versions I think there was a separate box "encrypt passwords". Use it. Apart from ease-of-use, this method is proof against keyloggers (since you are not actually typing the website password). It also makes it less of a headache to use a different password for each website. The question you should ask is, "Do I trust molewhacker.com with my day-trading password?" and so on. I recently changed most of my online passwords to unique random 20-character strings - only the odd glitch where a site truncated it, or did not accept certain punctuation. To be sure, it's a pain to transfer them to a different computer (I use a GPG encrypted textfile), and my bank uses a method that the browser won't remember (so it still has a short more memorable passphrase...)
http://www.fpx.de/fp/Software/Gorilla/
The only problem I have with Clipperz, is that it doesn't automatically log me off their site after say, 5-10 minutes or so. So I switched to www.passpack.com.
The idea of logging into passpack Clipperz (or whatever web-service), having all my accounts and passwords unlocked, while I was at work in the office, where my colleagues might access my workstation when I got up to take a leak... That's the stuff of nightmares I'm trying to avoid for sure. So I use passpack instead.
When I am at home, I can stay logged in longer, it is my choice.
Other features I like are 'sharing' passwords with other passpack account holders, and the secure email of passwords (via web-service links).
Yeah, I know it sounds daft, and it is perhaps a rather naive scheme, but what I do is keep them on my mobile. That's mostly for PIN numbers, though; I store them as false telephone numbers. I don't use the so-called "secure" style of passwords, I write them too many times every day for that to work; I need something that is reasonably easy to type.
I've been waiting to try out cpm (console password manager), http://www.harry-b.de/dokuwiki/doku.php?id=harry:cpm , for quite a while now. However, there's still no working version for my Debian :(
Hey! That's my sig you're smoking there!
I memorize em... nuts I know, but it works.
Check out Keepass and KeepassX ; both open source password managers.
Remember one master password, link it with an external password file and no one will be able to view your gems .....
You can even put your pincodes, cards and other sensitive stuff in it.
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
As already noted, KeePass is great for Windows. There is also KeePassX for Linux which uses the same file format, so you can move the password database around easily if you use both operating systems.
Look around your office and read random words off of random things in plain view. Incorporate these into your password. If you forget a password, just look around the room and you'll have mnemonics built into the decor. Just don't get lazy and type literally exactly what you see. Use it as the basis for your passwords, only.
You see? You see? Your stupid minds! Stupid! Stupid!
Talking about passwords and LastPass not being in a Score 5 comment is insane.
I used several password solutions over the years, like a password like SlashDotIsGod*****, where ***** is something unique about the site like the first 5 chars of the web address. That way you don't have to remember really long unique passwords but still have a long unique password for every place.
After that I tried KeePass and others like it. The bad thing is that if I go away from my computer I have to sync it to a USB stick. And in some places you can't use it (like public libraries, iPhone).
So I found LastPass. And it's insane how easy my life has become. It can auto fill (and auto login) on sites, it automatically recognizes forms and logins. It works in multiple browsers, IE, FF, Chrome. And if you can't have a plugin you can access it by a webpage to receive the passwords.
It's extremely easy to use but still as powerful as any other solution. Even my mother, who can't remember from one day to another if instructed how to do things on a computer, can use it. Still, I have it generate 12-20 long passwords (depending on place) with numbers, special chars if needed.
I just sync the passwords to my KeePass once in a while to be on the safe side (never trust a single point of failure).
For a ton of more information visit lastpass.com
http://www.vim.org/scripts/script.php?script_id=2012
It handles de- and encryption transparently.
I use this for storing all my passwords; it's simple and needs no install, meaning you can run it from a USB key! Password Corral http://www.cygnusproductions.com/freeware/pc.asp With regards to getting around the path location issue, simply use . to tell the prog to look in the current directory.
because ... half the Internet knows about your passwords now by going to their favorite porn site
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
I have taken to choosing one really strong password that I use for everything. But I add a two-character prefix to each one that corresponds to what the site/service/application is... For instance, let's say my base password is 4n4lr4p3! That means my login for Slashdot is really sd4n4lr4p3! ...and my login for Google is go4n4lr4p3!
1. As everybody suggested, KeePass is a good option.
2. text or html file encrypted with gnupg (use symmetric key encryption, and then remember a passphrase/password). This is what I use.
3. firefox has a built in password manager, so you only have to remember one password
4. KDE 3 has kwallet, a password manager that integrates to KDE applications. I don't know if KDE 4 has it, as I'm trying to stay away from that.
5. There are several applications for PDAs/mobiles for password management. Have a backup somewhere else in case you drop your cellphone in the toilet.
Been using Exile ( http://www.codeproject.com/KB/applications/Exile.aspx ) for a couple of years and it's been of great help. Only have to remember 1 hard password now :)
Once you start using a full disk encryption solution like Truecrypt or others, all the "insecure" electronic methods you discussed suddenly become secure.
Amen to that - for what the original poster asked for, this is the best solution by far. Remember that passwords are not the only sensitive data on your drive - whole disk encryption will protect all of your data. Combine this with an autolocking screensaver and some other basic security precautions (keep your OS up to date, never leave your computer unlocked, keep the FW up, don't load random software from the internet without a sandbox, etc, etc) and you have REASONABLE protection. Is it foolproof - no. THERE IS NO FOOLPROOF SECURITY. Security is a game of "cost of intruding" vs "worth of data". As long as you keep the "cost of intruding" higher than the "worth of the data" - you are reasonably protected.
One catch though - last I checked Truecrypt does not support Linux for full OS disk encryption. There are other, less simple, but probably as secure (if not more) solutions for Linux.
Alternative to this is running PortableFirefox from an encrypted disk/usb/partition/file.
-Em
RelevantElephants: A Somatic WebComic...
....Solaris? .... my mobile phone? .... my PDA?
Should I go on?
IANAL but write like a drunk one.
I suppose that needs a bit of explaining for you.
IANAL but write like a drunk one.
I understand that reading Slashdot is done quickly and under pressure (you should be working after all), so I wonder what kind of service people provide to their customers/users/business partners when they can't adhere to the specifications of a given request.
First of all the questioner specifically says that he has bad memory, so point number one of your reply is out of context already.
Then later on he says he does not want a solution tied to Firefox, but then you helpfully proceed to tie a solution to Firefox.
Wakey, wakey!
IANAL but write like a drunk one.
... because you are not reading what the poster is asking.
IANAL but write like a drunk one.
"Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky"
Which other helpful advice do you have in offer?
IANAL but write like a drunk one.
I have hundreds of books on shelves in my house. In one of them, on a particular page, all my user ids and passwords are written down.
And I know what you're thinking - but if my house burns down, finding my passwords will be the least of my worries...
They will never know the simple pleasure of a monkey knife fight
http://keepass.info/ we use it at the company i work. It offers some safety in keeping your passwords together and secure.
Random
I'll keep pointing out replies like this until people get it (i.e. maybe never)
IANAL but write like a drunk one.
I use the password keeper application on my blackberry. It allows you to create entries for each of the sites, for which you want to store the password. You can store the website name,URL, username and password. Access to the application is password protected. So you have to remember only one password.
This makes you liable for bank and credit-card losses should you lose your pin or bank passwords this way. You will be surprised how fast some thieves can be. A security chip may slow things down to be theoretical, but you're still liable if you lose it together with your paper.
You could obfuscate the passwords in a code language though, and most banks have some simple systems they promote.
It should never be stored on a computer that is network accessible, although I'm sure you're not that liable for the misuse unless you have been found extremely negligent (but how to prove innocence there?)
Most banks are cool though, but people have lost tons of money, and it has happened that the banks have said it's your fault. That's very bad.
or the other way around: if you use Firefox without a master password, you should be worried because it's very easy to go to the menu and see all your user/passwd combinations.
on windows, just right-click on the password file and encrypt it.
C:\Users\{USER}\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXX.default\signonsX.txt
Do it once and don't worry about losing your laptop.
Let me Google that for you...
I've seen some pretty rubbish SlashDot questions, but this really takes the cake. 5 minutes of Google searching would have revealed Password Safe, Keepass, and all manner of other free secure password databases / keyrings.
Written down, in a lockbox, in a safe, in the floor of your basement, under a rug, in your house that has an active alarm system (that you use), in an armed-guard, gated community is ok.
But why would you want the Vogons to find your password list?
My bank gave me a Digipass. It's a small calculator thingie that generates numbers once I put in a PIN, and I assume the bank computer keeps track of all the Digipasses and knows what number to expect from me (each Digipass has an ID and similar). So a potential thief needs my PIN and my Digipass in order to use my home banking account. I think this is as safe as it can get (it feels a lot safer than carrying around a credit card). And for the rest, keep it simple. Do you really have access to critical data? If not, think of a long full phrase for each pass: "ThisIsMyPasswordForThisInterestingWebsite". Obviously, you can make variations of this, combine it with the pwgen program that someone mentioned earlier and so on. It should be safe enough. If you do have access to critical data, it gets complicated. You could however apply a few permutations to a full phrase, and remember the permutations in addition to the full phrase.
Allowing firefox to fill in the passwords for you is daft, but not if you use a master password. Then you only really need to remember that one password
I created a directory for web passwords, and I create a new text file for each site that I register with, using the GRC password generator. The text file includes email, username, and password. This directory is encrypted by TrueCrypt and opened each time I login.
I'm gambling that 1) I'm not a high-profile target for hacking 2) my firewall would add difficulty to any attack 3) malicious software wouldn't get installed 4) malicious software wouldn't be smart enough to find the directory and parse its contents.
The advantage of this approach is that each site has its own very good password.
I've discovered that many sites have short password length limits, which are not disclosed on registration. It's frustrating to register with a long password, only to find out later that the site truncated it. This means that I have to figure out where it was truncated, or I have to reset the password and enter a new one.
I've been using something like this for a while
http://www.angel.net/~nic/passwd.html
basically it's md5(websiteUrl + masterPassword) which creates a nice random string to use as a password. If one of those sites gets hacked or one of the passwords gets found out it's no biggie because each site has a unique password (if your master password gets found out then people might be able to guess at some of your logins tho)
I still let Firefox store my passwords but I keep them protected with a master password. Sure someone could brute force it but I don't save my bank passwords with it.
pwsafe
Or, you know, remember them :)
Mod this guy up, original thought here!!!
I use RoboForm. It's not free, but does the job well
FWIW - I use SPB Wallet to hold passwords etc. I normally prefer OS stuff, but made an exception in this case since it syncs with (and runs on) my Windoze More-bile phone and integrates well with Firefox. Comes with password generator, can capture and auto-fill login pages, auto cleans out clipboard if you've copy-pasted data and is a general encrypted database that stores all sorts of info. I have no idea how well it actually does in terms of leaving traces etc, but it works nicely for me, keeping my phone, work PC and home PC synced up whilst being very convenient in terms of browser use.
I use Keepass and then sync the file to a dropbox folder, then I have access to it from outside too ... :P
I used to use 3rd party encryption and password keeper tools, until one of the paid apps I relied on introduced a bug in an update that corrupted the encrypted data. If you are well versed in IT you probably know what that means, but for the regular folk out there I'll spell it out: Your data is unrecoverable, forever, if an encrypted file becomes corrupted even by a small amount. So, Rule Number One:
BACKUP YOUR ENCRYPTED DATA
If you use a password manager, know how to find the password file and know how to back it up, how to recover it, how to use it on another system with the same tools installed.
Bitten by that bug, where everything I could not re-create from memory was essentially gone, I looked once again at the tools the OS provided me.
Using OSX's system-wide Keychain support and utilities, I created a user keychain, set a robust password on it, and created appropriately titled secure notes. All my login credentials, all my banking info, all secure data is stored there. You can back it up, you can carry it on a USB drive and use it on another Mac, you can sync it across multiple machines. The text formatting abilities are rudimentary, but I can live with it.
It's encrypted and unusable by anyone who does not know the username and password of the owner, and isn't visible to other users. It has OS and OS-vendor level support, and that same level of troubleshooting and testing ... it works and obscure bugs, if there are any, will be found and fixed (in the case of my paid app, the developer just gave up and left us all staring at empty wallets and useless apps with unusable data).
The latest version of FileVault (10.5 or later) has had major improvements. I never had problems with FileVault on my laptop going back 7 years, but others I know have. The later version encrypts in 10MB sections, and therefore if there are issues (eg drive or data corruption), most of your data will be recoverable. It's also much faster since it only deals with changed data during certain normal operations (eg recovering free space).
SuperGenPass is a good option for online passwords. especially since the website lets you customize the bookmarklet before you download it. though why there is an option to hardcode your master password into the bookmarklet, thereby completely defeating the security of it, is beyond me.
Maybe it is to cope with URLs that change. It doesn't happen often, but it does occur occasionally, and when it does, poof! There goes your password hash. Bad news if it's your banking site that's just done a major upgrade (I've seen this twice, once on my trading account, once on my online banking account). That said, for financial matters I use a unique password, handwritten on a sheet of paper and stored in a locked filing cabinet. If for some reason I do forget the password, I can go home and get it.
Password hashing is nice, but it will break when web pages move or reorganise.
Several posters have proposed using a simple-but-obscure algorithm to generate passwords. I like this idea, for its sheer portability: no need for a USB key, or a special password management program. Other posters have also proposed interesting ideas - like starting from a meaningless fixed text and constructing a password from it.
There is just one problem: <rant>What is it with those sites that "know better"? Your password must contain at least one capital letter, 2 digits, 3 special characters and four donkeys. Or else: your password may not contain any of the characters ./*,:;_ etc.? The fact that every such idiotic website has a different set of rules makes any sort of 100% consistent password management impossible.</rant>
Sorry, just had to get that off my chest - having just yesterday been forced to create a password outside my system, because of some nitwit's idea of security. To add to the "amusement": it was a credit-card company. You know, the guys who invented that ultra-secure secret number printed on the back of your credit card.
I use http://keepass.info/
Does everything I want it to do.
1. You still don't have the 160 entries because those are not the ones _in_his_wallet_. Even if you crack his computer, you still don't have his passwords.
2. Even if you crack his computer _and_ get his wallet, you still don't have
A. What this password is for (his bank account? stock account? which web site?)
B. His user id.
C. Which of those 160 entries it is. And by the way, good luck when the system locks you out after 5 failed attempts.
The best tool for remembering passwords I thought would be obvious: your own memory. This is an article about the second best tool for remembering passwords. Unless of course folks don't trust that there aren't mind readers out there lurking in the shadows, waiting for you to think of your password. Of course there is software you can learn to encrypt the passwords in your mind...
Anyone considered a web-based system? (preferably run on your own server, naturally).
This one looks interesting: http://www.alexanderinteractive.com/blog/2009/08/mortimer-password-manager-redesigned-v12.html Uses PKI thoughout so everyone can have their own "copy" of individual shared accounts without divulging your personal passwords to other users of the system.
I try to remember them all, but if I had to store my passwords, I would make a text file, and store it into an encrypted 7z compressed file (AES 256, maybe it's weak). Of course, you would need a master password.
- 7z doesn't need an install, so you can put it on a USB stick with your password file, if you want to carry it.
- 7z is cross-platform
7z or anything with those kinds of features and ease of use.
I also use KeePass. If you're feeling adventurous check out http://passpack.com/ Passpack is good for passwords you might need when you just don't have access to a KeePass program but do have access to a browser and internet connection.
BRAAAIIINNSSS! ^^
Oh you mean outside your head?
Very simple: A password!
Or more exactly: A password-protected thing that stores your other passwords. It can really be anything. I use KDE's KWallet.
And Firefox's password manager, encrypted and protected by a master-password (which you can set in Firefox's own settings dialog, if you had looked there for even a second!)
(Firefox sadly needs a lot of manual scripting hackery to integrate into KWallet).
But really, anything password-protected and encrypted is good enough. Even a text file, if it's on an encrypted drive on a USB stick.
There are tons of possibilities. Use whatever suits your needs best.
Create more associations. Some abstract pictures are a good thing.
I know these are Windows apps, but still very useful free apps: Steganos Locknote: http://www.steganos.com/us/products/for-free/locknote/overview/ Steganos Password Manager: http://www.steganos.com/us/products/for-free/password-manager-free/overview/
Important passwords should be long, random and not written down.
For each password, make up a set of cryptic crossword clues, preferably making obscure references to things from several different aspects of your life.
Additionally, make them really evil cryptic crossword clues that don't quite give you enough information (but enough to jog your memory).
I've used everything from the slip of paper in the wallet to encrypted files on the pc.
My current choice is SplashID Desktop/iPhone
This app runs on the iPhone, Windows and Mac and syncs wirelessly between the iPhone and the desktop.
When I was carrying a Windows Mobile device I used Handy Desktop Safe, which has a WM app so it was on the phone/PDA and the Windows machine.
My criteria other than security (encryption) are that the tool work on multiple platforms, depending on the device that is living in my pocket at the time.
I even had one for my Palm Pilot back in the day.
internic (parent poster) wrote:
I know people don't read the F*** Articles, but could you at least read the F*** Summary?
He's referring to his laptop, which has firefox.
Thanks for playing, no fish today, better luck next time.
In Soviet Russia, Firefox Master Password STILL protects YOU!
This is true, but if you DO use the master password feature, being able to see your usr/pw combos is VERY handy when you want to copy your account info between your laptop and desktop, or write it all down (and store in a secure place, natch) for future reference.
Better than trying to guess it and being IP-banned after n number of failed attempts.
I once tried to set my password to 'penis'. It said that my password was too short....
Pot, meet kettle. From the summary:
Perhaps next time read the whole summary.
I use a mental algorithm that always generates a "good" secure password. No two passwords are the same. Because the input to the algorithm is site or situation specific, but personally obvious, I always get the same output. I have to keep track of more than 30 passwords and I have a terrible memory. I used to use the same four passwords over and over again until I read the Simple Formula for Strong Passwords (SFSP) Tutorial. It is a long read but most of it is examples. Basically it teaches you how to come up with a system that guarantees that you create memorable and secure passwords.
A few years back, I was working on a computer for a friend, she had auto password configured, and I said I needed to wipe and reinstall windows, I asked her what the password was...she said (yep, you guessed it). dot dot dot dot dot. And yes, she was blonde!
I use a password storing program on a portable device such as a PDA or iPod touch. I use obscure passwords that I can remember with a hint that won't make sense to anyone else. I only store the hint in the encrypted storage.
If your bank is using a password scheme to authenticate you you should switch to a bank with proper security as soon as you can.
I'm currently using an IronKey with its built-in password manager. It's a USB key with an encryption chip built in with the memory chip, epoxied together and encased in stainless steel.
Q: What does this look like?
A: It looks like someone dropped ink on a piece of paper.
Q: What else does this look like?
A: A black and white picture of ketchup that fell on a white floor. ...
Moral: Don't install plugins you're not sure about.
Same as: Don't run programs you're not sure about.
Or: Don't reply to too-good-to-be-true emails.
And: Ignore web sites that say "Your computer has a virus. Download Free Antivirus2009 to clean it up."
The user has to take some responsibility. It's the same as going outside in 40 below weather ... if you don't dress appropriately, don't start complaining that you're cold. Or bitching that your car doesn't start when you haven't put gas in it (Don't laugh - I've seen the same guy have his car towed - twice - to get a supposedly "defective" fuel pump changed. turns out the gas tank was empty both times. "It can't be! I put $5 in it a couple of days ago!" This when gas prices were $1.34/litre, or more than $5 a gallon. Not to be too worried, though. He lost his drivers' license - too many moving violations - then lost his restricted license, so problem solved :-)
This little program encrypts your passwords: http://islandlimited.net/download.php?file=3
PGP public key at: http://keskydee.com/gil.asc
Just hide it in plain sight: if nobody knows that there is a password, nobody will find it. And if you put it on the internet, you can access if from everywhere. You could even hide it in some stupid text you post on some stupid forum for dumb 13 year old kids.
With OS X the best way I've tried is to store the built-in Keychain app profile on a USB drive. This can be inserted into any Mac (though most of the system passwords won't work there) and opened via the master password by importing the profile.
It is of course encrypted and you can set all kinds of policies for individual account/password credentials. It has support for Certs, accounts of all types as well as manually created entries for things like ATM/Credit cards, etc.
The downside for you of course may be that it only works on a Mac but others may find this useful - or you can look for something comparable.
You can find details about this at Mac OS X Hints.
This is not a job for software. The proper solution is a device that interposes between the keyboard and the host computer, accepts signals from applications to the effect that the current entry is a password, and records the context/password pair, or alternatively accepts a keyboard signal or an application request for a password that most closely corresponds to a given context (application case, with user approval) or provides a (probability-ordered) prompt to select a known password (user case). The device is independent of operating system, portable between computers, and trivial to backup/edit/configure/restore via usb.
I use lastpass. They have online sync plugins for firefox, chrome, ie, and safari, as well as a downloadable tool similar to keepassx. All you have to do is remember this one password, and it keeps track of all the others. very handy. Plus, if you do use the online sync tool (i.e. if you're not afraid of having your passwords on some other company's machine), you can always log in at their site to retrieve passwords if you're on a computer that can't download the plugin.
XMarks works with Firefox, IE, Chrome and Safari (xmarks.com). Even though it was originally intended to allow portability of Bookmarks, it works great with passwords. And you can store your passwords at the XMarks site (encrypted) or use your own server.
I create a simple HTML page with a Javascript.
The HTML lets me input the site name, and a master password. And then the Javascript will generate a password for me.
The Javascript algorithm is simple, it involves some summing, modulos, lengths, and Base 36 conversion at the end to give me an alphanumeric password. So far works all the time. I can specify the length of the desired password. If a number is required and the password does not contain it, I simply append a "0" at the end.
You can also play with CSS to make your password field invisible, etc. The only caveat is you want to copy some junk to the clipboard afterward to erase the copied-and-pasted password.
I made the algorithm so simple I could reimplement it from scratch on an Excel spreadsheet with built-in functions, no VBA.
The key to create your own algorithm is that, you're trying to make a simple hash. Try to make it so that changing one character either in the site name or the master password would make the entire password look different, not just a single character at some corresponding position.
If you don't want to bother with your own algorithm, you can just md5sum a concatenation of the site name and master password. I don't like this method because the master password must either be stored in a file or typed in the command line, which will be in the command line history, which may get backed up by mistake if you're at work and don't clear your history quickly. Also, md5sum may not be available on every computer - my own algorithm is easy enough to be constructed from scratch in a minute or 2.
Except that I run the phrase through babelfish, so all I need to remember is "phrase"+"language". I could post my passwords and still be somewhat secure; unless you can figure out which language I used and what capitalization schema I used you're out of luck.
Works until they change the algorithm.
Lockcrypt (http://www.lockcrypt.com)
* Central Database (Flat File or MySQL)
* Strong Encryption
* Multiple Languages
* Customizable Account Types
* Import and Export
* AutoType
* Firefox Extension
* J2ME and .NET Mobile Versions
* Secure Clipboard
* Easy to Use Interface
Secure Password (https://addons.mozilla.org/en-US/firefox/addon/4429)
* Add on Extension to Firefox's password database
* Adds strong encryption (not plain text)
* Easy one-click access to Site information for logging in.
Keywords for the NSA overthrow oppressive regime true believers marathon Manhatten the financial district blueprints I
I keep a text file, but it's only visible as root and its name doesn't make it seem like a text file. Furthermore, within it I never actually spell out my passwords, just a couple of characters to remember my sequence. I used to do the same for the system for which it applied, but then I found that I would forget my clever-at-the-time abbreviations for those (that leaky brain problem you mentioned...). I think that's sufficient obfuscation for now.
I disagree ... Lockcrypt is far superior to Keepass on the multi-platform arena. It supports Mobile platforms and also can use a MySQL backend. And comes with a Firefox extension to make logging in easier.
Generate about 4-5 good, strong passwords, memorize them thoroughly, then come up with 4-5 variations (symbol substitution, case flipping, increments the numbers, anything really), then put a hint to the password number and variation in the bookmark text. Like, for gmail have the bookmark name read something like: GMail - P1VC For password 1, variation on capitals. I use a system similar to this and I haven't had a problem in years. Though, I do keep a few copies of my bookmarks file lying around because otherwise I am most hosed. You just have to make sure that no one ever has a chance to get your actual passwords, nor share any of the variations ever, but it seemed to me to be the most reasonably secure and simple method.
Nice logic error you've got going there :-)
And for all those other issues, he admits he's going to have to install *something* ... so why not just install or run Firefox and be done with it? One simple solution.
If he can't install or run other apps on those computers, then there IS no "ideal tool" that will work for him short of pen and paper, which can also get lost/forgotten/copied/swiped/whatever, and the question becomes nonsensical ("gimme a tool to run for those times that I can't run a tool").
Available in three ways:
Constructs a one-way hash of
to get a domain-specific password. Memorize one strong password and use this utility to get distinct passwords for each domain. The generated passwords are (usually) complicated enough to pass any conceivable non-triviality test.
Try using a password vaulting app such as KeePass, and encrypting the password database on your laptop. I'd suggest not trusting the encryption built into the password vaulting app and using multiple layers of encryption such as a TrueCrypt volume, whole disk encryption, etc. You can determine the level of security/usability that's right for you. You could also look at hosting the password database online so you can access it from anywhere. You could use an online backup/file hosting service for that purpose. Keep in mind that security is inversely proportional to usability, so you'll have to make some sacrifices in terms of usability for good security. If you're not willing to make those trade-offs, then this whole exercise is probably pointless.
What I've done is make a small TrueCrypt drive, and redirect Firefox to use that for its local data. It will store the cache and my passwords on that drive, thus keeping my passwords hidden without first entering the TrueCrypt password.
Find Firefox's profiles.ini file in your local application data directory.
Downside: you have to give TrueCrypt a password whenever you startup, and Firefox won't boot at all if the TrueCrypt drive isn't mounted. The error message is misleading too, "Firefox is already running ..." (fail!)
Bonus: the pr0n downloads in your cache are encrypted too.
Of course I'm one of those guys with multiple computers... My personal laptop on which I work at home is a MacBook Pro. At work I have a Windows 7 PC. So my system has to be cross-platform and synced at any time. Since I don't want to use 2 password files I did the following.
I have a Dropbox account (actually this is an Amazon S3 storage service with AES encryption; you could also use Evernote for that purpose) on which I placed a TrueCrypt file of about 50 MB encrypted with 3 encryption algorithms. In this file I have a KeePassX file with all my passwords. So I only need 2 passwords to remember: one for the KeePassX file: ************** and one for the TrueCrypt volume: ************. :)
Another tip:
There is a keepass version for smartphones that can open keepassx files.
Current linux versions are capable of encrypting the disk - files and swap - automatically. (Ubuntu, for instance, can install this feature from the "alternate" install disk.)
Only the boot partition is in the clear. Any passwords you stashed in Firefox's autocomplete mechanism are encrypted as well. You have to issue the filesystem password to boot or to come out of hibernation etc.
With this in place the bad guy has to get your laptop while it's running and use it before it sleeps or whatever. (Fancier attackers might be able to pull something out slightly longer - if they get to the RAM before the charge dissipates.) Even if you're only using browser autocomplete passwords this gives your system (and ALL the files it contains) another layer of protection.
DON'T forget the password or all your files are gone forever. Unlike commercial products there are no backup or backdoor passwords or challenge/response protocols. The passphrase you use when installing is the only one there is. Without it (or a cryptosystem crack) even the software has no way to decrypt your files.
PASSWD=`echo "${login}${masterpasswd}" | openssl dgst -ripemd160 -binary | openssl dgst -sha1 -binary | openssl base64 | head --bytes 8`
The password is stored in the KDE klipper for 20 seconds afterwards.
I use an encrypted file (to which I remember the encryption key) which has all of my logins and URLs, and the first 3 or 4 characters of the associated password. Between the file encryption and the fact that only a 25-30% fraction of each password is listed, I feel that I am pretty safe. My passwords tend to look like this:
...so a typical entry would look like this:
$uns#!n34tn!t3 (sunshine at night)
http://www.punkisnotdead.com/ PunXX0r $un
You are right - Untrusted plugins are a core issue. However, users need to understand that Master Password does not add any protection to passwords, to avoid the illusion that it makes them safer. In fact it makes passwords less safe by storing them on the machine, and very easy to hack into if the machine is stolen, say. So (I think) users should neither use untrusted plugins nor store passwords to sensitive sites under the Master Password.
I've been using KeePass Password Safe for years. I keep it installed on a thumb drive and take it with me pretty much everywhere I go. The KeePass files also get backed up to my desktop every time I insert the thumb drive or modify the password file. If I lose it, no big deal; no one's going to guess the master password and I always have a backup. There are builds for just about any OS people are using these days, so you shouldn't have to worry about retrieving your passwords cross-platform.
http://keepass.info/download.html
It encrypts all of them with a master password, and I've always got it with me. Easy to backup the db to the sd card, and easy to export a plain text file of all passwords, for storage in our safe deposit box, in case I get hit by the proverbial truck.
http://www.openintents.org/en/node/205
The best way is to design a system *yourself* so nobody else knows it.
I have that kind of system myself but, if I tell you what it is, it will then be less secure (very much so on /.)...
So...
Anyway, I'll give you some tips.
Think of the things that you have no problem remembering. If they are easy to find (like in a dictionary), design some combination that would not be. Among those, select the ones that could be found elsewhere if your memory fails. From these select the ones easier to use and/or to consult elsewhere. Design some indexing method that will allow *you* to find them easily from these available sources. Store these indexes the way that is more convenient for you.
An example that I _do_not_ use and that's worse than the one I use: Bible quotes. Bibles are available almost everywhere. Long ones have good resistance to brute force. And the indexing is already done for you. You just have to design some basic encryption method for the index (the method depends on the storing method: simple rotation for hand-written, as complex as you like if stored on a computer: you can write a program to do that) and store the index in some place (the piece of paper in the wallet, some text file on your computer, whatever is more secure for your case).
In any case, you should design something that is easy to use _for_you_ or you'll end up using some other less secure but more usable system.
Ah, and don't use the example I described as now it's already known...
--
El Guerrero del Interfaz
SplashID on your Android phone.
Use one 256bit Blowfish password to access ALL of your passwords. Your phone goes everywhere with you, so do your passwords. If you lose your phone, no big deal. Chances are that person doesn't have the resources to crack that encryption.
Best part is you can use it to fill in forms for websites you visit on your phone, which is good because typing in obscure passwords on a phone can be a challenging feat.
1password is by far the best solution available for this. I've seen some other people say it, but i wanted to echo how great it is. On the security side, it uses 128 bit AES encryption. You can find more information on their security here: http://help.agile.ws/1Password3/agile_keychain_design.html - basically it would take eleventy billion years to crack into your password database.
1Password also offers direct browser integration with all major browsers. It's so good that I'll only use a browser if 1password supports it. It also comes with tools like a password generator and a place to store secured notes (which is where I keep all my software registration keys, etc.). Bottom line is I couldn't live without 1password.
All that said, I still commit my bank password to memory and do not store it in 1password or anywhere else.
Here's a low-tech solution:
1. Memorize a single 10-digit number, which will be your master passphrase (eg 1234567890).
2. Keep all your passwords, encrypted with this passphrase, written on paper in your wallet, as follows:
write down the true password on a scrap piece of paper.
eg: augur4
3. subtract one passphrase digit from each password character:
a - 1 = z (wrap around the alphabet)
u - 2 = s
g - 3 = d
u - 4 = q
r - 5 = l
4 - 6 = 8 (wrap around 0 back to 8)
4. Keep the result in your wallet: zsdql8, next to the name of the website you need it for.
5. Burn or eat or compost the scrap of paper.
This has several advantages:
- addition can be done in your head: look at zsdql8, and it's not too hard to reconstruct augur4 without using a temporary piece of paper.
- if someone steals your wallet, they'll need your 10-digit passphrase.
- you don't need internet access or a USB key to recall your ATM's PIN.
Alejo
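A worked implementation of the wallet cipher described above, added here as an example (it is not code from the post). It assumes the letters a to z are numbered 0 to 25 and the digits 0 to 9 are numbered 0 to 9, wraps within each alphabet, cycles the passphrase for passwords longer than ten characters, and passes any other character through unchanged; none of those details are specified in the post. Applying the rule literally to augur4 with passphrase 1234567890 gives zsdqm8. The recover_passphrase function demonstrates the caveat a practitioner would add: the same passphrase digits are reused for every entry in the wallet, so a single leaked true password (one site breached) hands over the passphrase digits for those positions and with them every other entry.

```python
from itertools import cycle
from string import ascii_lowercase, digits


def _shift(ch: str, amount: int) -> str:
    """Shift one character within its own alphabet, wrapping around."""
    if ch in ascii_lowercase:
        return ascii_lowercase[(ascii_lowercase.index(ch) + amount) % 26]
    if ch in digits:
        return digits[(digits.index(ch) + amount) % 10]
    return ch  # assumption: punctuation and upper-case pass through unchanged


def _check_passphrase(passphrase: str) -> None:
    if not passphrase.isdigit():
        raise ValueError("passphrase must consist of decimal digits")


def encode(password: str, passphrase: str) -> str:
    """Step 3 of the post: subtract one passphrase digit from each password
    character. The result is what goes on the slip of paper in the wallet.
    Assumption: the passphrase repeats for passwords longer than it is."""
    _check_passphrase(passphrase)
    return "".join(_shift(c, -int(k)) for c, k in zip(password, cycle(passphrase)))


def decode(wallet: str, passphrase: str) -> str:
    """The in-your-head step: add the digits back to get the true password."""
    _check_passphrase(passphrase)
    return "".join(_shift(c, int(k)) for c, k in zip(wallet, cycle(passphrase)))


def recover_passphrase(wallet: str, known_password: str) -> str:
    """Caveat: one leaked true password plus its wallet entry yields the
    passphrase digit at every position, because the scheme is a repeating-key
    shift cipher. Positions where the character was passed through give '?'."""
    out = []
    for w, p in zip(wallet, known_password):
        if p in ascii_lowercase and w in ascii_lowercase:
            out.append(str((ascii_lowercase.index(p) - ascii_lowercase.index(w)) % 26))
        elif p in digits and w in digits:
            out.append(str((digits.index(p) - digits.index(w)) % 10))
        else:
            out.append("?")
    return "".join(out)


if __name__ == "__main__":
    wallet_entry = encode("augur4", "1234567890")
    print(wallet_entry)                                   # zsdqm8
    print(decode(wallet_entry, "1234567890"))             # augur4
    print(recover_passphrase(wallet_entry, "augur4"))     # 123456
```

The encode/decode pair is the whole scheme; recover_passphrase is why it should only protect low-value entries. Every wallet entry is encrypted under the same ten digits, so the first site that leaks its password database in the clear (or the first shoulder-surfed login) gives an attacker who also has the wallet the digits for those positions, and short passwords never exercise more than the first few digits anyway.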
I also put a vote in for Roboform, I use it all over the place. Now that they have the server based sync it especially rocks!
I use Password Dragon written by Ramesh Natarajan. The publisher says the files are encrypted using BlowFishJ. It can be resident on a USB flash memory device. I have been using it for over a year with both XP and Vista, and have had no problems. Their website is http://www.passworddragon.com/.
Note to FTC: I am in NO WAY compensated by the author or publisher!
BTW: The best part is that it is FREE! As in beer.
Just email me your passwords and the related sites. I'll keep track of them for you.
coffee | nose > keyboard
It's a nice slick little web app. Works like Roboform, but it is completely free. Stores your passwords on your machine and encrypts them using AES 128-bit encryption technology.
Mmmph - I have a couple hundred to keep track of - I use gpasman, and keep the .gpasman file in an encfs encrypted directory (symlinked back to .gpasman in my home directory).
Seems reasonably secure.
I was happy syncing up across browsers (work, home, netbook ...) through Password Exporter (https://addons.mozilla.org/en-US/firefox/addon/2848), svn, thumbdrives, and KeePass ... yikes. LastPass showed up while reviewing the current state of identity management (SSO providers, etc) for a work project, and all of the actions I used to take to have my identities with me are usually zero clicks away, and on whatever browser or device (they have a BlackBerry client) I am surfing with. Encryption on the client, shared out in the cloud, and most significantly, close to transparent in the interface ...and their roadmap has some of the issues I do have with it scheduled.
Hooray for LastPass solving a problem I didn't realize I had and eliminating a small hack in my online life.
Dropbox is a great "access anywhere" secure solution across all major OS platforms, and using KeePass is a great software (as many have already mentioned) for managing all the different passwords you have. Upload KeePass - the executable and the database - to Dropbox, keep your master password verification file that KeePass creates for you on the computers you use and a USB key drive, and you will be very safe and secure, but unhindered by being tied to a particular OS or physical media. When you use dozens of different password-only websites, multiple network logins at work, and your own home computer password apps, it becomes imperative to manage it all in some sane way. The only way to do this for me before was a USB key + TrueCrypt + KeePass, but with Dropbox you eliminate the physical media to be lost accidentally. (And I thought a while back that I HAD lost my USB key, and I literally started freaking out before finding it on my car floor. Switched to Dropbox later that night, and no more freak-out sessions for me.)
Are you usually this slow on the uptake, or did the humor bunny skip you at birth?
So...then you admit he did refer to more than just his laptop. I said it doesn't seem to "solve his worry" about computers without Firefox, and obviously that is his worry (if he mentions it as a desirable property) and your solution doesn't solve it.
A more useful response would have simply stated the reasons why you believe one cannot reasonably do better than this alternative (even in the face of the submitter's stated desire). Hashapass, for example, makes an interesting alternative with a different trade-off of security and flexibility. You could also have answered the simple question about using an external password file in Firefox.
I know, I know, "You must be new here."
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
I second this, password maker is great! I am hoping that a Chrome extension is in the works.
I bought a copy of Password Tracker Deluxe years ago, and it's been a great tool on Windows, so I wanted to give it a mention.
I'm currently trying to replace Windows for my daily needs with Linux (I'm currently trying Linux Mint KDE), and so I had to find another option (although it does mostly work under wine).
What I found was KeePassX, which has done a pretty good job as a replacement. And because KeePassX is cross-platform, I can access on Windows as well.
I saw others mentioning KeePassX above, and they mentioned features I haven't even discovered yet.
1Password not only works on the Mac, but it also syncs fairly easy with the same named application on your iPhone. So you have all your passwords encrypted with you, all the time!
Your original point, to which I responded, was:
On reconsideration, any machine that he does not personally control simply has no acceptable solution if you want to be reasonably secure. A copy of Firefox run off a thumb drive doesn't do it (copies of data in the HD swap file, keyloggers, malware, etc). Installing Firefox on the target doesn't do it either, for the same reason. Booting off the thumb drive? Thumb drives get lost/forgotten all the time. The real "solution" is simple, but inconvenient - don't use other people's machines.
Example: I would never use someone else's machine to do my online banking. Generally, when I need to use a computer somewhere, except at home or work, I bring one of my own. Part of that is because I'd rather use Linux on my laptop than struggle with Windows on their desktop, part is "it just works", but even then, I wouldn't access anything sensitive from someone else's network. It's just not necessary. Plus it also gets out of the whole issue of other forms of leakage, such as shoulder surfing, web cams or security cams grabbing your keystrokes (I was actually able to do that once, just to show it was possible with a 25x PTZ camera), etc.
Even less sensitive stuff, it's a hassle. I made the mistake of logging in to one account from a known-safe machine (only used linux and bsd) over a compromised network. Oh, the pain. No "serious" damage done, but still a PITA. Took a few hours to track down which Windows box had a chat session connected to a machine with a .ru domain ... nowadays it's almost always .ru (russia) or .cn (china) or .ua (ukraine).
What can you do - it is what it is. All security is a balancing act - managing risk against ease of use. As one pundit said - the only completely secure machine is an unplugged machine - with the hard drive, cpu, and ram removed and run through a shredder (and all post-it notes removed from monitors, under the keyboard, and inside the case).
I guess you didn't catch the humor right there ... cool down ..
I'm living in Belgium btw, so there is no such thing as Foxtard TV here.
Wasn't the recession over years ago ?
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
lastpass.com does just this. It is a free cross-browser (IE, Firefox, Safari, Chrome, iPhone) plugin that encrypts your passwords and then stores them on their servers (only your encrypted passwords are stored). It replaces the built-in Firefox manager (which doesn't work very well and I can't believe they haven't addressed that yet) and LastPass's plugin works much much better than the built-in IE / Firefox managers. It's also a lot more secure. It's not without faults.... It's not very easy to use with multiple accounts and trying to correct an account with a wrong password is sometimes painful. Overall, I love it and am a user. Check it out: lastpass.com
-mr silver
It doesn't work that way. The Firefox "Master Password" just protects the vault of saved passwords. The saved passwords still appear automatically (without entering a master pw) on any site where you have OK'd the saving of a pw.
I've been using SplashID for the last 5 years or so. One of the best apps I ever paid for. It exists on pretty much any major OS you might be using on a PC or - and here's the selling point - any mobile phone.
I've had it successfully synchronize between my PC and Nokia E61i. Before that it was syncing with my Sony Ericsson P990i and P910i. There is an Android version of it out, but unfortunately Android Market is not available in Singapore. I was forced to use SlideME to use the very barebones but still functional gbaSafe.
SplashID uses the 256-bit Blowfish encryption method and comes with a built-in password generator, with quite a few options like limiting the password to lowercase and numbers and even checks for "pronounceability". It comes with a nice set of icons, you can create custom templates with multiple masked fields and the layout is intuitive. There are several export options, with some compatibility with other formats as well as the standard unencrypted CSV Excel file.
I've been using the password "neeXa6Re" for years. See, I opened an AOL account, it asked me for a password, and of course, "neeXa6Re" was the first thing that popped into my head. Now, here you go just posting it out on the interwebs for everyone to see.
http://supergenpass.com/ From the site: Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit. There’s no software to install.
https://www.ironkey.com/
Just throwing my suggestion on the heap of hundreds: Take the first letter of the chorus of a song you like, and make that the password. If you forget it, you can just think of the song and punch out the password. For example, Iron Maiden's "Run To The Hills", you have "Run to the hills, run for your lives", which comes out as rtthfryl, which is not likely to come up in any brute force dictionary based attack, and it has a built in method for you to remember it. Feel free to add characters or numbers if necessary, I really like the !1, or *8.
Really must remember to log in before posting :p
Lifesigns: Present Hair: Escaped Age: Increasing
http://www.passwordmaker.org/
All you have to remember is a master password. It will generate secure passwords for you depending on the "note text" you enter (whether it's a domain or something else.)
Has a firefox extension, but also a CLI / PHP / Java version, so you can use it on anything.
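The generator-style tools mentioned in this thread (SuperGenPass, PasswordMaker, Hashapass) all work on the same idea: nothing is stored, and each site's password is a function of a master password and the site's name. The block below is an added illustration of that idea, not the code or algorithm of any of those tools, and it will not reproduce their output. Its assumptions: PBKDF2-HMAC-SHA256 with 100,000 iterations as the hash, the normalised domain plus a counter as the salt, URL-safe base64 as the output alphabet, and a deterministic rehash loop until the result contains a lower-case letter, an upper-case letter and a digit. Domain normalisation here is a crude lower-case-and-strip-www; real tools consult the public suffix list.

```python
"""Deterministic per-site passwords from one master password (added example)."""

import base64
import hashlib

ITERATIONS = 100_000  # assumption: slow hash so a leaked site password is a poor
                      # starting point for offline guessing of the master


def normalise_domain(site: str) -> str:
    """Reduce a URL or host name to a canonical domain so the same site always
    yields the same password. Assumption: strip scheme, path, port and a leading
    'www.'; a production tool would use the public suffix list instead."""
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def meets_policy(pw: str) -> bool:
    """Typical site rule: at least one lower-case, one upper-case, one digit."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def site_password(master: str, site: str, counter: int = 1, length: int = 16) -> str:
    """Derive the password for `site`. `counter` lets you rotate one site's
    password without changing the master (and so every other password)."""
    domain = normalise_domain(site)
    for attempt in range(64):  # deterministic rehash until the policy is met
        salt = f"{domain}|{counter}|{attempt}".encode()
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
        pw = base64.urlsafe_b64encode(key).decode().rstrip("=")[:length]
        if meets_policy(pw):
            return pw
    raise RuntimeError("no policy-compliant output found")  # practically unreachable


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample input
    for site in ("https://www.Example.com/login", "example.com", "examp1e.com"):
        print(f"{site:32} {site_password(master, site)}")
```

Two things this makes visible that the one-line descriptions do not. First, a look-alike domain derives a different password, which is a small anti-phishing property for free, but a legitimate site that changes its login host also derives a different password, so the normalisation rule matters. Second, because there is no stored state, the only way to rotate a single site's password is extra input (the counter here), and the only thing standing between a leaked site password and your master is the hash: with a fast hash and a weak master the whole scheme falls at once, which is why the example stretches with PBKDF2.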
..mm.. I've been using KeePass for a couple of years, http://keepass.info/ ..mm.. it's a small standalone program that'll run as a Portable App http://portableapps.com/ on a Flash/USB stick drive or on your hard drive, it's password protected and free to use.. I find the database easy and useful and you only have to remember 1 password to let you in - all your passwords in one place..
No doubt there are some clever hackers out there who would delight in trying to crack the opening password.. but I'm not Paranoid..are you?
If you have PalmOS, I suggest Strip. There is also an iPhone version, but I don't know that platform very well.
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
Also as some have recommended techniques with written "password," type out your password but add a common or nonsense word into the middle of it. Then you just know to remove that word.
I have a text file that I edit with vim that automagically decrypts the file when I view/edit it and re-encrypts it when done. Very secure, don't have to worry about a single use application going the way of the dodo.
Salut,
Jacques
I have this problem where I work. Last spring they upped the requirement to 12 characters, which must include numbers and special characters. They do not yet require squirrel noises, but that is certainly next.
I did a study of memory aids and came up with a system that has worked fairly well for me.
Here are the tricks:
1. I remember pictures but not words. I can remember the first three letters of the name of many animals that I can picture in my mind.
2. Silly stories are much easier to remember than reasonable ones, so string animal pictures and action verbs together into a foolish story.
3. The special characters can be used to make simple picture or represent action verbs: ^ jump over, and || wall becomes ^|| jumped over the wall.
4. I know a few strong visual nouns that come with numbers attached: ME109, P38, 56Chev, V8, 03Flyer, 707, 747.
Putting this all together you get:
The elephant jumped over the wall and landed on the flea. The elephant had four legs; the wall had no legs, and the flea had six legs. Ele^||Fle+406
The Frog in his ME109 shot the shield of the Walrus: FroME109()Wal
It is also easy to leave yourself an effective hint: Kermit in his WWII fighter did what?
You can also progress the story a little every time you need a new password: Then the Whale in his P38 caught the Frog hiding behind the wall with his six shooter: WhaP38||Fog6
Of course, if too many people start using this scheme it will not remain secure very long.
Tom Riley TomRiley@woodwaredesigns.com http://woodwaredesigns.com/woodware.html
I still keep a PSION Series 5mx Pro for my everyday agenda, address book and else. (Still looking for a *good* alternative for my iPhone, including migration/synchronisation software - got any?).
The PSION is secured with a 3 letter password (to allow for easy log-in). *ALL* my passwords, credit card numbers, PIN &c. are stored there in an encrypted file. The CompactFlash card of the device holds an impressive 128 MB (yes Meg - not Gig) but 80 Meg remain almost always free. It is regularly backed up to my PC, which is regularly backed up to my Synology DS-408, which is regularly backed up independently to two 1,5 TB external hard drives. From a previous SDK there does still exist an emulator for PC that even allowed access to the file from there. But the last time I used that is ages ago - literally.
As the devices used to be pretty cheap recently, I do still hold 2 spare ones in my drawer for replacement in case of emergency...
I like Clipperz. You don't need to have anything installed, which is nice. They host your passwords in encrypted form.
Tried this. wsjp133 is your password for some obscure account you don't need for 6 months. Then you have to track down your old cube neighbor's PC. Plus even the most benign sites these days force a special character, number and upper and lower case.
Because I'm a Flemish-American.....