Best Tool For Remembering Passwords?
StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
Keep them on a slip of paper, in your wallet.
but DON'T list what each is for - you can remember that part easily enough
I want to delete my account but Slashdot doesn't allow it.
Do what I set up for my father: Truecrypt installed to a USB key, passwords in a plaintext file inside the archive.
http://keepass.info/download.html
1password for mac and iPhone/iTouch is a good product
Just use the same password for everything. I use "1234"... it's the same as my luggage combo
I have to return some videotapes...
Generates reasonably strong passwords that I don't have to worry about forgetting or storing. Works well for me. http://www.hashapass.com/
If you have a mac, definitely get 1password. It encrypts all of your passwords in a database that is accessed via 1 password that temporarily unlocks it. You can have it generate very long passwords on the fly too to make it very secure. It stores passwords from all websites that can be recalled during a session by pressing apple+\ but it locks after a period of time where it asks for the master password. You can also store secure notes, and keychains from applications.
I've used Keepassx for a few years now. It's cross platform (Windows / Linux) and stores the files encrypted. I tried one of Bruce Schneier's public domain solutions previously, but the Linux install (Password Gorilla ???) was rather painful on some systems if I recall correctly.
Just be sure to use a substantial password for the database...
I first saw the link to PasswordSafe from Bruce Schneier's site. If I have to take advice from someone on keeping something secure, it's Bruce.
Memorize an e-mail address and change the @ to a '2'. Instantly you have a 14 - 20 character password. Use a shorter 8 character password with a number you can rotate on for sites you don't necessarily trust (i.e. where an administrator could potentially google your username or e-mail and try out your password at other web sites)
If you have access to any other box, how about a plain-text file there? Even a little security through obscurity (i.e. a hidden file buried in the filesystem somewhere) would be better than letting Firefox automagically fill it in. I guess you could always encrypt the file so you only have a single one you absolutely must remember (shades of Flourish and Blott's losing all those copies of the Invisible Book of Invisibility though).
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
KeePass.
* Stores all of your passwords in a secure encrypted file
* Has auto-type so you don't have to type or remember your passwords
* Has a great password generator tool, so that you can reset all of your passwords to something secure
* Easily transferable password database.
* Can run off a USB stick
I checked it out a month ago on the recommendation of a mate, and have been using it ever since.
It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!
And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.
And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).
Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!
Post-It notes have the distinct advantage that no computer virus or Trojan can steal it.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
The first thing you have to realise is you can't be 100% secure. Keeping plain text files isn't that terrible an idea, in all honesty; the situation where someone steals your laptop, accesses all your files and looks for passwords is unlikely. Your hardware is much, much, much more valuable to most thieves than your data. I bet most either A) just wipe it with a clean install of Windows, B) just randomly check a few sites and give up, or C) scrap your laptop for individual parts. A laptop thief is not usually a tech person. When faced with encryption they aren't going to try to break in; after all, your laptop is worth at least $50 on the black market no matter what data is on there, so long as it boots up it is sellable.
Similarly, few thieves are going to be looking for passwords on old sheets of paper. Most thieves, if they break into a house, look for A) cash, B) jewellery, C) expensive-looking technology. Even though it is much more important to us geeks, a thief is going to go for sellable things; chances are your plasma is more sellable than your Pentium 4 tower, your monitor more than your external HDD and your PS3 more than your stack of back-up DVDs.
There is a -lot- more threat from crackers, viruses, keyloggers and other malware than the run-of-the-mill thief getting your laptop.
Taxation is legalized theft, no more, no less.
I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.
It was me, I did it, I moved your cheese
I have to track a lot of personal passwords and also 200+ passwords for client websites, emails, etc. I use Password Safe and recommend it:
http://passwordsafe.sourceforge.net/
Hides when minimised and has a useful function that enables it to copy a password and minimise again when you double click a client name (i.e., if you need their main/default password). Quick and easy.
Used to have Filezilla set to remember client passwords until a PDF hole led to a bot stealing Filezilla's password store and auto-hacking a lot of sites that were a serious pain to clean up.
'Thats they exact same thing a banana wrench monkey.'
I use Steganos LockNote (GPL, http://www.steganos.com/us/products/for-free/locknote/overview/), it's essentially a self-contained AES encrypting Notepad.
And it's extremely stand-alone/portable, so you can just stick it on a USB stick.
That's not the best idea. If a secure location becomes compromised, you just gave up access to everything you do. Not to say people don't do it, but people also set their passwords to "password".
Here's an old post I did here 4 years ago on the subject. Users haven't gotten any smarter. Just poorer when their bank account gets compromised.
Serious? Seriousness is well above my pay grade.
Create a passphrase which you prepend or append to every important password. Don't divulge that passphrase to any but the most trusted (spouse, family attorney, etc.).
Keep a list of passwords sans the passphrase in a safe but accessible place in case you forget one. If someone finds that list, it'll do them little good since not only will they not know the passphrase, neither will they even know it exists.
I'm assuming you have no state secrets or other seekrit stuff which may be intimidated out of you by other means (pliers, electrodes, etc.).
I use a mental hash for my less important passwords. That way all I have to do is look at the web site's name and run it through my hash function to come up with the password for that site. That way, I only have to remember the function and not the plethora of passwords.
Once you start using a full disk encryption solution like Truecrypt or others, all the "insecure" electronic methods you discussed suddenly become secure.
Firefox has a "master password" feature. Use it, and remember just one password. It'll prompt you for the master password the first time it visits a site that has a saved password.
On my Mac, I live & die by 1Password. I resisted putting all my passwords into a single store like it, but once I started, I was blown away by the program.
For my PC at work, TrueCrypt with a spreadsheet inside.
LastPass is definitely nice - it encrypts passwords so that they're not transmitted or stored on the server in the clear. It's also one of the best integrated pieces of software I've used - it generally just does what you want it to.
I recommended it to a non-technical user recently, and she sent me back an email later thanking me because it removed all the mess that she was dealing with before and gave her a single launch-off point for her web logins.
I recommend OBZVault. OBZVault is a cross-platform encrypted text editor; with it you can secure sensitive information like passwords, quotes and messages, and access them from any operating system.
We use OBZVault in-house to store all our important company secrets (passwords, PINs, etc.) in a single file that gets checked into our source control system. Using OBZVault we can access that file on any of the operating systems we use (Linux, Mac OS X, and MS Windows).
It's licensed per physical machine, not per operating system, so e.g. a dual-boot Mac OS X and Ubuntu machine will only need one licence.
(Disclaimer: I co-founded OffByZero, the company that produces OBZVault.)
I keep track of all my passwords using a "rootword" system I devised. I started off simply, and have made the system more complex as time passes.
As an example, all my passwords are based off a single, easily-remembered word. Then I complicate the rootword -- i.e., by replacing characters with symbols or numbers so that even in the unlikely chance anyone ever does find out my rootword, they don't know which iteration of characters make up the string of said word. If I choose "banana", then my rootword may end up being "b@Nan4" or "BAn@n@" or "b4n4n@" etc.
Next, I simply add extra characters as identifiers to the rootword depending on the services or sites for which it is used. It may have something to do with the site or service name, the person that introduced me to it, or something completely random that reminds me of it. Thus, my "b@Nan4" may end up as "g00b@Nan4" for a Gmail account.
You'd be surprised at how simple it is to remember a couple hundred different passwords using a system like this.
UNIX: Find it, fsck it, forget it.
I've been using this for years. I've tried KeePass, 1Password, etc for weeks each, and kept coming back to Roboform. Roboform is MUCH better than any of these I've tried at filling forms easily/fast - not just passwords, but identity and credit card/payment information. My biggest complaint with it has always been syncing my encrypted roboform directory files between different machines - used live sync, sugarsync, etc - but now they do that also, with a free RoboForm Online account. Data still encrypted, but I can now get to it with my master password and any web browser. (Even dumb phones). PLUS - they've come out with clients for the iPhone. (Have had Palm, WinMobile, Blackberry, Symbian clients for quite awhile). I have full access to my codes, always synced, EVERYWHERE I go. Love it. My final favorite use for this, in addition to the password vault, is for ALL my bookmarks. I got tired of syncing/restoring/losing bookmarks between different laptops, desktops, OSs, etc some time ago - so I now have thousands saved over the last several years into my Roboform repository. I save them (as well as passcards, etc) with a few extra keywords, and use the Roboform search window to very rapidly go to any website (and login if necessary), even when I can't remember exactly what the site was called - pull it up by subject/keyword. A major timesaver. Cost some $$, but not much, and well worth it.
I use a plain old spiral bound address book. I keep it locked in my gun safe, in the same room with a shredder.
for a long time... it was a little keychain dongle... you push a sequence on the buttons on front and it lets you see the passwords. There are not that many buttons, so if it's stolen don't expect it to last more than a few days, but it'll slow 'em down hopefully long enough to let you change your passwords.
but mine broke :(
While you initially discount paper, a folded notecard in my wallet has been the most reliable method thus far. Honestly, when is the last time you've lost your wallet? For me this was eight years ago. Just as you cancel your credit/debit cards when losing a wallet, significant passwords can also be changed. Consider it a security feature. Besides, the slight inconvenience of taking out your wallet for a forgotten password encourages you to remember it (I have a straight-terrible memory, and this has worked)
In these days, bleeps and bloops mean something more
I invented this method and it has worked for me perfectly since then. What I did was to develop an algorithm by which I can reconstruct my passwords based on the website or account. For example:
1) Take the first letter of the website name, e.g. slashdot = 's'
2) Count letters in the website name, e.g. slashdot = '6'
3) Count the vowels, e.g. slashdot = '2'
4) Take the last letter, e.g. slashdot = 't'
5) Add an underscore and a keyword in common to the end of the 4 previous characters, e.g. 's62t_w00t'
Here's another example with google.com:
1) 'g' 2) '3' 3) '3' 4) 'e' 5) 'g33e_w00t'
Be creative with the rules... for example, if it's a bank account, make all letters UPPERCASE. Hope this helps. Note: the above example is not my PassGorithm :D
A guy I used to work with told me a story about a late-night support call with the operations center. He figured out that they needed to run a job that was under someone else's account. So they conference-called in this other guy at home in the middle of the night, and asked him for his password. He refused to give it over the phone, and the operations people were getting madder and madder because the night's jobs were being held up. Finally, he agreed to give them the password but only if they turned off the speaker phone.
The guy's password was BigBlackDonkeyDick.
Hilarity ensued. I'm pretty sure the whole shop knew the guy's password by the next morning (hell, I still remember it and I didn't even know the guy!)
John
What's so wrong with using the opening sentences of books, with a bit of 1337 speak? Take the first part of the opening sentence from James Joyce's "Ulysses":
Change a few letters to numbers, or introduce a misspelling. Even add different punctuation if you want. That'll be pretty strong. Then you can even email yourself a password hint: Joyce, or Dublin, or Stephen, or anything really. You'll remember it, if you're not an idiot. Follow the same pattern with different books for different important sites, and unless the CIA or Mossad is after you, you'll do fine.
/not my password ... or is it?
http://www.passpack.com/en/home/
http://www.clipperz.com/
https://lastpass.com/
Sorry, but it is NOT hard to guess. I guess Ngbu9E. See, it is not that difficult after all.
Just hide it in plain sight: if nobody knows that there is a password, nobody will find it. And if you put it on the internet, you can access it from everywhere. You could even hide it in some stupid text you post on some stupid forum for dumb 13 year old kids.
Available in three ways:
Constructs a one-way hash of
to get a domain-specific password. Memorize one strong password and use this utility to get distinct passwords for each domain. The generated passwords are (usually) complicated enough to pass any conceivable non-triviality test.
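The "one strong master password, one-way hash per domain" idea that comes up several times in this thread (hashapass, the "mental hash" post, and the utility described just above), as an added Python illustration; this is not the actual code of any of those tools, and the KDF, iteration count, domain normalisation and output alphabet are my assumptions.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Added illustration of "one master password, one-way hash per domain".
# Not hashapass's or any other tool's real algorithm: the KDF choice,
# iteration count, domain normalisation and output alphabet are assumptions.
KDF_ITERATIONS = 200_000  # slow on purpose: a leaked site password should be
                          # expensive to turn back into guesses at the master


def normalize_domain(site: str) -> str:
    """Canonicalise a URL or hostname so 'https://www.Example.com/login'
    and 'example.com' derive the same password."""
    if "://" not in site:
        site = "//" + site            # let urlsplit treat it as a netloc
    host = (urlsplit(site).hostname or "").strip(".")   # hostname is lowercased
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("no hostname in %r" % site)
    return host


def meets_policy(password: str) -> bool:
    """Typical 'must contain upper, lower and a digit' site requirement."""
    return all(re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))


def derive_password(master: str, site: str, length: int = 16, counter: int = 1) -> str:
    """Deterministic per-site password. 'counter' lets you rotate one
    site's password after a breach there without changing the master."""
    domain = normalize_domain(site)
    for attempt in range(1, 64):      # re-derive until the site policy is met
        salt = ("%s|%d|%d" % (domain, counter, attempt)).encode()
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                  KDF_ITERATIONS, dklen=32)
        text = base64.b64encode(raw).decode("ascii").rstrip("=")
        candidate = text.replace("+", "!").replace("/", "#")[:length]
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("could not satisfy the password policy for " + domain)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample master
    for s in ("https://www.Example.com/login", "example.com", "example.org"):
        print(s, "->", derive_password(master, s))
```

The scheme only isolates sites from each other as well as the master is strong: anyone holding one derived password can test master guesses offline, which is why the KDF is deliberately slow and the master must not be a dictionary word.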