Slashdot Mirror


Best Tool For Remembering Passwords?

StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"

28 of 1,007 comments

  1. paper in your wallet by Gothmolly · · Score: 5, Interesting

    Keep them on a slip of paper, in your wallet.

    but DONT list what each is for - you can remember that part easily enough

    --
    I want to delete my account but Slashdot doesn't allow it.

    1. Re:paper in your wallet by JohnFen · · Score: 4, Insightful

      I agree.

      100% security is impossible. Any data you transmit or store on a physical device can be recovered, regardless of encryption. All you can do is make it more costly to recover that data -- the best security makes it more expensive than it is worth.

      Given that's true, then all security is a tradeoff. Storing passwords on a piece of paper in your wallet is actually very secure for the majority of people, more secure than you can really hope for without going to extreme lengths.

      If you have communications or data that are so sensitive that you really have to go to extreme lengths to protect it, then you need the help of a security professional, not encryption and advice on password management.

      So, make your passwords random, different for each thing that requires a password, and write it down on a cheat sheet. Guard that sheet like you would your credit cards. If your wallet is lost, immediately set all your passwords to something temporary then build a new password list all over again.

    2. Re:paper in your wallet by sopssa · · Score: 5, Funny

      Websites could do more to protect their users too. For example if you accidentally write your password here on Slashdot comments, it comes up as masked. Like for example my password is ********.

    3. Re:paper in your wallet by Benaiah · · Score: 5, Funny

      Really? That works? My password is hunter32.
      Seems like I can see it still though. :P

    4. Re:paper in your wallet by TheGreenNuke · · Score: 4, Funny

      Really? I couldn't see it. This is what I saw:

      Really? That works? My password is ********.

    5. Re:paper in your wallet by fredklein · · Score: 4, Funny

      You only see it because it's your password. Everyone else sees it like this:

      Really? That works? My password is ********.

    6. Re:paper in your wallet by NevarMore · · Score: 5, Informative

      I do something similar, but it's the default output of pwgen. All I have to do is recall the first few syllables, the general grid location of the password, or just a part of the password.

      I carry this around in my wallet. Sure, my password is on there, but with no real frame of reference it's hard to decipher and make a guess.

      Also, suggest printing with a fixed width font.

      $ pwgen
      gah5eiP2 Ga4cie3c ya6gaiTi eic1EeCo Shaisae5 ChaeXah2 Jaet0ooz ahThai3j
      Yie7UH9f Iefie1ja ooghu8Oh uot7aeL0 gughes2M fahGh9ah Ohz7ohto wae2Seh1
      avah3Oog Iechie2f eiPhoZi9 Mavohli9 Kohshis7 Meilo8ce Queis5hu Eiz9aij8
      Pae9ahPu Equ0zoo9 Oothahk3 pich2Xao IeZai3ae aiLa7Ath Eol2aes7 aeZ5raht
      AVai9nee Aam7ahzo Ioch2oqu faiGh0th eYae2ohl si7Te0we einai3Wa oash6Ahj
      Eik5uul2 opai8zoY ohw5Ihaf Mi7keix9 aevi1Wa3 mo9ohJ5I Piek2yoR Si1phieZ
      Ahc9luch ohNg6Oon daghieP9 reCh7jas joo4ooVi yooR6yeu eeph5Aip shie3Ahp
      quoVeg8U Nee3phah CahXee0r aoD8Thai Ai5Aigha eePh0zee Cheip5Ch xeebe0Oy
      laeFeez4 Ag9sheeR Ga4gooph Oijae9da aePao2ta ahz8ieNg bu9EhieS quooWoo3
      ahghea7N Bot9hieC He3eeGhi ouli8Oof ik3Ohsoh Rahz9Che aeXaNg1e soh3Thee
      Ahkith6u Ahs2Zuid eth6Ej0o Go0iho1d xaPhah9z aiNg1yoh Aer8Eet3 juZ3aThu
      gee4KooK Hee9iqu3 Duh4aipu AiP6ahph Shaec5ne neeXa6Re Roh6fief Baef9ieM
      eeGoo4ie eva1aeQu lu4hiJoh sae2DuYu fahGae7b Doh5Ifi6 jeish9Ae Rierieb5
      Eedae7Iu moo6aiG3 ohNei0ie ew9ieHeu xoh5caeL NeiD0ohs iipe4aeP Lich0xak
      Oozei5ao gaNgieV2 Dei0ae9l us3Loh8k phal5aeN aip0KeeV Aeg1rais oth1Ahdi
      was3ow8Y Oquud1bu emee7Ohr iewa6baJ ao8Airie beegooL9 heiveF7u ongooD9w
      iic4uGh0 Ohn9zeiC Neen4noh kei1Seng chieV3oh QuuQu2ju Eex1gaf3 aot8Dah1
      EDoh1aej eaBae1ri Eih0woh6 Eiw3Johp Yi3aizuu Og9shohl ho6mi6Xu AeT8eihu
      Iev5ohph lies0Iev eeV4jiek Tha1xoo8 gua9biiT aa4Maiga ohXoh3ai eisi8Jee
      Ieloh3mo Quoch6sh Eecha0Ra zahnguM8 ieP5Jeye Mao5maec Ephae8af quihei8A

    7. Re:paper in your wallet by WuphonsReach · · Score: 4, Insightful

      You could accomplish the same thing using a PGP/GPG encryption key and plain text files. (I prefer to keep each site's credentials in a different file. Other folks use larger files that cover multiple sites.)

      GPG is available on almost every possible platform. That satisfies the portability issue. Text files with encrypted ASCII text blocks inside are easy to backup (or can even be printed to hard copy).

      Plus, if you have a password that multiple people need to know, just encrypt the text with all of their public keys and email the ASCII text block to them.

      --
      Wolde you bothe eate your cake, and have your cake?

    8. Re:paper in your wallet by colenski · · Score: 4, Insightful

      enjoy explaining that bit of paper to DHS when they decide to look in your wallet as you go through airport security

    9. Re:paper in your wallet by RedWizzard · · Score: 4, Insightful

      Congrats, and thanks.

      Now I have an oh-so-short dictionary (only 160 entries!) to feed to my favorite password-cracking program. The odds of my success just went from potentially being nigh-impossible to almost-certain.

      160? Why are you assuming the password must start on a "word" boundary? I guess you're also assuming it's 8 characters long? So if it's "ao2taahz8ieNgbu9" you'll miss it.

    10. Re:paper in your wallet by Barefoot+Monkey · · Score: 5, Funny

      Hey, wait...how did you know my password?

      He didn't know your password. He just typed "********" but you saw it as "hunter32" because that's your password.

    11. Re:paper in your wallet by RobDollar · · Score: 5, Funny

      I have a similar setup, I have this on a piece of paper in my wallet

      ABCDEFGHIJKLMNOPQRSTUVWXYZ

      and I simply remember which letter my password starts with, and then what letter comes second etc.

      For example, if my password was SLASHDOT, I would start by remembering the first letter, which is S, then remember the second letter, which is L, and I continue remembering until I have completed the password.

    12. Re:paper in your wallet by selven · · Score: 4, Insightful

      160 characters * 8 letters = 1280 characters.

      Number of one-character passwords: 1280 (actually it's even less but stay with me)
      Number of two-character passwords: 1279
      Number of three-character passwords: 1278
      Number of 100-character passwords: 1180
      Number of 1280-character passwords: 1

      Total number of passwords = 1 + 2 + 3 + ... + 1280 = (1638400 + 1280) / 2 = 819840 passwords

      Not that good, actually. And if you limit password length to 64 characters, you get only 79904 passwords (equivalent to a three-letter password using lowercase, numbers and simple punctuation only)
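A worked version of selven's count, as an added example that is not from any poster in the thread: it computes the candidate space hidden in a printed grid of 160 eight-character words, with and without a length cap, and compares it with the space an attacker faces when the grid has never been seen. The grid it uses is constructed with a fixed seed and is not the pwgen output above.

```python
import math
import random
import string

# Constructed stand-in for the 20x8 grid of 8-character pwgen words posted
# above (160 words, 1280 characters); the real grid is deliberately not reused.
_rng = random.Random(2009)
GRID_WORDS = ["".join(_rng.choice(string.ascii_letters + string.digits) for _ in range(8))
              for _ in range(160)]
GRID_TEXT = "".join(GRID_WORDS)


def substring_candidates(n_chars, max_len=None):
    """Upper bound on passwords hidden in an n-character grid when a password
    may be any contiguous run of characters up to max_len long (None = any).
    There are n - L + 1 runs of length L, so the total is a triangular sum."""
    if max_len is None or max_len > n_chars:
        max_len = n_chars
    return sum(n_chars - L + 1 for L in range(1, max_len + 1))


def distinct_substrings(text, max_len):
    """Exact count of distinct runs up to max_len. Duplicates (mostly among the
    short runs) make this smaller than the bound: selven's 'even less' remark."""
    seen = set()
    for length in range(1, max_len + 1):
        for i in range(len(text) - length + 1):
            seen.add(text[i:i + length])
    return len(seen)


def bits(candidates):
    """Guessing work expressed as bits of entropy."""
    return math.log2(candidates)


def equivalent_length(candidates, alphabet_size):
    """Length of a uniformly random password over alphabet_size symbols that
    has the same number of possibilities (selven's 'three-letter' comparison)."""
    return math.log(candidates, alphabet_size)


def grid_report(words=GRID_WORDS, max_len=64):
    """Summarise how much a lost grid helps an attacker compared with a guess."""
    n = sum(len(w) for w in words)
    return {
        "whole_words": len(words),                          # the naive 160-entry dictionary
        "any_run": substring_candidates(n),                 # 819840 for 1280 characters
        "any_run_capped": substring_candidates(n, max_len),  # 79904 when capped at 64
        "bits_grid_unknown": bits(62 ** 8),                 # one random 8-char alnum word
        "bits_grid_known": bits(substring_candidates(n)),
    }
```

The two `bits_*` figures are the practical point: the grid alone shrinks an 8-character alphanumeric search from roughly 48 bits to under 20, which is why the frame of reference matters more than the printout looks.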

  2. Truecrypt by Wingman+5 · · Score: 5, Insightful

    Do what I set up for my father: Truecrypt installed to a USB key, passwords in a plaintext file inside the archive.

    1. Re:Truecrypt by yttrstein · · Score: 4, Insightful

      Where does he keep the Truecrypt password?

    2. Re:Truecrypt by Yvan256 · · Score: 5, Funny

      Inside the plain text file, of course!

    3. Re:Truecrypt by Korin43 · · Score: 4, Interesting

      Why make them mount a Truecrypt volume and search through text files? KeePass gives you an encrypted searchable password database that's much easier to use: While it's running, click the system tray icon, type in your password and your passwords are listed and searchable. When you're done, minimize it back to the tray and it's locked again.

    4. Re:Truecrypt by Graff · · Score: 4, Informative

      KeePass is available for Windows, Linux and OS X.

      Dunno why you'd need it on Mac OS X though, the built-in Keychain and Keychain Access.app does the same thing and more. It will do autofill, autofill after asking you for the master password, or you can just use it to store the passwords and look them up manually.

      Keychain can also store secure notes and certificates for websites and such. It's pretty nifty how well it all works, you hardly ever have to worry about manually managing passwords and certificates.

  3. Keepass by gad_zuki! · · Score: 4, Informative

  4. PasswordSafe by Avenger546 · · Score: 5, Interesting

    I first saw the link to PasswordSafe from Bruce Schneier's site. If I have to take advice from someone on keeping something secure, it's Bruce.

  5. KeePass - fantastic software. by clockwise_music · · Score: 4, Informative

    KeePass.

    * Stores all of your passwords in a secure encrypted file

    * Has auto-type so you don't have to type or remember your passwords

    * Has a great password generator tool, so that you can reset all of your passwords to something secure

    * Easily transferable password database.

    * Can run off a USB stick

    I checked it out a month ago on the recommendation of a mate, and have been using it ever since.

    It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!

    And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.

    And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).

    Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!

    1. Re:KeePass - fantastic software. by internic · · Score: 4, Informative

      Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!

      If you turn on the master password then the password file is encrypted.

      --
      "You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy

  6. Post-It Note on the Monitor by Prototerm · · Score: 4, Funny

    Post-It notes have the distinct advantage that no computer virus or Trojan can steal it.

    --
    "My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)

  7. Hashing Works by Aaron_Pike · · Score: 5, Interesting

    I use a mental hash for my less important passwords. That way all I have to do is look at the web site's name and run it through my hash function to come up with the password for that site. That way, I only have to remember the function and not the plethora of passwords.

  8. Use the master password feature and stop worrying by tomhudson · · Score: 4, Informative

    Firefox has a "master password" feature. Use it, and remember just one password. It'll prompt you for the master password the first time it visits a site that has a saved password.

  9. Re:if you use a mac... by 93+Escort+Wagon · · Score: 4, Informative

    I prefer the built-in Mac Keychain. With the Mac OS Keychain plugin, Firefox will save its passwords there as well (and it can share them with Safari).

    One important consideration - change your Keychain password so it's different than your login password. Use something that's easy to remember but hard to guess, e.g. the price of a cheese pizza and a large soda at Panucci's Pizza ($10.77).

    --
    #DeleteChrome

  10. PassGorithm - One Algorithm, infinite passwords by abdielillo · · Score: 4, Interesting

    I invented this method and it has worked for me perfectly since then. What I did was to develop an algorithm by which I can reconstruct my passwords based on the website or account. For example:

    1) Take the first letter of the website name, e.g. slashdot = 's'
    2) Count the letters in the website name, e.g. slashdot = '6'
    3) Count the vowels, e.g. slashdot = '2'
    4) Take the last letter, e.g. slashdot = 't'
    5) Add an underscore and a common keyword to the end of the 4 previous characters, e.g. 's62t_w00t'

    Here's another example with google.com: 1) 'g' 2) '3' 3) '3' 4) 'e' 5) 'g33e_w00t'

    Be creative with the rules... for example, if it's a bank account, make all letters UPPERCASE. Hope this helps. Note: the above example is not my PassGorithm :D

  11. Re:How I remember passes by plover · · Score: 4, Funny

    A guy I used to work with told me a story about a late-night support call with the operations center. He figured out that they needed to run a job that was under someone else's account. So they conference-called in this other guy at home in the middle of the night, and asked him for his password. He refused to give it over the phone, and the operations people were getting madder and madder because the night's jobs were being held up. Finally, he agreed to give them the password but only if they turned off the speaker phone.

    The guy's password was BigBlackDonkeyDick.

    Hilarity ensued. I'm pretty sure the whole shop knew the guy's password by the next morning (hell, I still remember it and I didn't even know the guy!)

    --
    John