Ask Slashdot: How Do You Manage Your Passwords?
Albus Dumb Door writes "As an IT professional, I've got a problem common to many of you: dealing with a lot of passwords. Memorizing them all becomes harder with age and an increasing number of passwords. I will forget them eventually. I am obviously unable to use something online, like Last Pass and 1Password. Using a single password for all the systems is also obviously out of the question. I know that there are a few apps for cell phones for managing passwords (like Phone Genie and mSecure), but a cell phone, unless it's kept in offline mode (and even then), is still a security risk and I'm pretty sure my employers wouldn't like me having their passwords on my cell phone. I've also taken a look at things like the YubiKey, but changing the authentication scheme of most of the systems is not an option. The only interesting option I've seen so far is the Pitbull Wallet, but they just started taking pre-orders on IndieGoGo and are not expected to deliver until August. Amazon has some hardware password managers as well, like the RecZone and Logio, but either the price or their reviews scared me away. So how do you guys prefer to manage your passwords and what do you recommend?"
It's not portable, and this is just what I do at home so may not scale well to the office, but I've basically got an old intel atom box (MSI Wind PC) running linux (slackware) with no network connection and full disk encryption just using luks/dm-crypt. I keep passwords, banking numbers, and other bits of sensitive info on there. No fancy management software, just plain old text files. I have it hooked up through a KVM and I just leave it running all the time (with locked screen), so it's nothing to switch to it when I need to use an old password or update a password when I change one.
Files are backed up locally using rsnapshot (for history), and then that's periodically copied to one of 2 (also encrypted) USB thumb drives (I leave one plugged in the back and periodically swap them).
Primitive, but sometimes that's what works. You could probably do the same with a raspberry pi at this point (disk encryption might be fun though).
Also this topic comes up like once a month, and the answer has not changed in years. Stop asking!
Completely off topic: what would be the best way to physically disable the wifi capability of a device. Obviously you can disable in software, but I'm the paranoid sort, and would love a way of knowing that my IP web cam is not gonna be doing anything with that wifi antenna. Thinking maybe some kind of terminator or some other way of "absorbing" the signals.
keep that piece of paper in my wallet
simple
keep them in your head or rely on the reset mechanisms
I keep them in plaintext files on my dropbox, lol.
on my desktop.
extensible, open source, active project...what's not to like?
I just use a simple text file and gpg.
For work, write them down on physical paper and keep them in your physical wallet.
You'll notice if your wallet goes missing.
For home, write them down on physical paper and keep that somewhere safe.
I have 18 account passwd's at work. Every one of them is 30 characters in length and every one of them is different.
Hint... They refer to the actual system they're used on.
Tattooed on the inner thigh. Forget a password? Just find the nearest restroom. With these new non-permanent tats it's better than ever, and much less of a space issue. For extra security (in case anyone has X-ray specs) you can do a rot-13. Of course you do have to be careful if you go swimming, such as wear an old style suit or maybe a "burkini" if a woman.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
A small notebook kept in a passport belt that never leaves your side should work well.
If you are required to have such a high level of security that this is not a good idea then you should use your memory. A failing memory means that you are not suitable for the job and should find something else, like working in a retirement home.
Does it go on forever?
Why is LastPass not an option? The password database is always synced to your laptop/cellphone so there is no problem accessing your passwords when you are offline. The security is the most robust I have found when it comes to password management, especially when you use 2-factor auth.
I use 1password, it's great. Perhaps not suitable for an IT pro saving critical, but great for me.
They'll be collecting them anyway
Get 1Password. There is a version for every platform, including mobiles. It stores your full logins and integrates with popular browsers: just click a toolbar icon, enter the one master password you have to remember, and you can log onto MightyMegaBank just by clicking on its name. The program will also optionally generate big random passwords to replace the short crappy ones that you used to be able to remember.
I have a unique password for every domain I log into. I created an algorithm based on the domain I'm visiting. So I only have one algorithm to remember. The interesting part is when I have to change my password. I just have to try and keep track of the increments in my head to feed back into the algorithm.
I use Keepass.
I store my keepass database on dropbox, this way it is accessible from my iphone, ipad and all my laptops and desktops. Any changes I make are synchronized between devices automatically.
Keepass will auto fill in websites with plugins like KeeFox for Firefox, or launch Putty.
I don't even know what my Slashdot, eBay or Amazon passwords are, as they are all about 64 random characters each.
If you choose to go this route, it makes sense to have a very strong passphrase, as such, my passphrase exceeds 128 bits. A key file is also an excellent option.
Try to hack my 31337 firewall!
Why are you unable to use one of the online systems like Lastpass? It's been very well vetted, offers offline and online modes. I personally find 1pass to be very Mac centric and expensive but it's a good product too. KeePass is a good opensource alternative, although it's a local program so there are those downsides. It has android and iOS apps too so you can have access on a mobile device if needed.
I run 1Password on Mac, PC, and iOS. Everything is kept in sync with Dropbox, but 1Password has other sync options as well.
Would I trust the setup with nuclear launch codes? No.
Should such systems have two factor auth anyways? You bet.
Maybe I'm an idiot but I don't get why these options are obviously bad. I use 1Password on a regular basis.
Password Safe, designed by Bruce Schneier.
Sure, in theory, my system could be trojaned, which means once I enter in the decryption key for the password safe, someone could be snooping on the passwords. Then again, in theory, if the system is trojaned, then someone could be snooping on the password as it is entered.
In practice, the usability/risk ratio is probably good enough for most people.
I keep a KeePass database for each of my consulting clients and encrypt them with a unique master password for each client that gets shared with the client. Then, another KeePass database with all of the client's master passwords inside of it encrypted with yet another master password that gets shared with my fellow consultants. This lets me give my clients access to their password documentation without having to give them the master password for all of my clients' databases. It also ensures that my colleagues have access to my client's passwords should they need to cover for me. Or, if you want to spend some money on a commercial product, look at Secret Server.
I like KeePass. It uses a database file that you can copy manually and you don't need to sync, or you could place the file on a dropbox share and use it from there. The file is encrypted and you need to enter a Master password each time. If you ever needed to give someone passwords you can export just the ones you need to share and set a new password so they can use it. It's been my favorite one to use since I use crazy complex passwords for everything online.
Why not http://passwordsafe.sourceforge.net/ ? It was designed by "renowned security technologist" Bruce Schneier.
It is available for Windows, but also runs great in WINE (so Mac and Linux are not left out).
PasswordSafe works for me.
Several passwords I need commonly are written in my wallet, with nothing to indicate what, or what username, or system they are for. There are about 5 passwords written on a sticky note stuck to the back of a seldom used credit card.
Everything else is in PasswordSafe.
If I were God, wouldn't I protect my churches from acts of me?
I created a web app. The password (decryption key) is sent on every request, so it's never at rest. Under the hood, entries are encrypted and decrypted with openssl using a reasonably secure algorithm. Each entry in the database is just a plain text file. I can include passwords, accounting information, URLs, whatever I want.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I find that hard to believe. There's a website called Fark.com full of middle-aged people swearing up and down on a stack of bibles that being old is the best thing ever.
LastPass is fine if you trust the network (except for the NSA sniffing everyone's master keys). Keepass is a good offline solution.
1. Access should only be available to systems you currently and actively manage. If you're using the system so infrequently that you can forget, your account should be suspended. 2. Admins should keep a secure log of access credentials stored in a secure area with controlled access. Any "in case of my death" information should be recorded. If there isn't a local site, you might want to consider storing the documents in a safe deposit box at your bank.
Come up with an algorithm only you know, that is generally different for each system you use, and for added security contains some personal thoughts about the site that make it hard to figure out your algorithm (although that last one might stump yourself too, lol). The problem is when you're forced to change your password, but it's usually some regular cycle, so I'm sure you could figure something out for that too.
randomly. three options. 1. slashdot starts with s: password is sw23edcx. 2. two s words: semaphoreslinky. 3. for those that require combos: Sw@3edcx.
I use KeePass as well, synced to a dropbox as well as on a thumb-drive.
I gave up on password managers a long time ago. They are prone to compromise at some point. Instead, I use an algorithm that uses some element of the target as a seed to a simple formula. This gives me one thing to remember only (or a few), yet gives me a different password for every single site. A simple to understand, yet bad formula to use, would be something like this: password = siteurl[2] + mySecret + siteurl[4]; So the password for google would be 'omySecretl'. Use a better formula for increased protection. Again, easy to remember, no password manager to get to/install, and a different password for every site. Likes it simple, Jim
... people in the office are storing their passwords in a Word or Excel file and saving it as a password protected document...
What I use is a text file on a thumb drive also backed up on several local drives.
The text file contains the first half or so of the password, enough to remind me of what the password is should I forget. The rest is stored in my brain.
For rarely used passwords and places I will put a hint under the half pass.
I am trying to get away from these long 20 character passwords though... I really wish some one would invent a better system. Maybe a thumb drive that combines storage and a thumb print scanner in one package.
Use an algorithm. This way you don't have to know your password, you just know how to figure out your password. Make it between 8-14 characters and base it off of what you are logging into.
For example, Slashdot. Slashdot ends in a T, so T can be my first character. Then I can put something arbitrary like camels. So I have Tcamels. Now I can create some numbers..how about the number of letters in slashdot. Tcamels8. Sure, somebody could eventually figure out the algorithm, but it won't be easy.
A text file, encrypted locally with a long password (something I can remember easily, but quite long) and then uploaded to Google Docs for easy access anywhere that I have the decryption software. If I need a password, I just open that file up and copy / paste the password needed - then close it again. If I make a change to a password I can just change it once and that populates to all the other locations where my Google Docs are stored, but it is fully and safely encrypted the whole time.
I even have an app for my phone in case I need it, but there is three factor authentication: my phone's login, a short PIN for the app, and then my full encryption password.
William George
I'm using a big fat binder on my shelf.
Chris
I use vim -x passwordfile.txt. It uses Blowfish encryption. You only need the -x flag when you create the file. I keep it on one computer at home, only, with a hardcopy (lots of index cards) in a desk drawer. If I need it on the road I temporarily copy required passwords on a USB thumb, encrypted. It's not an enterprise solution, but I'm just one person, so it works OK. Actually, I refer to the index cards way more often than the password file.
Just keep them on physical paper, with multiple copies in secure places. But then encrypt the text by devising a simple ROT style replacement algorithm against an OTP, which could be a physical book that you know and love. Just remember the specific page/passage, even memorize it, and then do the replacement manually against the list.
Passwords you use frequently you will memorize to avoid the hassle of processing against the text. Even if they are quite long.
This isn't necessarily the strongest use of a One Time Pad, but is pretty secure as long as nobody sees which book you keep looking at!
The problem with any password manager/tool (of course aside from a simple text file, which is obviously out of the question) is that you are dependent on that piece of technology. A commercial password manager may exist for Desktop OS 1 today, but may not be supported in Mobile Phone OS 2 tomorrow. The cumulative turnaround time for your password inventory is often much longer than that of any particular device in your possession.
I've resorted to a lower tech solution for my own password inventory: A scheme that is based on the particular website (or other service name) in question. For instance, you may have an invariable prefix or suffix (perhaps an "encoded" phrase that's meaningful to you), a special character or two, and a component that is based on the web site or other name in question. In other words, something like:
FiXeD#pArT.service-specific-part
How you would "encrypt" that service specific component is really up to you - the point is that everyone would do so differently. But it should be something that you could train yourself to do relatively quickly.
The only downside with this approach is that with so many different services with so many different password rules (some require a minimum number of characters but no more than a maximum, some REQUIRE uppercase or special characters; others do not support special characters at all.... etc), it's hard to find a single universal scheme that works everywhere. However I've found that with a couple of different schemes of this nature, I've gotten by so far.
Another thing to think about is almost the opposite - how to enable access for your loved ones to certain places (e.g. to inventory your financial records etc) in the event of your death. Of course most of this can and should be done with signed affidavits etc, however, it can be difficult for them to get a complete view of all your accounts, policies, services etc unless you have a comprehensive summary somewhere.
I made a password system mapping names of things requiring passwords to the passwords. The output passwords look like long strings of gibberish letters with uppercase, digits and symbols mixed in. It allows me to just change one input into the system for which iteration it is. It produces different passwords for each thing I need a password for.
It is not as secure as lastpass, keepass, 1password, etc. but it is more flexible and portable, sufficiently strong, and easy on the memory.
Now if only someone would create an ownCloud app to view KeePass files...
...that would be a security risk.
systemd is Roko's Basilisk.
http://www.quest.com/privilege... http://www.liebsoft.com/ http://www.thycotic.com/produc... All of these support multi-user / groups of users access. That is what you actually want. And yes, they cost money, but if you are in IT and need password management, and don't want to pay any money, find a better employer!
For the most part I don't save or memorize passwords. I regenerate them as needed with SuperGenPass. SuperGenPass algorithmically generates passwords by hashing the site's domain name together with a single memorized password. This always generates the same password for any given site. So, I don't have to remember them or store them anywhere, I just need to know how they're generated.
But what if I'm at someone else's computer without SGP installed? The SGP website has a "mobile" version, which is just javascript that runs entirely within the browser. Go there, type in the domain and password, and generate it. (Yes, I've checked the javascript. It's not sending your password out to the mothership or saving anything locally.)
I do keep a notebook in a plaintext file with all the sites I use. This contains the domain name that the site had when I first signed up. Domain names sometimes change, or are ambiguous (ie., the same site is available via both foobar.org and foobar.com). The text file lets me keep track of what I need in order to regenerate the password.
What about sites that require periodic password changes? I use the domain and just suffix my memorized password with a sequence number. And I write the sequence number in my notebook.
What's that? Security questions? I generate the answer by hashing the question itself rather than the domain with my memorized password. And of course, I copy the question verbatim into my text file so I can regenerate the answer when I need to.
The only failing is when I hit a site that doesn't allow certain punctuation, or has length limits, or something of that nature. Then I modify the parameters that I give to SGP and write down the specific parameters that I used.
The notebook is stored on my home fileserver in an svn repository which gets backed up every night. I'm completely screwed if I ever forget my one secret, but it's one I've been using for literally decades now. It's going to be one of the last things to go when my brain develops bit rot.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
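The SuperGenPass-style workflow described in the post above (hash a memorised secret together with the domain, bump a sequence number on forced changes, hash the question text for security answers, and note per-site rule adjustments) can be illustrated with a small derivation routine. This is an added example, not SuperGenPass's own algorithm or code: it assumes PBKDF2-HMAC-SHA256 as the hash (a choice made for this example), a default alphabet and iteration count that are likewise constructed, and a "notebook" of labels and parameters that stands in for the plaintext file the post mentions. It also covers the earlier comment's point about sites with conflicting length and character rules, by taking the rule adjustments as parameters that are written down next to the label.

```python
"""Deterministic per-site password derivation, in the spirit of the
SuperGenPass approach. Added illustration only: PBKDF2-HMAC-SHA256 is an
assumed choice, not SuperGenPass's algorithm. Only the master secret is
memorised; the notebook holds labels and parameters, never passwords."""
import hashlib
import hmac
import math

# Constructed default alphabet: letters, digits and a few punctuation marks.
DEFAULT_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!@#$%^&*-_"
)
# Constructed iteration count: slows offline guessing of the master secret
# should one derived password ever leak.
ITERATIONS = 200_000


def derive_password(master: str, label: str, counter: int = 1,
                    length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Map (master, label, counter) to `length` characters drawn from `alphabet`.

    `label` is the domain name, or the verbatim question text for a security
    question. `counter` is the sequence number bumped on forced changes.
    `length` and `alphabet` are the per-site rule adjustments that get written
    in the notebook alongside the label.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and at least two alphabet characters")
    # The salt binds the output to the site and the counter; the label is
    # normalised so 'FooBar.org' and ' foobar.org' agree.
    salt = f"{label.strip().lower()}|{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)

    # Map key bytes onto the alphabet with rejection sampling so every
    # character is equally likely (plain modulo would bias the low indices).
    limit = 256 - (256 % len(alphabet))
    out, pos = [], 0
    while len(out) < length:
        if pos >= len(key):
            # Deterministically stretch the key stream if a long password
            # (or heavy rejection) exhausts the PBKDF2 output.
            key = hmac.new(key, b"extend", "sha256").digest()
            pos = 0
        b = key[pos]
        pos += 1
        if b < limit:
            out.append(alphabet[b % len(alphabet)])
    return "".join(out)


def output_entropy_bits(length: int, alphabet: str = DEFAULT_ALPHABET) -> float:
    """Entropy of the output string itself; the scheme's real ceiling is
    the entropy of the memorised master secret, whichever is smaller."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed example secret
    notebook = [  # constructed notebook entries: what gets written down
        {"label": "foobar.org", "counter": 1},
        {"label": "foobar.org", "counter": 2},  # after a forced password change
        {"label": "oldbank.example", "length": 12,
         "alphabet": "abcdefghijklmnopqrstuvwxyz0123456789"},  # site forbids symbols
        {"label": "What was the name of your first pet?", "length": 16},
    ]
    for entry in notebook:
        pw = derive_password(master, **entry)
        print(f"{entry['label']!r:40} counter={entry.get('counter', 1)} -> {pw}")
    print(f"20-char default output: {output_entropy_bits(20):.1f} bits")
```

Because the label and counter go into the salt rather than being appended to the output, one leaked site password gives no direct handle on the others; an attacker holding it still has to guess the master secret through the PBKDF2 work factor, which is the property the simple "root plus site suffix" schemes elsewhere in the thread do not have.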
At the office where I work, we use GPG keys and a text file. It doesn't sound like much, but it means that searching for services or machine names and other "keywords" if you're having a space-out moment is pretty simple because adding comments is very easy. It also doubles as a way to select against people who don't want to understand BASH / Linux, which we rely on heavily.
Naturally SSH keys do the bulk of the real work in our environment, but when we need to store a password the "less is more" approach has worked out well for us.
Memorized the passwords. Know your limit on how many random letters, numbers, symbols you can memorize and then remember them. This is especially useful because my data dies with me.
Yubikey supports static passwords in addition to OTP. No drivers or software are required.
I add a pin to the end of mine that I type in on the keyboard for extra security.
Also LastPass has an Android app as well as iOS. You didn't state why you couldn't use that.
So you keep all your passwords in .bash_history? If by any chance the way you generated it for one site spills (from watching over your shoulder to putting a keylogger or whatever), all the others could fall.
Btw, just adding a space at the start of the line will make bash not save it in history.
OK, why not?
(Truly curious as to why a password manager is considered better than an encrypted spreadsheet, using the same password or pass phrase).
You never know what is enough unless you know what is more than enough. - Blake
These cyber criminals are babes in the woods, compared to my brilliance. I pull wool over their eyes easily. See? I enter the password in the username textbox and the username in the password textbox when I created the account. That is the last place they will look while trying to hack my password. haa haaa. The joke's on you script kiddies...
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
https://github.com/zdia/gorilla/wiki
KeePass. With the encrypted datafile in dropbox.
"Unheard of means only it's undreamed of yet,
Impossible means not yet done." ~~ Julia Ecklar
Your system is pretty much online... :}
I keep all my work passwords in a file that is saved in a TrueCrypt volume. This volume is kept on a network share where only domain admins can access it. I also keep some of the important passwords on a piece of paper that is locked in a safe in the data center. Generally I remember all the passwords I need, but sometimes (especially after a vacation) I need to refer to the TrueCrypt volume. If I ever forgot the password to access the volume, I have it stored in the safe. If I forget the combination to the safe...I'm screwed. Thankfully that hasn't happened yet.
I use SplashID on my phone (and it's probably the single biggest usage of my phone). Don't get the current version though - 7 is pretty much unusable. I had to fall back to 6, which is usable, though not quite as simple as 4 was (I think that's what I upgraded to 7 from, which was a terrible mistake). Like the submitter, I refuse to use the cloud offerings (which SpashID has as an option now). A cell phone is a risk, but I choose to believe that I could change the passwords before the database could be cracked, and that my risk from malware is low because I don't install every shiny new app that comes along. I do so mostly because there really isn't a practical alternative at the moment.
Break your password up into two parts: the root and the suffix. The root part of the password is the complex part, that you want to change periodically yet is the same for all of your services. The suffix part is simple to remember and unique to each service, and should be consistently derived from the service itself.
For example, let's say you are setting up a password for your Yahoo account. The root part is "TLi945!zx" and the suffix would be "yahoo" resulting in a password of "TLi945!zxyahoo".
Your password for Outlook might be "TLi945!zxoutlook". And so on. Each password is strong enough to hold up to pretty much any brute force attack, and when it comes time to changing your passwords, all you have to worry about memorizing is the root part. Then you just think about what service you are logging into and append it. Since the root part of your password gets used very frequently across all of your accounts, you can make it more complex than normal due to muscle memory building up faster.
Also, it might be worth making the suffix a little less obvious than the name of the service. You could instead do something like the first, second, and last letter of the name, so the Yahoo password would look like "TLi945zxyao" and the Outlook password would look like "TLi945zxouk".
One password to remember; database is encrypted, designed so you can logon with a few mouse clicks. Some of you will be disappointed to hear it's for Windows only, and it's so stable it hasn't been updated in years. See http://www.clrpc.com/index.htm
are the same as my luggage.
...attached to monitors.
I write them on my genitals. Every /. reader could do that without risk of compromised credentials.
I use KeePass stored in a TrueCrypt file. I sync the TrueCrypt file on a cloud service in order to share it between devices. The key file is stored separately and never on the same physical media.
I memorize them. It's not always easy but it's really the only 100% secure way, and no they are not simple and they do get changed often.
I use a copy of the community edition of ClipperZ: https://clipperz.is/
I run it securely on my own servers, although I've made a few modifications to prevent brute force logins and to brand it to my liking.
I create separate accounts for all my clients and give them access to their account. They seem to love it as I have all their shit in one place for them if anyone else needs it.
Wherever you can get away without having to use passwords, I would not. Password-less solutions like LaunchKey can often easily be integrated into your systems and are MORE secure with less hassle.
Linux can be installed on tablets. I would research a seven inch tablet, a distro that suits you, install Linux, encrypt the hard-drive, and power-down the device when not in use.
I'm pretty awful at password management.
One "simple" password, used for web services that don't have any sort of financial or other "real" interaction with me beyond a pseudonym and a download I needed to access or an article behind registration that I needed to read.
One "complex" password with a little bit of ever-changing entropy used for things like Google or Microsoft type services, banking/mortgage sites that don't offer me two-factor, etc. Your basic 7724hAppy!d0G$$smil3s sort of affair. Next year they'll all rotate slowly into 8562saD^DOG$$fr0wnz, if they're still in use, rendering abandoned site's passwords useless.
And either two-factor authentication (RSA + "complex") or a unique "complex" password for accessing my work or accessing my uber-secrets.
I frankly can't be bothered with much beyond that.
3x5 card (literally). Stored in a fireproof box for emergencies (like - I kicked off, now family owns my web site && how to maintain it, etc.). Yes, I do minimize the number of passwords I use to about 4-6 (and they are based upon mnemonic triggers that are _highly_ specific to me as a person).
http://www.youtube.com/watch?v...
I'm 60 and I have about 20 passwords. Some are to my wife's accounts.
I memorize them. BUT they are all memorable to me.
Let's say I had a very memorable event - my first kiss at an amusement park in 1969 - I'll create a password 'mfkaaapi69' and then switch it up a little bit so it ends up mFka&api6(
This password might be reused for a few accounts that I consider low level security (ie no money, no real identity). Banking/financial logins are unique and are longer mnemonics.
Work is a pain - every 60 days we have to come up with a new one, so my work password has a number I increment. KISS since they force the changing. Strangely some of my work logins still have the original password, while other logins are crazed about the changing. Must be different admins controlling some of the domains and accounts.
I do write my personal ones down, but that list is in our family papers stash, and it's clearly labeled what the accounts are - in case I kick the bucket.
I've had a few scares and changed all passwords to all accounts at once. I had to rely on that written list for a few days.
*click**beep**beep* Scotty, One to Mod up!
What I use is a text file on a thumb drive also backed up on several local drives.
The text file contains the first half or so of the password, enough to remind me of what the password is should I forget. The rest is stored in my brain.
For rarely used passwords and places I will put a hint under the half pass.
I am trying to get away from these long 20 character passwords though... I really wish some one would invent a better system. Maybe a thumb drive that combines storage and a thumb print scanner in one package.
You mean like this?
Yeah, they're a bit pricey, but not totally out of the ballpark for the concerned user :)
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
I have a truecrypt virtual disk that I store in a dropbox folder. Because dropbox can sync differentially the entire thing doesn't have to sync every time I disconnect the file. Because all dropbox sees is the encrypted file, unless someone can decrypt it it is useless even if they breach my dropbox account or in some other way gain access to the file.
It works a treat, to be honest. I keep sensitive passwords, of course, but also use it as encrypted storage for my notetaking app, sensitive diagrams, images etc.
"In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
It is good for iOS, Android, or web. Passwords available offline or online. Documents online. Can enable two factor authentication - send SMS to phone.
http://securesafe.com/
Really good product and very happy with it.
(1st sig) If this were a snappy sig, you'd be reading it right now. (2nd sig) I'm a karma whore. >Insert FUD here
unset HISTFILE
I have Secret! and KeePass on a company smart phone. Secret stores my personal passwords, and Keepass stores system passwords. Both are synced to/from a company server. The master password for Keepass is known to the other admins, and the Secret password is known only to me. (And no, it's not Correct Horse Battery Staple, sorry.)
If the company has a problem with you keeping company passwords on a personal phone, have them issue you a phone with remote kill.
The advantage of using a repository is that you're never tempted to make passwords easier to remember (IE: guess) or to reuse a password across multiple systems. The repository password is (ok I'll tell you...) a random string of characters arrived at by pounding the keyboard with both hands for several seconds and then choosing a sequence out of the center of the garbage. But you can remember any random string if you only have to do it once.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I'm at a loss to understand what the security issues you would have such that cloud-based password managers are a hazard. And yet, such that you can get away with passwords that you can commit to memory.
Any password you can remember is a password that is already in thousands of crackers' try-these-first password lists. All of the online security breaches of password database have provided a rich and extensive database of passwords that people actually use. No, you need to use a password manager. Like five years ago. But a password-managing device is the worst possible option you can consider. How can you back up your password database?
A good, completely off-line option is Steve Gibson's 'Off the Grid' password generator here: https://www.grc.com/offthegrid.... You could generate a paper grid and use that. It can be reprinted as needed, and even if you lose it, no problem.
Some/all of the cloud-based managers can be used offline. I know for a fact that LastPass does not need to be connected to the 'Net to work. It's free, try it out - see if it works for you. There are 'LastPass Portable' versions, designed to run off a thumbdrive.
For a buck a month, LastPass provides stellar technical support (one of the programmers called me at home to sort out an issue I was having when using 'LastPass for Applications' with the steaming pile of a crap that is iTunes): https://lastpass.com/go-premiu... Their security has been vetted by trusted reviewers, they use best practice encryption and protocols. Perhaps their Enterprise services will fit the bill?
Cheap at twice the price. I can't recommend them enough.
for all
problem solved....
I keep a leather book for my passwords in my safe. Leaving them anywhere on the computer or online program makes them vulnerable. For unimportant passwords, like message boards, I use the same password since it does not hurt me if someone feels like stealing that. lol
My phone book is effectively a codebook, where I am the only one who knows a format. If I write down on my password list as "Slashdot = Jane", then I can translate the password to something like "JaneSmith15555555555!". Not perfect but very effective for all of the medium security passwords you encounter.
Bonus: You can actually remember people's phone number after a while.
I use this chrome extension https://chrome.google.com/webstore/detail/password-hasher-plus-pass/glopbmohkffbnplcjbbbfmmimfhfnhgd which is based on one that was originally made for firefox. I use the portable html page on my phone or on a thumb drive, but there is an android app available too.
If one of the very-short-ranged devices like a wristwatch can be handed the task of keeping your temporary key, then go for it. A crook has to cut it or your hand off, or a court has to write an order to let the police at it. That's reasonably secure, at least as good as a door-key on a keyring. The magic words are "short ranged".
davecb@spamcop.net
If you use a simple prefix you can remember, a different one for each system, then you can program a complex suffix into a YubiKey configured in "static mode". This avoids changing the existing password based system.
Of course, it's not as secure as other options, like One Time Passwords or challenge-response systems, but is an improvement.
(Another option would be to have a separate YubiKey for each system, then each system could have a completely unique password.)
Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
I can't believe that nobody has mentioned what is used in a lot of high security areas...
http://www.mandylionlabs.com/
Get one of their fobs, works for all and will self destruct if you enter the master password in wrong.
Do not look at laser with remaining good eye.
I etch them into stone plates then hide them deep in a cave in the Amazon surrounded by deadly booby-traps.
It's pretty secure but it's a bit of a pain to access them when I forget the login for my hockey pool.
I stole this Sig
I'm like the luddite here. I have a system of a handful of passwords I use. I have one unique one that I use for gmail. I have a secure one that I use on a few sites, and a secondary secure pass. I have an unimportant password that I use for junk things like forums I don't care about. I have a few backup passwords I switch to when someone gets hacked, like Kickstarter.
Just another second banana
None of these methods of password storage are resistant to the twelve dollar wrench attack.
The way I do it is I create a small DMG file, turn on good encryption and save it in Dropbox. Put a simple text file in there. Done. Just eject it when you're done and make sure to not store the password in your keychain. OS X only, but if you need in you can get into DMGs with 7-Zip on Windows or just mount it under Linux.
Type them out in a text file:
1. Organize them by the service or name but not IP address.
2. Record the password using the first letter and last letter. That should jog your memory.
3. If you really need to, symmetrically encrypt the text file.
I type my passwords in openOffice.org because I can't afford M$ office. Just kidding. I use http://keepass.info/
I keep multiple backups of the password database.
I have levels of security. Any ordinary web site that demands a password gets my lowest-level password, which is the same on any such site. This happens to be my Slashdot password - who cares if somebody hacks that one?
I have a special password that I use for my bank account. It could cost me all my money. Same password for any bank.
Sometimes I have an intermediate level, but not often. It's surprising how little security is really necessary.
Total of two or three passwords, each memorized.
notebooks
Once I got past the post-it level many years ago I put them all in a notebook, but not too obvious or near the computer. After all, the daily ones are memorized.
Actually 2 notebooks as I copied it all for a copy at home and work. The new passwords go on a page in the front and that gets copied to take and enter in the opposing book to keep them reasonably sync'd. If it is new enough that it is not in the other book I probably remember it still :)
I store all of them on dropbox and google docs.
Where encryption has been cracked by the NSA. So everyone knows it. "Pass-Wurd-1"
~/passwords.txt.gpg contains all my important passwords, I have copies of it everywhere. For non-important passwords (like Slashdot logon), I just use a password I can remember, which is the same or minor variants based on the site's password limitations.
You never know what things can go wrong with electronic systems, but a book with written passwords in a place where the boss knows where to look if you get hit by a bus is almost foolproof.
There are three forms of authentication. Something you know. Something you have. Something you are. When properly implemented, that list is in order of increasing strength.
Something you know can be easily stolen without your realizing it. These are passwords.
Something you are is what we call biometrics, and it's still not ready for primetime.
Something you have is generally like a hardware security token for challenge-response password systems, but can also be something like your smartphone/tablet passing cryptographic signatures. Or http://www.barnesandnoble.com/p/home-gift-basic-black-lined-journal-5-x-8/26454278?ean=9780641586040
One page per web site, computer system, account, etc. I also wrote a bash script to generate random, yet easy to type passwords of arbitrary length, that look like modem line noise. I generate a password and then write it down in the notebook using unambiguous glyphs (I1l) (oO0) followed by the date I generated it and subsequently changed the password for that web site, computer, account, etc. to that new password. If I need to login afresh, I just turn to the page in the notebook for that system and type the password while guarding against shoulder surfers. If the password gets old, I just generate a new password, add it to the system's page, and draw a line through the old one.
This also has the benefit that I can have it to give to my lawyer or next of kin should I be indisposed for a long time. This literal "little black book" of passwords ensures that your passwords are as hard to guess as humanly possible, thus eliminating the inherent vulnerability of "something you know" by turning it into "something you have".
I'm a sys admin for a large chain of retailers, and I use a small notebook, with the passwords written in a substitution cipher. I have a large amount of passwords to manage (52 stores) + admin passwords. I often find myself with non-standard hardware and as such I cannot rely on a cloud's access, and I like the extra layer of security: if my laptop is compromised, my passwords are still safe.
Emacs + Org mode + EasyPG
Here is the approach I use. I am posting anonymously, because there are people who know my username, and who know enough about me in real life to have a chance to reverse engineer my passwords.
0) I need to create a new password.
1) I describe the task for which I need the password in a language I speak. Not Russian, but if it were, and if the site were Flickr, it would look something like: "Показать семейные фотографии" (displaying family pictures)
2) I use a few specific, rather easy rules to go from the above language to a Latin transcription. For example (not my rules) I could use the first three letters of each word (Поксемфот), translate them phonetically (PokSemFot) and replace all vowels with numbers (P0kS3mF0t)
I have been doing something very similar since 1993, and I have been unable to retrieve a password only once. I remember describing the task vaguely like 'preparing something ghastly'... I got too fancy, and paid for it.
But this works for me. And there are enough languages out there, and enough ways to transcribe from one alphabet to another, that I feel I'm safe, even after publicizing my trick.
Oh that is a nice thing!!!
Thank you!!!
Yeah a little pricey but not crazy expensive at all and totally worth it.
Sync 1Password to your drop box from your mobile/Windows/Mac and you can view it in Dropbox securely via a web browser.
Windows, Android, and I'm pretty sure there is an iPhone version. Keep it sync'd and use a complicated password. 3 shots at the password and the database is wiped. All website accounts get randomly generated, different passwords for each site. No two sites have the same password. Most don't have the same user account. Also good for devices, and other info where you need to keep notes, date purchased, sn, license keys, setup info etc...
I have used Password Safe, Bruce Schneier's solution for a number of years. (pwsafe.org)
Linux version is in beta with Windows and Android versions available
...is just the letter "a"
IronKey comes with a good password manager. I find it invaluable for remembering everything for me.
I just keep them in a google doc using their 2 factor authentication system.
The only computers that are allowed to open it are my home computer and a work computer.
Now it's not safe from Google (or the NSA), but do I really care?
This sounds like some sort of office environment. Why not simply write the passwords down and put them in a safe or other [secure location]?
If you still have problems with passwords, YOU are the problem.
http://xkcd.com/936/
plain text file in a Truecrypt volume, and little scripts to query/add to the file. It used to be batch scripts when I used Windows. Now I use bash in Linux, which should also work on Mac. The "t" script is to mount the Truecrypt volume if needed.
$ cat `which p`
#!/bin/bash
# mount the Truecrypt volume if it is not already there
[ -d /media/truecrypt1 ] || t on
# accept up to 3 arguments, and filter on all 3
# (an empty "$3" still matches every line, so two arguments work too)
if [ -z "$2" ]; then
    grep -ni "$1" /media/truecrypt1/p
else
    grep -ni "$1" /media/truecrypt1/p | grep -i "$2" | grep -i "$3"
fi

$ cat `which padd`
#!/bin/bash
[ -d /media/truecrypt1 ] || t on
# append a dated line with whatever was passed on the command line
echo `date +%F` " $@" >>/media/truecrypt1/p
My system:
1st, 3rd, 4th letters of key identifier, their sum, and passphrase. Example:
www.slashdot.org would generate pw:sas39dogfarts
Every site gets a unique password, and all you need is to glance at the URL to generate your password. Also, I plan on having it in my will so my family can access my accounts post mortem.
Just use the same password everywhere. "monkey" is always a good choice.
Alzheimers.
Seriously this is a PITA today. .txt file slightly munged.
For random ones I do not care about...
For less random ones vim -x
Serious ones -- if I told ya I might have to silence ya.
At work I had an old school photo book with 4"x5" cards in a well locked drawer equivalent.
I could hand a card to someone that needed it. Cross out the old and enter a new when the card comes back (think library checkout).
where a card was a log of who got it.
I could hand the book to my x-boss when I left ;-) :}
after he signed for it
"ssh" keys help a lot of things.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
I like to save my passwords in a Word/OpenOffice/LibreOffice document, then encrypt that using TrueCrypt using a keyfile I will remember what it is, and making sure it can be downloaded from the internet and still work (a random song stuck in your head will work nicely, just as long as you don't mind keeping it stuck in your head (the key file should be buried with many like files for best effect)). Then if I need it in multiple places I'd either grab a USB and carry it to where it's needed, or toss the encrypted file into the favored cloud/accessible data host and either have a sit down to tell them where to get the keyfile or hand it over, or some other secured channel. If you have such a thing, a rot13 (or what have you) run on the passwords themselves, just to screw with anyone who hasn't got the manual but still got that far.
Then again, my methods aren't that practical for average use, nor ease of use. It's just the way I do things when I need a string of passwords to be stored and secure. Though the hassle of this method isn't worth it to most people, it has the advantage of being able to slap new things into place or take old ones out; also, many people do not expect rot13 or even older methods of hiding information.
One password for your email. One for your banking sites. One for online stores. One for everything else. Everything that needs to be secure is secure and everything that doesn't really need to be secure is still pretty secure, and you only have four passwords to remember.
Vi has an :X option for writing a file with encryption.
The encryption option has recently been enhanced with an option to use a Blowfish algorithm.
See "help encryption" in vi for the details.
I generate 200 passwords at a time using apg.
I have been using this scheme for 10 years and my password file is now a 22 page printout.
On a Linux system with vi in a terminal window, you can avoid typing passwords. I use long untypable passwords for virtually everything.
One use of such a system is I created several alternate usernames and passwords several years ago. I can use these Internet relationships with relatively little connection back to my current relationships. The recent news reports about NSA email monitoring have made me much more interested in detaching myself from my established identities.
Regarding my Slashdot postings, the new sophistication of this website combined with the NSA's obvious ability to look at my previous posts leads me to wish I had made an alternate Slashdot username. Hindsight not good enough, yes?
I see some mixed reviews. Was there some large hole in the way it is secured? Also it seems difficult to obtain one of these. Also, it seems like it comes in 5 packs for ~$270.
Well, I keep a plasticized Password Card [1] for keeping the passwords that actually matter, along with a PGP passphrase, which is used to open up my password store [2]. The program itself is available on any major distribution, and it's really easy to install if it's not; it's also very easy to use. The only "disadvantage" is that there's no Windows version. [1] https://www.passwordcard.org/e... [2] http://www.zx2c4.com/projects/...
I do this... Service/Website Name+GeneralPassword spaced by $'s $Slashdot$Password$ This gives you a unique password for each site and I can remember it easily.
I picked one robust password, and then I add a prefix to the front that relates to the site or service it is for. For instance, for Google it would be go************, where ************ is the common portion.
That is similar to what I have been doing for years, I have a base password, then I add characters generated for the domain name using my own algorithm. Easy to figure out in a few seconds and every PW is different.
If you could reason with religious people, there would be no religious people
You can use LastPass offline. Maybe try looking into all of the options instead of making assumptions.
I store all my passwords in an openoffice calc file that's password protected. Additionally, that file is hidden on a truecrypt non discoverable drive. I feel relatively safe doing that.
The only person who ever sees it is my girlfriend, and she can't read it because it's upside down to her.
I've started using a concatenation of many easy words, related to the system and my daydreams. According to xkcd, long plain word passwords are more secure. So at work, one password is "servertwomybitterlife". At home, it's "Anypornonthis24inchmonitor?" My bank account is "Ohlookabalancebelowzeroagain!"
KeepassX, it works on Windows/Linux/OSX/iOS/Android... You could also use TrueCrypt to protect the hard drive where the password database is located.
To keep database synced you could use Google Drive or Dropbox
Password Safe from source forge was designed by a cryptographer, is totally sedentary on your drive and can hold an unlimited number of passwords. To back it up, just mail the encrypted data file to yourself once in a while. You have a Notes area so you can put in when you opened the account at the website, and what you bought and also put in the URL of the site in case you forget. When I download software I put in the key so I never lose it. Just come up with one, long personal pass-phrase that is your master key. If you like you can use your Yubikey (on the secondary non-networked channel) to be the master password. (Keep a spare clone key in the safe.)
Password Safe has no bells nor whistles. Mine is a decade old and has hundreds of passwords, each different. It makes up nice randomish ones in a trice. Simple, sweet, stable. What's not to like?
Well at home I just use the same pw for everything, at work I just write it on a post-it and put it on my monitor, after changing it to "never expires" in the AD.
Saves me no end of trouble..
Hash a secret ("master password") with basic information (domain or domain+username), and use the result as the password.
You get unique passwords for each site, which are at least casually indistinguishable from randomly generated passwords (provided you don't have a hash type prefix attached), and the ability to quickly set yourself back up on a new computer with only knowledge of the master secret.
There are plugins similar to this Firefox one https://addons.mozilla.org/en-US/firefox/addon/password-hasher/ available to automate the process.
I have been using Roboform for over 5 years. Currently I have 600 sites/passwords, all different, stored on my laptop & password-protected. The beauty of Roboform is that it will fill in passwords for Windows programs like SSH & SFTP & VNC as well as logging you in to sites automatically.
Off my laptop I store Roboform2Go in a Truecrypt volume on a thumb drive.
In the cloud I use SpiderOak to store the password-protected passwords.
I'd like to know any reasons why this is not safe? It is most convenient & runs on my Linux box too.
I do NOT use Roboform online sync, only locally.
Nico M, London, GB.
I use pass (http://www.zx2c4.com/projects/password-store/). Passwords are stored gpg-encrypted in a git repository. Command line can copy the decrypted plaintext password to the clipboard with expiry.
I then only have to remember my full disk encryption password, my login password, and my gpg passphrase. These are each quite long, but gpg-agent and muscle memory minimize the hassle.
I've been using it for years. Works well for me. Just pick a long cryptic master password (or perhaps a small handful), and then hash away. Plugins available for all modern browsers.
My passwords are usually more than 16 characters and they are non-dictionary words. They are all types of characters, some using non-Romanised letters. I literally could not! cannot remember my passwords for my server, for my WordPress, for my email system and various different formal and non-formal email accounts managed by me. My Amazon password, my eBay password, my blah blah blah password, even for this website even though it's a smaller password. I keep all my passwords in a plain text file on an external hard drive. I make a policy of not telling people what type of desktop operating system I use, for security reasons; my web browser has no identifiable user agent because I do not want to give a potential enemy information to attack my computer system through email and various brute force programs or Trojans and viruses, Java exploits and drive-by malware. I run a very secure system and the only weakness I have is remembering those bloody passwords! I'm sick of the fucking things.. Get through my external hardware firewall and my internal software firewall and my intrusion detection and there are my passwords in plain text, all in the centre of a pretend dummy boring read-me document. I need to encrypt them some day and yes, with another fucking password, I hate the bastards. I often use a language and browse websites that have a similar language to 1,338,299,512 people who all think they are master "Hackers." So there are probably 1,338,299,512 people with my passwords plus the NSA and GCHQ and somebody's granny at Tristan da Cunha.
Personally, I use a password-protected secure note in an OS X keychain. Fine, rail me for that, but if someone gets into my keychain, I've already lost anyway.
For work, I've been trying WebPasswordSafe for the last several months. This is to get away from the melange of different un-sync'd password lists in various password managers people in the IT department had. So far it works well, it offers group policies, so theoretically it could be rolled out company wide and each user and group could have their separate password lists.
I'd been guided to look at SecretServer, but the features I need are in WPS, and it's easier to sell Free in my company than Several Hundred or Thousand dollars, for many things at least.
I like music
I've just constructed my own simple password manager. Attach a short ident for each password to a strong master password, and then SHA512 and base64, truncate the result as necessary. Can be easily reconstructed wherever you want.
KeePass has served me well for four years now. Used in conjunction with dropbox. I've also got plugins for use with Chrome and TrueCrypt. As a personal solution it is fine. Not sure if it works as well for multiple users. Like the OP I've had problems with corporate password management. Software solutions seem to be either personal and cheap/free or large and eye wateringly expensive. I looked seriously at one about ten years back until I discovered that it was going to costs us approx. $20k
Maybe I'm just old, but pencil and paper. Or, if you're really tech savvy, type it out on a typewriter. For those of us from the future, we can make a document, print it, and then not save it. Probably the most secure system ever created, assuming you don't leave it lying around.
I use the community version of Clipperz which I host on one of my servers. The password to the Clipperz account is generated by PasswordMaker (http://www.passwordmaker.org/) from a master password and changed every month by changing the Modifier to the month number and year (eg: 02-2014). In Clipperz the passwords are all random and I have some high security accounts that I change the password every 6 months (I have calendar reminders for this).
All my passwords consist of two parts. The first part is always the same, has digits and non-alphabetic characters, and the last 4 characters are dependent on the system or website I am working with. I use a cipher to change the last 4 characters to something intelligible. If I come back to a website I haven't been to in a year, I can always figure out what password I used before.
I memorize set of transforms on words that spits out different words. e.g. Transform1: always replace "apple" with "orange" Transform2: Replace the letter "e" with "eat" Then I write down all the passwords against each site and mark which transform I have used for each i.e. Transform1 or Transform2. Since only I know what each transform means, even if someone sees my list of passwords, they can't do anything about it. I don't have to refer to the table of passwords for all the commonly used passwords coz my fingers remember it somehow. So this is working out pretty well so far.
AnyPassword Pro for years and have never had any problems with it.
With AES encryption? Good enough or not?
I have a few different ways to manage login information, depending on the service:
1. If it supports any login method that isn't a password, I use that. Often my private key or Mozilla Persona.
2. If it is remote but supports password resets, I reset the password to something random every time I login.
3. If it is remote but does not support password resets, I use bugmenot. (This rarely happens.)
4. If it is local and I do not trust the software, I firewall the device and keep the default password.
5. Otherwise, I use my 15+ characters master password.
This means I only need to remember 1 password that protects my harddisk crypto and private key, or otherwise (for servers that I might need to access in rescue mode) is securely hashed.
I encourage projects (like Google Authenticator) that promote password-free authentication. Using the password-reset feature for login is the same 'One-Time Password' idea, but using email instead of a time-based algorithm, and is already implemented virtually everywhere.
Passwords at home, I write down and file (with the exception of hyper-important stuff like bank access, where I choose passwords significant to to me and just write down clear hints that will help me get them but no-one else). I reckon that, if anyone gets access to those, I have bigger problems to worry about.
At work (software techie) I had, on average, 20-40 different password-protected accesses of various types. I (a) followed a theme meaningful to me (usually based on hobby things I'd been doing away from work); (b) used a single password on all systems; (c) guarded it carefully and changed it if I had the slightest suspicion it had been compromised; (d) changed it everywhere at the same time, regularly; (e) wrote down expired passwords so that I could recover any I accidentally failed to change; and (f) tried NEVER to change it immediately before going on leave. I found the combination of a password meaningful to me and the drill inherent in changing it multiple times in succession (and then using it regularly from that point on) meant that I never had a problem. Yes, I only had one password - one breach would have been a bigger exposure. But I NEVER had to write it down - and on the few occasions on which I had a brief memory glitch I could, in the worst case, give myself a big clue by looking back at my previous passwords to remind myself of my current "theme".
My user password is set to something random. I don't know it, remember it, or even use it.
To connect to the systems, I use a SSH key pair. Just one private key password to remember.
I use strip, on my phone. They encrypt all the passwords and let me sync the encrypted file elsewhere in case I lose my phone. The phone is locked, with an alphanumeric pin and the app is locked with an additional pin.
Thieves will have a hell of a time breaking in.
I have 3 classes of accounts: work accounts, important personal accounts, and junk accounts. I use an easy to remember 8 to 12 word phrase that describes the 'class' of account (longer phrase where I deem more security is needed). I take one of the letters from each word in the phrase (all first letters, or 2nd, or 3rd, . . .), use "special character substitution" (like 3 for e, @ for a, etc.). This becomes the 'class password'. I then add a two character description for the specific account or computer I am using. I either wrap the 'class password' in these two letters, or stick them both at the front or end. I change the class passwords around every 6 months. Sometimes up to a year for "junk" accounts (FB, Twitter, et al.) I have around 40 different accounts, in three 'classes', that I remember easily, and for long periods of time. Because I only have to remember very little. I never tell anyone any of my passwords, and never let them use my machines. And I don't obsess about the passwords. Physical access & "social engineering" are the easiest ways into a system, anyway.
Like many other posters here, I also use KeePass and put the password file on DropBox.
The only issue for me is that I also use a "keyfile" file on all my computers (work, home, laptop), and that I could not yet find an iOS version of KeePass which would support keyfiles.
Any idea?
I have so many I use a master password list written in a simple text document that is in two places. My main machine and a flash drive both protected by Truecrypt. The flash drive actually has a small binary on it so the computer I use it on does not have to have Truecrypt installed on it for me to use it. It supports Windows, Macintosh, and Linux. http://www.truecrypt.org/
Chris Sheppard
echo -n mysecret+slashdot.org | md5sum = 9c4862dedf....
echo -n mysecret+facebook.com | md5sum = ac9487eccc....
Just remember mysecret.
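The md5sum one-liner above, the SHA-512/base64 recipe a few posts up, and the "hash a master secret with the domain" post all share one shape: master secret + site identifier, hashed, truncated. The following is an added example, not any poster's code, that keeps that shape but swaps in PBKDF2 with a salt carrying the site, username and a rotation counter, and bumps a tweak until the truncated output passes a typical complexity policy; the MASTER value is a constructed sample and the policy is an assumption.

```python
import base64
import hashlib
import string

# Constructed sample secret for the demonstration only; pick your own.
MASTER = "correct horse battery staple"

# base64 output only ever contains letters, digits, '+' and '/'
SYMBOLS = "+/"


def legacy_md5_password(master: str, domain: str) -> str:
    """The md5sum one-liner from the thread, reproduced for comparison.

    echo -n mysecret+slashdot.org | md5sum

    MD5 is fast and unsalted, so one leaked site password lets an attacker
    test guesses at the master secret offline at very high speed, and the
    lowercase hex output never satisfies a "must contain a symbol" rule.
    """
    return hashlib.md5(f"{master}+{domain}".encode("utf-8")).hexdigest()


def meets_policy(password: str) -> bool:
    """Assumed site rule: a lowercase, an uppercase, a digit and a symbol."""
    return (any(c in string.ascii_lowercase for c in password)
            and any(c in string.ascii_uppercase for c in password)
            and any(c in string.digits for c in password)
            and any(c in SYMBOLS for c in password))


def derive_password(master: str, domain: str, username: str = "",
                    counter: int = 1, length: int = 20,
                    iterations: int = 100_000) -> str:
    """Deterministically derive a per-site password from the master secret.

    Differences from the thread's hash-and-truncate recipes:
      * PBKDF2-HMAC-SHA256 instead of a bare MD5/SHA-512, so each guess at
        the master costs `iterations` hashes instead of one;
      * domain, username and a rotation `counter` are bound into the salt,
        so one site's password can be changed after a breach without
        touching the rest (a bare hash of master+domain cannot be rotated);
      * a `tweak` is bumped until the truncated output passes meets_policy,
        which a raw base64 prefix does not reliably do.
    The single point of failure remains: whoever learns `master` can derive
    every password, so it must never itself be used as a site password.
    """
    for tweak in range(256):
        salt = "\x00".join(
            [domain.lower(), username, str(counter), str(tweak)]
        ).encode("utf-8")
        raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                  salt, iterations, dklen=3 * length)
        # 3 bytes -> 4 base64 chars, so there is no '=' padding to strip
        candidate = base64.b64encode(raw).decode("ascii")[:length]
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("no policy-compliant candidate in 256 tweaks")


if __name__ == "__main__":
    for site in ("slashdot.org", "facebook.com"):
        print(site, legacy_md5_password("mysecret", site)[:10] + "...",
              derive_password(MASTER, site))
    # Rotating one site without changing the master or any other site:
    print("rotated", derive_password(MASTER, "slashdot.org", counter=2))
```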
I still have some big encrypted file here, where I forgot the password. I know I did change it to something secure once, and I have a bit of a clue what the password was. But every variation I can think of did not work. So I still hope I remember the password someday ...
Is there any good trick to recall a password you once knew by heart?
Preface: I am an IT security professional.
I actually have a small set of passwords I use everywhere. Quite honestly, 90% of the forums, communities, blogs or whatever that I have an account on aren't worth having a different password for. If they get hacked, the password lost, you can post an irritating rant in my name - big deal.
It's all about thinking about the actual risk instead of applying one formula to everything. Yes, my PayPal account has a different password, as does my e-mail or my server account password and my root password - all of those have their own individual passwords not used anywhere else.
But for everything else, I have 3 or 4 passwords that I assign based on context and importance. All the online-games I play have the same password, for example. Go on, break into my LoL account. You can ruin my MMR until I find out, wow, I'm so afraid.
So in sum total I have about 10 passwords, and I can keep them in memory. I have an encrypted textfile (network-shared) where they're stored, just in case I have an accident or something. Since that's just for backup purposes, I have no need for any of the password management tools.
Assorted stuff I do sometimes: Lemuria.org
Password Repository both on desktop and on iOS because it allows to share data between Mac and iPhone / iPad without using any cloud services. All my passwords are just mine.
My dad has a bunch of cards for various tasks, including credit cards, fuel station cards, access cards for the various company locations he needs to access and so on. I think he has at least 15 different cards either on him or in his work vehicle at all times, and they all have unique PINs.
So, being a guy who's worked with electronics for nearly 40 years, he puts the PINs right on the cards, in the format of resistor color codes. For instance, 1234 becomes "BRREORYE". Perfectly indecipherable to anyone who isn't into electronics, and still indecipherable to most electronics people if they don't know the secret.
Eat the rich.
Well I just use "123456" as password for all services.
It is easy to remember and you therefore won't get the problem you have. Also it's supposed to be very secure, as this is probably reason why so many people use it.
A few years ago I meant to try out KeePass but accidentally installed a totally different app called KeepAss.
On the plus side, I still have my ass, so it must be working.
Koans and fables for the software engineer
I really like mSecure. The data is encrypted on your device (phone/tablet/pc) and you can protect it behind one big fat passphrase. The encrypted version of the file can be synced across devices or the cloud. Seems like my most realistic risk is a key logger that might grab a username/password one at a time as they're used. Then again, this move was graduating from a poorly cloaked excel file; a hardcopy in my desk; and 90% identical username/password combinations (awakening).
I use a vim plugin that allows me to read a gpg encrypted file to get to my passwords, which lately are random 12 character strings of letters, numbers and symbols generated with pwgen. The system ssh account and the gpg keys should have different passwords. I avoid entering passwords remotely from secured systems using ssh keys (with ssh-add, or in more recent years this is handled by gnome). I do not want to put my trust in other password safes, especially those on smart phones. I do use firefox with a master password to store less sensitive passwords and feel relatively secure doing so but would never store anything like banking passwords there.
Cheers,
Jacques
Encrypts the file, has a portable exe for simple use, and wipes the password out of clipboard when the program is closed. You can set password complexity requirements on the random generation either for all passwords, a group of passwords, or a single password. Set password aging if you have to, and make notes on each password entry. I use it extensively and it is a great convenience.
I've been using it for a very long time; it's a Windows stand-alone program.
http://www.dexadine.com/aceros...
After installing a new OS, I'll pull a shortcut to the desktop. It's rather old; I think it was XP that broke it (they claim Win7). It used to call a site then automatically log in, but I never used it when it worked, so no big deal.
That Pitbull Wallet looks nice but I don't use passwords over my cell phone or tablet, just my PC; exceptions being gmail (not my main account) and Netflix. I don't because I don't have to.
I have so many passwords that I have to write them down. First I make them as obscure as possible and what I write down is NOT the password but a memory device to help me recall what the password is. For me, that has worked better than any software, especially for work where I cannot add any software to my workstation.
I use kiskis, a program just like KeePass, but older, in Java and uses AES to encrypt the file.... Choose a good password as master password and you are good to go!
Java allows me to run it on almost any system, have the program and the encrypted db on a pendrive (where I have some basic passwords), and I also have my main password db at home. For more important passwords, I ssh to home, do a quick gpg -d password.db.gpg | less and search for the password.
This way I can access the passwords from wherever I am, I have the passwords in a standard secure encryption and in a secure location (home and office) in different password dbs for different objectives.
Higuita
Next you'll ask me how I hide my gold.
Keepass. There is a plugin for generating various levels of security of passwords and still is user friendly. Plugin for using a sync application such as dropbox or google drive. Also there is an app for your phone and it can use up to 3 levels of security.
1. Windows user account - Not so useful if you have to use it on multiple computers, but if only for one, if someone tries to rebuild your account elsewhere it won't allow use of your file.
2. Password - Good security requires a bigger and harder password. This one should be memorizable but insane to track or learn for anyone else, as if you took 3 secure passwords and put them together as a longer one. The key is long and secure.
3. Security file - This one is cool. You take a file that you name whatever you like and link it in to the project. You can either keep it synced in your sync system (such as Dropbox or Google Drive or whatever you use as mentioned above) or you keep separate copies for each device to keep it random.
From this your file is encrypted so nobody but you can decode it and without the key file the password is useless and vice-versa, without the password the key file is useless.
The application also provides other nice features such as auto-type and clipboard cleanup. The application uses your clipboard and pastes the username and password into the textboxes in your application/webbrowser. Then after a time limit has expired it will delete your clipboard, or if you use the username/password it will auto delete as well. It also provides password timers for both your main access password and for all of the passwords inside the application so you know when you need to replace them. The phone application is pretty powerful with its own keyboard that is secure and links into the application on your phone so it can also do the auto-type features.
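The layered key described in the post above (master password, key file, user account; "without the key file the password is useless and vice versa") can be demonstrated in a few lines. The following is a constructed example, not KeePass's own code: each factor is hashed on its own, the hashes are concatenated and hashed again, and the result is stretched into the database key with PBKDF2. The iteration count, the header check and the toy `seal`/`try_unlock` functions are assumptions for this illustration; KeePass's real file format and key transformation are not reproduced.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example, not KeePass's own code: a layered composite key in the
# spirit of the three KeePass factors (master password, key file, user account).
KDF_ITERATIONS = 200_000                 # assumed stand-in for the real key transformation rounds
HEADER_CHECK_INPUT = b"db-header-check"  # constant the header tag is computed over (assumption)


def factor_hash(data: bytes) -> bytes:
    """Hash one factor so that its raw bytes never enter the key directly."""
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str],
                  key_file: Optional[bytes],
                  user_secret: Optional[bytes] = None) -> bytes:
    """Combine whichever factors are present. Omitting or changing any configured
    factor changes the result completely, so password and key file are each
    useless on their own."""
    parts = []
    if password is not None:
        parts.append(factor_hash(password.encode("utf-8")))
    if key_file is not None:
        parts.append(factor_hash(key_file))
    if user_secret is not None:
        parts.append(factor_hash(user_secret))
    if not parts:
        raise ValueError("at least one key factor is required")
    return hashlib.sha256(b"".join(parts)).digest()


def database_key(composite: bytes, salt: bytes) -> bytes:
    """Slow the composite key down so offline guessing of the password is expensive."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, KDF_ITERATIONS, dklen=32)


def seal(password: Optional[str], key_file: Optional[bytes],
         user_secret: Optional[bytes] = None) -> dict:
    """Header of a new database: a random salt plus a tag that only the correct
    combination of factors can reproduce."""
    salt = os.urandom(16)
    key = database_key(composite_key(password, key_file, user_secret), salt)
    tag = hmac.new(key, HEADER_CHECK_INPUT, hashlib.sha256).digest()
    return {"salt": salt, "check": tag}


def try_unlock(header: dict, password: Optional[str], key_file: Optional[bytes],
               user_secret: Optional[bytes] = None) -> bool:
    """Recompute the header tag with the offered factors; True only if every factor matches."""
    try:
        key = database_key(composite_key(password, key_file, user_secret), header["salt"])
    except ValueError:
        return False
    tag = hmac.new(key, HEADER_CHECK_INPUT, hashlib.sha256).digest()
    return hmac.compare_digest(tag, header["check"])


if __name__ == "__main__":
    key_file = os.urandom(64)  # constructed stand-in for the user's key file
    header = seal("long memorable master phrase", key_file)
    print("password + key file:", try_unlock(header, "long memorable master phrase", key_file))
    print("password only      :", try_unlock(header, "long memorable master phrase", None))
    print("key file only      :", try_unlock(header, None, key_file))
```

The point of hashing each factor before combining them is that the key file's bytes and the password never need to be stored or compared directly; the salted, iterated derivation is what makes brute-forcing the password alone expensive even for someone who has copied the database and the key file.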
I used to use a simple indexed array for remembering passwords but as the OP noted the number gets too large (thousands) so I switched over to a formula combined with an indexed array. Low security passwords get the least protection under this system and the high security passwords get stored in the array which is much harder to crack.
Roboform is by far the best of all these mentioned in the comments. Even the Military uses it. All your usernames and passwords are encrypted and from what I have heard... has never been cracked yet.
I actually generate my passwords with a spreadsheet. It displays the new password in large type, then I take a picture of it with my cell and store it.
I use KeePass as well. I store the database in a Truecrypt volume which then is propagated across my OSes via one of the cloud backup services.
paper
Casteism
I made password generator/recall rings, which I wear combined with a secret word for 2-factor authentication. I have them for sale online here:
http://russtopialabs.bigcartel.com
Size 9 only at the moment, but that fits most people on some finger at least :) Now all of my passwords are unique per site and I don't even have to worry about expiring domain passwords and all that crap.
I've been using them for years, and I love it so much that I subscribe to their premium service, even though I don't have a use for it, to provide support for them...their basic service is free.
It autofills my username and password on any machine where I have the app installed. If I don't have the app installed but need to get to my username/passwords, they have an online vault I can log on to.
And searching is easy - I can search by username or site or keyword in description. They auto-filter my passwords as I type into the search box.
https://lastpass.com/
I just set them all to "abc123".
I just wanted to point out that users of a password manager need, of course, to trust it highly, as it is of course very security-critical software.
Such trust shouldn't come just from warm promises of some company or software author (otherwise you'll have a bad day when you notice that your trust was based on either nothing or just lies or half-truths or ...).
The software must be FOSS (free and open source software) AND development must be done in the open (== public source code repositories and issue tracker). Without this, you (or anybody else willing to) can not review the software and the individual changes that are made to it. Bugs might stay undiscovered, peer review is not or not easily possible, and in the days of daily NSA news, you maybe can think of some more possibilities that might happen.
If you look at commercial software, you usually can't review it and you have to completely trust in whoever makes it.
But also, just being FOSS is not enough, you really need the public issue tracker and the public source code repositories and an open development culture.
E.g. if the author of the software just publishes a bunch of source code for every release (like the KeePass author does), but not a repository with changesets, this is not enough to review the changes done from release to release in any sane way. As a consequence, this is only slightly better than closed-source software.
About keepass, see here: http://sourceforge.net/p/keepass/discussion/329220/thread/b0bb5457 (it is from 2009, but situation seems unchanged).
If you look at keepassx and passwordsafe, they have a public repository / issue tracker and work in the open.
Leaving your passwords on the desktop is not fully secure.
I have elaborated on the concept and came up with the following: I stick a piece of paper on the bottom of my keyboard and write my passwords on it.
This is clever because other people in the room will NOT see my passwords! (Only when I need to look them up, but I do that quickly.)
Never had any security breaches since.
My mom keeps them in an address book in her apartment. It makes a lot of sense.
I use one very secure one for my mail account and then a lot of derivatives of a common idea which change slightly based on the website I'm on and a key that I have remembered.
Not on my PC (Fedora 20):
$ bash --version
GNU bash, version 4.2.45(1)-release (i686-redhat-linux-gnu)
And the test:
1001 ls
1002 ls
1003 history
I run it across all my OSX and iOS devices. It's AES256 encrypted. I only sync via wifi between devices, no cloud ever. A copy of that database and copies of will, POA, deeds, insurance, account statements, tax returns, etc. are stored on an encrypted thumb drive, refreshed quarterly and held by my attorney. Two master passwords are with my executor. I reckon this gives me daily utility and security, and they can settle my estate if the plane goes down. I am sure the G can get to any of it, and my executor could run off with my attorney, but the only secret you can keep is one you never share.
Being "old" I still remember all the passwords I need to. That being said, I have a few co-workers that use a password-protected Excel sheet.
No matter how good it is, it is human nature to always want to make things better.
I use my national id number as a seed for a card on passwordcard.org, then I print the card and carry it with me. That way I have a lot of passwords and all I have to remember is password patterns.
unset HISTFILE
Not good enough. You at least want:
$ srm ~/.bash_history
and even that may not help you if $HOME is on a CF drive since it's difficult to securely delete anything on flash and be sure it's gone. You should encrypt the home drive. But then what's in your DRAM? (google: cold boot attack). It all depends on your threat model. Does someone really want to get at those passwords or not?
In the "inlaws" folder on my desktop.
I've been using Ascendo DataVault since my Blackberry days. I needed something that would cross platform with Blackberry & Windows and that was it at the time. They have since added IOS and Android to the mix. The database is resident only on your devices and can be synced between them. It may not be the best or the cheapest out there, but it works. I use it for logins, credit card account data, inventory and just about any small stuff that I don't want to leave out in the clear.
"As an IT professional, I've got a problem common to many of you: dealing with a lot of passwords."
If you can't remember passwords, or optimize your passwords for specific areas, you're not an IT professional.
It's your job to remember them. Putting them anywhere but inside your brain is just lazy on your part, and asking for trouble.
Don't use the "old age" excuse, do your job and take the extra time to learn them if needed.
I dare you to tell your CEO/Manager you plan to store your company passwords on Dropbox, or some open source password program, I dare you.
like god intended
Star Trek transporters are just 3d printers.
My long-term memory is stuffed with things I memorized out of necessity or boredom when I was a kid--my Aunt Marie's phone number, my high school locker combination, mnemonic devices that I made up, the punch line to a joke. So, I figure if I still remember them today, they will be around for a while longer and I assign them to sites as a password is needed. Then, I add the site to a list on my desktop with just the clue. The list is of no use to anyone but me.
AMEN...
KeePass with cloud stored datafile and keyfile on another cloud, User locked specific.
I'm fucking smart. That's how.
I don't even remember the last time I heard of a large scale data compromise from passwords being either brute forced or guessed. By a massive amount - bordering on 100% - compromises are from backdoors, social engineering, and zero day vulnerabilities that lengthy, encrypted, impossible to remember passwords don't help.
For internal passwords, and its ability to securely allow teams to share access to a password list, I can highly recommend Passwordstate.
It's a great program with a really responsive team behind it. I've used it in two companies now and it's proven popular both times.
I remember all my passwords and each account has their own password, I don't use a password twice.. I'm pretty good at remembering passwords, license plates, phone numbers, etc. :)
I use LastPass for less relevant stuff; for more relevant stuff I memorize passwords that depend on the site I use.
I use passwordmaker.org which doesn't require keeping anything in a database. It uses a master password combined with a URL to generate a one-way hash which you use as a password. There are browser extensions to make it easy to fill in passwords when logging in (they pre-fill the URL for you). You can customize the password hash algorithm, character set to use, length of password, and also any prefix or suffix that is to be applied. Since many sites need a capital letter, a number, and a special character, I have them static as a suffix to apply to the hash. With these settings it'll generate a password that meets 95% of the sites' password requirements.
http://passwordmaker.org/ is also free.
Honestly, the harder part is now remembering the username for each site (usually email or a few variations of usernames). I keep a database of my usernames for each site in the cloud.
I don't write passwords down nor do I store them anywhere. Instead I keep 2 to 4 base passwords and a key in my head at all times. I regularly change the base passwords and key. The passwords are sentences such as "C12hg@S14" from the sentence, "Canada won 2 hockey golds at Sochi 14". Sports events, records and dates make easily remembered sentences. Because some sites don't allow non-alphanumeric characters, I keep a base password with only alphanumerics, such as "Spr2g7r" from the sentence "Slashdot posts are too good to resist" (7 looks enough like 2. Avoid 2 much duplication.) With the key I add two more letters to the password, making the passwords unique for each site. If my current key is 231 and the password is for my Slashdot account, then using the key I would use the 2nd letter of "slashdot" and insert it in the 3rd space of the base password and the 2nd last letter from "slashdot" and insert it in the 1st space from the end of the base password. My password for slashdot would thus become "C12lhg@S1o4". Facebook's password would become "C12ahg@S1o4". I have a single non-alphanumeric character in use at any given time for base passwords that don't have them. If it's currently "+" then I insert it before the second insertion and "Spr2g7r" becomes "Splr2g7+or" for the slashdot account. With this scheme I can operate with only 2 to 4 passwords, complex but easily remembered, and a numeric key. It also allows every site to have its own password using the site's own name. The key tells me what letters come from the site's name and where to insert them. It sounds complicated but, in fact, I can always figure out the password from the base passwords and the key.
It runs in Windows only (IIS, blech), and it's not cheap.. But it has a lot of great enterprise features built in. Supports two-factor auth, multiple party password control, autochanging and expiration. I like the fact that when anyone goes for a password at work, I get an email notifying me. Helps me be proactive in assisting people with their tasks. :)
Their mobile app is pretty decent. It doesn't actually have to have the entire password database cached in the app, but it will if you configure that to be allowed.
They seem to have the crypto side of this pretty nailed down. They even support hardware crypto tokens to decrypt the backend SQL database.
They have a personal version for $10/year limited to 100 secrets.. And you can eval for free.
www.thycotic.com
unset HISTFILE
Not good enough. You at least want:
$ srm ~/.bash_history
Really? I would think that preventing stuff from being written to the history file is superior to attempting to securely delete it afterwards...
But then what's in your DRAM? (google: cold boot attack). It all depends on your threat model. Does someone really want to get at those passwords or not?
I know what a cold boot attack is, thank you. They're just not very straightforward to execute remotely, and not a very common threat in general. But yeah, your point stands that 'unset HISTFILE' won't protect you against that, so if you're really paranoid, you need to combine it with HISTSIZE=0. And pray that the commands aren't somehow left behind somewhere in memory anyway, which sounds a lot like wishful thinking. Which leads us to the argument that if you really want to prevent your computer from giving away any useful information to an advanced attacker with physical access, you have your work cut out for you.
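The two exchanges above (unset HISTFILE vs. srm ~/.bash_history vs. HISTSIZE=0) can be settled empirically rather than argued. The following is a constructed check, not code from either poster: it runs a throwaway interactive bash with HOME and HISTFILE pointed at a temporary directory, feeds it a setup command followed by a marker command, lets the session exit, and reports whether the marker was persisted. The real ~/.bash_history is never touched; `bash` on PATH is assumed.

```python
import os
import subprocess
import tempfile

# Constructed example: observe what bash actually writes to its history file at
# session exit under the settings discussed in the thread.
MARKER_CMD = "echo MARKER_SECRET_CMD"   # stands in for a command line carrying a secret


def history_leaks(setup_cmd: str) -> bool:
    """True if MARKER_CMD survives into the history file after `setup_cmd`
    was run first in the same interactive session."""
    with tempfile.TemporaryDirectory() as home:
        histfile = os.path.join(home, ".bash_history")
        env = {
            "HOME": home,
            "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
            "HISTFILE": histfile,   # explicit, so the default ~/.bash_history is not guessed
            "HISTSIZE": "500",
            "HISTFILESIZE": "500",
        }
        # --norc keeps the caller's own bashrc from altering history settings;
        # -i makes bash treat the piped lines as an interactive session, which is
        # the only kind that saves history on exit.
        session = f"{setup_cmd}\n{MARKER_CMD}\nexit\n"
        subprocess.run(["bash", "--norc", "-i"], input=session.encode(), env=env,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
        if not os.path.exists(histfile):
            return False
        with open(histfile, encoding="utf-8", errors="replace") as fh:
            return "MARKER_SECRET_CMD" in fh.read()


def session_settings_report() -> dict:
    """Run the settings from the thread side by side; True means the secret leaked."""
    return {
        "default": history_leaks("true"),
        "unset HISTFILE": history_leaks("unset HISTFILE"),
        "HISTSIZE=0": history_leaks("HISTSIZE=0"),
        "unset HISTFILE; HISTSIZE=0": history_leaks("unset HISTFILE; HISTSIZE=0"),
    }


if __name__ == "__main__":
    for setting, leaked in session_settings_report().items():
        print(f"{setting:28s} -> {'LEAKED' if leaked else 'clean'}")
```

Both `unset HISTFILE` and `HISTSIZE=0` stop the line from reaching disk in this test; the difference the thread is really about is that `unset HISTFILE` leaves the commands in the in-memory history list for the rest of the session, while `HISTSIZE=0` keeps them out of the list as well. Neither says anything about copies elsewhere (RAM, swap, shell wrappers), which is the cold-boot point made above.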
Hypnosis. You'll either remember the forgotten password or you will become stiff as a board and members of the audience will be able to sit on you while you are placed like the seat of a bench between two chairs. Hopefully you'll remember the password. And then bark like a dog.
I have a 10-letter base password that consists of capital and small letters, numbers and special characters which I memorized. To that I add a name or abbreviation of the account I am using it for which I can also remember or re-guess after time. This has worked very well over the years and generally leads to 15+ character passwords that are complex but easy to recall.
I have a 10-character base password that consists of numbers, upper- and lowercase letters and special characters which I memorized. To this I add a service-specific name/code that I can always easily recall or even reguess. This yields me 15-20+ character passwords that are complex (strong) yet easy to remember. I have used this approach for years and it has never let me down; I was even able to access accounts that I did not remember having since they were connected to my email address. When the site told me that specific user already existed I re-guessed my password and was able to login.
Oh that is a nice thing!!!
Thank you!!!
Yeah a little pricey but not crazy expensive at all and totally worth it.
No problem, I had actually forgotten all about them, so thanks for the reminder! I was looking into them a while back for this very application but I ultimately went with an encrypted password manager on cloud storage instead. Might have to give them another look-see... :)
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
I've been using the same password for 18 years and have not been hacked yet. I strengthened the password a few years ago by adding an extra symbol to it. The key was to use a non-sensical phrase mixed with numbers and symbols. It stands up against any dictionary attack since it does not use any real words. There's an XKCD comic that covers strong password creation; I'm sure someone will link it if it hasn't been already.
I use 2 other old passwords, one of them 5 characters, the other 6 characters, for sites I don't care about the security at (forums, Slashdot, Twitch, etc...). I have another long password that I use as an alternate to my original long password, and it happened to also work quite nicely from breaking off a part of it and adding numbers+symbols to form multiple 8-character passwords to use for slightly more important sites (Twitter, Facebook, Steam, Origin, and so on).
The most important thing is to ensure you have a strong password for your email account and use 2-factor authentication. If someone breaches your email account they can likely take over any of your other accounts with ease.
Fortunately there's a simple trick I've been using for years, and it's good enough to stop the average hacker. Plus, it costs nothing at all to use. The trick is, don't REMEMBER your passwords - DERIVE them. Here's a simple example using a two-phase algorithm - seed selection, and keyboard mapping. It will pseudo-randomize any password.
Start with a seed that's in front of you as you log on to the site, for instance Microsoft. A simple seed would be the first four letters "micr". There. You're halfway done. Now simply expand this seed onto the keyboard in a visually consistent way. Let's use the two keys above the seed key for this example. "m" becomes "Ju", "i" becomes "8*", "c" becomes "de" and "r" becomes "4$" yielding the password - "Ju8*de4$". No, don't try to memorize this mess, just watch your fingers as they move.
See the pattern? The visual pattern is the trick. This password meets all the standard criteria, yet you don't have to memorize it - just look at the name, then map it visually with your personal method.
More detail:
http://suddendisruption.blogspot.com/search/label/Passwords
Let me know what you think.
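Both the passwordmaker.org post earlier in the thread (master password + URL through a one-way hash, with a static suffix for sites that demand a capital, a digit and a symbol) and the "derive, don't remember" post above describe the same idea: regenerate each site's password from a secret and the site name instead of storing it. The example below is constructed for this page; it is not passwordmaker.org's actual algorithm and not the blog author's keyboard mapping. It uses HMAC-SHA256 keyed with the master secret, so unlike a visual keyboard mapping the derivation is one-way: a password leaked from one site reveals neither the master secret nor any other site's password. The character set, default length and suffix are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed example: deterministic per-site passwords derived from a master
# secret with HMAC-SHA256 (not passwordmaker.org's real algorithm).
ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def site_label(site: str) -> str:
    """Reduce a URL to its lowercase host so that http/https, ports and paths
    all yield the same password. A bare name such as "Microsoft" is used as-is."""
    if "://" not in site:
        site = "https://" + site
    host = urlsplit(site).hostname
    if not host:
        raise ValueError(f"cannot extract a host from {site!r}")
    return host.lower()


def derive_password(master: str, site: str, length: int = 16,
                    charset: str = ALPHANUM, suffix: str = "!1") -> str:
    """Derive a site password of `length` characters: a body drawn from `charset`
    followed by a fixed `suffix` that satisfies typical complexity rules."""
    body_len = length - len(suffix)
    if body_len <= 0:
        raise ValueError("length must exceed the suffix length")
    label = site_label(site)
    key = master.encode("utf-8")
    # Rejection sampling: drop bytes that would bias `b % len(charset)`
    # towards the low end of the character set.
    limit = 256 - (256 % len(charset))
    chars = []
    counter = 0
    while len(chars) < body_len:
        # Each block is keyed by the master secret and bound to the site label;
        # the counter extends the output for long passwords.
        msg = f"{label}\x00{counter}".encode("utf-8")
        block = hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                chars.append(charset[b % len(charset)])
                if len(chars) == body_len:
                    break
    return "".join(chars) + suffix


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed master secret
    for site in ("https://example.com/login", "http://example.com:8080/", "example.org"):
        print(f"{site:30s} {derive_password(master, site)}")
```

One caveat worth seeing in the output: "www.example.com" and "example.com" are different labels here, so a practical scheme has to decide on one canonical form per site. The other trade-off of any pure derivation scheme, which both posts leave implicit, is that changing a single compromised password means changing the master or adding a per-site counter, because there is no stored state to edit.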
I use Steganos Locknote. Found it a long time ago (I think I was using W95) but it also runs on W7 (and Linux using Wine). It is a single executable file which shows some kind of notepad after running it and entering a master password, and saves after closing. Very convenient. Not sure how secure it really is though.
good point
I've seen tons of suggestions for managing passwords for one or two people, but what do you do when you need to manage passwords for hundreds of individual systems with passwords and URLs? We tested out KeePass but it didn't give any granular controls. Is there anything out there that doesn't break the bank like Thycotic or ManageEngine? Thycotic http://www.thycotic.com/produc... ManageEngine http://www.manageengine.com/pr...
I have a lot of passwords to remember from all the accounts I created before, so eventually I can't remember them all. But they are already listed and saved in my Google spreadsheet. I also use Passpack aside from the spreadsheet. I also used to have them on my desktop, but then I realized the privacy issue with that... So that's why I'm now using Google spreadsheet and Passpack. I also realized that when I have a new account to make, I'm going to make my password short. Then the password I am using for my other account shall be the same for the new account I am making so that it will be easy for me to remember.