Ask Slashdot: How Do You Manage Your Passwords?
Albus Dumb Door writes "As an IT professional, I've got a problem common to many of you: dealing with a lot of passwords. Memorizing them all becomes harder with age and an increasing number of passwords. I will forget them eventually. I am obviously unable to use something online, like LastPass and 1Password. Using a single password for all the systems is also obviously out of the question. I know that there are a few apps for cell phones for managing passwords (like Phone Genie and mSecure), but a cell phone, unless it's kept in offline mode (and even then), is still a security risk and I'm pretty sure my employers wouldn't like me having their passwords on my cell phone. I've also taken a look at things like the YubiKey, but changing the authentication scheme of most of the systems is not an option. The only interesting option I've seen so far is the Pitbull Wallet, but they just started taking pre-orders on IndieGoGo and are not expected to deliver until August. Amazon has some hardware password managers as well, like the RecZone and Logio, but either the price or their reviews scared me away. So how do you guys prefer to manage your passwords and what do you recommend?"
It's not portable, and this is just what I do at home so may not scale well to the office, but I've basically got an old intel atom box (MSI Wind PC) running linux (slackware) with no network connection and full disk encryption just using luks/dm-crypt. I keep passwords, banking numbers, and other bits of sensitive info on there. No fancy management software, just plain old text files. I have it hooked up through a KVM and I just leave it running all the time (with locked screen), so it's nothing to switch to it when I need to use an old password or update a password when I change one.
Files are backed up locally using rsnapshot (for history), and then that's periodically copied to one of 2 (also encrypted) USB thumb drives (I leave on plugged in the back and periodically swap them).
Primitive, but sometimes that's what works. You could probably do the same with a raspberry pi at this point (disk encryption might be fun though).
Also this topic comes up like once a month, and the answer has not changed in years. Stop asking!
Completely off topic: what would be the best way to physically disable the wifi capability of a device. Obviously you can disable in software, but I'm the paranoid sort, and would love a way of knowing that my IP web cam is not gonna be doing anything with that wifi antenna. Thinking maybe some kind of terminator or some other way of "absorbing" the signals.
on my desktop.
extensible, open source, active project...what's not to like?
I just use a simple text file and gpg.
For work, write them down on physical paper and keep them in your physical wallet.
You'll notice if your wallet goes missing.
For home, write them down on physical paper and keep that somewhere safe.
Why is LastPass not an option? The password database is always synced to your laptop/cellphone so there is no problem accessing your passwords when you are offline. The security is the most robust I have found when it comes to password management, especially when you use 2-factor auth.
Get 1Password. There is a version for every platform, including mobiles. It stores your full logins and integrates with popular browsers: just click a toolbar icon, enter the one master password you have to remember, and you can log onto MightyMegaBank just by clicking on its name. The program will also optionally generate big random passwords to replace the short crappy ones that you used to be able to remember.
I have a unique password for every domain I log into. I created an algorithm based on the domain I'm visiting. So I only have one algorithm to remember. The interesting part is when I have to change my password. I just have to try and keep track of the increments in my head to feed back into the algorithm.
I use Keepass.
I store my keepass database on dropbox, this way it is accessible from my iphone, ipad and all my laptops and desktops. Any changes I make are synchronized between devices automatically.
Keepass will auto fill in websites with plugins like KeeFox for Firefox, or launch Putty.
I don't even know what my Slashdot, eBay or Amazon passwords are, as they are all about 64 random characters each.
If you choose to go this route, it makes sense to have a very strong passphrase, as such, my passphrase exceeds 128 bits. A key file is also an excellent option.
Why are you unable to use one of the online systems like LastPass? It's been very well vetted, offers offline and online modes. I personally find 1Password to be very Mac centric and expensive but it's a good product too. KeePass is a good open source alternative, although it's a local program so there are those downsides. It has Android and iOS apps too so you can have access on a mobile device if needed.
Maybe I'm an idiot but I don't get why these options are obviously bad. I use 1Password on a regular basis.
I too am thinking of how to carry my passwords with me. My memory isn't as great. At home I have 1Password running in the browser and in the menu bar at the top of the screen. But when I'm away from home I'm often lost. Before I was using the same password everywhere but am trying to move away from that because it is a bad habit.
I have 1Password installed on my phone, so presumably when I want to enter a pwd on a website I could take out my phone, open the app, look up the pwd, and manually type it in. But I'm looking for a really automated way. For example, having a pwd manager installed on a small USB thing on my keychain, then plugging it in and having all my pwds.
Any advice on how I could do this? The best solution is super clean and transparent, one step away from having the plugin installed in the browser. I was literally just looking the internet for it.
thanks.
I keep a KeePass database for each of my consulting clients and encrypt them with a unique master password for each client that gets shared with the client. Then, another KeePass database with all of the client's master passwords inside of it encrypted with yet another master password that gets shared with my fellow consultants. This lets me give my clients access to their password documentation without having to give them the master password for all of my clients' databases. It also ensures that my colleagues have access to my client's passwords should they need to cover for me. Or, if you want to spend some money on a commercial product, look at Secret Server.
The problem already exists (reset mechanisms are a huge hole in most systems), using it shouldn't make it any more vulnerable to attack.
I like KeePass. It uses a database file that you can copy manually and you don't need to sync, or you could place the file on a Dropbox share and use it from there. The file is encrypted and you need to enter a master password each time. If you ever needed to give someone passwords you can export just the ones you need to share and set a new password so they can use it. It's been my favorite one to use since I use crazy complex passwords for everything online.
PasswordSafe works for me.
Several passwords I need commonly, are written in my wallet, with nothing to indicate what, or what usernname, or system they are for. There are about 5 passwords written on a sticky note stuck to the back of a seldom used credit card.
Everything else is in PasswordSafe.
I created a web app. The password (decryption key) is sent on every request, so it's never at rest. Under the hood, entries are encrypted and decrypted with openssl using a reasonably secure algorithm. Each entry in the database is just a plain text file. I can include passwords, accounting information, URLs, whatever I want.
I find that hard to believe. There's a website called Fark.com full of middle-aged people swearing up and down on a stack of bibles that being old is the best thing ever.
1. Access should only be available to systems you currently and actively manage. If you're using the system so infrequently that you can forget, your account should be suspended. 2. Admins should keep a secure log of access credentials stored in a secure area with controlled access. Any "in case of my death" information should be recorded. If there isn't a local site, you might want to consider storing the documents in a safe deposit box at your bank.
Come up with an algorithm only you know, that is generally different for each system you use, and for added security contains some personal thoughts about the site that make it hard to figure out your algorithm (although that last one might stump yourself too, lol). The problem is when you're forced to change your password, but it's usually some regular cycle, so I'm sure you could figure something out for that too.
Randomly. Three options. 1. Slashdot starts with s: password is sw23edcx. 2. Two s words: semaphoreslinky. 3. For those that require combos: Sw@3edcx.
A failing memory means that you are not suitable for the job and should find something else, like working in a retirement home.
Yeah, how many passwords like: R;3m|/|iv%{^B$
do you have memorized? I have several passwords on that scale of arbitrary, that I did not pick, that I cannot change, that are changed on someone else's schedule, cannot be re-used, and that I tend to need to actually enter maybe once a quarter, if that.
I gave up on password managers a long time ago. They are prone to compromise at some point. Instead, I use an algorithm that uses some element of the target as a seed to a simple formula. This gives me one thing to remember only (or a few), yet gives me a different password for every single site. A simple to understand, yet bad formula to use, would be something like this: password = siteurl[2] + mySecret + siteurl[4]; So the password for google would be 'omySecretl'. Use a better formula for increased protection. Again, easy to remember, no password manager to get to/install, and a different password for every site. Likes it simple, Jim
What I use is a text file on a thumb drive also backed up on several local drives.
The text file contains the first half or so of the password, enough to remind me of what the password is should I forget. The rest is stored in my brain.
For rarely used passwords and places I will put a hint under the half pass.
I am trying to get away from these long 20 character passwords though... I really wish someone would invent a better system. Maybe a thumb drive that combines storage and a thumb print scanner in one package.
A text file, encrypted locally with a long password (something I can remember easily, but quite long) and then uploaded to Google Docs for easy access anywhere that I have the decryption software. If I need a password, I just open that file up and copy / paste the password needed - then close it again. If I make a change to a password I can just change it once and that populates to all the other locations where my Google Docs are stored, but it is fully and safely encrypted the whole time.
I even have an app for my phone in case I need it, but there is three factor authentication: my phone's login, a short PIN for the app, and then my full encryption password.
William George
I use vim -x passwordfile.txt. It uses Blowfish encryption. You only need the -x flag when you create the file. I keep it on one computer at home, only, with a hardcopy (lots of index cards) in a desk drawer. If I need it on the road I temporarily copy required passwords on a USB thumb, encrypted. It's not an enterprise solution, but I'm just one person, so it works OK. Actually, I refer to the index cards way more often than the password file.
The problem with any password manager/tool (of course aside from a simple text file, which is obviously out of the question) is that you are dependent on that piece of technology. A commercial password manager may exist for Desktop OS 1 today, but may not be supported in Mobile Phone OS 2 tomorrow. The cumulative turnaround time for your password inventory is often much longer than that of any particular device in your possession.
I've resorted to a lower tech solution for my own password inventory: A scheme that is based on the particular website (or other service name) in question. For instance, you may have an invariable prefix or suffix (perhaps an "encoded" phrase that's meaningful to you), a special character or two, and a component that is based on the web site or other name in question. In other words, something like:
FiXeD#pArT.service-specific-part
How you would "encrypt" that service specific component is really up to you - the point is that everyone would do so differently. But it should be something that you could train yourself to do relatively quickly.
The only downside with this approach is that with so many different services with so many different password rules (some require a minimum number of characters but no more than a maximum, some REQUIRE uppercase or special characters; others do not support special characters at all.... etc), it's hard to find a single universal scheme that works everywhere. However I've found that with a couple of different schemes of this nature, I've gotten by so far.
Another thing to think about is almost the opposite - how to enable access for your loved ones to certain places (e.g. to inventory your financial records etc) in the event of your death. Of course most of this can and should be done with signed affidavits etc, however, it can be difficult for them to get a complete view of all your accounts, policies, services etc unless you have a comprehensive summary somewhere.
...that would be a security risk.
http://www.quest.com/privilege... http://www.liebsoft.com/ http://www.thycotic.com/produc... All of these support multi-user / groups of users access. That is what you actually want. And yes, they cost money, but if you are in IT and need password management, and don't want to pay any money, find a better employer!
For the most part I don't save or memorize passwords. I regenerate them as needed with SuperGenPass. SuperGenPass algorithmically generates passwords by hashing the site's domain name together with a single memorized password. This always generates the same password for any given site. So, I don't have to remember them or store them anywhere, I just need to know how they're generated.
But what if I'm at someone else's computer without SGP installed? The SGP website has a "mobile" version, which is just javascript that runs entirely within the browser. Go there, type in the domain and password, and generate it. (Yes, I've checked the javascript. It's not sending your password out to the mothership or saving anything locally.)
I do keep a notebook in a plaintext file with all the sites I use. This contains the domain name that the site had when I first signed up. Domain names sometimes change, or are ambiguous (ie., the same site is available via both foobar.org and foobar.com). The text file lets me keep track of what I need in order to regenerate the password.
What about sites that require periodic password changes? I use the domain and just suffix my memorized password with a sequence number. And I write the sequence number in my notebook.
What's that? Security questions? I generate the answer by hashing the question itself rather than the domain with my memorized password. And of course, I copy the question verbatim into my text file so I can regenerate the answer when I need to.
The only failing is when I hit a site that doesn't allow certain punctuation, or has length limits, or something of that nature. Then I modify the parameters that I give to SGP and write down the specific parameters that I used.
The notebook is stored on my home fileserver in an svn repository which gets backed up every night. I'm completely screwed if I ever forget my one secret, but it's one I've been using for literally decades now. It's going to be one of the last things to go when my brain develops bit rot.
Chelloveck
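The scheme in the post above (one memorised secret, a plaintext notebook of domain, sequence number, length and punctuation rules, and security-question answers derived from the question text) works with any deterministic derivation. As an added example, not SuperGenPass's own code or algorithm, here is the same idea done with PBKDF2 from the Python standard library: the notebook stores only the public parameters, and the master secret is the one thing never written down. The domain names, counter values and the master string in the block are constructed placeholders.

```python
import hashlib
import json
import string

# Added example, not SuperGenPass's algorithm. A slow KDF (PBKDF2, not a
# plain hash) is used so that one leaked site password cannot cheaply be
# turned back into the master secret and then into every other password.
ITERATIONS = 100_000
BASE_ALPHABET = string.ascii_letters + string.digits
SYMBOLS = "!@#$%^&*"


def _has_all_classes(pw, symbols):
    """Composition check for sites that REQUIRE upper, lower, digit (and symbol)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(SYMBOLS)
    return all(any(c in cls for c in pw) for cls in classes)


def derive_password(master, label, counter=0, length=20, symbols=True):
    """Regenerate a password from the memorised master secret plus the notebook
    parameters: label (domain as first signed up, or the verbatim security
    question), counter (bumped on a forced change), length, symbol policy."""
    if not 4 <= length <= 64:
        raise ValueError("length must be between 4 and 64")
    alphabet = BASE_ALPHABET + (SYMBOLS if symbols else "")
    for attempt in range(32):
        # Everything public goes in the salt; only `master` is secret.
        salt = f"{label}\x00{counter}\x00{attempt}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
        # Base conversion of the 512-bit output: avoids the modulo bias of
        # mapping each byte with `byte % len(alphabet)`.
        n = int.from_bytes(raw, "big")
        chars = []
        while len(chars) < length:
            n, idx = divmod(n, len(alphabet))
            chars.append(alphabet[idx])
        pw = "".join(chars)
        if _has_all_classes(pw, symbols):
            return pw
        # Deterministic retry: the next attempt is also reproducible later.
    raise RuntimeError("no password satisfying the policy within 32 attempts")


def notebook_entry(label, counter=0, length=20, symbols=True):
    """One plaintext notebook line: nothing here is secret."""
    return {"label": label, "counter": counter, "length": length, "symbols": symbols}


def regenerate(master, entry):
    return derive_password(master, entry["label"], entry["counter"],
                           entry["length"], entry["symbols"])


def rotate(entry):
    """Forced password change: bump the counter in the notebook, nothing else."""
    return {**entry, "counter": entry["counter"] + 1}


# Constructed notebook in the shape the post describes: the domain at signup
# time, a rotated account, a site that forbids punctuation, and a security
# question keyed by its exact wording.
NOTEBOOK = {
    "foobar": notebook_entry("foobar.org"),
    "work-vpn": notebook_entry("vpn.example.com", counter=3, length=16),
    "oldbank": notebook_entry("oldbank.example", length=12, symbols=False),
    "oldbank/q1": notebook_entry("What was the name of your first pet?", symbols=False),
}

if __name__ == "__main__":
    master = "placeholder master secret"  # constructed; the one memorised value
    for name, entry in NOTEBOOK.items():
        print(f"{name:12} {regenerate(master, entry)}")
    print(json.dumps(NOTEBOOK, indent=1))  # what actually gets written down
```

The notebook can be kept in version control exactly as the post does, because losing it costs only the parameters; the failure mode that remains is the one the post names, forgetting the master secret.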
Memorized the passwords. Know your limit on how many random letters, numbers, symbols you can memorize and then remember them. This is especially useful because my data dies with me.
So you keep all your passwords in .bash_history? If by any chance the way you generated it for one site spills (from watching over your shoulder to putting a keylogger or whatever), all the others could fall.
Btw, just adding a space at the start of the line will make bash not save it in history.
OK, why not?
(Truly curious as to why a password manager is considered better than an encrypted spreadsheet, using the same password or pass phrase).
These cyber criminals are babes in the woods, compared to my brilliance. I pull wool over their eyes easily. See? I enter the password in the username textbox and the username in the password textbox when I created the account. That is the last place they will look while trying to hack my password. haa haaa. The jokes on you script kiddies...
KeePass. With the encrypted datafile in dropbox.
I keep all my work passwords in a file that is saved in a TrueCrypt volume. This volume is kept on a network share where only domain admins can access it. I also keep some of the important passwords on a piece of paper that is locked in a safe in the data center. Generally I remember all the passwords I need, but sometimes (especially after a vacation) I need to refer to the TrueCrypt volume. If I ever forgot the password to access the volume, I have it stored in the safe. If I forget the combination to the safe...I'm screwed. Thankfully that hasn't happened yet.
I use SplashID on my phone (and it's probably the single biggest usage of my phone). Don't get the current version though - 7 is pretty much unusable. I had to fall back to 6, which is usable, though not quite as simple as 4 was (I think that's what I upgraded to 7 from, which was a terrible mistake). Like the submitter, I refuse to use the cloud offerings (which SplashID has as an option now). A cell phone is a risk, but I choose to believe that I could change the passwords before the database could be cracked, and that my risk from malware is low because I don't install every shiny new app that comes along. I do so mostly because there really isn't a practical alternative at the moment.
I also have them written on a piece of paper, but it wouldn't do you much good if you stole it. if you see "god#" what would you type? It reminds me of what password I actually used (which doesn't contain English words).
Now if someone REALLY wanted access to my accounts they could probably use that hint to reduce their search. If they had cracked some accounts, they could probably figure out some of the schemes I use as reminders and quickly figure out the rest.
Of course they could also just hack my home wireless, or put me in a van and drill holes in my kneecaps until I told them.
Break your password up into two parts: the root and the suffix. The root part of the password is the complex part, that you want to change periodically yet is the same for all of your services. The suffix part is simple to remember and unique to each service, and should be consistently derived from the service itself.
For example, let's say you are setting up a password for your Yahoo account. The root part is "TLi945!zx" and the suffix would be "yahoo" resulting in a password of "TLi945!zxyahoo".
Your password for Outlook might be "TLi945!zxoutlook". And so on. Each password is strong enough to hold up to pretty much any brute force attack, and when it comes time to changing your passwords, all you have to worry about memorizing is the root part. Then you just think about what service you are logging into and append it. Since the root part of your password gets used very frequently across all of your accounts, you can make it more complex than normal due to muscle memory building up faster.
Also, it might be worth making the suffix a little less obvious than the name of the service. You could instead do something like the first, second, and last letter of the name, so the Yahoo password would look like "TLi945zxyao" and the Outlook password would look like "TLi945zxouk".
Too late, I stole your wallet this morning and already logged into your bank and drained your accounts.
Well, you have my driver's license, credit cards, and bank card, you already stole my identity, maxed out my cards, drained my bank account, and stole all my cash, what are passwords gonna get you that those other things haven't?
are the same as my luggage.
The reset mechanisms exist regardless of how complex I make my passwords. They're generally not my systems.
Systems that generate passwords like that - that you can't change - pretty much demand users write them down on a post-it note under their keyboard :(
I memorize them. It's not always easy but it's really the only 100% secure way, and no they are not simple and they do get changed often.
I also have them written on a piece of paper, but it wouldn't do you much good if you stole it.
Same here. I use the names of common fruits and vegetables as my passwords. So if anyone steals my wallet, they will assume that my list of passwords is a grocery shopping list.
I use a copy of the community edition of ClipperZ: https://clipperz.is/
I run it securely on my own servers, although I've made a few modifications to prevent brute force logins and to brand it to my liking.
I create separate accounts for all my clients and give them access to their account. They seem to love it as I have all their shit in one place for them if anyone else needs it.
Wherever you can get away without having to use passwords, I would not. Password-less solutions like LaunchKey can often easily be integrated into your systems and are MORE secure with less hassle.
Linux can be installed on tablets. I would research a seven inch tablet, a distro that suits you, install Linux, encrypt the hard-drive, and power-down the device when not in use.
You must use very short passwords.
I'm pretty awful at password management.
One "simple" password, used for web services that don't have any sort of financial or other "real" interaction with me beyond a pseudonym and a download I needed to access or an article behind registration that I needed to read.
One "complex" password with a little bit of ever-changing entropy used for things like Google or Microsoft type services, banking/mortgage sites that don't offer me two-factor, etc. Your basic 7724hAppy!d0G$$smil3s sort of affair. Next year they'll all rotate slowly into 8562saD^DOG$$fr0wnz, if they're still in use, rendering abandoned site's passwords useless.
And either two-factor authentication (RSA + "complex") or a unique "complex" password for accessing my work or accessing my uber-secrets.
I frankly can't be bothered with much beyond that.
http://www.youtube.com/watch?v...
I'm 60 and I have about 20 passwords. Some are to my wife's accounts.
I memorize them. BUT they are all memorable to me.
Let's say I had a very memorable event - my first kiss at an amusement park in 1969 - I'll create a password 'mfkaaapi69' and then switch it up a little bit so it ends up mFka&api6(
This password might be reused for a few accounts that I consider low level security (ie no money, no real identity). Banking/financial logins are unique and are longer mnemonics.
Work is a pain - every 60 days we have to come up with a new one, so my work password has a number I increment. KISS since they force the changing. Strangely some of my work logins still have the original password, while other logins are crazed about the changing. Must be different admins controlling some of the domains and accounts.
I do write my personal ones down, but that list is in our family papers stash, and it's clearly labeled what the accounts are - in case I kick the bucket.
I've had a few scares and changed all passwords to all account at once. I had to rely on that written list for a few days.
What I use is a text file on a thumb drive also backed up on several local drives.
The text file contains the first half or so of the password, enough to remind me of what the password is should I forget. The rest is stored in my brain.
For rarely used passwords and places I will put a hint under the half pass.
I am trying to get away from these long 20 character passwords though... I really wish someone would invent a better system. Maybe a thumb drive that combines storage and a thumb print scanner in one package.
You mean like this?
Yeah, they're a bit pricey, but not totally out of the ballpark for the concerned user :)
I have a truecrypt virtual disk that I store in a dropbox folder. Because dropbox can sync differentially the entire thing doesn't have to sync every time I disconnect the file. Because all dropbox sees is the encrypted file, unless someone can decrypt it it is useless even if they breach my dropbox account or in some other way gain access to the file.
It works a treat, to be honest. I keep sensitive passwords, of course, but also use it as encrypted storage for my notetaking app, sensitive diagrams, images etc.
It is good for iOS, Android, or web. Passwords available offline or online. Documents online. Can enable two factor authentication - send SMS to phone.
http://securesafe.com/
Really good product and very happy with it.
unset HISTFILE
I have Secret! and KeePass on a company smart phone. Secret stores my personal passwords, and Keepass stores system passwords. Both are synced to/from a company server. The master password for Keepass is known to the other admins, and the Secret password is known only to me. (And no, it's not Correct Horse Battery Staple, sorry.)
If the company has a problem with you keeping company passwords on a personal phone, have them issue you a phone with remote kill.
The advantage of using a repository is that you're never tempted to make passwords easier to remember (IE: guess) or to reuse a password across multiple systems. The repository password is (ok I'll tell you...) a random string of characters arrived at by pounding the keyboard with both hands for several seconds and then choosing a sequence out of the center of the garbage. But you can remember any random string if you only have to do it once.
Too late, I stole your wallet this morning and already logged into your bank and drained your accounts.
That's quite a trick, because before you can figure out the account name I used for the passwords you have, you are going to have to know the code.
So, I have passwords on paper, but I'm going to guess you won't come up with the *real* password any time soon.
Here, give it a try... My managed switch at home: "09"
Let me know what the password is...
I'm at a loss to understand what the security issues you would have such that cloud-based password managers are a hazard. And yet, such that you can get away with passwords that you can commit to memory.
Any password you can remember is a password that is already in thousands of crackers' try-these-first password lists. All of the online security breaches of password databases have provided a rich and extensive database of passwords that people actually use. No, you need to use a password manager. Like five years ago. But a password-managing device is the worst possible option you can consider. How can you back up your password database?
A good, completely off-line option is Steve Gibson's 'Off the Grid' password generator here: https://www.grc.com/offthegrid.... You could generate a paper grid and use that. It can be reprinted as needed, and even if you lose it, no problem.
Some/all of the cloud-based managers can be used offline. I know for a fact that LastPass does not need to be connected to the 'Net to work. It's free, try it out - see if it works for you. There are 'LastPass Portable' versions, designed to run off a thumbdrive.
For a buck a month, LastPass provides stellar technical support (one of the programmers called me at home to sort out an issue I was having when using 'LastPass for Applications' with the steaming pile of crap that is iTunes): https://lastpass.com/go-premiu... Their security has been vetted by trusted reviewers, they use best practice encryption and protocols. Perhaps their Enterprise services will fit the bill?
Cheap at twice the price. I can't recommend them enough.
Systems that generate passwords like that - that you can't change - pretty much demand users write them down on a post-it note under their keyboard :(
Yea. Stupid rules end up with stupid results, and having passwords that are too complex is nuts.
I have 26 like that.
So if I generate 26 more, you'll have no trouble memorizing them all? Assuming that is the case, good for you, you are a special flower.
To suggest that anyone else is unfit to work in any field requiring security is absurd.
I also have a generic "Password123" password for sites that are use once and forget.
I agree this is sensible.
He definitely wasn't in charge of network security.
To suggest that anyone else is unfit to work in any field requiring security is absurd.
I think he was saying if you're in an environment where you both need to use very strong passwords *and* its not acceptable to write them down in something you carry securely all the time, *then* that suggests you either have to have a very good memory or you're not qualified to operate with those restrictions.
If one of the very-short-ranged devices like a wristwatch can be handed the task of keeping your temporary key, then go for it. A crook has to cut it or your hand off, or a court has to write an order to let the police at it. That's reasonably secure, at least as good as a door-key on a keyring. The magic words are "short ranged".
davecb@spamcop.net
If you use a simple prefix you can remember, a different one for each system, then you can program a complex suffix into a YubiKey configured in "static mode". This avoids changing the existing password based system.
Of course, it's not as secure as other options, like One Time Passwords or challenge-response systems, but is an improvement.
(Another option would be to have a separate YubiKey for each system, then each system could have a completely unique password.)
I can't believe that nobody has mentioned what is used in a lot of high security areas...
http://www.mandylionlabs.com/
Get one of their fobs, works for all and will self destruct if you enter the master password in wrong.
I etch them into stone plates then hide them deep in a cave in the Amazon surrounded by deadly booby-traps.
It's pretty secure but it's a bit of a pain to access them when I forget the login for my hockey pool.
I stole this Sig
I'm like the Luddite here. I have a system of a handful of passwords I use. I have one unique one that I use for Gmail. I have a secure one that I use on a few sites, and a secondary secure pass. I have an unimportant password that I use for junk things like forums I don't care about. I have a few backup passwords I switch to when someone gets hacked, like Kickstarter.
Just another second banana
None of these methods of password storage are resistant to the twelve dollar wrench attack.
Congratulations, your password of "password=password" is rated "Fair" strength.
Just another second banana
The way I do it is I create a small DMG file, turn on good encryption and save it in Dropbox. Put a simple text file in there. Done. Just eject it when you're done and make sure not to store the password in your keychain. OS X only, but if you need in you can get into DMGs with 7-Zip on Windows or just mount it under Linux.
I have levels of security. Any ordinary web site that demands a password gets my lowest-level password, which is the same on any such site. This happens to be my Slashdot password - who cares if somebody hacks that one?
I have a special password that I use for my bank account. It could cost me all my money. Same password for any bank.
Sometimes I have an intermediate level, but not often. It's surprising how little security is really necessary.
Total of two or three passwords, each memorized.
notebooks
Once I got past the post-it level many years ago I put them all in a notebook, but not too obvious or near the computer. After all, the daily ones are memorized.
Actually 2 notebooks as I copied it all for a copy at home and work. The new passwords go on a page in the front and that gets copied to take and enter in the opposing book to keep them reasonably sync'd. If it is new enough that it is not in the other book I probably remember it still :)
~/passwords.txt.gpg contains all my important passwords, I have copies of it everywhere. For non-important passwords (like Slashdot logon), I just use a password I can remember, which is the same or minor variants based on the site's password limitations.
You never know what things can go wrong with electronic systems, but a book with written passwords in a place where the boss knows where to look if you get hit by a bus is almost foolproof.
Oh that is a nice thing!!!
Thank you!!!
Yeah a little pricey but not crazy expensive at all and totally worth it.
Sync 1Password to your drop box from your mobile/Windows/Mac and you can view it in Dropbox securely via a web browser.
Windows, Android; pretty sure there is an iPhone version. Keep it sync'd and use a complicated password. 3 shots at the password and the database is wiped. All website accounts get randomly generated, different passwords for each site. No two sites have the same password. Most don't have the same user account. Also good for devices, and other info where you need to keep notes, date purchased, SN, license keys, setup info etc...
I have used Password Safe, Bruce Schneier's solution for a number of years. (pwsafe.org)
The Linux version is in beta, with Windows and Android versions available.
...is just the letter "a"
IronKey comes with a good password manager. I find it invaluable for remembering everything for me.
I love my wife and her name is lesa 53
good luck with cracking the below
Ilvemywfenderamesesa53
GRC 2 X 10 ^ 39
or
my car is a 2004 vw jetta
YaRSa004WettA
GRC 2x10^23
next car is a 2014 nissan leaf sv
NexCaIA201NissaLeaS
It really is not that hard.
plain text file in a Truecrypt volume, and little scripts to query/add to the file. It used to be batch scripts when I used Windows. Now I use bash in Linux, which should also work on Mac. The "t" script is to mount the Truecrypt volume if needed.
$ cat `which p`
#!/bin/bash
# mount the Truecrypt volume if it is not already mounted
[ -d /media/truecrypt1 ] || t on
# accept up to 3 arguments, and filter on all 3
if [ -z "$2" ]; then
    grep -ni "$1" /media/truecrypt1/p
else
    grep -ni "$1" /media/truecrypt1/p | grep -i "$2" | grep -i "$3"
fi

$ cat `which padd`
#!/bin/bash
# mount the Truecrypt volume if it is not already mounted
[ -d /media/truecrypt1 ] || t on
# append a dated entry to the password file
echo `date +%F` " $@" >>/media/truecrypt1/p
Just use the same password everywhere. "monkey" is always a good choice.
Alzheimer's.
Seriously, this is a PITA today. .txt file, slightly munged.
For random ones I do not care about...
For less random ones vim -x
Serious ones -- if I told ya I might have to silence ya.
At work I had an old school photo book with 4"x5" cards in a well-locked drawer equivalent.
I could hand a card to someone that needed it. Cross out the old and enter a new one when the card comes back (think library checkout),
where a card was a log of who got it.
I could hand the book to my ex-boss when I left ;-) :}
after he signed for it.
"ssh" keys help a lot of things.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Same here. The database is encrypted, so the risk is minimal even when it's on my phone. Any malware that could get at the database password as I type it could get at any password I type, and I'd frankly be more worried about malware circulating on the company network.
I think he was also saying "I am a fucking dick".
haha, captcha: "elderly"
Well, I keep a plasticized Password Card [1] for keeping the passwords that actually matter, along with a PGP passphrase, which is used to open up my password store [2]. The program itself is available on any major distribution, and it's really easy to install if it's not; it's also very easy to use. The only "disadvantage" is that there's no Windows version. [1] https://www.passwordcard.org/e... [2] http://www.zx2c4.com/projects/...
I do this... Service/Website Name+GeneralPassword spaced by $'s $Slashdot$Password$ This gives you a unique password for each site and I can remember it easily.
I picked one robust password, and then I add a prefix to the front that relates to the site or service it is for. For instance, for Google it would be go************, where ************ is the common portion.
That is similar to what I have been doing for years, I have a base password, then I add characters generated for the domain name using my own algorithm. Easy to figure out in a few seconds and every PW is different.
If you could reason with religious people, there would be no religious people
You can use LastPass offline. Maybe try looking into all of the options instead of making assumptions.
I store all my passwords in an OpenOffice Calc file that's password protected. Additionally, that file is hidden on a TrueCrypt non-discoverable drive. I feel relatively safe doing that.
I've started using a concatenation of many easy words, related to the system and my daydreams. According to xkcd, long plain word passwords are more secure. So at work, one password is "servertwomybitterlife". At home, it's "Anypornonthis24inchmonitor?" My bank account is "Ohlookabalancebelowzeroagain!"
I have been using Roboform for over 5 years. Currently I have 600 sites/passwords, all different, stored on my laptop & password-protected. The beauty of Roboform is that it will fill in passwords for Windows programs like SSH & SFTP & VNC as well as logging you in to sites automatically.
Off my laptop I store Roboform2Go in a Truecrypt volume on a thumb drive.
In the cloud I use SpiderOak to store the password-protected passwords.
I'd like to know any reasons why this is not safe? It is most convenient & runs on my Linux box too.
I do NOT use Roboform online sync, only locally.
Nico M, London, GB.
Well, come back when you find a network security guy who accomplished more than Einstein.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
My passwords are usually more than 16 characters and they are non-dictionary words. They are all types of characters, some using non-Romanised letters. I literally could not! cannot remember my passwords for my server, for my WordPress, for my email system and various different formal and non-formal email accounts managed by me. My Amazon password, my eBay password, my blah blah blah password, even for this website even though it's a smaller password. I keep all my passwords in a plain text file on an external hard drive. I make a policy of not telling people what type of desktop operating system I use, for security reasons; my web browser has no identifiable user agent because I do not want to give a potential enemy information to attack my computer system through email and various brute force programs or Trojans and viruses, Java exploits and drive-by malware. I run a very secure system and the only weakness I have is remembering those bloody passwords! I'm sick of the fucking things. Get through my external hardware firewall and my internal software firewall and my intrusion detection and there are my passwords in plain text, all in the centre of a pretend dummy boring read-me document. I need to encrypt them some day and yes, with another fucking password. I hate the bastards. I often use a language and browse websites that have a similar language to 1,338,299,512 people who all think they are master "Hackers." So there are probably 1,338,299,512 people with my passwords, plus the NSA and GCHQ and somebody's granny at Tristan da Cunha.
Personally, I use a password protected secure note in an OSX keychain. Fine, rail me for that, but if someone gets into my keychain, I already lose anyway.
For work, I've been trying WebPasswordSafe for the last several months. This is to get away from the melange of different un-sync'd password lists in various password managers people in the IT department had. So far it works well, it offers group policies, so theoretically it could be rolled out company wide and each user and group could have their separate password lists.
I'd been guided to look at SecretServer, but the features I need are in WPS, and it's easier to sell Free in my company than Several Hundred or Thousand dollars, for many things at least.
I like music
I've just constructed my own simple password manager. Attach a short ident for each password to a strong master password, and then SHA512 and base64, truncate the result as necessary. Can be easily reconstructed wherever you want.
KeePass has served me well for four years now. Used in conjunction with Dropbox. I've also got plugins for use with Chrome and TrueCrypt. As a personal solution it is fine. Not sure if it works as well for multiple users. Like the OP I've had problems with corporate password management. Software solutions seem to be either personal and cheap/free or large and eye-wateringly expensive. I looked seriously at one about ten years back until I discovered that it was going to cost us approx. $20k.
Maybe I'm just old, but pencil and paper. Or, if you're really tech savvy, type it out on a typewriter. For those of us from the future, we can make a document, print it, and then not save it. Probably the most secure system ever created, assuming you don't leave it lying around.
I memorize a set of transforms on words that spits out different words. E.g. Transform1: always replace "apple" with "orange". Transform2: replace the letter "e" with "eat". Then I write down all the passwords against each site and mark which transform I have used for each, i.e. Transform1 or Transform2. Since only I know what each transform means, even if someone sees my list of passwords, they can't do anything about it. I don't have to refer to the table of passwords for all the commonly used passwords because my fingers remember them somehow. So this is working out pretty well so far.
Passwords at home, I write down and file (with the exception of hyper-important stuff like bank access, where I choose passwords significant to me and just write down clear hints that will help me get them but no-one else). I reckon that, if anyone gets access to those, I have bigger problems to worry about.
At work (software techie) I had, on average, 20-40 different password-protected accesses of various types. I (a) followed a theme meaningful to me (usually based on hobby things I'd been doing away from work); (b) used a single password on all systems; (c) guarded it carefully and changed it if I had the slightest suspicion it had been compromised; (d) changed it everywhere at the same time, regularly; (e) wrote down expired passwords so that I could recover any I accidentally failed to change; and (f) tried NEVER to change it immediately before going on leave. I found the combination of a password meaningful to me and the drill inherent in changing it multiple times in succession (and then using it regularly from that point on) meant that I never had a problem. Yes, I only had one password - one breach would have been a bigger exposure. But I NEVER had to write it down - and on the few occasions on which I had a brief memory glitch I could, in the worst case, give myself a big clue by looking back at my previous passwords to remind myself of my current "theme".
I have 3 classes of accounts: work accounts, important personal accounts, and junk accounts. I use an easy to remember 8 to 12 word phrase that describes the 'class' of account (a longer phrase where I deem more security is needed). I take one of the letters from each word in the phrase (all first letters, or 2nd, or 3rd, . . .), and use "special character substitution" (like 3 for e, @ for a, etc.). This becomes the 'class password'. I then add a two character description for the specific account or computer I am using. I either wrap the 'class password' in these two letters, or stick them both at the front or end. I change the class passwords around every 6 months. Sometimes up to a year for "junk" accounts (FB, Twitter, et al.) I have around 40 different accounts, in three 'classes', that I remember easily, and for long periods of time, because I only have to remember very little. I never tell anyone any of my passwords, and never let them use my machines. And I don't obsess about the passwords. Physical access & "social engineering" are the easiest ways into a system, anyway.
Like many other posters here, I also use KeePass and put the password file on DropBox.
The only issue for me is that I also use a "keyfile" file on all my computers (work, home, laptop), and that I could not yet find an iOS version of KeePass which would support keyfiles.
Any idea ?
I have so many I use a master password list written in a simple text document that is in two places. My main machine and a flash drive both protected by Truecrypt. The flash drive actually has a small binary on it so the computer I use it on does not have to have Truecrypt installed on it for me to use it. It supports Windows, Macintosh, and Linux. http://www.truecrypt.org/
Chris Sheppard
I still have some big encrypted file here where I forgot the password. I know I did change it to something secure once, and I have a bit of a clue what the password was. But every variation I can think of did not work. So I still hope I remember the password someday ...
Is there any good trick to recall a password you once knew by heart?
Preface: I am an IT security professional.
I actually have a small set of passwords I use everywhere. Quite honestly, 90% of the forums, communities, blogs or whatever that I have an account on aren't worth having a different password for. If they get hacked, the password lost, you can post an irritating rant in my name - big deal.
It's all about thinking about the actual risk instead of applying one formula to everything. Yes, my PayPal account has a different password, as does my e-mail or my server account password and my root password - all of those have their own individual passwords not used anywhere else.
But for everything else, I have 3 or 4 passwords that I assign based on context and importance. All the online-games I play have the same password, for example. Go on, break into my LoL account. You can ruin my MMR until I find out, wow, I'm so afraid.
So in sum total I have about 10 passwords, and I can keep them in memory. I have an encrypted textfile (network-shared) where they're stored, just in case I have an accident or something. Since that's just for backup purposes, I have no need for any of the password management tools.
Assorted stuff I do sometimes: Lemuria.org
My dad has a bunch of cards for various tasks, including credit cards, fuel station cards, access cards for the various company locations he needs to access and so on. I think he has at least 15 different cards either on him or in his work vehicle at all times, and they all have unique PINs.
So, being a guy who's worked with electronics for nearly 40 years, he puts the PINs right on the cards, in the format of resistor color codes. For instance, 1234 becomes "BRREORYE". Perfectly indecipherable to anyone who isn't into electronics, and still indecipherable to most electronics people if they don't know the secret.
Eat the rich.
A few years ago I meant to try out KeePass but accidentally installed a totally different app called KeepAss.
On the plus side, I still have my ass, so it must be working.
Koans and fables for the software engineer
I use a vim plugin that allows me to read a gpg encrypted file to get to my passwords, which lately are random 12 character strings of letters, numbers and symbols generated with pwgen. The system ssh account and the gpg keys should have different passwords. I avoid entering passwords remotely from secured systems using ssh keys (with ssh-add, or in more recent years this is handled by gnome). I do not want to put my trust in other password safes, especially those on smart phones. I do use firefox with a master password to store less sensitive passwords and feel relatively secure doing so but would never store anything like banking passwords there.
Salut,
Jacques
Nonsense! Clearly the god number is +5 Insightful!
Encrypts the file, has a portable exe for simple use, and wipes the password out of clipboard when the program is closed. You can set password complexity requirements on the random generation either for all passwords, a group of passwords, or a single password. Set password aging if you have to, and make notes on each password entry. I use it extensively and it is a great convenience.
I've been using it for a very long time, it's a Windows stand alone program.
http://www.dexadine.com/aceros...
After installing a new OS, I'll pull a short-cut to the desktop. It's rather old I think it was XP that broke it (they claim Win7) - It used to call a site then automatically log-in, but I never used it when it worked, so no big deal.
That Pitbull Wallet looks nice but I don't use passwords over my cell phone or tablet, just my PC; exceptions being gmail (not my main account) and Netflix. I don't because I don't have to.
I use kiskis, a program just like KeePass, but older, in Java, and it uses AES to encrypt the file.... Choose a good password as master password and you are good to go!
Java allows me to run it on almost any system, and have the program and the encrypted db on a pendrive (where I have some basic passwords); I also have my main password db at home. For more important passwords, I ssh to home, do a quick gpg -d password.db.gpg | less and search for the password.
This way I can access the passwords from wherever I am; I have the passwords in a standard secure encryption and in a secure location (home and office), in different password dbs for different objectives.
Higuita
Unfortunately, my body is already full of tattoos about John G.
SJW: Someone who has run out of real oppression, and has to fake it.
I used to use a simple indexed array for remembering passwords but as the OP noted the number gets too large (thousands) so I switched over to a formula combined with an indexed array. Low security passwords get the least protection under this system and the high security passwords get stored in the array which is much harder to crack.
I actually generate my passwords with a spreadsheet. It displays the new password in large type, then I take a picture of it with my cell and store it.
I use KeePass as well. I store the database in a Truecrypt volume which then is propagated across my OSes via one of the cloud backup services.
paper
Casteism
I've been using them for years, and I love it so much that I subscribe to their premium service, even though I don't have a use for it, to provide support for them...their basic service is free.
It autofills my username and password on any machine where I have the app installed. If I don't have the app installed but need to get to my username/passwords, they have an online vault I can log on to.
And searching is easy - I can search by username or site or keyword in description. They auto-filter my passwords as I type into the search box.
https://lastpass.com/
Not on my PC (Fedora 20):
$ bash --version
GNU bash, version 4.2.45(1)-release (i686-redhat-linux-gnu)
And the test:
1001 ls
1002 ls
1003 history
Being "old" I still remember all the passwords I need to. That being said I have a few co-workers that use a password protected Excel Sheet
no matter how good it is, it is human nature always wants to make things better
I've been using Ascendo DataVault since my Blackberry days. I needed something that would cross platform with Blackberry & Windows and that was it at the time. They have since added IOS and Android to the mix. The database is resident only on your devices and can be synced between them. It may not be the best or the cheapest out there, but it works. I use it for logins, credit card account data, inventory and just about any small stuff that I don't want to leave out in the clear.
Would I trust the setup with nuclear launch codes? No.
They were set to 00000000 for decades anyway, so why not?
like god intended
Star Trek transporters are just 3d printers.
My long-term memory is stuffed with things I memorized out of necessity or boredom when I was a kid--my Aunt Marie's phone number, my high school locker combination, mnemonic devices that I made up, the punch line to a joke. So, I figure if I still remember them today, they will be around for a while longer and I assign them to sites as a password is needed. Then, I add the site to a list on my desktop with just the clue. The list is of no use to anyone but me.
I'm fucking smart. That's how.
I don't even remember the last time I heard of a large scale data compromise from passwords being either brute forced or guessed. By a massive amount - bordering on 100% - compromises are from backdoors, social engineering, and zero day vulnerabilities that lengthy, encrypted, impossible to remember passwords don't help.
For internal passwords, and its ability to securely allow teams to share access to a password list I can highly recommend password state.
It's a great program with a really responsive team behind it. I've used it in two companies now and it's proven popular both times.
I use passwordmaker.org which doesn't require keeping anything in a database. It uses a master password combined with a URL to generate a one-way hash which you use as a password. There are browser extensions to make it easy to fill in passwords when logging in (they pre-fill the URL for you). You can customize the password hash algorithm, the character set to use, the length of the password, and also any prefix or suffix that is to be applied. Since many sites need a capital letter, a number, and a special character, I have them static as a suffix to apply to the hash. With these settings it'll generate a password that meets 95% of sites' password requirements.
http://passwordmaker.org/ is also free.
Honestly, the harder part is now remembering the username for each site (usually email or a few variations of usernames). I keep a database of my usernames for each site in the cloud.
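As an added illustration (not code from either of the posts above, nor from passwordmaker.org), here is the "master password + identifier, hash, encode, truncate" derivation both posters describe, in Python, with the character-set and static-suffix handling the second one mentions. The identifiers, the default suffix and the policy check are constructed for the example; the closing caveat is the standard one for unsalted deterministic schemes.

```python
# Added example, not code from either post or from passwordmaker.org: the
# "master password + short identifier, SHA-512, encode, truncate" scheme, with
# the optional charset / prefix / suffix handling the second post mentions.
import base64
import hashlib
import string
from typing import Dict, Iterable, Optional

ALNUM = string.ascii_letters + string.digits
# Constructed static suffix: guarantees lower, upper, digit and symbol are present
# so the result satisfies common composition rules whatever the hash contains.
DEFAULT_SUFFIX = "aA1!"


def derive_password(master: str, ident: str, length: int = 16,
                    charset: Optional[str] = None,
                    prefix: str = "", suffix: str = "") -> str:
    """Derive a site-specific password from a master secret and an identifier.

    charset=None: base64 text of SHA-512(master || ident), truncated to `length`
    (the first post's scheme). Otherwise each digest byte selects a character
    from `charset` (passwordmaker-style alphabet restriction).
    """
    room = length - len(prefix) - len(suffix)
    if room <= 0:
        raise ValueError("length leaves no room for derived characters")
    digest = hashlib.sha512((master + ident).encode("utf-8")).digest()
    if charset is None:
        body = base64.b64encode(digest).decode("ascii")
    else:
        # Byte-to-alphabet mapping; slightly biased unless 256 % len(charset) == 0,
        # acceptable for illustration but not for a production generator.
        body = "".join(charset[b % len(charset)] for b in digest)
    return prefix + body[:room] + suffix


def meets_policy(password: str, min_len: int = 12) -> bool:
    """Typical site rule: minimum length plus lower, upper, digit and symbol."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def site_passwords(master: str, idents: Iterable[str], **kwargs) -> Dict[str, str]:
    """One derived password per identifier; nothing is stored, only recomputed."""
    return {ident: derive_password(master, ident, **kwargs) for ident in idents}


# Caveat for anyone adopting this: the derivation is deterministic and unsalted,
# so the whole scheme rests on the master being high-entropy, and changing the
# master (e.g. after a suspected compromise) changes every site password at once.
if __name__ == "__main__":
    for site, pw in site_passwords("constructed-master-secret",
                                   ["slashdot.org", "example.com"],
                                   length=16, charset=ALNUM,
                                   suffix=DEFAULT_SUFFIX).items():
        print(site, pw, meets_policy(pw))
```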
I don't write passwords down nor do I store them anywhere. Instead I keep 2 to 4 base passwords and a key in my head at all times. I regularly change the base passwords and key. The passwords are sentences such as "C12hg@S14" from the sentence, "Canada won 2 hockey golds at Sochi 14". Sports events, records and dates make easily remembered sentences. Because some sites don't allow non-alphanumeric characters, I keep a base password with only alphanumerics, such as "Spr2g7r" from the sentence "Slashdot posts are too good to resist" (7 looks enough like 2. Avoid 2 much duplication.) With the key I add two more letters to the password, making the passwords unique for each site. If my current key is 231 and the password is for my Slashdot account, then using the key I would use the 2nd letter of "slashdot" and insert it in the 3rd space of the base password and the 2nd last letter from "slashdot" and insert it in the 1st space from the end of the base password. My password for slashdot would thus become "C12lhg@S1o4". Facebook's password would become "C12ahg@S1o4". I have a single non-alphanumeric character in use at any given time for base passwords that don't have them. If it's currently "+" then I insert it before the second insertion and "Spr2g7r" becomes "Splr2g7+or" for the slashdot account. With this scheme I can operate with only 2 to 4 passwords, complex but easily remembered, and a numeric key. It also allows every site to have its own password using the site's own name. The key tells me what letters come from the site's name and where to insert them. It sounds complicated but, in fact, I can always figure out the password from the base passwords and the key.
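As an added illustration (not the poster's own code), here is that base-password-plus-numeric-key scheme in Python, following my reading of key "231" as applied in the two "C12hg@S14" examples above: take the 2nd letter of the site name and insert it after the 3rd character, then take the 2nd-last letter and insert it 1 character from the end, with the current special character added before the second insertion when the base is alphanumeric-only. The helper at the end goes slightly beyond the post: it groups sites that end up with the same password, since only two letters of the site name are used.

```python
# Added example, not the poster's own code: the base-password-plus-numeric-key
# scheme, using my reading of key "231" (2nd letter of the site name after the
# 3rd base character; 2nd-last letter 1 character from the end). The site names
# below are constructed inputs for illustration.
from typing import Dict, Iterable, List


def site_password(base: str, site: str, key: str = "231", special: str = "+") -> str:
    """Combine a memorised base password with letters taken from the site name."""
    site = site.lower()
    pick, pos, from_end = (int(d) for d in key)
    if len(site) < pick or pos > len(base) or from_end > len(base):
        raise ValueError("key does not fit this base/site combination")
    first = site[pick - 1]      # e.g. 2nd letter of "slashdot" -> "l"
    second = site[-pick]        # e.g. 2nd-last letter of "slashdot" -> "o"
    out = base[:pos] + first + base[pos:]
    # Bases that already contain a symbol get the letter alone; alphanumeric-only
    # bases (kept for sites that reject symbols) get the special char as well.
    insert = second if any(not c.isalnum() for c in base) else special + second
    cut = len(out) - from_end
    return out[:cut] + insert + out[cut:]


def passwords_for(base: str, sites: Iterable[str], key: str = "231") -> Dict[str, str]:
    """Per-site passwords for a set of sites; handy for checking uniqueness."""
    return {site: site_password(base, site, key) for site in sites}


def colliding_sites(base: str, sites: Iterable[str], key: str = "231") -> Dict[str, List[str]]:
    """Group sites that end up with an identical password.

    The scheme only uses two letters of the site name, so sites sharing those
    two letters (e.g. "reddit" and "netflix") are not actually unique.
    """
    groups: Dict[str, List[str]] = {}
    for site, pw in passwords_for(base, sites, key).items():
        groups.setdefault(pw, []).append(site)
    return {pw: names for pw, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    sites = ["slashdot", "facebook", "reddit", "netflix"]
    for site, pw in passwords_for("C12hg@S14", sites).items():
        print(site, pw)
    print("collisions:", colliding_sites("C12hg@S14", sites))
```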
unset HISTFILE
Not good enough. You at least want:
$ srm ~/.bash_history
Really? I would think that preventing stuff from being written to the history file is superior to attempting to securely delete it afterwards...
But then what's in your DRAM? (google: cold boot attack). It all depends on your threat model. Does someone really want to get at those passwords or not?
I know what a cold boot attack is, thank you. They're just not very straightforward to execute remotely, and not a very common threat in general. But yeah, your point stands that 'unset HISTFILE' won't protect you against that, so if you're really paranoid, you need to combine it with HISTSIZE=0. And pray that the commands aren't somehow left behind somewhere in memory anyway, which sounds a lot like wishful thinking. Which leads us to the argument that if you really want to prevent your computer from giving away any useful information to an advanced attacker with physical access, you have your work cut out for you.
Hypnosis. You'll either remember the forgotten password or you will become stiff as a board and members of the audience will be able to sit on you while you are placed like the seat of a bench between two chairs. Hopefully you'll remember the password. And then bark like a dog.
No problem, I had actually forgotten all about them, so thanks for the reminder! I was looking into them a while back for this very application but I ultimately went with an encrypted password manager on cloud storage instead. Might have to give them another look-see... :)
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
For good measure, if your Facebook password is "pickles" and your Gmail password is "bananas", you should set your Dropbox password to "condoms" and your Slashdot password to "anal lube". Then the thief is unlikely to even keep reading the 'shopping list'.
I've seen tons of suggestions for managing passwords for one or two people, but what do you do when you need to manage passwords for hundreds of individual systems with passwords/URLs? We tested out KeePass but it didn't give any granular controls. Is there anything out there that doesn't break the bank like Thycotic or ManageEngine? Thycotic http://www.thycotic.com/produc... ManageEngine http://www.manageengine.com/pr...
I have a lot of passwords to remember for all the accounts I created before. So eventually I can't remember them all. But they are already listed and saved in my Google spreadsheet. I also use Passpack aside from the spreadsheet. I also used to have them on my desktop, but then I realized the privacy issue with that... So that's why I'm now using Google spreadsheet and Passpack. Also, when I have a new account to make, I'm going to make my password short. Then the password I am using for my other account shall be the same for the new account I am making, so that it will be easy for me to remember.