Slashdot Mirror
Ask Slashdot: How Do You Manage Your Passwords?
Albus Dumb Door writes "As an IT professional, I've got a problem common to many of you: dealing with a lot of passwords. Memorizing them all becomes harder with age and and an increasing number of passwords. I will forget them eventually. I am obviously unable to use something online, like Last Pass and 1Password. Using a single password for all the systems is also obviously out of the question. I know that there are a few apps for cell phones for managing passwords (like Phone Genie and mSecure), but a cell phone, unless it's kept in offline mode (and even then), is still a security risk and I'm pretty sure my employers wouldn't like me having their passwords on my cell phone. I've also taken a look at things like the YubiKey, but changing the authentication scheme of most of the systems is not an option. The only interesting option I've seen so far is the Pitbull Wallet, but they just started taking pre-orders on IndieGoGo and are not expected to deliver until August. Amazon has some hardware password managers as well, like the RecZone and Logio, but either the price or their reviews scared me away. So how do you guys prefer to manage your passwords and what do you recommend?"
extensible, open source, active project...what's not to like?
Why is LastPass not an option? The password database is always synced to your laptop/cellphone so there is no problem accessing your passwords when you are offline. The security is the most robust I have found when it comes to password management, especially when you use 2-factor auth.
I use Keepass.
I store my keepass database on dropbox, this way it is accessible from my iphone, ipad and all my laptops and desktops. Any changes I make are synchronized between devices automatically.
Keepass will auto fill in websites with plugins like KeeFox for Firefox, or launch Putty.
I don't even know what my Slashdot, eBay or Amazon passwords are, as they are all about 64 random characters each.
If you choose to go this route, it makes sense to have a very strong passphrase, as such, my passphrase exceeds 128 bits. A key file is also an excellent option.
Try to hack my 31337 firewall!
A failing memory means that you are not suitable for the job and should find something else, like working in a retirement home.
Yeah, how many passwords like: R;3m|/|iv%{^B$
do you have memorized? I have several passwords on that scale of arbitrary, that I did not pick, that I cannot change, that are changed on someone else's schedule, cannot be re-used, and that I tend to need to actually enter maybe once a quarter, if that.
For the most part I don't save or memorize passwords. I regenerate them as needed with SuperGenPass. SuperGenPass algorithmically generates passwords by hashing the site's domain name together with a single memorized password. This always generates the same password for any given site. So, I don't have to remember them or store them anywhere, I just need to know how they're generated.
But what if I'm at someone else's computer without SGP installed? The SGP website has a "mobile" version, which is just javascript that runs entirely within the browser. Go there, type in the domain and password, and generate it. (Yes, I've checked the javascript. It's not sending your password out to the mothership or saving anything locally.)
I do keep a notebook in a plaintext file with all the sites I use. This contains the domain name that the site had when I first signed up. Domain names sometimes change, or are ambiguous (ie., the same site is available via both foobar.org and foobar.com). The text file lets me keep track of what I need in order to regenerate the password.
What about sites that require periodic password changes? I use the domain and just suffix my memorized password with a sequence number. And I write the sequence number in my notebook.
What's that? Security questions? I generate the answer by hashing the question itself rather than the domain with my memorized password. And of course, I copy the question verbatim into my text file so I can regenerate the answer when I need to.
The only failing is when I hit a site that doesn't allow certain punctuation, or has length limits, or something of that nature. Then I modify the parameters that I give to SGP and write down the specific parameters that I used.
The notebook is stored on my home fileserver in an svn repository which gets backed up every night. I'm completely screwed if I ever forget my one secret, but it's one I've been using for literally decades now. It's going to be one of the last things to go when my brain develops bit rot.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
If the file is encrypted before it goes on dropbox, then its as secure as your encryption. And if you don't trust any encryption, then why are you trusting any website with any data that would require you to put up a password to protect?
Because the OP is totally wrong, is why. 1Password keeps its data file locally. There are all kinds of synchronization features, which you don't have to use if you want to avoid online operations.
OP may have been thinking of 1PasswordAnywhere, which is the all-online version.
I also have them written on a piece of paper, but it wouldn't do you much good if you stole it.
Same here. I use the names of common fruits and vegetables as my passwords. So if anyone steals my wallet, they will assume that my list of passwords is a grocery shopping list.