Best Tool For Remembering Passwords?

StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"

paper in your wallet

[Gothmolly]

Keep them on a slip of paper, in your wallet.

but DONT list what each is for - you can remember that part easily enough

Re:

[AdmiralXyz]

I second this. If you have them in your wallet, they are immediately accessible, and if your wallet is lost/stolen, not identifying each password with a particular site will give you enough time to change the passwords before you can be compromised (since most people know pretty quick when their wallet goes missing). Obviously this would necessitate having a second copy somewhere, probably on an encrypted file on your computer that you would use only for the purpose of changing your passwords.

Re:paper in your wallet

[sopssa]

Websites could do more to protect their users too. For example if you accidentally write your password here on Slashdot comments, it comes up as masked. Like for example my password is ********.

Re:paper in your wallet

[Benaiah]

Really? That works? My password is hunter32.
Seems like i can see it still though. :P

Re:paper in your wallet

[TheGreenNuke]

Really? I couldn't see it. this is what i saw

Really? That works? My password is ********.

Re:

[DittoBox]

I put on my robe and wizard hat...

Re:paper in your wallet

[fredklein]

You only see it because it's your password. Everyone else sees it like this:

Really? That works? My password is ********.

Re:

[Zalbik]

Hey, wait...how did you know my password?

Re:paper in your wallet

[Barefoot Monkey]

Hey, wait...how did you know my password?

He didn't know your password. He just typed "********" but you saw it as "hunter32" because that's your password.

Re:

[kninja]

brilliant social engineering.

I almost tried it for a second...

Re:

[cayenne8]

"That's so weird I have the exact same password! I'd better change it..."

Not me...my password is:

1...2...3....4............5

Re:

[Drinking Bleach]

I have the same combination on my luggage!

Re:

[Anonymous Coward]

This is only security against shoulder surfing which isn't how most passwords are stolen.

People rarely steal passwords that way because of masking. Get rid of masking, and shoulder-surfing will flourish.

Re:

[Nefarious Wheel]

and if your wallet is lost/stolen, not identifying each password with a particular site will give you enough time to change the passwords before you can be compromised

But I needed the wallet to know what the passwords were so I could change them! DOH!

Re:paper in your wallet

[JohnFen]

I agree.

100% security is impossible. Any data you transmit or store on a physical device can be recovered, regardless of encryption. All you can do is make it more costly to recover that data -- the best security makes it more expensive than it is worth.

Given that's true, then all security is a tradeoff. Storing passwords on a piece of paper in your wallet is actually very secure for the majority of people, more secure than you can really hope for without going to extreme lengths.

If you have communications or data that are so sensitive that you really have to go to extreme lengths to protect it, then you need the help of a security professional, not encryption and advice on password management.

So, make your passwords random, different for each thing that requires a password, and write it down on a cheat sheet. Guard that sheet like you would your credit cards. If your wallet is lost, immediately set all your passwords to something temporary then build a new password list all over again.

Re:

[dtml-try MyNick]

A while ago I decided I needed a new password system. I had 9 or 10 different passwords I used for basicly everything.
It became increasingly anoying to remember which password I used where. And with the increasing number of password protected sites and apps I also started using the same passwords over and over.So I needed a new scheme.

My requirements were that:
it had to be long (14 chars minimum),
had to contain letters and digits,
should not be guessable, or at least parts of it (duh!),
must be unique for eve

Re:

[rhild]

It seems like some financial sites don't use case sensitivity for passwords because the want users to be able to use the same password via their phone system, where case sensitivity isn't possible.

Re:

[apdyck]

You could keep them on a 5.25" floppy disk...not very many people would bother with that!

Re:

[Jared555]

100% security is possible if you have physical control of a device and want to make sure that nobody ever gets access to it again. (Turning the device into a fine powder and then either melting it down or distributing it across a very large area).... I believe at one point at least that is how the government handled things.

Storing a backup version of your data that you do not need frequent access to on the other hand is possible to get 99.999% secure but as you increase the security level you also frequent

Re:

[JohnFen]

Then I revert to my backup backup, which I keep on a post-it note stuck to my work computer.

Re:paper in your wallet

[NevarMore]

I do something similar, but its the default output of pwgen. All I have to do is recall the first few syllables, the general grid location of the password, or just a part of the password.

I carry this around in my wallet, sure my password is on there, but with no real frame of reference its hard to decipher and make a guess.

Also, suggest printing with a fixed width font.

$ pwgen
gah5eiP2 Ga4cie3c ya6gaiTi eic1EeCo Shaisae5 ChaeXah2 Jaet0ooz ahThai3j
Yie7UH9f Iefie1ja ooghu8Oh uot7aeL0 gughes2M fahGh9ah Ohz7ohto wae2Seh1
avah3Oog Iechie2f eiPhoZi9 Mavohli9 Kohshis7 Meilo8ce Queis5hu Eiz9aij8
Pae9ahPu Equ0zoo9 Oothahk3 pich2Xao IeZai3ae aiLa7Ath Eol2aes7 aeZ5raht
AVai9nee Aam7ahzo Ioch2oqu faiGh0th eYae2ohl si7Te0we einai3Wa oash6Ahj
Eik5uul2 opai8zoY ohw5Ihaf Mi7keix9 aevi1Wa3 mo9ohJ5I Piek2yoR Si1phieZ
Ahc9luch ohNg6Oon daghieP9 reCh7jas joo4ooVi yooR6yeu eeph5Aip shie3Ahp
quoVeg8U Nee3phah CahXee0r aoD8Thai Ai5Aigha eePh0zee Cheip5Ch xeebe0Oy
laeFeez4 Ag9sheeR Ga4gooph Oijae9da aePao2ta ahz8ieNg bu9EhieS quooWoo3
ahghea7N Bot9hieC He3eeGhi ouli8Oof ik3Ohsoh Rahz9Che aeXaNg1e soh3Thee
Ahkith6u Ahs2Zuid eth6Ej0o Go0iho1d xaPhah9z aiNg1yoh Aer8Eet3 juZ3aThu
gee4KooK Hee9iqu3 Duh4aipu AiP6ahph Shaec5ne neeXa6Re Roh6fief Baef9ieM
eeGoo4ie eva1aeQu lu4hiJoh sae2DuYu fahGae7b Doh5Ifi6 jeish9Ae Rierieb5
Eedae7Iu moo6aiG3 ohNei0ie ew9ieHeu xoh5caeL NeiD0ohs iipe4aeP Lich0xak
Oozei5ao gaNgieV2 Dei0ae9l us3Loh8k phal5aeN aip0KeeV Aeg1rais oth1Ahdi
was3ow8Y Oquud1bu emee7Ohr iewa6baJ ao8Airie beegooL9 heiveF7u ongooD9w
iic4uGh0 Ohn9zeiC Neen4noh kei1Seng chieV3oh QuuQu2ju Eex1gaf3 aot8Dah1
EDoh1aej eaBae1ri Eih0woh6 Eiw3Johp Yi3aizuu Og9shohl ho6mi6Xu AeT8eihu
Iev5ohph lies0Iev eeV4jiek Tha1xoo8 gua9biiT aa4Maiga ohXoh3ai eisi8Jee
Ieloh3mo Quoch6sh Eecha0Ra zahnguM8 ieP5Jeye Mao5maec Ephae8af quihei8A

Re:paper in your wallet

[colenski]

enjoy explaining that bit of paper to DHS when they decide to look in your wallet as you go through airport security

It is not hard to guess

[G3ckoG33k]

Sorry, but is NOT hard to guess. I guess Ngbu9E. See, it is not that difficult after all.

Re:

[CvD]

I would advise against your method, because you just reduced the search space for anyone wanting to get in from millions of possibilities to just 160 different passwords. Having a list with your actual password on it makes it pretty easy to brute-force.

Same goes with an earlier suggestion of having your passwords on a slip of paper in your wallet but not indicate which passwords are for what. Very easy to brute force.

Re:paper in your wallet

[RobDollar]

I have a similar setup, I have this on a piece of paper in my wallet

ABCDEFGHIJKLMNOPQRSTUVWXYZ

and I simply remember which letter my password starts with, and then what letter comes second etc.

For example, if my password was SLASHDOT, I would start by remembering the first letter, which is S, then remember the second letter, which is L, and I continue remembering until I have completed the password.

Re:paper in your wallet

[RedWizzard]

Congrats, and thanks.

Now I have an oh-so-sort dictionary (only 160 entries!) to feed to my favorite password-cracking program. The odds of my success just went from potentially being neigh-impossible to almost-certain.

160? Why are you assuming the password must start on a "word" boundary? I guess you're also assuming it's 8 characters long? So if it's "ao2taahz8ieNgbu9" you'll miss it.

Re:paper in your wallet

[selven]

160 characters * 8 letters = 1280 characters.

Number of one-character passwords: 1280 (actually it's even less but stay with me)
Number of two-character passwords: 1279
Number of three-character passwords: 1278
Number of 100-character passwords: 1180
Number of 1280-character passwords: 1

Total number of passwords = 1 + 2 + 3 + ... + 1280 = (1638400 + 1280) / 2 = 819840 passwords

Not that good, actually. And if you limit password length to 64 characters, you get only 79904 passwords (equivalent to a three-letter password using lowercase, numbers and simple punctuation only)

Re:

[Overzeetop]

That's interesting, but for mine I will sometimes choose a password that wraps and (more commonly) one which is backwards. Funny thing about it, though, is that for my "secure" sites I add a non-alphanumaric to the end (bang is my normal, but I've used the asterisk in the past). My list is shorter than the GP's, though. I've used this method since the early 90s when my group at NASA implemented a draconian password regimen which required a new password every 30 days, 8 character minimum, 2 non-alpha charact

Re:

[Jared555]

Good luck trying even 100 passwords in a reasonable time on any relatively secure system. Most lock you out if you fail 3-5 tries within 5-15 minutes. Say you can try 5 per 5 minutes, at a minimum it is going to take about 2 hours. I know some systems by default base lockout time on number of password failures increasing up to 24 hours to 2 weeks for remotely accessed systems. On more secure systems the system administrator gets a brute force notice and/or a semi permanent to permanent ban from that IP,

Re:

[dAzED1]

would you trust those same people with your bank account password? Because that's what he mentioned.

Further, and forgive me for having used unspoken assumptions, but I would imagine that if someone is going to the trouble of setting up a password manager then they might actually end up using those passwords for more than just websites. The anecdotal "it works fine for me" is nearly meaningless; he could have 1 password for all the sites, and have it be something like his street address or such, and guess

Re:

[account_deleted]

Comment removed based on user account deletion

Re:paper in your wallet

[WuphonsReach]

You could accomplish the same thing using a PGP/GPG encryption key and plain text files. (I prefer to keep each site's credentials in a different file. Other folks use larger files that cover multiple sites.)

GPG is available on almost every possible platform. That satisfies the portability issue. Text files with encrypted ASCII text blocks inside are easy to backup (or can even be printed to hard copy).

Plus, if you have a password that multiple people need to know, just encrypt the text with all of their public keys and email the ASCII text block to them.

How about...

[bytethese]

Passwords in a file that you keep on an external drive locked in a safe? :)

Truecrypt

[Wingman 5]

Do what I set up for my father, Truecrypt installed to a USB key, passwords in a plaintext file inside the arcive.

Re:Truecrypt

[yttrstein]

Where does he keep the Truecrypt password?

Re:Truecrypt

[Yvan256]

Inside the plain text file, of course!

Re:Truecrypt

[Korin43]

Why make them mount a Truecrypt volume and search through text files? KeePass gives you an encrypted searchable password database that's much easier to use: While it's running, click the system tray icon, type in your password and your passwords are listed and searchable. When you're done, minimize it back to the tray and it's locked again.

Re:

[peragrin]

what if your not using windows. what about using it from multiple computers.

Mine is on a USB drive in an encrypted drive image, which stores the application and data files which which themselves are encrypted. my current problem is that it is OSX specific. I would love a way to be able to mount that drive on windows and Linux too.

Of course such things don't work well unless you use a java app, which may or may not run depending if java is installed or not.

Re:Truecrypt

[fabs64]

keepass is available for windows linux and osx. You can run the windows version as a standalone binary.

I keep my keyfile and db on usb key (with backups of the db strewn around all over the place), and the master password in my head

Re:Truecrypt

[Graff]

keepass is available for windows linux and osx

Dunno why you'd need it on Mac OS X though, the built-in Keychain and Keychain Access.app does the same thing and more. It will do autofill, autofill after asking you for the master password, or you can just use it to store the passwords and look them up manually.

Keychain can also store secure notes and certificates for websites and such. It's pretty nifty how well it all works, you hardly ever have to worry about manually managing passwords and certificates.

Re:Truecrypt

[fabs64]

KeepassX is a truly cross platform version of keepass. It does not run under wine and is just about indistinguishable from the windows-only keepass.

Re:Truecrypt

[darkpixel2k]

Do what I set up for my father, Truecrypt installed to a USB key, passwords in a plaintext file inside the arcive.

Why bother with passwords?

Start authenticating with your GPG key. (http://gpgauth.com)

Your GPG key logs you in, compromised sites don't hurt you.

Re:

[Darinbob]

I do this also. I don't have a laptop I carry around, so I just have a USB storage lying on my desk with the passwords. Probably safer to put in a file drawer I suppose.

I also have a copy of less important passwords at work, such as vendor support sites. This is stored in a secure drive partition on a Mac, and the password for that is in my wallet if I forget it. There aren't any vital passwords on it, so I'm not too concerned about how secure this is (if I start making intelligent posts on slashdot, th

PassGorithm - One Algorithm, infinite passwords

[abdielillo]

I invented this method and has worked for me perfectly since then. What I did was to develop an algorithm by which I can reconstruct my passwords based on the website or account. For example: 1) Take the first letter on the website name eg : slashdot = 's' 2) Count letters in the website name: eg : slashdot = '6' 3) Count the vowels eg : slashdot = '2' 4) Take the last letter eg : slashdot = 't' 5) Add and underscore and a keyword in common to the end of the 4 previous characters eg : 's62t_w00t' Here's another example with google.com 1) 'g' 2) '3' 3) '3' 4) 'e' 5) 'g33e_w00t' Be creative with the rules... like for example, if its a bank account, make all letters UPPERCASE. Hope this helps. Note: the above example is not my PassGorithm :D

Re:

[RKThoadan]

I used to do something like this, but as companies buy each other out, rebrand parts of themselves and other such shenanigans the website name and URL tend to change. This can get confusing.

Re:

[Hatta]

Why is it on a USB key? You're not carrying around your Truecrypt volume and typing your passphrase into strange computers are you?

Xmarks, KeePass and Encrypted Zip combination

[ancientt]

I recommend this three step method:
Step 1) Memorize one very long complex password. Take your time and pick something out that is long enough that someone could watch you type it a dozen times and have absolutely no hope of getting close to it. Use this password to encrypt a zip file, 256 bit AES, with separate text files for each system where you need a password. Never type this password on a computer you can't trust implicitly and save the archive somewhere safe online and on a thumb drive. Update this p

Re:

[JWSmythe]

    Did you ever play with AccessDiver? If I remember right, that was one of the default brute force cracking schemes.

Keepass

[gad_zuki!]

http://keepass.info/download.html [keepass.info]

Re:

[digitalderbs]

I run keepassx [keepassx.org] myself. It generates strong passwords for you, if you'd like, or it stores all of your passwords in an encrypted file. It gives you the option to copy a password to the clipboard for a given amount of time (10 secs) before it is delete--it removes them on close too.I admit that I was uncomfortable with this at first, but this is no different than decrypting the password, and storing it in memory, before it's shown on screen.

Keepassx also works great on Linux, Macs, and Windows, which I hav

if you use a mac...

[Anonymous Coward]

1password for mac and iPhone/iTouch is a good product

Re:if you use a mac...

[93 Escort Wagon]

I prefer the built-in Mac Keychain. With the Mac OS Keychain plugin, Firefox will save its passwords there as well (and it can share them with Safari).

One important consideration - change your Keychain password so it's different than your login password. Use something that's easy to remember but hard to guess, e.g. the price of a cheese pizza and a large soda at Panucci's Pizza ($10.77).

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[nelsonal]

That's amazing. I've got the same combination on my planetary air shield.

Re:

[Yvan256]

Then you remember wrong. Your planetary air shield combination is 12345.

Hashapass

[PercentSevenC]

Generates reasonably strong passwords that I don't have to worry about forgetting or storing. Works well for me. http://www.hashapass.com/ [hashapass.com]

Re:

[internic]

Hashapass is a clever idea, but don't you run into the problem of various sites having different requirements for a valid password?

In my experience some sites want you to have a long passwords, others actually limit the length. Some only allow alphanumeric characters, and others mandate the presence of a non-alphanumeric character. Even worse, a lot of sites don't state clearly at the login prompt what their requirements are (you might need to fail once to see or even find it on another page), so doing

1password

[excalibur313]

If you have a mac, definitely get 1password. It encrypts all of your passwords in a database that is accessed via 1 password that temporarily unlocks it. You can have it generate very long passwords on the fly too to make it very secure. It stores passwords from all websites that can be recalled during a session by pressing apple+\ but it locks after a period of time where it asks for the master password. You can also store secure notes, and keychains from applications.

Re:

[Jerry Rivers]

I'll second this. 1Password also works with both Safari and Firefox (and maybe others), allowing you to disable the browser's ability to remember passwords. All you need to do is remember the master password. It's an excellent utility for corporate environments too.

Try Keepassx

[willyg]

I've used Keepassx for a few years now. It's cross platform (Windows / Linux) and stores the files encrypted. I tried one of Bruce Schneier's public domain solutions previously, but the Linux install (Password Gorilla ???) was rather painful on some systems if I recall correctly.

Just be sure to use a substantial password for the database...

PasswordSafe

[Avenger546]

I first saw the link to PasswordSafe [sourceforge.net] from Bruce Schneier's site. If I have to take advice from someone on keeping something secure, it's Bruce.

Re:

[darthwader]

I agree. I haven't tried all the others, but I use and am happy with PasswordSafe. It's native Windows only, but there is a Java version by someone else which works just fine on Linux x86 (and x64 with some hacking). I don't think the Java one works on other Linux platforms, since it uses JNI and requires some native libraries.

Easiest one is...

[JimboFBX]

Memorize an e-mail address and change the @ to a '2'. Instantly you have a 14 - 20 character password. Use a shorter 8 character password with a number you can rotate on for sites you dont necessarily trust (i.e. where an administrator could potentially google your username or e-mail and try out your password at other web sites)

Plain-text on a different computer?

[Capsaicin]

If you have access to any other box, how about a plain-text file there? Even a little security through obscurity (ie hidden file burried in the filesystem somewhere) would be better than letting Firefox automagically fill it in. I guess you could always encrypt the file so you only have a single one you absolutely must remember (shades of Flourish and Blott's losing all those copies of the Invisible Book of Invisibility though).

KeePass - fantastic software.

[clockwise_music]

KeePass [keepass.info].

* Stores all of your passwords in a secure encrypted file

* Has auto-type so you don't have to type or remember your passwords

* Has a great password generator tool, so that you can reset all of your passwords to something secure

* Easily transferable password database.

* Can run off a USB stick

I checked it out a month ago on the recommendation of a mate, and have been using it ever since.

It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!

And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.

And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).

Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!

Re:KeePass - fantastic software.

[internic]

Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!

If you turn on the master password then the password file is encrypted [luxsci.com].

Never store your passwords!

[JWSmythe]

Never ever ever ever (EVER!) store your passwords where they can be retrieved by unauthorized 3rd parties! That includes password storing utilities, scraps of paper under your keyboard, or a little note in your wallet.

Written down, in a lockbox, in a safe, in the floor of your basement, under a rug, in your house that has an active alarm system (that you use), in a armed guard and gated community is ok. Ok, most of us can be a bit less secure than that, but I don't recommend

Post-It Note on the Monitor

[Prototerm]

Post-It notes have the distinct advantage that no computer virus or Trojan can steal it.

Re:

[ya really]

Doesn't account for "backdoor" exploits like curious girlfriends who might soon be ex's, pointy haired bosses or spiteful coworkers though :p

Opera Password Manager

[ya really]

Opera stores multiple passwords for sites (like say if you have a few gmails). Unlike normally with most built in password managers, Opera allows you to set a master password that prompts you to enter it before it'll show your current passwords for a website. It works sort of like this:

Opera does not store its Master Password in the plaintext format. Moreover, Opera doesn't even store its hash. The developers have chosen a different route: the password along with the salt participates in the encryption o

Can't be 100% secure

[Darkness404]

The first thing you have to realise is you can't be 100% secure. Keeping plain text files isn't that terrible of an idea in all honesty, your situation of where someone would steal your laptop and access all your files and look for passwords is unlikely. Your hardware is much, much, much more valuable to most thieves than your data. I bet most either A) just wipe with a clean install of Windows B) just randomly checks a few sites and gives up or C) scraps your laptop for individual parts. A laptop thief is not usually a tech person. When faced with encryption they aren't going to try to break in, after all your laptop is worth at least $50 on the black market no matter what the data is on there, so long as it boots up it is sellable.

Similarly, few thieves are going to be looking for passwords on old sheets of paper. Most thieves if they break into a house look for A) cash B) jewellery C) expensive-looking technology. Even though it is much more important to us geeks, a thief is going to go for sellable things, chances are your plasma is more sellable than your Pentium 4 tower, your monitor more than your external HDD and your PS3 more than your stack of back-up DVDs.

There is a -lot- more threat from crackers, viruses, keyloggers and other malware than the run-of-the-mill thief getting your laptop.

Write your own

[mobets]

I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.

Re:

[MichaelSmith]

I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.

Well okay but how do you remember it? Unless the password generator always generates the same password.

Password Safe

[antic]

I have to track a lot of personal passwords and also 200+ passwords for client websites, emails, etc. I use Password Safe and recommend it:

http://passwordsafe.sourceforge.net/ [sourceforge.net]

Hides when minimised and has a useful function that enables it to copy a password and minimise again when you double click a client name (i.e., if you need their main/default password). Quick and easy.

Used to have Filezilla set to remember client passwords until a PDF hole led to a bot stealing Filezilla's password store and auto-hacking a lot of sites that were a serious pain to clean up.

KeePass

[bbdd]

Another vote for KeePass

Gringotts

[elwinc]

Gringotts used to be goog. Gringotts saves info in encrypted files. You still need 1 password to decrypt the file, but you can have copies of the file in multiple places. See http://directory.fsf.org/project/gringotts/ [fsf.org]

All kinds of solutions that work, really ....

[King_TJ]

I've researched this one for my boss, as well as for personal use. I agree that for Mac users, 1password isn't too bad a program.

If you want a *hardware* based solution, I've looked at Mandylion Labs' Password Manager before too.

Personally, I thought the Mandylion Labs solution was overkill for anything less than corporate use, though. Its "strong points" are largely centered around an I.T. staff centrally administering password policies for the keyfob and so on.

Another basic, but potentially effective an

Keepass

[Lorien_the_first_one]

Keepass is cross platform works on PC and Linux. :) Makes it easy to keep different credentials for every site you go to. Keeps passwords in an encrypted file.

http://keepass.info/ [keepass.info]

LockNote

[scott_karana]

I use Steganos LockNote (GPL, http://www.steganos.com/us/products/for-free/locknote/overview/ [steganos.com]), it's essentially a self-contained AES encrypting Notepad.
And it's extremely stand-alone/portable, so you can just stick it on a USB stick.

How I remember passes

[ya really]

I make my passwords something totally ridiculous that would probably be offensive to most people or certain groups I dont care for, haha. Something like macFanb0ysRghey&. Sure, I remember it, but if there's ever a chance you have to share that password with someone else, you either have to change it or see the person's face look like O.o

Re:How I remember passes

[plover]

A guy I used to work with told me a story about a late-night support call with the operations center. He figured out that they needed to run a job that was under someone else's account. So they conference-called in this other guy at home in the middle of the night, and asked him for his password. He refused to give it over the phone, and the operations people were getting madder and madder because the night's jobs were being held up. Finally, he agreed to give them the password but only if they turned off the speaker phone.

The guy's password was BigBlackDonkeyDick.

Hilarity ensued. I'm pretty sure the whole shop knew the guy's password by the next morning (hell, I still remember it and I didn't even know the guy!)

Simple - a spreadsheet

[seifried]

A spread sheet kept securely (encrypted file, not excel/etc. encryption but something like PGP or TrueCrypt). There are specific programs for this but I find a spread sheet works better.

Prepended or Appended Passphrase

[codermotor]

Create a passphrase which you prepend or append to every important password. Don't divulge that passphrase to any but the most trusted (spouse, family attorney, etc.).

Keep a list of passwords sans the passphrase in a safe but accessible place in case you forget one. If someone finds that list, it'll do them little good since not only will they not know the passphrase, neither will they even know it exists.

I'm assuming you have no state secrets or other seekrit stuff which may be intimidated out of you by other means (pliers, electrodes, etc.).

Re:

[Anonymous Coward]

Create a passphrase which you prepend or append to every important password.

Bad idea. You should never use the same password (or part thereof) on two or more systems (that you do not control). In your case, if an attacker managed to get two of your passwords (say to two different web sites) then they could simply compare them and determine your super-secret pass phrase that you attach to all your passwords. Combine that with your list and you're owned.

Re:

[Kattspya]

So not only do they need control of your computer or at least two different servers but they also need physical access to your home or your person? Yeah, that's a likely scenario that is well worth protecting against. If you're that compromised or interesting keeping the password in your head won't be enough.

Hashing Works

[Aaron_Pike]

I use a mental hash for my less important passwords. That way all I have to do is look at the web site's name and run it through my hash function to come up with the password for that site. That way, I only have to remember the function and not the plethora of passwords.

Re:

[RJFerret]

Mod parent up.

I once wanted to make an account at a new website, only my rather unique account name was used, I tried logging in with my "password system" based on the site name and sure enough, I don't know how many years ago I setup an account (long enough to not remember the place) but unbeknownst to me, I was golden.

The advantages is you never write them down, you never have to seek a resource to decrypt anything, you have unique passwords for everyplace.

I have since modified this so it's just as easy t

Re:

[ChameleonDave]

Yes, I have a similar mental hash, although it is more complicated and so the password is longer. It makes sure that no two sites have the same password, so no one can get into my e-mail, say, just because they have found my Slashdot password. They take too long to type in, though, so I let Firefox remember them. Firefox protects them all with one master password that I enter once per session. In turn, my entire home directory (including the Firefox profile) is on a TrueCrypt partition (protected by a c

Re:

[fulldecent]

everyone uses this method but nobody want to reply and agree with you because then someone could find that person, reverse engineer their hash and then own them.

shit!

Re:

[EEBaum]

I've been doing this for years... great system. The one problem I've run into is when a site changes names or is bought out (e.g. Chase now owns WaMu). I then have to either change my password or try to remember how the history of mergers and acquisitions went down.

Use the master password feature and stop worrying

[tomhudson]

Firefox has a "master password" [mozilla.com] feature. Use it, and remember just one password. It'll prompt you for the master password the first time it visits a site that has a saved password.

1Password

[barzok]

On my Mac, I live & die by 1Password. I resisted putting all my passwords into a single store like it, but once I started, I was blown away by the program.

For my PC at work, TrueCrypt with a spreadsheet inside.

OBZVault: runs on Linux, Mac OS X, and Windows

[duncan bayne]

I recommend OBZVault [offbyzero.com]. OBZVault is a cross-platform encrypted text editor; with it you can secure sensitive information like passwords, quotes and messages, and access them from any operating system.

We use OBZVault in-house to store all our important company secrets (passwords, PINs, etc.) in a single file that gets checked into our source control system. Using OBZVault we can access that file on any of the operating systems we use (Linux, Mac OS X, and MS Windows).

It's licensed per physical machine, not per operating system, so e.g. a dual-boot Mac OS X and Ubuntu machine will only need one licence.

(Disclaimer: I co-founded OffByZero [offbyzero.com], the company that produces OBZVault.)

Old School

[pilsner.urquell]

I use a plain old spiral bound address book. A I keep it locked in my gun safe, in the same room with with a shredder.

Notecard In Wallet For Life

[Enti]

While you initially discount paper, a folded notecard in my wallet has been the most reliable method thus far Honestly, when is the last time you've lost your wallet? For me this was eight years ago. Just as you cancel your credit/debit cards when losing a wallet, significant passwords can also be changed. Consider it a security feature Besides, the slight inconvenience of taking out your wallet for a forgotten password encourages you to remember it (I have a straight-terrible memory, and this has worked)

Passphrases from books

[Potor]

What's so wrong with using the opening sentences of books, with a bit of 1337 speak? Take the the first part of the opening sentence from James Joyce's "Ulysses":

Stately, plump Buck Mulligan came from the stairhead

Change a few letters to numbers, or introduce a misspelling. Even add different punctuation if you want. That'll be pretty stong. Then you can even email yourself a password hint: Joyce, or Dublin, or Stephen, or anything really. You'll remember it, if you're not an idiot. Follow the same pattern with different books for different important sites, and unless the CIA or Mossad is after you, you'll do fine.

/not my password ... or is it?

Re:

[clang_jangle]

Agreed, use it or lose it. Having said that, I do compromise a little -- I memorize a new 30 character password quarterly, and create several easy to remember variations to replace the original first 4 and last four characters. Then there is the one "easy" password used for everything non-critical. Of course, the idiots who run both banks I use hire coders stuck in the 90s who can only accomodate 8 character, alpha-numeric-only passwords, so I have to have unique passwords for those. I think it's crazy tha

Re:

[AdmiralXyz]

Is your head. Plain and simple. Never write a password down on your hand and NEVER on a sticky note on your monitor. Make at least two or three passwords. One for forum and slashdot and another for banking and secure sites. Use firefox's "master password" lock and set that password to your third password.

Congrats on completely ignoring every part of the OP's question. Your head is not the most secure place if your memory ain't what it used to be, because you'll inevitably be writing it down, and the OP specifically mentioned that he is using Firefox for password management now and wants to move away from that.

It always baffles me when people obviously don't read the question on an Ask Slashdot before jumping in with an answer. What the hell makes you think you can solve someone's problem when you can't ev

Re:

[JWSmythe]

    That's not the best idea. If a secure location becomes compromised, you just gave up access to everything you do. Not to say people don't do it, but people also set their passwords to "password".

    Here's an old post [slashdot.org] I did here 4 years ago on the subject. Users haven't gotten any smarter. Just poorer when their bank account gets compromised.

Re:

[vivek7006]

Mod parent up.

I have been using pwdhash for more than 2 years and I absolutely love it. It generates tough passwords based on the website URL and a master password. The password generation happens in *your* browser, there is no remote server holding your password. Absolutely safe. All you need to remember is a master password!