
Ask Slashdot: How Do You Manage Your Passwords?

Soulskill posted about 2 months ago | from the alternate-between-12345-and-54321 dept.

Security 445

Albus Dumb Door writes "As an IT professional, I've got a problem common to many of you: dealing with a lot of passwords. Memorizing them all becomes harder with age and an increasing number of passwords. I will forget them eventually. I am obviously unable to use something online, like Last Pass and 1Password. Using a single password for all the systems is also obviously out of the question. I know that there are a few apps for cell phones for managing passwords (like Phone Genie and mSecure), but a cell phone, unless it's kept in offline mode (and even then), is still a security risk and I'm pretty sure my employers wouldn't like me having their passwords on my cell phone. I've also taken a look at things like the YubiKey, but changing the authentication scheme of most of the systems is not an option. The only interesting option I've seen so far is the Pitbull Wallet, but they just started taking pre-orders on IndieGoGo and are not expected to deliver until August. Amazon has some hardware password managers as well, like the RecZone and Logio, but either the price or their reviews scared me away. So how do you guys prefer to manage your passwords and what do you recommend?"

445 comments

Air Gapped Box (4, Interesting)

Anonymous Coward | about 2 months ago | (#46306985)

It's not portable, and this is just what I do at home so may not scale well to the office, but I've basically got an old intel atom box (MSI Wind PC) running linux (slackware) with no network connection and full disk encryption just using luks/dm-crypt. I keep passwords, banking numbers, and other bits of sensitive info on there. No fancy management software, just plain old text files. I have it hooked up through a KVM and I just leave it running all the time (with locked screen), so it's nothing to switch to it when I need to use an old password or update a password when I change one.

Files are backed up locally using rsnapshot (for history), and then that's periodically copied to one of 2 (also encrypted) USB thumb drives (I leave one plugged in the back and periodically swap them).

Primitive, but sometimes that's what works. You could probably do the same with a raspberry pi at this point (disk encryption might be fun though).

Also this topic comes up like once a month, and the answer has not changed in years. Stop asking!

Completely off topic: what would be the best way to physically disable the wifi capability of a device. Obviously you can disable in software, but I'm the paranoid sort, and would love a way of knowing that my IP web cam is not gonna be doing anything with that wifi antenna. Thinking maybe some kind of terminator or some other way of "absorbing" the signals.

Re:Air Gapped Box (2)

Lanforod (1344011) | about 2 months ago | (#46307009)

Find and physically remove the wifi chip?

Re:Air Gapped Box (0)

Anonymous Coward | about 2 months ago | (#46307025)

I have to assume that would render the whole device unusable. Also everything's SMD these days, and I don't have the skills :(

Re:Air Gapped Box (1)

Garble Snarky (715674) | about 2 months ago | (#46307117)

Some older laptops actually do have easily replaceable wifi modules (just unscrew and pry out), and if not, they still might have removable antennae. Removing the antennae may not totally disable the wifi though.

"Obviously" not Last Pass or 1Password (4, Interesting)

immaterial (1520413) | about 2 months ago | (#46307093)

Maybe I'm an idiot but I don't get why these options are obviously bad. I use 1Password on a regular basis.

Re:"Obviously" not Last Pass or 1Password (3, Insightful)

andrews (12425) | about 2 months ago | (#46307125)

I don't see the "obviously" either. I use 1Password and it's not web based, the secure password database file sits in Dropbox and is synced to all my computers and my iPhone. Works great.

Re:"Obviously" not Last Pass or 1Password (-1)

Anonymous Coward | about 2 months ago | (#46307247)

Did you not get the dropbox email yesterday in regards to sharing your data with the NSA?

If it's online, or on a device with data connectivity and rootkits (as all smartphones are) it's at risk.

I use keepass - and backup my database to multiple USB sticks for safe keeping.

Re:Air Gapped Box (1)

Garble Snarky (715674) | about 2 months ago | (#46307121)

Can you disable in BIOS?

Re:Air Gapped Box (0)

Anonymous Coward | about 2 months ago | (#46307195)

That's really just a slightly lower level software disabling (also it's a web cam, no bios so to speak of, but you can disable wifi through their software).

Ideally I want it physically impossible at a hardware level for the wifi functionality to.. function.

Assume some evil ne'er-do-well had the opportunity to install whatever software he wanted to on the device (but somehow didn't have any physical access to it). I'd want nothing they could do in software to be able to use that wifi antenna for any useful purpose.

write them on a piece of paper (0)

Anonymous Coward | about 2 months ago | (#46306989)

keep that piece of paper in my wallet

Re:write them on a piece of paper (0)

Anonymous Coward | about 2 months ago | (#46307031)

Too late, I stole your wallet this morning and already logged into your bank and drained your accounts.

Re:write them on a piece of paper (1)

noh8rz10 (2716597) | about 2 months ago | (#46307099)

I too am thinking of how to carry my passwords with me. My memory isn't as great. At home I have 1Password running in the browser and in the menu bar at the top of the screen. But when I'm away from home I'm often lost. Before I was using the same password everywhere but am trying to move away from that because it is a bad habit.

I have 1Password installed on my phone, so presumably when I want to enter a pwd on a website I could take out my phone, open the app, look up the pwd, and manually type it in. But I'm looking for a really automated way. For example, having a pwd manager installed on a small USB thing on my keychain, then plugging it in and having all my pwds.

Any advice on how I could do this? The best solution is super clean and transparent, one step away from having the plugin installed in the browser. I was literally just looking on the internet for it.

thanks.

remember or reset (0)

Anonymous Coward | about 2 months ago | (#46306991)

simple

keep them in your head or rely on the reset mechanisms

Re:remember or reset (0)

Anonymous Coward | about 2 months ago | (#46307059)

This seems to introduce whatever vulnerability you have in reset mechanisms. Effectively, using a single password. Unless you use two-factor authentication, this is a fail too.

Re:remember or reset (1)

Anrego (830717) | about 2 months ago | (#46307105)

The problem already exists (reset mechanisms are a huge hole in most systems), using it shouldn't make it any more vulnerable to attack.

I better not piss off dropbox (0)

Anonymous Coward | about 2 months ago | (#46306993)

I keep them in plaintext files on my dropbox, lol.

passwords.txt (4, Funny)

Anonymous Coward | about 2 months ago | (#46306999)

on my desktop.

Keepass (5, Informative)

Anonymous Coward | about 2 months ago | (#46307001)

extensible, open source, active project...what's not to like?

Re:Keepass (4)

gmuslera (3436) | about 2 months ago | (#46307257)

It also works, or has alternatives that use the same data files, on most OSs, including mobile ones. You can back up/sync your password file between devices using online services while having a secure enough master password for it. Of course, you must keep in mind that if you have a keylogger on the device on which you use that password file, it will become compromised. Maybe having different password files for different uses would make it safer.

Text File with GPG (1)

Anonymous Coward | about 2 months ago | (#46307013)

I just use a simple text file and gpg.

Write them down. (4, Insightful)

khasim (1285) | about 2 months ago | (#46307015)

For work, write them down on physical paper and keep them in your physical wallet.

You'll notice if your wallet goes missing.

For home, write them down on physical paper and keep that somewhere safe.

Re:Write them down. (4, Insightful)

Anrego (830717) | about 2 months ago | (#46307079)

For an extra layer of security, come up with some really basic cypher that you can do in your head. It doesn't have to withstand rigorous cryptanalysis, just has to hold up long enough for you to notice your wallet is missing and change all your passwords.

Even something silly like taking the third character and sticking it on the end is probably enough.

Re:Write them down. (2)

msauve (701917) | about 2 months ago | (#46307189)

If your passwords are in your wallet, and your wallet is missing, how do you change your passwords? Not everything with a password will email you a new random one.

And, you still need to have a list of all the accounts which have passwords somewhere, so you know what needs to be changed.

Re:Write them down. (1)

Delarth799 (1839672) | about 2 months ago | (#46307263)

A list of services in a text file with no meaning or obvious connection to the passwords written down would be easy enough. Maybe split them up: have the services they are used for stored somewhere and the passwords written down with no connection to the service they are used for. That way someone who takes the wallet would get a piece of paper with crap written on it and no way to know what it's for.

Re:Write them down. (4, Insightful)

khasim (1285) | about 2 months ago | (#46307277)

If your passwords are in your wallet, and your wallet is missing, how do you change your passwords?

If they're in your wallet then they're work passwords. So you contact the other admin and have her change your passwords.

And, you still need to have a list of all the accounts which have passwords somewhere, so you know what needs to be changed.

And for work this should be documented already. Along with reset procedures and contact numbers.

For home, having them stolen is less of a risk. But you can always keep a copy (encrypted or not) with someone else in your family or a trusted friend or a safety deposit box. You're probably more at risk of them being destroyed in a fire or something. So treat them the same as any other important document.

Re:Write them down. (3, Insightful)

khasim (1285) | about 2 months ago | (#46307233)

Sounds good.

And you might also want to keep a few additional passwords on that piece of paper. For those circumstances where you're suddenly required to have a new one (X characters, Y capitals, Z numerals) for a new application or whatever. Always nice to have one ready instead of trying to think one up on the spot.

Re:Write them down. (2)

Archimonde (668883) | about 2 months ago | (#46307291)

That's pretty much what I do during my contract on the ship. I don't have a wallet, but have a pocket notebook and there I write down the network configuration, some usernames/passwords for some servers etc (every ship is different). With time, I remember all of this stuff so I destroy the papers anyway.

I never write down which credentials are used for what, this is what I know, and always add some logical sounding letters/number to every piece of information but in some way that I always know what is garbage and what is real information. If I lose the notebook I don't think anyone onboard would be able to figure out what information is used for what, and also what piece of garbage to remove. Even if someone would be resourceful enough to do it, I would still have a much better head start because I would notice that my notebook is missing and I would have plenty of time to change the passwords.

All of this is much better than having a document on a usb drive with your password list which has to be decrypted every time you want to read it. Of course, all of the info and much more is stored on some document which is encrypted for safekeeping.

Re:Write them down. (1)

Anonymous Coward | about 2 months ago | (#46307103)

Even better, write them down wrong. Use a random password with a trivial cipher that "you know" and can do in your head. Like add 2 characters to each one, ignore the first 2 and last 4 characters, replace the end characters with A and B.

Anything you can come up with.

This dramatically lowers the potential damage if they're lost (since they're not instantly usable).

Re:Write them down. (0)

Anonymous Coward | about 2 months ago | (#46307191)

This isn't a horrible idea, really, but I would highly suggest not writing them in plaintext. Use keywords that mean something to you, but not to anyone else.
Seed your passwords based on usage so you can keep a few basic passwords that you have to actually 'remember', and can rebuild based on the seed. (ie, the website)
Since the login name as well as the password can sometimes be hard to remember as well, it is easy to write reminders for both.
You can even write 'reminders' for what the website or system is, so nothing is directly mappable.

so your notes might be:
myIRA daughter1 / seeded 544 maiden fav celeb

go obfuscation!

are you kidding (0)

Anonymous Coward | about 2 months ago | (#46307019)

I have 18 account passwd's at work. Every one of them is 30 characters in length and every one of them is different.

Hint... They refer to the actual system they're used on.

Simple solution (0)

cold fjord (826450) | about 2 months ago | (#46307027)

Tattooed on the inner thigh. Forget a password? Just find the nearest restroom. With these new non-permanent tats it's better than ever, and much less of a space issue. For extra security (in case anyone has X-ray specs) you can do a rot-13. Of course you do have to be careful if you go swimming, such as wear an old style suit or maybe a "burkini" [telegraph.co.uk] if a woman.

Passport belt (0)

scum-e-bag (211846) | about 2 months ago | (#46307037)

A small notebook kept in a passport belt that never leaves your side should work well.

If you are required to have such a high level of security that this is not a good idea then you should use your memory. A failing memory means that you are not suitable for the job and should find something else, like working in a retirement home.

Re:Passport belt (5, Insightful)

vux984 (928602) | about 2 months ago | (#46307199)

A failing memory means that you are not suitable for the job and should find something else, like working in a retirement home.

Yeah, how many passwords like: R;3m|/|iv%{^B$
do you have memorized? I have several passwords on that scale of arbitrary, that I did not pick, that I cannot change, that are changed on someone else's schedule, cannot be re-used, and that I tend to need to actually enter maybe once a quarter, if that.

Re: Passport belt (0)

Anonymous Coward | about 2 months ago | (#46307201)

Einstein said "Never memorize something that you can look up."

LastPass (5, Insightful)

ZerXes (1986108) | about 2 months ago | (#46307039)

Why is LastPass not an option? The password database is always synced to your laptop/cellphone so there is no problem accessing your passwords when you are offline. The security is the most robust I have found when it comes to password management, especially when you use 2-factor auth.

Re:LastPass (2)

neiras (723124) | about 2 months ago | (#46307119)

That and Lastpass encrypts/decrypts the password store on the client side. Only the encrypted database is ever sent over the wire. It's not perfect, but Lastpass has been great for me. Worth the $12/year. I don't know any of my passwords now except one, and my yubikey protects the Lastpass master password.

Re:LastPass (1)

ColdWetDog (752185) | about 2 months ago | (#46307131)

Or 1Password. You can use an iPhone or Android phone. The data is encrypted. Yes, the NSA can probably get to it, no, they probably won't bother. Should be adequate for most users. If you lose the phone and you're worried about somebody breaking the encryption you can log into Dropbox (or whoever you have the file stored with) and delete it or just change the password from another device.

Not perfect, but pretty damned good and a hell of a lot more user friendly than some of the Totally Paranoid suggestions around here.

If you need security beyond this level, you should hone up on your ninja skills, get a bodyguard and not sleep in the same bed twice.

Re:LastPass (4, Interesting)

gmuslera (3436) | about 2 months ago | (#46307293)

What if they are required by the NSA (along with the "don't disclose that we are asking this") to give them your passwords? Giving the control to a US company could go very wrong. Even Hushmail that promised to have all your information encrypted gave it to the feds [wired.com] ... and they are Canadians.

Re:LastPass (1)

AdamWill (604569) | about 2 months ago | (#46307325)

From TFA you cite:

"However, installing Java and loading and running the Java applet can be annoying. So in 2006, Hushmail began offering a service more akin to traditional web mail. Users connect to the service via a SSL (https://) connection and Hushmail runs the Encryption Engine on their side. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.

The rub of that option is that Hushmail has — even if only for a brief moment — a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail’s servers can get at the passphrase and thus all of the messages."

Hushmail was aware of the weakness of the server-side option and explicitly told its customers about it. These customers, foolishly given what they were doing, accepted that.

Lastpass doesn't have the same problem; you don't need anything messy to do the client-side encryption and decryption. There is no server-side 'option' for Lastpass, nor would anyone have a reason to use it if there was one, really.

1Password (0)

Anonymous Coward | about 2 months ago | (#46307045)

I use 1password, it's great. Perhaps not suitable for an IT pro saving critical, but great for me.

Hash functions. (-1)

Anonymous Coward | about 2 months ago | (#46307047)

Just use hash(master_password+site_prefix).

E.g. md5('mysuperlongpassword_somesite.org')

This way you only have to remember your master password, and can therefore make it very long and strong. Every site will get a completely different password, and if one site is compromised, the attacker has no access to your other sites.

Re:Hash functions. (1)

gmuslera (3436) | about 2 months ago | (#46307331)

So you keep all your passwords in .bash_history? If by any chance the way you generated it for one site spills (from watching over your shoulder to putting a keylogger or whatever), all the others could fall.

Btw, just adding a space at the start of the line will make bash not save it in history.

I email them to the NSA (0)

Anonymous Coward | about 2 months ago | (#46307051)

They'll be collecting them anyway

There is but one true password manager (1, Informative)

Applehu Akbar (2968043) | about 2 months ago | (#46307061)

Get 1Password. There is a version for every platform, including mobiles. It stores your full logins and integrates with popular browsers: just click a toolbar icon, enter the one master password you have to remember, and you can log onto MightyMegaBank just by clicking on its name. The program will also optionally generate big random passwords to replace the short crappy ones that you used to be able to remember.

Re:There is but one true password manager (4, Informative)

sconeu (64226) | about 2 months ago | (#46307173)

I can understand not reading TFA, but did you even RTFS? What part of

I am obviously unable to use something online, like Last Pass and 1Password.

were you unable to understand?

Now, I have absolutely no idea why poster "obviously" is unable to use it, but it's already ruled out.

Algorithms (1)

Anonymous Coward | about 2 months ago | (#46307063)

I have a unique password for every domain I log into. I created an algorithm based on the domain I'm visiting. So I only have one algorithm to remember. The interesting part is when I have to change my password. I just have to try and keep track of the increments in my head to feed back into the algorithm.

Keepass (5, Informative)

Mr. Flibble (12943) | about 2 months ago | (#46307065)

I use Keepass.

I store my keepass database on dropbox, this way it is accessible from my iphone, ipad and all my laptops and desktops. Any changes I make are synchronized between devices automatically.

Keepass will auto fill in websites with plugins like KeeFox for Firefox, or launch Putty.

I don't even know what my Slashdot, eBay or Amazon passwords are, as they are all about 64 random characters each.

If you choose to go this route, it makes sense to have a very strong passphrase, as such, my passphrase exceeds 128 bits. A key file is also an excellent option.

Re:Keepass (4, Insightful)

jakeguffey (587607) | about 2 months ago | (#46307141)

Came here to say this.

I've used KeePass (or, in my case, KeePassX since I'm on *NIX) for about 6 years and it's been great. Encrypted local storage that I can sync between devices if I want, with an Android app (KeePassDroid) available makes life easy. It's also the only approved password storage method where I work.

Re:Keepass (0)

Anonymous Coward | about 2 months ago | (#46307165)

Also use KeePass and it's great.
http://keepass.info/ [keepass.info]
I use it for personal use, at $current_job, and did at $last_job.
At work we use a https shared db with a key, LDAP/AD auth, and master passphrase.

Re:Keepass (1)

Garble Snarky (715674) | about 2 months ago | (#46307177)

So, do you put the keyfile in your Dropbox folder, or no? If so, how is that more secure than using a password? Otherwise, do you just manually move it to different devices with a thumb drive or email, or what?

Re:Keepass (3, Informative)

Mr. Flibble (12943) | about 2 months ago | (#46307223)

The keyfile is in my dropbox folder, I have dropbox installed on all my devices. On the iphone or ipad I just need to select the keepass file and it will open in the keepass app.

Then my passphrase is required to open the encrypted file that contains the list of my passwords.

This step is only required on my iphone/ipad if the keystore is out of sync with the dropbox folder. Otherwise the file remains cached on my portable device.

Re:Keepass (1)

kwalker (1383) | about 2 months ago | (#46307237)

Same here. I use KeePassX, other members of my team use KeePass on Windows or Mac. I also use KeePassDroid on my Android phone. The database is compatible between all versions, and encrypted so it can be stored on a file share (In our case, our departmental drive). I also use ownCloud to sync it automatically between devices whenever a password is updated.

I don't use the plugins though. I don't need to. KeePassX allows me to auto-type in named windows by hitting a global hot-key. Very useful.

Re:Keepass (1)

CCarrot (1562079) | about 2 months ago | (#46307353)

I use Keepass.

I store my keepass database on dropbox, this way it is accessible from my iphone, ipad and all my laptops and desktops. Any changes I make are synchronized between devices automatically.

Keepass will auto fill in websites with plugins like KeeFox for Firefox, or launch Putty.

I don't even know what my Slashdot, eBay or Amazon passwords are, as they are all about 64 random characters each.

If you choose to go this route, it makes sense to have a very strong passphrase, as such, my passphrase exceeds 128 bits. A key file is also an excellent option.

Why not both? KeePass allows you to do that.

I also use KeePass (despite how silly the name looks when it's not properly capitalized :) but I use both a strong passphrase and a keyfile, then keep the KP database on Dropbox. The keyfile is manually transferred to any computer or device that I want to access KeePass from, so even if someone scrapes my Dropbox, they can crack away at the database all they want, they still don't have the keyfile needed to decrypt it... I guess if someone gets my phone or laptop, they'll have the keyfile and a copy of the KP database, but still not my (pretty strong) passphrase.

Meh. It's secure enough for my needs :)

Why (2)

Liquidretro (1590189) | about 2 months ago | (#46307067)

Why are you unable to use one of the online systems like LastPass? It's been very well vetted, offers offline and online modes. I personally find 1Password to be very Mac centric and expensive but it's a good product too. KeePass is a good open-source alternative, although it's a local program so there are those downsides. It has Android and iOS apps too so you can have access on a mobile device if needed.

Re:Why (0)

Anonymous Coward | about 2 months ago | (#46307205)

LastPass also can use Google Authenticator, so you'll have 2-factor authentication. This shouldn't be overlooked.

Re:Why (1)

Agent0013 (828350) | about 2 months ago | (#46307251)

I like KeePass because the same database file can be used on my Android phone and on my PC. I don't want to use a cloud based password storage as that might be a vulnerability. I also like that KeePass allows you to use more than just a password to protect the database, you can also have it use a keyfile. So it turns into something you know (the password) and something you have (the keyfile on a USB key). Then you just need to keep the database synchronized between the different systems you use it on. That could be a problem if you add passwords very frequently, but in my usage it has not been a problem. KeePassDroid is a nice Android version.

Re:Why (1)

Liquidretro (1590189) | about 2 months ago | (#46307281)

I like KeePass because the same database file can be used on my Android phone and on my PC. I don't want to use a cloud based password storage as that might be a vulnerability. I also like that KeePass allows you to use more than just a password to protect the database, you can also have it use a keyfile. So it turns into something you know (the password) and something you have (the keyfile on a USB key). Then you just need to keep the database synchronized between the different systems you use it on. That could be a problem if you add passwords very frequently, but in my usage it has not been a problem. KeePassDroid is a nice Android version.

Cloud isn't a concern as long as your software is done right. By all accounts LastPass has been done well. The cloud only gets an encrypted blob. Let the NSA go to town on it, not a concern. So do you manually sync your phone to PC then with your KeePass DB?

1Password + Dropbox sync (0)

Anonymous Coward | about 2 months ago | (#46307083)

I run 1Password on Mac, PC, and iOS. Everything is kept in sync with Dropbox, but 1Password has other sync options as well.

Would I trust the setup with nuclear launch codes? No.
Should such systems have two factor auth anyways? You bet.

Password Safe (0)

Anonymous Coward | about 2 months ago | (#46307095)

Password Safe, designed by Bruce Schneier.

Sure, in theory, my system could be trojaned, which means once I enter in the decryption key for the password safe, someone could be snooping on the passwords. Then again, in theory, if the system is trojaned, then someone could be snooping on the password as it is entered.

In practice, the usability/risk ratio is probably good enough for most people.

Encrypted Databases (2)

kroby (1391819) | about 2 months ago | (#46307101)

I keep a KeePass database for each of my consulting clients and encrypt them with a unique master password for each client that gets shared with the client. Then, another KeePass database with all of the clients' master passwords inside of it, encrypted with yet another master password that gets shared with my fellow consultants. This lets me give my clients access to their password documentation without having to give them the master password for all of my clients' databases. It also ensures that my colleagues have access to my clients' passwords should they need to cover for me. Or, if you want to spend some money on a commercial product, look at Secret Server.

KeePass (2)

ZenMatrix (1299517) | about 2 months ago | (#46307107)

I like KeePass. It uses a database file that you can copy manually and you don't need to sync, or you could place the file on a Dropbox share and use it from there. The file is encrypted and you need to enter a master password each time. If you ever needed to give someone passwords you can export just the ones you need to share and set a new password so they can use it. It's been my favorite one to use since I use crazy complex passwords for everything online.

Password Safe (0)

Anonymous Coward | about 2 months ago | (#46307135)

Why not http://passwordsafe.sourceforge.net/ ? It was designed by "renowned security technologist" Bruce Schneier.
It is available for Windows, but also runs great in WINE (so Mac and Linux are not left out).

http://passwordsafe.sourceforge.net/ (2)

Capt.DrumkenBum (1173011) | about 2 months ago | (#46307139)

PasswordSafe works for me.
Several passwords I need commonly are written in my wallet, with nothing to indicate what, or what username, or system they are for. There are about 5 passwords written on a sticky note stuck to the back of a seldom used credit card.
Everything else is in PasswordSafe.

Re:http://passwordsafe.sourceforge.net/ (1)

Melkman (82959) | about 2 months ago | (#46307349)

Also worth mentioning is that the PasswordSafe database format has many different clients, many of which are open source, so you can check how your passwords are protected. Examples are Password Gorilla for Linux, MacOS and Windows and PwSafe for iOS.

Re:http://passwordsafe.sourceforge.net/ (1)

godrik (1287354) | about 2 months ago | (#46307365)

I use a few passwords for common systems I log in to. For all the rest I use pwsafe to generate random passwords. I keep the password file in a git repository cloned on all my machines so it is difficult to lose that file.

Web app (1)

Spazmania (174582) | about 2 months ago | (#46307145)

I created a web app. The password (decryption key) is sent on every request, so it's never at rest. Under the hood, entries are encrypted and decrypted with openssl using a reasonably secure algorithm. Each entry in the database is just a plain text file. I can include passwords, accounting information, URLs, whatever I want.

Harder with age? (1)

Anonymous Coward | about 2 months ago | (#46307151)

I find that hard to believe. There's a website called Fark.com full of middle-aged people swearing up and down on a stack of bibles that being old is the best thing ever.

LastPass or Keepass (0)

Anonymous Coward | about 2 months ago | (#46307155)

LastPass is fine if you trust the network (except for the NSA sniffing everyone's master keys). Keepass is a good offline solution.

Establish a secure area at the office (1)

daveywest (937112) | about 2 months ago | (#46307157)

1. Access should only be available to systems you currently and actively manage. If you're using the system so infrequently that you can forget, your account should be suspended.

2. Admins should keep a secure log of access credentials stored in a secure area with controlled access. Any "in case of my death" information should be recorded. If there isn't a local site, you might want to consider storing the documents in a safe deposit box at your bank.

Custom algorithm (1)

Jumunquo (2988827) | about 2 months ago | (#46307159)

Come up with an algorithm only you know, that is generally different for each system you use, and for added security contains some personal thoughts about the site that make it hard to figure out your algorithm (although that last one might stump yourself too, lol). The problem is when you're forced to change your password, but it's usually some regular cycle, so I'm sure you could figure something out for that too.

passwords management Allen Ludden style (2)

turkeydance (1266624) | about 2 months ago | (#46307163)

randomly. three options. 1. slashdot starts with s: password is sw23edcx. 2. two s words: semaphoreslinky. 3. for those that require combos: Sw@3edcx.

KeePass or KeePass2 (0)

Anonymous Coward | about 2 months ago | (#46307183)

I use KeePass as well, synced to a dropbox as well as on a thumb-drive.

Use an Algorithm (1)

clifwlkr (614327) | about 2 months ago | (#46307203)

I gave up on password managers a long time ago. They are prone to compromise at some point. Instead, I use an algorithm that uses some element of the target as a seed to a simple formula. This gives me only one thing to remember (or a few), yet gives me a different password for every single site. A simple to understand, yet bad formula to use, would be something like this: password = siteurl[2] + mySecret + siteurl[4]; So the password for google would be 'omySecretl'. Use a better formula for increased protection. Again, easy to remember, no password manager to get to/install, and a different password for every site. Likes it simple, Jim

Re:Use an Algorithm (1)

vivek7006 (585218) | about 2 months ago | (#46307323)

or just use pwdhash https://www.pwdhash.com/ . There are Firefox and Chrome addons.

Re:Use an Algorithm (1)

clifwlkr (614327) | about 2 months ago | (#46307375)

I like to use something that is in my head and I always have with me. That way it works when I scp, ssh, or whatever. Many times, I am not on a browser or necessarily even connected to the net. But I've been around a bit too so I am probably not typical that way..... Never mind embedded devices.

In the real world... (0)

Anonymous Coward | about 2 months ago | (#46307211)

... people in the office are storing their passwords in a Word or Excel file and saving it as a password protected document...

Insecure but secure enough to keep most people out (1)

JDeane (1402533) | about 2 months ago | (#46307219)

What I use is a text file on a thumb drive also backed up on several local drives.

The text file contains the first half or so of the password, enough to remind me of what the password is should I forget. The rest is stored in my brain.

For rarely used passwords and places I will put a hint under the half pass.

I am trying to get away from these long 20 character passwords though... I really wish someone would invent a better system. Maybe a thumb drive that combines storage and a thumb print scanner in one package.

Zix (0)

Anonymous Coward | about 2 months ago | (#46307225)

Use an algorithm. This way you don't have to know your password, you just know how to figure out your password. Make it between 8 and 14 characters and base it off of what you are logging into.

For example, Slashdot. Slashdot ends in a T, so T can be my first character. Then I can put something arbitrary like camels. So I have Tcamels. Now I can create some numbers... how about the number of letters in slashdot. Tcamels8. Sure, somebody could eventually figure out the algorithm, but it won't be easy.

Answer too long to fit in subject line (2)

WilliamGeorge (816305) | about 2 months ago | (#46307227)

A text file, encrypted locally with a long password (something I can remember easily, but quite long) and then uploaded to Google Docs for easy access anywhere that I have the decryption software. If I need a password, I just open that file up and copy / paste the password needed - then close it again. If I make a change to a password I can just change it once and that populates to all the other locations where my Google Docs are stored, but it is fully and safely encrypted the whole time.

I even have an app for my phone in case I need it, but there is three-factor authentication: my phone's login, a short PIN for the app, and then my full encryption password.

Re:Answer too long to fit in subject line (2)

sylvandb (308927) | about 2 months ago | (#46307327)

A text file, encrypted locally with a long password (something I can remember easily, but quite long) and then uploaded to Google Docs for easy access anywhere that I have the decryption software

This. However s/password/passphrase/ and I don't use google docs but similar propagation.

My text file also contains credit card account and phone numbers in case I need to cancel a card, routing and account numbers for if I need to set up direct deposit or other EFT, my kids' social security numbers, and other similarly confidential reference information. I've even at times (not currently) kept a regularly needed signing cert in the file as my backup.

I've tried many of the desktop password apps. But I've been doing my text file for about 20 years and nothing else is nearly as useful -- flexible and with ubiquitous availability.

I recommend also to print a copy every now and then, with a date, sealing it up in an envelope or two, and keeping it with important "should I die or be incapacitated" papers (such as your will), replacing and shredding the older version.

Write the date also on the envelope. The dates are so it is easy to tell which is the most recent in case multiple copies are found (e.g. a copy with your lawyer and a copy in the fireproof safe in the basement that is updated more frequently). The envelope(s) are to tell if someone has compromised the passwords so seal it up however makes you comfortable depending on who has access and how often you check (and update).

Really free password software! (0)

Anonymous Coward | about 2 months ago | (#46307231)

I'm using a big fat binder on my shelf.
Chris

Vim (1)

twistedcubic (577194) | about 2 months ago | (#46307235)

I use vim -x passwordfile.txt. It uses Blowfish encryption. You only need the -x flag when you create the file. I keep it on one computer at home, only, with a hardcopy (lots of index cards) in a desk drawer. If I need it on the road I temporarily copy required passwords on a USB thumb, encrypted. It's not an enterprise solution, but I'm just one person, so it works OK. Actually, I refer to the index cards way more often than the password file.

One Time Pad (sorta) (0)

Anonymous Coward | about 2 months ago | (#46307243)

Just keep them on physical paper, with multiple copies in secure places. But then encrypt the text by devising a simple ROT style replacement algorithm against an OTP, which could be a physical book that you know and love. Just remember the specific page/passage, even memorize it, and then do the replacement manually against the list.

Passwords you use frequently you will memorize to avoid the hassle of processing against the text. Even if they are quite long.

This isn't necessarily the strongest use of a One Time Pad, but is pretty secure as long as nobody sees which book you keep looking at!

Use a scheme (1)

Tor (2685) | about 2 months ago | (#46307245)

The problem with any password manager/tool (of course aside from a simple text file, which is obviously out of the question) is that you are dependent on that piece of technology. A commercial password manager may exist for Desktop OS 1 today, but may not be supported in Mobile Phone OS 2 tomorrow. The cumulative turnaround time for your password inventory is often much longer than that of any particular device in your possession.

I've resorted to a lower tech solution for my own password inventory: A scheme that is based on the particular website (or other service name) in question. For instance, you may have an invariable prefix or suffix (perhaps an "encoded" phrase that's meaningful to you), a special character or two, and a component that is based on the web site or other name in question. In other words, something like:

            FiXeD#pArT.service-specific-part

How you would "encrypt" that service specific component is really up to you - the point is that everyone would do so differently. But it should be something that you could train yourself to do relatively quickly.

The only downside with this approach is that with so many different services with so many different password rules (some require a minimum number of characters but no more than a maximum, some REQUIRE uppercase or special characters; others do not support special characters at all.... etc), it's hard to find a single universal scheme that works everywhere. However I've found that with a couple of different schemes of this nature, I've gotten by so far.

Another thing to think about is almost the opposite - how to enable access for your loved ones to certain places (e.g. to inventory your financial records etc) in the event of your death. Of course most of this can and should be done with signed affidavits etc, however, it can be difficult for them to get a complete view of all your accounts, policies, services etc unless you have a comprehensive summary somewhere.

Re:Use a scheme (1)

pspahn (1175617) | about 2 months ago | (#46307351)

I can't even remember what service it was (this was mid 90's) but I once got an auto-generated password string from a site I registered on (might have been my online banking).

I ended up using that short string as a base password for everything and have continued to do so even today. I did this by doing the same thing you suggest, taking a small chunk and devising your own system for encrypting it while leaving it easy to recall.

Yes, there are certain sites with overly simplistic password rules. For those I simply use a generic password that I would use on other sites as well. Obviously, those are what I consider "throwaway" logins and I am not concerned at all about someone finding the password as that site/service has no long-term value to me.

The sites/services that really mean something (web hosting panels, email, SSH stuff, etc) will always work with my scheme because they will always have robust password rules. If they don't, I choose another provider. This allows me to always know a password for something even though I may have not used the service in many months. Something like &Google-!@#$(mystring)$#@! or &Facebook-!@#$(mystring)$#@! is a simple enough way to do it, but you could certainly get more inventive if you like.

Remember one system instead of a dozen passwords (0)

Anonymous Coward | about 2 months ago | (#46307265)

I made a password system mapping names of things requiring passwords to the passwords. The output passwords look like long strings of gibberish letters with uppercase, digits and symbols mixed in. It allows me to just change one input into the system for which iteration it is. It produces different passwords for each thing I need a password for.
It is not as secure as lastpass, keepass, 1password, etc. but it is more flexible and portable, sufficiently strong, and easy on the memory.

KeePass + ownCloud (0)

Anonymous Coward | about 2 months ago | (#46307299)

Now if only someone would create an ownCloud app to view KeePass files...

SuperGenPass (5, Interesting)

Chelloveck (14643) | about 2 months ago | (#46307305)

For the most part I don't save or memorize passwords. I regenerate them as needed with SuperGenPass. SuperGenPass algorithmically generates passwords by hashing the site's domain name together with a single memorized password. This always generates the same password for any given site. So, I don't have to remember them or store them anywhere, I just need to know how they're generated.

But what if I'm at someone else's computer without SGP installed? The SGP website has a "mobile" version, which is just javascript that runs entirely within the browser. Go there, type in the domain and password, and generate it. (Yes, I've checked the javascript. It's not sending your password out to the mothership or saving anything locally.)

I do keep a notebook in a plaintext file with all the sites I use. This contains the domain name that the site had when I first signed up. Domain names sometimes change, or are ambiguous (i.e., the same site is available via both foobar.org and foobar.com). The text file lets me keep track of what I need in order to regenerate the password.

What about sites that require periodic password changes? I use the domain and just suffix my memorized password with a sequence number. And I write the sequence number in my notebook.

What's that? Security questions? I generate the answer by hashing the question itself rather than the domain with my memorized password. And of course, I copy the question verbatim into my text file so I can regenerate the answer when I need to.

The only failing is when I hit a site that doesn't allow certain punctuation, or has length limits, or something of that nature. Then I modify the parameters that I give to SGP and write down the specific parameters that I used.

The notebook is stored on my home fileserver in an svn repository which gets backed up every night. I'm completely screwed if I ever forget my one secret, but it's one I've been using for literally decades now. It's going to be one of the last things to go when my brain develops bit rot.
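The derivation scheme the SuperGenPass post describes (one memorized secret, hashed with a domain or a verbatim security question, plus a sequence number and per-site parameters), set beside the deliberately bad concatenation formula from the "Use an Algorithm" post, as an added example. This is not SuperGenPass's own algorithm or any poster's code; it assumes HMAC-SHA256 as the keyed hash and a constructed default alphabet.

```python
import hashlib
import hmac
import string

# Added example, not SuperGenPass's or any poster's code: one memorized
# secret plus a per-site label (domain, or a security question copied
# verbatim) goes through HMAC-SHA256 and is mapped onto an allowed alphabet.
# The sequence number and the alphabet are the "parameters" the post says
# must be written down in the notebook next to the domain.

DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # constructed


def derive(master: str, label: str, seq: int = 0, length: int = 16,
           alphabet: str = DEFAULT_ALPHABET) -> str:
    """Deterministic password for (label, seq): same inputs, same output."""
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet too small")
    key = master.encode("utf-8")
    # NUL-separate the fields so ("1", "0site") and ("10", "site") cannot collide.
    base = f"{seq}\x00{label}".encode("utf-8")
    # Rejection sampling: discard bytes above this limit to avoid modulo bias.
    limit = 256 - (256 % len(alphabet))
    out, counter = [], 0
    while len(out) < length:
        msg = base + counter.to_bytes(4, "big")  # extend output one block at a time
        block = hmac.new(key, msg, hashlib.sha256).digest()
        for b in block:
            if len(out) == length:
                break
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
        counter += 1
    return "".join(out)


def weak_formula(site: str, secret: str) -> str:
    """The formula the 'Use an Algorithm' post itself calls bad: site[2] + secret + site[4]."""
    return site[2] + secret + site[4]


def secret_exposed(password: str, secret: str) -> bool:
    """True when the memorized secret appears verbatim in a derived password,
    i.e. one leaked password gives away every other one."""
    return secret in password
```

With the keyed hash, a leaked password for one site reveals neither the secret nor any other site's password, which is the property the concatenation formula lacks.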

GPG (0)

Anonymous Coward | about 2 months ago | (#46307313)

At the office where I work, we use GPG keys and a text file. It doesn't sound like much, but it means that searching for services or machine names and other "keywords" if you're having a space-out moment is pretty simple because adding comments is very easy. It also doubles as a way to select against people who don't want to understand BASH / Linux, which we rely on heavily.

Naturally SSH keys do the bulk of the real work in our environment, but when we need to store a password the "less is more" approach has worked out well for us.

Safely (2)

Aiden Wright (3547051) | about 2 months ago | (#46307317)

Memorize the passwords. Know your limit on how many random letters, numbers, symbols you can memorize and then remember them. This is especially useful because my data dies with me.

Yubikey supports static passwords (0)

Anonymous Coward | about 2 months ago | (#46307319)

Yubikey supports static passwords in addition to OTP. No drivers or software are required.

I add a PIN to the end of mine that I type in on the keyboard for extra security.

Also LastPass has an Android app as well as iOS. You didn't state why you couldn't use that.

Password protected spreadsheet (1)

Sesostris III (730910) | about 2 months ago | (#46307335)

OK, why not?

(Truly curious as to why a password manager is considered better than an encrypted spreadsheet, using the same password or pass phrase).

I hide it plain sight. (2)

140Mandak262Jamuna (970587) | about 2 months ago | (#46307339)

These cyber criminals are babes in the woods, compared to my brilliance. I pull wool over their eyes easily. See? I entered the password in the username textbox and the username in the password textbox when I created the account. That is the last place they will look while trying to hack my password. haa haaa. The joke's on you script kiddies...

Password Gorilla (0)

Anonymous Coward | about 2 months ago | (#46307345)

https://github.com/zdia/gorilla/wiki

Dude, storing online? (0)

Anonymous Coward | about 2 months ago | (#46307359)

Your system is pretty much online... :}
