Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Memory Tools for Password Management?

Cliff posted more than 7 years ago | from the sometimes-mnemonics-aren't-enough dept.

Security 125

New Media Blogger asks: "A co-worker of mine recently got burned hard because they used the same password for all of their online accounts. This experience led me to compile a list of easy-to-use password management memory tools (all free, of course), which make it infinitely easier for me to keep track of my dozens of passwords. I am sure many of the Slashdot crowd have memory tools of their own — what are you favourite password memorization tools?"

cancel ×

125 comments

Sorry! There are no comments related to the filter you selected.

Hiding (3, Funny)

halcyon1234 (834388) | more than 7 years ago | (#19077785)

Hiding my passwords in first post yt66axe

Re:Hiding (0)

Anonymous Coward | more than 7 years ago | (#19077913)

I hide my passwords in the last post. Nobody reply to this please. =) yaslkjtl15435$#

Re:Hiding (1)

fireman sam (662213) | more than 7 years ago | (#19078297)

ok

Parody (5, Funny)

Anonymous Coward | more than 7 years ago | (#19077967)

* Getting halcyon1234's password from his own post                     - 5 seconds
* Checking to make sure it was real                                    - 20 seconds
* Customizing his user account to display a custom "goatse" slashbox   - Priceless

There are some things money can't buy.  For everything else, you should change your password!

Re:Hiding (0)

Anonymous Coward | more than 7 years ago | (#19077989)

My memory tool is my head. I don't need to worry about anyone accessing it when I'm not around =)

Re:Hiding (4, Informative)

AKAImBatman (238306) | more than 7 years ago | (#19078029)

Use an MD5 password generator. You can use the same password across sites, but it won't get compromised. Ever. There are a few sites like these that can help you generate these passwords:

http://passwordmaker.org/ [passwordmaker.org]
http://angel.net/~nic/passwdlet.html [angel.net]
http://www.xs4all.nl/~jlpoutre/BoT/Javascript/Pass wordComposer/ [xs4all.nl]

Re:Hiding (1)

YrWrstNtmr (564987) | more than 7 years ago | (#19078463)

Use an MD5 password generator. You can use the same password across sites, but it won't get compromised. Ever.

Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.

Re:Hiding (4, Informative)

AKAImBatman (238306) | more than 7 years ago | (#19078517)

Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.

I don't think you understand how it works. What you do is you enter the password (it can be the same for all sites), then enter the name of the site (which can be pulled from a bookmarklet). A bit of Javascript on the client then hashes that information using the MD5 algorithm, and spits the result back out as a secure password.

The beauty of this is that no one has your password except you. And if you forget the generated password, you can always regen it by entering the exact same information. However, since hashes can't be reversed, your master password will not be compromised even if a lame admin compromises your generated password on his site.

Re:Hiding (3, Funny)

Short Circuit (52384) | more than 7 years ago | (#19079059)

The beauty of this is that no one has your password except you. And if you forget the generated password, you can always regen it by entering the exact same information. However, since hashes can't be reversed, your master password will not be compromised even if a lame admin compromises your generated password on his site.
Until the site with the hashing algorithm you're using goes offline. (Unless you saved it, of course.)

My system is similar, yet much easier. The first portion of my password is the name of the computer or service I'm connecting to, while the second half is a random string that only I know. Which string I use depends on what group of people I need to share the account with--in such cases where an account needs to be shared. Otherwise, I have my own string.

The downside, is that if someone were to sniff one of my passwords, and if they're familiar with my system, they could then guess the passwords to most of my accounts. Which is why I change that suffix relatively frequently. The upside, of course, is that I have a different password for every single computer and service I log into.

Re:Hiding (3, Informative)

AKAImBatman (238306) | more than 7 years ago | (#19079089)

Until the site with the hashing algorithm you're using goes offline.

So get a downloadable version [passwordmaker.org] and back it up. ;-)

The online version is common because these passwords are for websites. So making a web-enabled version is a no-brainer. But the algo is so straightforward that it was pretty easy for the guys who made it to port it to different platforms.

Re:Hiding (2, Informative)

Short Circuit (52384) | more than 7 years ago | (#19079155)

Now we run into portability issues. I'm not always using an account where I can install FF extensions. Heck...If I forget my flash drives at home, I'm stuck running Firefox 1.5 at the latest, and IE6 in places on campus where they still haven't installed Firefox.

Maybe if I memorized the table for a simple substitution cipher. Like ROT13, but less common.

The best system is one that you can keep in your head.

Re:Hiding (3, Funny)

AKAImBatman (238306) | more than 7 years ago | (#19079207)

Look again. The download page has:
  • Browser Extension
  • Yahoo! Widget
  • JavaScript Edition
  • Command-Line Edition
  • PHP Edition
  • Mobile Edition
  • PDF Manual

The best system is one that you can keep in your head.
Certainly. So download the source code and memorize the algorithm. Then you can do the hash in your head. :-P

Re:Hiding (1)

Lehk228 (705449) | more than 7 years ago | (#19079313)

it's md5

there are md5 calculators all over the interwebs

Re:Hiding (1)

Short Circuit (52384) | more than 7 years ago | (#19079343)

It's a salted md5 algorithm, meaning it's not quite the same as virtually any other implementation.

Re:Hiding (1)

AKAImBatman (238306) | more than 7 years ago | (#19081793)

The "salt" is in the text for encoding, not the MD5 algo itself. The MD5 algo used is the vanilla algo described in RFC1321. In this case, the salting comes from a variety of options such as the web address, whether or not to encode the protocol part of the URL, extra path info, etc. Ram them all into one string using a standardized method, and you've got yourself a salted string for hashing.

Re:Hiding (2, Funny)

simm1701 (835424) | more than 7 years ago | (#19080053)

You mean you can't run a md5 hash then base 64 encode it in your head???

What kind of geek are you!! ;)

Re:Hiding (1)

KeithIrwin (243301) | more than 7 years ago | (#19080611)

The best system is one that you can keep in your head.

Oddly enough, this isn't usually a good quality in an encryption system. What's best is if you can keep the needed secrets in your head, but use a computer to do the math. Computers are good for that. I mean, it was helpful for spies dropped behind enemy during World War II to be able to do the whole thing by themselves, but these days, there are computers all around there's nothing suspicious about using one.

And frankly, And Password Maker has the following features:

  1. It runs virtually anywhere. If you can't install the happy Firefox plugin, then you can still download the javascript version and run that, no installation required. If you're really trusting, you can even run the version which lives on their web site, although I don't recommend it.
  2. It's stateless. There's no password database to get corrupted. There's no flash drive to forget. As long as you can remember your master password and your settings (you can use the defaults or simply write down your settings on a card in for your wallet if you don't want to have to remember them) then you can generate all your passwords, whether at home, at work, at a computer lab or wherever.
  3. It's secure. Figuring out the password for any one place from any other site's password or figuring out your master password from a site-specific password can only be done by guessing the password or by breaking the cryptography. I should note that it is a good idea to have a longer password when using password maker because there is a possibility of a distributed or inside dictionary attack, but then you only have to remember one password, so that shouldn't be as hard. Take two of your old passwords, put them together, and you're golden.

So, frankly, I don't see why anyone uses anything else or, for that matter, nothing at all.

Keith

Re:Hiding (2, Insightful)

PopeRatzo (965947) | more than 7 years ago | (#19080617)

The upside, of course, is that I have a different password for every single computer and service I log into.

That's an upside??

Re:Hiding (1)

snoyberg (787126) | more than 7 years ago | (#19078539)

Use an MD5 password generator. You can use the same password across sites, but it won't get compromised. Ever.

Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.

If I'm not mistaken, there's no need for those websites to store your password, so there's no admin leak to worry about. Unless there's log files and such...

Re:Hiding (1)

Bloke down the pub (861787) | more than 7 years ago | (#19082307)

If I'm not mistaken, there's no need for those websites to store your password
How else can the compare it when you try to log on?

And yes, there are some that do it like that, because on ocassion I've forgotten my password and I recognised the one emailed to me - it wasn't a new random one.

Re:Hiding (1)

snoyberg (787126) | more than 7 years ago | (#19082801)

If I'm not mistaken, there's no need for those websites to store your password
How else can the compare it when you try to log on?

And yes, there are some that do it like that, because on ocassion I've forgotten my password and I recognised the one emailed to me - it wasn't a new random one.

We're talking about two different things here. The sites being referred to generate hashes of passwords you give them that you then use as your password on a website. For example, let's say I use the password "bubblegum". Then perhaps my GMail password will be MD5(bubblegum-gmail.com) etc etc.

So for that kind of system, no storage would be necesary.

Re:Hiding (1)

thepotoo (829391) | more than 7 years ago | (#19082191)

Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.

That's why my password is 09f911029d74e35bd84156c5635688c0. Easy to remember, and if anyone leaks it, the MPAA will crack down on them!

Re:Hiding (0)

Anonymous Coward | more than 7 years ago | (#19079099)

I use to MD5 stuff, but then I decided it was easier for me to write down a hash of a password so I have a copy of it, but don't actually need the password written anywhere. Once you start using the system, it faster for you to remember.

Since we all use specific passwords a lot, and other passwords a few times, it's easier to remember them if you have the count - but that doesn't mean anyone can get in. For instance: 4L1U2n2S looks like a password but its not: 4 Lower-case, 1 Upper Case, 2 Numbers, 2 Special. The password can be anything but I can recognize that pattern, or at least think about it for a minute and remember that al43Lah!# matches that. There are a few other things you can do with this scenario to make these strings look more like passwords, but I won't go into that.

I've caught people at my computer at work attempting to use my hashes to get into my computer. Thought they could 'hack' into my computer to change some settings and teach me a lesson for writing down passwords.

Now - this method works for quick passwords, but for the super secret squirrel stuff on my Linux boxes, I just use several passwords stringed together with a few words here and there for a full sentence password.

I just use KeePass (2, Informative)

PhrostyMcByte (589271) | more than 7 years ago | (#19077809)

Having a seperate password for 50+ websites is not realistic when you plan to memorize them all. I use KeePass [keepass.info] to have very random 16+ char passwords (that I do not bother to remember) for every place I visit, and one master password to access the database.

or hashapass (1, Informative)

Anonymous Coward | more than 7 years ago | (#19077933)

I used to use a password-storage tool, but these days for trivial website passwords, I use hashapass [hashapass.com] , which does a one-way hash (surprise!) of a seed password with a salt like the website domain name.

That way, if I'm on a different computer or can't pull up my password storage for some reason, I can still generate my password for a website. But intercepting that individual password won't help anyone figure out any of my other passwords.

It's still weak in that the master password, not only unlocks but also determines the rest. Still, for stuff like non-financial website logins, it's a godsend.

Re:or hashapass (1)

qbwiz (87077) | more than 7 years ago | (#19078801)

Yes, this is a great idea, but it doesn't work as well if you can't keep the same username at every site. A password database helps you remember usernames too.

Re:I just use KeePass (1)

FraterNLST (922749) | more than 7 years ago | (#19078223)

I think really the databases are better if you carry a pda or flashstick that you can store them on, so it doesn't matter which computer you're accessing.

I had a look at PasswordSafe for a while, which sounds like its similar to KeePass you mentioned.

http://passwordsafe.sourceforge.net/ [sourceforge.net]

One benefit of it is that its open source, and was originally designed by counterpane (Bruce Schneier)

Re:I just use KeePass (2, Interesting)

networkBoy (774728) | more than 7 years ago | (#19078707)

I store everything in a flat file:
sitename /t pwd /t notes

That flat file is stored in a truecrypt hidden volume of about 10 megs, with the main volume containing source code (a reasonable thing to keep locked up in a secure volume if you're paranoid) making the plausible deniability plausable. The hidden volume password is cryptographically strong, and yet I only have to remember one strong password.
-nB

Re:I just use KeePass (2, Informative)

KenAndCorey (581410) | more than 7 years ago | (#19078595)

Absolutely. KeePass even has basic scripting so it will enter the password for you on sites, or copy it to the clipboard (and erase it after 60 seconds or a set time). I'm using it for passwords as well as keeping key information (such as Social Insurance Number, Medical Numbers, credit card numbers, etc). I highly recommend it.

Re:I just use KeePass (1)

Sidn (415686) | more than 7 years ago | (#19079829)

mod up please

I also use KeePass and it works like a charm. Fits all my needs whether on Windows or Linux. Oh, and it's open source. :)

Re:I just use KeePass (1)

Phisbut (761268) | more than 7 years ago | (#19081597)

I also use KeePass and it works like a charm. Fits all my needs whether on Windows or Linux. Oh, and it's open source. :)

I didn't know about KeePass before now, and it's getting interesting. However, the Linux port [sourceforge.net] is v0.2, which sounds very, very beta (pre-beta maybe?) to me... Is it really safe to trust all your passwords to a beta software?

Abbreviated Quotes (4, Interesting)

eldavojohn (898314) | more than 7 years ago | (#19077823)

As a nerd, I memorize a lot of quotes. And, one can use this to one's advantage. Whether it be Star Wars, Futurama, Orson Scott Card, The Bible, or whatever your favorite work is, you can take a quote & turn it into an easily memorable password.

For example, one of my beloved authors is James Joyce so a great way to make a password from him is to take a memorable quote of his that I know: "Well and what's cheese? Corpse of milk." This password would transform into Wawc?Com. which has two caps, a period and a question mark. You can do the same with Futurama or whatever you find easy to remember. Then I just attach that quote with the website/machine/network or whatever it is. You can also append the name of the quoted character or author or actor in order to make it longer so the password might be Wawc?Com.JJ which just makes it even more difficult for a code cracking program to get at.

Plus, since I naturally love the quote, it's very easy to memorize.

Re:Abbreviated Quotes (1)

pbhj (607776) | more than 7 years ago | (#19078075)

What a good idea.

[goes to run brute force attacks using initial strings in James Joyce novels and futurama episodes against your IP]

Seriously it's a good idea. When I went to a LUG meeting once a Debian lover there was typing for ages, seems he was using the whole novel as his passphrase!

Re:Abbreviated Quotes (1)

Bastardchyld (889185) | more than 7 years ago | (#19079667)

I like the idea... Except posting the quote on your monitor.

Re:Abbreviated Quotes (1)

munpfazy (694689) | more than 7 years ago | (#19078261)

Nice.

I do exactly the same trick with song lyrics and lines from poems.

I never forget a password; however, I do sometimes forget which particular password is associated with a given service. The nice thing is that one can keep notes which are sufficiently obscure that they're useless to anyone who doesn't know your scheme and also recognize a given work.

Of course, if this sort of behavior becomes popular, it wouldn't be too hard to put together a brute force attack that uses variations on this on, say, the Project Gutenberg texts and quotation and poetry websites. We can only hope that easier targets make that unlikely.

Re:Abbreviated Quotes (1)

quakehead3 (988738) | more than 7 years ago | (#19078591)

Aybrb2us -> All your base are belong to us

Re:Abbreviated Quotes (1)

Dionysus (12737) | more than 7 years ago | (#19079413)

I use a variation of this. I basically do your password generation + a hash of the site I'm logging into. So that each site actually get a different password. This way I only need to remember the sentence and the hash is simple enough to generate in my head.

Re:Abbreviated Quotes (2, Interesting)

forkazoo (138186) | more than 7 years ago | (#19079561)

As a nerd, I memorize a lot of quotes. And, one can use this to one's advantage. Whether it be Star Wars, Futurama, Orson Scott Card, The Bible, or whatever your favorite work is, you can take a quote & turn it into an easily memorable password.


I try to do the exact opposite. Whenever I need a new password, I have one randomly generated, and then come up with a phraze for it. I'll adjust capitalisation and add/drop characters to make it easier, but I'll use the randomly generated password basically in entireity.

I'll just randomly bang on my keyboard to generate an example or two, rather than bother to generate proper random ones...

owgijh ... Oh, will God inject Jesus hastily? Then, to make a proper password... OwG1iJ2h? (Calling "God" number one and "Jesus" number two seemed like an easy enough way to add some complexity)

iuyfesa ... I understand you fuckers eat sausage all-day! ... Iu,Yf,Es,Ad (I just did a pattern for punctuation and capitalisation for this -- simple pattern seemed easier than remembering arbitrary capitalisation, since there were no proper names in this one...)

Re:Abbreviated Quotes (1)

morie (227571) | more than 7 years ago | (#19079939)

so,,,

How do you remember which sentence you used for a certain site?

Re:Abbreviated Quotes (1)

Phisbut (761268) | more than 7 years ago | (#19081633)

As a nerd, I memorize a lot of quotes. And, one can use this to one's advantage. Whether it be Star Wars, Futurama, Orson Scott Card, The Bible, or whatever your favorite work is, you can take a quote & turn it into an easily memorable password.

I've been doing the same thing for a while too. My GPG password is 50+ characters long with lowercase, uppercase, numbers and special characters, and I never get it wrong.

Brute force THAT!

Universal solution: (1)

rts008 (812749) | more than 7 years ago | (#19077839)

Post-It notes on my monitor bezel.
After all: "Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it."
[Linus B. Torvalds]

For the pendants out there, the concept applies.

Re:Universal solution: (2, Interesting)

ArsonSmith (13997) | more than 7 years ago | (#19078411)

That reminds me. I always use to post fake passwords on sticky notes to my monitor just to see who is paying attention and willing to point it out.

Re:Universal solution: (0)

Anonymous Coward | more than 7 years ago | (#19079857)

For the pendants out there, the concept applies.

Hey, what about us medallions you insensitive clod!

Re:Universal solution: (0)

Anonymous Coward | more than 7 years ago | (#19083803)

Might as well, All the other dummies here are giving out their secrets. Let's associate their password schemes with their account names and brute force them. I use different passwords schemes for different systems and change the more sensitive ones frequently. The throwaway accounts all get the same passwords, but everything important gets a different one. I would have more than 20 passwords if I didn't use a single one for throwaway accounts like the NYTimes. I don't write them down. I should put some of them along with a will in a Safe Deposit Box in case I die and my wife needs easier access to the accounts to settle debts and the like.

Passwords are like locks on a door in your home. You can buy a ~$10 lock that can be easily picked or you can buy a ~$150 lock that's more secure. Either way, if the door is hollow or there's an open window or back door, it doesn't matter how secure your front door lock is.

Tattoos (0)

Anonymous Coward | more than 7 years ago | (#19077845)

It gives me an excuse to take off my shirt at the office.

Put it all in context (2, Interesting)

LiquidCoooled (634315) | more than 7 years ago | (#19077849)

Use a similar password for each site, but customise parts of it

password/.
passwordgm
passwordeb

You don't want to use that for your important sites, just ones which need a password.

Re:Put it all in context (1)

fredklein (532096) | more than 7 years ago | (#19079159)

Or use a password Pattern:

Bob A. Jones wants to have passwords for Slashdot, amazon.com and newegg.com.

bajp4sddc = Bob A Jones Password 4[for] SlashDot Dot Com
bajp4adc = Bob A Jones Password 4[for] Amazon Dot Com

or

bajp2nedc = Bob A Jones Password 2[to] NewEgg Dot Com

In other words, use the persons initials, a number, and the initials of the site. Not super secure as-is, but it can be mixed up a little. Bob could use his first name instead of his initials, or his nickname (Rob), or his kid's initials, or the last letter of his names ('finals'?), or whatever.
The number can be 2(password TO the site) or 4(password FOR the site), or '42' (If your name is Adams), 69 (if you're a horndog) or even dynamic- it could be the number of characters in the site's main url.
Whatever: the whole point is to have the same PATTERN to the passwords, so the person can memorize the pattern, and always be able to figure out his/her password.

Re:Put it all in context (2, Funny)

Phisbut (761268) | more than 7 years ago | (#19081657)

Or use a password Pattern

... and now I know your /. password : fkp4sddo

Never forget your password! (0)

Anonymous Coward | more than 7 years ago | (#19077863)

The simple solution to never forgetting your password is to use "password" as all of your passwords, and the best part is that its sooo unique....

ROT26 (3, Funny)

dead.phoenix.616 (948836) | more than 7 years ago | (#19077871)

I've kept this a secret to the whole community, but
I invented this super hard-to-crack encryption routine
called ROT26x(tm). There are other off-springs in the
multiples of its own 26 bits (52, 78, 104...etc).

The cool part of it is that once you encrypt your stuff,
it is soo hard to crack, because the outcome looks exactly
like the original text you encrypted!

The larger the multiples, the more its difficult to
crack (disclaimer:higher bits will be very cpu-intensive,
and will take longer to encrypt)

if anybody wants to help write up an RFC...

This is good, but there are other ways (2, Interesting)

zappepcs (820751) | more than 7 years ago | (#19077921)

While using part of the site name concatenated to your base password is good, there are other simple ways to make it stronger. I keep a list of online sites that I have passwords for. By using a 'known only to me' algorithm, I can use a list of those sites. This serves two purposes; 1) I don't have to remember what all the sites are that I have accounts on, and 2) The base password might be the same, but could change according to how I personally categorize the site content/type as well as by what number the site is listed on my written list. Nothing on the written list will tell you anything other than which sites I have an account on, but it serves to remind me what the passwords and login names are. I do have to remember some things, but not very many compared to the number of accounts. An example is:

1 google 18
2 yahoo 21
3 delicious 8

Not decipherable as important parts are missing from the list and is only in my head, such as what to do with each of the numbers and what the base password(s) might be. It's still enough to jog my memory when required. In this example, the 1 or the 8 in the third column might indicate the base password while the first column might indicate what algorithm would be used in generating the additional password parts. The ones that you use the most are easiest remembered. The list is for those that you don't always use or have trouble remembering

passwordSafe (4, Informative)

liam193 (571414) | more than 7 years ago | (#19077923)

The methods described in this article don't seem to be very useful. I have seen one method that works fairly well. Come up with a sentence you know you can remember. It can be something out of the blue like: "I prefer accessing Gmail in Firefox for the skins extension." Then make your password "IpaGiF4zse". The first letter of each word, the number 4 or 2 for for or to, too, etc. Even other ones can be used like 8 for ate and 3 for a word starting with e. The z makes sense for a replacement of t in the because if you use the pronunciation of the that sounds like thee, z and thee are fairly similar. Those types of schemes make sense.

But the better answer is:

Get a program like passwordSafe. It's GPL and it works great it even can generate the random passwords for you with whatever rules the given site or system allows. Just copy the database file to a backup every so often and all is well.

Re:passwordSafe (3, Informative)

IL-CSIXTY4 (801087) | more than 7 years ago | (#19078277)

I second this! I keep the Windows and Linux versions of PasswordSafe on a USB key I wear around my neck, and back them whole thing up weekly. It's free, secure, and usually on-hand when I need it.

Re:passwordSafe (1)

MasterOfMagic (151058) | more than 7 years ago | (#19080435)

I use Password Gorilla [www.fpx.de] . It is written in Tcl/Tk and therefore is very cross-platform. They even have a .app for Mac usage! The Windows version is a standalone executable that is completely self contained so the machine that you use it on doesn't require you to install anything. It reads Password Safe password files. It's nice to have if you're on a machine that Password Safe does not support or if you cannot install software. I keep the Windows, Linux, and Mac versions on a keychain drive along with my (encrypted) password list.

If you're more the command line type, there is also pwsafe [dyndns.org] that supports the Password Safe format but allows you to add and get passwords from the command line.

One of the benefits of both of these pieces of software is that they allow you to generate completely random passwords. Completely random passwords are quite secure, and are a great way to make it a nightmare for any script kiddie to guess or crack your password. However, that leaves one passphrase that you need to remember and guard - the passphrase to your password managing program. I personally suggest Diceware [diceware.com] as a great, truly random way to generate a completely random passphrase. You can even do it while you're away from the computer if you'd like and if you're paranoid. It's also a great way to generate passphrases for SSH keys, PGP keys, or whole-disk encryption.

Random (2, Insightful)

EvanED (569694) | more than 7 years ago | (#19077951)

Random passwords, then just learn them.

[*] Really unimportant sites just an easy password that's the same across all of them
[*] More important, but still not critical sites use variations on a couple randomly generated pronounceable passwords; the fact they are random means that no dictionary attack will find them, while the fact that they are pronounceable makes them easyish to learn
[*] Critical sites (like my bank) I either generate a random password and learn it by rote repetition, or I use PasswordSafe and store the password and then just open that each time I need it.

In general, just repeat the password over and over to yourself a dozen times a few times over the course of a couple days (you can have it written down during that window) and you'll probably get it.

After all, that's how I memorized 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.

(Let's see the MPAA subpoena my brain.)

12345 (2, Funny)

liam193 (571414) | more than 7 years ago | (#19077953)

Of course you could use 12345 for all your passwords. Wait, no don't do that; that's already used for my luggage.

Re:12345 (1)

Dissman (997434) | more than 7 years ago | (#19078039)

It's also the combination for the Druidian Air Shield.

Don't tell Dark Helmet!

Obviously Offtopic! (2, Funny)

rts008 (812749) | more than 7 years ago | (#19078159)

Can I get a DMCA takedown request for your post since that's my luggage password?

Or do we have to compare receipts for date of purchace/senoirity to settle this.

My second will meet you on the Field of Honor for our duel......I suggest Tesla Coils at 25 meters, in the English Channel, at 50 meters below sea level.

You have been challenged sirrah!

Password Safe (2, Informative)

CastrTroy (595695) | more than 7 years ago | (#19077987)

I've recently discovered password safe [sourceforge.net] . You just have to remember 1 password, you have access to all your passwords. You can run it off a USB drive, so you can take your passwords with you anywhere. I used to use the same password for many sites, but now I have Password Safe generate a new password for each site.

Re:Password Safe (4, Informative)

El Cubano (631386) | more than 7 years ago | (#19078239)

I've recently discovered password safe [sourceforge.net].

If you use *nix, then MyPasswordSafe is your friend. It uses the same file format as password safe.

If you use Mac OS X, then Password Gorilla is your friend. It too uses the same file format, though it is a tad slow on open and save operations.

MyPasswordSafe is Qt-based (but it is better than the GTK-based equivalent password management program out there, and I generally prefer GTK-based apps over Qt-based apps). It should theoretically run on Mac OS X and Windows. I don't know about its status on Windows, but I know it doesn't work on Mac OS X. I have managed to get it to compile, but it segfaults. Once the semester is over, I intend to delve into it a little.

Password Gorilla also runs on practically everything. However, it is a Tcl/Tk application and looks ugly on every platform except for Mac OS X (thank you Apple for making some of these GUI toolkits not so ugly).

The neat thing about having all these programs out there is that they are compatible and make it a cinch to move your password database across machines and have it be usable everywhere.

Re:Password Safe (0)

Anonymous Coward | more than 7 years ago | (#19079217)

However, it is a Tcl/Tk application and looks ugly on every platform except for Mac OS X (thank you Apple for making some of these GUI toolkits not so ugly).
Funny how standards differ. As a long-time Mac user, Password Gorilla is unusably ugly and obviously not a native Mac app. Maybe we just don't realize how good we have it....

Re:Password Safe (0)

Anonymous Coward | more than 7 years ago | (#19080537)

Calling something unusably ugly doesn't speak to a standard so much as a meaningless affectation from someone who pretends they have elite taste.

Re:Password Safe (0)

Anonymous Coward | more than 7 years ago | (#19082869)

Or maybe you just don't realize that beauty and function often go hand in hand.

The thing is simply difficult to use. Standard keyboard shortcuts don't work, the shortcuts that it does have are completely different from what normal apps have, and the interface is extremely difficult to figure out. This all goes into making it both ugly and unusable.

Re:Password Safe (1)

TheBig1 (966884) | more than 7 years ago | (#19082253)

If you use OS X, why don't you use the Keychain? Seriously, this is a valid question, and not a troll. In addition to your login keychain (which will log you in automatically to sites, etc), you can create other keychains with separate passwords. You can store text notes, passwords, etc in it. It's secure (128 bit AES encryption, IIRC), and easy to use. The only downside is lack of cross platform-ness, which I suppose can be a problem for some. Cheers

Re:Password Safe (1)

secolactico (519805) | more than 7 years ago | (#19078265)

Heck yeah! Passwordsafe is a godsend. I run it off a truecrypt volume in an USB drive. That way I just need to remember two passwords.

Nice Ideas in TFA, but Try This... (1)

glavenoid (636808) | more than 7 years ago | (#19078021)

TFA has some nice ideas, and that comment with the quotes is pretty nifty, but I do this out of habit:


1. Spirit Write [wikipedia.org] password on sheet of paper.

2. Enter said writing in password field for new account.

3. Chew and swallow sheet with spirit writing


With this method passwords are nearly unbreakable, unless someone else can channel the spirit you used. And by eating the evidence, there is no need to memorize anything! It gets digested naturally!

The only real problem with this is that a lot of the spirits give out really crummy passwords that don't always work...

Easy (1)

Mr Jazzizle (896331) | more than 7 years ago | (#19078121)

I use the same combination as my luggage!

Re:Easy (1)

Namban-jin (1090249) | more than 7 years ago | (#19079045)

I use the same combination as my luggage!

Aah, that's good to know. Once I know that 4 digit combination, I cannot only hack your online stuff, but also sell your dirty clothes under your eBay account...

Three layer approach (3, Insightful)

Actually, I do RTFA (1058596) | more than 7 years ago | (#19078247)

For accounts I don't care who access (like my free nytimes.com account), and in fact want people to crack to mess up the tracking data, I use the same password across all of them.

For infrequently used sites I choose a strong password, and forget it. Then, whenever I need that password, I get them to e-mail me a new one.

For accounts I use often and care about, I suck it up and memorize it. Pull a word or two, scramble the letters, add some numbers and punctuation randomly. Oftentimes, just thinking of that word, and cause I'm predicatable, I can recreate the password.

Password Management Solution (1)

StikyPad (445176) | more than 7 years ago | (#19078331)

Just e-mail me all your passwords for safe keeping!

Part numbers. (3, Interesting)

munpfazy (694689) | more than 7 years ago | (#19078367)

For years our lab (a research lab behind locked doors, open only to a few trusted people) use IC part numbers for root passwords. To avoid having to remember them, we'd just drop the device itself into the top drawer of the desk nearest a particular machine.

Not the most secure method in the world, but far better than the practices in any other academic research group I've seen. (Most do something really complicated and uncrackable. . . like taking two three or four letter English words and putting one after the other. Or, taking a short English word and misspelling it by changing one letter.)

My Password Memorization Process (2, Insightful)

Rank_Tyro (721935) | more than 7 years ago | (#19078397)

I use one basic 7 character set which consists of letters and numbers. I modify that depending on a sites sensitivity by adding characters.

For example "mi2SSrs", for common sites and forums such as /.
For technical sites where I download software I add a three letter prefix to the main.
For webmail, I capitalize the three letter prefix.
For online money transactions I capitalize the prefix and add a character such as ~ at the end.
For my home ftp server login I add in the last 4 numbers of a high school girlfriends phone number.

All of these numbers and letters are also followed or preceded by license plate numbers and letters that I choose at random and memorize from cars off the freeway. That is changed quarterly.

Bios passwords and administrator logins are pass phrases at least 8 words long with a number set.

Now, that may sound like alot to remember, but I write down mnemonic clues starting with the lowest level of protection, and as security gets higher, each set gets words associated with the add on characters.

These clues are saved to a text file and a yellow "post-it" and labeled "Passwords". The text file goes into my home directory and the post it goes underneath the keyboard on the desktops. Good luck trying to log into anything based on what is written down.

However, after using this system for a few years, I can easily remember passwords up to 25 characters without worry about losing anything. Muscle memory plays a big part too. ....(btw, all of the information posted here is true, however I intentionally mixed up the order of things)
   

Re:My Password Memorization Process (0, Troll)

Rank_Tyro (721935) | more than 7 years ago | (#19079547)

Disregard all that. I suck cock!

Re:My Password Memorization Process (0)

Anonymous Coward | more than 7 years ago | (#19082067)

Attempt at Funny moderation fails.

PwdHash (1)

Namban-jin (1090249) | more than 7 years ago | (#19078401)

Using the same password for all online stuff is indeed a bad idea, but you can still do that if you use PwdHash. http://crypto.stanford.edu/PwdHash/ [stanford.edu]
PwdHash is a browser extension that converts the entered password into a domain-specific password. This means that the same password will be converted into a different password on different websites.

I use this tool plus SplashID (http://www.splashdata.com/splashid/) which I have installed on my PDA and PC to store others passwords and PIN codes.

Brute force (1)

normuser (1079315) | more than 7 years ago | (#19078405)

Well, if you have to deal with password rules like mine it might be easier to just brute force it every time.
i.e. password must:
Be between eight and 12 characters long.
Not contain repeating characters.
Not contain consecutive characters.
Not contain the same character more than three times.
Have two special characters.
Have two uper case characters.
Have two lower case characters.
Have two numbers.
Have atleast one number within the first four characters.
Have atleast one special charater within the first four characters.
Be changed once every 30 days.

Re:Brute force (1)

normuser (1079315) | more than 7 years ago | (#19078451)

Well, if you have to deal with password rules like mine it might be easier to just brute force it every time.


correction, Those arent MY password rules. its what I'm stuck with at WORK.
Maybe I should preview next time?

Re:Brute force (1)

Aladrin (926209) | more than 7 years ago | (#19080635)

Jeeez. They might as well say 'Well, there's only 6 valid passwords you can choose. Steve, you get password 1...'

Requiring a password to be complex enough is 1 thing, but make too many requirements and it's way too easy to brute force, as you were saying.

I question the rules though... if it can't contain repeating characters, why the need for the rules for consecutive and 'more than 3 times'?

Re:Brute force (1)

Larry Lightbulb (781175) | more than 7 years ago | (#19081773)

You forgot the rule about not being able to use any of your previous passwords, or to create new ones which contain previous ones.

And worse than that - I worked at a place where very secure (in terms of random character combination) passwords were automatically generated each month, but they were then left in an envelope on your desk...

Strip (2, Informative)

flink (18449) | more than 7 years ago | (#19078447)

I've been using Strip [freshmeat.net] (Secure Tool for Remembering Important Passwords) for years on Palm. It keeps your passwords in an AES encrypted palm database with a master password. I like it over other PC-based password managers because I know that whether I sit down in front of a Windows, Linux, or Mac machine, I'll always be able to get at my passwords.

Re:Strip (1)

Dr. Manhattan (29720) | more than 7 years ago | (#19080987)

I used Strip for a while, and it's good, but I switched to Keyring [sourceforge.net] because it has a built-in conduit for Jpilot [jpilot.org] .

Password article (1)

SirTicksAlot (576078) | more than 7 years ago | (#19078501)

I actually wrote an article called The Art of Good Passwords [solar1.net] . It explains the importance of decent passwords, how to enforce them, and how to enforce them in your web app. I submitted it to slashdot earlier this morning, but it's still in the firehose. if you read it and got something out of it, let me know, or bump it up in the firehose. Or tell me if it stunk. :)

Passreminder (1)

Abattoir (16282) | more than 7 years ago | (#19078529)

I use <a href="http://eyecanseeyou.free.fr/passreminder_pas sword_manager/index.php?title=PassReminder_Main_Pa ge">Passreminder </a>. It has a "memory stick" version and is java based and works on both Windows and Linux off my FAT based usb flash drive.

Re:Passreminder (2, Informative)

Abattoir (16282) | more than 7 years ago | (#19078627)

I use Passreminder [eyecanseeyou.free.fr] . It has a "memory stick" version and is java based and works on both Windows and Linux off my FAT based usb flash drive. Stupid html formatting not default.

Do As Bruce Schneier Does (2, Funny)

Anonymous Coward | more than 7 years ago | (#19078765)

Shamelessy ripped from http://geekz.co.uk/schneierfacts/fact/27 [geekz.co.uk]

Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

Belt and Braces (2, Insightful)

strangedays (129383) | more than 7 years ago | (#19079017)

Being a devious and un-trusting type with a world-view sadly twisted by experience, I tend to assume many others are the same way too, and that's way scary.

So... I prefer to entertain my full frontal paranoia by not using anything digital or on-line to actually store my keys to the things that matter.

Instead, I decided to keep my keys in a little black book, old fashioned, perhaps even quaint you exclaim!

True Squire! says I, but go ahead then, have a go.. lets see you hack that book.

Of course I do have nightmares about losing the book, however an occasional trip to a copier and a safe deposit box takes care of those, for a while. Of course if you did get to read it, you'd find yourself holding a bunch of keys... to what? aha!, thats the devious and twisted bit, remind me not to share that!

For hard passwords I choose random letters and numbers in groups of 2, at least 8, 16 or 32 chars in length, depending on the resources value. Otherwise, so I am told, the encryption becomes much easier to break.

For less significant sites, I (like many it seems)use a favorite quote, condensed into a shorter string of the letters of each word.

my solution (0)

Anonymous Coward | more than 7 years ago | (#19079273)


#!/bin/bash +x
#tafduotoo -arrt- gmail.com
cd $home

if [ -e .P ]
then
        echo "WARNING -- PLAIN TEXT PASSWORD LIST ALREADY EXISTS"
        echo "ENCRYPTING: gpg -c --force-mdc --quiet -o .E .P"
        gpg -c --force-mdc --quiet -o .E .P
        if [ $? -eq 0 ]
        then
              echo "CLEANUP"
              chmod 000 .E
              srm -mv .P &
              echo ""
        else
              echo "!!!!!!!! FAILED TO ENCRYPT !!!!!!!!!!!!! "
              ls -la .E .P .scratch
              exit 2
        fi
exit 1
fi

if [ -e .E ]

then

        echo "DECRYPTING: gpg --decrypt -o .P --quiet .E"
        chmod 400 .E
        gpg --decrypt -o .P --quiet .E

        if [ $? -eq 0 ]
                then

                echo "EDITING"
                echo -n "Start Lines:"
                wc -l .P
                emacs -nw .P #THIS IS ONE WE WAIT ON EXIT
                echo -n "Final Lines:"
                wc -l .P
                rm -f .E

                echo "ENCRYPTING: gpg -c --force-mdc --quiet -o .E .P"
                gpg -c --force-mdc --quiet -o .E .P

                if [ $? -eq 0 ]
                        then
                        echo "CLEANUP"
                        chmod 000 .E
                        srm -mv .P &
                        echo ""
                else
                        echo "!!!!!!!! FAILED TO ENCRYPT !!!!!!!!!!!!! "
                        echo Do the following:
                        echo "cd ~; gpg -c --force-mdc --quiet -o .E .P"
                        echo "srm -mv .P"
                        echo ""
                        exit 2
                fi

        else
                chmod 000 .E
                echo "FAILED"
                exit 3
        fi

else

        echo Error. Excrypted pw file does not exist.
        exit 1

fi

my password (1)

asLEEpy (1075353) | more than 7 years ago | (#19079487)

My password is the regular expression .*

kwallet and Apple Keychain (1)

DarkDust (239124) | more than 7 years ago | (#19079807)

Maybe I'm not understanding the question, or maybe it came from a Windows user, but the KDE kwallet and the Apple KeyChain serve me very well for managing my various passwords... especially since they get filled in automatically in Konqueror and Safari.

no password tools necessary (1)

utnapistim (931738) | more than 7 years ago | (#19080821)

I don't use password management tools, but mnemonics. Usually I pick a text I remember (like a commercial, or some poem I remember from highschool). Then, I use the first letters of all words (or of the first n words) and use those as a password, translated to l337speak.

It sounds complicated, but for example let's say you take "Where do you want to go today?(Ms)" (I know I'll get modded to troll for this). It becomes Wdyw2gt?(m$)

Its (pseudo)random enough to be impossible to guess if you're not choosing something obvious as source (and it may be hard to guess even if you are), easy to remember and easy to customize/lengthen/add salt to it.

Also, you don't need to rely on a tool for it, and don't need to write anything down either.



Or, just you could just use 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 ... I mean, who'd be able to think about that?

Using a hash as a password (0)

Anonymous Coward | more than 7 years ago | (#19080839)

I just use the MD5 hash of a much stupider password. Like 014D08BBED2681389DDEDD2A43859B07. This changes depending on which site I go to. Don't forget the salt. I use a little program I made to accept the password, then spit out the 32 hex-char hash.
Only thing that really pisses me off is sites with inconsistent character limits on passwords.
Only problem? You're tied to your own computer.

The best product I've ran into in this area (1)

zukinux (1094199) | more than 7 years ago | (#19080973)

I've got a demo of this product named etoken by Aladdin, it gives you the ability to take with you your passwords on a usb token which you'll have to remember its password only, and it will contain passwords for many sites/applications.
I used it few years ago.. actually it was nice, the token itself is encrypted (3 years ago it was encrypted with 128 bit key)..
here's a link for those of you who actually needs this kind of solution (I actually don't think it worth the money, for me atleast) : EToken - Aladdin [aladdin.com]

Four rulesets (0)

Anonymous Coward | more than 7 years ago | (#19081109)

I'm posting anonymously because I'm talking about how I generate my passwords.

I use five rulesets:

  • One for websites I visit but don't give a damn about. If all I'm doing is downloading a .torrent file, reading the news, or posting a snarky comment like this one, I don't view it as security-critical. I also suspect that the hosting site does a lousy job of password protection and that the odds of a compromise are high. I use a very simple rule: A six-letter word with a digit at either end. It's always the same two digits and always one of three words.
  • One for websites I visit but give a damn about because there's financial or other personal data there. Okay, here I start paying attention. I'm a little more confident about the site protecting my p/w, and a little more serious about keeping passwords unguessable. I memorized a list of ten pronounceable non-word three-letter strings (things like "feg" and "sha") and intersperse them with digits and capital letters. I select the letter strings based on the first, third and fourth letter of the site's name. The capital letters and digits tend to be more static, and their position never changes. So slashdot.org may be sha3bro2Wsha and etrade.com would be $feg3sha2Wbro (the "$" to remind me there's money involved).
  • One for my personal computers. Okay, I use the same password for all root/admin accounts and the same password on all (my) mortal accounts. My wife uses whatever the hell she wants. The fact is, I run a loose little network at home because I don't want the hassle of memorizing a shit-ton of everything. Okay, the WPA key for the WiFi I generated by running the root password through MD5, but that's the only fancypants thing I do.
  • Two for work. The network security gits think making passwords nigh-impossible to remember is a good thing, despite the fact it only ever results in sticky notes everywhere. Also, they expire every three months. Best of all, your new password must be dissimilar to the old one and you can't reuse any of your last five passwords. So I use two passwords that are mnemonic strings with a two-digit number in the middle I increment with each use. I alternate with every change, so first comes Icoymf1tln!, then !TchfmIta1tsf, then Icoymf2tln!, and so forth.
It all works out rather well, actually, and the contexts are sufficiently different that having multiple rulesets isn't too difficult. The nice thing about using simple variations on a common theme is that if I do have to write a password down (often for a few days after a change) I just have to write down the characters different from the base theme.

And please, folks, you must make regular sweeps for intrusions, viruses and spyware, because no matter how strong your passwords are, if someone's installed a keystroke logger, you're screwed. If you think a password has been compromised, change it immediately, and not to another one within the scheme. Abandon the scheme. Password compromises are like mice -- if you see one, that usually means there are lots of them you don't see.

When I suspected my ex-fiancee's was cheating on me, I installed a key logger on computer. Caught her. When I confronted her with the e-mails she'd been exchanging with her lover, she eventually changed the password on that account -- to one she used everywhere else. That was six years ago and she still uses the same passwords everywhere. One day last year, out of curiousity and boredom I tried to log in to her Hotmail account. It worked. She's married now, to the guy she was cheating on me with. Now, though, she's cheating on him. Whore.

Cheers.

there is a new software (1)

hesaigo999ca (786966) | more than 7 years ago | (#19081227)

There is a new software on the market of which the source code is not really available anywhere therefor can not be cracked, I state , can not be cracked..no matter how much proding you do inside, you will not find any holes or leaks....as well, the more you use this software
the better at it you get, it is called BRAIN, which is really something that most people
should be able to use, but few do.

example... if Ineed a password for a website (sqlforums) and I know not to use the same passwords
over and over again, i can use a derivative, which means I use BRAIN to come up with a formulae that I use each time... hence the regular password (containing special characters AND numbers...) then
I add an abbreviation of the websites name...so hotmail could be hotml usually not too many characters as some websites actually have a maximum ( can you believe this???) to what a password should be ( 6 is the smallest I have come across!)

This works everytime, and also makes it easy to continue using the same password with derivative
without compromise...

However, now that you know my formulae(damn it!) I must change it, unfortunately my version of BRAIN is only 1.0, therefor, will take me some time to upgrade to the latest version
then, I will be able to reset the formulae....

Online password manager anyone? (1)

mbarulli (594891) | more than 7 years ago | (#19081377)

Using a password manager is not merely convenient, it's an effective way to adopt better security practices without too much stress. It basically sums up to: 1) never re-use the same password, 2) use strong passwords.

Software products are certainly an option, but you could also consider a web based solution. Yes, I'm a tad biased being the co-founder of Clipperz...

Clipperz [clipperz.com] is an online password manager that can do much more than simply storing your passwords.

  • ubiquitous access
  • direct login to online services
  • offline version
  • bookmarklet for quick data entry
  • nothing to install or backup
  • free
  • completely anonymous
Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded. The key for the encryption process is a passphrase known only to you. Clipperz simply hosts your sensitive data in encrypted form and could never actually access the data in its plain form.

Clipperz does solve the password management problem, but it mainly gives a practical demonstration of a new breed of web applications: the zero-knowledge web apps. Applications where the provider is simply in charge of delivering the Ajax code to the user's browser and then storing user's data in an encrypted form on its servers. Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded.

Detailed information about the crypto foundations are available here: http://www.clipperz.com/learn_more/crypto_foundati ons [clipperz.com]

Clipperz does not use homemade cryptographic algorithms but implements standard strong encryption schemes (AES, SHA2, Fortuna, SRP, ...). Since Clipperz is a huge Javascript application, you can review the source code anytime you like. The whole source code is downloaded to your browser before you sign-in, so you can easily check if it is a genuine version.

More info about performing a security code review is available here: http://www.clipperz.com/learn_more/reviewing_the_c ode [clipperz.com]

You can even include the Javascript code of our crypto primitives in your web applications since we packed them into the Clipperz Crypto Library, released under a BSD license. Download it here: http://code.google.com/p/clipperz [google.com]

For any further information visit the discussion group http://groups.google.com/group/clipperz [google.com]

Marco
Clipperz co-founder

KeyRing (1)

LinuxWeenie (614599) | more than 7 years ago | (#19081453)

Although its a fairly old release, I would suggest KeyRing (http://gnukeyring.sourceforge.net/) for the Palm. It has several conduits (Windows, Java, JPilot, etc.) to allow synching with your system. I have used it for years. One password, to get into the database, gets you into your password list. It has a random password generator (numbers letters up/lower case characters) - you could never accuse me of using dictionary breakable passwords. Actually after you have used a randomly generated password a few times it almost becomes automatic. I have given up on trying to remember more than about 2 passwords anyway. LW

Mac OS X's Keychain (1)

wohlford (199797) | more than 7 years ago | (#19081701)

I use the Mac's built-in Keychain [apple.com] . It encrypts the passwords all the while integrating nicely with the entire operating system and the vast majority of apps. One notable exception is Firefox, but I understand Mozilla is working on that.

Also, I have my home directory encrypted using File Vault [apple.com] which contains my keychain. My virtual memory is encrypted too.

I use names of all the chicks (1)

BUTT-H34D (840273) | more than 7 years ago | (#19082387)

I use names of all the chicks I've scored with. So yeah, I do the same as the co-worker in TFA. heh heh.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>