Memory Tools for Password Management?

New Media Blogger asks: "A co-worker of mine recently got burned hard because they used the same password for all of their online accounts. This experience led me to compile a list of easy-to-use password management memory tools (all free, of course), which make it infinitely easier for me to keep track of my dozens of passwords. I am sure many of the Slashdot crowd have memory tools of their own — what are you favourite password memorization tools?"

Hiding

[halcyon1234]

Hiding my passwords in first post yt66axe

Parody

[Anonymous Coward]

* Getting halcyon1234's password from his own post                     - 5 seconds
* Checking to make sure it was real                                    - 20 seconds
* Customizing his user account to display a custom "goatse" slashbox   - Priceless

There are some things money can't buy.  For everything else, you should change your password!

Re:Hiding

[AKAImBatman]

Use an MD5 password generator. You can use the same password across sites, but it won't get compromised. Ever. There are a few sites like these that can help you generate these passwords:

http://passwordmaker.org/ [passwordmaker.org]
http://angel.net/~nic/passwdlet.html [angel.net]
http://www.xs4all.nl/~jlpoutre/BoT/Javascript/Pass wordComposer/ [xs4all.nl]

Re:

[YrWrstNtmr]

Use an MD5 password generator. You can use the same password across sites, but it won't get compromised. Ever.

Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.

Re:Hiding

[AKAImBatman]

Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.

I don't think you understand how it works. What you do is you enter the password (it can be the same for all sites), then enter the name of the site (which can be pulled from a bookmarklet). A bit of Javascript on the client then hashes that information using the MD5 algorithm, and spits the result back out as a secure password.

The beauty of this is that no one has your password except you. And if you forget the generated password, you can always regen it by entering the exact same information. However, since hashes can't be reversed, your master password will not be compromised even if a lame admin compromises your generated password on his site.

Re:

[Short Circuit]

The beauty of this is that no one has your password except you. And if you forget the generated password, you can always regen it by entering the exact same information. However, since hashes can't be reversed, your master password will not be compromised even if a lame admin compromises your generated password on his site.

Until the site with the hashing algorithm you're using goes offline. (Unless you saved it, of course.)

My system is similar, yet much easier. The first portion of my password is the name of the computer or service I'm connecting to, while the second half is a random string that only I know. Which string I use depends on what group of people I need to share the account with--in such cases where an account needs to be shared. Otherwise, I have my own string.

The downside, is that if someone were to sniff on

Re:Hiding

[AKAImBatman]

Until the site with the hashing algorithm you're using goes offline.

So get a downloadable version [passwordmaker.org] and back it up. ;-)

The online version is common because these passwords are for websites. So making a web-enabled version is a no-brainer. But the algo is so straightforward that it was pretty easy for the guys who made it to port it to different platforms.

Re:

[Short Circuit]

Now we run into portability issues. I'm not always using an account where I can install FF extensions. Heck...If I forget my flash drives at home, I'm stuck running Firefox 1.5 at the latest, and IE6 in places on campus where they still haven't installed Firefox.

Maybe if I memorized the table for a simple substitution cipher. Like ROT13, but less common.

The best system is one that you can keep in your head.

Re:Hiding

[AKAImBatman]

Look again. The download page has:

• Browser Extension
  
• Yahoo! Widget
  
• JavaScript Edition
  
• Command-Line Edition
  
• PHP Edition
  
• Mobile Edition
  
• PDF Manual
  

The best system is one that you can keep in your head.

Certainly. So download the source code and memorize the algorithm. Then you can do the hash in your head. :-P

Re:

[Lehk228]

it's md5

there are md5 calculators all over the interwebs

Re:

[Short Circuit]

It's a salted md5 algorithm, meaning it's not quite the same as virtually any other implementation.

Re:

[AKAImBatman]

The "salt" is in the text for encoding, not the MD5 algo itself. The MD5 algo used is the vanilla algo described in RFC1321. In this case, the salting comes from a variety of options such as the web address, whether or not to encode the protocol part of the URL, extra path info, etc. Ram them all into one string using a standardized method, and you've got yourself a salted string for hashing.

Re:

[simm1701]

You mean you can't run a md5 hash then base 64 encode it in your head???

What kind of geek are you!! ;)

Re:

[KeithIrwin]

The best system is one that you can keep in your head.

Oddly enough, this isn't usually a good quality in an encryption system. What's best is if you can keep the needed secrets in your head, but use a computer to do the math. Computers are good for that. I mean, it was helpful for spies dropped behind enemy during World War II to be able to do the whole thing by themselves, but these days, there are computers all around there's nothing suspicious about using one.

And frankly, And Password Maker has the following features:

1. It runs virtually anywhere.

Re:

[PopeRatzo]

The upside, of course, is that I have a different password for every single computer and service I log into.

That's an upside??

Re:

[prgrmr]

Of course.

With a different password for each system, if someone shoulder surfs his password on one box, it isn't going to automatically grant access to any other box.

Re:

[snoyberg]

Use an MD5 password generator. You can use the same password across sites, but it won't get compromised. Ever.

Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.

If I'm not mistaken, there's no need for those websites to store your password, so there's no admin leak to worry about. Unless there's log files and such...

Re:

[Bloke down the pub]

If I'm not mistaken, there's no need for those websites to store your password

How else can the compare it when you try to log on?

And yes, there are some that do it like that, because on ocassion I've forgotten my password and I recognised the one emailed to me - it wasn't a new random one.

Re:

[snoyberg]

If I'm not mistaken, there's no need for those websites to store your password

How else can the compare it when you try to log on?

And yes, there are some that do it like that, because on ocassion I've forgotten my password and I recognised the one emailed to me - it wasn't a new random one.

We're talking about two different things here. The sites being referred to generate hashes of passwords you give them that you then use as your password on a website. For example, let's say I use the password "bubblegum". Then perhaps my GMail password will be MD5(bubblegum-gmail.com) etc etc.

So for that kind of system, no storage would be necesary.

Re:

[thepotoo]

Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.

That's why my password is 09f911029d74e35bd84156c5635688c0. Easy to remember, and if anyone leaks it, the MPAA will crack down on them!

you don't have to use that site

[Walter Carver]

Here is an easier way. Assuming that slash454dot270 is your master password.

Then, if you want to generate a password for the site www.youtube.com, just type this on a Linux console:

echo "slash454dot270 www.youtube.com" | md5sum

for en.wikipedia.org:

echo "slash454dot270 en.wikipedia.org" | md5sum

for slashdot.org:

echo "slash454dot270 slashdot.org" | md5sum

Re:

[fireman sam]

ok

I just use KeePass

[PhrostyMcByte]

Having a seperate password for 50+ websites is not realistic when you plan to memorize them all. I use KeePass [keepass.info] to have very random 16+ char passwords (that I do not bother to remember) for every place I visit, and one master password to access the database.

or hashapass

[Anonymous Coward]

I used to use a password-storage tool, but these days for trivial website passwords, I use hashapass [hashapass.com], which does a one-way hash (surprise!) of a seed password with a salt like the website domain name.

That way, if I'm on a different computer or can't pull up my password storage for some reason, I can still generate my password for a website. But intercepting that individual password won't help anyone figure out any of my other passwords.

It's still weak in that the master password, not only unlocks but a

Re:

[qbwiz]

Yes, this is a great idea, but it doesn't work as well if you can't keep the same username at every site. A password database helps you remember usernames too.

Re:

[FraterNLST]

I think really the databases are better if you carry a pda or flashstick that you can store them on, so it doesn't matter which computer you're accessing.

I had a look at PasswordSafe for a while, which sounds like its similar to KeePass you mentioned.

http://passwordsafe.sourceforge.net/ [sourceforge.net]

One benefit of it is that its open source, and was originally designed by counterpane (Bruce Schneier)

Re:

[networkBoy]

I store everything in a flat file:
sitename /t pwd /t notes

That flat file is stored in a truecrypt hidden volume of about 10 megs, with the main volume containing source code (a reasonable thing to keep locked up in a secure volume if you're paranoid) making the plausible deniability plausable. The hidden volume password is cryptographically strong, and yet I only have to remember one strong password.
-nB

Re:

[KenAndCorey]

Absolutely. KeePass even has basic scripting so it will enter the password for you on sites, or copy it to the clipboard (and erase it after 60 seconds or a set time). I'm using it for passwords as well as keeping key information (such as Social Insurance Number, Medical Numbers, credit card numbers, etc). I highly recommend it.

Re:

[Sidn]

mod up please

I also use KeePass and it works like a charm. Fits all my needs whether on Windows or Linux. Oh, and it's open source. :)

Re:

[Phisbut]

I also use KeePass and it works like a charm. Fits all my needs whether on Windows or Linux. Oh, and it's open source. :)

I didn't know about KeePass before now, and it's getting interesting. However, the Linux port [sourceforge.net] is v0.2, which sounds very, very beta (pre-beta maybe?) to me... Is it really safe to trust all your passwords to a beta software?

Re:

[fm6]

I use Roboform, which doesn't have scripting, but still does a good job of finding the right fields. It's also handy for filling out forms with standard things like name and address. Plus there's a portable version (which I haven't tried) that you can run from a thumb driver. I prefer their PDA software (both Palm and Windows Mobile) that allows you to carry around all your passwords in your pocket, so you always have access to them.

Abbreviated Quotes

[eldavojohn]

As a nerd, I memorize a lot of quotes. And, one can use this to one's advantage. Whether it be Star Wars, Futurama, Orson Scott Card, The Bible, or whatever your favorite work is, you can take a quote & turn it into an easily memorable password.

For example, one of my beloved authors is James Joyce so a great way to make a password from him is to take a memorable quote of his that I know: "Well and what's cheese? Corpse of milk." This password would transform into Wawc?Com. which has two caps, a period and a question mark. You can do the same with Futurama or whatever you find easy to remember. Then I just attach that quote with the website/machine/network or whatever it is. You can also append the name of the quoted character or author or actor in order to make it longer so the password might be Wawc?Com.JJ which just makes it even more difficult for a code cracking program to get at.

Plus, since I naturally love the quote, it's very easy to memorize.

Re:

[pbhj]

What a good idea.

[goes to run brute force attacks using initial strings in James Joyce novels and futurama episodes against your IP]

Seriously it's a good idea. When I went to a LUG meeting once a Debian lover there was typing for ages, seems he was using the whole novel as his passphrase!

Re:

[Bastardchyld]

I like the idea... Except posting the quote on your monitor.

Re:

[funfail]

His system admin must be Mordac the preventer of information services [wikipedia.org]

Re:

[pbhj]

... bit too obscure a dilbert reference for me!

Nice though.

Re:

[munpfazy]

Nice.

I do exactly the same trick with song lyrics and lines from poems.

I never forget a password; however, I do sometimes forget which particular password is associated with a given service. The nice thing is that one can keep notes which are sufficiently obscure that they're useless to anyone who doesn't know your scheme and also recognize a given work.

Of course, if this sort of behavior becomes popular, it wouldn't be too hard to put together a brute force attack that uses variations on this on, say, the

Re:

[quakehead3]

Aybrb2us -> All your base are belong to us

Re:

[Dionysus]

I use a variation of this. I basically do your password generation + a hash of the site I'm logging into. So that each site actually get a different password. This way I only need to remember the sentence and the hash is simple enough to generate in my head.

Re:

[forkazoo]

As a nerd, I memorize a lot of quotes. And, one can use this to one's advantage. Whether it be Star Wars, Futurama, Orson Scott Card, The Bible, or whatever your favorite work is, you can take a quote & turn it into an easily memorable password.

I try to do the exact opposite. Whenever I need a new password, I have one randomly generated, and then come up with a phraze for it. I'll adjust capitalisation and add/drop characters to make it easier, but I'll use the randomly generated password basically in

Re:

[morie]

so,,,

How do you remember which sentence you used for a certain site?

Re:

[Phisbut]

As a nerd, I memorize a lot of quotes. And, one can use this to one's advantage. Whether it be Star Wars, Futurama, Orson Scott Card, The Bible, or whatever your favorite work is, you can take a quote & turn it into an easily memorable password.

I've been doing the same thing for a while too. My GPG password is 50+ characters long with lowercase, uppercase, numbers and special characters, and I never get it wrong.

Brute force THAT!

Universal solution:

[rts008]

Post-It notes on my monitor bezel.
After all: "Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it."
[Linus B. Torvalds]

For the pendants out there, the concept applies.

Re:

[ArsonSmith]

That reminds me. I always use to post fake passwords on sticky notes to my monitor just to see who is paying attention and willing to point it out.

Put it all in context

[LiquidCoooled]

Use a similar password for each site, but customise parts of it

password/.
passwordgm
passwordeb

You don't want to use that for your important sites, just ones which need a password.

Re:

[fredklein]

Or use a password Pattern:

Bob A. Jones wants to have passwords for Slashdot, amazon.com and newegg.com.

bajp4sddc = Bob A Jones Password 4[for] SlashDot Dot Com
bajp4adc = Bob A Jones Password 4[for] Amazon Dot Com

or

bajp2nedc = Bob A Jones Password 2[to] NewEgg Dot Com

In other words, use the persons initials, a number, and the initials of the site. Not super secure as-is, but it can be mixed up a little. Bob could use his first name instead of his initials, or his nickname (Rob), or his kid's initials, or t

Re:

[Phisbut]

Or use a password Pattern

... and now I know your /. password : fkp4sddo

Re:

[fredklein]

Um, no.

Even if my real name WERE "Fred Klein", you'd be missing my middle initial, assuming I was stupid enough to use the simplist version of the above, which I am not.

Re:

[fredklein]

*Woooosh*

Did I miss a joke, or a point?

If it's the fact that someone who knows the pattern can guess your passwords, DUH. That's why you 'mix it up' a little like I said. And use these only for 'low security' purposes.

ROT26

[dead.phoenix.616]

I've kept this a secret to the whole community, but
I invented this super hard-to-crack encryption routine
called ROT26x(tm). There are other off-springs in the
multiples of its own 26 bits (52, 78, 104...etc).

The cool part of it is that once you encrypt your stuff,
it is soo hard to crack, because the outcome looks exactly
like the original text you encrypted!

The larger the multiples, the more its difficult to
crack (disclaimer:higher bits will be very cpu-intensive,
and will take longer to encrypt)

This is good, but there are other ways

[zappepcs]

While using part of the site name concatenated to your base password is good, there are other simple ways to make it stronger. I keep a list of online sites that I have passwords for. By using a 'known only to me' algorithm, I can use a list of those sites. This serves two purposes; 1) I don't have to remember what all the sites are that I have accounts on, and 2) The base password might be the same, but could change according to how I personally categorize the site content/type as well as by what number the site is listed on my written list. Nothing on the written list will tell you anything other than which sites I have an account on, but it serves to remind me what the passwords and login names are. I do have to remember some things, but not very many compared to the number of accounts. An example is:

1 google 18
2 yahoo 21
3 delicious 8

Not decipherable as important parts are missing from the list and is only in my head, such as what to do with each of the numbers and what the base password(s) might be. It's still enough to jog my memory when required. In this example, the 1 or the 8 in the third column might indicate the base password while the first column might indicate what algorithm would be used in generating the additional password parts. The ones that you use the most are easiest remembered. The list is for those that you don't always use or have trouble remembering

passwordSafe

[liam193]

The methods described in this article don't seem to be very useful. I have seen one method that works fairly well. Come up with a sentence you know you can remember. It can be something out of the blue like: "I prefer accessing Gmail in Firefox for the skins extension." Then make your password "IpaGiF4zse". The first letter of each word, the number 4 or 2 for for or to, too, etc. Even other ones can be used like 8 for ate and 3 for a word starting with e. The z makes sense for a replacement of t in the because if you use the pronunciation of the that sounds like thee, z and thee are fairly similar. Those types of schemes make sense.

But the better answer is:

Get a program like passwordSafe. It's GPL and it works great it even can generate the random passwords for you with whatever rules the given site or system allows. Just copy the database file to a backup every so often and all is well.

Re:passwordSafe

[IL-CSIXTY4]

I second this! I keep the Windows and Linux versions of PasswordSafe on a USB key I wear around my neck, and back them whole thing up weekly. It's free, secure, and usually on-hand when I need it.

Re:

[MasterOfMagic]

I use Password Gorilla [www.fpx.de]. It is written in Tcl/Tk and therefore is very cross-platform. They even have a .app for Mac usage! The Windows version is a standalone executable that is completely self contained so the machine that you use it on doesn't require you to install anything. It reads Password Safe password files. It's nice to have if you're on a machine that Password Safe does not support or if you cannot install software. I keep the Windows, Linux, and Mac versions on a keychain drive along with m

Random

[EvanED]

Random passwords, then just learn them.

[*] Really unimportant sites just an easy password that's the same across all of them
[*] More important, but still not critical sites use variations on a couple randomly generated pronounceable passwords; the fact they are random means that no dictionary attack will find them, while the fact that they are pronounceable makes them easyish to learn
[*] Critical sites (like my bank) I either generate a random password and learn it by rote repetition, or I use PasswordSafe

12345

[liam193]

Of course you could use 12345 for all your passwords. Wait, no don't do that; that's already used for my luggage.

Re:

[Dissman]

It's also the combination for the Druidian Air Shield.

Don't tell Dark Helmet!

Obviously Offtopic!

[rts008]

Can I get a DMCA takedown request for your post since that's my luggage password?

Or do we have to compare receipts for date of purchace/senoirity to settle this.

My second will meet you on the Field of Honor for our duel......I suggest Tesla Coils at 25 meters, in the English Channel, at 50 meters below sea level.

You have been challenged sirrah!

Password Safe

[CastrTroy]

I've recently discovered password safe [sourceforge.net]. You just have to remember 1 password, you have access to all your passwords. You can run it off a USB drive, so you can take your passwords with you anywhere. I used to use the same password for many sites, but now I have Password Safe generate a new password for each site.

Re:Password Safe

[El Cubano]

I've recently discovered password safe [sourceforge.net].

If you use *nix, then MyPasswordSafe is your friend. It uses the same file format as password safe.

If you use Mac OS X, then Password Gorilla is your friend. It too uses the same file format, though it is a tad slow on open and save operations.

MyPasswordSafe is Qt-based (but it is better than the GTK-based equivalent password management program out there, and I generally prefer GTK-based apps over Qt-based apps). It should theoretically run on Mac OS X and Windows. I don't know about its status on Windows, but I know it doesn't work on Mac OS X. I have managed to get it to compile, but it segfaults. Once the semester is over, I intend to delve into it a little.

Password Gorilla also runs on practically everything. However, it is a Tcl/Tk application and looks ugly on every platform except for Mac OS X (thank you Apple for making some of these GUI toolkits not so ugly).

The neat thing about having all these programs out there is that they are compatible and make it a cinch to move your password database across machines and have it be usable everywhere.

Re:

[TheBig1]

If you use OS X, why don't you use the Keychain? Seriously, this is a valid question, and not a troll. In addition to your login keychain (which will log you in automatically to sites, etc), you can create other keychains with separate passwords. You can store text notes, passwords, etc in it. It's secure (128 bit AES encryption, IIRC), and easy to use. The only downside is lack of cross platform-ness, which I suppose can be a problem for some. Cheers

Re:

[secolactico]

Heck yeah! Passwordsafe is a godsend. I run it off a truecrypt volume in an USB drive. That way I just need to remember two passwords.

Nice Ideas in TFA, but Try This...

[glavenoid]

TFA has some nice ideas, and that comment with the quotes is pretty nifty, but I do this out of habit:

1. Spirit Write [wikipedia.org] password on sheet of paper.

2. Enter said writing in password field for new account.

3. Chew and swallow sheet with spirit writing

With this method passwords are nearly unbreakable, unless someone else can channel the spirit you used. And by eating the evidence, there is no need to memorize anything! It gets digested naturally!

The only real problem with this is that a lot of the spiri

Easy

[Mr Jazzizle]

I use the same combination as my luggage!

Re:

[Namban-jin]

I use the same combination as my luggage!

Aah, that's good to know. Once I know that 4 digit combination, I cannot only hack your online stuff, but also sell your dirty clothes under your eBay account...

Three layer approach

[Actually, I do RTFA]

For accounts I don't care who access (like my free nytimes.com account), and in fact want people to crack to mess up the tracking data, I use the same password across all of them.

For infrequently used sites I choose a strong password, and forget it. Then, whenever I need that password, I get them to e-mail me a new one.

For accounts I use often and care about, I suck it up and memorize it. Pull a word or two, scramble the letters, add some numbers and punctuation randomly. Oftentimes, just thinking of that word, and cause I'm predicatable, I can recreate the password.

Password Management Solution

[StikyPad]

Just e-mail me all your passwords for safe keeping!

Part numbers.

[munpfazy]

For years our lab (a research lab behind locked doors, open only to a few trusted people) use IC part numbers for root passwords. To avoid having to remember them, we'd just drop the device itself into the top drawer of the desk nearest a particular machine.

Not the most secure method in the world, but far better than the practices in any other academic research group I've seen. (Most do something really complicated and uncrackable. . . like taking two three or four letter English words and putting one after the other. Or, taking a short English word and misspelling it by changing one letter.)

Re:

[bill_mcgonigle]

For years our lab (a research lab behind locked doors, open only to a few trusted people) use IC part numbers for root passwords.

Alphanumeric parts, I hope? 'i80386SX', not '8088', right?

Re:

[munpfazy]

What, you don't think '555' is a suitably secure password?

Yeah, full vendor-specific alphanumerics, and mostly obscure oddball parts you wouldn't find in a general-purpose parts bin. Still not as good as truly random passwords, but not too bad.

My Password Memorization Process

[Rank_Tyro]

I use one basic 7 character set which consists of letters and numbers. I modify that depending on a sites sensitivity by adding characters.

For example "mi2SSrs", for common sites and forums such as /.
For technical sites where I download software I add a three letter prefix to the main.
For webmail, I capitalize the three letter prefix.
For online money transactions I capitalize the prefix and add a character such as ~ at the end.
For my home ftp server login I add in the last 4 numbers of a high school girlfri

PwdHash

[Namban-jin]

Using the same password for all online stuff is indeed a bad idea, but you can still do that if you use PwdHash. http://crypto.stanford.edu/PwdHash/ [stanford.edu]
PwdHash is a browser extension that converts the entered password into a domain-specific password. This means that the same password will be converted into a different password on different websites.

I use this tool plus SplashID (http://www.splashdata.com/splashid/) which I have installed on my PDA and PC to store others passwords and PIN codes.

Brute force

[normuser]

Well, if you have to deal with password rules like mine it might be easier to just brute force it every time.
i.e. password must:
Be between eight and 12 characters long.
Not contain repeating characters.
Not contain consecutive characters.
Not contain the same character more than three times.
Have two special characters.
Have two uper case characters.
Have two lower case characters.
Have two numbers.
Have atleast one number within the first four characters.
Have atleast one special charater within the firs

Re:

[normuser]

Well, if you have to deal with password rules like mine it might be easier to just brute force it every time.

correction, Those arent MY password rules. its what I'm stuck with at WORK.
Maybe I should preview next time?

Re:

[Aladrin]

Jeeez. They might as well say 'Well, there's only 6 valid passwords you can choose. Steve, you get password 1...'

Requiring a password to be complex enough is 1 thing, but make too many requirements and it's way too easy to brute force, as you were saying.

I question the rules though... if it can't contain repeating characters, why the need for the rules for consecutive and 'more than 3 times'?

Re:

[Larry Lightbulb]

You forgot the rule about not being able to use any of your previous passwords, or to create new ones which contain previous ones.

And worse than that - I worked at a place where very secure (in terms of random character combination) passwords were automatically generated each month, but they were then left in an envelope on your desk...

Re:

[normuser]

You forgot the rule about not being able to use any of your previous passwords, or to create new ones which contain previous ones.

Looks like I'm not the only one here that works for the government.

Strip

[flink]

I've been using Strip [freshmeat.net] (Secure Tool for Remembering Important Passwords) for years on Palm. It keeps your passwords in an AES encrypted palm database with a master password. I like it over other PC-based password managers because I know that whether I sit down in front of a Windows, Linux, or Mac machine, I'll always be able to get at my passwords.

Re:

[monkeySauce]

Me too. Strip is great. I also use the strip-dump perl script on my desktop to access my passwords when I'm at my PC.
http://www.dribin.org/dave/software/perl-strip/ [dribin.org]

Re:

[Dr. Manhattan]

I used Strip for a while, and it's good, but I switched to Keyring [sourceforge.net] because it has a built-in conduit for Jpilot [jpilot.org].

Password article

[SirTicksAlot]

I actually wrote an article called The Art of Good Passwords [solar1.net]. It explains the importance of decent passwords, how to enforce them, and how to enforce them in your web app. I submitted it to slashdot earlier this morning, but it's still in the firehose. if you read it and got something out of it, let me know, or bump it up in the firehose. Or tell me if it stunk. :)

Passreminder

[Abattoir]

I use <a href="http://eyecanseeyou.free.fr/passreminder_pas sword_manager/index.php?title=PassReminder_Main_Pa ge">Passreminder </a>. It has a "memory stick" version and is java based and works on both Windows and Linux off my FAT based usb flash drive.

Re:

[Abattoir]

I use Passreminder [eyecanseeyou.free.fr]. It has a "memory stick" version and is java based and works on both Windows and Linux off my FAT based usb flash drive. Stupid html formatting not default.

Do As Bruce Schneier Does

[Anonymous Coward]

Shamelessy ripped from http://geekz.co.uk/schneierfacts/fact/27 [geekz.co.uk]

Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

Belt and Braces

[strangedays]

Being a devious and un-trusting type with a world-view sadly twisted by experience, I tend to assume many others are the same way too, and that's way scary.

So... I prefer to entertain my full frontal paranoia by not using anything digital or on-line to actually store my keys to the things that matter.

Instead, I decided to keep my keys in a little black book, old fashioned, perhaps even quaint you exclaim!

True Squire! says I, but go ahead then, have a go.. lets see you hack that book.

Of course I do have nightmares about losing the book, however an occasional trip to a copier and a safe deposit box takes care of those, for a while. Of course if you did get to read it, you'd find yourself holding a bunch of keys... to what? aha!, thats the devious and twisted bit, remind me not to share that!

For hard passwords I choose random letters and numbers in groups of 2, at least 8, 16 or 32 chars in length, depending on the resources value. Otherwise, so I am told, the encryption becomes much easier to break.

For less significant sites, I (like many it seems)use a favorite quote, condensed into a shorter string of the letters of each word.

my password

[asLEEpy]

My password is the regular expression .*

Re:

[chunkyq]

I believe you mean, "My password is described by the regular expression /.*/" A regular expression is just a character string, so saying one is your password doesn't hide it all.

kwallet and Apple Keychain

[DarkDust]

Maybe I'm not understanding the question, or maybe it came from a Windows user, but the KDE kwallet and the Apple KeyChain serve me very well for managing my various passwords... especially since they get filled in automatically in Konqueror and Safari.

no password tools necessary

[utnapistim]

I don't use password management tools, but mnemonics. Usually I pick a text I remember (like a commercial, or some poem I remember from highschool). Then, I use the first letters of all words (or of the first n words) and use those as a password, translated to l337speak.

It sounds complicated, but for example let's say you take "Where do you want to go today?(Ms)" (I know I'll get modded to troll for this). It becomes Wdyw2gt?(m$)

Its (pseudo)random enough to be impossible to guess if you're not choosing s

The best product I've ran into in this area

[zukinux]

I've got a demo of this product named etoken by Aladdin, it gives you the ability to take with you your passwords on a usb token which you'll have to remember its password only, and it will contain passwords for many sites/applications.
I used it few years ago.. actually it was nice, the token itself is encrypted (3 years ago it was encrypted with 128 bit key)..
here's a link for those of you who actually needs this kind of solution (I actually don't think it worth the money, for me atleast) : EToken - [aladdin.com]

there is a new software

[hesaigo999ca]

There is a new software on the market of which the source code is not really available anywhere therefor can not be cracked, I state , can not be cracked..no matter how much proding you do inside, you will not find any holes or leaks....as well, the more you use this software
the better at it you get, it is called BRAIN, which is really something that most people
should be able to use, but few do.

example... if Ineed a password for a website (sqlforums) and I know not to use the same passwords
over and over aga

Re:

[bratwiz]

There is a new software on the market of which the source code is not really available anywhere therefor can not be cracked, I state , can not be cracked..no matter how much proding you do inside, you will not find any holes or leaks....as well, the more you use this software the better at it you get, it is called BRAIN, which is really something that most people should be able to use, but few do.

I think you'll find that even this can be cracked with a little patience and a set of sufficiently-sharp bam

Online password manager anyone?

[mbarulli]

Using a password manager is not merely convenient, it's an effective way to adopt better security practices without too much stress. It basically sums up to: 1) never re-use the same password, 2) use strong passwords.

Software products are certainly an option, but you could also consider a web based solution. Yes, I'm a tad biased being the co-founder of Clipperz...

Clipperz [clipperz.com] is an online password manager that can do much more than simply storing your passwords.

• ubiquitous access
• direct login to online ser

KeyRing

[LinuxWeenie]

Although its a fairly old release, I would suggest KeyRing (http://gnukeyring.sourceforge.net/) for the Palm. It has several conduits (Windows, Java, JPilot, etc.) to allow synching with your system. I have used it for years. One password, to get into the database, gets you into your password list. It has a random password generator (numbers letters up/lower case characters) - you could never accuse me of using dictionary breakable passwords. Actually after you have used a randomly generated password a

Mac OS X's Keychain

[wohlford]

I use the Mac's built-in Keychain [apple.com]. It encrypts the passwords all the while integrating nicely with the entire operating system and the vast majority of apps. One notable exception is Firefox, but I understand Mozilla is working on that.

Also, I have my home directory encrypted using File Vault [apple.com] which contains my keychain. My virtual memory is encrypted too.

FOR ME ITS EASY

[bratwiz]

For me its easy, I just think of all the bureaucracy and bullshit where I work puts me through and somehow, as if by magic, an appropriate password always presents itself...

My method, as seen before on Slashdot

[nizo]

Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr

I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).

Prioritization

[NerveGas]

    I have a lot of accounts in different places where it really would not matter if someone were to find out my password. All of those have the same password. Things that are actually important in any way can get their own passwords (well over three dozen for me), but right off of the bat, I've eliminated at least 50% of the passwords I need to remember.

steve

Actually I'm writing one. Sort of.

[SadGeekHermit]

Up until now, I've used leatherbound journals, keeping 3 copies in a safe. If I forget a password, I dig it out and look it up. But lately I've been thinking that it would be nice if I could have a Java app on a CD that I could carry around with me, and have all my passwords securely stowed in one place.

Since I've currently got to master Java DB (the embedded database) for a work-related project, I've been thinking about rolling my own password database. You would only copy it to your PC when you were alter

Re:

[bratwiz]

I use names of all the chicks I've scored with.

So what your saying is that your passwords are like "Monica" and then "Monica!", then "!!Monica", then "Monica123" and "M0nica", "M0N1CA", "M_O_N_I_C_A"... ???






(*) humor, for the humor impaired