Coping with the Avalanche of IDs and Passwords?
Bitwick asks: "The number of web sites and other systems I need IDs and passwords for is finally becoming overwhelming. Right now, I tend to use a small selection of IDs and passwords. I know this isn't an ideal situation, but so far it has been the most practical. However, it has become clear to me that this needs to change. I am planning to get a USB keyfob and a password manager to keep track of my IDs and passwords. What experience have you had with password managers? What's good, what's bad, what features are important? Are there other reasonable and secure alternatives?"
Password Corral (Score:2)
Re:Password Corral (Score:1)
Re:Password Corral (Score:2)
Password manager? (Score:4, Funny)
security at its best... (Score:2, Funny)
Obfuscation? (Score:4, Interesting)
You can run Openoffice on a thumb drive and save your list of passwords in a encrypted document if you need added security.
Re:Obfuscation? (Score:3, Interesting)
Look folks, it's easier to keep track of all those web registrations than you think.
First of all, choose a highly unique username that is unlikely to be taken by someone else (like ajh1198).
Next, choose a common word like pirate (change the i to a 1), so your end result is p1rate.
Now, for each site you visit, take the first letter or first two letters of the site and add that to the beginning of your password. In this case, m
Re:Obfuscation? (Score:2)
Trunc(Base64(MD5([Website subdomain or IP] + [master password])),[Maximum allowed length])
Here [voila.fr] is a webpage with client side javascript that does just that. I suggest saving a copy, modifying it to allow variable length truncation, and make it your home page.
There is a bookmarklet of a similar script (no base64) here [angel.net]
Re:Obfuscation? (Score:1)
Re:Obfuscation? (Score:2)
So here's what I go through. (Names have been changed to protect the innocent.) All my passwords are generally the same, with slightly different numbers. So let's say my MSN password is based on an obscure auto part called a hog ring. Here's what my list would look like:
MSN
auto12123
Yahoo
auto5
And so on... So *I* know what 'auto' really means (for this example 'hogring'), but no-one else ever will. If I change my pa
Re:Obfuscation? (Score:2)
Some people have lives outside of the web.
Some even have lives outside of their computers (ATM PIN, password on bank accounts, utility accounts, etc).
Re:Obfuscation? (Score:1)
All eggs in one basket and watch that basket? (Score:4, Informative)
Re:All eggs in one basket and watch that basket? (Score:1)
i just remember them (i only have 3 aliases, and i remember the phases my passwords went through. the trick is using them enough; i forget them when i don't)
Re:All eggs in one basket and watch that basket? (Score:2)
Re:All eggs in one basket and watch that basket? (Score:2)
Really, what's so hard about memorizing a few dozen passwords?
It's hard when you only use the password once every few months. I can remember my passwords for normal stuff easily, but simpler stuff that I touch 4 times a year I keep forgetting.
Password algorithm (Score:5, Insightful)
Re:Password algorithm (Score:2)
Re:Password algorithm (Score:1)
Re:Password algorithm (Score:1)
Re:Password algorithm (Score:1)
Correct!! (Score:2)
Re:Password algorithm (Score:1)
Re:Password algorithm (Score:1)
Re:Password algorithm (Score:2)
Takes the domain name (plus/minus the www. if you prefer) and runs an MD5 of that plus your password, chops it to I think 10 chars. Damn near freakin impossible to work backwards from even though the domain name starts the md5, and it's a dead easy algorithm that you could do manually from the shell if you so desired.
Unfortunately, this only works well for web-based forms, though in theory one could do it via shell for other things.
Re:Password algorithm (Score:3, Funny)
Re:Password algorithm (Score:4, Informative)
Using MD5 and a single master password isn't such a good idea.
Suppose a bad guy steals your password for one site and wants to learn your master password (which you input to the hash function along with the domain name of the site). He can perform a brute force attack by checking each possible input password up to a certain length to see whether hashing it produces the stolen site password.
The problem is that MD5 is very fast to compute: for small blocks it takes <0.5us on a modern CPU. That means testing every possible password is surprisingly fast. For example, searching the space of all 8 character alphanumeric passwords (single case) would take only 16 days! With your master password in hand, the attacker can almost immediately determine your passwords for every other site where you employ this scheme. Of course, the attacker can work even faster if your password is in any way guessable.
Splitting a password with a hash function *can* work very well, but doing it securely is tricky. See this paper [princeton.edu].
Re:Password algorithm (Score:1)
now just to change them all...
Re:Password algorithm (Score:2)
I realise many people sign up with an email address, and give the same password as their email address to the website.
Hahah, silly.
Password Safe (Score:5, Informative)
http://sourceforge.net/projects/passwordsafe/ [sourceforge.net]
Bruce Schneier recommends it in many/most of his monthly crypt-o-grams
http://www.schneier.com/ [schneier.com]
Re:Password Safe (Score:1)
Re:Password Safe (Score:1)
"this Desktop Pal(tm) remembers all your passwords for you! free download from the well known gator corporation"
i thought it was funny until i looked to make sure the company was called gator (and not just the product). i was surprised to find the gator ewallet [gator.com] that fills out forms, holds passwords, and encrypts stuff, and now i don't know what to say.
Re:Password Safe (Score:2)
Password Safe for Windows/Linux/Solaris/OSX (Score:2)
Let the avalanche come. (Score:5, Funny)
The trick is, you don't actually have to memorize your passwords; after you type each one about 20 times, your fingers retain it in muscle memory. I actually couldn't tell you what any of my passwords are, I have to type them on a qwerty keyboard. (If I ever lose one of my hands, I'm screwed.)
Anyway, as backup, I have them all written down on a sheet of paper in an undisclosed location, with the format of login on one line, password on the line after it, with no identifying information on which login/password combo goes to what website, computer, etc. The text in this list is also encrypted using a one time pad encryption program (that I wrote myself), the key to which is in a different undisclosed location.
So if my fingers happen to forget one of the passwords, I can still retrieve it (with a lengthy process). You'd be surprised how many different login/password combos you can remember, even months after you've used them last, if you type them several dozen times over the course of a few days. But to each his own. That's just my system.
Re:Let the avalanche come. (Score:1)
Re:Let the avalanche come. (Score:2)
If you want to rely on that, be my guest, but please be aware that there is no such thing as "muscle memory". Your muscles don't remember anything; you're just talking about transferring the information to a different part of your brain.
The problem with this approach, of course, is that the information you remember will shift slightly with time, and when y
Password Manager XP (Score:2)
http://www.cp-lab.com/index.html [cp-lab.com]
Amongst many other features, it supports removable devices such as usb keyfobs and will install the necessary binaries on the device to run from.
From another /. story... (Score:1, Interesting)
matter where I'm at, I am always ssh'ed into my server. So, I put the following into my
augroup encrypted
au!
autocmd BufReadPre,FileReadPre *.gpg,*.asc set viminfo=
autocmd BufReadPre,FileReadPre *.gpg,*.asc set noswapfile
autocmd BufReadPre,FileReadPre *.gpg set bin
autocmd BufReadPre,FileReadPre *.gpg,*.asc let ch_save = &ch|set ch=2
autocmd BufReadPost,FileReadPost *.gpg,*.asc '[,']!sh -c 'gpg --decrypt 2>
autocmd BufReadPost,FileReadPost *.gpg set nobin
autocmd BufReadPost,File
Paper. (Score:3, Informative)
An excellent personal solution is to keep a list in your wallet. Keep another list somewhere safe and stationary, so that if you lose the first one you have a complete list of sites to go down to change all the passwords.
It's pretty much the simplest thing you could possibly have, secure, and responds well to failure.
Re:Paper. (Score:2)
Keep in mind where you stand: yes, you can lose your passwords with everything else. But you've lost everything else then too; I'd be more worried about losing my drivers license, credit cards, etc., than I would the couple of passwords. Even if I lost my bank's website's passwords, how is that worse than losing my debit card?
Re:Paper. (Score:2)
And your average mugger is going to know that how, exactly? You have a piece of paper in your wallet with "xyzzy, ncc1701a" and he's supposed to deduce that it's a username and password?
The simple, obvious solution is just one *good* username and password for everything. The odds of that becoming compromised are much smaller than the odds of you forgetting/losing one of the multiple ones.
Re:Paper. (Score:2)
First of all, let's completely rule out the trust issue you have to have with each of the site's sysadmins, which actually is something to consider (since nearly every forum around requires registration to write, and some require registration to read). You have to worry about sites being compromised. Even if the sites all store passwords encrypted, a compromised site could capture passwords in plaintext before they hit crypt(). If you use the same pa
Re:Paper. (Score:2)
You're basically right. My suggestion is balancing odds, and I still think that odds are substantially that your username/pw won't be hacked, or captured by a "rogue" site. It's like losing my house key: if I lose it while fishing, I'll just get a new one (yes, my house has one key for all locks
Re:Paper. (Score:2)
Pick a few (Score:1)
However, as a countermeasure I've been known to make my few passwords very long and obscure (full sentence method).
Re:Pick a few (Score:3, Insightful)
Crackers don't want your login and password--they want any login and password--precisely because so many people reuse passwords across multiple sites. If they manage to recover your password through a site hack or phishing scam (yes yes, you're on Slashdot, you're not going to fall for one of those) or a cross-site scr
Bruce Schneier's (Score:2)
text file on local machine with backup on external (Score:2)
yada.com: u/abc p/def
bbb.com: u/def p/ghi
K.I.S.S. Why do anything more complex?
KisKis (Score:1)
S.T.R.I.P (Score:1)
by having it on my handheld which is very nearly always with me I don't have to rely on the app running on whatever system I'm working on at the time (various windows, Linux, Solaris, MVS, and others)
Re:S.T.R.I.P (Score:1)
If you keep a Palm close by, look in to it!
A whacky idea (Score:3, Interesting)
Here's a whacky possible solution: use a translator pen, such as this:"SuperPen Translator" - which supports 'custom dictionaries' [languagere...online.com] , to store passwords. Run the pen across site's address bar displayed on the computer screen, and the pen translates it to your username/password for that site.
Here's another of those pens: C-Pen [cpen.com].
Of course, if none of their dictionaries are user-editable, and if they have no SDK, this won't work.
Here's a more sensible solution: Javascript password generator [angel.net]
(Video about it - flash format) [infoworld.com]
Re:A whacky idea (Score:2)
Re:A whacky idea (Score:2)
Regarding an algorithm to generate a unique password, take a look at the page source of the Javascript password generator link to in my previous post - that guy has implemented the MD5 algorithm in Javascript (see "function core_md5(x, len)")! Is this wh
Re:A whacky idea (Score:2)
Re:A whacky idea (Score:1)
Re:A whacky idea (Score:2)
Re:A whacky idea (Score:2)
At least one of the two pen readers I linked to above can translate barcodes.
What would be cool is adding a bluetooth module to one of these readers so it can associate with a computer as an additional keyboard. Like so:
Website requests authentication -> user scans browser address bar -> pen device brings up the associated credentials -> user sends them via bluetooth keyboard
Standards (Score:1)
Portable device (Score:2)
How about a USB KeyFob with a built-in display, and a means of entering a password to decrypt the database. When you want to make a change, you use a tool like Password Safe to edit the text file from a trusted system (copy the text file for backups too!). Though when you're at an untrusted system, you just snatch your password using the
Re:Portable device (Score:2)
Or how about a program such as FreeSafe [sourceforge.net] - a Java MIDP which runs on most java-enabled phones. FreeSafe even does SHA1 and MD5 OTP!
My own personal solution (Score:1)
Re:My own personal solution (Score:1)
Keyring (Score:5, Informative)
All of my passwords are there, and a few other bits of even more important personal information.
Stuff is encrypted, and lives in the Palm's RAM where it will be destroyed instantly upon power loss. So, if left in a bus terminal, chances are that the data will be gone before the hapless thief finds a charger for it to keep the RAM alive, let alone manages to crack the database or even recognize its existence.
All I have to do is remember one passphrase.
Stuff is also backed up to the machine that I hotsync to, where it remains encrypted on disk. While non-volatile, the machine does have the advantage of vastly increased physical security.
And that isn't much of a backup regime, so all of the work-related passwords and data that might affect Other People get beamed via IR to a co-worker with a similar rig. This usually happens in the windowless basement I call "work," and is thus also reasonably secure despite its plaintext-edness.
I've used Keyring on everything from old-school black-and-green Handsprings, to Treo 650s. It Just Works(tm). It is free. It is GPL'd.
I'd go on, but I shouldn't have to...
Re:Keyring (Score:1)
Yep! I use it too, and love it. It's especially handy for those occasions when somebody calls you up about work you did a couple of years ago. Those passwords have long ago faded from my memory, but not from my Palm's memory.
So, if left in a bus terminal, chances are that the data will be gone before the hapless thief finds a charger for it to keep the RAM alive,
Note th
Re:Keyring (Score:2)
I also carry a Palm-based phone, but I don't trust it. It makes mysterious 10-second data calls on its own. I also don't particularly trust the Zire's software, but I keep it mostly incommunicado, so I don't have to trust it so much.
-kb, the Kent who says: "Never reuse passwords, write down passw
http://angel.net/~nic/passwd.html (Score:2, Interesting)
http://angel.net/~nic/passwd.html [angel.net]
Come up with a master password, enter the domain name of the particular site you are browsing and a unique password is generated for that site. All you have to remember is your master password. The page uses javascript, no data is passed to the internet. Whenever you need a password, just run the saved html page, enter master password, enter domain name, click generate button and you have your password.
Re:http://angel.net/~nic/passwd.html (Score:1)
I have Safari set-up so that pressing Command and 1 will auto fill-in any password fields with the site generated password.
Whilst your master password is stored in plain text in the bookmark file, as I use FileVault (AES Encrypted home folder) I think it should be OK for non banking sites...
PDA saves the day (Score:2)
Besides keeping cheatsheets, notes, & reference files
You get a program that will keep passwords and encrypt the datafile. Not only is it unlikely someone will be able to "steal" your passwords, but a backup copy of the data will be available when you sync the PDA.
Keep it with you and accessible (Score:2)
I would use either a PDA-based or a phone based system... something you carry with you at all times, no computer required. Mine has everything from password / logins to credit card information and bank numbers. You're not always near a computer when you n
Portable Apps (Score:2)
You might also want to consider EssentialPIM [essentialpim.com] or Getting Things Done tools like GTDTiddlyWiki or Next Action [trimpath.com] (requires firefox)
Check out portablefreeware [portablefreeware.com] for more apps and Slashdot [slashdot.org]
Microsoft usb flash manager [microsoft.com] is a way to back up your flash drive and keep the info safe, you might also want to consider a second flash drive
(PS: Getting
Re:Portable Apps (Score:2)
I suggest you consider encrypting part of the drive, TrueCrypt [truecrypt.org] is a great little app and will run from the USB Thumb Drive as a way to store any info you wish to be secure.
It depends; on what platform? OS X already has it. (Score:2)
If you're running OS X on a Mac, you're already covered. All of your logins and passwords can be stored in OS X's "Keychain", which allows easy access to all of your passwords by simply logging in to OS X. All of your passwords (that you allow) will be automatically remembered and will populate any appropriate fields. In addition, individual logins and passwords can be accessed by typing your login info (for your OS X account), and it will reveal your login info for that particular item.
For more info o
Re:It depends; on what platform? OS X already has (Score:1)
KeePass Password Safe (Score:2, Informative)
KeePass [sourceforge.net] is what you are looking for. I have been using it for years now and it's fucking cool.
It stores all your Username/Password DataBase using so called "most secure encryption algorithms currently known (AES and Twofish)" [sourceforge.net] while SHA-256 is used as password hash.
You can group your list with details on each password:
Title, Username, URL, Password (with AutoGen & Quality Rating), Notes, Expire Date and File Attachment. [sourceforge.net]
It's fully open-source (OSI certified) runs under Windows and PocketPC with
Password Maker (Score:1)
My strategy: MD5 (Score:4, Interesting)
I used to use a USB key with a list of sites, usernames and passwords on it. All protected using a secure zip drive. It became a pain in the ass to get the passwords out, so I gave up. It also concerned me as a single point of vulnerability (if someone stole it and cracked it they have access to my life).
So now instead I use this algorithm:
$password = md5($sitename . $single_password);
So I don't have any passwords written down, just the single global password in my head along with the algorithm. There's an MD5 calculator on every UNIX system, and there's javascript ones available on the web too.
The benefits of this system:
Some websites don't support 32 character passwords, for those I just use the first 10 or 20 characters of the MD5 hash.
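The per-site hashing scheme described in this post and in the Trunc(Base64(MD5(domain + master))) reply above, with the brute-force cost estimate from the "Using MD5 and a single master password isn't such a good idea" reply worked through in code. This is an added example, not code from any poster or from the angel.net page; the domain, the master password "p1rate" and the 600,000-iteration PBKDF2 variant are assumptions for illustration.

```python
import base64
import hashlib

# Constructed master password for the demo; not a real credential.
MASTER = "p1rate"


def site_password(domain: str, master: str, max_len: int = 10) -> str:
    """The posted scheme: Trunc(Base64(MD5(domain + master)), max_len).

    Base64 output can contain '+', '/' and '=' padding, which some sites
    reject, so check the site's allowed character set before relying on it.
    """
    digest = hashlib.md5((domain + master).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:max_len]


def site_password_slow(domain: str, master: str, max_len: int = 10,
                       iterations: int = 600_000) -> str:
    """Same idea with a deliberately slow KDF (PBKDF2-HMAC-SHA256), the
    domain acting as the salt. Recovering the master password from one
    leaked site password now costs `iterations` hashes per guess instead
    of a single MD5."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), iterations, dklen=16)
    return base64.b64encode(key).decode("ascii")[:max_len]


def brute_force_days(charset_size: int, length: int,
                     seconds_per_guess: float) -> float:
    """Worst-case time to try every master password of exactly `length`
    characters drawn from `charset_size` symbols, one guess at a time."""
    guesses = charset_size ** length
    return guesses * seconds_per_guess / 86400


if __name__ == "__main__":
    print("site password:", site_password("example.com", MASTER))
    print("site password (slow KDF):", site_password_slow("example.com", MASTER))
    # Reproduces the poster's figure: 8 single-case alphanumerics (36 symbols)
    # at 0.5 us per MD5 is about 16 days of exhaustive search.
    print("MD5 search, days:", round(brute_force_days(36, 8, 0.5e-6), 1))
    # With 600k PBKDF2 iterations the same search scales by the iteration count.
    print("PBKDF2 search, days:",
          round(brute_force_days(36, 8, 0.5e-6 * 600_000)))
```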
Change password? (Score:2)
What if the system you are forced to change a password on won't allow you to use a previously-used password?
RoboForm (Score:2)
* Secure encryption
* Random Password Generator
* Storage of automatic logins
* Storage of "SafeNotes"
* Ability to fill forms with one button (CC entry, etc.)
* Storage of bookmarks (import from IE/Firefox)
* Storage of contacts (import from Outlook or file)
* Portable version that runs from a thumbdrive.
* Palm add-on
Quite nice.
Re:RoboForm (Score:2)
SafeNotes can either be password protected or cleartext. I use them to store secure pieces of information such as my driver's license and license plate numbers and other important information such as registration keys for my Palm software and such.
Single Signon and Passport (Score:2)
So, I only have two passwords to remember, ever.
Re:Single Signon and Passport (Score:1)
Its not just YOUR password that matters... (Score:2)
Let's also not forget that you should regularly check and recheck the passwords of YOUR USERS, and enforce strong password strings (length, alphanumeric, punctuation at a minimum).
Very recently, someone I know who is a very well-known talking head in the Open Source community had his box rooted, because a colleague of his had an account on his server with a default password, and never logged in.
One of those recent ssh brute-force login bots came scanning along and got in using this account. They log
Using mobile phone (Score:1)
KeYpass CRTL-Right Click Login (Score:1)
There are companies that do this for real (Score:2)
While there are plenty of home-grown and one-off solutions, it would probably be worth your time to look into the various SSO (Single Sign On) software providers and find a security product that works for you.
no extra equipment needed (Score:1)
For websites, though, I mostly use this:
Re:duh! (Score:2)
Re:duh! (Score:1)
Re:Cellphone java app (Score:2)