Memory Tools for Password Management?

New Media Blogger asks: "A co-worker of mine recently got burned hard because they used the same password for all of their online accounts. This experience led me to compile a list of easy-to-use password management memory tools (all free, of course), which make it infinitely easier for me to keep track of my dozens of passwords. I am sure many of the Slashdot crowd have memory tools of their own — what are you favourite password memorization tools?"

I just use KeePass

[PhrostyMcByte]

Having a seperate password for 50+ websites is not realistic when you plan to memorize them all. I use KeePass [keepass.info] to have very random 16+ char passwords (that I do not bother to remember) for every place I visit, and one master password to access the database.

passwordSafe

[liam193]

The methods described in this article don't seem to be very useful. I have seen one method that works fairly well. Come up with a sentence you know you can remember. It can be something out of the blue like: "I prefer accessing Gmail in Firefox for the skins extension." Then make your password "IpaGiF4zse". The first letter of each word, the number 4 or 2 for for or to, too, etc. Even other ones can be used like 8 for ate and 3 for a word starting with e. The z makes sense for a replacement of t in the because if you use the pronunciation of the that sounds like thee, z and thee are fairly similar. Those types of schemes make sense.

But the better answer is:

Get a program like passwordSafe. It's GPL and it works great it even can generate the random passwords for you with whatever rules the given site or system allows. Just copy the database file to a backup every so often and all is well.

or hashapass

[Anonymous Coward]

I used to use a password-storage tool, but these days for trivial website passwords, I use hashapass [hashapass.com], which does a one-way hash (surprise!) of a seed password with a salt like the website domain name.

That way, if I'm on a different computer or can't pull up my password storage for some reason, I can still generate my password for a website. But intercepting that individual password won't help anyone figure out any of my other passwords.

It's still weak in that the master password, not only unlocks but also determines the rest. Still, for stuff like non-financial website logins, it's a godsend.

Password Safe

[CastrTroy]

I've recently discovered password safe [sourceforge.net]. You just have to remember 1 password, you have access to all your passwords. You can run it off a USB drive, so you can take your passwords with you anywhere. I used to use the same password for many sites, but now I have Password Safe generate a new password for each site.

Re:Hiding

[AKAImBatman]

Use an MD5 password generator. You can use the same password across sites, but it won't get compromised. Ever. There are a few sites like these that can help you generate these passwords:

http://passwordmaker.org/ [passwordmaker.org]
http://angel.net/~nic/passwdlet.html [angel.net]
http://www.xs4all.nl/~jlpoutre/BoT/Javascript/Pass wordComposer/ [xs4all.nl]

Re:Password Safe

[El Cubano]

I've recently discovered password safe [sourceforge.net].

If you use *nix, then MyPasswordSafe is your friend. It uses the same file format as password safe.

If you use Mac OS X, then Password Gorilla is your friend. It too uses the same file format, though it is a tad slow on open and save operations.

MyPasswordSafe is Qt-based (but it is better than the GTK-based equivalent password management program out there, and I generally prefer GTK-based apps over Qt-based apps). It should theoretically run on Mac OS X and Windows. I don't know about its status on Windows, but I know it doesn't work on Mac OS X. I have managed to get it to compile, but it segfaults. Once the semester is over, I intend to delve into it a little.

Password Gorilla also runs on practically everything. However, it is a Tcl/Tk application and looks ugly on every platform except for Mac OS X (thank you Apple for making some of these GUI toolkits not so ugly).

The neat thing about having all these programs out there is that they are compatible and make it a cinch to move your password database across machines and have it be usable everywhere.

Re:passwordSafe

[IL-CSIXTY4]

I second this! I keep the Windows and Linux versions of PasswordSafe on a USB key I wear around my neck, and back them whole thing up weekly. It's free, secure, and usually on-hand when I need it.

Strip

[flink]

I've been using Strip [freshmeat.net] (Secure Tool for Remembering Important Passwords) for years on Palm. It keeps your passwords in an AES encrypted palm database with a master password. I like it over other PC-based password managers because I know that whether I sit down in front of a Windows, Linux, or Mac machine, I'll always be able to get at my passwords.

Re:Hiding

[AKAImBatman]

Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.

I don't think you understand how it works. What you do is you enter the password (it can be the same for all sites), then enter the name of the site (which can be pulled from a bookmarklet). A bit of Javascript on the client then hashes that information using the MD5 algorithm, and spits the result back out as a secure password.

The beauty of this is that no one has your password except you. And if you forget the generated password, you can always regen it by entering the exact same information. However, since hashes can't be reversed, your master password will not be compromised even if a lame admin compromises your generated password on his site.

Re:I just use KeePass

[KenAndCorey]

Absolutely. KeePass even has basic scripting so it will enter the password for you on sites, or copy it to the clipboard (and erase it after 60 seconds or a set time). I'm using it for passwords as well as keeping key information (such as Social Insurance Number, Medical Numbers, credit card numbers, etc). I highly recommend it.

Re:Passreminder

[Abattoir]

I use Passreminder [eyecanseeyou.free.fr]. It has a "memory stick" version and is java based and works on both Windows and Linux off my FAT based usb flash drive. Stupid html formatting not default.

Re:Hiding

[AKAImBatman]

Until the site with the hashing algorithm you're using goes offline.

So get a downloadable version [passwordmaker.org] and back it up. ;-)

The online version is common because these passwords are for websites. So making a web-enabled version is a no-brainer. But the algo is so straightforward that it was pretty easy for the guys who made it to port it to different platforms.

Re:Hiding

[Short Circuit]

Now we run into portability issues. I'm not always using an account where I can install FF extensions. Heck...If I forget my flash drives at home, I'm stuck running Firefox 1.5 at the latest, and IE6 in places on campus where they still haven't installed Firefox.

Maybe if I memorized the table for a simple substitution cipher. Like ROT13, but less common.

The best system is one that you can keep in your head.