Memory Tools for Password Management?
New Media Blogger asks: "A co-worker of mine recently got burned hard because they used the same password for all of their online accounts. This experience led me to compile a list of easy-to-use password management memory tools (all free, of course), which make it infinitely easier for me to keep track of my dozens of passwords. I am sure many of the Slashdot crowd have memory tools of their own — what are your favourite password memorization tools?"
Hiding (Score:4, Funny)
Parody (Score:5, Funny)
* Checking to make sure it was real - 20 seconds
* Customizing his user account to display a custom "goatse" slashbox - Priceless
There are some things money can't buy. For everything else, you should change your password!
Re:Hiding (Score:5, Informative)
http://passwordmaker.org/ [passwordmaker.org]
http://angel.net/~nic/passwdlet.html [angel.net]
http://www.xs4all.nl/~jlpoutre/BoT/Javascript/Pas
Re: (Score:2)
Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.
Re:Hiding (Score:5, Informative)
I don't think you understand how it works. What you do is you enter the password (it can be the same for all sites), then enter the name of the site (which can be pulled from a bookmarklet). A bit of Javascript on the client then hashes that information using the MD5 algorithm, and spits the result back out as a secure password.
The beauty of this is that no one has your password except you. And if you forget the generated password, you can always regen it by entering the exact same information. However, since hashes can't be reversed, your master password will not be compromised even if a lame admin compromises your generated password on his site.
Re: (Score:3, Funny)
The beauty of this is that no one has your password except you. And if you forget the generated password, you can always regen it by entering the exact same information. However, since hashes can't be reversed, your master password will not be compromised even if a lame admin compromises your generated password on his site.
Until the site with the hashing algorithm you're using goes offline. (Unless you saved it, of course.)
My system is similar, yet much easier. The first portion of my password is the name of the computer or service I'm connecting to, while the second half is a random string that only I know. Which string I use depends on what group of people I need to share the account with--in such cases where an account needs to be shared. Otherwise, I have my own string.
The downside is that if someone were to sniff on
Re:Hiding (Score:4, Informative)
So get a downloadable version [passwordmaker.org] and back it up.
The online version is common because these passwords are for websites. So making a web-enabled version is a no-brainer. But the algo is so straightforward that it was pretty easy for the guys who made it to port it to different platforms.
Re: (Score:2, Informative)
Maybe if I memorized the table for a simple substitution cipher. Like ROT13, but less common.
The best system is one that you can keep in your head.
Re:Hiding (Score:4, Funny)
Certainly. So download the source code and memorize the algorithm. Then you can do the hash in your head.
Re: (Score:2)
there are md5 calculators all over the interwebs
Re: (Score:3, Funny)
What kind of geek are you!!
Re: (Score:1)
The best system is one that you can keep in your head.
Oddly enough, this isn't usually a good quality in an encryption system. What's best is if you can keep the needed secrets in your head, but use a computer to do the math. Computers are good for that. I mean, it was helpful for spies dropped behind enemy lines during World War II to be able to do the whole thing by themselves, but these days there are computers all around, so there's nothing suspicious about using one.
And frankly, PasswordMaker has the following features:
- Browser Extension
- Yahoo! Widget
- JavaScript Edition
- Command-Line Edition
- PHP Edition
- Mobile Edition
- PDF Manual
Re: (Score:3, Insightful)
That's an upside??
Re: (Score:2)
With a different password for each system, if someone shoulder surfs his password on one box, it isn't going to automatically grant access to any other box.
Re: (Score:1)
Until some idiot admin leaks, or lets leak, all those oh-so-secret passwords.
If I'm not mistaken, there's no need for those websites to store your password, so there's no admin leak to worry about. Unless there are log files and such...
Re: (Score:2)
And yes, there are some that do it like that, because on occasion I've forgotten my password and I recognised the one emailed to me - it wasn't a new random one.
Re: (Score:1)
How else can they compare it when you try to log on?
And yes, there are some that do it like that, because on occasion I've forgotten my password and I recognised the one emailed to me - it wasn't a new random one.
We're talking about two different things here. The sites being referred to generate hashes of passwords you give them that you then use as your password on a website. For example, let's say I use the password "bubblegum". Then perhaps my GMail password will be MD5(bubblegum-gmail.com) etc etc.
So for that kind of system, no storage would be necessary.
Re: (Score:2)
That's why my password is 09f911029d74e35bd84156c5635688c0. Easy to remember, and if anyone leaks it, the MPAA will crack down on them!
you don't have to use that site (Score:1)
Then, if you want to generate a password for the site www.youtube.com, just type this on a Linux console:
I just use KeePass (Score:3, Informative)
or hashapass (Score:1, Informative)
I used to use a password-storage tool, but these days for trivial website passwords, I use hashapass [hashapass.com], which does a one-way hash (surprise!) of a seed password with a salt like the website domain name.
That way, if I'm on a different computer or can't pull up my password storage for some reason, I can still generate my password for a website. But intercepting that individual password won't help anyone figure out any of my other passwords.
It's still weak in that the master password, not only unlocks but a
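The derivation that the PasswordMaker, MD5(bubblegum-gmail.com) and hashapass comments above describe is short enough to reproduce. The block below is an added example written for this page; it is not code from PasswordMaker, hashapass, PwdHash or any poster. The input layout (`master-domain`), the cut to eight hex characters, the word list and the master password are assumptions or constructed data. It also runs the check the thread argues about: once one generated password has leaked, an attacker who knows the scheme tries candidate masters offline at one fast MD5 per guess, so a weak master falls, and with it every other site's password. The PBKDF2 variant is included only to show the cost difference a slow, salted KDF makes; it is not what the tools on the page do.

```python
import base64
import hashlib
from typing import Iterable, Optional

# Constructed attacker dictionary; a real one would hold millions of entries.
WORDLIST = ["password", "letmein", "bubblegum", "hunter2", "qwerty"]


def md5_site_password(master: str, domain: str, length: int = 8) -> str:
    """Per-site password as the thread describes it: MD5 over the master
    password joined to the site name, hex-encoded and truncated.
    The "master-domain" layout and the eight-character cut are assumptions;
    eight hex characters carry only 32 bits, whatever the master was."""
    digest = hashlib.md5(f"{master}-{domain}".encode()).hexdigest()
    return digest[:length]


def crack_master_from_leak(leaked: str, domain: str,
                           candidates: Iterable[str]) -> Optional[str]:
    """Offline attack once one generated password has leaked (a breach, or a
    site that stores passwords in the clear and e-mails them back).  The
    domain is public and MD5 is fast, so each candidate master costs one hash."""
    for cand in candidates:
        if md5_site_password(cand, domain, len(leaked)) == leaked:
            return cand
    return None


def pbkdf2_site_password(master: str, domain: str,
                         iterations: int = 200_000, length: int = 16) -> str:
    """Same derivation with a deliberately slow, salted KDF (not what the
    tools on the page use).  The domain is still the salt, so the master
    must still be strong, but every guess now costs `iterations` HMACs."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(),
                              iterations, dklen=32)
    return base64.urlsafe_b64encode(key).decode().rstrip("=")[:length]


def demo() -> dict:
    """One leaked gmail.com password gives the attacker the (weak) master and
    therefore the password for every other site."""
    leaked = md5_site_password("bubblegum", "gmail.com")
    master = crack_master_from_leak(leaked, "gmail.com", WORDLIST)
    return {
        "leaked": leaked,
        "recovered_master": master,
        "now_also_known": md5_site_password(master, "example.org") if master else None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that the per-site password protects the other sites only as long as the master survives an offline dictionary attack; the hashing adds no secret of its own, since the domain is known to anyone who holds the leaked password.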
Re: (Score:1)
I had a look at PasswordSafe for a while, which sounds like it's similar to the KeePass you mentioned.
http://passwordsafe.sourceforge.net/ [sourceforge.net]
One benefit of it is that it's open source, and was originally designed by Counterpane (Bruce Schneier).
Re: (Score:3, Interesting)
sitename
That flat file is stored in a truecrypt hidden volume of about 10 megs, with the main volume containing source code (a reasonable thing to keep locked up in a secure volume if you're paranoid) making the plausible deniability plausible. The hidden volume password is cryptographically strong, and yet I only have to remember one strong password.
-nB
Re: (Score:1)
I also use KeePass and it works like a charm. Fits all my needs whether on Windows or Linux. Oh, and it's open source.
Re: (Score:2)
I didn't know about KeePass before now, and it's getting interesting. However, the Linux port [sourceforge.net] is v0.2, which sounds very, very beta (pre-beta maybe?) to me... Is it really safe to trust all your passwords to beta software?
Abbreviated Quotes (Score:5, Interesting)
For example, one of my beloved authors is James Joyce, so a great way to make a password from him is to take a memorable quote of his that I know: "Well and what's cheese? Corpse of milk." This password would transform into Wawc?Com. which has two caps, a period and a question mark. You can do the same with Futurama or whatever you find easy to remember. Then I just attach that quote with the website/machine/network or whatever it is. You can also append the name of the quoted character or author or actor in order to make it longer, so the password might be Wawc?Com.JJ which just makes it even more difficult for a code-cracking program to get at.
Plus, since I naturally love the quote, it's very easy to memorize.
Re: (Score:2)
[goes to run brute force attacks using initial strings in James Joyce novels and futurama episodes against your IP]
Seriously, it's a good idea. When I went to a LUG meeting once, a Debian lover there was typing for ages; it seems he was using the whole novel as his passphrase!
Re: (Score:2)
Nice though.
Re: (Score:2)
I do exactly the same trick with song lyrics and lines from poems.
I never forget a password; however, I do sometimes forget which particular password is associated with a given service. The nice thing is that one can keep notes which are sufficiently obscure that they're useless to anyone who doesn't know your scheme and also recognize a given work.
Of course, if this sort of behavior becomes popular, it wouldn't be too hard to put together a brute force attack that uses variations on this on, say, the
Re: (Score:3, Interesting)
I try to do the exact opposite. Whenever I need a new password, I have one randomly generated, and then come up with a phrase for it. I'll adjust capitalisation and add/drop characters to make it easier, but I'll use the randomly generated password basically in
Re: (Score:2)
How do you remember which sentence you used for a certain site?
Re: (Score:2)
I've been doing the same thing for a while too. My GPG password is 50+ characters long with lowercase, uppercase, numbers and special characters, and I never get it wrong.
Brute force THAT!
Universal solution: (Score:2)
After all: "Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it."
[Linus B. Torvalds]
For the pedants out there, the concept applies.
Put it all in context (Score:2, Interesting)
password/.
passwordgm
passwordeb
You don't want to use that for your important sites, just ones which need a password.
Re: (Score:2)
Bob A. Jones wants to have passwords for Slashdot, amazon.com and newegg.com.
bajp4sddc = Bob A Jones Password 4[for] SlashDot Dot Com
bajp4adc = Bob A Jones Password 4[for] Amazon Dot Com
or
bajp2nedc = Bob A Jones Password 2[to] NewEgg Dot Com
In other words, use the person's initials, a number, and the initials of the site. Not super secure as-is, but it can be mixed up a little. Bob could use his first name instead of his initials, or his nickname (Rob), or his kid's initials, or t
Re: (Score:2)
Even if my real name WERE "Fred Klein", you'd be missing my middle initial, assuming I was stupid enough to use the simplest version of the above, which I am not.
Re: (Score:2)
Did I miss a joke, or a point?
If it's the fact that someone who knows the pattern can guess your passwords, DUH. That's why you 'mix it up' a little like I said. And use these only for 'low security' purposes.
ROT26 (Score:2, Funny)
I invented this super hard-to-crack encryption routine called ROT26x(tm). There are other offspring in the multiples of its own 26 bits (52, 78, 104...etc).
The cool part of it is that once you encrypt your stuff, it is soo hard to crack, because the outcome looks exactly like the original text you encrypted!
The larger the multiples, the more difficult it is to crack (disclaimer: higher bits will be very cpu-intensive, and will take longer to encrypt).
This is good, but there are other ways (Score:3, Interesting)
1 google 18
2 yahoo 21
3 delicious 8
Not decipherable, as important parts are missing from the list and are only in my head, such as what to do with each of the numbers and what the base password(s) might be. It's still enough to jog my memory when required. In this example, the 1 or the 8 in the third column might indicate the base password while the first column might indicate what algorithm would be used in generating the additional password parts. The ones that you use the most are easiest remembered. The list is for those that you don't always use or have trouble remembering.
passwordSafe (Score:5, Informative)
But the better answer is:
Get a program like passwordSafe. It's GPL and it works great; it can even generate the random passwords for you with whatever rules the given site or system allows. Just copy the database file to a backup every so often and all is well.
Random (Score:2, Insightful)
- Really unimportant sites just get an easy password that's the same across all of them
- More important, but still not critical sites use variations on a couple of randomly generated pronounceable passwords; the fact they are random means that no dictionary attack will find them, while the fact that they are pronounceable makes them easyish to learn
- Critical sites (like my bank) I either generate a random password and learn it by rote repetition, or I use PasswordSafe
12345 (Score:3, Funny)
Re: (Score:1)
Don't tell Dark Helmet!
Obviously Offtopic! (Score:3, Funny)
Or do we have to compare receipts for date of purchase/seniority to settle this.
My second will meet you on the Field of Honor for our duel......I suggest Tesla Coils at 25 meters, in the English Channel, at 50 meters below sea level.
You have been challenged sirrah!
Password Safe (Score:3, Informative)
Re:Password Safe (Score:5, Informative)
I've recently discovered password safe [sourceforge.net].
If you use *nix, then MyPasswordSafe is your friend. It uses the same file format as password safe.
If you use Mac OS X, then Password Gorilla is your friend. It too uses the same file format, though it is a tad slow on open and save operations.
MyPasswordSafe is Qt-based (but it is better than the GTK-based equivalent password management program out there, and I generally prefer GTK-based apps over Qt-based apps). It should theoretically run on Mac OS X and Windows. I don't know about its status on Windows, but I know it doesn't work on Mac OS X. I have managed to get it to compile, but it segfaults. Once the semester is over, I intend to delve into it a little.
Password Gorilla also runs on practically everything. However, it is a Tcl/Tk application and looks ugly on every platform except for Mac OS X (thank you Apple for making some of these GUI toolkits not so ugly).
The neat thing about having all these programs out there is that they are compatible and make it a cinch to move your password database across machines and have it be usable everywhere.
Nice Ideas in TFA, but Try This... (Score:1)
1. Spirit Write [wikipedia.org] password on sheet of paper.
2. Enter said writing in password field for new account.
3. Chew and swallow sheet with spirit writing.
With this method passwords are nearly unbreakable, unless someone else can channel the spirit you used. And by eating the evidence, there is no need to memorize anything! It gets digested naturally!
The only real problem with this is that a lot of the spiri
Easy (Score:1)
Re: (Score:1)
Aah, that's good to know. Once I know that 4 digit combination, I can not only hack your online stuff, but also sell your dirty clothes under your eBay account...
Three layer approach (Score:3, Insightful)
For accounts I don't care who accesses (like my free nytimes.com account), and in fact want people to crack to mess up the tracking data, I use the same password across all of them.
For infrequently used sites I choose a strong password, and forget it. Then, whenever I need that password, I get them to e-mail me a new one.
For accounts I use often and care about, I suck it up and memorize it. Pull a word or two, scramble the letters, add some numbers and punctuation randomly. Oftentimes, just thinking of that word, and because I'm predictable, I can recreate the password.
Password Management Solution (Score:2)
Part numbers. (Score:4, Interesting)
Not the most secure method in the world, but far better than the practices in any other academic research group I've seen. (Most do something really complicated and uncrackable. . . like taking two three or four letter English words and putting one after the other. Or, taking a short English word and misspelling it by changing one letter.)
Re: (Score:2)
Alphanumeric parts, I hope? 'i80386SX', not '8088', right?
Re: (Score:2)
Yeah, full vendor-specific alphanumerics, and mostly obscure oddball parts you wouldn't find in a general-purpose parts bin. Still not as good as truly random passwords, but not too bad.
My Password Memorization Process (Score:2, Insightful)
For example "mi2SSrs", for common sites and forums such as
For technical sites where I download software I add a three letter prefix to the main.
For webmail, I capitalize the three letter prefix.
For online money transactions I capitalize the prefix and add a character such as ~ at the end.
For my home ftp server login I add in the last 4 numbers of a high school girlfri
PwdHash (Score:1)
PwdHash is a browser extension that converts the entered password into a domain-specific password. This means that the same password will be converted into a different password on different websites.
I use this tool plus SplashID (http://www.splashdata.com/splashid/) which I have installed on my PDA and PC to store other passwords and PIN codes.
Brute force (Score:1)
i.e. password must:
Be between eight and 12 characters long.
Not contain repeating characters.
Not contain consecutive characters.
Not contain the same character more than three times.
Have two special characters.
Have two upper case characters.
Have two lower case characters.
Have two numbers.
Have at least one number within the first four characters.
Have at least one special character within the firs
Re: (Score:1)
Correction: those aren't MY password rules. It's what I'm stuck with at WORK.
Maybe I should preview next time?
Re: (Score:2)
Requiring a password to be complex enough is one thing, but make too many requirements and it's way too easy to brute force, as you were saying.
I question the rules though... if it can't contain repeating characters, why the need for the rules for consecutive and 'more than 3 times'?
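To see the keyspace effect the reply above points at, the following added example encodes the posted rules as a checker and samples uniformly random printable strings to estimate what fraction the policy accepts; everything it rejects is space an attacker never has to search. This is not code from the poster's employer. "Repeating" is taken as the same character twice in a row, "consecutive" as a character followed by its successor (ab, 12), and the truncated last rule as "a special character within the first four characters"; those readings are assumptions.

```python
import math
import random
import string
from typing import List

SPECIALS = string.punctuation                       # 32 symbols
ALPHABET = string.ascii_letters + string.digits + SPECIALS  # 94 printable ASCII


def violations(pw: str) -> List[str]:
    """Names of every posted rule that `pw` breaks (empty list = compliant).
    Assumed readings: 'repeat' = same char twice in a row, 'consecutive' =
    char followed by its successor, '_early' = within the first four."""
    broken = []
    if not 8 <= len(pw) <= 12:
        broken.append("length")
    if any(a == b for a, b in zip(pw, pw[1:])):
        broken.append("repeat")
    if any(ord(b) == ord(a) + 1 for a, b in zip(pw, pw[1:])):
        broken.append("consecutive")
    if any(pw.count(c) > 3 for c in set(pw)):
        broken.append("max3")
    if sum(c in SPECIALS for c in pw) < 2:
        broken.append("special2")
    if sum(c.isupper() for c in pw) < 2:
        broken.append("upper2")
    if sum(c.islower() for c in pw) < 2:
        broken.append("lower2")
    if sum(c.isdigit() for c in pw) < 2:
        broken.append("digit2")
    if not any(c.isdigit() for c in pw[:4]):
        broken.append("digit_early")
    if not any(c in SPECIALS for c in pw[:4]):
        broken.append("special_early")
    return broken


def passes(pw: str) -> bool:
    return not violations(pw)


def estimate_pass_rate(samples: int = 20000, seed: int = 1) -> float:
    """Fraction of uniformly random 8..12-character strings the policy
    accepts.  Seeded so the estimate is reproducible; it is a Monte Carlo
    figure, not an exact count."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(samples):
        n = rng.randint(8, 12)
        accepted += passes("".join(rng.choice(ALPHABET) for _ in range(n)))
    return accepted / samples


def compliant_keyspace_bits(length: int, pass_rate: float) -> float:
    """Approximate search space that remains for one length: the full
    94^length shrunk by the fraction the policy lets through."""
    if pass_rate <= 0:
        return 0.0
    return length * math.log2(len(ALPHABET)) + math.log2(pass_rate)


if __name__ == "__main__":
    rate = estimate_pass_rate()
    print(f"policy accepts ~{rate:.1%} of random strings")
    print(f"8-char compliant keyspace ~ 2^{compliant_keyspace_bits(8, rate):.1f}")
```

The attacker's corresponding move is to generate only strings that satisfy the rules (mask attacks that place a digit and a symbol in the first four positions, two upper and two lower letters elsewhere, and skip adjacent repeats), which is exactly the reduction the estimate quantifies.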
Re: (Score:2)
And worse than that - I worked at a place where very secure (in terms of random character combination) passwords were automatically generated each month, but they were then left in an envelope on your desk...
Re: (Score:1)
Looks like I'm not the only one here that works for the government.
Strip (Score:2, Informative)
Re: (Score:1)
http://www.dribin.org/dave/software/perl-strip/ [dribin.org]
Password article (Score:1)
Passreminder (Score:1)
Do As Bruce Schneier Does (Score:2, Funny)
Belt and Braces (Score:3, Insightful)
So... I prefer to entertain my full frontal paranoia by not using anything digital or on-line to actually store my keys to the things that matter.
Instead, I decided to keep my keys in a little black book, old fashioned, perhaps even quaint you exclaim!
True Squire! says I, but go ahead then, have a go.. let's see you hack that book.
Of course I do have nightmares about losing the book, however an occasional trip to a copier and a safe deposit box takes care of those, for a while. Of course if you did get to read it, you'd find yourself holding a bunch of keys... to what? aha!, that's the devious and twisted bit, remind me not to share that!
For hard passwords I choose random letters and numbers in groups of 2, at least 8, 16 or 32 chars in length, depending on the resource's value. Otherwise, so I am told, the encryption becomes much easier to break.
For less significant sites, I (like many, it seems) use a favorite quote, condensed into a shorter string of the letters of each word.
my password (Score:1)
kwallet and Apple Keychain (Score:2)
no password tools necessary (Score:2)
I don't use password management tools, but mnemonics. Usually I pick a text I remember (like a commercial, or some poem I remember from high school). Then, I use the first letters of all words (or of the first n words) and use those as a password, translated to l337speak.
It sounds complicated, but for example let's say you take "Where do you want to go today?(Ms)" (I know I'll get modded to troll for this). It becomes Wdyw2gt?(m$)
It's (pseudo)random enough to be impossible to guess if you're not choosing s
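The first-letter mnemonic in the Abbreviated Quotes comment and the leetspeak variant in the comment above share the weakness the replies point at: the set of inputs is every memorable line, not every string of that length. This added example (not any poster's code) implements the abbreviation rule, the "to -> 2" and "s -> $" style substitutions seen in the thread, and the attacker's side, which enumerates candidates from a small constructed quote corpus instead of brute-forcing character by character. The corpus, the substitution tables and the author-initials suffix are assumptions made for the example.

```python
import string
from typing import Iterator, List, Optional, Tuple

# Constructed corpus standing in for "every memorable line of Joyce and Futurama".
QUOTES: List[Tuple[str, str]] = [
    ("Well and what's cheese? Corpse of milk.", "James Joyce"),
    ("Where do you want to go today?", "Microsoft"),
    ("Good news, everyone!", "Hubert Farnsworth"),
]

# Whole-word and single-letter substitutions of the kind the thread uses (assumed tables).
WORD_SUBS = {"to": "2", "too": "2", "for": "4"}
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"})


def abbreviate(quote: str) -> str:
    """First character of each word, keeping punctuation that trails the word,
    so "cheese?" -> "c?" and "milk." -> "m."; whole-word subs apply first."""
    out = []
    for word in quote.split():
        core = word.rstrip(string.punctuation)
        trailing = word[len(core):]
        out.append(WORD_SUBS.get(core.lower(), core[:1]) + trailing)
    return "".join(out)


def initials(name: str) -> str:
    return "".join(w[0] for w in name.split())


def variants(quote: str, author: str) -> Iterator[str]:
    """Every password the scheme, plus the tweaks mentioned in the thread
    (leetspeak, appended author initials), can produce from one quote."""
    base = abbreviate(quote)
    for form in (base, base.translate(LEET)):
        yield form
        yield form + initials(author)


def guess(target: str, corpus=QUOTES) -> Optional[Tuple[str, str]]:
    """Attacker's side: which quote produced `target`?  Work is the corpus
    size times a handful of variants, not 72^len(target) character guesses."""
    for quote, author in corpus:
        if target in variants(quote, author):
            return quote, author
    return None


if __name__ == "__main__":
    print(abbreviate("Well and what's cheese? Corpse of milk."))   # Wawc?Com.
    print(guess("Wawc?Com.JJ"))
```

A real attacker's corpus would be the text of the novels, song lyrics and episode scripts themselves, run through the same few transformation rules; the password's apparent mix of case and punctuation adds nothing once the source line is in that list.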
The best product I've ran into in this area (Score:1)
I used it a few years ago.. actually it was nice, the token itself is encrypted (3 years ago it was encrypted with a 128-bit key)..
here's a link for those of you who actually need this kind of solution (I actually don't think it's worth the money, for me at least): EToken - [aladdin.com]
there is a new software (Score:1)
the better at it you get, it is called BRAIN, which is really something that most people should be able to use, but few do.
example... if I need a password for a website (sqlforums) and I know not to use the same passwords over and over aga
Re: (Score:1)
I think you'll find that even this can be cracked with a little patience and a set of sufficiently-sharp bam
Online password manager anyone? (Score:1)
Software products are certainly an option, but you could also consider a web based solution. Yes, I'm a tad biased being the co-founder of Clipperz...
Clipperz [clipperz.com] is an online password manager that can do much more than simply storing your passwords.
KeyRing (Score:1)
Mac OS X's Keychain (Score:1)
I use the Mac's built-in Keychain [apple.com]. It encrypts the passwords all the while integrating nicely with the entire operating system and the vast majority of apps. One notable exception is Firefox, but I understand Mozilla is working on that.
Also, I have my home directory encrypted using File Vault [apple.com] which contains my keychain. My virtual memory is encrypted too.
FOR ME ITS EASY (Score:1)
For me it's easy: I just think of all the bureaucracy and bullshit that where I work puts me through and somehow, as if by magic, an appropriate password always presents itself...
My method, as seen before on Slashdot (Score:3, Interesting)
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr
I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password
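The laminated-card scheme above is a monoalphabetic substitution from letters to two-character pairs, and it has the properties of one. This added example (not the poster's code) transcribes the card from the comment, derives the "bank" password, generates a fresh card from an assumed symbol set, and shows what someone who obtains two leaked site passwords and guesses the words behind them learns about the card: because each letter always maps to the same pair, every leak fills in more of the table, and a password whose word is a dictionary entry is recovered by direct decoding once the card is known.

```python
import random
import string
from typing import Dict, Iterable, Tuple

# Assumed symbol set for freshly generated cards; the page does not say how its card was made.
SYMBOLS = string.ascii_letters + string.digits + "!?$%&*+=-"

# The card printed in the comment above, transcribed from the page.
CARD: Dict[str, str] = {
    "a": "E9", "b": "?p", "c": "&m", "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=", "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3", "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay", "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}


def derive(card: Dict[str, str], word: str) -> str:
    """The poster's rule: replace each letter of a memorable word by its pair."""
    return "".join(card[c] for c in word.lower())


def new_card(rng: random.Random) -> Dict[str, str]:
    """Fresh card with 26 distinct two-character pairs drawn from SYMBOLS."""
    card, used = {}, set()
    for letter in string.ascii_lowercase:
        pair = rng.choice(SYMBOLS) + rng.choice(SYMBOLS)
        while pair in used:
            pair = rng.choice(SYMBOLS) + rng.choice(SYMBOLS)
        used.add(pair)
        card[letter] = pair
    return card


def learn_card(known: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Attacker's reconstruction from (guessed word, leaked password) pairs.
    A guess of the wrong length is discarded; a wrong guess of the right
    length would pollute the table, which a real attacker would notice by
    conflicting pairs.  Kept simple here."""
    partial: Dict[str, str] = {}
    for word, password in known:
        if len(password) != 2 * len(word):
            continue
        for i, letter in enumerate(word.lower()):
            partial[letter] = password[2 * i:2 * i + 2]
    return partial


def decode(card: Dict[str, str], password: str, unknown: str = "_") -> str:
    """Invert a (possibly partial) card; letters not yet learnt show as `_`."""
    inverse = {pair: letter for letter, pair in card.items()}
    chunks = [password[i:i + 2] for i in range(0, len(password), 2)]
    return "".join(inverse.get(chunk, unknown) for chunk in chunks)


def demo():
    leaks = [("bank", derive(CARD, "bank")), ("mail", derive(CARD, "mail"))]
    learnt = learn_card(leaks)
    return learnt, decode(learnt, derive(CARD, "link")), decode(learnt, derive(CARD, "beer"))


if __name__ == "__main__":
    print(derive(CARD, "bank"))   # ?pE94$vw
    print(demo())
```

With the card in hand the scheme offers only the guessability of the chosen word, and the words in the comment ("bank" for the bank) are the first an attacker would try; without the card, a single leaked password still reveals that it is four pairs, and each further leak shrinks the unknown part of the table.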
Prioritization (Score:2)
I have a lot of accounts in different places where it really would not matter if someone were to find out my password. All of those have the same password. Things that are actually important in any way can get their own passwords (well over three dozen for me), but right off of the bat, I've eliminated at least 50% of the passwords I need to remember.
steve
Actually I'm writing one. Sort of. (Score:2)
Since I've currently got to master Java DB (the embedded database) for a work-related project, I've been thinking about rolling my own password database. You would only copy it to your PC when you were alter
Re: (Score:1)
So what you're saying is that your passwords are like "Monica" and then "Monica!", then "!!Monica", then "Monica123" and "M0nica", "M0N1CA", "M_O_N_I_C_A"... ???
(*) humor, for the humor impaired