Best Tool For Remembering Passwords? 1007

Posted by kdawson
from the encrypted-plain-text-file-on-a-stick dept.
StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
This discussion has been archived. No new comments can be posted.

  • Keepass (Score:5, Informative)

    by gad_zuki! (70830) on Tuesday November 10 2009, @09:32PM (#30054494)
  • if you use a mac... (Score:2, Informative)

    by Anonymous Coward on Tuesday November 10 2009, @09:33PM (#30054500)
    1password for mac and iPhone/iTouch is a good product
  • Roboform! (Score:1, Informative)

    by Anonymous Coward on Tuesday November 10 2009, @09:35PM (#30054524)

    The passwords are saved in files and are encrypted and you can password protect roboform so they can't access your passwords, after saving your passwords in roboform be sure to clear firefox or IE's saved passwords. Also get a USB stick and back up all your passwords, it's very easy to do. Then you can keep your master password to access editing the encrypted pass files as something you use all the time like your bank pin + some other word fudge factor you'll easily remember

    http://www.roboform.com/ [roboform.com]

  • 1password (Score:2, Informative)

    by excalibur313 (920557) on Tuesday November 10 2009, @09:36PM (#30054530)
    If you have a mac, definitely get 1password. It encrypts all of your passwords in a database that is accessed via 1 password that temporarily unlocks it. You can have it generate very long passwords on the fly too to make it very secure. It stores passwords from all websites that can be recalled during a session by pressing apple+\ but it locks after a period of time where it asks for the master password. You can also store secure notes, and keychains from applications.
  • by clockwise_music (594832) on Tuesday November 10 2009, @09:39PM (#30054574) Homepage Journal
    KeePass [keepass.info].

    * Stores all of your passwords in a secure encrypted file

    * Has auto-type so you don't have to type or remember your passwords

    * Has a great password generator tool, so that you can reset all of your passwords to something secure

    * Easily transferable password database.

    * Can run off a USB stick

    I checked it out a month ago on the recommendation of a mate, and have been using it ever since.

    It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!

    And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.

    And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).

    Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!
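
What a password generator has to do for the "bizarre criteria" case in the comment above (short length, banned characters, required character classes), as an added example that is not part of the thread and not KeePass's code. The function names and the banned-character set are assumptions made for the illustration.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits


def generate_password(length, required_classes, forbidden=""):
    """Random password of `length` characters with at least one character from
    each class in `required_classes` and none of the `forbidden` characters."""
    # Strip the site's banned characters out of every class first.
    pools = ["".join(ch for ch in cls if ch not in forbidden)
             for cls in required_classes]
    if not pools or any(not pool for pool in pools):
        raise ValueError("a required class has no permitted characters left")
    if length < len(pools):
        raise ValueError("length is too short to include every required class")
    alphabet = "".join(sorted(set("".join(pools))))
    # Rejection sampling: draw every position uniformly from the full alphabet
    # (secrets uses the OS CSPRNG) and retry until all classes are present.
    # Each compliant password is then equally likely, which is not the case if
    # one character per class is pinned to a fixed position.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in pool for ch in candidate) for pool in pools):
            return candidate


def max_entropy_bits(length, alphabet_size):
    """Upper bound on entropy in bits; the class requirement removes a little."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    classes = [LOWER, UPPER, DIGITS]
    banned = "O0l1I"  # constructed example of look-alike characters a site rejects
    for n in (6, 10, 20):
        pw = generate_password(n, classes, forbidden=banned)
        bits = max_entropy_bits(n, 62 - len(banned))
        print(f"{n:2d} chars, at most {bits:5.1f} bits: {pw}")
```

The entropy column shows what a 6-10 character cap costs: the site's length limit, not the generator, sets the ceiling.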
  • Re:1password (Score:3, Informative)

    by Jerry Rivers (881171) * on Tuesday November 10 2009, @09:40PM (#30054598)

    I'll second this. 1Password also works with both Safari and Firefox (and maybe others), allowing you to disable the browser's ability to remember passwords. All you need to do is remember the master password. It's an excellent utility for corporate environments too.

  • supergenpass ? (Score:1, Informative)

    by Anonymous Coward on Tuesday November 10 2009, @09:44PM (#30054646)

    no one mentioned http://supergenpass.com ?
    supergenpass hashes the base url with your main password. you can also customize the length of the final password.
    it works in every browser (bookmarklet) and you can also use it if you aren't on your computer with the mobile version.

  • Password Safe (Score:3, Informative)

    by antic (29198) on Tuesday November 10 2009, @09:44PM (#30054660)

    I have to track a lot of personal passwords and also 200+ passwords for client websites, emails, etc. I use Password Safe and recommend it:

    http://passwordsafe.sourceforge.net/ [sourceforge.net]

    Hides when minimised and has a useful function that enables it to copy a password and minimise again when you double click a client name (i.e., if you need their main/default password). Quick and easy.

    Used to have Filezilla set to remember client passwords until a PDF hole led to a bot stealing Filezilla's password store and auto-hacking a lot of sites that were a serious pain to clean up.

  • LockNote (Score:3, Informative)

    by scott_karana (841914) on Tuesday November 10 2009, @09:47PM (#30054706)

    I use Steganos LockNote (GPL, http://www.steganos.com/us/products/for-free/locknote/overview/ [steganos.com]), it's essentially a self-contained AES encrypting Notepad.
    And it's extremely stand-alone/portable, so you can just stick it on a USB stick.

  • Re:Simple (Score:1, Informative)

    by Anonymous Coward on Tuesday November 10 2009, @09:48PM (#30054728)
    sorry, the password was 12345 if you're trying to be funny and quote spaceballs.
  • Re:Simple (Score:2, Informative)

    by Yvan256 (722131) on Tuesday November 10 2009, @09:49PM (#30054734) Homepage Journal
    Then you remember wrong. Your planetary air shield combination is 12345.
  • Re:Simple (Score:2, Informative)

    by Lord Kano (13027) on Tuesday November 10 2009, @09:53PM (#30054780) Homepage Journal

    Lazy ass. Even President Skroob used one more digit.

    LK

  • Full Disk Encryption (Score:2, Informative)

    by anom (809433) on Tuesday November 10 2009, @10:02PM (#30054882)

    Once you start using a full disk encryption solution like Truecrypt or others, all the "insecure" electronic methods you discussed suddenly become secure.

  • Firefox has a "master password" [mozilla.com] feature. Use it, and remember just one password. It'll prompt you for the master password the first time it visits a site that has a saved password.
  • by internic (453511) on Tuesday November 10 2009, @10:06PM (#30054922)

    Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!

    If you turn on the master password then the password file is encrypted [luxsci.com].

  • by 93 Escort Wagon (326346) on Tuesday November 10 2009, @10:06PM (#30054924)

    I prefer the built-in Mac Keychain. With the Mac OS Keychain plugin, Firefox will save its passwords there as well (and it can share them with Safari).

    One important consideration - change your Keychain password so it's different than your login password. Use something that's easy to remember but hard to guess, e.g. the price of a cheese pizza and a large soda at Panucci's Pizza ($10.77).

  • 1Password (Score:3, Informative)

    by barzok (26681) on Tuesday November 10 2009, @10:10PM (#30054966)

    On my Mac, I live & die by 1Password. I resisted putting all my passwords into a single store like it, but once I started, I was blown away by the program.

    For my PC at work, TrueCrypt with a spreadsheet inside.

  • LastPass (Score:2, Informative)

    by phasmal (783681) on Tuesday November 10 2009, @10:11PM (#30054978)

    LastPass is definitely nice - it encrypts passwords so that they're not transmitted or stored on the server in the clear. It's also one of the best integrated pieces of software I've used - it generally just does what you want it to.

    I recommended it to a non-technical user recently, and she sent me back an email later thanking me because it removed all the mess that she was dealing with before and gave her a single launch off point for her web logins.

  • by duncan bayne (544299) <dhgbayne@gmail.com> on Tuesday November 10 2009, @10:14PM (#30055016) Homepage

    I recommend OBZVault [offbyzero.com]. OBZVault is a cross-platform encrypted text editor; with it you can secure sensitive information like passwords, quotes and messages, and access them from any operating system.

    We use OBZVault in-house to store all our important company secrets (passwords, PINs, etc.) in a single file that gets checked into our source control system. Using OBZVault we can access that file on any of the operating systems we use (Linux, Mac OS X, and MS Windows).

    It's licensed per physical machine, not per operating system, so e.g. a dual-boot Mac OS X and Ubuntu machine will only need one licence.

    (Disclaimer: I co-founded OffByZero [offbyzero.com], the company that produces OBZVault.)

  • by Anonymous Coward on Tuesday November 10 2009, @10:23PM (#30055108)

    I keep my passwords encrypted on my cellphone, backed up on my PC.

  • LastPass (Score:1, Informative)

    by Anonymous Coward on Tuesday November 10 2009, @10:41PM (#30055306)

    I can't believe nobody mentioned LastPass yet. I've been using this for a year or two now and it's awesome.

    Works everywhere and fills out the form for you... under IE, Firefox, Chrome, etc... has apps for iPhone and whatnot. Works under Linux, Mac, Windows...

    Keeps the password stored on the lastpass servers, encrypted. Can backup easily...

    I tried many password managers, this one is easily the best.

  • Re:1password (Score:2, Informative)

    by arminw (717974) on Tuesday November 10 2009, @10:48PM (#30055386)

    ....If you have a mac....

    Why not use the built-in keychain program? Are the key chains not encrypted when locked? It has been working pretty well for me.

  • PasswordVault (Score:1, Informative)

    by soulnet (72825) on Tuesday November 10 2009, @11:00PM (#30055486)

    How about PasswordVault by Lava Software --> http://www.lavasoftware.com/PasswordVault [lavasoftware.com]
    They have binaries for Windows, Linux, Mac
    There's also a portable version to put on a USB stick that will sync up with the Desktop version.
    You can categorize your passwords and it has auto-fill features, amongst other features.

  • by roubles (716740) on Tuesday November 10 2009, @11:00PM (#30055488)
  • by NevarMore (248971) on Tuesday November 10 2009, @11:13PM (#30055600) Homepage Journal

    I do something similar, but it's the default output of pwgen. All I have to do is recall the first few syllables, the general grid location of the password, or just a part of the password.

    I carry this around in my wallet, sure my password is on there, but with no real frame of reference it's hard to decipher and make a guess.

    Also, suggest printing with a fixed width font.

    $ pwgen
    gah5eiP2 Ga4cie3c ya6gaiTi eic1EeCo Shaisae5 ChaeXah2 Jaet0ooz ahThai3j
    Yie7UH9f Iefie1ja ooghu8Oh uot7aeL0 gughes2M fahGh9ah Ohz7ohto wae2Seh1
    avah3Oog Iechie2f eiPhoZi9 Mavohli9 Kohshis7 Meilo8ce Queis5hu Eiz9aij8
    Pae9ahPu Equ0zoo9 Oothahk3 pich2Xao IeZai3ae aiLa7Ath Eol2aes7 aeZ5raht
    AVai9nee Aam7ahzo Ioch2oqu faiGh0th eYae2ohl si7Te0we einai3Wa oash6Ahj
    Eik5uul2 opai8zoY ohw5Ihaf Mi7keix9 aevi1Wa3 mo9ohJ5I Piek2yoR Si1phieZ
    Ahc9luch ohNg6Oon daghieP9 reCh7jas joo4ooVi yooR6yeu eeph5Aip shie3Ahp
    quoVeg8U Nee3phah CahXee0r aoD8Thai Ai5Aigha eePh0zee Cheip5Ch xeebe0Oy
    laeFeez4 Ag9sheeR Ga4gooph Oijae9da aePao2ta ahz8ieNg bu9EhieS quooWoo3
    ahghea7N Bot9hieC He3eeGhi ouli8Oof ik3Ohsoh Rahz9Che aeXaNg1e soh3Thee
    Ahkith6u Ahs2Zuid eth6Ej0o Go0iho1d xaPhah9z aiNg1yoh Aer8Eet3 juZ3aThu
    gee4KooK Hee9iqu3 Duh4aipu AiP6ahph Shaec5ne neeXa6Re Roh6fief Baef9ieM
    eeGoo4ie eva1aeQu lu4hiJoh sae2DuYu fahGae7b Doh5Ifi6 jeish9Ae Rierieb5
    Eedae7Iu moo6aiG3 ohNei0ie ew9ieHeu xoh5caeL NeiD0ohs iipe4aeP Lich0xak
    Oozei5ao gaNgieV2 Dei0ae9l us3Loh8k phal5aeN aip0KeeV Aeg1rais oth1Ahdi
    was3ow8Y Oquud1bu emee7Ohr iewa6baJ ao8Airie beegooL9 heiveF7u ongooD9w
    iic4uGh0 Ohn9zeiC Neen4noh kei1Seng chieV3oh QuuQu2ju Eex1gaf3 aot8Dah1
    EDoh1aej eaBae1ri Eih0woh6 Eiw3Johp Yi3aizuu Og9shohl ho6mi6Xu AeT8eihu
    Iev5ohph lies0Iev eeV4jiek Tha1xoo8 gua9biiT aa4Maiga ohXoh3ai eisi8Jee
    Ieloh3mo Quoch6sh Eecha0Ra zahnguM8 ieP5Jeye Mao5maec Ephae8af quihei8A

  • Re:Truecrypt (Score:4, Informative)

    by fabs64 (657132) <beaufabry+slashdot,org&gmail,com> on Tuesday November 10 2009, @11:16PM (#30055612)

    keepass is available for windows linux and osx. You can run the windows version as a standalone binary.

    I keep my keyfile and db on usb key (with backups of the db strewn around all over the place), and the master password in my head

  • Re:Truecrypt (Score:5, Informative)

    by Graff (532189) on Wednesday November 11 2009, @01:08AM (#30056410)

    keepass is available for windows linux and osx

    Dunno why you'd need it on Mac OS X though, the built-in Keychain and Keychain Access.app does the same thing and more. It will do autofill, autofill after asking you for the master password, or you can just use it to store the passwords and look them up manually.

    Keychain can also store secure notes and certificates for websites and such. It's pretty nifty how well it all works, you hardly ever have to worry about manually managing passwords and certificates.

  • Re:Truecrypt (Score:4, Informative)

    by fabs64 (657132) <beaufabry+slashdot,org&gmail,com> on Wednesday November 11 2009, @02:12AM (#30056828)

    KeepassX is a truly cross platform version of keepass. It does not run under wine and is just about indistinguishable from the windows-only keepass.

  • by Anonymous Coward on Wednesday November 11 2009, @02:28AM (#30056922)

    I used to use KeePass, but I switched to LastPass. LastPass keeps your passwords accessible on the web in their (encrypted) database. I found it much easier to use strong passwords on multiple computers that way. It integrates with firefox seamlessly via plugin, too. Linux compatible.

  • by dtml-try MyNick (453562) <{litheran} {at} {gmail.com}> on Wednesday November 11 2009, @06:12AM (#30058010)
    A while ago I decided I needed a new password system. I had 9 or 10 different passwords I used for basically everything.
    It became increasingly annoying to remember which password I used where. And with the increasing number of password protected sites and apps I also started using the same passwords over and over. So I needed a new scheme.

    My requirements were that:
    it had to be long (14 chars minimum),
    had to contain letters and digits,
    should not be guessable, or at least parts of it (duh!),
    must be unique for every application or website, so it wouldn't create a domino effect if compromised
    must be easy to remember or memorize

    I decided that the key was to categorise everything.

    So I came up with about 10 or 12 different categories. (e.g. forums, social networks, design, workrelated, etc)
    Then I started to fiddle around to get 2 combinations of keys, 5 chars long, that were very fast to type and random (as in, not an existing word)
    For the numbers I took 3 chars of the app or site. You could take the first or last three, or make an offset (start + 2, so char 3, 4 & 5), whatever works.. and translated those 3 chars into digits.. for example a = 11, b = 22 etc.. or make a scheme for that a = 26, b = 25, a = 2., b = 3. etc.. whatever works again :)

    Then I threw all of that in a mix. So I ended up with something like <random fasttypechars><category acronym><random fasttypechars> <coded app/sitename>
    Of course you can think of several other options to make such a scheme.

    It's certainly not flawless but I think it's good enough for everything non-mission critical.
    Every pass is unique and I can easily remember them as long as I recognise the right category
  • by rhild (659603) on Wednesday November 11 2009, @09:26AM (#30059142) Homepage
    It seems like some financial sites don't use case sensitivity for passwords because they want users to be able to use the same password via their phone system, where case sensitivity isn't possible.
  • by maxume (22995) on Wednesday November 11 2009, @09:33AM (#30059198)

    That doesn't explain it...

    (replace 'letters' with 'consonants' and 6 makes sense though)

  • Re:Hashing Works (Score:3, Informative)

    by EEBaum (520514) on Wednesday November 11 2009, @12:11PM (#30061268) Homepage
    I've been doing this for years... great system. The one problem I've run into is when a site changes names or is bought out (e.g. Chase now owns WaMu). I then have to either change my password or try to remember how the history of mergers and acquisitions went down.
  • PwdHash (Score:2, Informative)

    by gphilip (1155691) on Wednesday November 11 2009, @01:26PM (#30062412) Journal
    https://www.pwdhash.com/ [pwdhash.com]

    Available in three ways:
    1. Online at the above address -- works with any browser that supports JavaScript.
    2. As a plugin for Firefox (and beta plugins for other browsers): Press F2 or type @@ at the beginning of a text field for the plugin to kick in.
    3. As a webpage (the one at https://www.pwdhash.com/ [pwdhash.com] ) with JavaScript code that you can store on disk and open in any browser.

    Constructs a one-way hash of

    1. the password entered in a password (or other text) field, and
    2. the domain name of the site where the password is used (both these can be entered manually in methods 1 and 3)

    to get a domain-specific password. Memorize one strong password and use this utility to get distinct passwords for each domain. The generated passwords are (usually) complicated enough to pass any conceivable non-triviality test.

  • Re:PwdHash (Score:3, Informative)

    by vivek7006 (585218) on Wednesday November 11 2009, @02:09PM (#30062960) Homepage

    Mod parent up.

    I have been using pwdhash for more than 2 years and I absolutely love it. It generates tough passwords based on the website URL and a master password. The password generation happens in *your* browser, there is no remote server holding your password. Absolutely safe. All you need to remember is a master password!
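
The master-password-plus-domain scheme described in the PwdHash comments above (and for SuperGenPass earlier in the thread), as an added example that is not part of the thread and is not the algorithm either tool uses. It substitutes PBKDF2-HMAC-SHA256; the function names, the iteration count, the counter and the naive "last two labels" domain rule are all assumptions.

```python
import base64
import hashlib
import ipaddress
from urllib.parse import urlsplit

ITERATIONS = 200_000  # assumed work factor; slows offline guessing of the master password


def site_key(url):
    """Reduce a URL or bare hostname to the string that salts the derivation."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url  # let urlsplit treat a bare hostname as the network location
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host))  # IP literals are used whole
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"cannot derive a site key from {url!r}")
    # Naive rule: keep the last two labels so www. and login. hosts agree.
    # Wrong for suffixes such as co.uk; a real tool needs the Public Suffix List.
    return ".".join(labels[-2:])


def derive_password(master, url, length=16, counter=1):
    """Deterministic per-site password; nothing is stored anywhere."""
    if not master:
        raise ValueError("master password must not be empty")
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43")
    # The counter is the only way to rotate one site's password without
    # changing the master password, and it has to be remembered per site.
    salt = f"{site_key(url)}#{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=32)
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    for site in ("https://www.example.com/login", "login.example.com",
                 "https://example.net/", "wamu.com", "chase.com"):
        print(f"{site_key(site):12s} {derive_password(master, site)}")
```

Subdomains of one site collapse to the same password, while a renamed site (the WaMu to Chase case raised under "Hashing Works") derives a different one, so the old domain has to be remembered until the password is changed. The output alphabet is fixed, so a site that insists on particular character classes may still reject the result.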

  • by Jared555 (874152) on Thursday November 12 2009, @03:55AM (#30070156)

    100% security is possible if you have physical control of a device and want to make sure that nobody ever gets access to it again. (Turning the device into a fine powder and then either melting it down or distributing it across a very large area).... I believe at one point at least that is how the government handled things.

    Storing a backup version of your data that you do not need frequent access to on the other hand is possible to get 99.999% secure but as you increase the security level you also frequently increase the chances of complete data loss because you lost part or all of the key.
