Best Tool For Remembering Passwords?
StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
Truecrypt (Score:5, Insightful)
Do what I set up for my father: Truecrypt installed to a USB key, passwords in a plaintext file inside the archive.
Use your head and quit your bitching. (Score:1, Insightful)
You underestimate the capacity of a human brain to store information.
The most secure place (Score:1, Insightful)
Re:Keepass (Score:3, Insightful)
Keepassx also works great on Linux, Macs, and Windows, which I have not yet tried.
Can't be 100% secure (Score:4, Insightful)
Similarly, few thieves are going to be looking for passwords on old sheets of paper. Most thieves, if they break into a house, look for A) cash, B) jewellery, C) expensive-looking technology. Even though it is much more important to us geeks, a thief is going to go for sellable things; chances are your plasma is more sellable than your Pentium 4 tower, your monitor more than your external HDD, and your PS3 more than your stack of back-up DVDs.
There is a -lot- more threat from crackers, viruses, keyloggers and other malware than the run-of-the-mill thief getting your laptop.
Re:Truecrypt (Score:4, Insightful)
Write your own (Score:2, Insightful)
I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.
Firefox is okay (Score:1, Insightful)
The Firefox automatic password remembering thingy is okay. Not too worried about whether the computer is stolen, as I have a BIOS password, plus there's not exactly enough money in my bank account to be worth bothering with, and my bank system doesn't actually let you do a lot without human intervention. My biggest worry, actually, was whether Firefox would ever show me these saved passwords in case I do wish to make an attempt to remember. It can. Cool.
What I can't believe is how many people are giving their best ideas for remembering passwords. Was this a serious question or a cleverly disguised bit of social engineering?
Re:The most secure place (Score:3, Insightful)
That's not the best idea. If a secure location becomes compromised, you just gave up access to everything you do. Not to say people don't do it, but people also set their passwords to "password".
Here's an old post [slashdot.org] I did here 4 years ago on the subject. Users haven't gotten any smarter. Just poorer when their bank account gets compromised.
Re:Hashapass (Score:1, Insightful)
I use such a method, except in my head. I have a master half-password that I combine with a quick hash of the name of the thing it's for.
For instance, suppose your master password is "UNIQUE" and you want to use it for Google.
Further suppose you've settled on the hash of second and last letters---(o,e) in the case of Google---and always split your master into two parts. Then you could form the password UNIoQUEe for Google.
For Yahoo, you'd pull out the (a, o) and similarly produce UNIaQUEo.
For Microsoft, (i,t) results in UNIiQUEt.
etc.
Then you just have to remember that your password for anything is UNI(something)QUE(something else).
You can form this hash different ways and more complexly, of course--whatever works for you.
Re:paper in your wallet (Score:5, Insightful)
I agree.
100% security is impossible. Any data you transmit or store on a physical device can be recovered, regardless of encryption. All you can do is make it more costly to recover that data -- the best security makes it more expensive than it is worth.
Given that's true, then all security is a tradeoff. Storing passwords on a piece of paper in your wallet is actually very secure for the majority of people, more secure than you can really hope for without going to extreme lengths.
If you have communications or data that are so sensitive that you really have to go to extreme lengths to protect it, then you need the help of a security professional, not encryption and advice on password management.
So, make your passwords random, different for each thing that requires a password, and write it down on a cheat sheet. Guard that sheet like you would your credit cards. If your wallet is lost, immediately set all your passwords to something temporary then build a new password list all over again.
Re:Write your own (Score:3, Insightful)
I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.
Well okay but how do you remember it? Unless the password generator always generates the same password.
Re:Hashapass (Score:3, Insightful)
Hashapass is a clever idea, but don't you run into the problem of various sites having different requirements for a valid password?
In my experience some sites want you to have a long password, others actually limit the length. Some only allow alphanumeric characters, and others mandate the presence of a non-alphanumeric character. Even worse, a lot of sites don't state clearly at the login prompt what their requirements are (you might need to fail once to see, or even find it on another page), so doing an on-the-fly conversion of the password to the right form may still require you to remember which form they accept. Actually, for me this is the hardest part about remembering my passwords for various sites.
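As an added example (not code from the thread or from Hashapass), this Python contrasts the in-head "UNI..QUE" scheme described earlier with a keyed-hash derivation of the kind Hashapass-style tools use, trimmed to the per-site length and character-class rules this comment complains about. The master "UNIQUE" is taken from the thread; the HMAC-SHA256 construction, the site names and the fix-up rule are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed master secret (from the thread) and sample site names.
MASTER = "UNIQUE"
SITES = ["google", "yahoo", "microsoft"]

def affix_scheme(master: str, site: str) -> str:
    """In-head scheme from the thread: split the master in two and insert
    the site's second and last letters (google -> UNIoQUEe)."""
    half = len(master) // 2
    return master[:half] + site[1] + master[half:] + site[-1]

def hmac_scheme(master: str, site: str, length: int = 16,
                alnum_only: bool = False, need_symbol: bool = False) -> str:
    """Keyed-hash derivation (an assumption here, not Hashapass's own
    algorithm): HMAC-SHA256(master, site) as base64, trimmed to the
    site's length and character-class rules."""
    digest = hmac.new(master.encode(), site.lower().encode(), hashlib.sha256).digest()
    chars = base64.b64encode(digest).decode().rstrip("=")
    if alnum_only:
        chars = "".join(c for c in chars if c.isalnum())
    pw = chars[:length]
    if need_symbol and not alnum_only and pw.isalnum():
        pw = pw[:-1] + "!"  # deterministic fix-up for "must contain a symbol" rules
    return pw

def longest_common_substring(a: str, b: str) -> int:
    """Longest run shared by two passwords: roughly what an attacker who has
    captured both learns about the fixed master (the thread's objection)."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def leakage(scheme) -> int:
    """Largest shared run over every pair of derived site passwords."""
    pws = [scheme(MASTER, s) for s in SITES]
    return max(longest_common_substring(p, q) for i, p in enumerate(pws) for q in pws[i + 1:])

if __name__ == "__main__":
    for s in SITES:
        print(f"{s:10} affix={affix_scheme(MASTER, s):10} hmac={hmac_scheme(MASTER, s)}")
    print("shared run: affix", leakage(affix_scheme), "hmac", leakage(hmac_scheme))
```

The affix scheme hands anyone holding two site passwords the whole master in the clear, while two keyed-hash outputs share nothing beyond chance coincidences.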
Re:PassGorithm - One Algorithm, infinite passwords (Score:2, Insightful)
So as soon as anybody gets a single one of your passwords, they now get the whole kit-n-caboodle.
Well, look at one of the examples above... g33e_w00t... you will actually need the algorithm to decrypt anything else. It's encryption. You need a decryption key.
Re:Truecrypt (Score:3, Insightful)
Why is it on a USB key? You're not carrying around your Truecrypt volume and typing your passphrase into strange computers are you?
Re:paper in your wallet (Score:3, Insightful)
And if your wallet is lost/stolen, not identifying each password with a particular site will give you enough time to change the passwords before you can be compromised.
But I needed the wallet to know what the passwords were so I could change them! DOH!
Re:PassGorithm - One Algorithm, infinite passwords (Score:3, Insightful)
I used to do something like this, but as companies buy each other out, rebrand parts of themselves and other such shenanigans the website name and URL tend to change. This can get confusing.
Re:paper in your wallet (Score:3, Insightful)
People rarely steal passwords that way because of masking. Get rid of masking, and shoulder-surfing will flourish.
Re:paper in your wallet (Score:5, Insightful)
GPG is available on almost every possible platform. That satisfies the portability issue. Text files with encrypted ASCII text blocks inside are easy to backup (or can even be printed to hard copy).
Plus, if you have a password that multiple people need to know, just encrypt the text with all of their public keys and email the ASCII text block to them.
Re:paper in your wallet (Score:5, Insightful)
Re:paper in your wallet (Score:3, Insightful)
I would advise against your method, because you just reduced the search space for anyone wanting to get in from millions of possibilities to just 160 different passwords. Having a list with your actual password on it makes it pretty easy to brute-force.
Same goes with an earlier suggestion of having your passwords on a slip of paper in your wallet but not indicate which passwords are for what. Very easy to brute force.
Re:paper in your wallet (Score:5, Insightful)
Congrats, and thanks.
Now I have an oh-so-short dictionary (only 160 entries!) to feed to my favorite password-cracking program. The odds of my success just went from potentially being nigh-impossible to almost-certain.
160? Why are you assuming the password must start on a "word" boundary? I guess you're also assuming it's 8 characters long? So if it's "ao2taahz8ieNgbu9" you'll miss it.
Re:Prepended or Appended Passphrase (Score:3, Insightful)
Create a passphrase which you prepend or append to every important password.
Bad idea. You should never use the same password (or part thereof) on two or more systems (that you do not control). In your case, if an attacker managed to get two of your passwords (say to two different web sites) then they could simply compare them and determine your super-secret pass phrase that you attach to all your passwords. Combine that with your list and you're owned.
Re:Prepended or Appended Passphrase (Score:3, Insightful)
Re:paper in your wallet (Score:5, Insightful)
160 characters * 8 letters = 1280 characters.
Number of one-character passwords: 1280 (actually it's even less but stay with me)
Number of two-character passwords: 1279
Number of three-character passwords: 1278
Number of 100-character passwords: 1180
Number of 1280-character passwords: 1
Total number of passwords = 1 + 2 + 3 + ... + 1280 = (1638400 + 1280) / 2 = 819840 passwords
Not that good, actually. And if you limit password length to 64 characters, you get only 79904 passwords (equivalent to a three-letter password using lowercase, numbers and simple punctuation only)
Re:paper in your wallet (Score:1, Insightful)
If your wallet is lost, immediately set all your passwords to something temporary then build a new password list all over again.
And how do you reset your passwords if you don't have your current password list?
Re:paper in your wallet (Score:3, Insightful)
That's interesting, but for mine I will sometimes choose a password that wraps and (more commonly) one which is backwards. Funny thing about it, though, is that for my "secure" sites I add a non-alphanumeric to the end (bang is my normal, but I've used the asterisk in the past). My list is shorter than the GP's, though. I've used this method since the early 90s, when my group at NASA implemented a draconian password regimen which required a new password every 30 days, 8 character minimum, 2 non-alpha characters, and no more than 3 repeated characters. There was no sensitive information, and it was an internal network.
Somehow, the need to know both my user name (may be easily guessed, sometimes, but that does multiply the number of tries) and have to go through even 100,000 passwords* before I realize my wallet is lost/stolen is pretty low probability. And that's really what security is about. Not the complete inability to break in, but the inability to do so in a reasonable length of time.
*without hacking the interface of my particular institutions to bypass timeout limits and account locks, a fully automated script to enter those over a remote link would likely take a couple of days at a minimum. If you are both lucky enough to steal/find my wallet and 1337 enough to get direct access to the bank's server, I'd say there are bigger problems.
Re:Hashing Works (Score:3, Insightful)
Everyone uses this method, but nobody wants to reply and agree with you because then someone could find that person, reverse engineer their hash and then own them.
shit!
Re:paper in your wallet (Score:1, Insightful)
Re:paper in your wallet (Score:2, Insightful)
Re:paper in your wallet (Score:2, Insightful)
Umm.. your calculations are a bit off.
You're assuming that the matrix can only be traversed serially from top left to lower right in a line-by-line fashion.
Assuming that the matrix uses [A-Z,a-z,0-9] as its base and each of these characters is represented at least once in the list, there are actually 62^1280 passwords of 1280 characters in length, just as if you "randomly" created a 1280 character password using that base. If you limit the password to 64 characters, you still have 62^64 (5.16497386 x 10^114).
The matrix can be traversed using a virtually unlimited number of algorithms (limited only by your ability to remember the algorithm used to traverse the matrix).
The main benefit in using such a matrix is that it provides a crutch to the creation of fairly random passwords. As such, it does limit the number of passwords likely to be used since complex algorithms for traversing the matrix are unlikely to be used. But this isn't necessarily true either. Even if poorly implemented, the password dictionary of the average person would likely be improved to the point where a brute-force attack would be a more reasonable means of attack even if you had access to the original matrix since you don't know what algorithm would be used to traverse it.
Re:paper in your wallet (Score:3, Insightful)
would you trust those same people with your bank account password? Because that's what he mentioned.
Further, and forgive me for having used unspoken assumptions, but I would imagine that if someone is going to the trouble of setting up a password manager then they might actually end up using those passwords for more than just websites. The anecdotal "it works fine for me" is nearly meaningless; he could have 1 password for all the sites, and have it be something like his street address or such, and guess what? He'd still have a pretty good chance no one would ever break in to his accounts. Chances are, he'd get away with it. You've gotten away with what you're doing - whether or not that is secure enough is irrelevant to whether or not you, sample size 1, have succeeded with that method.
Re:paper in your wallet (Score:3, Insightful)
Good luck trying even 100 passwords in a reasonable time on any relatively secure system. Most lock you out if you fail 3-5 tries within 5-15 minutes. Say you can try 5 per 5 minutes; at a minimum it is going to take about 2 hours. I know some systems by default base lockout time on the number of password failures, increasing up to 24 hours to 2 weeks for remotely accessed systems. On more secure systems the system administrator gets a brute force notice and/or a semi-permanent to permanent ban from that IP, terminal, or even account until it is reset.