Security

Best Tool For Remembering Passwords? 1007

StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
  • paper in your wallet (Score:5, Interesting)

    by Gothmolly ( 148874 ) on Tuesday November 10, 2009 @09:31PM (#30054472)

    Keep them on a slip of paper, in your wallet.

    but DON'T list what each is for - you can remember that part easily enough

  • Hashapass (Score:2, Interesting)

    by PercentSevenC ( 981780 ) on Tuesday November 10, 2009 @09:35PM (#30054526)
    Generates reasonably strong passwords that I don't have to worry about forgetting or storing. Works well for me. http://www.hashapass.com/ [hashapass.com]
  • Try Keepassx (Score:2, Interesting)

    by willyg ( 159173 ) on Tuesday November 10, 2009 @09:37PM (#30054542) Homepage

    I've used Keepassx for a few years now. It's cross platform (Windows / Linux) and stores the files encrypted. I tried one of Bruce Schneier's public domain solutions previously, but the Linux install (Password Gorilla ???) was rather painful on some systems if I recall correctly.

    Just be sure to use a substantial password for the database...

  • PasswordSafe (Score:5, Interesting)

    by Avenger546 ( 69810 ) on Tuesday November 10, 2009 @09:37PM (#30054544)

    I first saw the link to PasswordSafe [sourceforge.net] from Bruce Schneier's site. If I have to take advice from someone on keeping something secure, it's Bruce.

  • Easiest one is... (Score:3, Interesting)

    by JimboFBX ( 1097277 ) on Tuesday November 10, 2009 @09:38PM (#30054548)
    Memorize an e-mail address and change the @ to a '2'. Instantly you have a 14 - 20 character password. Use a shorter 8 character password with a number you can rotate on for sites you don't necessarily trust (i.e. where an administrator could potentially google your username or e-mail and try out your password at other web sites).
  • by Capsaicin ( 412918 ) on Tuesday November 10, 2009 @09:38PM (#30054564)

    If you have access to any other box, how about a plain-text file there? Even a little security through obscurity (i.e. a hidden file buried in the filesystem somewhere) would be better than letting Firefox automagically fill it in. I guess you could always encrypt the file so you only have a single one you absolutely must remember (shades of Flourish and Blotts losing all those copies of the Invisible Book of Invisibility though).

  • by codermotor ( 4585 ) on Tuesday November 10, 2009 @09:53PM (#30054778)

    Create a passphrase which you prepend or append to every important password. Don't divulge that passphrase to any but the most trusted (spouse, family attorney, etc.).

    Keep a list of passwords sans the passphrase in a safe but accessible place in case you forget one. If someone finds that list, it'll do them little good since not only will they not know the passphrase, neither will they even know it exists.

    I'm assuming you have no state secrets or other seekrit stuff which may be intimidated out of you by other means (pliers, electrodes, etc.).

  • Hashing Works (Score:5, Interesting)

    by Aaron_Pike ( 528044 ) on Tuesday November 10, 2009 @09:57PM (#30054828) Homepage
    I use a mental hash for my less important passwords. That way all I have to do is look at the web site's name and run it through my hash function to come up with the password for that site. That way, I only have to remember the function and not the plethora of passwords.
  • Re:Truecrypt (Score:5, Interesting)

    by Korin43 ( 881732 ) on Tuesday November 10, 2009 @10:12PM (#30054986) Homepage
    Why make them mount a Truecrypt volume and search through text files? KeePass gives you an encrypted searchable password database that's much easier to use: While it's running, click the system tray icon, type in your password and your passwords are listed and searchable. When you're done, minimize it back to the tray and it's locked again.
  • by DerKlempner ( 249063 ) on Tuesday November 10, 2009 @10:15PM (#30055020) Homepage
    I keep track of all my passwords using a "rootword" system I devised. I started off simply, and have made the system more complex as time passes.

    As an example, all my passwords are based off a single, easily-remembered word. Then I complicate the rootword -- i.e., by replacing characters with symbols or numbers so that even in the unlikely chance anyone ever does find out my rootword, they don't know which iteration of characters make up the string of said word. If I choose "banana", then my rootword may end up being "b@Nan4" or "BAn@n@" or "b4n4n@" etc.

    Next, I simply add extra characters as identifiers to the rootword depending on the services or sites for which it is used. It may have something to do with the site or service name, the person that introduced me to it, or something completely random that reminds me of it. Thus, my "b@Nan4" may end up as "g00b@Nan4" for a Gmail account.

    You'd be surprised at how simple it is to remember a couple hundred different passwords using a system like this.
  • Re:Truecrypt (Score:4, Interesting)

    by darkpixel2k ( 623900 ) on Tuesday November 10, 2009 @10:16PM (#30055024)

    Do what I set up for my father: Truecrypt installed to a USB key, passwords in a plaintext file inside the archive.

    Why bother with passwords?

    Start authenticating with your GPG key. (http://gpgauth.com)

    Your GPG key logs you in, compromised sites don't hurt you.

  • Re:Hashing Works (Score:3, Interesting)

    by RJFerret ( 1279530 ) on Tuesday November 10, 2009 @10:17PM (#30055038)

    Mod parent up.

    I once wanted to make an account at a new website, only my rather unique account name was already used. I tried logging in with my "password system" based on the site name and sure enough, I don't know how many years ago I set up an account (long enough to not remember the place), but unbeknownst to me, I was golden.

    The advantages are: you never write them down, you never have to seek a resource to decrypt anything, and you have unique passwords for every place.

    I have since modified this so it's just as easy to enter the password on a mobile phone keyboard (my old system even *I* didn't know my passwords, only the physical manifestation of them via a qwerty keyboard which was a pita when driving and trying to check an appointment time or to do or whatever).

    The other system that makes sense to me is a phrase password, combined with site name and other elements. If your phrase is "Best Tool For Remembering Passwords", then "Sd8Btfrp" could be your pw for Slashdot, while it would be "Go6Btfrp" for Google and you only remember one thing.

    I have circumstantial evidence of someone trying to hack into an account of mine--they were unsuccessful.

  • by Wizmon ( 1675980 ) on Tuesday November 10, 2009 @10:17PM (#30055042)
    I've been using this for years. I've tried KeePass, 1Password, etc for weeks each, and kept coming back to Roboform. Roboform is MUCH better than any of these I've tried at filling forms easily/fast - not just passwords, but identity and credit card/payment information. My biggest complaint with it has always been syncing my encrypted roboform directory files between different machines - used live sync, sugarsync, etc - but now they do that also, with a free RoboForm Online account. Data still encrypted, but I can now get to it with my master password and any web browser. (Even dumb phones). PLUS - they've come out with clients for the iPhone. (Have had Palm, WinMobile, Blackberry, Symbian clients for quite awhile). I have full access to my codes, always synced, EVERYWHERE I go. Love it. My final favorite use for this, in addition to the password vault, is for ALL my bookmarks. I got tired of syncing/restoring/losing bookmarks between different laptops, desktops, OSs, etc some time ago - so I now have thousands saved over the last several years into my Roboform repository. I save them (as well as passcards, etc) with a few extra keywords, and use the Roboform search window to very rapidly go to any website (and login if necessary), even when I can't remember exactly what the site was called - pull it up by subject/keyword. A major timesaver. Cost some $$, but not much, and well worth it.
  • Old School (Score:3, Interesting)

    by pilsner.urquell ( 734632 ) on Tuesday November 10, 2009 @10:17PM (#30055044)
    I use a plain old spiral bound address book. I keep it locked in my gun safe, in the same room with a shredder.
  • Re:Truecrypt (Score:3, Interesting)

    by Darinbob ( 1142669 ) on Tuesday November 10, 2009 @10:24PM (#30055130)
    I do this also. I don't have a laptop I carry around, so I just have a USB storage lying on my desk with the passwords. Probably safer to put in a file drawer I suppose.

    I also have a copy of less important passwords at work, such as vendor support sites. This is stored in a secure drive partition on a Mac, and the password for that is in my wallet if I forget it. There aren't any vital passwords on it, so I'm not too concerned about how secure this is (if I start making intelligent posts on slashdot, then you'll know it's been compromised).

    In some sense, just losing the "nomad" lifestyle helps. Do you really need to have the password for your bank account on your laptop, so that you can do some banking while waiting for your lunch order? Probably not, so leave that password at home. If it's something you don't want compromised, then see if you can get away with not having that password with you. Even if it means you may have to wait until you get home to remember what the password is. If you have to have it on the road (say your frequent flyer club access) then a piece of paper in your wallet could work, but be sure it's not the same password as something important.
  • by Enti ( 726249 ) on Tuesday November 10, 2009 @10:25PM (#30055140)
    While you initially discount paper, a folded notecard in my wallet has been the most reliable method thus far. Honestly, when is the last time you've lost your wallet? For me this was eight years ago. Just as you cancel your credit/debit cards when losing a wallet, significant passwords can also be changed. Consider it a security feature. Besides, the slight inconvenience of taking out your wallet for a forgotten password encourages you to remember it (I have a straight-terrible memory, and this has worked).
  • by abdielillo ( 869806 ) on Tuesday November 10, 2009 @10:37PM (#30055264)
    I invented this method and it has worked for me perfectly since then. What I did was to develop an algorithm by which I can reconstruct my passwords based on the website or account. For example:

    1) Take the first letter of the website name, e.g. slashdot = 's'
    2) Count letters in the website name, e.g. slashdot = '6'
    3) Count the vowels, e.g. slashdot = '2'
    4) Take the last letter, e.g. slashdot = 't'
    5) Add an underscore and a keyword in common to the end of the 4 previous characters, e.g. 's62t_w00t'

    Here's another example with google.com: 1) 'g' 2) '3' 3) '3' 4) 'e' 5) 'g33e_w00t'

    Be creative with the rules... for example, if it's a bank account, make all letters UPPERCASE. Hope this helps. Note: the above example is not my PassGorithm :D
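    The derivation rule in the comment above, written out as an added example (my code, not the poster's, and not the poster's real "PassGorithm"). The counts the post gives for step 2 (slashdot = '6', google = '3') match the number of consonants rather than the number of letters, so that is what the function counts; the TLD is dropped before counting, since the post's google.com example only uses "google". The last function is the check a security engineer would want to make about any scheme of this kind: how many characters of the result actually depend on the site. Everything else is the fixed keyword, which a single leaked password reveals in full.

```python
# Added example: a rule-based per-site password derivation in the style of
# the comment above. My reconstruction from the posted examples, not the
# poster's own rule.

VOWELS = set("aeiou")


def site_label(site):
    """'Google.com' -> 'google': lower-case, drop everything from the first dot on."""
    return site.lower().split(".")[0]


def rule_scheme(site, keyword, bank=False):
    """First letter, consonant count, vowel count, last letter, then '_' + keyword.

    The post says 'count letters' for the second element, but its figures
    (slashdot -> 6, google -> 3) are the consonant counts, so consonants are
    counted here. bank=True applies the post's 'all UPPERCASE for banks' rule.
    """
    letters = [c for c in site_label(site) if c.isalpha()]
    consonants = sum(1 for c in letters if c not in VOWELS)
    vowels = sum(1 for c in letters if c in VOWELS)
    password = f"{letters[0]}{consonants}{vowels}{letters[-1]}_{keyword}"
    return password.upper() if bank else password


def site_dependent_positions(pw_a, pw_b):
    """Indices at which two passwords derived for different sites differ.

    The remaining positions are the fixed part of the scheme: whoever sees one
    derived password (a breached site, a shoulder-surfer) learns that part
    outright and only has to guess the rule for the few varying characters.
    """
    return [i for i, (a, b) in enumerate(zip(pw_a, pw_b)) if a != b]


if __name__ == "__main__":
    slashdot = rule_scheme("slashdot", "w00t")        # 's62t_w00t'
    google = rule_scheme("google.com", "w00t")        # 'g33e_w00t'
    print(slashdot, google, rule_scheme("mybank.example", "w00t", bank=True))
    varying = site_dependent_positions(slashdot, google)
    print(f"{len(varying)} of {len(slashdot)} characters depend on the site: {varying}")
```

Running it shows that only four of the nine characters vary between sites, and all four are computable from the public site name; the secrecy of every password in the scheme rests entirely on the shared keyword.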
  • by Anonymous Coward on Tuesday November 10, 2009 @10:39PM (#30055290)
    You can also obfuscate them somewhat - add extra characters at the beginning and end that aren't actually used. You know to skip them but anyone trying to compromise accounts wouldn't. On the other hand, you could also put just enough of your passwords on paper that you can remember the full password but others wouldn't know what the extra characters are or even that they exist.

    You can also do things like alternate the legitimate characters in your passwords with random characters that aren't really used. Your passwords all look extra long but that also hides that they are even passwords. Or, you can split a password onto two lines so it looks like two separate passwords, but the padding characters that are throwaways, make them look like they are standalone. But all of these steps further hide the real passwords.

    As long as you are consistent, it's easy for you to recreate the real passwords but it makes it that much harder for anyone else to even know what they are looking at.
  • Re:Truecrypt (Score:3, Interesting)

    by peragrin ( 659227 ) on Tuesday November 10, 2009 @10:48PM (#30055384)

    What if you're not using Windows? What about using it from multiple computers?

    Mine is on a USB drive in an encrypted drive image, which stores the application and data files which themselves are encrypted. My current problem is that it is OSX specific. I would love a way to be able to mount that drive on Windows and Linux too.

    Of course such things don't work well unless you use a java app, which may or may not run depending if java is installed or not.

  • pwmd (Score:1, Interesting)

    by Anonymous Coward on Tuesday November 10, 2009 @10:49PM (#30055390)
    There is a password manager daemon (pwmd [sourceforge.net]). But there is no GUI. Applications that want to use it need to be patched to use libpwmd, which also includes a command line client that can send passwords to stdout, to be piped to xclip or whatever.
  • by Potor ( 658520 ) <farker1NO@SPAMgmail.com> on Tuesday November 10, 2009 @10:59PM (#30055466) Journal

    What's so wrong with using the opening sentences of books, with a bit of 1337 speak? Take the first part of the opening sentence from James Joyce's "Ulysses":

    Stately, plump Buck Mulligan came from the stairhead

    Change a few letters to numbers, or introduce a misspelling. Even add different punctuation if you want. That'll be pretty strong. Then you can even email yourself a password hint: Joyce, or Dublin, or Stephen, or anything really. You'll remember it, if you're not an idiot. Follow the same pattern with different books for different important sites, and unless the CIA or Mossad is after you, you'll do fine.

    /not my password ... or is it?

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Tuesday November 10, 2009 @11:38PM (#30055820)
    Comment removed based on user account deletion
  • Re:Hashing Works (Score:3, Interesting)

    by ChameleonDave ( 1041178 ) on Wednesday November 11, 2009 @06:15AM (#30058032) Homepage

    Yes, I have a similar mental hash, although it is more complicated and so the password is longer. It makes sure that no two sites have the same password, so no one can get into my e-mail, say, just because they have found my Slashdot password. They take too long to type in, though, so I let Firefox remember them. Firefox protects them all with one master password that I enter once per session. In turn, my entire home directory (including the Firefox profile) is on a TrueCrypt partition (protected by a completely different passphrase). Incidentally, any sensitive files are encrypted with GPG (with a completely different, long passphrase) before being stored on the TrueCrypt partition for good measure.

    If you are worried that your mental hash is easily crackable (e.g. you use "SDpass" for Slashdot, "FBpass" for Facebook... haha, OK that's an exaggeration), then obfuscate it further by using a real hash. Run "SDpass" through md5sum, and you get "6809ec345ad1a2b72f9f8a6e3f96266b". "FBpass" becomes "5b128c5443f4467dfdd4553c3f9a6733". It is not realistically possible for anyone to see any connection between the two. Should you find yourself on a computer lacking md5sum, you could use online services such as http://www.fileformat.info/tool/hash.htm [fileformat.info] in order to get the hash. (The paranoid will obviously want to do so only in an emergency, as it will be sent over the Web in plaintext, although nobody will have any reason to think it is a password.)

    Since md5sum output is limited to the characters 0123456789abcdef, you may want to manually add a few more fixed characters (such as "#@S|-|") to the final product. That way no one can get access, even if they see you generating the hash.
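    The md5sum recipe from the comment above, as an added example (my code, not the commenter's): a short per-site tag plus a secret word is hashed, and a few fixed non-hex characters are appended so the result is not a bare digest. The `looks_like_bare_md5` check is the audit a defender would run over a password list to flag entries that anyone who guesses the input string could regenerate, which is exactly the weakness the fixed suffix is meant to cover. The `hmac_site_password` variant is my addition and is not from the thread: it keys the derivation with a master secret (HMAC-SHA256), so knowing the pattern and the site tag alone is not enough to reproduce a password.

```python
# Added example: hash-based per-site passwords in the style of the comment
# above. Not the commenter's code; the HMAC variant is a hypothetical
# hardening I added, not something the thread proposes.
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdef")


def md5_site_password(site_tag, secret_word="pass", fixed_suffix="#@S|-|"):
    """md5sum of site_tag + secret_word (e.g. 'SD' + 'pass'), then a fixed suffix.

    The suffix characters are outside the 0-9a-f alphabet of an MD5 digest, so
    the result is no longer something an onlooker can regenerate just by
    watching the hash being computed.
    """
    digest = hashlib.md5((site_tag + secret_word).encode()).hexdigest()
    return digest + fixed_suffix


def looks_like_bare_md5(password):
    """True if the password is exactly an unadorned MD5 hex digest.

    Such a password is only as secret as the string that was hashed; for the
    recipe above that string is a two-letter site tag plus one common word.
    """
    return len(password) == 32 and set(password) <= HEX_DIGITS


def hmac_site_password(site_tag, master_secret, length=20):
    """Hypothetical keyed variant (my addition): HMAC-SHA256 over the site tag
    under a master secret, truncated to `length` hex characters."""
    mac = hmac.new(master_secret.encode(), site_tag.encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def shared_positions(a, b):
    """Count positions where two hex digests agree. For unrelated inputs this
    hovers around 1/16 of the length, which is the 'no visible connection'
    property the comment relies on."""
    return sum(1 for x, y in zip(a, b) if x == y)


if __name__ == "__main__":
    sd = md5_site_password("SD")
    fb = md5_site_password("FB")
    print("SD:", sd)
    print("FB:", fb)
    print("bare digest?", looks_like_bare_md5(sd[:32]), looks_like_bare_md5(sd))
    print("positions shared by the two digests:", shared_positions(sd[:32], fb[:32]))
    print("keyed variant:", hmac_site_password("SD", "constructed master secret"))
```

The constructed secret in the usage block is a placeholder; the point of the keyed variant is that the `site_tag` can be as guessable as "SD" without giving away the password, which is not true of the plain md5sum recipe.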

  • by formfeed ( 703859 ) on Wednesday November 11, 2009 @11:53AM (#30061008)
    Just hide it in plain sight: if nobody knows that there is a password, nobody will find it. And if you put it on the internet, you can access it from everywhere. You could even hide it in some stupid text you post on some stupid forum for dumb 13 year old kids.
