StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
100% security is impossible. Any data you transmit or store on a physical device can be recovered, regardless of encryption. All you can do is make it more costly to recover that data -- the best security makes it more expensive than it is worth.
Given that's true, then all security is a tradeoff. Storing passwords on a piece of paper in your wallet is actually very secure for the majority of people, more secure than you can really hope for without going to extreme lengths.
If you have communications or data that are so sensitive that you really have to go to extreme lengths to protect it, then you need the help of a security professional, not encryption and advice on password management.
So, make your passwords random, different for each thing that requires a password, and write it down on a cheat sheet. Guard that sheet like you would your credit cards. If your wallet is lost, immediately set all your passwords to something temporary then build a new password list all over again.
I do something similar, but its the default output of pwgen. All I have to do is recall the first few syllables, the general grid location of the password, or just a part of the password.
I carry this around in my wallet, sure my password is on there, but with no real frame of reference its hard to decipher and make a guess.
I have a similar setup, I have this on a piece of paper in my wallet
ABCDEFGHIJKLMNOPQRSTUVWXYZ
and I simply remember which letter my password starts with, and then what letter comes second etc.
For example, if my password was SLASHDOT, I would start by remembering the first letter, which is S, then remember the second letter, which is L, and I continue remembering until I have completed the password.
Now I have an oh-so-sort dictionary (only 160 entries!) to feed to my favorite password-cracking program. The odds of my success just went from potentially being neigh-impossible to almost-certain.
160? Why are you assuming the password must start on a "word" boundary? I guess you're also assuming it's 8 characters long? So if it's "ao2taahz8ieNgbu9" you'll miss it.
Number of one-character passwords: 1280 (actually it's even less but stay with me) Number of two-character passwords: 1279 Number of three-character passwords: 1278 Number of 100-character passwords: 1180 Number of 1280-character passwords: 1
Total number of passwords = 1 + 2 + 3 +... + 1280 = (1638400 + 1280) / 2 = 819840 passwords
Not that good, actually. And if you limit password length to 64 characters, you get only 79904 passwords (equivalent to a three-letter password using lowercase, numbers and simple punctuation only)
Websites could do more to protect their users too. For example if you accidentally write your password here on Slashdot comments, it comes up as masked. Like for example my password is ********.
You could accomplish the same thing using a PGP/GPG encryption key and plain text files. (I prefer to keep each site's credentials in a different file. Other folks use larger files that cover multiple sites.)
GPG is available on almost every possible platform. That satisfies the portability issue. Text files with encrypted ASCII text blocks inside are easy to backup (or can even be printed to hard copy).
Plus, if you have a password that multiple people need to know, just encrypt the text with all of their public keys and email the ASCII text block to them.
Why make them mount a Truecrypt volume and search through text files? KeePass gives you an encrypted searchable password database that's much easier to use: While it's running, click the system tray icon, type in your password and your passwords are listed and searchable. When you're done, minimize it back to the tray and it's locked again.
what if your not using windows. what about using it from multiple computers.
Mine is on a USB drive in an encrypted drive image, which stores the application and data files which which themselves are encrypted. my current problem is that it is OSX specific. I would love a way to be able to mount that drive on windows and Linux too.
Of course such things don't work well unless you use a java app, which may or may not run depending if java is installed or not.
Dunno why you'd need it on Mac OS X though, the built-in Keychain and Keychain Access.app does the same thing and more. It will do autofill, autofill after asking you for the master password, or you can just use it to store the passwords and look them up manually.
Keychain can also store secure notes and certificates for websites and such. It's pretty nifty how well it all works, you hardly ever have to worry about manually managing passwords and certificates.
I do this also. I don't have a laptop I carry around, so I just have a USB storage lying on my desk with the passwords. Probably safer to put in a file drawer I suppose. I also have a copy of less important passwords at work, such as vendor support sites. This is stored in a secure drive partition on a Mac, and the password for that is in my wallet if I forget it. There aren't any vital passwords on it, so I'm not too concerned about how secure this is (if I start making intelligent posts on slashdot, th
I invented this method and has worked for me perfectly since then. What I did was to develop an algorithm by which I can reconstruct my passwords based on the website or account.
For example:
1) Take the first letter on the website name
eg : slashdot = 's'
2) Count letters in the website name:
eg : slashdot = '6'
3) Count the vowels
eg : slashdot = '2'
4) Take the last letter
eg : slashdot = 't'
5) Add and underscore and a keyword in common to the end of the 4 previous characters
eg : 's62t_w00t'
Here's another example with google.com
1) 'g'
2) '3'
3) '3'
4) 'e'
5) 'g33e_w00t'
Be creative with the rules... like for example, if its a bank account, make all letters UPPERCASE.
Hope this helps.
Note: the above example is not my PassGorithm:D
I run keepassx [keepassx.org] myself. It generates strong passwords for you, if you'd like, or it stores all of your passwords in an encrypted file. It gives you the option to copy a password to the clipboard for a given amount of time (10 secs) before it is delete--it removes them on close too.I admit that I was uncomfortable with this at first, but this is no different than decrypting the password, and storing it in memory, before it's shown on screen.
Keepassx also works great on Linux, Macs, and Windows, which I hav
I first saw the link to PasswordSafe [sourceforge.net] from Bruce Schneier's site. If I have to take advice from someone on keeping something secure, it's Bruce.
Memorize an e-mail address and change the @ to a '2'. Instantly you have a 14 - 20 character password.
Use a shorter 8 character password with a number you can rotate on for sites you dont necessarily trust (i.e. where an administrator could potentially google your username or e-mail and try out your password at other web sites)
* Stores all of your passwords in a secure encrypted file
* Has auto-type so you don't have to type or remember your passwords
* Has a great password generator tool, so that you can reset all of your passwords to something secure
* Easily transferable password database.
* Can run off a USB stick
I checked it out a month ago on the recommendation of a mate, and have been using it ever since.
It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!
And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.
And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).
Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!
The first thing you have to realise is you can't be 100% secure. Keeping plain text files isn't that terrible of an idea in all honesty, your situation of where someone would steal your laptop and access all your files and look for passwords is unlikely. Your hardware is much, much, much more valuable to most thieves than your data. I bet most either A) just wipe with a clean install of Windows B) just randomly checks a few sites and gives up or C) scraps your laptop for individual parts. A laptop thief is not usually a tech person. When faced with encryption they aren't going to try to break in, after all your laptop is worth at least $50 on the black market no matter what the data is on there, so long as it boots up it is sellable.
Similarly, few thieves are going to be looking for passwords on old sheets of paper. Most thieves if they break into a house look for A) cash B) jewellery C) expensive-looking technology. Even though it is much more important to us geeks, a thief is going to go for sellable things, chances are your plasma is more sellable than your Pentium 4 tower, your monitor more than your external HDD and your PS3 more than your stack of back-up DVDs.
There is a -lot- more threat from crackers, viruses, keyloggers and other malware than the run-of-the-mill thief getting your laptop.
Hides when minimised and has a useful function that enables it to copy a password and minimise again when you double click a client name (i.e., if you need their main/default password). Quick and easy.
Used to have Filezilla set to remember client passwords until a PDF hole led to a bot stealing Filezilla's password store and auto-hacking a lot of sites that were a serious pain to clean up.
Create a passphrase which you prepend or append to every important password. Don't divulge that passphrase to any but the most trusted (spouse, family attorney, etc.).
Keep a list of passwords sans the passphrase in a safe but accessible place in case you forget one. If someone finds that list, it'll do them little good since not only will they not know the passphrase, neither will they even know it exists.
I'm assuming you have no state secrets or other seekrit stuff which may be intimidated out of you by other means (pliers, electrodes, etc.).
I use a mental hash for my less important passwords. That way all I have to do is look at the web site's name and run it through my hash function to come up with the password for that site. That way, I only have to remember the function and not the plethora of passwords.
I once wanted to make an account at a new website, only my rather unique account name was used, I tried logging in with my "password system" based on the site name and sure enough, I don't know how many years ago I setup an account (long enough to not remember the place) but unbeknownst to me, I was golden.
The advantages is you never write them down, you never have to seek a resource to decrypt anything, you have unique passwords for everyplace.
Firefox has a "master password" [mozilla.com] feature. Use it, and remember just one password. It'll prompt you for the master password the first time it visits a site that has a saved password.
On my Mac, I live & die by 1Password. I resisted putting all my passwords into a single store like it, but once I started, I was blown away by the program.
For my PC at work, TrueCrypt with a spreadsheet inside.
I recommend OBZVault [offbyzero.com]. OBZVault is a cross-platform encrypted text editor; with it you can secure sensitive information like passwords, quotes and messages, and access them from any operating system.
We use OBZVault in-house to store all our important company secrets (passwords, PINs, etc.) in a single file that gets checked into our source control system. Using OBZVault we can access that file on any of the operating systems we use (Linux, Mac OS X, and MS Windows).
It's licensed per physical machine, not per operating system, so e.g. a dual-boot Mac OS X and Ubuntu machine will only need one licence.
(Disclaimer: I co-founded OffByZero [offbyzero.com], the company that produces OBZVault.)
While you initially discount paper, a folded notecard in my wallet has been the most reliable method thus far
Honestly, when is the last time you've lost your wallet? For me this was eight years ago.
Just as you cancel your credit/debit cards when losing a wallet, significant passwords can also be changed. Consider it a security feature
Besides, the slight inconvenience of taking out your wallet for a forgotten password encourages you to remember it (I have a straight-terrible memory, and this has worked)
What's so wrong with using the opening sentences of books, with a bit of 1337 speak? Take the the first part of the opening sentence from James Joyce's "Ulysses":
Stately, plump Buck Mulligan came from the stairhead
Change a few letters to numbers, or introduce a misspelling. Even add different punctuation if you want. That'll be pretty stong. Then you can even email yourself a password hint: Joyce, or Dublin, or Stephen, or anything really. You'll remember it, if you're not an idiot. Follow the same pattern with different books for different important sites, and unless the CIA or Mossad is after you, you'll do fine.
I'll second this. 1Password also works with both Safari and Firefox (and maybe others), allowing you to disable the browser's ability to remember passwords. All you need to do is remember the master password. It's an excellent utility for corporate environments too.
That's not the best idea. If a secure location becomes compromised, you just gave up access to everything you do. Not to say people don't do it, but people also set their passwords to "password".
Here's an old post [slashdot.org] I did here 4 years ago on the subject. Users haven't gotten any smarter. Just poorer when their bank account gets compromised.
I prefer the built-in Mac Keychain. With the Mac OS Keychain plugin, Firefox will save its passwords there as well (and it can share them with Safari).
One important consideration - change your Keychain password so it's different than your login password. Use something that's easy to remember but hard to guess, e.g. the price of a cheese pizza and a large soda at Panucci's Pizza ($10.77).
Hashapass is a clever idea, but don't you run into the problem of various sites having different requirements for a valid password?
In my experience some sites want you to have a long passwords, others actually limit the length. Some only allow alphanumeric characters, and others mandate the presence of a non-alphanumeric character. Even worse, a lot of sites don't state clearly at the login prompt what their requirements are (you might need to fail once to see or even find it on another page), so doing
A guy I used to work with told me a story about a late-night support call with the operations center. He figured out that they needed to run a job that was under someone else's account. So they conference-called in this other guy at home in the middle of the night, and asked him for his password. He refused to give it over the phone, and the operations people were getting madder and madder because the night's jobs were being held up. Finally, he agreed to give them the password but only if they turned off the speaker phone.
The guy's password was BigBlackDonkeyDick.
Hilarity ensued. I'm pretty sure the whole shop knew the guy's password by the next morning (hell, I still remember it and I didn't even know the guy!)
paper in your wallet (Score:5, Interesting)
Keep them on a slip of paper, in your wallet.
but DONT list what each is for - you can remember that part easily enough
Re:paper in your wallet (Score:5, Insightful)
I agree.
100% security is impossible. Any data you transmit or store on a physical device can be recovered, regardless of encryption. All you can do is make it more costly to recover that data -- the best security makes it more expensive than it is worth.
Given that's true, then all security is a tradeoff. Storing passwords on a piece of paper in your wallet is actually very secure for the majority of people, more secure than you can really hope for without going to extreme lengths.
If you have communications or data that are so sensitive that you really have to go to extreme lengths to protect it, then you need the help of a security professional, not encryption and advice on password management.
So, make your passwords random, different for each thing that requires a password, and write it down on a cheat sheet. Guard that sheet like you would your credit cards. If your wallet is lost, immediately set all your passwords to something temporary then build a new password list all over again.
Parent
Re:paper in your wallet (Score:5, Informative)
I do something similar, but its the default output of pwgen. All I have to do is recall the first few syllables, the general grid location of the password, or just a part of the password.
I carry this around in my wallet, sure my password is on there, but with no real frame of reference its hard to decipher and make a guess.
Also, suggest printing with a fixed width font.
$ pwgen
gah5eiP2 Ga4cie3c ya6gaiTi eic1EeCo Shaisae5 ChaeXah2 Jaet0ooz ahThai3j
Yie7UH9f Iefie1ja ooghu8Oh uot7aeL0 gughes2M fahGh9ah Ohz7ohto wae2Seh1
avah3Oog Iechie2f eiPhoZi9 Mavohli9 Kohshis7 Meilo8ce Queis5hu Eiz9aij8
Pae9ahPu Equ0zoo9 Oothahk3 pich2Xao IeZai3ae aiLa7Ath Eol2aes7 aeZ5raht
AVai9nee Aam7ahzo Ioch2oqu faiGh0th eYae2ohl si7Te0we einai3Wa oash6Ahj
Eik5uul2 opai8zoY ohw5Ihaf Mi7keix9 aevi1Wa3 mo9ohJ5I Piek2yoR Si1phieZ
Ahc9luch ohNg6Oon daghieP9 reCh7jas joo4ooVi yooR6yeu eeph5Aip shie3Ahp
quoVeg8U Nee3phah CahXee0r aoD8Thai Ai5Aigha eePh0zee Cheip5Ch xeebe0Oy
laeFeez4 Ag9sheeR Ga4gooph Oijae9da aePao2ta ahz8ieNg bu9EhieS quooWoo3
ahghea7N Bot9hieC He3eeGhi ouli8Oof ik3Ohsoh Rahz9Che aeXaNg1e soh3Thee
Ahkith6u Ahs2Zuid eth6Ej0o Go0iho1d xaPhah9z aiNg1yoh Aer8Eet3 juZ3aThu
gee4KooK Hee9iqu3 Duh4aipu AiP6ahph Shaec5ne neeXa6Re Roh6fief Baef9ieM
eeGoo4ie eva1aeQu lu4hiJoh sae2DuYu fahGae7b Doh5Ifi6 jeish9Ae Rierieb5
Eedae7Iu moo6aiG3 ohNei0ie ew9ieHeu xoh5caeL NeiD0ohs iipe4aeP Lich0xak
Oozei5ao gaNgieV2 Dei0ae9l us3Loh8k phal5aeN aip0KeeV Aeg1rais oth1Ahdi
was3ow8Y Oquud1bu emee7Ohr iewa6baJ ao8Airie beegooL9 heiveF7u ongooD9w
iic4uGh0 Ohn9zeiC Neen4noh kei1Seng chieV3oh QuuQu2ju Eex1gaf3 aot8Dah1
EDoh1aej eaBae1ri Eih0woh6 Eiw3Johp Yi3aizuu Og9shohl ho6mi6Xu AeT8eihu
Iev5ohph lies0Iev eeV4jiek Tha1xoo8 gua9biiT aa4Maiga ohXoh3ai eisi8Jee
Ieloh3mo Quoch6sh Eecha0Ra zahnguM8 ieP5Jeye Mao5maec Ephae8af quihei8A
Parent
Re:paper in your wallet (Score:5, Insightful)
Parent
It is not hard to guess (Score:4, Funny)
Parent
Re:paper in your wallet (Score:5, Funny)
I have a similar setup, I have this on a piece of paper in my wallet
ABCDEFGHIJKLMNOPQRSTUVWXYZ
and I simply remember which letter my password starts with, and then what letter comes second etc.
For example, if my password was SLASHDOT, I would start by remembering the first letter, which is S, then remember the second letter, which is L, and I continue remembering until I have completed the password.
Parent
Re:paper in your wallet (Score:5, Insightful)
Congrats, and thanks.
Now I have an oh-so-sort dictionary (only 160 entries!) to feed to my favorite password-cracking program. The odds of my success just went from potentially being neigh-impossible to almost-certain.
160? Why are you assuming the password must start on a "word" boundary? I guess you're also assuming it's 8 characters long? So if it's "ao2taahz8ieNgbu9" you'll miss it.
Parent
Re:paper in your wallet (Score:5, Insightful)
160 characters * 8 letters = 1280 characters.
Number of one-character passwords: 1280 (actually it's even less but stay with me)
Number of two-character passwords: 1279
Number of three-character passwords: 1278
Number of 100-character passwords: 1180
Number of 1280-character passwords: 1
Total number of passwords = 1 + 2 + 3 + ... + 1280 = (1638400 + 1280) / 2 = 819840 passwords
Not that good, actually. And if you limit password length to 64 characters, you get only 79904 passwords (equivalent to a three-letter password using lowercase, numbers and simple punctuation only)
Parent
Re:paper in your wallet (Score:5, Funny)
Websites could do more to protect their users too. For example if you accidentally write your password here on Slashdot comments, it comes up as masked. Like for example my password is ********.
Parent
Re:paper in your wallet (Score:5, Funny)
Really? That works? My password is hunter32. :P
Seems like i can see it still though.
Parent
Re:paper in your wallet (Score:5, Funny)
Really? I couldn't see it. this is what i saw
Really? That works? My password is ********.
Parent
Re:paper in your wallet (Score:5, Funny)
You only see it because it's your password. Everyone else sees it like this:
Really? That works? My password is ********.
Parent
Re:paper in your wallet (Score:5, Funny)
He didn't know your password. He just typed "********" but you saw it as "hunter32" because that's your password.
Parent
Re:paper in your wallet (Score:5, Insightful)
GPG is available on almost every possible platform. That satisfies the portability issue. Text files with encrypted ASCII text blocks inside are easy to backup (or can even be printed to hard copy).
Plus, if you have a password that multiple people need to know, just encrypt the text with all of their public keys and email the ASCII text block to them.
Parent
Truecrypt (Score:5, Insightful)
Do what I set up for my father, Truecrypt installed to a USB key, passwords in a plaintext file inside the arcive.
Re:Truecrypt (Score:4, Insightful)
Parent
Re:Truecrypt (Score:5, Funny)
Parent
Re:Truecrypt (Score:5, Interesting)
Parent
Re: (Score:3, Interesting)
what if your not using windows. what about using it from multiple computers.
Mine is on a USB drive in an encrypted drive image, which stores the application and data files which which themselves are encrypted. my current problem is that it is OSX specific. I would love a way to be able to mount that drive on windows and Linux too.
Of course such things don't work well unless you use a java app, which may or may not run depending if java is installed or not.
Re:Truecrypt (Score:4, Informative)
keepass is available for windows linux and osx. You can run the windows version as a standalone binary.
I keep my keyfile and db on usb key (with backups of the db strewn around all over the place), and the master password in my head
Parent
Re:Truecrypt (Score:5, Informative)
keepass is available for windows linux and osx
Dunno why you'd need it on Mac OS X though, the built-in Keychain and Keychain Access.app does the same thing and more. It will do autofill, autofill after asking you for the master password, or you can just use it to store the passwords and look them up manually.
Keychain can also store secure notes and certificates for websites and such. It's pretty nifty how well it all works, you hardly ever have to worry about manually managing passwords and certificates.
Parent
Re:Truecrypt (Score:4, Informative)
KeepassX is a truly cross platform version of keepass. It does not run under wine and is just about indistinguishable from the windows-only keepass.
Parent
Re:Truecrypt (Score:4, Interesting)
Do what I set up for my father, Truecrypt installed to a USB key, passwords in a plaintext file inside the arcive.
Why bother with passwords?
Start authenticating with your GPG key. (http://gpgauth.com)
Your GPG key logs you in, compromised sites don't hurt you.
Parent
Re: (Score:3, Interesting)
I also have a copy of less important passwords at work, such as vendor support sites. This is stored in a secure drive partition on a Mac, and the password for that is in my wallet if I forget it. There aren't any vital passwords on it, so I'm not too concerned about how secure this is (if I start making intelligent posts on slashdot, th
PassGorithm - One Algorithm, infinite passwords (Score:4, Interesting)
Parent
Keepass (Score:5, Informative)
http://keepass.info/download.html [keepass.info]
Re: (Score:3, Insightful)
Keepassx also works great on Linux, Macs, and Windows, which I hav
PasswordSafe (Score:5, Interesting)
I first saw the link to PasswordSafe [sourceforge.net] from Bruce Schneier's site. If I have to take advice from someone on keeping something secure, it's Bruce.
Easiest one is... (Score:3, Interesting)
KeePass - fantastic software. (Score:5, Informative)
* Stores all of your passwords in a secure encrypted file
* Has auto-type so you don't have to type or remember your passwords
* Has a great password generator tool, so that you can reset all of your passwords to something secure
* Easily transferable password database.
* Can run off a USB stick
I checked it out a month ago on the recommendation of a mate, and have been using it ever since.
It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!
And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.
And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).
Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!
Re:KeePass - fantastic software. (Score:5, Informative)
If you turn on the master password then the password file is encrypted [luxsci.com].
Parent
Post-It Note on the Monitor (Score:5, Funny)
Post-It notes have the distinct advantage that no computer virus or Trojan can steal it.
Can't be 100% secure (Score:4, Insightful)
Similarly, few thieves are going to be looking for passwords on old sheets of paper. Most thieves if they break into a house look for A) cash B) jewellery C) expensive-looking technology. Even though it is much more important to us geeks, a thief is going to go for sellable things, chances are your plasma is more sellable than your Pentium 4 tower, your monitor more than your external HDD and your PS3 more than your stack of back-up DVDs.
There is a -lot- more threat from crackers, viruses, keyloggers and other malware than the run-of-the-mill thief getting your laptop.
Password Safe (Score:3, Informative)
I have to track a lot of personal passwords and also 200+ passwords for client websites, emails, etc. I use Password Safe and recommend it:
http://passwordsafe.sourceforge.net/ [sourceforge.net]
Hides when minimised and has a useful function that enables it to copy a password and minimise again when you double click a client name (i.e., if you need their main/default password). Quick and easy.
Used to have Filezilla set to remember client passwords until a PDF hole led to a bot stealing Filezilla's password store and auto-hacking a lot of sites that were a serious pain to clean up.
LockNote (Score:3, Informative)
I use Steganos LockNote (GPL, http://www.steganos.com/us/products/for-free/locknote/overview/ [steganos.com]), it's essentially a self-contained AES encrypting Notepad.
And it's extremely stand-alone/portable, so you can just stick it on a USB stick.
Prepended or Appended Passphrase (Score:3, Interesting)
Create a passphrase which you prepend or append to every important password. Don't divulge that passphrase to any but the most trusted (spouse, family attorney, etc.).
Keep a list of passwords sans the passphrase in a safe but accessible place in case you forget one. If someone finds that list, it'll do them little good since not only will they not know the passphrase, neither will they even know it exists.
I'm assuming you have no state secrets or other seekrit stuff which may be intimidated out of you by other means (pliers, electrodes, etc.).
Hashing Works (Score:5, Interesting)
Re: (Score:3, Interesting)
Mod parent up.
I once wanted to make an account at a new website, only my rather unique account name was used, I tried logging in with my "password system" based on the site name and sure enough, I don't know how many years ago I setup an account (long enough to not remember the place) but unbeknownst to me, I was golden.
The advantages is you never write them down, you never have to seek a resource to decrypt anything, you have unique passwords for everyplace.
I have since modified this so it's just as easy t
Use the master password feature and stop worrying (Score:5, Informative)
1Password (Score:3, Informative)
On my Mac, I live & die by 1Password. I resisted putting all my passwords into a single store like it, but once I started, I was blown away by the program.
For my PC at work, TrueCrypt with a spreadsheet inside.
OBZVault: runs on Linux, Mac OS X, and Windows (Score:3, Informative)
I recommend OBZVault [offbyzero.com]. OBZVault is a cross-platform encrypted text editor; with it you can secure sensitive information like passwords, quotes and messages, and access them from any operating system.
We use OBZVault in-house to store all our important company secrets (passwords, PINs, etc.) in a single file that gets checked into our source control system. Using OBZVault we can access that file on any of the operating systems we use (Linux, Mac OS X, and MS Windows).
It's licensed per physical machine, not per operating system, so e.g. a dual-boot Mac OS X and Ubuntu machine will only need one licence.
(Disclaimer: I co-founded OffByZero [offbyzero.com], the company that produces OBZVault.)
Old School (Score:3, Interesting)
Notecard In Wallet For Life (Score:3, Interesting)
Passphrases from books (Score:3, Interesting)
What's so wrong with using the opening sentences of books, with a bit of 1337 speak? Take the the first part of the opening sentence from James Joyce's "Ulysses":
Change a few letters to numbers, or introduce a misspelling. Even add different punctuation if you want. That'll be pretty stong. Then you can even email yourself a password hint: Joyce, or Dublin, or Stephen, or anything really. You'll remember it, if you're not an idiot. Follow the same pattern with different books for different important sites, and unless the CIA or Mossad is after you, you'll do fine.
/not my password ... or is it?
Re: (Score:3, Informative)
I'll second this. 1Password also works with both Safari and Firefox (and maybe others), allowing you to disable the browser's ability to remember passwords. All you need to do is remember the master password. It's an excellent utility for corporate environments too.
Re: (Score:3, Insightful)
That's not the best idea. If a secure location becomes compromised, you just gave up access to everything you do. Not to say people don't do it, but people also set their passwords to "password".
Here's an old post [slashdot.org] I did here 4 years ago on the subject. Users haven't gotten any smarter. Just poorer when their bank account gets compromised.
Re: (Score:3, Insightful)
I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.
Well okay but how do you remember it? Unless the password generator always generates the same password.
Re:if you use a mac... (Score:5, Informative)
I prefer the built-in Mac Keychain. With the Mac OS Keychain plugin, Firefox will save its passwords there as well (and it can share them with Safari).
One important consideration - change your Keychain password so it's different than your login password. Use something that's easy to remember but hard to guess, e.g. the price of a cheese pizza and a large soda at Panucci's Pizza ($10.77).
Parent
Re: (Score:3, Insightful)
Hashapass is a clever idea, but don't you run into the problem of various sites having different requirements for a valid password?
In my experience some sites want you to have a long passwords, others actually limit the length. Some only allow alphanumeric characters, and others mandate the presence of a non-alphanumeric character. Even worse, a lot of sites don't state clearly at the login prompt what their requirements are (you might need to fail once to see or even find it on another page), so doing
Re:How I remember passes (Score:5, Funny)
A guy I used to work with told me a story about a late-night support call with the operations center. He figured out that they needed to run a job that was under someone else's account. So they conference-called in this other guy at home in the middle of the night, and asked him for his password. He refused to give it over the phone, and the operations people were getting madder and madder because the night's jobs were being held up. Finally, he agreed to give them the password but only if they turned off the speaker phone.
The guy's password was BigBlackDonkeyDick.
Hilarity ensued. I'm pretty sure the whole shop knew the guy's password by the next morning (hell, I still remember it and I didn't even know the guy!)
Parent