Forgot your password?
typodupeerror
Security

Best Tool For Remembering Passwords? 1007

Posted by kdawson
from the encrypted-plain-text-file-on-a-stick dept.
StonyCreekBare writes "Lately I've been rethinking my personal security practices. Should my laptop be stolen, having Firefox 'fill in' passwords automatically for me when I go to my bank's site seems sub-optimal. Keeping passwords for all the varied sites on the computer in a plain-text file seems unwise as well. Keeping them in my brain is a prescription for disaster, as my brain is increasingly leaky. A paper notepad likewise has its disadvantages. I have looked at a number of password managers, password 'vaults' and so on. The number of tools out there is a bit overwhelming. Magic Password Generator add-in for Firefox seems competent, but it's tied to Firefox, and I have other places and applications where I want passwords. And I might be accessing my sites from other computers that don't have it installed. The ideal tool in my mind should be something that is independent of any application, browser, or computer; something that is easily carried, but which if lost poses no risk of compromise. What does the Slashdot crowd like in password tools?"
This discussion has been archived. No new comments can be posted.

Best Tool For Remembering Passwords?

Comments Filter:
  • paper in your wallet (Score:5, Interesting)

    by Gothmolly (148874) on Tuesday November 10, 2009 @09:31PM (#30054472)

    Keep them on a slip of paper, in your wallet.

    but DONT list what each is for - you can remember that part easily enough

    • I second this. If you have them in your wallet, they are immediately accessible, and if your wallet is lost/stolen, not identifying each password with a particular site will give you enough time to change the passwords before you can be compromised (since most people know pretty quick when their wallet goes missing). Obviously this would necessitate having a second copy somewhere, probably on an encrypted file on your computer that you would use only for the purpose of changing your passwords.
    • by JohnFen (1641097) on Tuesday November 10, 2009 @09:57PM (#30054822)

      I agree.

      100% security is impossible. Any data you transmit or store on a physical device can be recovered, regardless of encryption. All you can do is make it more costly to recover that data -- the best security makes it more expensive than it is worth.

      Given that's true, then all security is a tradeoff. Storing passwords on a piece of paper in your wallet is actually very secure for the majority of people, more secure than you can really hope for without going to extreme lengths.

      If you have communications or data that are so sensitive that you really have to go to extreme lengths to protect it, then you need the help of a security professional, not encryption and advice on password management.

      So, make your passwords random, different for each thing that requires a password, and write it down on a cheat sheet. Guard that sheet like you would your credit cards. If your wallet is lost, immediately set all your passwords to something temporary then build a new password list all over again.

      • Re: (Score:3, Informative)

        A while ago I decided I needed a new password system. I had 9 or 10 different passwords I used for basicly everything.
        It became increasingly anoying to remember which password I used where. And with the increasing number of password protected sites and apps I also started using the same passwords over and over.So I needed a new scheme.

        My requirements were that:
        it had to be long (14 chars minimum),
        had to contain letters and digits,
        should not be guessable, or at least parts of it (duh!),
        must be unique for eve
      • Re: (Score:3, Informative)

        by Jared555 (874152)

        100% security is possible if you have physical control of a device and want to make sure that nobody ever gets access to it again. (Turning the device into a fine powder and then either melting it down or distributing it across a very large area).... I believe at one point at least that is how the government handled things.

        Storing a backup version of your data that you do not need frequent access to on the other hand is possible to get 99.999% secure but as you increase the security level you also frequent

    • by NevarMore (248971) on Tuesday November 10, 2009 @11:13PM (#30055600) Homepage Journal

      I do something similar, but its the default output of pwgen. All I have to do is recall the first few syllables, the general grid location of the password, or just a part of the password.

      I carry this around in my wallet, sure my password is on there, but with no real frame of reference its hard to decipher and make a guess.

      Also, suggest printing with a fixed width font.

      $ pwgen
      gah5eiP2 Ga4cie3c ya6gaiTi eic1EeCo Shaisae5 ChaeXah2 Jaet0ooz ahThai3j
      Yie7UH9f Iefie1ja ooghu8Oh uot7aeL0 gughes2M fahGh9ah Ohz7ohto wae2Seh1
      avah3Oog Iechie2f eiPhoZi9 Mavohli9 Kohshis7 Meilo8ce Queis5hu Eiz9aij8
      Pae9ahPu Equ0zoo9 Oothahk3 pich2Xao IeZai3ae aiLa7Ath Eol2aes7 aeZ5raht
      AVai9nee Aam7ahzo Ioch2oqu faiGh0th eYae2ohl si7Te0we einai3Wa oash6Ahj
      Eik5uul2 opai8zoY ohw5Ihaf Mi7keix9 aevi1Wa3 mo9ohJ5I Piek2yoR Si1phieZ
      Ahc9luch ohNg6Oon daghieP9 reCh7jas joo4ooVi yooR6yeu eeph5Aip shie3Ahp
      quoVeg8U Nee3phah CahXee0r aoD8Thai Ai5Aigha eePh0zee Cheip5Ch xeebe0Oy
      laeFeez4 Ag9sheeR Ga4gooph Oijae9da aePao2ta ahz8ieNg bu9EhieS quooWoo3
      ahghea7N Bot9hieC He3eeGhi ouli8Oof ik3Ohsoh Rahz9Che aeXaNg1e soh3Thee
      Ahkith6u Ahs2Zuid eth6Ej0o Go0iho1d xaPhah9z aiNg1yoh Aer8Eet3 juZ3aThu
      gee4KooK Hee9iqu3 Duh4aipu AiP6ahph Shaec5ne neeXa6Re Roh6fief Baef9ieM
      eeGoo4ie eva1aeQu lu4hiJoh sae2DuYu fahGae7b Doh5Ifi6 jeish9Ae Rierieb5
      Eedae7Iu moo6aiG3 ohNei0ie ew9ieHeu xoh5caeL NeiD0ohs iipe4aeP Lich0xak
      Oozei5ao gaNgieV2 Dei0ae9l us3Loh8k phal5aeN aip0KeeV Aeg1rais oth1Ahdi
      was3ow8Y Oquud1bu emee7Ohr iewa6baJ ao8Airie beegooL9 heiveF7u ongooD9w
      iic4uGh0 Ohn9zeiC Neen4noh kei1Seng chieV3oh QuuQu2ju Eex1gaf3 aot8Dah1
      EDoh1aej eaBae1ri Eih0woh6 Eiw3Johp Yi3aizuu Og9shohl ho6mi6Xu AeT8eihu
      Iev5ohph lies0Iev eeV4jiek Tha1xoo8 gua9biiT aa4Maiga ohXoh3ai eisi8Jee
      Ieloh3mo Quoch6sh Eecha0Ra zahnguM8 ieP5Jeye Mao5maec Ephae8af quihei8A

      • by colenski (552404) on Wednesday November 11, 2009 @01:16AM (#30056450) Homepage
        enjoy explaining that bit of paper to DHS when they decide to look in your wallet as you go through airport security
      • by G3ckoG33k (647276) on Wednesday November 11, 2009 @02:08AM (#30056812)
        Sorry, but is NOT hard to guess. I guess Ngbu9E. See, it is not that difficult after all.
      • Re: (Score:3, Insightful)

        by CvD (94050)

        I would advise against your method, because you just reduced the search space for anyone wanting to get in from millions of possibilities to just 160 different passwords. Having a list with your actual password on it makes it pretty easy to brute-force.

        Same goes with an earlier suggestion of having your passwords on a slip of paper in your wallet but not indicate which passwords are for what. Very easy to brute force.

      • by RobDollar (1137885) on Wednesday November 11, 2009 @06:02AM (#30057950)

        I have a similar setup, I have this on a piece of paper in my wallet

        ABCDEFGHIJKLMNOPQRSTUVWXYZ

        and I simply remember which letter my password starts with, and then what letter comes second etc.

        For example, if my password was SLASHDOT, I would start by remembering the first letter, which is S, then remember the second letter, which is L, and I continue remembering until I have completed the password.

    • Re: (Score:3, Interesting)

      by hairyfeet (841228)

      Or he could just use KeePass [portablefreeware.com]. It is free, uses AES crypto, easy to back up and have in multiple places/computers, works great from a thumbdrive, and if he cooks up a nice and nasty password for KeePass (since he only needs the one to get to the others) the odds of anybody figuring it out is pretty much squat.

      So while carrying around scraps of paper might be one "low tech" way to do it, I'd prefer nice AES crypto. It seems like KeePass is what the guy is looking for, at least from the way I read TFS.

      • by WuphonsReach (684551) on Wednesday November 11, 2009 @01:07AM (#30056402)
        You could accomplish the same thing using a PGP/GPG encryption key and plain text files. (I prefer to keep each site's credentials in a different file. Other folks use larger files that cover multiple sites.)

        GPG is available on almost every possible platform. That satisfies the portability issue. Text files with encrypted ASCII text blocks inside are easy to backup (or can even be printed to hard copy).

        Plus, if you have a password that multiple people need to know, just encrypt the text with all of their public keys and email the ASCII text block to them.
  • Passwords in a file that you keep on an external drive locked in a safe? :)
  • Truecrypt (Score:5, Insightful)

    by Wingman 5 (551897) on Tuesday November 10, 2009 @09:32PM (#30054486)

    Do what I set up for my father, Truecrypt installed to a USB key, passwords in a plaintext file inside the arcive.

    • Re:Truecrypt (Score:4, Insightful)

      by yttrstein (891553) on Tuesday November 10, 2009 @09:43PM (#30054630) Homepage
      Where does he keep the Truecrypt password?
    • Re:Truecrypt (Score:5, Interesting)

      by Korin43 (881732) on Tuesday November 10, 2009 @10:12PM (#30054986) Homepage
      Why make them mount a Truecrypt volume and search through text files? KeePass gives you an encrypted searchable password database that's much easier to use: While it's running, click the system tray icon, type in your password and your passwords are listed and searchable. When you're done, minimize it back to the tray and it's locked again.
      • Re: (Score:3, Interesting)

        by peragrin (659227)

        what if your not using windows. what about using it from multiple computers.

        Mine is on a USB drive in an encrypted drive image, which stores the application and data files which which themselves are encrypted. my current problem is that it is OSX specific. I would love a way to be able to mount that drive on windows and Linux too.

        Of course such things don't work well unless you use a java app, which may or may not run depending if java is installed or not.

    • Re:Truecrypt (Score:4, Interesting)

      by darkpixel2k (623900) <aaron@heyaaron.com> on Tuesday November 10, 2009 @10:16PM (#30055024) Homepage

      Do what I set up for my father, Truecrypt installed to a USB key, passwords in a plaintext file inside the arcive.

      Why bother with passwords?

      Start authenticating with your GPG key. (http://gpgauth.com)

      Your GPG key logs you in, compromised sites don't hurt you.

    • Re: (Score:3, Interesting)

      by Darinbob (1142669)
      I do this also. I don't have a laptop I carry around, so I just have a USB storage lying on my desk with the passwords. Probably safer to put in a file drawer I suppose.

      I also have a copy of less important passwords at work, such as vendor support sites. This is stored in a secure drive partition on a Mac, and the password for that is in my wallet if I forget it. There aren't any vital passwords on it, so I'm not too concerned about how secure this is (if I start making intelligent posts on slashdot, th
    • by abdielillo (869806) on Tuesday November 10, 2009 @10:37PM (#30055264)
      I invented this method and has worked for me perfectly since then. What I did was to develop an algorithm by which I can reconstruct my passwords based on the website or account. For example: 1) Take the first letter on the website name eg : slashdot = 's' 2) Count letters in the website name: eg : slashdot = '6' 3) Count the vowels eg : slashdot = '2' 4) Take the last letter eg : slashdot = 't' 5) Add and underscore and a keyword in common to the end of the 4 previous characters eg : 's62t_w00t' Here's another example with google.com 1) 'g' 2) '3' 3) '3' 4) 'e' 5) 'g33e_w00t' Be creative with the rules... like for example, if its a bank account, make all letters UPPERCASE. Hope this helps. Note: the above example is not my PassGorithm :D
      • Re: (Score:3, Insightful)

        by RKThoadan (89437)

        I used to do something like this, but as companies buy each other out, rebrand parts of themselves and other such shenanigans the website name and URL tend to change. This can get confusing.

    • Re: (Score:3, Insightful)

      by Hatta (162192)

      Why is it on a USB key? You're not carrying around your Truecrypt volume and typing your passphrase into strange computers are you?

  • I recommend this three step method:
    Step 1) Memorize one very long complex password. Take your time and pick something out that is long enough that someone could watch you type it a dozen times and have absolutely no hope of getting close to it. Use this password to encrypt a zip file, 256 bit AES, with separate text files for each system where you need a password. Never type this password on a computer you can't trust implicitly and save the archive somewhere safe online and on a thumb drive. Update this p

  • Keepass (Score:5, Informative)

    by gad_zuki! (70830) on Tuesday November 10, 2009 @09:32PM (#30054494)
    • Re: (Score:3, Insightful)

      by digitalderbs (718388)
      I run keepassx [keepassx.org] myself. It generates strong passwords for you, if you'd like, or it stores all of your passwords in an encrypted file. It gives you the option to copy a password to the clipboard for a given amount of time (10 secs) before it is delete--it removes them on close too.I admit that I was uncomfortable with this at first, but this is no different than decrypting the password, and storing it in memory, before it's shown on screen.

      Keepassx also works great on Linux, Macs, and Windows, which I hav
  • if you use a mac... (Score:2, Informative)

    by Anonymous Coward
    1password for mac and iPhone/iTouch is a good product
    • by 93 Escort Wagon (326346) on Tuesday November 10, 2009 @10:06PM (#30054924)

      I prefer the built-in Mac Keychain. With the Mac OS Keychain plugin, Firefox will save its passwords there as well (and it can share them with Safari).

      One important consideration - change your Keychain password so it's different than your login password. Use something that's easy to remember but hard to guess, e.g. the price of a cheese pizza and a large soda at Panucci's Pizza ($10.77).

  • Simple (Score:2, Funny)

    by CrAlt (3208)

    Just use the same password for everything. I use "1234".. its the same as my luggage combo

  • Hashapass (Score:2, Interesting)

    by PercentSevenC (981780)
    Generates reasonably strong passwords that I don't have to worry about forgetting or storing. Works well for me. http://www.hashapass.com/ [hashapass.com]
    • Re: (Score:3, Insightful)

      by internic (453511)

      Hashapass is a clever idea, but don't you run into the problem of various sites having different requirements for a valid password?

      In my experience some sites want you to have a long passwords, others actually limit the length. Some only allow alphanumeric characters, and others mandate the presence of a non-alphanumeric character. Even worse, a lot of sites don't state clearly at the login prompt what their requirements are (you might need to fail once to see or even find it on another page), so doing

  • 1password (Score:2, Informative)

    by excalibur313 (920557)
    If you have a mac, definitely get 1password. It encrypts all of your passwords in a database that is accessed via 1 password that temporarily unlocks it. You can have it generate very long passwords on the fly too to make it very secure. It stores passwords from all websites that can be recalled during a session by pressing apple+\ but it locks after a period of time where it asks for the master password. You can also store secure notes, and keychains from applications.
    • Re: (Score:3, Informative)

      by Jerry Rivers (881171) *

      I'll second this. 1Password also works with both Safari and Firefox (and maybe others), allowing you to disable the browser's ability to remember passwords. All you need to do is remember the master password. It's an excellent utility for corporate environments too.

  • Try Keepassx (Score:2, Interesting)

    by willyg (159173)

    I've used Keepassx for a few years now. It's cross platform (Windows / Linux) and stores the files encrypted. I tried one of Bruce Schneier's public domain solutions previously, but the Linux install (Password Gorilla ???) was rather painful on some systems if I recall correctly.

    Just be sure to use a substantial password for the database...

  • PasswordSafe (Score:5, Interesting)

    by Avenger546 (69810) on Tuesday November 10, 2009 @09:37PM (#30054544)

    I first saw the link to PasswordSafe [sourceforge.net] from Bruce Schneier's site. If I have to take advice from someone on keeping something secure, it's Bruce.

    • I agree. I haven't tried all the others, but I use and am happy with PasswordSafe. It's native Windows only, but there is a Java version by someone else which works just fine on Linux x86 (and x64 with some hacking). I don't think the Java one works on other Linux platforms, since it uses JNI and requires some native libraries.
  • Easiest one is... (Score:3, Interesting)

    by JimboFBX (1097277) on Tuesday November 10, 2009 @09:38PM (#30054548)
    Memorize an e-mail address and change the @ to a '2'. Instantly you have a 14 - 20 character password. Use a shorter 8 character password with a number you can rotate on for sites you dont necessarily trust (i.e. where an administrator could potentially google your username or e-mail and try out your password at other web sites)
  • If you have access to any other box, how about a plain-text file there? Even a little security through obscurity (ie hidden file burried in the filesystem somewhere) would be better than letting Firefox automagically fill it in. I guess you could always encrypt the file so you only have a single one you absolutely must remember (shades of Flourish and Blott's losing all those copies of the Invisible Book of Invisibility though).

  • by clockwise_music (594832) on Tuesday November 10, 2009 @09:39PM (#30054574) Homepage Journal
    KeePass [keepass.info].

    * Stores all of your passwords in a secure encrypted file

    * Has auto-type so you don't have to type or remember your passwords

    * Has a great password generator tool, so that you can reset all of your passwords to something secure

    * Easily transferable password database.

    * Can run off a USB stick

    I checked it out a month ago on the recommendation of a mate, and have been using it ever since.

    It has everything that you need. Fantastic program and has been serving me brilliantly for the past month. I have now gone through all of the sites that I use regularly and have been resetting my passwords to something random. If any of those passwords are leaked then it won't be the disaster it could have been!

    And on the plus side, for the sites that I login to very occasionally (eg, once every six months) I don't have to scrounge around in my memory trying to figure out what my username+password is.

    And for those horrible sites that have mandatory minimum password requirements, it makes it really easy to generate a password that fits their bizarre criteria. (Eg, only 6-10 characters long, certain characters not allowed, must contain upper and lower case etc etc etc).

    Don't use Firefox's password storage! They are all stored in plain text! Anyone can view them!!
  • Never ever ever ever (EVER!) store your passwords where they can be retrieved by unauthorized 3rd parties! That includes password storing utilities, scraps of paper under your keyboard, or a little note in your wallet.

    Written down, in a lockbox, in a safe, in the floor of your basement, under a rug, in your house that has an active alarm system (that you use), in a armed guard and gated community is ok. Ok, most of us can be a bit less secure than that, but I don't recommend

  • by Prototerm (762512) on Tuesday November 10, 2009 @09:40PM (#30054602)

    Post-It notes have the distinct advantage that no computer virus or Trojan can steal it.

    • Doesn't account for "backdoor" exploits like curious girlfriends who might soon be ex's, pointy haired bosses or spiteful coworkers though :p
  • Opera stores multiple passwords for sites (like say if you have a few gmails). Unlike normally with most built in password managers, Opera allows you to set a master password that prompts you to enter it before it'll show your current passwords for a website. It works sort of like this:

    Opera does not store its Master Password in the plaintext format. Moreover, Opera doesn't even store its hash. The developers have chosen a different route: the password along with the salt participates in the encryption o
  • by Darkness404 (1287218) on Tuesday November 10, 2009 @09:41PM (#30054620)
    The first thing you have to realise is you can't be 100% secure. Keeping plain text files isn't that terrible of an idea in all honesty, your situation of where someone would steal your laptop and access all your files and look for passwords is unlikely. Your hardware is much, much, much more valuable to most thieves than your data. I bet most either A) just wipe with a clean install of Windows B) just randomly checks a few sites and gives up or C) scraps your laptop for individual parts. A laptop thief is not usually a tech person. When faced with encryption they aren't going to try to break in, after all your laptop is worth at least $50 on the black market no matter what the data is on there, so long as it boots up it is sellable.

    Similarly, few thieves are going to be looking for passwords on old sheets of paper. Most thieves if they break into a house look for A) cash B) jewellery C) expensive-looking technology. Even though it is much more important to us geeks, a thief is going to go for sellable things, chances are your plasma is more sellable than your Pentium 4 tower, your monitor more than your external HDD and your PS3 more than your stack of back-up DVDs.

    There is a -lot- more threat from crackers, viruses, keyloggers and other malware than the run-of-the-mill thief getting your laptop.
  • Write your own (Score:2, Insightful)

    by mobets (101759)

    I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.

    • Re: (Score:3, Insightful)

      by MichaelSmith (789609)

      I wrote my own password generator in vb.net. I'm sure it's not as random as it could be, but I think it's good enough.

      Well okay but how do you remember it? Unless the password generator always generates the same password.

  • Password Safe (Score:3, Informative)

    by antic (29198) on Tuesday November 10, 2009 @09:44PM (#30054660)

    I have to track a lot of personal passwords and also 200+ passwords for client websites, emails, etc. I use Password Safe and recommend it:

    http://passwordsafe.sourceforge.net/ [sourceforge.net]

    Hides when minimised and has a useful function that enables it to copy a password and minimise again when you double click a client name (i.e., if you need their main/default password). Quick and easy.

    Used to have Filezilla set to remember client passwords until a PDF hole led to a bot stealing Filezilla's password store and auto-hacking a lot of sites that were a serious pain to clean up.

  • by bbdd (733681)

    Another vote for KeePass

  • Gringotts used to be goog. Gringotts saves info in encrypted files. You still need 1 password to decrypt the file, but you can have copies of the file in multiple places. See http://directory.fsf.org/project/gringotts/ [fsf.org]
  • I've researched this one for my boss, as well as for personal use. I agree that for Mac users, 1password isn't too bad a program.

    If you want a *hardware* based solution, I've looked at Mandylion Labs' Password Manager before too.

    Personally, I thought the Mandylion Labs solution was overkill for anything less than corporate use, though. Its "strong points" are largely centered around an I.T. staff centrally administering password policies for the keyfob and so on.

    Another basic, but potentially effective an

  • Keepass is cross platform works on PC and Linux. :) Makes it easy to keep different credentials for every site you go to. Keeps passwords in an encrypted file.

    http://keepass.info/ [keepass.info]
  • LockNote (Score:3, Informative)

    by scott_karana (841914) on Tuesday November 10, 2009 @09:47PM (#30054706)

    I use Steganos LockNote (GPL, http://www.steganos.com/us/products/for-free/locknote/overview/ [steganos.com]), it's essentially a self-contained AES encrypting Notepad.
    And it's extremely stand-alone/portable, so you can just stick it on a USB stick.

  • I make my passwords something totally ridiculous that would probably be offensive to most people or certain groups I dont care for, haha. Something like macFanb0ysRghey&. Sure, I remember it, but if there's ever a chance you have to share that password with someone else, you either have to change it or see the person's face look like O.o
    • by plover (150551) * on Tuesday November 10, 2009 @10:45PM (#30055340) Homepage Journal

      A guy I used to work with told me a story about a late-night support call with the operations center. He figured out that they needed to run a job that was under someone else's account. So they conference-called in this other guy at home in the middle of the night, and asked him for his password. He refused to give it over the phone, and the operations people were getting madder and madder because the night's jobs were being held up. Finally, he agreed to give them the password but only if they turned off the speaker phone.

      The guy's password was BigBlackDonkeyDick.

      Hilarity ensued. I'm pretty sure the whole shop knew the guy's password by the next morning (hell, I still remember it and I didn't even know the guy!)

  • A spread sheet kept securely (encrypted file, not excel/etc. encryption but something like PGP or TrueCrypt). There are specific programs for this but I find a spread sheet works better.
  • by codermotor (4585) on Tuesday November 10, 2009 @09:53PM (#30054778)

    Create a passphrase which you prepend or append to every important password. Don't divulge that passphrase to any but the most trusted (spouse, family attorney, etc.).

    Keep a list of passwords sans the passphrase in a safe but accessible place in case you forget one. If someone finds that list, it'll do them little good since not only will they not know the passphrase, neither will they even know it exists.

    I'm assuming you have no state secrets or other seekrit stuff which may be intimidated out of you by other means (pliers, electrodes, etc.).

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Create a passphrase which you prepend or append to every important password.

      Bad idea. You should never use the same password (or part thereof) on two or more systems (that you do not control). In your case, if an attacker managed to get two of your passwords (say to two different web sites) then they could simply compare them and determine your super-secret pass phrase that you attach to all your passwords. Combine that with your list and you're owned.

      • Re: (Score:3, Insightful)

        by Kattspya (994189)
        So not only do they need control of your computer or at least two different servers but they also need physical access to your home or your person? Yeah, that's a likely scenario that is well worth protecting against. If you're that compromised or interesting keeping the password in your head won't be enough.
  • Hashing Works (Score:5, Interesting)

    by Aaron_Pike (528044) on Tuesday November 10, 2009 @09:57PM (#30054828) Homepage
    I use a mental hash for my less important passwords. That way all I have to do is look at the web site's name and run it through my hash function to come up with the password for that site. That way, I only have to remember the function and not the plethora of passwords.
    • Re: (Score:3, Interesting)

      by RJFerret (1279530)

      Mod parent up.

      I once wanted to make an account at a new website, only my rather unique account name was used, I tried logging in with my "password system" based on the site name and sure enough, I don't know how many years ago I setup an account (long enough to not remember the place) but unbeknownst to me, I was golden.

      The advantages is you never write them down, you never have to seek a resource to decrypt anything, you have unique passwords for everyplace.

      I have since modified this so it's just as easy t

      • Re: (Score:3, Interesting)

        Yes, I have a similar mental hash, although it is more complicated and so the password is longer. It makes sure that no two sites have the same password, so no one can get into my e-mail, say, just because they have found my Slashdot password. They take too long to type in, though, so I let Firefox remember them. Firefox protects them all with one master password that I enter once per session. In turn, my entire home directory (including the Firefox profile) is on a TrueCrypt partition (protected by a c

    • Re: (Score:3, Insightful)

      by fulldecent (598482)

      everyone uses this method but nobody want to reply and agree with you because then someone could find that person, reverse engineer their hash and then own them.

      shit!

    • Re: (Score:3, Informative)

      by EEBaum (520514)
      I've been doing this for years... great system. The one problem I've run into is when a site changes names or is bought out (e.g. Chase now owns WaMu). I then have to either change my password or try to remember how the history of mergers and acquisitions went down.
  • Firefox has a "master password" [mozilla.com] feature. Use it, and remember just one password. It'll prompt you for the master password the first time it visits a site that has a saved password.
  • 1Password (Score:3, Informative)

    by barzok (26681) on Tuesday November 10, 2009 @10:10PM (#30054966)

    On my Mac, I live & die by 1Password. I resisted putting all my passwords into a single store like it, but once I started, I was blown away by the program.

    For my PC at work, TrueCrypt with a spreadsheet inside.

  • by duncan bayne (544299) <dhgbayne@gmail.com> on Tuesday November 10, 2009 @10:14PM (#30055016) Homepage

    I recommend OBZVault [offbyzero.com]. OBZVault is a cross-platform encrypted text editor; with it you can secure sensitive information like passwords, quotes and messages, and access them from any operating system.

    We use OBZVault in-house to store all our important company secrets (passwords, PINs, etc.) in a single file that gets checked into our source control system. Using OBZVault we can access that file on any of the operating systems we use (Linux, Mac OS X, and MS Windows).

    It's licensed per physical machine, not per operating system, so e.g. a dual-boot Mac OS X and Ubuntu machine will only need one licence.

    (Disclaimer: I co-founded OffByZero [offbyzero.com], the company that produces OBZVault.)

  • Old School (Score:3, Interesting)

    by pilsner.urquell (734632) on Tuesday November 10, 2009 @10:17PM (#30055044)
    I use a plain old spiral bound address book. A I keep it locked in my gun safe, in the same room with with a shredder.
  • by Enti (726249) on Tuesday November 10, 2009 @10:25PM (#30055140)
    While you initially discount paper, a folded notecard in my wallet has been the most reliable method thus far Honestly, when is the last time you've lost your wallet? For me this was eight years ago. Just as you cancel your credit/debit cards when losing a wallet, significant passwords can also be changed. Consider it a security feature Besides, the slight inconvenience of taking out your wallet for a forgotten password encourages you to remember it (I have a straight-terrible memory, and this has worked)
  • by Potor (658520) <farker1@gma i l .com> on Tuesday November 10, 2009 @10:59PM (#30055466) Journal

    What's so wrong with using the opening sentences of books, with a bit of 1337 speak? Take the the first part of the opening sentence from James Joyce's "Ulysses":

    Stately, plump Buck Mulligan came from the stairhead

    Change a few letters to numbers, or introduce a misspelling. Even add different punctuation if you want. That'll be pretty stong. Then you can even email yourself a password hint: Joyce, or Dublin, or Stephen, or anything really. You'll remember it, if you're not an idiot. Follow the same pattern with different books for different important sites, and unless the CIA or Mossad is after you, you'll do fine.

    /not my password ... or is it?

Swap read error. You lose your mind.

Working...