Security

Ask Slashdot: How Do You Manage Your Passwords?

Albus Dumb Door writes "As an IT professional, I've got a problem common to many of you: dealing with a lot of passwords. Memorizing them all becomes harder with age and an increasing number of passwords. I will forget them eventually. I am obviously unable to use something online, like Last Pass and 1Password. Using a single password for all the systems is also obviously out of the question. I know that there are a few apps for cell phones for managing passwords (like Phone Genie and mSecure), but a cell phone, unless it's kept in offline mode (and even then), is still a security risk and I'm pretty sure my employers wouldn't like me having their passwords on my cell phone. I've also taken a look at things like the YubiKey, but changing the authentication scheme of most of the systems is not an option. The only interesting option I've seen so far is the Pitbull Wallet, but they just started taking pre-orders on IndieGoGo and are not expected to deliver until August. Amazon has some hardware password managers as well, like the RecZone and Logio, but either the price or their reviews scared me away. So how do you guys prefer to manage your passwords and what do you recommend?"
  • Keepass (Score:5, Informative)

    by Anonymous Coward on Friday February 21, 2014 @06:31PM (#46307001)

    extensible, open source, active project...what's not to like?

  • by Applehu Akbar ( 2968043 ) on Friday February 21, 2014 @06:36PM (#46307061)

    Get 1Password. There is a version for every platform, including mobiles. It stores your full logins and integrates with popular browsers: just click a toolbar icon, enter the one master password you have to remember, and you can log onto MightyMegaBank just by clicking on its name. The program will also optionally generate big random passwords to replace the short crappy ones that you used to be able to remember.

  • Keepass (Score:5, Informative)

    by Mr. Flibble ( 12943 ) on Friday February 21, 2014 @06:36PM (#46307065) Homepage

    I use Keepass.

    I store my keepass database on dropbox, this way it is accessible from my iphone, ipad and all my laptops and desktops. Any changes I make are synchronized between devices automatically.

    Keepass will auto fill in websites with plugins like KeeFox for Firefox, or launch Putty.

    I don't even know what my Slashdot, eBay or Amazon passwords are, as they are all about 64 random characters each.

    If you choose to go this route, it makes sense to have a very strong passphrase; as such, my passphrase exceeds 128 bits. A key file is also an excellent option.

  • by sconeu ( 64226 ) on Friday February 21, 2014 @06:47PM (#46307173) Homepage Journal

    I can understand not reading TFA, but did you even RTFS? What part of

    I am obviously unable to use something online, like Last Pass and 1Password.

    were you unable to understand?

    Now, I have absolutely no idea why poster "obviously" is unable to use it, but it's already ruled out.

  • by Garble Snarky ( 715674 ) on Friday February 21, 2014 @06:48PM (#46307197)
    every platform.... except desktop linux?
  • Re:Keepass (Score:4, Informative)

    by Mr. Flibble ( 12943 ) on Friday February 21, 2014 @06:51PM (#46307223) Homepage

    The keyfile is in my dropbox folder, I have dropbox installed on all my devices. On the iphone or ipad I just need to select the keepass file and it will open in the keepass app.

    Then my passphrase is required to open the encrypted file that contains the list of my passwords.

    This step is only required on my iphone/ipad if the keystore is out of sync with the dropbox folder. Otherwise the file remains cached on my portable device.

  • Re:LastPass (Score:5, Informative)

    by AdamWill ( 604569 ) on Friday February 21, 2014 @07:01PM (#46307307) Homepage

    They can't, because they don't have them. They have a bunch of encrypted blobs.

  • by Applehu Akbar ( 2968043 ) on Friday February 21, 2014 @07:26PM (#46307493)

    Because the OP is totally wrong, is why. 1Password keeps its data file locally. There are all kinds of synchronization features, which you don't have to use if you want to avoid online operations.

    OP may have been thinking of 1PasswordAnywhere, which is the all-online version.

  • Re:Keepass (Score:5, Informative)

    by Anonymous Coward on Friday February 21, 2014 @07:33PM (#46307541)

    Combine this with a keyfile that is not stored on the online syncing service. So if the keydb itself is obtained, it's useless without the keyfile (never put online) and the keyphrase. If someone obtains your phone or other device, they'll have the keydb and keyfile but not the keyphrase. Of course, nothing will protect you if your device is compromised (i.e. file access + keylogging) without your knowledge.

  • Re:LastPass (Score:4, Informative)

    by danlor ( 309557 ) on Friday February 21, 2014 @07:51PM (#46307673) Homepage

    Then select the option on the website that allows you to store your database in Europe. (requires paid version currently)

    https://lastpass.com/use_eu.ph... [lastpass.com]

  • Re:Keepass (Score:5, Informative)

    by FuzzNugget ( 2840687 ) on Friday February 21, 2014 @07:54PM (#46307695)
    Yup, I've used a number of password managers over the years and this one is easily one of the best. There's just no reason not to use it.

    There are ports for just about everything, including Android, which is incredibly handy.

    I particularly like the Firefox extension (KeeFox), which can be configured to automatically enter credentials as well as save new credentials entered in Firefox with one click.
  • Re:SuperGenPass (Score:4, Informative)

    by Anonymous Coward on Friday February 21, 2014 @08:02PM (#46307743)

    I too use SuperGenPass and it's absolutely great, but I recently discovered that it has some well-known weaknesses: http://akibjorklund.com/2009/supergenpass-is-not-that-secure

    An alternative is PwdHash, but I haven't motivated myself to switch yet.
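
The key file arrangement discussed in the Keepass comments above (database synced online, key file kept off the sync service, passphrase memorized), as an added sketch that is not from any poster or from KeePass itself. Each factor is hashed and the hashes are combined into one composite key; PBKDF2 and an HMAC tag are assumptions standing in for the password manager's real key transformation and database encryption, and all sample values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

KDF_ROUNDS = 200_000  # assumed work factor for this sketch


def composite_key(passphrase: str, keyfile: Optional[bytes]) -> bytes:
    """Hash each factor on its own, then hash the concatenation."""
    parts = hashlib.sha256(passphrase.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def master_key(passphrase: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    # PBKDF2 is a stand-in (assumption) for the manager's own slow KDF.
    return hashlib.pbkdf2_hmac(
        "sha256", composite_key(passphrase, keyfile), salt, KDF_ROUNDS)


def seal(passphrase: str, keyfile: Optional[bytes], payload: bytes) -> dict:
    """Build a toy database: salt, opaque payload, and a keyed integrity tag."""
    salt = os.urandom(16)
    key = master_key(passphrase, keyfile, salt)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return {"salt": salt, "payload": payload, "tag": tag}


def unlocks(db: dict, passphrase: str, keyfile: Optional[bytes]) -> bool:
    """True only if the supplied factors reproduce the key that sealed db."""
    key = master_key(passphrase, keyfile, db["salt"])
    expected = hmac.new(key, db["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, db["tag"])


def scenarios() -> dict:
    passphrase = "constructed example passphrase"  # constructed sample value
    keyfile = os.urandom(32)                       # constructed key file content
    db = seal(passphrase, keyfile, b"<encrypted entries>")
    return {
        # All three pieces present: the database opens.
        "owner": unlocks(db, passphrase, keyfile),
        # Copy taken from the sync service: no key file, even with the passphrase.
        "sync_copy_no_keyfile": unlocks(db, passphrase, None),
        # Copy taken from a device: database and key file, but not the passphrase.
        "device_copy_wrong_passphrase": unlocks(db, "wrong guess", keyfile),
    }
```

Neither partial scenario covers the case raised in the same comment, a compromised device with file access and keylogging, where all three pieces are exposed at once.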
