Security

Ask Slashdot: How Do You Manage Your Passwords? 445

Albus Dumb Door writes "As an IT professional, I've got a problem common to many of you: dealing with a lot of passwords. Memorizing them all becomes harder with age and an increasing number of passwords. I will forget them eventually. I am obviously unable to use something online, like LastPass and 1Password. Using a single password for all the systems is also obviously out of the question. I know that there are a few apps for cell phones for managing passwords (like Phone Genie and mSecure), but a cell phone, unless it's kept in offline mode (and even then), is still a security risk and I'm pretty sure my employers wouldn't like me having their passwords on my cell phone. I've also taken a look at things like the YubiKey, but changing the authentication scheme of most of the systems is not an option. The only interesting option I've seen so far is the Pitbull Wallet, but they just started taking pre-orders on IndieGoGo and are not expected to deliver until August. Amazon has some hardware password managers as well, like the RecZone and Logio, but either the price or their reviews scared me away. So how do you guys prefer to manage your passwords and what do you recommend?"
This discussion has been archived. No new comments can be posted.

  • Air Gapped Box (Score:4, Interesting)

    by Anonymous Coward on Friday February 21, 2014 @06:29PM (#46306985)

    It's not portable, and this is just what I do at home so may not scale well to the office, but I've basically got an old intel atom box (MSI Wind PC) running linux (slackware) with no network connection and full disk encryption just using luks/dm-crypt. I keep passwords, banking numbers, and other bits of sensitive info on there. No fancy management software, just plain old text files. I have it hooked up through a KVM and I just leave it running all the time (with locked screen), so it's nothing to switch to it when I need to use an old password or update a password when I change one.

    Files are backed up locally using rsnapshot (for history), and then that's periodically copied to one of 2 (also encrypted) USB thumb drives (I leave one plugged in the back and periodically swap them).

    Primitive, but sometimes that's what works. You could probably do the same with a raspberry pi at this point (disk encryption might be fun though).

    Also this topic comes up like once a month, and the answer has not changed in years. Stop asking!

    Completely off topic: what would be the best way to physically disable the wifi capability of a device. Obviously you can disable in software, but I'm the paranoid sort, and would love a way of knowing that my IP web cam is not gonna be doing anything with that wifi antenna. Thinking maybe some kind of terminator or some other way of "absorbing" the signals.

  • by immaterial ( 1520413 ) on Friday February 21, 2014 @06:38PM (#46307093)
    Maybe I'm an idiot but I don't get why these options are obviously bad. I use 1Password on a regular basis.
  • Re:LastPass (Score:5, Interesting)

    by gmuslera ( 3436 ) on Friday February 21, 2014 @06:59PM (#46307293) Homepage Journal
    What if they are required by the NSA (along with the "don't disclose that we are asking this") to give them your passwords? Giving control to a US company could go very wrong. Even Hushmail, which promised to have all your information encrypted, gave it to the feds [wired.com]... and they are Canadians.
  • SuperGenPass (Score:5, Interesting)

    by Chelloveck ( 14643 ) on Friday February 21, 2014 @07:01PM (#46307305)

    For the most part I don't save or memorize passwords. I regenerate them as needed with SuperGenPass [supergenpass.com]. SuperGenPass algorithmically generates passwords by hashing the site's domain name together with a single memorized password. This always generates the same password for any given site. So, I don't have to remember them or store them anywhere, I just need to know how they're generated.

    But what if I'm at someone else's computer without SGP installed? The SGP website has a "mobile" version, which is just javascript that runs entirely within the browser. Go there, type in the domain and password, and generate it. (Yes, I've checked the javascript. It's not sending your password out to the mothership or saving anything locally.)

    I do keep a notebook in a plaintext file with all the sites I use. This contains the domain name that the site had when I first signed up. Domain names sometimes change, or are ambiguous (i.e., the same site is available via both foobar.org and foobar.com). The text file lets me keep track of what I need in order to regenerate the password.

    What about sites that require periodic password changes? I use the domain and just suffix my memorized password with a sequence number. And I write the sequence number in my notebook.

    What's that? Security questions? I generate the answer by hashing the question itself rather than the domain with my memorized password. And of course, I copy the question verbatim into my text file so I can regenerate the answer when I need to.

    The only failing is when I hit a site that doesn't allow certain punctuation, or has length limits, or something of that nature. Then I modify the parameters that I give to SGP and write down the specific parameters that I used.

    The notebook is stored on my home fileserver in an svn repository which gets backed up every night. I'm completely screwed if I ever forget my one secret, but it's one I've been using for literally decades now. It's going to be one of the last things to go when my brain develops bit rot.
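
    The derivation scheme described in the SuperGenPass comment above, as an added example written for this page rather than SuperGenPass's own code: it keeps the idea (master secret plus a site label in, deterministic password out) together with the sequence-number and verbatim-security-question tricks from the post, but swaps in PBKDF2-HMAC-SHA256 for SGP's hash and uses its own label normalization, alphabets and policy check. The master phrase, site and question in it are placeholders, and its outputs are not compatible with SGP.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Character sets; pass a narrower one for sites that reject punctuation.
ALPHABET_FULL = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
ALPHABET_ALNUM = string.ascii_letters + string.digits


def normalize_site(site: str) -> str:
    """Reduce a URL or host name to a stable label: lowercase host with no
    scheme, port, path or leading 'www.'. No public-suffix logic is applied,
    so, as with the notebook in the post, the caller must reuse the same
    label each time (foobar.org and foobar.com are different labels)."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or site
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def _meets_policy(pw: str, alphabet: str) -> bool:
    """For every character class the alphabet contains (lower, upper, digit),
    require at least one such character in the password, so the result
    passes common complexity rules without per-site tweaking."""
    classes = (str.islower, str.isupper, str.isdigit)
    return all(any(f(c) for c in pw)
               for f in classes if any(f(c) for c in alphabet))


def derive(master: str, label: str, seq: int = 0, length: int = 16,
           alphabet: str = ALPHABET_FULL, iterations: int = 100_000) -> str:
    """Derive a password from (master secret, label, sequence number).

    `label` is a normalized domain, or a security question copied verbatim,
    as in the post. A slow KDF (PBKDF2-HMAC-SHA256) stands in for a fast
    hash so that one leaked derived password does not make offline guessing
    of the master secret cheap. If the mapped output misses a required
    character class, the round index is bumped and the derivation repeated;
    the retry index is part of the input, so the output stays deterministic.
    """
    if length < 3 or len(alphabet) < 10:
        raise ValueError("need length >= 3 and an alphabet of >= 10 characters")
    for rnd in range(64):
        salt = f"{label}\x00{seq}\x00{rnd}".encode()
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                  iterations, dklen=2 * length)
        # Two key bytes per output character keep the modulo bias negligible.
        pw = "".join(alphabet[int.from_bytes(key[i:i + 2], "big") % len(alphabet)]
                     for i in range(0, len(key), 2))
        if _meets_policy(pw, alphabet):
            return pw
    raise RuntimeError("no policy-conforming output after 64 rounds")


if __name__ == "__main__":
    master = "correct horse battery staple"  # placeholder, not a real secret
    site = normalize_site("https://www.Example.com/login")
    print(site, derive(master, site))                             # first password
    print(site, derive(master, site, seq=1))                      # after a forced rotation
    print(derive(master, "What was your first pet's name?"))      # security question
    print(derive(master, site, alphabet=ALPHABET_ALNUM, length=12))  # no punctuation
```

    Two caveats a practitioner would add to the comment's scheme: with a fast hash, a single derived password captured from a weakly secured site gives an attacker an offline oracle against the master secret, which is why a deliberately slow KDF is used here; and because every non-default input (sequence number, alphabet, length, the exact question text) changes the output, the notebook the comment keeps is not optional but part of the system.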

  • KeePass (Score:5, Interesting)

    by CreatureComfort ( 741652 ) on Friday February 21, 2014 @07:08PM (#46307355)
    KeePass. With the encrypted datafile in dropbox.
  • by joe_frisch ( 1366229 ) on Friday February 21, 2014 @07:14PM (#46307395)

    I also have them written on a piece of paper, but it wouldn't do you much good if you stole it. If you see "god#", what would you type? It reminds me of what password I actually used (which doesn't contain English words).

    Now if someone REALLY wanted access to my accounts they could probably use that hint to reduce their search. If they had cracked some accounts, they could probably figure out some of the schemes I use as reminders and quickly figure out the rest.

    Of course they could also just hack my home wireless, or put me in a van and drill holes in my kneecaps until I told them.

  • by unrtst ( 777550 ) on Saturday February 22, 2014 @12:19PM (#46311233)

    What if he doesn't trust the implementation of the encryption in the password manager?

    These "what if's" are getting a bit silly. I'm not saying he should trust that implementation, but if he has reason not to, I'd hope that he's also smart enough (or believes he is) to pick an encryption scheme he does trust. We're really just talking about how paranoid someone wants to get with passwords that will be used on a lot of hosts, many of which are probably secured weakly. I.e., it seems like you're trying to create a flow chart out of this thread :-)

    * 1password +dropbox or similar stuff? - don't trust dropbox
    * 1password + your own sync or backup? - don't trust 1password encryption
    * clipperz + your own sync or backup (btw, clipperz is open source)? - not sure what you/he may not trust
    * name-your-own-encryption + a text file? - maybe you don't trust your own network connected OS
    * any of those, put inside a vm?
    * any of those, put inside a vm using full disk encryption in the vm?
    * ... with the vm files mounted via loopback encrypted again?
    * any of those on separate hardware (Raspberry Pi, an old android phone, HDMI dongle PC, etc)? ... this list can keep getting longer and longer.

    The orig question was "what do you use?", not "what should I use if I'm a paranoid schizophrenic that doesn't trust anything, especially the aliens that keep talking to me in my sleep?"

    To answer the orig question: I use an encrypted text file. I occasionally check out some of the offerings out there like lastpass, keepass, clipperz, etc, and even recommend those to others, but my simple encrypted text file has served me well for a long long time, and it is by far the fastest interface there is (vim). There is a security risk with it - one could do memory scraping while it's open to read the buffers, or use a key logger to snag the password for the master key, etc; and there's portability issues - it's trivial for me to get access setup once I'm on a linux OS anywhere in the world, but I don't always have that on me, and that hasn't been a problem.
