Forgot your password?
typodupeerror
Security

Ask Slashdot: How Do You Manage Your Passwords? 445

Posted by Soulskill
from the alternate-between-12345-and-54321 dept.
Albus Dumb Door writes "As an IT professional, I've got a problem common to many of you: dealing with a lot of passwords. Memorizing them all becomes harder with age and and an increasing number of passwords. I will forget them eventually. I am obviously unable to use something online, like Last Pass and 1Password. Using a single password for all the systems is also obviously out of the question. I know that there are a few apps for cell phones for managing passwords (like Phone Genie and mSecure), but a cell phone, unless it's kept in offline mode (and even then), is still a security risk and I'm pretty sure my employers wouldn't like me having their passwords on my cell phone. I've also taken a look at things like the YubiKey, but changing the authentication scheme of most of the systems is not an option. The only interesting option I've seen so far is the Pitbull Wallet, but they just started taking pre-orders on IndieGoGo and are not expected to deliver until August. Amazon has some hardware password managers as well, like the RecZone and Logio, but either the price or their reviews scared me away. So how do you guys prefer to manage your passwords and what do you recommend?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How Do You Manage Your Passwords?

Comments Filter:
  • Air Gapped Box (Score:4, Interesting)

    by Anonymous Coward on Friday February 21, 2014 @06:29PM (#46306985)

    It's not portable, and this is just what I do at home so may not scale well to the office, but I've basically got an old intel atom box (MSI Wind PC) running linux (slackware) with no network connection and full disk encryption just using luks/dm-crypt. I keep passwords, banking numbers, and other bits of sensitive info on there. No fancy management software, just plain old text files. I have it hooked up through a KVM and I just leave it running all the time (with locked screen), so it's nothing to switch to it when I need to use an old password or update a password when I change one.

    Files are backed up locally using rsnapshot (for history), and then that's periodically copied to one of 2 (also encrypted) USB thumb drives (I leave on plugged in the back and periodically swap them).

    Primitive, but sometimes that's what works. You could probably do the same with a raspberry pi at this point (disk encryption might be fun though).

    Also this topic comes up like once a month, and the answer has not changed in years. Stop asking!

    Completely off topic: what would be the best way to physically disable the wifi capability of a device. Obviously you can disable in software, but I'm the paranoid sort, and would love a way of knowing that my IP web cam is not gonna be doing anything with that wifi antenna. Thinking maybe some kind of terminator or some other way of "absorbing" the signals.

    • by Lanforod (1344011)
      Find and physically remove the wifi chip?
    • by immaterial (1520413) on Friday February 21, 2014 @06:38PM (#46307093)
      Maybe I'm an idiot but I don't get why these options are obviously bad. I use 1Password on a regular basis.
      • by andrews (12425) <alan@tCOMMAieless.com minus punct> on Friday February 21, 2014 @06:42PM (#46307125)

        I don't see the "obviously" either. I use 1Password and it's not web based, the secure password database file sits in Dropbox and is synced to all my computers and my iPhone. Works great.

    • Can you disable in BIOS?
    • by scheme (19778)

      Completely off topic: what would be the best way to physically disable the wifi capability of a device. Obviously you can disable in software, but I'm the paranoid sort, and would love a way of knowing that my IP web cam is not gonna be doing anything with that wifi antenna. Thinking maybe some kind of terminator or some other way of "absorbing" the signals.

      Find and remove the antenna for wifi. If that's not possible, make an impromptu faraday cage around the body of the camera. It won't completely block the signals but it should reduce it significantly.

  • by Anonymous Coward on Friday February 21, 2014 @06:31PM (#46306999)

    on my desktop.

  • Keepass (Score:5, Informative)

    by Anonymous Coward on Friday February 21, 2014 @06:31PM (#46307001)

    extensible, open source, active project...what's not to like?

    • by gmuslera (3436) on Friday February 21, 2014 @06:54PM (#46307257) Homepage Journal
      Also works or have alternatives that use the same data files for most OSs, including mobile ones. You can backup/sync your password file between devices using online services while have a secure enough master password for it. Of course, you must keep in mind that if you have a keylogger in the device you are using that password file it will become compromised. Maybe having different password files for different uses would make it safer.
      • Re:Keepass (Score:5, Informative)

        by Anonymous Coward on Friday February 21, 2014 @07:33PM (#46307541)

        Combine this with a keyfile that is not stored on the online syncing service. So if the keydb itself is obtained, it's useless without the keyfile (never put online) and the keyphrase. If someone obtains your phone or other device, they'll have the keydb and keyfile but not the keyphrase. Of course, nothing will protect you if your device is compromised (i.e. file access + keylogging) without your knowledge.

    • Re:Keepass (Score:5, Informative)

      by FuzzNugget (2840687) on Friday February 21, 2014 @07:54PM (#46307695)
      Yup, I've used a number of password managers over the years and this one is easily one of the best. There's just no reason not to use it.

      There are ports for just about everything, including Android, which is incredibly handy.

      I particularly like the Firefox extension (KeeFox), which can be configured to automatically enter credentials as well as save new credentials entered in Firefox with one click.
  • Write them down. (Score:5, Insightful)

    by khasim (1285) <brandioch.conner@gmail.com> on Friday February 21, 2014 @06:32PM (#46307015)

    For work, write them down on physical paper and keep them in your physical wallet.

    You'll notice if your wallet goes missing.

    For home, write them down on physical paper and keep that somewhere safe.

    • by Anrego (830717) * on Friday February 21, 2014 @06:37PM (#46307079)

      For an extra layer of security, come up with some really basic cypher that you can do in your head. It doesn't have to withstand rigorous cryptanalysis, just has to hold up long enough for you to notice your wallet is missing and change all your passwords.

      Even something silly like taking the third character and sticking it on the end is probably enough.

      • by msauve (701917)
        If your passwords are in your wallet, and your wallet is missing, how do you change your passwords? Not everything with a password will email you a new random one.

        And, you still need to have a list of all the accounts which have passwords somewhere, so you know what needs to be changed.
        • A list of services in a text file with no meaning or obvious connection to the passwords written down would be easy enough. Maybe split them up have the services they are used for stored somewhere and the passwords written down with no connection to the service they are used for. That way someone who takes the wallet would get a piece of paper with crap written on it and no way to know what it's for.
        • by khasim (1285) <brandioch.conner@gmail.com> on Friday February 21, 2014 @06:58PM (#46307277)

          If your passwords are in your wallet, and your wallet is missing, how do you change your passwords?

          If they're in your wallet then they're work passwords. So you contact the other admin and have her change your passwords.

          And, you still need to have a list of all the accounts which have passwords somewhere, so you know what needs to be changed.

          And for work this should be documented already. Along with reset procedures and contact numbers.

          For home, having them stolen is less of a risk. But you can always keep a copy (encrypted or not) with someone else in your family or a trusted friend or a safety deposit box. You're probably more at risk of them being destroyed in a fire or something. So treat them the same as any other important document.

      • by khasim (1285) <brandioch.conner@gmail.com> on Friday February 21, 2014 @06:51PM (#46307233)

        Sounds good.

        And you might also want to keep a few additional passwords on that piece of paper. For those circumstances where you're suddenly required to have a new one (X characters, Y capitals, Z numerals) for a new application or whatever. Always nice to have one ready instead of trying to think one up on the spot.

      • That's pretty much what I do during my contract on the ship. I don't have a wallet, but have a pocket notebook and there I write down the network configuration, some usernames/passwords for some servers etc (every ship is different). With time, I remember all of this stuff so I destroy the papers anyway.

        I never write down which credentials are used for what, this is what I know, and always add some logical sounding letters/number to every piece of information but in some way that I always know what is garba

  • LastPass (Score:5, Insightful)

    by ZerXes (1986108) on Friday February 21, 2014 @06:34PM (#46307039)
    Why is LastPass not an option? The password database is always synced to your laptop/cellphone so there is no problem accessing your passwords when you are offline. The security is the most robust I have found when it comes to password management, especially when you use 2-factor auth.
    • by neiras (723124)

      That and Lastpass encrypts/decrypts the password store on the client side. Only the encrypted database is ever sent over the wire. It's not perfect, but Lastpass has been great for me. Worth the $12/year. I don't know any of my passwords now except one, and my yubikey protects the Lastpass master password.

    • Or 1Password. You can use an iPhone or Android phone. The data is encrypted. Yes, the NSA can probably get to it, no they probably wont bother. Should be adequate for most users. If you lose the phone and you're worried about somebody breaking the encryption you can log into DropBox (or whoever you have the file stored with) and delete it or just change the password from another device.

      Not perfect, but pretty damned good and a hell of a lot more user friendly than some of the Totally Paranoid suggestio

    • Re:LastPass (Score:5, Interesting)

      by gmuslera (3436) on Friday February 21, 2014 @06:59PM (#46307293) Homepage Journal
      What if they are required by the NSA (along with the "don't disclose that we are asking this") to give them your passwords? Giving the control to an US company could go very wrong. Even Hushmail that promised to have all your information encrypted gave it to the feds [wired.com]... and they are Canadians.
  • Get 1Password. There is a version for every platform, including mobiles. It stores your full logins and integrates with popular browsers: just click a toolbar icon, enter the one master password you have to remember, and you can log onto MightyMegaBank just by clicking on its name. The program will also optionally generate big random passwords to replace the short crappy ones that you used to be able to remember.

    • by sconeu (64226) on Friday February 21, 2014 @06:47PM (#46307173) Homepage Journal

      I can understand not reading TFA, but did you even RTFS? What part of

      I am obviously unable to use something online, like Last Pass and 1Password.

      were you unable to understand?

      Now, I have absolutely no idea why poster "obviously" is unable to use it, but it's already ruled out.

      • by rk (6314)

        This is called "challenging the assumptions." You, he, (and I for that matter) agree that it's not obvious why he's unable to use it. If the article poster is unaware that LastPass or 1password can work completely offline, then perhaps that information would change why they're ruled out. He might have another reason, but since it's not as obvious to us as it is to him, it's more than fair to raise it, especially when you're getting the advice for free.

        Personally, I only tolerate not being able to question a

      • by Applehu Akbar (2968043) on Friday February 21, 2014 @07:26PM (#46307493)

        Because the OP is totally wrong, is why. 1Password keeps its data file locally. There are all kinds of synchronization features, which you don't have to use if you want to avoid online operations.

        OP may have been thinking of 1PasswordAnywhere, which is the all-online version.

    • by Garble Snarky (715674) on Friday February 21, 2014 @06:48PM (#46307197)
      every platform.... except desktop linux?
  • Keepass (Score:5, Informative)

    by Mr. Flibble (12943) on Friday February 21, 2014 @06:36PM (#46307065) Homepage

    I use Keepass.

    I store my keepass database on dropbox, this way it is accessible from my iphone, ipad and all my laptops and desktops. Any changes I make are synchronized between devices automatically.

    Keepass will auto fill in websites with plugins like KeeFox for Firefox, or launch Putty.

    I don't even know what my Slashdot, eBay or Amazon passwords are, as they are all about 64 random characters each.

    If you choose to go this route, it makes sense to have a very strong passphrase, as such, my passphrase exceeds 128 bits. A key file is also an excellent option.

    • Re:Keepass (Score:4, Insightful)

      by jakeguffey (587607) on Friday February 21, 2014 @06:43PM (#46307141)

      Came here to say this.

      I've used KeePass (or, in my case, KeePassX since I'm on *NIX) for about 6 years and it's been great. Encrypted local storage that I can sync between devices if I want, with an Android app (KeePassDroid) available makes life easy. It's also the only approved password storage method where I work.

    • So, do you put the keyfile in your Dropbox folder, or no? If so, how is that more secure than using a password? Otherwise, do you just manually move it to different devices with a thumb drive or email, or what?
      • Re:Keepass (Score:4, Informative)

        by Mr. Flibble (12943) on Friday February 21, 2014 @06:51PM (#46307223) Homepage

        The keyfile is in my dropbox folder, I have dropbox installed on all my devices. On the iphone or ipad I just need to select the keepass file and it will open in the keepass app.

        Then my passphrase is required to open the encrypted file that contains the list of my passwords.

        This step is only required on my iphone/ipad if the keystore is out of sync with the dropbox folder. Otherwise the file remains cached on my portable device.

      • by CCarrot (1562079)

        So, do you put the keyfile in your Dropbox folder, or no? If so, how is that more secure than using a password? Otherwise, do you just manually move it to different devices with a thumb drive or email, or what?

        I don't, but opinions vary on this. For me it's no big deal to transfer the keyfile offline to any device that I would want to use, but 90% of the time it's one of two devices (phone, laptop). I always have my phone with me, so I always have my keyfile with me too if I need access from a different device...I suppose if I accidentally dropped both of them off a mountain somewhere, then I'd be hooped until I could get home again and grab the keyfile from my secure backups :)

        AS to the how, well bluetooth wor

    • by kwalker (1383)

      Same here. I use KeePassX, other members of my team use KeePass on Windows or Mac. I also use KeePassDroid on my Android phone. The database is compatible between all versions, and encrypted so it can be stored on a file share (In our case, our departmental drive). I also use ownCloud to sync it automatically between devices whenever a password is updated.

      I don't use the plugins though. I don't need to. KeePassX allows me to auto-type in named windows by hitting a global hot-key. Very useful.

    • by CCarrot (1562079)

      I use Keepass.

      I store my keepass database on dropbox, this way it is accessible from my iphone, ipad and all my laptops and desktops. Any changes I make are synchronized between devices automatically.

      Keepass will auto fill in websites with plugins like KeeFox for Firefox, or launch Putty.

      I don't even know what my Slashdot, eBay or Amazon passwords are, as they are all about 64 random characters each.

      If you choose to go this route, it makes sense to have a very strong passphrase, as such, my passphrase exceeds 128 bits. A key file is also an excellent option.

      Why not both? KeePass allows you to do that.

      I also use KeePass (despite how silly the name looks when it's not properly capitalized :) but I use both a strong passphrase and a keyfile, then keep the KP database on Dropbox. The keyfile is manually transferred to any computer or device that I want to access Keepass from, so even if someone scrapes my DropBox, they can crack away at the database all they want, they still don't have the keyfile needed to decrypt it... I guess if someone gets my phone or lapt

    • by idji (984038)
      I also use keypass+dropbox+iphone+Minikeepass.
      Why is a keyfile an excellent option? If you only have 500,000 files on your computer (I bet you have less on your iphone), it can't take long to try them all - that is less secure than a 6 digit PIN, isn't it?
      Or do you mean keyfile+passphrase? But isn't the effort to find the path of the keyfile more clicking/typing than an extra 6 digits??
    • by Immerman (2627577)

      Ditto. Worth mentioning since no one has so far that the password list is heavily encrypted (including multi-pass encryption to ensure that any attempt to brute-force it requires many seconds or minutes per guess to attempt the decryption), so you only need to remember a single password for the vault to keep the stored passwords secure. You also have the option of using a separate multi-KB keyfile to increase security even further - i.e. you need password vault on computer + keyfile on USB + password in h

  • Why are you unable to use one of the online systems like Lastpass? It's been very well vetted, offers offline and online modes. I personally find 1pass to be very Mac centric and expensive but it's a good product too. Keypass is a good opensource alternative, although its a local program so there are those downsides. It has android and iOS apps too so you can have access on a mobile device if needed.
    • by Agent0013 (828350)
      I like KeyPass because the same database file can be used in my Android phone and on me PC. I don't want to use a cloud based password storage as that might be a vulnerability. I also like that KeyPass allows you to use more than just a password to protect the database, you can also have it use a keyfile. So it turns into something you know (the password) and something you have (the keyfile on a USB key). Then you just need to keep the database synchronized between the different systems you use it on. That
      • by CCarrot (1562079)

        I like KeyPass because the same database file can be used in my Android phone and on me PC. I don't want to use a cloud based password storage as that might be a vulnerability. I also like that KeyPass allows you to use more than just a password to protect the database, you can also have it use a keyfile. So it turns into something you know (the password) and something you have (the keyfile on a USB key). Then you just need to keep the database synchronized between the different systems you use it on. That could be a problem if you add passwords very frequently, but in my useage it has not been a problem. KeePassDroid is a nice Android version.

        My dually-encrypted KP database is the one and only sensitive file I entrust to Dropbox, since even if someone gets it, they'll have to crack both the keyfile and the passphrase to get anything out of it. That does a lovely job of keeping your database in sync for you, since Dropbox clients are pretty much everywhere :)

  • I keep a KeePass database for each of my consulting clients and encrypt them with a unique master password for each client that gets shared with the client. Then, another KeePass database with all of the client's master passwords inside of it encrypted with yet another master password that gets shared with my fellow consultants. This lets me give my clients access to their password documentation without having to give them the master password for all of my clients' databases. It also ensures that my coll
  • I like KeePass it uses a database file that you can copy manually and you don't need to sync, or you could place the file on a dropbox share and use it from there. The file is encrypted and you need to enter a Master password each time. If you ever needed to give someone passwords you can export just the ones you need to share and set a new password so they can use it. Its been my favorite one to use since I use crazy complex passwords for everything online.
  • by Capt.DrumkenBum (1173011) on Friday February 21, 2014 @06:43PM (#46307139)
    PasswordSafe works for me.
    Several passwords I need commonly, are written in my wallet, with nothing to indicate what, or what usernname, or system they are for. There are about 5 passwords written on a sticky note stuck to the back of a seldom used credit card.
    Everything else is in PasswordSafe.
    • by Melkman (82959)
      Also worth mentioning is that the PasswordSafe database format has many different clients many of which are open source so you can check how your passwords are protected. Examples are Password Gorilla for Linux, MacOS and Windows and PwSafe for iOS .
    • by godrik (1287354)

      I use a few password for common systems I log in. For all the rest I use pwsafe to generate random passwords. I keep the password file on a git repository cloned on all my machines so it is difficult to lose that file.

  • I created a web app. The password (decyption key) is sent on every request, so it's never at rest. Under the hood, entries are encrypted and decrypted with openssl using a reasonably secure algorithm. Each entry in the database is just a plain text file. I can include passwords, accounting information, URLs, whatever I want.

  • 1. Access should only be available to systems you currently and actively manage. If you're using the system so infrequently that you can forget, your account should suspended. 2. Admins should keep a secure log of access credentials stored in a secure area with controlled access. Any "in case of my death" information should be recorded. If there isn't a local site, you might want to consider storing the documents in a safe deposit box at your bank.
  • by turkeydance (1266624) on Friday February 21, 2014 @06:45PM (#46307163)
    randomly. three options. 1. slashdot starts with s: password is sw23edcx. 2. two s words: semaphoreslinky. 3. for those that require combos: Sw@3edcx.
  • What I use is a text file on a thumb drive also backed up on several local drives.

    The text file contains the first half or so of the password, enough to remind me of what the password is should I forget. The rest is stored in my brain.

    For rarely used passwords and places I will put a hint under the half pass.

    I am trying to get away from these long 20 character passwords though... I really wish some one would invent a better system. Maybe a thumb drive that combines storage and a thumb print scanner in one

    • by CCarrot (1562079)

      What I use is a text file on a thumb drive also backed up on several local drives.

      The text file contains the first half or so of the password, enough to remind me of what the password is should I forget. The rest is stored in my brain.

      For rarely used passwords and places I will put a hint under the half pass.

      I am trying to get away from these long 20 character passwords though... I really wish some one would invent a better system. Maybe a thumb drive that combines storage and a thumb print scanner in one package.

      Youy mean like this [ironkey.com]?

      Yeah, they're a bit [amazon.com] pricey [amazon.com], but not totally out of the ballpark for the concerned user :)

  • by WilliamGeorge (816305) on Friday February 21, 2014 @06:51PM (#46307227)

    A text file, encrypted locally with a long password (something I can remember easily, but quite long) and then uploaded to Google Docs for easy access anywhere that I have the decryption software. If I need a password, I just open that file up and copy / paste the password needed - then close it again. If I make a change to a password I can just change it once and that populates to all the other locations where my Google Docs are stored, but it is fully and safely encrypted the whole time.

    I even have an app for my phone in case I need it, but there is three factor authentication: my phone's login, a short PIN for the app, and then my full encryption password.

    • by sylvandb (308927)

      A text file, encrypted locally with a long password (something I can remember easily, but quite long) and then uploaded to Google Docs for easy access anywhere that I have the decryption software

      This. However s/password/passphrase/ and I don't use google docs but similar propagation.

      My text file also contains credit card account and phone numbers in case I need to cancel a card, routing and account numbers for if I need to set up direct deposit or other EFT, my kids social security numbers, and other similarly confidential reference information. I've even at times (not currently) kept a regularly needed signing cert in the file as my backup.

      I've tried many of the desktop password apps. But I've

    • by CCarrot (1562079)

      A text file, encrypted locally with a long password (something I can remember easily, but quite long) and then uploaded to Google Docs for easy access anywhere that I have the decryption software. If I need a password, I just open that file up and copy / paste the password needed - then close it again. If I make a change to a password I can just change it once and that populates to all the other locations where my Google Docs are stored, but it is fully and safely encrypted the whole time.

      I even have an app for my phone in case I need it, but there is three factor authentication: my phone's login, a short PIN for the app, and then my full encryption password.

      Just FYI, KeePass [keepass.info] does basically the same thing for you, but in a user-friendly, searchable, generally-less-mucking-around-required database. Pop the encrypted database file into Google Docs or Dropbox or somewhere and boom, you're done.

      I suppose one benefit of using a text file would be that you could theoretically use it on some new system that didn't have a KeePass client yet...if your encryption/decryption client worked on the new system, that is.

  • I use vim -x passwordfile.txt. It uses Blowfish encryption. You only need the -x flag when you create the file. I keep it on one computer at home, only, with a hardcopy (lots of index cards) in a desk drawer. If I need it on the road I temporarily copy required passwords on a USB thumb, encrypted. It's not an enterprise solution, but I'm just one person, so it works OK. Actually, I refer to the index cards way more often than the password file.
  • The problem with any password manager/tool (of course aside from a simple text file, which is obviously out of the question) is that you are dependent on that piece of technology. A commercial password manager may exist for Desktop OS 1 today, but may not be supported in Mobile Phone OS 2 tomorrow. The cumulative turnaround time for your password inventory is often much longer than that of any particular device in your possession.

    I've resorted to a lower tech solution for my own password inventory: A

    • by pspahn (1175617)

      I can't even remember what service it was (this was mid 90's) but I once got an auto-generated password string from a site I registered on (might have been my online banking).

      I ended up using that short string as a base password for everything and have continued to do so even today. I did this by doing the same thing you suggest, taking a small chunk and devising your own system for encrypting it while leaving it easy to recall.

      Yes, there are certain site with overly simplistic password rules. For those I

  • by wonkey_monkey (2592601) on Friday February 21, 2014 @07:01PM (#46307301) Homepage

    ...that would be a security risk.

  • SuperGenPass (Score:5, Interesting)

    by Chelloveck (14643) on Friday February 21, 2014 @07:01PM (#46307305) Homepage

    For the most part I don't save or memorize passwords. I regenerate them as needed with SuperGenPass [supergenpass.com]. SuperGenPass algorithmically generates passwords by hashing the site's domain name together with a single memorized password. This always generates the same password for any given site. So, I don't have to remember them or store them anywhere, I just need to know how they're generated.

    But what if I'm at someone else's computer without SGP installed? The SGP website has a "mobile" version, which is just javascript that runs entirely within the browser. Go there, type in the domain and password, and generate it. (Yes, I've checked the javascript. It's not sending your password out to the mothership or saving anything locally.)

    I do keep a notebook in a plaintext file with all the sites I use. This contains the domain name that the site had when I first signed up. Domain names sometimes change, or are ambiguous (ie., the same site is available via both foobar.org and foobar.com). The text file lets me keep track of what I need in order to regenerate the password.

    What about sites that require periodic password changes? I use the domain and just suffix my memorized password with a sequence number. And I write the sequence number in my notebook.

    What's that? Security questions? I generate the answer by hashing the question itself rather than the domain with my memorized password. And of course, I copy the question verbatim into my text file so I can regenerate the answer when I need to.

    The only failing is when I hit a site that doesn't allow certain punctuation, or has length limits, or something of that nature. Then I modify the parameters that I give to SGP and write down the specific parameters that I used.

    The notebook is stored on my home fileserver in an svn repository which gets backed up every night. I'm completely screwed if I ever forget my one secret, but it's one I've been using for literally decades now. It's going to be one of the last things to go when my brain develops bit rot.

    • Re:SuperGenPass (Score:4, Informative)

      by Anonymous Coward on Friday February 21, 2014 @08:02PM (#46307743)

      I too use SuperGenPass and it's absolutely great, but I recently discovered that it has some well-known weaknesses: http://akibjorklund.com/2009/supergenpass-is-not-that-secure

      An alternative is PwdHash, but I haven't motivated myself to switch yet.

  • Memorized the passwords. Know your limit on how many random letters, numbers, symbols you can memorize and then remember them. This is especially useful because my data dies with me.
  • OK, why not?

    (Truly curious as to why a password manager is considered better than an encrypted spreadsheet, using the same password or pass phrase).
  • by 140Mandak262Jamuna (970587) on Friday February 21, 2014 @07:06PM (#46307339) Journal
    These cyber criminals are babes in the woods, compared to my brilliance. I pull wool over their eyes easily. See? I enter the password in the username textbox and the username in the password textbox when I created the account. That is the last place they will look while trying to hack my password. haa haaa. The jokes on you script kiddies...
  • KeePass (Score:5, Interesting)

    by CreatureComfort (741652) on Friday February 21, 2014 @07:08PM (#46307355)
    KeePass. With the encrypted datafile in dropbox.
  • by beerdragoon (1142579) on Friday February 21, 2014 @07:12PM (#46307377)
    I keep all my work passwords in a file that is saved in a TrueCrypt volume. This volume is kept on a network share where only domain admins can access it. I also keep some of the important passwords on a piece of paper that is locked in a safe in the data center. Generally I remember all the passwords I need, but sometimes (especially after a vacation) I need to refer to the TrueCrypt volume. If I ever forgot the password to access the volume, I have it stored in the safe. If I forget the combination to the safe...I'm screwed. Thankfully that hasn't happened yet.
  • I use SplashID on my phone (and it's probably the single biggest usage of my phone). Don't get the current version though - 7 is pretty much unusable. I had to fall back to 6, which is usable, though not quite as simple as 4 was (I think that's what I upgraded to 7 from, which was a terrible mistake). Like the submitter, I refuse to use the cloud offerings (which SpashID has as an option now). A cell phone is a risk, but I choose to believe that I could change the passwords before the database could be

  • Break your password up into two parts: the root and the suffix. The root part of the password is the complex part, that you want to change periodically yet is the same for all of your services. The suffix part is simple to remember and unique to each service, and should be consistently derived from the service itself.

    For example, lets say you are setting up a password for your Yahoo account. The root part is "TLi945!zx" and the suffix would be "yahoo" resulting in a password of "TLi945!zxyahoo".

    Your pas

  • I memorize them. It's not always easy but it's really the only 100% secure way, and no they are not simple and they do get changed often.

  • Linux can be installed on tablets. I would research a seven inch tablet, a distro that suits you, install Linux, encrypt the hard-drive, and power-down the device when not in use.
  • I'm pretty awful at password management.

    One "simple" password, used for web services that don't have any sort of financial or other "real" interaction with me beyond a pseudonym and a download I needed to access or an article behind registration that I needed to read.

    One "complex" password with a little bit of ever-changing entropy used for things like Google or Microsoft type services, banking/mortgage sites that don't offer me two-factor, etc. Your basic 7724hAppy!d0G$$smil3s sort of affair. Next year

  • I have a truecrypt virtual disk that I store in a dropbox folder. Because dropbox can sync differentially the entire thing doesn't have to sync every time I disconnect the file. Because all dropbox sees is the encrypted file, unless someone can decrypt it it is useless even if they breach my dropbox account or in some other way gain access to the file.

    It works a treat, to be honest. I keep sensitive passwords, of course, but also use it as encrypted storage for my notetaking app, sensitive diagrams, images

  • I have Secret! and KeePass on a company smart phone. Secret stores my personal passwords, and Keepass stores system passwords. Both are synced to/from a company server. The master password for Keepass is known to the other admins, and the Secret password is known only to me. (And no, it's not Correct Horse Battery Staple, sorry.)

    If the company has a problem with you keeping company passwords on a personal phone, have them issue you a phone with remote kill.

    The advantage of using a repository is that you

"Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come." --Matt Groening

Working...