Online Encryption of Passwords?
January 5, 2009 11:16 AM Subscribe
Is there any free or cheap service where I can store all my passwords, uh, online? Is this a reasonable question or am I being foolish? I have all my passwords in a Word document but don't like carrying them on my usb as a) I lose it. Is there such a site for security that I can encrypt this tiny but precious document?
Do you use gmail?
I mailed myself an email with somewhat cryptic clues as to where the password is from, e.g.
Meta - (metafilter password)
Amaz - (amazon password)
moneyplace - (bank security question)
etc.
The title for that email is something strange but memorable and unique, so you can search / find it easily.
Works for me.
posted by Meatbomb at 11:23 AM on January 5, 2009
Nthing Google Docs, they will be as secure as pretty much anybody for this sort of thing. The problem with this scheme in general is that a single password (probably along with a set of security questions in case you forget your password) is protecting all of your passwords.
Also remember that you can always print out a physical copy of your passwords and keep them in a safe place. I've heard some security experts say that you might as well write down your passwords and store them in your wallet/purse, since if it's secure enough to store your driver's license, ATM cards, etc. it's probably safe enough to store some random passwords in.
posted by burnmp3s at 11:30 AM on January 5, 2009
Download and install KeePass onto any computer you may use, save the DB file to your key and never worry again.
Alternately, download the portable version and install it onto your key and just run it from there.
All of your passwords are magically encrypted and safe unless your evil foes have 200 PS3s at their disposal (not likely)
posted by phredgreen at 11:31 AM on January 5, 2009 [3 favorites]
If you use Firefox, you can make it remember your passwords and set a master password which encrypts the password file. If you need an online backup or synchronization between multiple computers, use the excellent Foxmarks addon which stores your passwords securely online.
posted by criticalbeaver at 11:38 AM on January 5, 2009
Email is sent in the clear with personal and ip information attached. Google docs is served in the clear. It doesn't matter how secure google keeps your document if it's then blasted across the web and presumably tucked away in your browser's cache.
posted by rdr at 11:39 AM on January 5, 2009
Get KeePass portable and drop that on your thumb drive. Problem solved.
posted by toomuchpete at 11:41 AM on January 5, 2009
Response by poster: I did have them in a google doc but wasn't so sure that was a safe place. I figured I would have to use some sort of pay site that had higher encryption levels.
posted by snap_dragon at 11:49 AM on January 5, 2009
I don't have a real solution, but holy crap - keeping all of your passwords in a Word document is a ridiculous idea, not only for possible data corruption, but because of the security risks. Find a solution that encrypts the data or better yet, craft an easy-to-remember system for your passwords.
posted by cgomez at 11:55 AM on January 5, 2009
I use a service called PassPack. YMMV but I like it quite a bit.
posted by uva_nupe at 11:58 AM on January 5, 2009
posted by blue_beetle at 11:58 AM on January 5, 2009
Email is sent in the clear with personal and ip information attached. Google docs is served in the clear. It doesn't matter how secure google keeps your document if it's then blasted across the web and presumably tucked away in your browser's cache.
I should have mentioned it, but you can access Google docs securely by going to https://docs.google.com instead of the normal http address. Of course caching will be dependent on the browser, but I believe Firefox for example doesn't cache https content by default. At any rate it will be as secure as say, logging into Amazon.com and typing in your credit card number.
You're right about email though. There is no guarantee of privacy in email so if it goes over the net, although Google may be smart enough to not send it anywhere in plaintext if you send an email to yourself in gmail over a https connection. That would be dependent on how they implement it.
I did have them in a google doc but wasn't so sure that was a safe place. I figured I would have to use some sort of pay site that had higher encryption levels.
There are different levels of encryption, but they generally just make the difference between someone cracking the encryption in 20 years of trying or 200 years of trying. Encryption, done correctly, is usually too hard for anyone to break directly. A hacker would have a better chance guessing your security question answer or using some other method to get around it.
posted by burnmp3s at 12:01 PM on January 5, 2009
You're being foolish. Memorize them. Have 100 accounts? No problem - but you'll need to change the password on all of them.
1) Create a master password, something like "ilbbaicnl" (i like big butts and i cannot lie). Make it WAY more complicated, don't forget to use symbols and upper case letters, I'm just using a very simple example to make the demo simple.
2) Every username/password combo you have is for some specific entity, like metafilter.com, or your office login. Use something about that name that is unique, such as the number of the second letter.
metafilter.com, 2nd letter = e, e=5
office, 2nd letter = f, f=6
3) Now pick a place to insert that number into your master password.
metafilter password: ilbb5aicnl
office password: ilbb6aicnl
Steps 2 and 3 can be modified, including using multiple letters, or using the ASCII value of the letter, or anything you can dream, as long as it's something you can easily derive if you know what to look for. You can then place your derived values anywhere in your master password.
This way you have unique passwords for every site, and it's near impossible for someone to derive a password for site B if they have one for site A.
posted by Sonic_Molson at 12:27 PM on January 5, 2009 [4 favorites]
passwordsafe.com
posted by twistedmetal at 12:29 PM on January 5, 2009
Use Steganos Lock Note to encrypt text files. It's free.
posted by Confess, Fletch at 12:49 PM on January 5, 2009
phredgreen has it mostly right. Here's my take:
I agree that Google Docs doesn't have a huge amount of security. I mean, they hand stuff over daily on the basis of subpoenas; they're not evil, but you are just handing your data to them, and that's not really what you want if you want security.
Nor do I trust websites who store passwords for you much, since the same thing's going on there - they have your data wholesale. Moreover, real criminals are going to be after the money, and people who pay to store their passwords on a web site are the perfect target for them.
I like KeePass myself - I use it a fair amount - not least because your master password can be pretty big and strong if you want it to be, and because it's a local program that I can control myself. Also, it's free and open-source, so I can trust its security a little more (because of the transparency of the code) and it's my own business what I do with it.
So what I think you should do is this:
1) Download and install KeePass on multiple computers, or download its portable version and keep it on a USB drive.
2) Store your passwords in a file on the desktop using KeePass.
3) Webmail (gmail or some such) that heavily encrypted file containing your passwords to yourself, and delete the file from the desktop.
4) Repeat this process whenever you change or add a password.
Now, you have a well-encrypted and readily available file with all of your passwords in it wherever you go.
posted by koeselitz at 12:50 PM on January 5, 2009 [1 favorite]
KeePass portable is the best way. Install it to your thumb drive, set a good master password on the database, and you'll have your passwords with you wherever you go, with vastly better security than you'd get by storing it in a Google document or Word document. You could also install Firefox portable on the thumb drive and use that instead of whatever browser is on the machine you're using so that your browser history doesn't end up littered across computers everywhere. You can also keep the KeePass database updated and available with Dropbox as described at the Lifehacker link above.
posted by sinfony at 12:57 PM on January 5, 2009
I use Foxmarks' password syncing feature. Passwords are encrypted before storing them on a server, so you need a master key to decrypt them. Works well for me.
posted by phrakture at 12:58 PM on January 5, 2009
Well it wouldn't be proper if this post went without at least one link to an Ironkey.
It's a USB flash drive with military grade security. It uses hardware encryption, is waterproof and self-destructs if tampered with. The device also has a web archival service so files can be restored to a new one if it's damaged.
You can pick one up from Think Geek.
posted by sipher at 2:24 PM on January 5, 2009
Generate all your passwords securely from one master password.
posted by nicwolff at 3:32 PM on January 5, 2009
Keepass on a USB stick is so much better than a Word document.
posted by arcticseal at 4:20 PM on January 5, 2009
I use 1password to remember over 350 passwords. It's installed on my iMac and syncs to my iPhone in case I need to log into a site and I'm not at home.
posted by Brian Puccio at 4:21 PM on January 5, 2009
I have found Clipperz to be just the right solution for the dozens of passwords I do not regularly use.
posted by jacobw at 4:42 PM on January 5, 2009 [1 favorite]
Nthing keepass + KeepassX (mac/linux version) + dropbox. It definitely works for me, but my parents and other not-particularly-computer-savvy people don't think it's convenient enough so they don't use it.
posted by escher at 4:47 PM on January 5, 2009
Here's my method:
Create wallet sized one time pad.
Encrypt your fairly secure passwords with the pad. You'd want at least mixed case plus a number and a special character.
Email encrypted passwords to yourself and carry the pad in your wallet.
Advantages:
One time pad pretty well as secure as it gets.
Don't need to install anything, can access passwords anywhere you have web mail access regardless of OS, hardware, security, etc.
Encrypted passwords look just like unencrypted passwords; provides misdirection.
Online criminals can't get your pad. Anyone nefarious who finds your wallet doesn't know the encrypted text and probably wouldn't recognize a one time pad anyways.
Disadvantages:
Need your wallet.
You'll have to decrypt the password manually when you need it.
posted by Mitheral at 6:02 PM on January 5, 2009
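An added example, not part of Mitheral's post, of the pad scheme described above: a one-time pad over the 94 printable ASCII characters, so the encrypted form still looks like a password, plus the failure mode that matters most, which is using the same pad characters for two passwords. The alphabet, function names and sample passwords are assumptions constructed for this illustration.

```python
import secrets

# 94 printable ASCII characters, so ciphertext looks like any other password.
ALPHABET = "".join(chr(c) for c in range(33, 127))
N = len(ALPHABET)


def new_pad(length: int) -> str:
    """Generate pad characters from the OS CSPRNG (print it, carry it offline)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _shift(text: str, pad: str, sign: int) -> str:
    # The pad segment must cover every character; spaces are not supported.
    if len(pad) < len(text):
        raise ValueError("pad segment shorter than the text")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % N]
        for t, k in zip(text, pad)
    )


def encrypt(password: str, pad: str) -> str:
    return _shift(password, pad, +1)


def decrypt(cipher: str, pad: str) -> str:
    return _shift(cipher, pad, -1)


def offsets(a: str, b: str) -> list:
    """Per-character difference mod 94 between two equal-length strings."""
    return [(ALPHABET.index(x) - ALPHABET.index(y)) % N for x, y in zip(a, b)]


class PadBook:
    """Hands out each pad character exactly once, which is what 'one time' means."""

    def __init__(self, pad: str):
        self.pad, self.used = pad, 0

    def take(self, n: int) -> str:
        if self.used + n > len(self.pad):
            raise ValueError("pad exhausted: generate a new one, never reuse")
        segment = self.pad[self.used:self.used + n]
        self.used += n
        return segment


if __name__ == "__main__":
    p1, p2 = "Blue!Kettle42", "c0rrect-H0rse"  # constructed sample passwords
    book = PadBook(new_pad(26))
    k1, k2 = book.take(len(p1)), book.take(len(p2))
    c1, c2 = encrypt(p1, k1), encrypt(p2, k2)
    print("stored in email:", c1, c2)
    print("recovered:", decrypt(c1, k1), decrypt(c2, k2))
    # Reusing k1 for both passwords cancels the pad out of the difference.
    reused = offsets(encrypt(p1, k1), encrypt(p2, k1))
    print("reuse leaks plaintext difference:", reused == offsets(p1, p2))
```

The pad has to be at least as long as all the passwords it protects put together, and changing a password needs fresh pad characters rather than the old segment.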
I like SuperGenPass for website passwords. It's a bookmarklet that generates a one way hash based on the password you enter and the domain of the site.
posted by crumbly at 6:14 PM on January 5, 2009
I've been using LastPass for a while now and it's worked stellar for me. It's browser-specific: Firefox + IE sync between work and home, and my wife has her own account on her Firefox profile at the house. I highly recommend checking it out.
posted by urbandude at 9:20 PM on January 5, 2009
As for online password managers, I know of PassPack, but I know of another that doesn't have the marketing budget behind it, but is hosted by a great cryptographer with security first and foremost. He is also the author of the popular single-file encryption tool AxCrypt. The name of his online password manager is Xecrets. It is done right by a respected guy in the field who obviously knows what he is doing. I would trust Xecrets because I trust him.
posted by Gerard Sorme at 1:11 AM on January 6, 2009
I'll second KeePass and Dropbox. I keep a portable version of keepass in my dropbox too so I don't have to install it on any other computers I sync with. I just open my password database with the portable version of keepass (mac or pc). Dropbox is an awesome program, I haven't used my thumb drive in a month or so since installing it. Here is where I got the idea.
posted by cmar618 at 5:07 AM on January 6, 2009
Further suggestion:
Consider making this info available to the person who may have to deal with all of your affairs in case of unforeseen problems.
posted by mightshould at 5:37 AM on January 6, 2009
I have a fairly fail safe method that works for me.
Determine your 'code word/number combination' that will always be part of your password. For this example I'll use "dog1234".
I use the first part of whatever site is requiring the password. For Metafilter, my Pwd would be "metadog1234". For Amazon, "amazondog1234". For Barnes & Noble, I'd use "barnesdog1234".
When you need to log-in on whatever site, you instinctively know what the first part of the password is and the end part is always the same. So long as no one else knows your code combination, you're good to go!
posted by SoftSummerBreeze at 2:10 PM on January 7, 2009
All of these "add the site name to your master password" ideas have the same problem: now the admin at every crappy site you join knows your Amazon password. That's why after you join your master password and the site name you should hash them, which I've made easy with this secure Javascript form and bookmarklet.
posted by nicwolff at 3:03 PM on January 7, 2009
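An added example, not code from any poster or from the tools linked in this thread, putting the two "site name plus master password" schemes described earlier next to the hashed approach nicwolff recommends. The slow KDF (PBKDF2-HMAC-SHA256, 200,000 iterations), the 16-character output and all function names are assumptions chosen for this sketch; the sample strings are the thread's own demo values.

```python
import base64
import hashlib


def insertion_scheme(master: str, site: str, pos: int = 4) -> str:
    """Sonic_Molson's demo: alphabet index of the site's 2nd letter, inserted at pos."""
    digit = str(ord(site[1].lower()) - ord("a") + 1)
    return master[:pos] + digit + master[pos:]


def prefix_scheme(site_part: str, code: str) -> str:
    """SoftSummerBreeze's demo: first part of the site name plus a fixed code."""
    return site_part + code


def inferred_from_leak(leaked: str, leaked_part: str, target_part: str) -> str:
    """What one plaintext password reveals about another site under prefix_scheme."""
    if not leaked.startswith(leaked_part):
        return ""  # no visible site-name structure to reuse
    return target_part + leaked[len(leaked_part):]


def differing_positions(a: str, b: str) -> int:
    """Count positions where two equal-length passwords differ."""
    return sum(x != y for x, y in zip(a, b))


def derive_password(master: str, site: str, length: int = 16,
                    iterations: int = 200_000) -> str:
    """Hash master + site with a slow KDF; the site name acts as the salt.

    PBKDF2-HMAC-SHA256 and these parameters are assumptions for this example.
    """
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.lower().encode(),
                              iterations)
    return base64.urlsafe_b64encode(raw).decode()[:length]


if __name__ == "__main__":
    # All values below are the thread's demo strings.
    a = insertion_scheme("ilbbaicnl", "metafilter.com")
    b = insertion_scheme("ilbbaicnl", "office")
    print(a, b, "differ in", differing_positions(a, b), "position(s)")

    leaked = prefix_scheme("meta", "dog1234")
    print("inferred for another site:", inferred_from_leak(leaked, "meta", "amazon"))

    x = derive_password("ilbbaicnl", "metafilter.com")
    y = derive_password("ilbbaicnl", "amazon.com")
    print(x, y, "differ in", differing_positions(x, y), "position(s)")
```

A derived password still lets anyone who sees it test guesses at the master password offline, so the slow KDF only raises the cost per guess and the master password itself has to be long and unpredictable.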
This thread is closed to new comments.
Clearly, this does not have the security that actually, you know, remembering your passwords does, but I'm not aware of any scandals suggesting that Google's apps are insecure.
posted by valkyryn at 11:21 AM on January 5, 2009 [1 favorite]