What is my password again?
March 3, 2009 7:39 AM   Subscribe

I have two passwords, both of which are pretty intricate. One of them I use ONLY for online financial transactions. The other, for everything else.

I really do not know if this is a wise strategy or not, but in 10 or so years, I have not had anything bad happen. (Looks around for some wood to knock on.)
posted by Danf at 7:43 AM on March 3

I keep all my passwords in a text file, then encrypt it with GPG. All I have to remember is my GPG password, which is unique (not used anywhere else), secure, and memorable.
posted by knave at 7:48 AM on March 3

I have a little database I made in some software kind of similar to MS Access. That database is itself encrypted and password-protected; I remember _that_ password, but all my other passwords are in the database. I have backup copies of it (I make backups several times a week anyway).

I also have a bit comment field with each record in the database, so I've got details about how to access my e-mail, insurance plan ID, and so forth. It's _extremely_ handy. I worried it was overkill when I made it, but it's awesome.

I don't know much about 3rd-party password keepers, but this system means a) I _know_ that I made it and that there aren't any unknown backdoors (probably); and b) I can customize it to _exactly_ my needs. I can view stuff in table view and sort and search at will, so if I can't even remember the account name, I can usually find what I need.

I make web sites and manage hosting and domain names for people, and e-mail accounts and FTP accounts for some, so I have a ton of passwords. This is the best system I could have asked for.
posted by amtho at 7:52 AM on March 3

By the way, the software I used is Lotus Approach; it's part of the IBM SmartSuite. I don't know how available it is through IBM anymore, but I bought a copy a few months ago for about $20. Such a deal! And it's real, robust, fully-featured software that's easy to use.
posted by amtho at 7:53 AM on March 3

Writing them down certainly isn't the safest method, but if you use your own private shorthand they'll be less likely to be breached if the paper falls into the wrong hands. When I need to write mine down I compress letter combinations to just one letter and just write the first couple digits in a string of numbers.
posted by phatkitten at 7:56 AM on March 3

I use KeePass.

The KeePass data file is on a drive encrypted with TrueCrypt.

Yes, this is probably overkill.
posted by ODiV at 8:01 AM on March 3

I do almost exactly what Pater Aletheias does, and it's super effective.
posted by DWRoelands at 8:02 AM on March 3

Like Danf, I just have two for everything, but I do have a third for PayPal only.

The one that gets the most use is fairly intricate and completely unguessable.
posted by jgirl at 8:02 AM on March 3

I like having very different passwords rather than just altering one letter for each site because I don't want anyone to be able to puzzle out the system.

So I put all my passwords in a text file, encrypt it with Axcrypt as an exe, and upload it to my webspace (or you can e-mail it to yourself). Available anywhere, doesn't require any typing (so less keylogger danger), and doesn't require you to carry anything physical with you.
posted by hayvac at 8:08 AM on March 3

Seconding the use of KeePass.
It is Open Source, free, and simple.
I keep it in a DropBox so I can get to it with more than one computer.
And I have a copy on a flash drive in my pocket.

Overkill, but I can't lose it. (Did you hear someone knock?)
posted by Drasher at 8:18 AM on March 3

I used 1Password for OS X. It's super, super great and can even export an encrypted HTML file to take with you.
posted by Mo Nickels at 8:19 AM on March 3

If you're on a Mac, Keychain Access (part of OS X) not only stores the passwords for the OS but can store secure notes for any purpose you like.
posted by edd at 8:30 AM on March 3 [1 favorite]

I have a few passwords which I use for various levels of website (ie, Facebook/MySpace passwords /= email passwords /= banking website passwords).

I have a harder time with usernames.

I keep an encrypted, password protected excel file on a thumb drive. The file includes the website URL, username, and a password hint. It's a bit bulky and perhaps KeePass would be a simpler means of accomplishing the same thing, but it's MINE.
posted by peanut_mcgillicuty at 8:33 AM on March 3

I use Javascript to generate a different password for every site from one master password.
posted by nicwolff at 8:34 AM on March 3

I like these:

Password Safe (windows) and JavaPasswordSafe (mac)
MyPasswordSafe (linux)

All use the same encrypted file format so you can share between computers.
posted by ubermuffin at 8:34 AM on March 3 [1 favorite]

I should augment what I said...

My KeePass entry password is stored in my wife's KeePass and vice versa.
If something happens to me, she has access to all my passwords (Amazon account, cable PW, etc.) and likewise.

If something happens to the both of us, who cares.
posted by Drasher at 8:35 AM on March 3

PaterAlethias method, but with number iterations instead. Plus I can use about 7 different root texts because I have slight synaesthesia with words and use it for my passwords. A given password will have a particular personality, no kidding. This makes it easier to remember.

This also enables me to remember everybody else's password, including the never-changed passwords of other people I received years ago.
posted by By The Grace of God at 9:02 AM on March 3

My method is similar to Pater Aletheia's: I have a single unique "base" password that is complex but I know I will always remember it. Then I add characters to the end of the password based on the site I'm on that includes a site-specific word. I also have a pattern for including a number and a special character that are based on the site-specific word:

[password base][site-specific word][numbers & special characters based on word]

I record all of my passwords in my Evernote database, but I only write the site-specific word for each site, which is all I need (since I have memorized the number/special character pattern plus the base). Most of the time I can remember the site word without prompting, but writing them down is helpful in the occasion that I forget.

It is also necessary in a few cases where sites don't allow special characters, in which case I have an alternate pattern for those. In my password list, I can add a prompt to the password listing that lets me know to use the alternate.
posted by camcgee at 9:30 AM on March 3

I use keepassx and a backup encrypted file. I unencrypt the file, run MD5 on it and choose the last few characters as the next password (if it will work). Add it back to the file in a "site: user password" line and reencrypt. Then I add it to keepass, save and copy the db to my offsite account and to my USB drive. I must admit to keeping some important passwords on little post-it notes in my wallet, but it would take you longer to figure out what they are for than the age of the earth. :)
posted by zengargoyle at 9:39 AM on March 3

The Firefox Password Maker extension takes care of my web passwords. It's sort of Pater Aletheias' method, but automatic and generating passwords a zillion times more impenetrable (the bigger advantage is the automatic part -- I'd call Pater Aletheias' method reasonably robust.) An arguable disadvantage is that I literally don't know the passwords to my accounts, and can't log in without a copy of my Password Maker data. But I don't want to be logging into most things on a strange machine.

I use ssh public key access so that I don't have to type individual passwords for my ssh logins (beyond the one to decrypt the key.)

Everything else goes into an encryption app on my Palm (I keep meaning to switch to Keyring.)
posted by Zed at 9:41 AM on March 3

ditto Drasher: KeePass plus DropBox. Very simple to manage, free, and accessible from any computer that's on the net (PC, Mac and Linux). I also keep a copy on my PDA thanks to KeePassToKeyring and Keyring (specific to PalmOS-based PDAs though.)
posted by airplain at 9:51 AM on March 3

I have three words that I use for my passwords, and I store variations in a text file. All I have to remember are the three words.

For example, if my three words are banana, elephant, and pickle, then I make passwords, and put them in a text file as:

Metafilter:
[username] - 12_b.._xy for 12_banana_xy

Bank Account
[username] - 12_e.._xy for 12_elephant_xy

Ebay
[e-mail] - 12_P..xy for 12_Pickle_xy

Of course, my three words are not as simple as these examples.
posted by alligatorman at 9:56 AM on March 3

I keep a plain text file on my local machine and in my gmail box with a list of websites and passwords. The passwords are encoded with a one time pad I carry in my wallet.
posted by Mitheral at 10:48 AM on March 3

SuperGenPass generates passwords for each site by hashing the url and a master password.
posted by jjb at 11:15 AM on March 3

Heh yeah, SuperGenPass credits me as the inventor of the idea. I think he improved it a lot though, use his not mine!
posted by nicwolff at 11:20 AM on March 3

One method that I've found hugely helpful is to think of a phrase that you are going to easily remember and compose your password from the first letter of each word in the phrase (or something similar along those lines). Including numbers and/or other characters, uppercase and lowercase is good (but you will need to have a standard, easy to remember algorithm for when you use uppercase versus lowercase as well). Plus the advice reiterated many times above of having one part of your password vary based on the website or type of service you're using it for.

For example: let's say your phrase is "my fluffy Kitty 65 really likes x!" (where 65 is the last two digits of your phone number or whatever). You want the phrase to be long enough that you end up with a password with at least 8 characters. Kitty is capitalized because she is the overlord of your universe. So then your Metafilter (proper noun, also capitalized) password phrase would be "my fluffy Kitty 65 really likes Metafilter!" and the password would be mfK65rlM!

If you have a clear logical method to create a seemingly random password, it will be easy for you to remember all your passwords for all kinds of different things, and very hard for anyone else to figure them out.
posted by wretched_rhapsody at 11:23 AM on March 3

N-thing KeePass & KeePassX (Windows, Mac/Linux) and thumb drive. The database is compatible between the programs and can store attachments (like a scan of your passport). The windows version even features automatic form-filling and submitting. But the one (secure!) password entry to your passwords database is the killer feature for me.
posted by TruncatedTiller at 11:23 AM on March 3

Re: Password Safe

My girlfriend's install of password safe deleted the last letter of every username & every password (all randomly generated too, so almost impossible to guess) when upgrading from one version to the next.

I *do not* recommend storing your passwords in a proprietary encrypted format. A generic encrypted format is much better.

Re: Text + GPG

That's basically my approach, except instead of plain text, I use Treepad Free, whose format is open & basically plain text with an XML-like data structure. I've been using treepad for over a decade and it's rock-solid.

I keep that encrypted in a Truecrypt volume.

It's not very portable, but it works.

Then I use Syncback to back up the file (either the whole truecrypt volume or just the treepad file, but first zipped & password protected) to a secure off-site facility that's accessible from anywhere in the world.
posted by Muffy at 11:33 AM on March 3

I've seen SuperGenPass around & it looks like a great idea, but I'm not sure it's mature/stable enough to depend on forever... You'll still need to store your passwords somewhere.
posted by Muffy at 11:36 AM on March 3

For any systems at work where security is actually important I either use public-key based authentication or Strong Password Generator and store the passwords on a physical piece of paper in a locked filing cabinet. While this might not be reasonable for personal use, it makes plenty of sense in a business setting where someone else may need to be able to get to the services without digging through an obtuse storage system.
posted by odinsdream at 12:01 PM on March 3

I guess I'm the only one still old skool, but I'll throw this out here anyway.
I have a little address book that someone gave me as a gift and keep it by my computer at home (I don't surf at work). I just look up the site and there's the password.
posted by NoraCharles at 2:26 PM on March 3

Similar Question
posted by Sonic_Molson at 2:29 PM on March 3

Pater Aletheias and Others Using Similar Idea:

1) What do you do if the site requires a longer or (god-forbid) shorter password string?
and,
2. What do you do for sites that require or (again, god forbid) prohibit a non-alphanumeric character (@#$ etc...) to be in the string?
posted by webhund at 2:34 PM on March 3

webhund: 1) for shorter strings, I just drop the first two characters of the password. But that doesn't happen much. My actual password is 8 characters long, which most sites are happy enough with.

2) As I mentioned, I just add an exclamation point to the end. It can be a pain to remember that "Oh, yeah, this is the site that requires a special character."
posted by Pater Aletheias at 2:46 PM on March 3 [1 favorite]

Interesting question. I just put together a recommendation about this to my boss for my IT group. We have a large number of passwords dealing with websites and our own equipment, as well as secret product keys etc.

Keepass 2.x looks great for us. It's cross platform (with Mono), secure, and easy to use. Currently we use a PGP encrypted file, in is our own proprietary format.

The other alternative is PasswordSafe, originally by the renowned Bruce Schneier. It's design is soundliky in the "simplest thing that could work" camp. The format is not proprietary; there's about a dozen reimplementations that are file compatible. Keepass can even import PasswordSafe archives.

Both of these are free, and you might give them both a seperate 24 hour trial to see which you like better.
posted by pwnguin at 2:51 PM on March 3

For websites that are stupid and demand restrictions on the password characters, you can define custom password generation formats. You can make it as complicated as you like with a formatting string, or you can just click some boxes.
posted by pwnguin at 2:55 PM on March 3

I *do not* recommend storing your passwords in a proprietary encrypted format.

Password Safe has been open source since 2002.
posted by Zed at 2:56 PM on March 3

A second vote for 1password under OS X. It integrates well with the vast majority of popular browsers.
posted by NucleophilicAttack at 3:09 PM on March 3

1) What do you do if the site requires a longer or (god-forbid) shorter password string?
2. What do you do for sites that require or (again, god forbid) prohibit a non-alphanumeric character (@#$ etc...) to be in the string?

I've never had a problem with them being too short and all of my passwords have a non-alphanumeric component by default.

Here's an example that's similar to my system:

Base password: cHynd
site-specific word (for Metafilter): filter
Number (based on the number of characters): 11
Nonalphanumeric (based on the corresponding char. of the number after the 2nd digit in the pw): @

The full password is cHynd11@Filter and in my password file, I write "metafilter.com p:filter"

If "filter" is too long, I shorten it. If the site didn't accept special characters, I use the corresponding number instead, so it's cHynd112Filt. In my password file, I could write "p:filt#" The word would still be literal, and the pound sign indicates that I needed to use the number instead of the special character.
posted by camcgee at 3:11 PM on March 3

vidoop has a password storage plugin for browers that places your passwords in a nice secure place and behind their cool visual CAPTCHA tech that extends OpenID, and autofills your logins as you go about your business on the web. I highly recommend it.
posted by markovitch at 5:09 PM on March 3

For Internet passwords, I use GenPass, the predecessor of SuperGenPass; I should probably upgrade one of these days. I've also ported GenPass's JavaScript to PHP so that I can use it in Lynx.

For offline passwords and my encryption keys, I pick a line of poetry as my passphrase and memorize it. If nothing else, I remember more poetry this way.

For clients' accounts and those I manage for friends and family, I use Passpack.
posted by cmyers at 7:32 PM on March 3

Password Safe has been open source since 2002.

Zed. Perhaps you should read my post again, because I'm specifically talking about Password Safe.

By "proprietary" I mean anything you can't open up & get inside of should the software itself ever fail you.
posted by Muffy at 8:30 AM on March 4

I was specifically talking about Password Safe, too, whose files you can open up and get inside should the software itself ever fail you -- I wrote my own Password Safe v2 file reader myself, once.

It's part of the nature of good encryption that errors are dangerous and can screw up the whole file (or partition or whatever.) Backups become even more important. If the software fails you to the extent that it overwrites your only copy and you have no backup, then you're screwed whether the software or format was proprietary or not. But that's a different issue.
posted by Zed at 9:31 AM on March 4

I think Muffy's post is suggesting that anything you can't read with GPG and a text editor is dangerous for going off and coming up with something new. Which is somewhat Luddite: as you said you wrote a file reader yourself.
posted by pwnguin at 5:50 PM on March 4

I've seen SuperGenPass around & it looks like a great idea, but I'm not sure it's mature/stable enough to depend on forever... You'll still need to store your passwords somewhere.

You're mistaken — GenPass, SuperGenPass, my page, &c. are completely "stable" in that they simply concatenate the hostname and your master password and apply a standard hashing algorithm such as SHA-1. They're a convenience, but you can always re-create the same passwords without them, so you don't need to store the generated passwords anywhere — that's what's so great about the system.
posted by nicwolff at 6:47 PM on March 4

"I am going to try the Pater Aletheais method."

I'd be careful with that. If you do it that way an attacker has all of your passwords if they have one of them. It's really no more secure than using one password for everything. In fact I can't see any reason to even bother changing the one letter.
posted by y6y6y6 at 11:45 AM on April 7

« Older Is there a Firefox extension t...   |   Why is everything pissing me o... Newer »