Comments on: What is my password again?

Question: What is my password again?

snowjoe — Tue, 03 Mar 2009 07:39:35 -0800

What do you do with your passwords?

My passwords are killing me. I have been writing them down but I sure would like a better system. Are there any password programs that you would be willing to recommend? Other ideas? Bonus points if they are free.

By: Danf

Danf — Tue, 03 Mar 2009 07:43:52 -0800

I have two passwords, both of which are pretty intricate. One of them I use ONLY for online financial transactions. The other, for everything else.

I really do not know if this is a wise strategy or not, but in 10 or so years, I have not had anything bad happen. (Looks around for some wood to knock on.)

By: Pater Aletheias

Pater Aletheias — Tue, 03 Mar 2009 07:47:19 -0800

I just use the same two passwords for everything, with one letter changed based on the website.

Let's say my root password is Rx192Bq. Between the 2 and the B I add the first letter of whatever website I'm on. So my Metafilter password is Rx192mBq. Unguessable, but easy enough to remember, and once you get used to it, changing that one letter for each site is second nature. On the sites that make me add a special character, I just throw an exclamation point on the end.

The reason for the second password is for those sites that make me change passwords occasionally. If they let me get away with it, I just rotate back and forth between the two. At most, I have to enter a password twice to get in.

By: knave

knave — Tue, 03 Mar 2009 07:48:32 -0800

I keep all my passwords in a text file, then encrypt it with GPG. All I have to remember is my GPG password, which is unique (not used anywhere else), secure, and memorable.

By: amtho

amtho — Tue, 03 Mar 2009 07:52:23 -0800

I have a little database I made in some software kind of similar to MS Access. That database is itself encrypted and password-protected; I remember _that_ password, but all my other passwords are in the database. I have backup copies of it (I make backups several times a week anyway).

I also have a bit comment field with each record in the database, so I've got details about how to access my e-mail, insurance plan ID, and so forth. It's _extremely_ handy. I worried it was overkill when I made it, but it's awesome.

I don't know much about 3rd-party password keepers, but this system means a) I _know_ that I made it and that there aren't any unknown backdoors (probably); and b) I can customize it to _exactly_ my needs. I can view stuff in table view and sort and search at will, so if I can't even remember the account name, I can usually find what I need.

I make web sites and manage hosting and domain names for people, and e-mail accounts and FTP accounts for some, so I have a ton of passwords. This is the best system I could have asked for.

By: amtho

amtho — Tue, 03 Mar 2009 07:53:51 -0800

By the way, the software I used is Lotus Approach; it's part of the IBM SmartSuite. I don't know how available it is through IBM anymore, but I bought a copy a few months ago for about $20. Such a deal! And it's real, robust, fully-featured software that's easy to use.

By: phatkitten

phatkitten — Tue, 03 Mar 2009 07:56:49 -0800

Writing them down certainly isn't the safest method, but if you use your own private shorthand they'll be less likely to be breached if the paper falls into the wrong hands. When I need to write mine down I compress letter combinations to just one letter and just write the first couple digits in a string of numbers.

By: ODiV

ODiV — Tue, 03 Mar 2009 08:01:33 -0800

I use KeePass.

The KeePass data file is on a drive encrypted with TrueCrypt.

Yes, this is probably overkill.

By: DWRoelands

DWRoelands — Tue, 03 Mar 2009 08:02:02 -0800

I do almost exactly what Pater Aletheias does, and it's super effective.

By: jgirl

jgirl — Tue, 03 Mar 2009 08:02:08 -0800

Like Danf, I just have two for everything, but I do have a third for PayPal only.

The one that gets the most use is fairly intricate and completely unguessable.

By: hayvac

hayvac — Tue, 03 Mar 2009 08:08:48 -0800

I like having very different passwords rather than just altering one letter for each site because I don't want anyone to be able to puzzle out the system.

So I put all my passwords in a text file, encrypt it with Axcrypt as an exe, and upload it to my webspace (or you can e-mail it to yourself). Available anywhere, doesn't require any typing (so less keylogger danger), and doesn't require you to carry anything physical with you.

By: Drasher

Drasher — Tue, 03 Mar 2009 08:18:38 -0800

Seconding the use of KeePass.
It is Open Source, free, and simple.
I keep it in a DropBox so I can get to it with more than one computer.
And I have a copy on a flash drive in my pocket.

Overkill, but I can't lose it. (Did you hear someone knock?)

By: Mo Nickels

Mo Nickels — Tue, 03 Mar 2009 08:19:48 -0800

I used 1Password for OS X. It's super, super great and can even export an encrypted HTML file to take with you.

By: edd

edd — Tue, 03 Mar 2009 08:30:36 -0800

If you're on a Mac, Keychain Access (part of OS X) not only stores the passwords for the OS but can store secure notes for any purpose you like.

By: peanut_mcgillicuty

peanut_mcgillicuty — Tue, 03 Mar 2009 08:33:32 -0800

I have a few passwords which I use for various levels of website (ie, Facebook/MySpace passwords /= email passwords /= banking website passwords).

I have a harder time with usernames.

I keep an encrypted, password protected excel file on a thumb drive. The file includes the website URL, username, and a password hint. It's a bit bulky and perhaps KeePass would be a simpler means of accomplishing the same thing, but it's MINE.

By: nicwolff

nicwolff — Tue, 03 Mar 2009 08:34:27 -0800

I use Javascript to generate a different password for every site from one master password.

By: ubermuffin

ubermuffin — Tue, 03 Mar 2009 08:34:37 -0800

I like these:

Password Safe (windows) and JavaPasswordSafe (mac)
MyPasswordSafe (linux)

All use the same encrypted file format so you can share between computers.

By: Drasher

Drasher — Tue, 03 Mar 2009 08:35:17 -0800

I should augment what I said...

My KeePass entry password is stored in my wife's KeePass and vice versa.
If something happens to me, she has access to all my passwords (Amazon account, cable PW, etc.) and likewise.

If something happens to the both of us, who cares.

By: By The Grace of God

By The Grace of God — Tue, 03 Mar 2009 09:02:30 -0800

PaterAlethias method, but with number iterations instead. Plus I can use about 7 different root texts because I have slight synaesthesia with words and use it for my passwords. A given password will have a particular personality, no kidding. This makes it easier to remember.

This also enables me to remember everybody else's password, including the never-changed passwords of other people I received years ago.

By: camcgee

camcgee — Tue, 03 Mar 2009 09:30:22 -0800

My method is similar to Pater Aletheia's: I have a single unique "base" password that is complex but I know I will always remember it. Then I add characters to the end of the password based on the site I'm on that includes a site-specific word. I also have a pattern for including a number and a special character that are based on the site-specific word:

[password base][site-specific word][numbers & special characters based on word]

I record all of my passwords in my Evernote database, but I only write the site-specific word for each site, which is all I need (since I have memorized the number/special character pattern plus the base). Most of the time I can remember the site word without prompting, but writing them down is helpful in the occasion that I forget.

It is also necessary in a few cases where sites don't allow special characters, in which case I have an alternate pattern for those. In my password list, I can add a prompt to the password listing that lets me know to use the alternate.

By: zengargoyle

zengargoyle — Tue, 03 Mar 2009 09:39:48 -0800

I use keepassx and a backup encrypted file. I unencrypt the file, run MD5 on it and choose the last few characters as the next password (if it will work). Add it back to the file in a "site: user password" line and reencrypt. Then I add it to keepass, save and copy the db to my offsite account and to my USB drive. I must admit to keeping some important passwords on little post-it notes in my wallet, but it would take you longer to figure out what they are for than the age of the earth. :)

By: Zed

Zed — Tue, 03 Mar 2009 09:41:53 -0800

The Firefox Password Maker extension takes care of my web passwords. It's sort of Pater Aletheias' method, but automatic and generating passwords a zillion times more impenetrable (the bigger advantage is the automatic part -- I'd call Pater Aletheias' method reasonably robust.) An arguable disadvantage is that I literally don't know the passwords to my accounts, and can't log in without a copy of my Password Maker data. But I don't want to be logging into most things on a strange machine.

I use ssh public key access so that I don't have to type individual passwords for my ssh logins (beyond the one to decrypt the key.)

Everything else goes into an encryption app on my Palm (I keep meaning to switch to Keyring.)

By: airplain

airplain — Tue, 03 Mar 2009 09:51:03 -0800

ditto Drasher: KeePass plus DropBox. Very simple to manage, free, and accessible from any computer that's on the net (PC, Mac and Linux). I also keep a copy on my PDA thanks to KeePassToKeyring and Keyring (specific to PalmOS-based PDAs though.)

By: alligatorman

alligatorman — Tue, 03 Mar 2009 09:56:04 -0800

I have three words that I use for my passwords, and I store variations in a text file. All I have to remember are the three words.

For example, if my three words are banana, elephant, and pickle, then I make passwords, and put them in a text file as:

Metafilter:
[username] - 12_b.._xy for 12_banana_xy

Bank Account
[username] - 12_e.._xy for 12_elephant_xy

Ebay
[e-mail] - 12_P..xy for 12_Pickle_xy

Of course, my three words are not as simple as these examples.

By: Mitheral

Mitheral — Tue, 03 Mar 2009 10:48:46 -0800

I keep a plain text file on my local machine and in my gmail box with a list of websites and passwords. The passwords are encoded with a one time pad I carry in my wallet.

By: jjb

jjb — Tue, 03 Mar 2009 11:15:44 -0800

SuperGenPass generates passwords for each site by hashing the url and a master password.

By: nicwolff

nicwolff — Tue, 03 Mar 2009 11:20:51 -0800

Heh yeah, SuperGenPass credits me as the inventor of the idea. I think he improved it a lot though, use his not mine!

By: wretched_rhapsody

wretched_rhapsody — Tue, 03 Mar 2009 11:23:23 -0800

One method that I've found hugely helpful is to think of a phrase that you are going to easily remember and compose your password from the first letter of each word in the phrase (or something similar along those lines). Including numbers and/or other characters, uppercase and lowercase is good (but you will need to have a standard, easy to remember algorithm for when you use uppercase versus lowercase as well). Plus the advice reiterated many times above of having one part of your password vary based on the website or type of service you're using it for.

For example: let's say your phrase is "my fluffy Kitty 65 really likes x!" (where 65 is the last two digits of your phone number or whatever). You want the phrase to be long enough that you end up with a password with at least 8 characters. Kitty is capitalized because she is the overlord of your universe. So then your Metafilter (proper noun, also capitalized) password phrase would be "my fluffy Kitty 65 really likes Metafilter!" and the password would be mfK65rlM!

If you have a clear logical method to create a seemingly random password, it will be easy for you to remember all your passwords for all kinds of different things, and very hard for anyone else to figure them out.

By: TruncatedTiller

TruncatedTiller — Tue, 03 Mar 2009 11:23:43 -0800

N-thing KeePass & KeePassX (Windows, Mac/Linux) and thumb drive. The database is compatible between the programs and can store attachments (like a scan of your passport). The windows version even features automatic form-filling and submitting. But the one (secure!) password entry to your passwords database is the killer feature for me.

By: Muffy

Muffy — Tue, 03 Mar 2009 11:33:59 -0800

Re: Password Safe

My girlfriend's install of password safe deleted the last letter of every username & every password (all randomly generated too, so almost impossible to guess) when upgrading from one version to the next.

I *do not* recommend storing your passwords in a proprietary encrypted format. A generic encrypted format is much better.

Re: Text + GPG

That's basically my approach, except instead of plain text, I use Treepad Free, whose format is open & basically plain text with an XML-like data structure. I've been using treepad for over a decade and it's rock-solid.

I keep that encrypted in a Truecrypt volume.

It's not very portable, but it works.

Then I use Syncback to back up the file (either the whole truecrypt volume or just the treepad file, but first zipped & password protected) to a secure off-site facility that's accessible from anywhere in the world.

By: Muffy

Muffy — Tue, 03 Mar 2009 11:36:27 -0800

I've seen SuperGenPass around & it looks like a great idea, but I'm not sure it's mature/stable enough to depend on forever... You'll still need to store your passwords somewhere.

By: odinsdream

odinsdream — Tue, 03 Mar 2009 12:01:08 -0800

For any systems at work where security is actually important I either use public-key based authentication or Strong Password Generator and store the passwords on a physical piece of paper in a locked filing cabinet. While this might not be reasonable for personal use, it makes plenty of sense in a business setting where someone else may need to be able to get to the services without digging through an obtuse storage system.

By: NoraCharles

NoraCharles — Tue, 03 Mar 2009 14:26:25 -0800

I guess I'm the only one still old skool, but I'll throw this out here anyway.
I have a little address book that someone gave me as a gift and keep it by my computer at home (I don't surf at work). I just look up the site and there's the password.

By: Sonic_Molson

Sonic_Molson — Tue, 03 Mar 2009 14:29:58 -0800

By: webhund

webhund — Tue, 03 Mar 2009 14:34:35 -0800

Pater Aletheias and Others Using Similar Idea:

1) What do you do if the site requires a longer or (god-forbid) shorter password string?
and,
2. What do you do for sites that require or (again, god forbid) prohibit a non-alphanumeric character (@#$ etc...) to be in the string?

By: Pater Aletheias

Pater Aletheias — Tue, 03 Mar 2009 14:46:16 -0800

webhund: 1) for shorter strings, I just drop the first two characters of the password. But that doesn't happen much. My actual password is 8 characters long, which most sites are happy enough with.

2) As I mentioned, I just add an exclamation point to the end. It can be a pain to remember that "Oh, yeah, this is the site that requires a special character."

By: pwnguin

pwnguin — Tue, 03 Mar 2009 14:51:29 -0800

Interesting question. I just put together a recommendation about this to my boss for my IT group. We have a large number of passwords dealing with websites and our own equipment, as well as secret product keys etc.

Keepass 2.x looks great for us. It's cross platform (with Mono), secure, and easy to use. Currently we use a PGP encrypted file, in is our own proprietary format.

The other alternative is PasswordSafe, originally by the renowned Bruce Schneier. It's design is soundliky in the "simplest thing that could work" camp. The format is not proprietary; there's about a dozen reimplementations that are file compatible. Keepass can even import PasswordSafe archives.

Both of these are free, and you might give them both a seperate 24 hour trial to see which you like better.

By: pwnguin

pwnguin — Tue, 03 Mar 2009 14:55:30 -0800

For websites that are stupid and demand restrictions on the password characters, you can define custom password generation formats. You can make it as complicated as you like with a formatting string, or you can just click some boxes.

By: Zed

Zed — Tue, 03 Mar 2009 14:56:26 -0800

I *do not* recommend storing your passwords in a proprietary encrypted format.

Password Safe has been open source since 2002.

By: NucleophilicAttack

NucleophilicAttack — Tue, 03 Mar 2009 15:09:59 -0800

A second vote for 1password under OS X. It integrates well with the vast majority of popular browsers.

By: camcgee

camcgee — Tue, 03 Mar 2009 15:11:24 -0800

1) What do you do if the site requires a longer or (god-forbid) shorter password string?
2. What do you do for sites that require or (again, god forbid) prohibit a non-alphanumeric character (@#$ etc...) to be in the string?

I've never had a problem with them being too short and all of my passwords have a non-alphanumeric component by default.

Here's an example that's similar to my system:

Base password: cHynd
site-specific word (for Metafilter): filter
Number (based on the number of characters): 11
Nonalphanumeric (based on the corresponding char. of the number after the 2nd digit in the pw): @

The full password is cHynd11@Filter and in my password file, I write "metafilter.com p:filter"

If "filter" is too long, I shorten it. If the site didn't accept special characters, I use the corresponding number instead, so it's cHynd112Filt. In my password file, I could write "p:filt#" The word would still be literal, and the pound sign indicates that I needed to use the number instead of the special character.

By: markovitch

markovitch — Tue, 03 Mar 2009 17:09:55 -0800

vidoop has a password storage plugin for browers that places your passwords in a nice secure place and behind their cool visual CAPTCHA tech that extends OpenID, and autofills your logins as you go about your business on the web. I highly recommend it.

By: cmyers

cmyers — Tue, 03 Mar 2009 19:32:36 -0800

For Internet passwords, I use GenPass, the predecessor of SuperGenPass; I should probably upgrade one of these days. I've also ported GenPass's JavaScript to PHP so that I can use it in Lynx.

For offline passwords and my encryption keys, I pick a line of poetry as my passphrase and memorize it. If nothing else, I remember more poetry this way.

For clients' accounts and those I manage for friends and family, I use Passpack.

By: Muffy

Muffy — Wed, 04 Mar 2009 08:30:41 -0800

Password Safe has been open source since 2002.

Zed. Perhaps you should read my post again, because I'm specifically talking about Password Safe.

By "proprietary" I mean anything you can't open up & get inside of should the software itself ever fail you.

By: Zed

Zed — Wed, 04 Mar 2009 09:31:48 -0800

I was specifically talking about Password Safe, too, whose files you can open up and get inside should the software itself ever fail you -- I wrote my own Password Safe v2 file reader myself, once.

It's part of the nature of good encryption that errors are dangerous and can screw up the whole file (or partition or whatever.) Backups become even more important. If the software fails you to the extent that it overwrites your only copy and you have no backup, then you're screwed whether the software or format was proprietary or not. But that's a different issue.

By: pwnguin

pwnguin — Wed, 04 Mar 2009 17:50:16 -0800

I think Muffy's post is suggesting that anything you can't read with GPG and a text editor is dangerous for going off and coming up with something new. Which is somewhat Luddite: as you said you wrote a file reader yourself.

By: nicwolff

nicwolff — Wed, 04 Mar 2009 18:47:06 -0800

I've seen SuperGenPass around & it looks like a great idea, but I'm not sure it's mature/stable enough to depend on forever... You'll still need to store your passwords somewhere.

You're mistaken — GenPass, SuperGenPass, my page, &c. are completely "stable" in that they simply concatenate the hostname and your master password and apply a standard hashing algorithm such as SHA-1. They're a convenience, but you can always re-create the same passwords without them, so you don't need to store the generated passwords anywhere — that's what's so great about the system.

By: snowjoe

snowjoe — Thu, 05 Mar 2009 06:57:43 -0800

I am going to try the Pater Aletheais method. All in my mind and I really like the extra letter idea!

By: y6y6y6

y6y6y6 — Tue, 07 Apr 2009 11:45:49 -0800

"I am going to try the Pater Aletheais method."

I'd be careful with that. If you do it that way an attacker has all of your passwords if they have one of them. It's really no more secure than using one password for everything. In fact I can't see any reason to even bother changing the one letter.