What simple, secure, portable password and secure data management systems do you use?
May 4, 2011 4:34 PM Subscribe
What simple, secure, portable password and secure data management systems do you use?
With the PlayStation network break-in, it sounds like my standard secure password, and my password reset security questions have been compromised. Because of the security question breach, I presumably have to reset my password and security questions for any accounts that can be linked to my real name or PlayStation network ID, right?
So looking at what options I have for password management systems for use at work, home PC, home set-top boxes, ipad, android phone, I've come up with very few feasible options. It seems like my best bet is having my passwords and fake security questions answers on a piece of paper in my wallet. With the large number of accounts, I'd also have to have the account on the paper too, which concerns me some.
Alternatively, I could store this data in an encrypted file (using keepass presumably) on the systems I have control over, and use my android phone as the password lookup for systems I don't have control over. I don't like having to use one electronic device to look up the password to use on another electronic device, but do like the data being encrypted.
Which of these two systems is best, or is there another way I'm not thinking of?
I don't think I can memorize separate passwords and false security data for each account. I don't think the easy base password plus an algorithmic change per site is secure since simple algorithms are simple to crack, and secure algorithms (like the base password plus site name hashed together) works on systems I don't control like work PCs or settop boxes. For the same reason, many password program tools don't seem to be a good option when needing to have access on settop boxes or my work PC. Am I wrong?
With the PlayStation network break-in, it sounds like my standard secure password, and my password reset security questions have been compromised. Because of the security question breach, I presumably have to reset my password and security questions for any accounts that can be linked to my real name or PlayStation network ID, right?
So looking at what options I have for password management systems for use at work, home PC, home set-top boxes, ipad, android phone, I've come up with very few feasible options. It seems like my best bet is having my passwords and fake security questions answers on a piece of paper in my wallet. With the large number of accounts, I'd also have to have the account on the paper too, which concerns me some.
Alternatively, I could store this data in an encrypted file (using keepass presumably) on the systems I have control over, and use my android phone as the password lookup for systems I don't have control over. I don't like having to use one electronic device to look up the password to use on another electronic device, but do like the data being encrypted.
Which of these two systems is best, or is there another way I'm not thinking of?
I don't think I can memorize separate passwords and false security data for each account. I don't think the easy base password plus an algorithmic change per site is secure since simple algorithms are simple to crack, and secure algorithms (like the base password plus site name hashed together) works on systems I don't control like work PCs or settop boxes. For the same reason, many password program tools don't seem to be a good option when needing to have access on settop boxes or my work PC. Am I wrong?
I keep a spreadsheet on dropbox with my accounts, which email address they're associated with, and a couple of substitution codes — one for the PW, one for the security question answers. For example, if my password is one of my dead cats' names (it is not) and the cat was black and named midnight, I'd use blackcat99!! where blackcat is a substitution for "midnight," the actual PW, and the numbers and symbols are the actual symbols that comprise the rest of the PW. If a capped letter is required, I might put it in the spreadsheet as blackCat or whatever. I rely on my memory for the substitution codes. I don't have that written down anywhere, although I've thought of sticking it in my "when I die" folder. Maybe!
It's fairly simple and seems reasonably unbreakable as long as you use enough characters and you don't use obvious things from your life as your actual PWs. I can access dropbox from my phone and from any other computer I wish via the internet.
I also call the spreadsheet something tedious and boring-sounding, not juicy like "PASSWORDS SEKRIT WITHIN!" but "budget scenarios 2008" or somesuch.
I'll be interested to see other people's answers. I suspect they will consist largely of keepass, etc.
posted by clone boulevard at 4:55 PM on May 4, 2011
It's fairly simple and seems reasonably unbreakable as long as you use enough characters and you don't use obvious things from your life as your actual PWs. I can access dropbox from my phone and from any other computer I wish via the internet.
I also call the spreadsheet something tedious and boring-sounding, not juicy like "PASSWORDS SEKRIT WITHIN!" but "budget scenarios 2008" or somesuch.
I'll be interested to see other people's answers. I suspect they will consist largely of keepass, etc.
posted by clone boulevard at 4:55 PM on May 4, 2011
Response by poster: I definitely can't access dropbox from work. lastpass seems work accessable, but doesn't seem set-top box accessible.
posted by garlic at 5:16 PM on May 4, 2011
posted by garlic at 5:16 PM on May 4, 2011
1Password has made my life SO much easier! iPhone, Mac, Android, iPad....You can have it generate passwords for you, too.
posted by misha at 5:18 PM on May 4, 2011 [2 favorites]
posted by misha at 5:18 PM on May 4, 2011 [2 favorites]
I don't think lastpass is set-top box accessible, but not having a set-top box, I don't know how one would access the internet on one anyways! You can always look up the passwords you've saved in your lastpass vault, so you could enter a set top box password and then look it up via your smartphone/tablet/laptop when you need it.
Like 1Password, lastpass will also generate random passwords for you. At first glance, they seem to be basically equivalent services, though lastpass is free, which is nice.
posted by lewedswiver at 5:43 PM on May 4, 2011
Like 1Password, lastpass will also generate random passwords for you. At first glance, they seem to be basically equivalent services, though lastpass is free, which is nice.
posted by lewedswiver at 5:43 PM on May 4, 2011
Best answer: I'm rather fond of PasswordCard. I don't see a problem with using it to answer "Name of first pet" type questions if you generate a second card with only alpha-numeric, as I presume symbols are excluded in many such database fields.
posted by ob1quixote at 6:07 PM on May 4, 2011 [1 favorite]
posted by ob1quixote at 6:07 PM on May 4, 2011 [1 favorite]
I generate a unique password for each login by algorithmically combining and hashing one strong master password with the site's domain name or the resource's name, using this simple Javascript application (or this even simpler bookmarklet).
I don't know what you mean by "set-top box accessible" – aren't those closed systems by definition?
posted by nicwolff at 6:13 PM on May 4, 2011 [1 favorite]
I don't know what you mean by "set-top box accessible" – aren't those closed systems by definition?
posted by nicwolff at 6:13 PM on May 4, 2011 [1 favorite]
I use keePass with Dropbox. For work, I have neither on my workstation and just access it via my phone (both keepass and dropbox have android apps). For home, I can have both directly on my machines. I've found it to be a powerful combination. When I create a new account for something at work, I just add it to keepass on my phone, and then it's automagically in keepass on my computer at home too.
posted by -harlequin- at 6:36 PM on May 4, 2011
posted by -harlequin- at 6:36 PM on May 4, 2011
1password again, never used it for Windows, but love it on Mac and iPhone and the portable encrypted app-independent data file I can take with me.
posted by Brian Puccio at 6:52 PM on May 4, 2011
posted by Brian Puccio at 6:52 PM on May 4, 2011
PasswordSafe. I love it and have used it at home and work.
posted by rmd1023 at 7:10 PM on May 4, 2011
posted by rmd1023 at 7:10 PM on May 4, 2011
suggestion: Dropbox portable (DropboxPortableAHK) on an USB drive with KeePass.
posted by MzB at 8:15 PM on May 4, 2011
posted by MzB at 8:15 PM on May 4, 2011
Best answer: The problem with Dropbox isn't (just) that he can't install it. Many corporate firewalls block network access to any online storage, Dropbox being one of the first to go.
Also, speaking of stupid corporate tricks, I've had stability issues with (older) versions of IE and lastpass, to the point that it's not usable at work at all.
My solution is the stupid one: KeyPass on the home computers and phones, and I sync the KP database at work from my phone.
The dropbox solution also allows me to keep truecrypt volumes of important paperwork, including scans of things like citizenship papers, birth certificates, even tax records. It's saved my bacon a couple of times. Just use long pass phrases and never write them down.
posted by bonehead at 8:54 PM on May 4, 2011
Also, speaking of stupid corporate tricks, I've had stability issues with (older) versions of IE and lastpass, to the point that it's not usable at work at all.
My solution is the stupid one: KeyPass on the home computers and phones, and I sync the KP database at work from my phone.
The dropbox solution also allows me to keep truecrypt volumes of important paperwork, including scans of things like citizenship papers, birth certificates, even tax records. It's saved my bacon a couple of times. Just use long pass phrases and never write them down.
posted by bonehead at 8:54 PM on May 4, 2011
Best answer: By the way, there's a really good discussion of KeyPass vs LastPass in the PS breach thread. Start here with a great comment by ArkhanJG. He did a lot of poking around on the LastPass security model. It turns out that it's at least as good as the KP +DB alternative, and probably easier to use in a normal (better than IE 7) browser.
posted by bonehead at 8:59 PM on May 4, 2011
posted by bonehead at 8:59 PM on May 4, 2011
Response by poster: The set - top box issue I'd that for logging into pan or Netflix I'll need to be able yo enter the passwords via remote , not some auto downloads.
posted by garlic at 5:32 AM on May 5, 2011
posted by garlic at 5:32 AM on May 5, 2011
ReeMonster, sometimes our brains aren't good enough. For example, between work AND home I have something like 40+ different accounts. Many of these accounts have different usernames AND different password requirements (some even have to be updated every 30-60 days), which means I can't use the same password for all of them even if I wanted to (and that's a bad idea anyway) so things like LastPass and 1Password are extremely helpful.
Before 1Password came into my life I used a password protected Excel spreadsheet to store all my passwords. It should be noted that this is EXTREMELY unsafe.
posted by jnrussell at 10:03 AM on May 5, 2011 [1 favorite]
Before 1Password came into my life I used a password protected Excel spreadsheet to store all my passwords. It should be noted that this is EXTREMELY unsafe.
posted by jnrussell at 10:03 AM on May 5, 2011 [1 favorite]
I have been a faithful SplashID user for many years now. There are many versions for different platforms/uses.
posted by Mei's lost sandal at 10:28 AM on May 5, 2011
posted by Mei's lost sandal at 10:28 AM on May 5, 2011
Since the Gawker fiasco, I use Dropbox with a text file myself. Since Dropbox is out for you, maybe you could just use a thumb drive containing a text file with your passwords?
The biggest threat to most people are automated password stealing techniques. Keeping your passwords in a separate file that you have to manually open to get your password is an annoyance for you, but it makes those passwords largely immune to automated password harvesting techniques. These days the bad guys are scanning computers in bulk; if you don't have a password that can be easily retrieved then it's unlikely that chasing yours will make financial sense to them. It does still leave you vulnerable to individuals out to get your passwords though.
posted by JHarris at 11:36 AM on May 5, 2011
The biggest threat to most people are automated password stealing techniques. Keeping your passwords in a separate file that you have to manually open to get your password is an annoyance for you, but it makes those passwords largely immune to automated password harvesting techniques. These days the bad guys are scanning computers in bulk; if you don't have a password that can be easily retrieved then it's unlikely that chasing yours will make financial sense to them. It does still leave you vulnerable to individuals out to get your passwords though.
posted by JHarris at 11:36 AM on May 5, 2011
1Password on my home computer and on my iPhone - they sync using Dropbox, I think, but I do not need to access Dropbox from work. With it on my phone, I can look up any passwords I need wherever I am.
posted by telophase at 12:22 PM on May 5, 2011
posted by telophase at 12:22 PM on May 5, 2011
I've been using Bruce Schneier's Password Safe for about a decade or so.
posted by whuppy at 4:05 PM on May 5, 2011
posted by whuppy at 4:05 PM on May 5, 2011
Best answer: I use keypass and ftp. I have no idea what any of my passwords are. When I get nervous about hosting/ftp, I simply change the FTP password and the keepass password. I do keep a copy on my thumb drive and all my computers, in case I lose net access. I have maybe 200 entries, there is no way I would remember 200 username/password combos.
I like the password generator, I use it to generate passwords, pet names, mothers maiden names, favorite bands, cities and all the oterh bullshit 'helpful' password reminder questions.
I love it.
posted by Monkey0nCrack at 7:00 PM on May 5, 2011
I like the password generator, I use it to generate passwords, pet names, mothers maiden names, favorite bands, cities and all the oterh bullshit 'helpful' password reminder questions.
I love it.
posted by Monkey0nCrack at 7:00 PM on May 5, 2011
Response by poster: I've been successfully using PasswdSafe on my phone and home PC for a couple months now, and everything seems to be going fine.
posted by garlic at 3:26 PM on November 16, 2011
posted by garlic at 3:26 PM on November 16, 2011
« Older Okay to visit love interest at work? | How to get rid of malware on an external drive? Newer »
This thread is closed to new comments.
posted by lewedswiver at 4:53 PM on May 4, 2011 [1 favorite]