

How can I store my passwords online securely?
March 2, 2006 5:35 AM

PasswordFilter: Any places to store passwords online?

I keep running into a problem with storing my passwords - I use Password Safe but I tend to be hard on computers and lose a HD every 6mo or so, thus losing both my Password Safe DB and my PGP Private Key.

I've been finding various "Web Services" sites to manage things like calendars, address books, and even archive all my email. What I'd really like to find is some sort of online version of Password Safe. A site with an https login or security like hushmail.com.

I've tried using a system.....but even if I write it down, sometimes I forget the system or lose the paper.

I'm afraid if I use a USB Key, I'll lose the key.

Is there an online site where I can store my passwords or at least automatically have my PWSafe DB and PGP Private keys get sent to? Perhaps a reliable WebDAV service that I can make a Web folder in which I can install PGP and PWSafe?
posted by bkdelong to Computers & Internet (15 answers total) 1 user marked this as a favorite
 
What about sending yourself an email to a Gmail account?
Only you will have access to it (and passwords crawled by Google are worthless to Google) and it'll be centralized for you.

You won't be able to utilize PGP, but maybe tack some other system onto your passwords, like incrementing every character by one. Or using slightly arbitrary names for what they link to.

Bury it in a separate Gmail account, within some specific Gmail archived folder or some such and it won't be too many clicks out, but no one will ever think to look there. And if you're allowing people access to your Gmail/other email, then that's no good, since they could likely issue a reset request with any decent service you're using anyway.

Too many Gmail users for your info to be at risk, in my opinion. And Google couldn't care less what your passwords are.
posted by disillusioned at 5:46 AM on March 2, 2006


Hrm....not sure I dig the security-by-obscurity.
posted by bkdelong at 6:20 AM on March 2, 2006


Unless you also lose credit cards and $20 bills regularly, just take Bruce Schneier's advice and carry them with you on paper. Carrying high-value paper is a problem that most people have to solve anyhow, so might as well take advantage of those existing processes.
posted by mendel at 6:28 AM on March 2, 2006


I'm not sure I like the idea of unencrypted (or rotation-ciphered) passwords floating around on a server outside of my control either.
posted by musicinmybrain at 6:29 AM on March 2, 2006


Woops, I read right past "I lose the paper", sorry.

I think you're trying too hard to solve an easy problem. Sit down and calculate the threats against your passwords; who's going to want them, what resources do they have, and what risks are they going to take in order to obtain them? For most people, that's a bit of a reality check, and maybe keeping a copy on your hard drive and a backup on paper is all you need.

(I think I'd get tired of losing all of my data every six months, though. Why not back up your hard drive sometimes?)
posted by mendel at 6:30 AM on March 2, 2006


I think you guys are putting too much stock in a few letters and numbers that may get me all of the monies in bkdelong's bank account.

While it's true that I could easily destroy you if I had all your passwords, the truth is, I'm not sure anyone would start looking in Gmail. And hacking Gmail isn't exactly "obscurity."

Don't you think that the idea of unencrypted (or rotation-ciphered) passwords "floating around" on a Google server, buried in a few hundred terabytes of other data is absolutely beyond reproach? Short of someone actually managing to hack your account, or you stupidly leaving yourself logged into your account, (which would be an issue with any WebDAV solution, potentially) there are already plenty of examples of passwords "floating" around in web-based inboxes, anytime you create a new account to a service that sends you the plain text version of your password.

It's not just "obscurity." It's REALLY obscure obscurity. But if you want to, you can upload your PGP keys or a self-executable PGP file to your GMail as well, if you want to tack on another layer of security.

I'm still under the impression that if you use a Gmail account expressly for this purpose, no one will ever attempt to hack it, ever, in the history of man. Ever.
posted by disillusioned at 6:47 AM on March 2, 2006


You can just send the ENCRYPTED passwords file to gmail or any other online location. Your point is that you want this done in some automatic fashion? There are various programs and scripts out there that use gmail for backup purposes. You could schedule to have a script like that execute on a regular basis to back up your password file, which is almost automatic.
posted by blueyellow at 7:08 AM on March 2, 2006
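
The scheduled backup of the encrypted file suggested above, sketched as an added example that is not part of the original thread. It assumes the Password Safe V3 file layout (a leading `PWS3` tag and a `PWS3-EOFPWS3-EOF` marker before the trailing 32-byte HMAC); the file names and the `usb`/`synced` destination folders are hypothetical stand-ins for a USB drive and a folder that a mail or sync tool uploads.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

PWS3_TAG = b"PWS3"              # assumed leading tag of a Password Safe V3 file
PWS3_EOF = b"PWS3-EOFPWS3-EOF"  # assumed marker preceding the trailing HMAC
HMAC_LEN = 32


def looks_like_pwsafe3(path: Path) -> bool:
    """Structural check only: tag at the start, EOF marker before the HMAC."""
    data = path.read_bytes()
    tail = data[-(len(PWS3_EOF) + HMAC_LEN):-HMAC_LEN]
    return data.startswith(PWS3_TAG) and tail == PWS3_EOF


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_encrypted(src: Path, dest_dirs: list[Path]) -> str:
    """Copy src to every destination, refusing plaintext and verifying each copy."""
    if not looks_like_pwsafe3(src):
        raise ValueError(f"{src} is not a Password Safe V3 container; not copying")
    digest = sha256_of(src)
    for d in dest_dirs:
        d.mkdir(parents=True, exist_ok=True)
        copy = Path(shutil.copy2(src, d / src.name))
        if sha256_of(copy) != digest:
            raise IOError(f"copy in {d} does not match the source")
    return digest


def demo() -> tuple[bool, bool]:
    """Constructed sample data: a fake container and a plaintext list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        safe, plain = root / "pwsafe.psafe3", root / "passwords.txt"
        safe.write_bytes(PWS3_TAG + b"\x00" * 200 + PWS3_EOF + b"\x11" * HMAC_LEN)
        plain.write_text("bank: example-only\n")
        backup_encrypted(safe, [root / "usb", root / "synced"])
        copied = all((root / d / safe.name).exists() for d in ("usb", "synced"))
        try:
            backup_encrypted(plain, [root / "usb"])
        except ValueError:
            return copied, True
        return copied, False
```

The structural check only keeps a plaintext list from being copied off the machine by mistake; it does not validate the HMAC, so a restored copy should still be opened with the master password to confirm it is usable.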


The problem with any site storage is that you will need a login and password for that too, which you will most likely forget, given your circumstances. Keep the data on a USB key attached to your keys or nailed to the wall above your computer. It would be hard to believe that your keys would be regularly lost or a USB key would be lost if nailed to a wall.

Maybe narrow it down to a source of something that you have never lost? Your wallet, day planner, underwear, or maybe tattooed on your arm? I keep mine listed in my day planner and seeing that it is almost always with me, it works perfectly.
posted by JJ86 at 7:08 AM on March 2, 2006


No problem, mendel. I do attempt to back up my computer but I guess I haven't found an easier solution. I used to use Tivoli Storage Manager when I worked at MIT and now I occasionally back up the drive on Firewire but I need to either come up with some way to keep those firewires mounted for easy access to the backed-up data, (I'm on laptop and am on the road a lot), or get another machine to work on while this one is backing up, (not fiscally possible).
posted by bkdelong at 8:38 AM on March 2, 2006


Thanks all - I think I'll investigate the USB Key route as well as a GMail acct.
posted by bkdelong at 8:39 AM on March 2, 2006


xdrive.com is around $10/month (max), and will do what you want.

BTW: you're using password safe, so even if someone gets access to the file with your passwords, they're still encrypted.
posted by Caviar at 8:44 AM on March 2, 2006


I too use Gmail for storing my passwords. I sent myself an email and then clicked the Favorites star. Whenever I need to retrieve the password, I just click "Starred" and open the message. If you're a bit paranoid, you could put the passwords inline as part of a normal email message.
posted by junesix at 11:17 AM on March 2, 2006


I know you mentioned concerns on using a USB key, but I would have to throw out Roboform which is a portable password manager and form filler. Have been using for about a year and a half and am very pleased.

In terms of safeguarding the passwords against loss of the USB drive, the same manufacturer produces a free sync program called GoodSync which I use to back up my passwords locally every week or so.

By the way, I'm not affiliated with this company - just like their products...
posted by Mave_80 at 11:19 AM on March 2, 2006


How about gmailing yourself a text file containing your passwords that is encrypted with something like Locknote? Then you just have to remember the one "master" password... I keep mine like that on my home, work, and usb drive - memory like swiss cheese - mine that is.
posted by dorcas at 12:05 PM on March 2, 2006


I've been using KeePass in a way that might (or might not) work for you.

Set it up, and keep it installed on your computer. Then, set up something like SyncBackSE so it'll back up to a USB drive.

I know you said you're afraid you'll lose it, I thought the same. My solution was to get a USB drive whose only purpose in life is backups. It has my KeePass database, Quicken backups, and some important documents on it, all highly encrypted of course. And it lives in my front right pocket.

There are only three times when it is not in my pocket: When I am updating the backup, when I am using KeePass on another PC (it runs right off the USB drive), or when I am changing my pants (I tend to wear the same jeans for a few days in a row. My job isn't exactly dirty).

So far, there's only been a couple of times that I've left it either at work or at home, usually sticking out of a USB port. But even if I do lose it, I'm not worried, because everything important on it is encrypted, and it also exists on my hard drive at home.

The chances of both losing the USB and having your hard drive fail at the same time are so small that I don't even worry. In fact, when my hard drive died on Saturday, I didn't panic, because I knew I had this backup.
posted by CrayDrygu at 5:13 PM on March 2, 2006

