Join 3,562 readers in helping fund MetaFilter (Hide)


Keeping Track of Passwords
January 31, 2004 11:08 AM   Subscribe

What's the best way to keep track of an escalating number of logins and passwords? For the web, there's Opera's magic wand, but what about hosting accounts, ftp servers, ATM PINs, etc? Encrypted text file on the desktop? Scribbled note under the pillow? How do you manage (and hide) your password library?
posted by muckster to Computers & Internet (17 answers total) 2 users marked this as a favorite
 
I usually use one of 2 different user names/logins/etc and one of 3 different passwords for just about everything, so that I can usually get access to things in under 6 tries.
posted by mcsweetie at 11:23 AM on January 31, 2004


I have two different types of passwords:

secure passwords: like for server logins, online banking etc. These are all distinct and i have them written down on paper only in the rare case that i forget them (usually just rely on memory)

unsecure passwords. this is what i use for logons to sites that ask for registration, games, metafilter. I use an algorithm thats easy to remember that incorporates a base rule plus the name of the site.

For example (this is not the algorithm but a simpler example): if the rule is use the 1st and 3rd letters of the site name and replace them in the base then, if the base is 'tijae45' the password i use here on metafilter would be 'mitae45'

As i said, thats not my rule (its a bit more subtle) and thats not my base but you get the picture. For each site i have a different password and yet all i need to remember is how to 'generate' it.
posted by vacapinta at 11:32 AM on January 31, 2004 [1 favorite]


My method to handle the madness is this:

Anyplace that can conceivably be tied to money gets a unique random password. I never ever fill in the "What's your mother's maiden name fields" for hints because it's a trivial social hacking to get that information. I don't go and open up bank accounts or accounts with online vendors very often so this is manageable.

For places like metafilter I have the same password and a couple of different user names. The most that can happen is somebody posts something I wouldn't, I can get over it.

I also have a couple dozen other accounts and passwords.

I keep everything in a plain text file on my home machine but it's encrypted with GPG. If need be I can ssh to my home machine and grab the password I need.
posted by substrate at 11:34 AM on January 31, 2004


I keep everything in a password-protected access database.
posted by tomorama at 11:56 AM on January 31, 2004


I use apple's keychain program
posted by rhyax at 12:16 PM on January 31, 2004


I MD5 hash the name of the domain or server or whatever with my secret word to generate a unique password for each site using this little Javascript thing I wrote.

That way I just have to remember one master password, and each site or server gets a different password so I don't have to worry about renegade admins borrowing my identity. And I can use it from any computer anywhere on the Net, and I don't have to worry about losing a password list.
posted by nicwolff at 12:27 PM on January 31, 2004 [2 favorites]


Tally up another vote for the plain text file encrypted with GPG. It's not that secure, since the private key resides on the same spindle as the text in question instead of on removable media I keep on my person at all times, but since all I must remember is my pass phrase, it's good enough for me.
posted by majick at 12:41 PM on January 31, 2004


I have a two-tiered password system. Insecure, for logging in to the NYTimes, Friendster and whatnot, and secure for banking, paypal, Ebay etc. The insecure one is one of two. The secure one is one of four that rotate OR when absolutely necessary to have one that is unique [often sites have special requirements that render my other ones unusable] I use a mnemonic to make new ones using the first letters of whatever song line is stuck in my head at the time, alternating upper/lower case, special character at the end. So, The Goats song that has the line that goes "I'm not your typical American" becomes iNyTa! and I can write, in plaintext, either the song artist and title, or, more likely, the first two characters in some unobtrusive way that doesn't say "THIS IS A PASSWORD HINT". New York Times - iN for example. In any case, I never write the password down, I only leave myself clues to it, based on weird "only I know what I am talking about" codes. I am pretty lucky that I can usually get my first name as a login nearly anyplace with less than a million users.
posted by jessamyn at 1:18 PM on January 31, 2004


keyboard typing patterns.
that's all I'm gonna say.
posted by signal at 2:01 PM on January 31, 2004


I've been using MultiPad for quite a while. Basically it encrypts text notes into a simple hierarchical structure. It hasn't been updated in years, though, and its homepage seems to be gone.
posted by turbodog at 2:21 PM on January 31, 2004


Palm Tungsten. eWallet. Any questions? :)
posted by keswick at 2:49 PM on January 31, 2004


Password Safe. As for Access databases, I would just mention that MS password protection is pretty crap at best.
posted by yerfatma at 2:55 PM on January 31, 2004


That's awesome, nicwolff. I think I'm gonna start using your method (for 'insecure' passwords) The problem I see with all the 'encrypted file on a computer' options is that its not very portable.
posted by vacapinta at 3:12 PM on January 31, 2004


Oh, but it is portable with a PDA. I use SplashID, which syncs nicely between Mac and Palm.
posted by Alylex at 4:14 PM on January 31, 2004


I use a swell little free utility called Passkeeper (Windows). It's tiny, quick, stable & handy.
posted by Tubes at 4:20 PM on January 31, 2004


I write them down in a notebook next to my computer.
posted by _sirmissalot_ at 4:21 PM on January 31, 2004


"not very portable."

A legitimate concern, and one that should inform your decision how to protect your passwords and key store. For me, I'm rarely in a place where I can't SSH to my data store from a semitrusted client, and if I am, it's exceedingly unlikely that I'll need access to my password list or be willing to expose my passwords to an untrusted host.

If portability were a requirement for me, though, I'd certainly be looking into one of these PDA based schemes.
posted by majick at 7:49 PM on January 31, 2004


« Older Does anybody know of any good ...   |  I want to learn the art of typ... Newer »
This thread is closed to new comments.