Comments on: Keeping Track of Passwords

Question: Keeping Track of Passwords

muckster — Sat, 31 Jan 2004 11:08:59 -0800

What's the best way to keep track of an escalating number of logins and passwords? For the web, there's Opera's magic wand, but what about hosting accounts, ftp servers, ATM PINs, etc? Encrypted text file on the desktop? Scribbled note under the pillow? How do you manage (and hide) your password library?

By: mcsweetie

mcsweetie — Sat, 31 Jan 2004 11:23:14 -0800

I usually use one of 2 different user names/logins/etc and one of 3 different passwords for just about everything, so that I can usually get access to things in under 6 tries.

By: vacapinta

vacapinta — Sat, 31 Jan 2004 11:32:17 -0800

I have two different types of passwords:

secure passwords: like for server logins, online banking etc. These are all distinct and i have them written down on paper only in the rare case that i forget them (usually just rely on memory)

unsecure passwords. this is what i use for logons to sites that ask for registration, games, metafilter. I use an algorithm thats easy to remember that incorporates a base rule plus the name of the site.

For example (this is not the algorithm but a simpler example): if the rule is use the 1st and 3rd letters of the site name and replace them in the base then, if the base is 'tijae45' the password i use here on metafilter would be 'mitae45'

As i said, thats not my rule (its a bit more subtle) and thats not my base but you get the picture. For each site i have a different password and yet all i need to remember is how to 'generate' it.

By: substrate

substrate — Sat, 31 Jan 2004 11:34:24 -0800

My method to handle the madness is this:

Anyplace that can conceivably be tied to money gets a unique random password. I never ever fill in the "What's your mother's maiden name fields" for hints because it's a trivial social hacking to get that information. I don't go and open up bank accounts or accounts with online vendors very often so this is manageable.

For places like metafilter I have the same password and a couple of different user names. The most that can happen is somebody posts something I wouldn't, I can get over it.

I also have a couple dozen other accounts and passwords.

I keep everything in a plain text file on my home machine but it's encrypted with GPG. If need be I can ssh to my home machine and grab the password I need.

By: tomorama

tomorama — Sat, 31 Jan 2004 11:56:47 -0800

I keep everything in a password-protected access database.

By: rhyax

rhyax — Sat, 31 Jan 2004 12:16:41 -0800

I use apple's keychain program

By: nicwolff

nicwolff — Sat, 31 Jan 2004 12:27:52 -0800

I MD5 hash the name of the domain or server or whatever with my secret word to generate a unique password for each site using this little Javascript thing I wrote.

That way I just have to remember one master password, and each site or server gets a different password so I don't have to worry about renegade admins borrowing my identity. And I can use it from any computer anywhere on the Net, and I don't have to worry about losing a password list.

By: majick

majick — Sat, 31 Jan 2004 12:41:12 -0800

Tally up another vote for the plain text file encrypted with GPG. It's not that secure, since the private key resides on the same spindle as the text in question instead of on removable media I keep on my person at all times, but since all I must remember is my pass phrase, it's good enough for me.

By: jessamyn

jessamyn — Sat, 31 Jan 2004 13:18:05 -0800

I have a two-tiered password system. Insecure, for logging in to the NYTimes, Friendster and whatnot, and secure for banking, paypal, Ebay etc. The insecure one is one of two. The secure one is one of four that rotate OR when absolutely necessary to have one that is unique [often sites have special requirements that render my other ones unusable] I use a mnemonic to make new ones using the first letters of whatever song line is stuck in my head at the time, alternating upper/lower case, special character at the end. So, The Goats song that has the line that goes "I'm not your typical American" becomes iNyTa! and I can write, in plaintext, either the song artist and title, or, more likely, the first two characters in some unobtrusive way that doesn't say "THIS IS A PASSWORD HINT". New York Times - iN for example. In any case, I never write the password down, I only leave myself clues to it, based on weird "only I know what I am talking about" codes. I am pretty lucky that I can usually get my first name as a login nearly anyplace with less than a million users.

By: signal

signal — Sat, 31 Jan 2004 14:01:02 -0800

keyboard typing patterns.
that's all I'm gonna say.

By: turbodog

turbodog — Sat, 31 Jan 2004 14:21:11 -0800

I've been using MultiPad for quite a while. Basically it encrypts text notes into a simple hierarchical structure. It hasn't been updated in years, though, and its homepage seems to be gone.

By: keswick

keswick — Sat, 31 Jan 2004 14:49:23 -0800

Palm Tungsten. eWallet. Any questions? :)

By: yerfatma

yerfatma — Sat, 31 Jan 2004 14:55:08 -0800

Password Safe. As for Access databases, I would just mention that MS password protection is pretty crap at best.

By: vacapinta

vacapinta — Sat, 31 Jan 2004 15:12:14 -0800

That's awesome, nicwolff. I think I'm gonna start using your method (for 'insecure' passwords) The problem I see with all the 'encrypted file on a computer' options is that its not very portable.

By: Alylex

Alylex — Sat, 31 Jan 2004 16:14:25 -0800

Oh, but it is portable with a PDA. I use SplashID, which syncs nicely between Mac and Palm.

By: Tubes

Tubes — Sat, 31 Jan 2004 16:20:16 -0800

I use a swell little free utility called Passkeeper (Windows). It's tiny, quick, stable & handy.

By: _sirmissalot_

_sirmissalot_ — Sat, 31 Jan 2004 16:21:34 -0800

I write them down in a notebook next to my computer.

By: majick

majick — Sat, 31 Jan 2004 19:49:10 -0800

"not very portable."

A legitimate concern, and one that should inform your decision how to protect your passwords and key store. For me, I'm rarely in a place where I can't SSH to my data store from a semitrusted client, and if I am, it's exceedingly unlikely that I'll need access to my password list or be willing to expose my passwords to an untrusted host.

If portability were a requirement for me, though, I'd certainly be looking into one of these PDA based schemes.