Online password storage, crazy or stupid?
September 4, 2007 8:18 AM   Subscribe

Nowhere.

Seriously.
posted by fusinski at 8:22 AM on September 4, 2007

http://ask.metafilter.com/33609/How-can-I-store-my-passwords-online-securely

This previous AskMetafilter thread settled on GMail.
posted by radgardener at 8:24 AM on September 4, 2007

This is the best idea in the thread: Write them down and put them in your wallet.
posted by damn dirty ape at 8:32 AM on September 4, 2007

The best advice I think I've seen on this is that it is ok to write them on paper, but then you should guard that paper as if it were a piece of monetary currency with a large denomination.
posted by Burhanistan at 8:36 AM on September 4, 2007

Also you can add a layer of trickery into the paper. Lets say all your passwords start with your dogs name. Instead of writing "Mittens123" you can just write m123 as the password field. instead of writing www.chase.com username: 8377127127 password: Mittens666 you can write:

bank, username social, pass m666

In other words treat it like crib notes. Keep the real list at home safely locked up or buried in a layer of encryption.

The paper should be useless to a non-determined attacker.
posted by damn dirty ape at 8:41 AM on September 4, 2007

USB key on a keyring, with a copy of Firefox Portable. Of course, if you lose your keys you're screwed.
posted by Leon at 8:45 AM on September 4, 2007

If you're expecting to get the passwords back, they won't be storing them as hashes, since they're non-reversible. They could be stored encrypted with you just giving them a master password to decrypt them, which may be "secure enough" if you have sufficient trust in them and/or your passwords aren't *that* critical.

Something like this might be a good solution. It's a public chunk of Javascript you can bookmark; you have the browser execute it and feed it a master password, and it generates a site-specific password for whatever site you're on using a cryptographic hash function.
posted by Freaky at 8:48 AM on September 4, 2007

I agree with putting them in your wallet. Now I have a Palm app to do it (Keyring), but in the past, I carried a short list of passwords and PINs in my wallet. I figured if I lost my wallet, having someone know my e-mail password was the least of my problems.

A few things you can do to make it more secure:

- Don't write down what the passwords go to.

- If you do write down what they go do, don't put them in the right order. (Example: in high school, I had to remember three different combinations. I listed all three on a sheet of paper, and labeled each one, but the actual combination was the one on the line below the lock name.

- Disguise them. PIN numbers become phone numbers in the local area. (E.g., if your bank code is 1234, you might have "Work fax number: 555-1234" scrawled on a slip of paper and stashed in the back of your wallet.) Or, subtract one from them, and you could even put "ATM PIN Code: 1233." Only you would think to add one to the number.

But really, I think even if you don't do any of these little 'tricks,' a slip of paper in your wallet is pretty secure.
posted by fogster at 8:49 AM on September 4, 2007

The problem is that storing passwords at any online service is inherently unsafe. You have to trust that, not only will no one break into the account, but also that the site admin is trustworthy. You're essentially trusting some random website with all of your passwords.

Even if I hosted the script that stored them, I'd worry about security flaws and someone obtaining access. The advantage with something like an e-mail account with the 'big guys' (GMail, Yahoo, Hotmail...) is that it's rather unlikely that they'll 'turn bad' and start reading your stuff.
posted by fogster at 9:07 AM on September 4, 2007

For computers that are mine, I store my passwords in Firefox and use Google Desktop to sync them between computers. I also use pwdhash as a simple way to securely use the same password on a lot of sites. pwdhash is a bit of a pain without the Firefox extension, but it's simple and works.
posted by Nelson at 9:08 AM on September 4, 2007

If your passwords make sense to you, just keep in plaintext what that meaning is. So if your password is hon3ybe4r after your first teddy bear, just put "numbered first teddy" in the document. Then it doesn't need to be kept secret.
posted by bonaldi at 9:11 AM on September 4, 2007

Personally, I just have a personal seven-character code (eg Date of Birth, zipcode, whatever), and append the middle two-letters of the website to the end or beginning, or scatter it throughout the password.

Ta-da - an ever-changing password for each website which only you know, and can easily remember.
posted by electriccynic at 9:21 AM on September 4, 2007

Ok, there's a difference between storage and easy retrieval. If you just want to store this thing you can make a truecrypt file with a big password.

If you just want to make this incredibly easy to retrieve make a text file with all your passwords. Zip it. Use zip's built in password protection. Choose a VERY GOOD password (note: it ignores anything past 8 characters, so make the first 8 count*). Any computer, anywhere can open an encrypted zip file. Windows, linux, and osx do this natively. Put the zip file on your webspace. Download it and open it as needed. Make changes as needed. When done wipe it from the computer (shift delete on windows). dOnt leave it in the recycling bin.

Thats not a perfect solution but good enough for everyday users.

*Make the first 8 count:
Bad password: dogfood12374662178247!11($*@
good password: !d0gf@@d
posted by damn dirty ape at 10:04 AM on September 4, 2007

Clipperz? (Disclaimer: never used it, probably wouldn't either... But it does exactly what you want. YMMV).

Surprised that no one has suggested Keepass yet. There are ports to Linux/Mac/Palm although it is primarily a Windows application.

There is also a portable version which will work from your USB key.

I hate the idea of online storage for passwords, but I would consider mailing the encrypted password file to myself on Gmail. My master password is reasonably lengthy and not easily guessable or cracked (I hope).
posted by geminus at 10:26 AM on September 4, 2007

Instead of storing it in Firefox Portable, or in a Truecrypt vault, you could store it in an encrypted message vault. It's just an html file with javascript (that every browser on every OS can read). If you lose your USB key it's still encrypted with 128-bit AES, so you won't be screwed.

Or you can store the vault in your webspace somewhere and download it to wherever you need it. The only thing that will be left in the browser's cache is a secured webpage (that other people can't read without the password). Or you can store it in Gmail, so that it isn't world accessible (so that people aren't trying to hack into the file). Be sure to still set a strong password for it though.

Personally, what I have set up is a wiki on my home computer for this and other stuff. Every time I need something from it, I create an ssh tunnel to the server and view it with portable firefox. This would work with linux or osx too, because all I need is ssh and a browser.
posted by philomathoholic at 10:50 AM on September 4, 2007

For an actual online service, try kyps. It's designed to circumvent key loggers and whatnot.
posted by philomathoholic at 10:58 AM on September 4, 2007

Putting sensitive data on someone else's computer is inherently risky. That said, I tend to put passwords in a plain text file (without notes on what they go to), then encrypt it with an easily available piece of software. I can back up that encrypted file in as many places as I like; the password on it tends to be super strong. EG, my server, an external HD, a flash key, and a multi session disk.

For my flash drive I tend to use dscrypt; for the things that I leave on my server and access remotely, I use pgp/gpg. There probably exists a nice portable windows gpg, I just don't know what it is. I'm unlikely to lose all the backup media at once. I can take them with me anywhere, or ssh to my server if I somehow don't have my key.
posted by a robot made out of meat at 11:28 AM on September 4, 2007

I use a standard password, which is a word cut in half, with numbers inserted, i.e., geo11rge, geo96rge, etc. I keep a list of sites, with just the number, i.e., mefi=66. Some passwords I email to gmail. George was a great dog we had when I was a kid, and is not my password.
posted by theora55 at 12:27 PM on September 4, 2007

Another hash service: Passwordmaker.
posted by dmd at 2:25 PM on September 4, 2007

Hey, that's my password generator that Freaky linked to up there; it really solves this problem well. But if you're just starting with it you should use this improved version which uses SHA-1 instead of MD5 for hashing, base64 instead of hex for encoding, and adds "1a" to the end of all passwords so they work at sites that require a letter and a number.

(All those other password hash services got the idea from me! Here's an old InfoWorld column that includes a screencast showing how it works.)
posted by nicwolff at 8:58 PM on September 4, 2007

I just recently started using Clipperz.com and I like it. From what I understand from using it, they just store a file that is locally (done in your browser and not on the server) encrypted/decrypted. The only danger would be a keylogger, which would always be a danger with using a computer to do anything with passwords. A quote from their site says "Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded. The key for the encryption processes is a passphrase that never gets sent or saved to the server! Therefore no one except you can access your data."

They offer up their code for you to download to check it for flaws, security or otherwise (http://www.clipperz.com/learn_more/reviewing_the_code).

Most useful for me is the fact that you can download an offline copy where your stored info is stored in its encrypted state into an html file that works exactly like the website with the exception that you can't store new info. Whenever I make an update to my info, I create a new offline copy and Gmail it to myself.

I am in no way affiliated with the site other than as a user. They were just the first site that seemed to do secure info management somewhat securely in a manner useful to me.
posted by CuJoe at 1:48 AM on September 5, 2007

FYI, Cujoe: What you describe about saving the file, is exactly what the html file I linked to does. Except, it'll let you add new info also. To review the code, just 'View Source'.
posted by philomathoholic at 5:01 PM on September 6, 2007

NeedMyPassword.com is the absolute best site for password storage. I am not just saying that because I am the developer. It is really easy to use and you can change the setting to "Super Secure" and no one is going to get in.

Give it a try, it is absolutely free!
posted by abpsoftware at 9:28 AM on May 2, 2008

« Older How to get freshmen college st...   |   How much space do I need to st... Newer »

This thread is closed to new comments.