Comments on: Online password storage, crazy or stupid?

Question: Online password storage, crazy or stupid?

The Radish — Tue, 04 Sep 2007 08:18:56 -0800

Where can I store my passwords online safely?

95% of the places I need passwords are on the web, so it is the most practical solution for me. Additionally I frequently find myself on different OSes and computers that are not mine.

Agatra seems to be what I want but I only know what I read in the FAQ. I found them through a Google search so I really don't know anything about them.

Does anyone have any recommendations? Is anyone else doing this? Am I crazy or stupid for thinking about trying this? How much trouble would I be in if the password site was compromised? I assume they would be storing my passwords as hashes (or whatever) so I wouldn't be too exposed if they were compromised (again assuming they are actually doing what they claim).

By: fusinski

fusinski — Tue, 04 Sep 2007 08:22:38 -0800

Nowhere.

Seriously.

By: radgardener

radgardener — Tue, 04 Sep 2007 08:24:28 -0800

http://ask.metafilter.com/33609/How-can-I-store-my-passwords-online-securely

This previous AskMetafilter thread settled on GMail.

By: damn dirty ape

damn dirty ape — Tue, 04 Sep 2007 08:32:36 -0800

This is the best idea in the thread: Write them down and put them in your wallet.

By: Burhanistan

Burhanistan — Tue, 04 Sep 2007 08:36:13 -0800

The best advice I think I've seen on this is that it is ok to write them on paper, but then you should guard that paper as if it were a piece of monetary currency with a large denomination.

By: damn dirty ape

damn dirty ape — Tue, 04 Sep 2007 08:41:39 -0800

Also you can add a layer of trickery into the paper. Lets say all your passwords start with your dogs name. Instead of writing "Mittens123" you can just write m123 as the password field. instead of writing www.chase.com username: 8377127127 password: Mittens666 you can write:

bank, username social, pass m666

In other words treat it like crib notes. Keep the real list at home safely locked up or buried in a layer of encryption.

The paper should be useless to a non-determined attacker.

By: Leon

Leon — Tue, 04 Sep 2007 08:45:19 -0800

USB key on a keyring, with a copy of Firefox Portable. Of course, if you lose your keys you're screwed.

By: Freaky

Freaky — Tue, 04 Sep 2007 08:48:56 -0800

If you're expecting to get the passwords back, they won't be storing them as hashes, since they're non-reversible. They could be stored encrypted with you just giving them a master password to decrypt them, which may be "secure enough" if you have sufficient trust in them and/or your passwords aren't *that* critical.

Something like this might be a good solution. It's a public chunk of Javascript you can bookmark; you have the browser execute it and feed it a master password, and it generates a site-specific password for whatever site you're on using a cryptographic hash function.

By: fogster

fogster — Tue, 04 Sep 2007 08:49:57 -0800

I agree with putting them in your wallet. Now I have a Palm app to do it (Keyring), but in the past, I carried a short list of passwords and PINs in my wallet. I figured if I lost my wallet, having someone know my e-mail password was the least of my problems.

A few things you can do to make it more secure:

- Don't write down what the passwords go to.

- If you do write down what they go do, don't put them in the right order. (Example: in high school, I had to remember three different combinations. I listed all three on a sheet of paper, and labeled each one, but the actual combination was the one on the line below the lock name.

- Disguise them. PIN numbers become phone numbers in the local area. (E.g., if your bank code is 1234, you might have "Work fax number: 555-1234" scrawled on a slip of paper and stashed in the back of your wallet.) Or, subtract one from them, and you could even put "ATM PIN Code: 1233." Only you would think to add one to the number.

But really, I think even if you don't do any of these little 'tricks,' a slip of paper in your wallet is pretty secure.

By: The Radish

The Radish — Tue, 04 Sep 2007 09:00:54 -0800

Let me clarify a bit. The piece of paper thing seems like a hassle, it seems kludgey and I'll loose it, or more likely send it through the washing machine. Additionally I'm making an effort to rotate my passwords more frequently. This piece of paper could get unwieldily pretty quick as I change my passwords. The problem with a USB key (or some mobile phone app) is if I loose or beak it I'm screwed. The idea of having it online gives me some reassurance that it will always be there. The G-mail idea for some reason makes me really really uneasy.

By: fogster

fogster — Tue, 04 Sep 2007 09:07:57 -0800

The problem is that storing passwords at any online service is inherently unsafe. You have to trust that, not only will no one break into the account, but also that the site admin is trustworthy. You're essentially trusting some random website with all of your passwords.

Even if I hosted the script that stored them, I'd worry about security flaws and someone obtaining access. The advantage with something like an e-mail account with the 'big guys' (GMail, Yahoo, Hotmail...) is that it's rather unlikely that they'll 'turn bad' and start reading your stuff.

By: Nelson

Nelson — Tue, 04 Sep 2007 09:08:54 -0800

For computers that are mine, I store my passwords in Firefox and use Google Desktop to sync them between computers. I also use pwdhash as a simple way to securely use the same password on a lot of sites. pwdhash is a bit of a pain without the Firefox extension, but it's simple and works.

By: bonaldi

bonaldi — Tue, 04 Sep 2007 09:11:56 -0800

If your passwords make sense to you, just keep in plaintext what that meaning is. So if your password is hon3ybe4r after your first teddy bear, just put "numbered first teddy" in the document. Then it doesn't need to be kept secret.

By: electriccynic

electriccynic — Tue, 04 Sep 2007 09:21:49 -0800

Personally, I just have a personal seven-character code (eg Date of Birth, zipcode, whatever), and append the middle two-letters of the website to the end or beginning, or scatter it throughout the password.

Ta-da - an ever-changing password for each website which only you know, and can easily remember.

By: damn dirty ape

damn dirty ape — Tue, 04 Sep 2007 10:04:56 -0800

Ok, there's a difference between storage and easy retrieval. If you just want to store this thing you can make a truecrypt file with a big password.

If you just want to make this incredibly easy to retrieve make a text file with all your passwords. Zip it. Use zip's built in password protection. Choose a VERY GOOD password (note: it ignores anything past 8 characters, so make the first 8 count*). Any computer, anywhere can open an encrypted zip file. Windows, linux, and osx do this natively. Put the zip file on your webspace. Download it and open it as needed. Make changes as needed. When done wipe it from the computer (shift delete on windows). dOnt leave it in the recycling bin.

Thats not a perfect solution but good enough for everyday users.

*Make the first 8 count:
Bad password: dogfood12374662178247!11($*@
good password: !d0gf@@d

By: geminus

geminus — Tue, 04 Sep 2007 10:26:48 -0800

Clipperz? (Disclaimer: never used it, probably wouldn't either... But it does exactly what you want. YMMV).

Surprised that no one has suggested Keepass yet. There are ports to Linux/Mac/Palm although it is primarily a Windows application.

There is also a portable version which will work from your USB key.

I hate the idea of online storage for passwords, but I would consider mailing the encrypted password file to myself on Gmail. My master password is reasonably lengthy and not easily guessable or cracked (I hope).

By: philomathoholic

philomathoholic — Tue, 04 Sep 2007 10:50:04 -0800

Instead of storing it in Firefox Portable, or in a Truecrypt vault, you could store it in an encrypted message vault. It's just an html file with javascript (that every browser on every OS can read). If you lose your USB key it's still encrypted with 128-bit AES, so you won't be screwed.

Or you can store the vault in your webspace somewhere and download it to wherever you need it. The only thing that will be left in the browser's cache is a secured webpage (that other people can't read without the password). Or you can store it in Gmail, so that it isn't world accessible (so that people aren't trying to hack into the file). Be sure to still set a strong password for it though.

Personally, what I have set up is a wiki on my home computer for this and other stuff. Every time I need something from it, I create an ssh tunnel to the server and view it with portable firefox. This would work with linux or osx too, because all I need is ssh and a browser.

By: philomathoholic

philomathoholic — Tue, 04 Sep 2007 10:58:50 -0800

For an actual online service, try kyps. It's designed to circumvent key loggers and whatnot.

By: a robot made out of meat

a robot made out of meat — Tue, 04 Sep 2007 11:28:38 -0800

Putting sensitive data on someone else's computer is inherently risky. That said, I tend to put passwords in a plain text file (without notes on what they go to), then encrypt it with an easily available piece of software. I can back up that encrypted file in as many places as I like; the password on it tends to be super strong. EG, my server, an external HD, a flash key, and a multi session disk.

For my flash drive I tend to use dscrypt; for the things that I leave on my server and access remotely, I use pgp/gpg. There probably exists a nice portable windows gpg, I just don't know what it is. I'm unlikely to lose all the backup media at once. I can take them with me anywhere, or ssh to my server if I somehow don't have my key.

By: theora55

theora55 — Tue, 04 Sep 2007 12:27:43 -0800

I use a standard password, which is a word cut in half, with numbers inserted, i.e., geo11rge, geo96rge, etc. I keep a list of sites, with just the number, i.e., mefi=66. Some passwords I email to gmail. George was a great dog we had when I was a kid, and is not my password.

By: dmd

dmd — Tue, 04 Sep 2007 14:25:59 -0800

Another hash service: Passwordmaker.

By: nicwolff

nicwolff — Tue, 04 Sep 2007 20:58:19 -0800

Hey, that's my password generator that Freaky linked to up there; it really solves this problem well. But if you're just starting with it you should use this improved version which uses SHA-1 instead of MD5 for hashing, base64 instead of hex for encoding, and adds "1a" to the end of all passwords so they work at sites that require a letter and a number.

(All those other password hash services got the idea from me! Here's an old InfoWorld column that includes a screencast showing how it works.)

By: CuJoe

CuJoe — Wed, 05 Sep 2007 01:48:37 -0800

I just recently started using Clipperz.com and I like it. From what I understand from using it, they just store a file that is locally (done in your browser and not on the server) encrypted/decrypted. The only danger would be a keylogger, which would always be a danger with using a computer to do anything with passwords. A quote from their site says "Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded. The key for the encryption processes is a passphrase that never gets sent or saved to the server! Therefore no one except you can access your data."

They offer up their code for you to download to check it for flaws, security or otherwise (http://www.clipperz.com/learn_more/reviewing_the_code).

Most useful for me is the fact that you can download an offline copy where your stored info is stored in its encrypted state into an html file that works exactly like the website with the exception that you can't store new info. Whenever I make an update to my info, I create a new offline copy and Gmail it to myself.

I am in no way affiliated with the site other than as a user. They were just the first site that seemed to do secure info management somewhat securely in a manner useful to me.

By: philomathoholic

philomathoholic — Thu, 06 Sep 2007 17:01:36 -0800

FYI, Cujoe: What you describe about saving the file, is exactly what the html file I linked to does. Except, it'll let you add new info also. To review the code, just 'View Source'.

By: abpsoftware

abpsoftware — Fri, 02 May 2008 09:28:41 -0800

NeedMyPassword.com is the absolute best site for password storage. I am not just saying that because I am the developer. It is really easy to use and you can change the setting to "Super Secure" and no one is going to get in.

Give it a try, it is absolutely free!