

Password heck
January 3, 2008 6:58 AM

Any advice for a tri-platform, multi-computer, maybe not hashed, password manager for a large volume of ftp/ssh and misc logins?

I have a lot of various logins I need to keep track of. Most are ftp/ssh so I use kde's network connections manager, and things like keychain in osx. The problem is that if used as the main storage, the passwords are hashed and basically unrecoverable. Using the same machine or operating system all the time is not an option. And of course these things are not linked together in any sane way; it's a matter of remembering to enter them at the same time in three places.

Wiki type solutions are probably out, as I do not want to be storing all my sensitive information under one potentially insecure password, online. I have considered flat text files (which takes care of my misc logins) but this seems almost as bad. Any methods, scripts, or advice would be greatly appreciated.
posted by shownomercy to Technology (18 answers total) 3 users marked this as a favorite
 
Replace FTP with SCP, and use public keys instead of passwords. Store the private key on a USB device on your keyring.

Lodge a second copy of the private key somewhere safe.
posted by Leon at 7:09 AM on January 3, 2008


I keep a list of accounts in a Word document. Not the passwords, just the accounts. Whenever I get a "your password is about to expire" message on any system I use, I change all the passwords in the list. This accomplishes several things: it makes sure I regularly change passwords, it keeps the passwords all the same (so there is only one I need to memorize), and it makes me log into systems that I might not regularly use otherwise to keep those accounts current so they aren't deleted from lack of use. (There are some that I don't use a lot, but need them once in a while).

Since there is no password information written down anywhere (they exist only in my head), I don't worry about people trying to hack into my accounts.

It's not very sophisticated, but it takes me about 10-20 minutes to update them all, maybe every couple of months or so.
posted by Doohickie at 7:12 AM on January 3, 2008


Flat text on an encrypted thumb drive? TrueCrypt (Windows + Linux) is open source and can make encrypted devices or containers. If you have an older thumb drive lying around - small capacity, otherwise useless - turn it into a portable password manager, by dropping TrueCrypt on it and saving all passwords / logins in an encrypted file on the device.
posted by caution live frogs at 7:15 AM on January 3, 2008


Although it's as low-tech as you can get, many people just keep a notecard in their wallet with their passwords on it. You already protect your wallet, and you carry it everywhere. Also, in the rare event that you get mugged, the chances that the thief is a 1337 h4x0r who has any use for your passwords is next to zero.
posted by burnmp3s at 7:34 AM on January 3, 2008


Thank you all so far... these solutions all add a bit of security and flexibility although so far nothing completely solves the problem (stupid MISC).

As far as encrypted thumb drive, wouldn't I need to wait for an osx version of truecrypt?

I like the notecard suggestion, but I'm already in notebook realm. Or in need of better reading glasses.
posted by shownomercy at 7:37 AM on January 3, 2008


I store web passwords in a copy of Firefox Portable on a thumb drive, but I only use Windows desktops... assuming that the file format is the same across OSes, would it be possible to store just Firefox's settings on a thumb drive?
posted by Leon at 7:51 AM on January 3, 2008


I would look into using KeePass. I think--think--you might be able to have an instance running on each computer you use, and store the encrypted database on a flash drive.
posted by malaprohibita at 8:03 AM on January 3, 2008


If you're using a Palm PDA, you might want to try Keyring, which has a passel of desktop conduits (Java, native Windows, Jpilot (UNIX desktop client, which can be compiled on all three platforms) and others). The passwords are stored hashed on the handheld, and it comes with a built-in password generator to assist you in staying away from not-exactly-random (Hello, WOPR!) passwords.
posted by Orb2069 at 8:06 AM on January 3, 2008


I use SplashID on my Palm Pilot for encrypted account and password storage. As Palm is withering away, you can pick up a low end Palm for cheap these days. It's not an ideal solution but at least I've been sticking with it, it's secure, and it's backed up.
posted by chairface at 8:08 AM on January 3, 2008


Funny, but I just walked in the door from Staples a minute ago. I went and picked up an address book and some Avery labels, to keep my accounts and PWs in hard copy (labels just to avoid unreadable handwriting down the line!). I had been using SplashID, but it can only exist on one of the three computers I use on a regular basis, and I was getting worried about losing it in a crash.
posted by NotMyselfRightNow at 8:16 AM on January 3, 2008


Single, GPG-encrypted text file, synchronised with Unison, viewed and edited using GNU Emacs crypt++ mode. Works perfectly across a Linux box and two 'doze boxen.

Now can someone explain why I find the use of the word "heck" for "hell" so upsetting? :-)
posted by denishowe at 8:21 AM on January 3, 2008


Keepass. Free software keeps all your passwords in a single password protected file. Has Windows, Linux, and Mac versions, as well as a "portable" version for jumpdrives, and support for PalmOS, PocketPC and Symbian devices.

I've used it on Windows and Linux boxes, and it's simple and does exactly what it says it does. Also adds organization to your passwords, allowing you to group them in folders. Works great for me.
posted by cgg at 8:28 AM on January 3, 2008


A couple of products that might be of interest are Roboform's Pass2Go (www.roboform.com/pass2go.html) and Protecteer's SignupShield (www.protecteer.com/asp/home.asp). Both are available for U3 type flash drives (see http://software.u3.com/softwarecentral.aspx?skip=1). There are also some aftermarket biometric devices in the market, as well as some (fingerprint scanners) built into some laptops.
posted by Dansaman at 8:34 AM on January 3, 2008


I use KisKis, which you can find through freshmeat. It seems to work pretty well. Since it's a Java application, it should be platform neutral, though I have not tried it on anything but Linux.
I know that I have it installed on my USB drive and it works fine from there. I would keep copies of the database file, though, on more stable storage than the USB drive.
posted by vilcxjo_BLANKA at 9:10 AM on January 3, 2008


New version of TrueCrypt with support for OS X is scheduled to be released this month. So if you want to go that route, you should not have to wait very long.
posted by caution live frogs at 11:23 AM on January 3, 2008


I'm going to go ahead and third Keepass. I now run around all day with a thumbdrive on my keys, which has all my passwords on it. Every so often I copy the KDB files over to gmail, and my PCs, in case of the worst.

I can't imagine not using it anymore. I literally remember no passwords, because they're all stupidly long gobbledygook. And that's just perfect.
posted by Smoosh Faced Lion at 11:47 AM on January 3, 2008


I use firefox to save my passwords and authenticate me automatically on my home computer. Like NotMyselfRightNow I also write my passwords down in an address book for archival purposes:

http://www.internetpasswordorganizer.com/
posted by Finsta at 11:54 AM on January 3, 2008


Don't store your passwords anywhere. Remember one robust password and generate (and re-generate) the others as needed.
posted by nicwolff at 2:35 PM on January 3, 2008
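
The "remember one password, regenerate the rest" approach from the answer above, sketched as an added example that is not part of the thread or of any tool its posters use. The PBKDF2/HMAC construction, the character set, the `counter` parameter and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Constructed character set (74 symbols); adjust to each site's password rules.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
ITERATIONS = 200_000  # assumed work factor; slows guessing of the master password


def derive_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Deterministically derive a per-site password from one master password."""
    if not master or not site:
        raise ValueError("master and site must be non-empty")
    # Normalise the site label so ' Example.COM ' and 'example.com' agree.
    # The counter (hypothetical) lets one site's password be rotated alone.
    label = f"{site.strip().lower()}:{counter}".encode()
    # Stretch the master password; the site label acts as the salt.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), label, ITERATIONS)
    # Reject bytes >= limit so every alphabet symbol is equally likely.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    block = 0
    while len(out) < length:
        # Expand the key into as many pseudo-random bytes as needed.
        stream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in stream:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs: nothing is stored, only recomputed on demand.
    for host in ("ftp.example.com", "ssh.example.org"):
        print(host, derive_password("constructed master passphrase", host))
```

Nothing is stored, but anyone who learns the master password can recompute every derived password, and a site that forces a change means remembering which `counter` value it is on.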

