Help me do passwords like I should.
November 22, 2013 7:18 AM

So, I was one of many people to have my adobe account information leaked. Though I know I shouldn't, I use that same password on lots of different accounts. I've changed them on the important ones, but how do people possibly keep the dozens of passwords for every different website straight?

My technique in the past has been to have 3 levels of passwords. The strongest being for bank/financial websites, one for suspect stuff like Facebook or tiny random websites, and then my "regular" password. It's a strong one with numbers, characters, uppercase, but that really doesn't matter when it'll be leaked everywhere.

I realize the strongest technique is to have absolutely no overlap of passwords. Not to mention my given name is pretty unique, I use the same internet handle lots of places, and my emails are all variations on my given name or username. A determined person could easily string them all together.

I know programs exist that generate a random password, save it in a personal encrypted database, and you use one password to unlock that database whenever you'd like to sign into something. This sounds fine for a person using one personal desktop. But most of the time I'm using a work computer or a mobile device. I can't see it being practical to wait to go home, turn on my laptop, etc every time I want to buy something on Amazon, for example. Thumbdrives are forbidden at the office too, not that this would work with my phone.

posted by fontophilic to Computers & Internet (37 answers total) 38 users marked this as a favorite
Best answer: You're looking for LastPass or 1Password.
posted by samhyland at 7:20 AM on November 22, 2013 [10 favorites]

I use LastPass and absolutely love it. It stores everything in the cloud, so when I'm at work I just use a browser with the LastPass plugin. Also, it works on my Android phone. (I think that requires a $12/year subscription.) I have been using it for 3-4 years, and when I got notified that my Adobe password had been leaked, it didn't matter AT ALL.
posted by getawaysticks at 7:20 AM on November 22, 2013

Sorry, to clarify: both of those offer a mobile app. I personally use 1Password and sync it between my phone, tablet and two computers.
posted by samhyland at 7:21 AM on November 22, 2013 [1 favorite]

Password managers. I use KeePass, but there are a bunch of others -- LastPass is what my Mac-using friends use. KeePass generates tough passwords, and can handle specific requirements or disallowed characters.

Best not, in general, to use browser password storage -- it's a big target and they've had security problems in the past.

I store my password file in Dropbox so I can easily sync it to my phone and other mobile crap, and also access through the web if I'm at a strange computer.
posted by Sunburnt at 7:22 AM on November 22, 2013 [2 favorites]

I use KeePass and store the encrypted password file in a Dropbox account that is synced between my work computer, home computer, and cell phone.

If you can't install Dropbox or KeePass on your work computer, a browser-based cloud solution like LastPass would also work, although I agree they are a huge security target.
posted by muddgirl at 7:25 AM on November 22, 2013

I use KeePass just fine from multiple locations (home, work, phone) by saving my password file In The Cloud (*jazz hands*). It's also dead easy to sync encrypted password files that have been saved in two different locations. Give it a try. And seriously don't ever use the same password in two places like ever. Stop that right now.
posted by trunk muffins at 7:30 AM on November 22, 2013

I use LastPass for work accounts and 1Password for personal accounts. In my opinion 1Password is vastly superior, if you only need Mac and iOS support. I find LastPass clunky and buggy in comparison. However, it's functional, and if you need cross-platform support, it's probably a good option. I don't have my 1Password installed on my work computer, but I have it on my phone, so if I need to login to a personal account at work I just look up the password on my phone and type it in. I could install 1Password there, but I don't really want all of my personal passwords sitting on my employer's computer...
posted by primethyme at 7:31 AM on November 22, 2013

I must reference XKCD

My vote goes for LastPass. I've been using it for a while and it just works.
posted by nostrada at 7:32 AM on November 22, 2013 [4 favorites]

What happens if you're using a program like LastPass or 1Password and you want to do something as simple as checking your Facebook account from a friend's computer? Wouldn't that be a huge problem?
posted by Spiced Out Calvin Coolidge at 7:33 AM on November 22, 2013

Also I should add, I have found using a password manager to be incredibly convenient and awesome! No more, "Hmmm.... was my username Muddgirl or Muddgirl1997?? Did I use my weak password or my mid-level password or did I have to add extra random characters to get past their security requirements?" etc. There are minor annoyances (having to login to a separate program, making sure I add new websites vs. getting lazy, sometimes websites have ridiculous rules that make it hard to auto-generate passwords).
posted by muddgirl at 7:33 AM on November 22, 2013

If you're on Android then KeePass is a thing you should check out. Sync through Dropbox and you're good to go.
posted by theichibun at 7:38 AM on November 22, 2013

I use PasswordSafe paired up with Dropbox -- it has native clients for all operating systems and mobile devices, and Bruce Schneier helped with its development and uses it, so... points there.

Spiced Out Calvin Coolidge: "What happens if you're using a program like LastPass or 1Password and you want to do something as simple as checking your Facebook account from a friend's computer? Wouldn't that be a huge problem?"

In that situation I would just unlock my iPhone, launch the pwSafe app and type in my main password to unlock it -- then browse to the Facebook entry and uncover the password and type it in manually on the friend's computer. If I know I'm going to be typing in passwords a lot manually, I'll get PasswordSafe to generate an easy-to-read password (no I's and 1's, for example) to make it less of a hassle.

And honestly, you'd be surprised how easy it gets to remember a totally random password when you've typed it in a few times-- it's like being back in the pre-cellphone era :)
posted by Static Vagabond at 7:41 AM on November 22, 2013

I think my husband uses Keepass and Dropbox and he can access his passwords anywhere (phone, computer, etc.).
posted by AllieTessKipp at 7:43 AM on November 22, 2013

1Password is really slick on the Mac — and if you sync to Dropbox, it includes a simple web-accessible JavaScript app you can get to from any browser (if you can remember the path).

Now, I'm all about KeePass, as it's cross-platform (Linux, iOS, Mac OS, Windows, Android), free and reliable. I've stuck with the older KeePass 1.x branch, as the new version is less portable and has database features I don't need. It's a bit less well integrated than 1Password, but you get used to it. You can also (temporarily) display all your logins sorted by password so you can see and fix the duplicates.

Apart from a few annoying ones (banks, why do you insist on simple 8-char only passwords?) I have no idea what any of my passwords are. I've had KeePass generate them and store them. I've never seen them.
posted by scruss at 7:52 AM on November 22, 2013
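As an added illustration (not code from any commenter, nor from KeePass or 1Password themselves) of what the generators discussed above do: a CSPRNG-backed generator that honours per-site composition rules and disallowed characters, an easy-to-read mode that drops look-alike characters (Static Vagabond's point), and scruss's "sort by password to find the duplicates" check run over a constructed sample vault.

```python
import math
import secrets
import string
from collections import defaultdict

# Characters that are easy to confuse when a password is read off a phone
# screen and typed by hand on another machine (the "easy-to-read" option).
AMBIGUOUS = set("Il1O0|")

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def generate(length=20, required=("lower", "upper", "digit", "symbol"),
             disallowed="", easy_to_read=False):
    """Return a random password drawn from the OS CSPRNG via `secrets`.

    required     character classes that must each appear at least once
                 (for sites with composition rules).
    disallowed   characters the site refuses; pass the symbol set here
                 when a site allows only letters and digits.
    easy_to_read drop visually ambiguous characters.
    """
    banned = set(disallowed) | (AMBIGUOUS if easy_to_read else set())
    pools = {name: [c for c in chars if c not in banned]
             for name, chars in CLASSES.items()}
    if any(not pools[name] for name in required):
        raise ValueError("a required class has no allowed characters")
    if length < len(required):
        raise ValueError("length too short to satisfy the requirements")
    alphabet = [c for pool in pools.values() for c in pool]
    # One guaranteed character per required class, the rest from the union.
    chars = [secrets.choice(pools[name]) for name in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # CSPRNG-driven Fisher-Yates shuffle so the guaranteed characters do not
    # always sit at the front (random.shuffle is not cryptographically safe).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, alphabet_size):
    """Upper bound on the entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def find_reused(vault):
    """Group vault entries by password and return only the passwords used on
    more than one site, so the duplicates can be found and changed."""
    by_password = defaultdict(list)
    for site, _username, password in vault:
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items()
            if len(sites) > 1}


# Constructed sample vault (site, username, password); not real credentials.
SAMPLE_VAULT = [
    ("adobe.example", "fonto", "Tr0ub4dor&3"),
    ("shop.example", "fonto", "Tr0ub4dor&3"),
    ("bank.example", "fonto", "bank-only-password"),
]

if __name__ == "__main__":
    print(generate())
    print(generate(12, disallowed=CLASSES["symbol"], easy_to_read=True))
    print(round(entropy_bits(20, 95), 1), "bits")
    print(find_reused(SAMPLE_VAULT))
```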

On the topic of the vulnerability of browser-based password managers, I didn't mean to refer to password services that're entirely online (I'm not familiar with their problems, if any), but rather the problem of having your browser itself remember the passwords. All modern browsers will store passwords for sites if you let them, and Chrome (at least) can commute these passwords to other Chrome browsers if you log in to both. These are, as I said, a big target, and I've heard talk of Chrome vulnerabilities in particular.

In any case, having access to passwords when you're offline is a nice thing. Since Dropbox doesn't sync its entire contents to mobile devices, my smartphone's Dropbox is sometimes out of date, so I have to remember to update it after making changes elsewhere. (However, you're mostly using passwords to access online functions in general, so it's mostly not a problem.)
posted by Sunburnt at 7:52 AM on November 22, 2013

Best answer: All the choices mentioned are great (1password, Keepass, and LastPass) and using any of them is better than nothing.

A few random points about using LastPass and 1Password remotely that I didn't see mentioned elsewhere... (ignoring Keepass because I've never used it)

LastPass and 1Password both let you access passwords remotely without installing anything. With LastPass, you just log into their website to get your password. If you use Dropbox sync, 1Password can store a "1Password Anywhere" HTML file in your Dropbox public folder so you can easily visit a URL within your Dropbox to access your passwords from within your browser. In theory, I imagine you could also copy that 1Password file to a server of your own.

Both LastPass and 1Password also have the Chrome and Firefox extensions to handle auto-filling, and I've found many "work" computers will let you install extensions without any issues. However, 1Password's extension also requires you to have a copy of 1Password installed and a copy of your keychain stored locally on the computer, and installing full software is probably not an option for most office workers. (This restriction also means that the 1Password experience kind of sucks on devices like Chromebooks, which can't install local software, limiting you to the "1Password Anywhere" HTML file.)
posted by cvp at 7:53 AM on November 22, 2013 [1 favorite]

I can cover those points for KeePass: It's free, it's on a lot of platforms* including Windows, OSX, a million flavors of *nix, Android, and probably, but not positively, iOS.

KeePass runs local applications only, so if you want to commute the passwords from platform to platform, you have to handle the commuting yourself. (USB drive, dropbox-like service, etc.) KeePass does not have browser plugins, but it can auto-type into applications, or you can move things through the copy/paste buffer (which it clears automatically after a short length of time). It also lets you generate passwords that you (or someone watching your screen) will never see in the application, FWIW.

*Some of those platforms are using unofficial apps. That may alarm some people.
posted by Sunburnt at 8:00 AM on November 22, 2013

Ugh, I don't want to give away my secrets, but this is the exact way I do passwords, and it is unique to each site, and easy to remember.
posted by St. Peepsburg at 8:00 AM on November 22, 2013 [4 favorites]

My password system is this: first three letters of the website, followed by three letters I have chosen, plus three numbers I have chosen.

So if my selected letters are abc and my numbers are 123 it would work like this: metabc123, gmaabc123

And so on. So I always remember my password, but they are unique on every website. When sites require a special character, I just add ! to the end, which is annoying. So you could just automatically have a special character at the end of your password system.

Hope this helps -- it has served me very well!
posted by AppleTurnover at 8:16 AM on November 22, 2013 [3 favorites]

Nth-ing KeePass 1.x + Dropbox. I'm mostly Mac & iOS, so I use KeePassX on OSX and MiniKeePass on iOS. Random password generated separately for every site, occasionally using the "Pronounceable" generation mode for passwords that I use often enough that I'd rather be able to enter them from memory than have to cut and paste every time. (E.g., for Steam, Apple ID, etc.)

Would also highly recommend turning on 2-factor authentication for anything that allows it (mainly Google, but a few others are following their lead).
posted by McCoy Pauley at 8:36 AM on November 22, 2013

I modify very long passages from books, plays, poetry, songs, etc. Very easy for me to remember, very difficult to guess or to crack.
posted by erlking at 8:37 AM on November 22, 2013

In case you get the impression that 1password is only for Mac and iOS, I've got it installed on my Windows computer at work as well as my Mac at home. They sync through Dropbox. Note, I did have to buy it more than once for multiple platforms, but I'm OK with that, and as I've got a smartphone, I don't *need* a version at work, since I can call my password up on the phone.

(I had a PC at home when I started using 1password, and bought it for that, then got rid of that and got a Mac, so bought it again and transferred my PC license to my work computer.)
posted by telophase at 8:38 AM on November 22, 2013

FWIW, I use SplashID myself.
posted by StrawberryPie at 8:51 AM on November 22, 2013

I've come up with a super secure trick. Write down all your passwords with a trick and keep it in your wallet or a small notebook you carry. So one piece of knowledge can make stealing your list useless. Here are some sample tricks.

1. Add three garbage characters at the end, so flannel14DuckBBx becomes flannel14Duck
2. Add a J somewhere in there and never type J in passwords, so JuiceboxSkiing!!6 becomes uiceboxSkiing!!6
3. Double the first number, so pigCheese37.f becomes pigCheese337.f

I'm sure you can think of more, but it's low tech and the added trick gives you simple peace of mind.
posted by advicepig at 8:55 AM on November 22, 2013

KeePass for anything important.

For stuff I prefer not to get compromised, but if it does it's not the end of the world, I use a formula similar to but not exactly this: (short, 'l33t sp33k' translated word) + 09 + (last four letters of the site). For example: c@ts09lter would be my password for this site and c@ts09dobe would be my password on Adobe.

For something I absolutely don't care about but requires me to use a password, I use "password".
posted by Gev at 9:00 AM on November 22, 2013

Maybe something like this would help?

I use LastPass, FWIW, and the passwords I keep in there are generated similarly to AppleTurnover's system.
posted by chazlarson at 10:38 AM on November 22, 2013

I've used LastPass for a long time on PCs, Macs, and iPhones and I like it. It's easy to use, they have good support, and they continually update and improve the product.
posted by Dansaman at 12:06 PM on November 22, 2013

I use LastPass and I'm very pleased with it. Make sure you absolutely do not forget your main password, though. If you can't remember it they can't reset it so you have to delete your account and re-create it (and lose all your saved data). (Yes, I did set my mom up with it and she did forget her main password. Nothing important was lost but it was a good lesson.)
posted by kassila at 1:02 PM on November 22, 2013

Nthing AppleTurnover's method.
posted by mon-ma-tron at 6:49 PM on November 22, 2013 [1 favorite]

I'm sure you can think of more, but it's low tech and the added trick gives you simple peace of mind.

Peace of mind, sure, but that is a false sense of security.

Use a password manager (I like 1Password), and use it to generate very long random passwords. Crank it up to 40 characters because why not.

Please ignore anyone telling you to use a formula to make a password that you can remember. If a human can remember the password or spot the pattern for how it is generated, it is NOT strong enough. AppleTurnover's system is a terrible idea, as an attacker can follow that logic and try citabc123 for Citibank, and repeat for each major bank until they get in. Plus, no matter how random it is, 8 characters is way too limited, such that any combination of 8 characters is easily brute-forced.

Also, realize "security questions" are just another password and feel free to use random generated passwords for them as well, and record the answers in your password manager. I use the notes section, and no one will guess my first boss was KdPxWiM@26CxwA&uXan(M$zFdf. I keep these answers unique to each site.

Be sure to record a way to get at your password manager to avoid a catch-22. If it's on Dropbox, for example, and you have a randomly generated Dropbox password, then if your one computer is stolen or dies you can't get into Dropbox to get the rest of your passwords.

You will need a password you can remember for your password manager's master password as well as your primary email account. I suggest a long password based on something obscure but easily memorized by you. For example take your favorite song Call Me Maybe and say the lyrics in your head:

It's hard to look right
At you baby,
But here's my number,
So call me, maybe!

while you type your 18 character password Ih2lrayb,bhm#scm,m!

(Yes I'm contradicting myself that a human can remember it, but you must remember your master password.)

Feel free to embellish it with numbers and symbols. Poetry, movie quotes, song lyrics, etc make good fodder for this method.
posted by ridogi at 9:41 PM on November 22, 2013 [2 favorites]

When passwords are cracked, they are usually cracked en masse and automatically by software. They aren't cracked by people who sit around studying how people chose their passwords. No one is going to see, for instance, yahmtv316 on Yahoo and think "Oh, that person obviously uses the first three letters of the website + MTV + 316" and then start trying that for Citibank. It just looks like a random string of characters. No one would know that's how I do my passwords unless I told them. Not to mention they'd have to know my username. For my banks and for my primary email address, I use a different username than I use on random websites. If there are two things I wouldn't want cracked, it's my email and my bank account, so they have unique usernames. My method, frankly, is awesome. I've never had anything hacked yet and I always remember my passwords.

*mtv316 is not what I use. Just FYI.
posted by AppleTurnover at 12:18 AM on November 23, 2013 [1 favorite]

AppleTurnover, the collective ingenuity of attackers will target your method in the near future if they don't already. An attacker targeting you will certainly figure it out.

If my account is on a site that is the victim of a breach I'd rather have my 40 character password instead of your 8 character one. Depending on how well the site handled security only part of the list may be compromised. Why volunteer to be part of the low hanging fruit for attackers?

There are tons of ways into your identity. For example what about your recovery email for your primary email. How strong is that password?
posted by ridogi at 6:43 AM on November 23, 2013

Actually, studies show that complicated passwords aren't actually that helpful because most breaches are not brute force attacks. Basically, you shouldn't use the same password everywhere because a human could try it everywhere (or software could automatically try it with the same username on other sites), but when it comes to security a 40-character string isn't all that much better than an 8-character one. Companies like Google and others are exploring using dongles and hardware keys as passwords. There will probably be a time in the future where we don't use simple passwords for important things like banking. So I really disagree with what you're saying. If you do some research on strong passwords or complex passwords, you will see that they are only marginally better than simple ones. They will only help against brute force, which are uncommon attacks. I'd do some research before making the kind of statements you're making. It doesn't behoove OP to make his/her life more difficult with crazy-long passwords. OP just needs a unique password for every site and a way for it to be easy to remember or manage. That's it. My record speaks for itself -- I have used my system for 10+ years and I've never lost access to an account or been hacked, but I always remember my passwords.
posted by AppleTurnover at 1:05 PM on November 23, 2013 [1 favorite]

1Password is great.
posted by conrad53 at 9:53 PM on November 23, 2013

My record speaks for itself -- I have used my system for 10+ years and I've never lost access to an account or been hacked, but I always remember my passwords.

That isn't proof, it's an anecdote about luck.

My system is even easier: I use software to generate and remember the passwords for me.

when it comes to security a 40-character string isn't all that much better than an 8-character one

This is laughably and demonstrably false. We are depending on the sites to use best practices, so sometimes plain-text passwords are leaked, which is the only time 8 vs 40 characters doesn't matter. If hashed passwords are revealed and they need to be brute forced, the attacker likely won't crack all of them, just the easy ones. They will likely crack all 8-character passwords. As for my 40-character password, it depends on how determined they are and how they are hashed. That also gives the company more time to let me know there was a compromise so I can change my password.

More info can be had at Ars, Wired, and Ars again.

As you can see, especially from that last article, it is becoming more and more possible to crack longer and longer passwords. I'd prefer to have an unlikely-to-be-cracked one than a definite hit.

Using a password manager to generate unique, random passwords isn't a guarantee of your password not being cracked (as you're also depending on various web services to do proper security on their end), but in the current environment it is your best defense. Passwords might become obsolete in the future, but they are what we have now and not using unique, random, strong passwords is foolish.

2-factor authentication such as that offered for specific services such as Google and Dropbox is a good addition, but of course isn't a guarantee.
posted by ridogi at 9:27 PM on November 24, 2013
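As an added illustration (not from any commenter) of the 8-versus-40-character argument above: a small model of how long exhaustive search takes depending on whether the breached site stored passwords in plain text, with a fast unsalted hash, or with a slow KDF. The guess rates are labelled assumptions, and the breach dump is constructed; it only models uniformly random passwords, since formula-based ones fall to rule-based guessing long before exhaustive search matters.

```python
import math

# Illustrative attacker guess rates (guesses per second) by how the breached
# site stored passwords. Order-of-magnitude assumptions, not measurements.
GUESS_RATES = {
    "plaintext": math.inf,  # nothing to crack: the dump *is* the passwords
    "fast_hash": 1e10,      # unsalted MD5/SHA-1 on a GPU rig (assumption)
    "slow_kdf": 1e4,        # bcrypt/scrypt/PBKDF2 at a high cost (assumption)
}

PRINTABLE = 95  # printable ASCII symbols a random password can draw from


def keyspace_bits(length, alphabet=PRINTABLE):
    """Size of the search space for a uniformly random password, in bits."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length, storage, alphabet=PRINTABLE):
    """Worst-case time to try every password of this length (on average the
    attacker succeeds after half that; the conclusions do not change)."""
    rate = GUESS_RATES[storage]
    if rate == math.inf:
        return 0.0
    return 2 ** keyspace_bits(length, alphabet) / rate


def recovered_within(dump, storage, budget_seconds):
    """Which users of a breach dump an attacker with a fixed time budget can
    expect to recover by exhaustive search. The 'just the easy ones' effect:
    short random passwords fall, long ones survive the same dump."""
    return sorted(user for user, length in dump
                  if seconds_to_exhaust(length, storage) <= budget_seconds)


def human(seconds):
    """Render a duration for reading (days up to a month, then years)."""
    if seconds == 0:
        return "none needed"
    if seconds < 86400 * 30:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (86400 * 365.25):.3g} years"


# Constructed sample dump: (username, length of that user's random password).
SAMPLE_DUMP = [("alice", 8), ("bob", 12), ("carol", 40)]

if __name__ == "__main__":
    month = 30 * 86400
    for storage in GUESS_RATES:
        print(storage, "-> recovered within a month:",
              recovered_within(SAMPLE_DUMP, storage, month))
    for length in (8, 12, 40):
        print(length, "chars, fast hash:",
              human(seconds_to_exhaust(length, "fast_hash")))
```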

Response by poster: So thanks all for the help so far.

I started off with 1Password this weekend and have run into a bit of a road block.

I run Mountain Lion (10.8) at home, and my work computer is stuck at Lion (10.7.5).

1Password 4 is only for 10.8+. It seems I can install 1Password 3 but the databases aren't compatible, and neither are the browser plug ins.

I already committed to buying the ($17!?) iOS app, so hopefully there's a workaround. Any idea how I can downgrade my 1Password 4 database? Doubtful that would work with the iOS app...

I'd also appreciate any general tips on how to go about changing all of these passwords.

For instance, changing my Apple ID password threw off my iMessage registration on my laptop, which could only be re-registered through a call to Apple Care. (but this was possibly because I had been a beta tester? Unsure.) Changing my gmail password means I need to take that password to every device that I use with my google calendar, etc. It's generally been a huge pain.

And, AppleTurnover, while I don't really expect to be a target of a hacking of epic proportions, I do think someone could figure out a system like that if they were dedicated enough. And if I'm mucking up all of this stuff anyhow, I might as well do it right.
posted by fontophilic at 5:57 AM on November 25, 2013

The 1Password database is compatible between 3 and 4. I ran 4 on one of my computers for a little while before updating the others.

You can use 3 on both computers and that is still compatible with the latest version of the iOS app.

If you disable Chrome's syncing of extensions you can have the two versions of the extension, one at work and one at home. Only necessary if you keep 4 at home.

When you change a password on a site you should be prompted to update your existing 1Password login item. If not, the password you just generated is on your clipboard so you can paste it into the login item. There isn't any getting around the work of doing it, so start with the important ones and handle a few each day.
posted by ridogi at 8:51 AM on November 25, 2013
