Password manager for someone who can't install a password manager?
November 19, 2020 9:47 AM   Subscribe

I would like to manage my passwords, but at work I can't install anything. How can I still get passwords?

Here's my situation. Currently we have no password manager. It's kind of a mess, and a huge inconvenience if there's a compromise. Work is the tough use case. I can't install a personal password manager there, and can't have a cell phone. I could log into a website and, like, have someone else with my phone give me a code or similar literal games of telephone, but it would have to be an uncommon thing, at most once a month. I'm willing to keep the "high-value" passwords (bank, Google account, etc.) offline on paper but I need something to keep track of strong passwords for the other hundred accounts I have. I do have web space that I could use for security by obscurity. I think (please correct me if I'm wrong) that it would be better to have a random Google Doc or similar with all the low-value passwords than re-use passwords.

At home we have all Macs and iOS devices, so I think iCloud keychain would work for that, but we do use Chrome, Firefox, and Safari. Ideally we'd have one-click access from our home devices, but that's negotiable.
posted by anonymous to Computers & Internet (20 answers total) 3 users marked this as a favorite
 
You could use a bookmarklet that combines the site name with a master password to generate a strong password. You don't need to store anything and you only need to remember one password.
posted by kindall at 9:51 AM on November 19


I use 1Password, and I can access my password vault online using only my master password (I also needed a longer key for 2FA when I set it up, but that's a one-time thing and can be saved using a printed document).
posted by mosst at 9:53 AM on November 19


Also, I suspect the answer is "no", but it's worth asking: is keeping your passwords on an encrypted flash drive an option?
posted by mosst at 9:55 AM on November 19


Roboform also allows you to access your passwords by logging into their web site.
posted by SuperSquirrel at 9:58 AM on November 19


Consider that any work computer that you use may have tracking and keylogging software installed, and IT may be monitoring data traffic.

I would be wary of keeping any passwords on or accessing them through a work computer or workplace network.

If there is a way around using your cell phone, you could keep an encrypted note in the iOS Notes app.
posted by They sucked his brains out! at 10:07 AM on November 19 [3 favorites]


Firefox has a built-in password manager and a sync option that lets you connect it with your other devices. I work for Mozilla, so I'm definitely not a disinterested observer here, but I think it works pretty well.
posted by mhoye at 10:11 AM on November 19 [5 favorites]


How frequently do you need to use your personal passwords at work? This might be simpler if instead of thinking of "passwords", you split it into "work passwords" and "personal passwords".

Do you have Google Chrome at work? Then you can use the password manager that's built into that. If you can log in to a Google Account within the browser, then you can also sync those to other devices through your google account. Despite my employer not officially supporting a password manager, this is how I store my work passwords. I have the Chrome autofill/autosave disabled on all my personal devices, and use it only at work, but still have access to the passwords on a personal device if needed. I only store work passwords and default passwords for work equipment in that Google Account.

(On preview, looks like Firefox could be used similarly.)

For my personal passwords, on my personal equipment, I use a dedicated password manager app, which I can install and configure as needed. This is not installed on my work machine, which means that there's no way for someone at work to gain access to my personal passwords.
posted by yuwtze at 10:14 AM on November 19


LastPass vaults are available via web browser (at work) or autofill/oneclick (at home) and can be set to use grid 2FA
Grid Multifactor Authentication is an option for those who do not want to utilize mobile devices. With Grid Multifactor, you will print a sheet that is used to look up specific matching values when logging in to LastPass, and provide a code derived from your Grid to log in and access your account when prompted by LastPass.
posted by Mitheral at 10:15 AM on November 19 [4 favorites]


Bookmarklets like SuperGenPass might work.

Purely offline solutions:

- A paper Password Notebook can map from site to whatever you encode your passwords as (or maybe just store raw passwords and avoid all the security theater I'm linking below)
- Printed cards with random text, stick it in your wallet or a rolodex, record the row/column in the big Notebook. This is my favorite here, as without the card, the notebook is useless.
- Diceware for generating passwords, you could store just the numbers for higher security and hide the wordlist in a safe or locking drawer.
- Paper password recovery scheme?

I vaguely remember that there used to be a scheme for taking a master password ("SUPER SECRET") and the site (metafilter.com) and interleaving them in different ways to make site specific passwords: ("SmUePtEaRf iSlEtCeRrET"). I'm not finding anything, it's been a decade.

Relevant links:

- Is there a method of generating site-specific passwords which can be executed in my own head?
posted by Anonymous Function at 10:26 AM on November 19


I'm using Keepass and it is available as a portable installation, meaning it's just an .exe that runs without installing anything. If you can store files or access flash drives (and run an .exe) this will work.
posted by SweetLiesOfBokonon at 10:49 AM on November 19 [1 favorite]


In the past I've used the password generator page from ss64.com for this. You enter a master password and it uses that plus the site name to generate strings of characters. The code is implemented in javascript, so all the calculations are done on your machine.
posted by VeritableSaintOfBrevity at 10:52 AM on November 19 [3 favorites]


Bitwarden has a web based vault, browser extensions, and (at least an IOS) app.
posted by sm1tten at 11:21 AM on November 19 [2 favorites]


Seconding Anonymous Function, I combine a standard beginning and a standard ending with the site name, adding up to a strong password.

It works well, but it gets complicated if a site requires you to change the password. In that case, the original version of the password doesn't work any longer. In that situation, you can add "second version" or "third version" etc to your template, and then try all of those, in order, until you hit on the correct changed password.
posted by JimN2TAW at 11:22 AM on November 19


I work in an office that has similar restrictive policies on workstations (or at least had - this was back before COVID forced them to allow remote work) - cannot install anything, Chrome is pre-installed but cannot log in to it, DEFINITELY no USB devices, often no cell phone access, etc. The best solution I could find for personal accounts was to use LastPass with 2FA grid authentication via a web browser. It's far more cumbersome than a built-in password manager but it's the only secure option I found that worked.
posted by photo guy at 12:07 PM on November 19


I've been using Keepass on a USB stick at work for years, exactly as SweetLiesOfBokonon says. Works for me. I have the same password file on a couple of Macs using KeepassXC and on a couple of i-devices using Keepassium. The benefit of Keepass for me was exactly that there was no web storage or sharing.
posted by Logophiliac at 12:26 PM on November 19


In the past I've used the password generator page from ss64.com for this

Another vote - have confirmed that it does not send any information off of your computer, it allows you to use any string in conjunction with your password (not just the stock site names) and you can also save a local copy (just saving an html file, no installation, so it may bypass your work safeguards) so that should a malicious entity somehow capture that domain later and change its functionality, it won't affect your use. Plus once you have a local copy, you can open it in notepad and change some of those stock strings to ones you use more often, even without having any real understanding of the underlying code (I certainly don't).
posted by solotoro at 1:41 PM on November 19


I could log into a website and, like, have someone else with my phone give me a code or similar literal games of telephone, but it would have to be an uncommon thing, at most once a month.

If you are assuming you have to have 2 factor authentication to use the web interface for most password managers, that is not the case. I can log into my LastPass with just the password on a webpage. They may push to install a browser extension but you can say No.
posted by soelo at 8:15 AM on November 20


When using untrusted computers, like at work, it is best to use 2FA otherwise a keylogger can compromise your account.
posted by Mitheral at 10:40 AM on November 20


You could use a bookmarklet that combines the site name with a master password

Bookmarklets like SuperGenPass might work

In the past I've used the password generator page from ss64.com for this

I literally invented this – see e.g. the credits at the bottom of https://ss64.com/pass/ – and I use the iCloud Keychain now for most passwords, and a locked Apple Notes note for the others.

The main problem is that it can only make one password for a given site, so if you have to rotate one, or one is compromised, you have to switch to another system for that one, and remember that you've done so.

But for non-high-value passwords it still might be suitable; the current version of mine is here.
posted by nicwolff at 9:21 PM on November 20


I’m in a similar situation as you.

At work I use the LastPass bookmarklet to automatically fill in my username and password. You can’t add new usernames and passwords (or edit them) using a bookmarklet, but it’s good enough. No special privileges needed.

On my personal devices I either use the Lastpass mobile app or the Chrome extension.
posted by mr_silver at 1:29 AM on November 21


« Older Abstract sculpture toy sets?   |   Mouse proof automatic cat feeder? Newer »

You are not logged in, either login or create an account to post comments