What the hell do you do about passwords?
April 16, 2004 6:07 AM

I am not exaggerating when I say I probably have 50 places that require passwords, ranging from brokerage accounts (very mission-critical) to various news site logins (trivial, but inconvenient if lost). How do you manage your passwords? You're supposed to make them hard to guess. You're not supposed to use the same password all the time. You're not supposed to write them down in one place, or store them in one place on your PC. You're not supposed to change login forms to GET so you can bookmark the logins. I do all these things. I want to start over with an integrated solution, either tech or not, that blends security and convenience in one frothy beverage.
posted by stupidsexyFlanders to Computers & Internet (36 answers total)
 
I have three passwords.

My throwaway, insecure site password (i.e. a message board);
my official but unimportant site password (i.e. NYT);
and my important-stuff password, which is the most complex (i.e. e-mail, FTP).

You ought to find a ton of good answers here, though.
posted by rafter at 6:15 AM on April 16, 2004


My integrated solution breaks a big rule -- don't use the same password -- but only for non-important sites/tasks.

I have one password for day-to-day use and new, trivial web site sign ups. For all the online newspapers, and other online content providers, I have one password. For Amazon, Ebay, etc, I have another, more sophisticated password. For banking, my computer, and other non-trivial areas, I create unique passwords that run on a general theme, while still being sophisticated enough to prevent anyone guessing.

No birthdays, or special dates of any kind.

I also use Mozilla, which is a bit better than IE at tracking passwords for web sites.
posted by o2b at 6:20 AM on April 16, 2004


Response by poster: Eh, asked and answered. Sorry.
posted by stupidsexyFlanders at 6:22 AM on April 16, 2004


First, break your passwords up into categorized groups as rafter has mentioned. Vital passwords get changed the most often and throwaway the least often.

Second, the easiest way to create secure memorable passwords is to base them off of phrases. Think of a short phrase that is relevant to the password category and make sure to include uppercase, lowercase, numbers and misc. characters as below.

Financial Password:
IamDAMN!nearBROKE&I*ONLY*have$5bucks!

The capitalized I's and the emphasis on damn, broke, and only are easy for me to remember but relatively secure as they include multiple character sets.

Work Password:
Mybossisa*TOTAL*loser.HesmellsNASTY@work!

If you hate your boss and he always has coffee breath, I guarantee you that you won't forget a password like the one above.

The trick is to keep your passwords categorized, semantic, varying in character usage, and relevant to the subject at hand.
posted by yangwar at 6:29 AM on April 16, 2004


I write down my passwords in a book. At some point I'm going to get a little safe to put them in, but for now I figure if someone has broken into my house and is rummaging through the debris around my computer I have bigger things to worry about.

BTW, our policy at work is that writing down passwords is OK, as long as they stay in a safe and are treated as Classified material.
posted by JoanArkham at 6:31 AM on April 16, 2004


But good to see, as I'd missed the earlier thread. I'm kind of in the same boat. I use the same two or three passwords everyplace...and one difficult thing is remembering which of the two or three passwords I've used to register at a given site.

I also make sure that none of my passwords are words that'd be in the dictionary.
posted by Vidiot at 6:32 AM on April 16, 2004


What yangwar said.

Also, I've been using PassKeeper for Windows for a few years and am perfectly content with it. Freeware/donationware, tiny and stable.
posted by Tubes at 6:34 AM on April 16, 2004


My approach is like o2b's: I have 4 "tiers" of passwords. None of them are actual words, but they're all easy for me to remember and almost meaningless to everyone else. They should be resistant to "dictionary attacks," so don't use, well, words in a dictionary.

Mix case, use "leetspeak" (zero for o, that sort of thing), intersperse with punctuation. Note that some websites have limits on the characters you can use--must be at least so long, or must not be too long, or must not use punctuation marks--so have an automatic fallback (eg, if you use !, always use 1 as the fallback character).
posted by adamrice at 6:40 AM on April 16, 2004


This is my solution. With this, I have a different password for every site, and no dictionary passwords.

First, I take a word: Belmont (I smoke Belmont cigarettes, and they're right next to my keyboard, so they're the example word.)

Then, I leet-ify the word:

b3lm0nt

Then, I add a site-specific suffix/prefix to the word, based on what site needs the password. If it's Metafilter, it might end up like this:

mb3lm0ntf (mf = metafilter)

(or)

mb3lm0nth (mh = mathowie)

For the NYT, it might look like this:

nyb3lm0ntt

Thus, even if someone gets a hold of one of my passwords, it'll only work on that site.
posted by Jairus at 6:50 AM on April 16, 2004


At work I just keep them all jotted down in a .txt file which I keep well-hidden, although I don't really have to, because no one at my place of employment knows how to do anything with the computers except me. It's unbelievable. No one can resize a browser window, close one, move one over, do a search for anything, find their email, open the recycle bin, bookmark a website...the list goes on and on. These are all people in their 20s, 30s, and 40s.

They all know how to buy stuff from Amazon.com though.
posted by iconomy at 6:50 AM on April 16, 2004


between my wife and i we generally have three password classes - the usual, more secure one we only use for important stuff, and then plain ol' simple ones for remembering preferences on websites, etc. we know each other's usual logon name, and given three guesses can generally pick the password, as we keep the number of options low for easy remembering (variations on a theme - start with base password, then try changing first or last letter to digit, substitute letter-looking digit for letter, etc.) finally i have some Important Work Passwords that i keep to myself. i like to find something important to me and then find an obscure way to reference it, often with a coded version (like say for example if i was a big fan of citrus fruit i might use "#00ff00" as a password - html color code for lime. just so long as it's an indirect reference to something that not many other people would think of, even if they know me.)

limiting the number of base passwords i use, but changing the way i type them, allows me to guess the password if i happen to forget, while still maintaining separate passwords for different sites.

mozilla remembers it all for me anyway, which makes it easy for me (as long as nobody steals my laptop, anyway). has anyone tried setting a master password for mozilla? i haven't played with this - i imagine it's a pass you enter once per session, without which it won't fill in any other passwords for you?

but we do have a pad of paper at home with the important ones scribbled on it, and this is kept where we can find it in an emergency.
posted by caution live frogs at 6:57 AM on April 16, 2004


I have three layers:

A semi-anonymous free email account I use for annoying web registrations. They all get the same password.

My "serious" and work registrations in my real name all get another password.

My important and financial logins (ebay, the bank, the broker), all have separate, long logins, usually some leet-speak version of a phrase.

And then, because I never met a trend I didn't like, I write all of them down in my moleskine.
posted by bonehead at 6:58 AM on April 16, 2004


I use the same approach others use, having a mix of "real" passwords and throw-away ones.

I also keep them in a memo in my Palm Pilot, but rather than writing down the actual site, username, and password, I just write down clues to make it easy to remember them. That way if somebody finds my Palm Pilot they won't be able to figure anything out. Example:

Site/User/PW

Mefi/bc/Gr3

Means on Metafilter my username is Bondcliff and my password is the kid from 3rd grade who I will never, ever forget. The little bastard.

(For those of you dying to take on the identity of Bondcliff, that is not my actual password)
posted by bondcliff at 7:03 AM on April 16, 2004


Am I the only person who doesn't write down their passwords, or use some kind of password manager?
posted by Jairus at 7:07 AM on April 16, 2004


Jairus, I'm in the same boat as you except I do keep a gpg encrypted file for my very seldom used passwords. There are a few that I've only ever used once and weren't assigned by me. Those go in my encrypted file. My other passwords are a mix of random letters and numbers and 'l33tified words. I can't remember what day it is, to put the garbage out, to buy milk, to drink milk if I buy it, or to throw out milk if I remember to buy it but forget to drink or not to drink it if I bought it, forgot I bought it and didn't throw it out, but I can remember passwords :P
posted by substrate at 7:28 AM on April 16, 2004


I do something somewhat similar to you, Jairus; I use a personal code that makes every single password different, yet all I have to do is go to the site, and even if I can't remember whether I've registered, I can figure out what password I would have used if I did register. I have much more trouble with log-in names, since I might be taz, or taztaz, or taztaztaz (depending on what they will accept based on number of characters they want, and people who have already registered with my preferred user name), and with e-mail addresses used for log-in, because I can't always remember what email I might have used with what site...

Of course, I also have trouble with sites that issue you a password instead of letting you pick your own - these are the sites that most usually fall off my "used" list, because I just can't be bothered with looking it up every time.
posted by taz at 7:40 AM on April 16, 2004


I can't possibly remember passwords. That memory storage area is in use for the words to the theme song from Gilligan's Island.

As above, I have levels of password security. I use the same easy password for sites where security is insignificant. Some passwords, esp. at work, have to be changed often. My password scheme uses a "magic" word or phrase, i.e., maxheadroom. I split the word and add a number, and increment the number and some punctuation, i.e., maxh0001eadr][oom, maxh0002eadr][oom, etc. Like bondcliff, my notes say mefi/t/0002.
posted by theora55 at 8:06 AM on April 16, 2004


i'm pretty sure leet-speak is included in standard list-cracking dictionary tools, so i don't think it gives you more security.

i use the first letter of words in a phrase. so "another fucking site that wants a password" becomes "afstwap". also, at the lowest level, i have one standard phrase that i use with the site name, so they vary slightly from site to site. for topmost level passwords i also throw in punctuation marks.

(incidentally i once worked with someone - a very serious old man - whose password was "iwtmlty", which wasn't as opaque as he imagined, and amused us all :o)
posted by andrew cooke at 8:28 AM on April 16, 2004


Response by poster: I won't tell my login to you?
posted by stupidsexyFlanders at 8:34 AM on April 16, 2004


What taz said. I use a mnemonic on most sites so that I can remember passwords 99% of the time.

Say I create a login at a pet food site. What does pet food remind me of? I used to have a bird named Max, so I'll start with "maxthebird" as the password. Then I'll substitute in some characters, leet-speak style, and the final password will be something like "max+heb1rd". As long as I can remember the link between pet food and my old bird Max, I can remember the password.

The leet-speak is to protect against guessers more than crackers.
posted by falconred at 8:35 AM on April 16, 2004


I want to make love to you.
posted by bonheur at 8:43 AM on April 16, 2004


I have one password for everything and it is "PASSWORD". I can remember it easily.

Please do not read my e-mail.
posted by xmutex at 8:45 AM on April 16, 2004


andrew cooke, the l33tified words aren't for more security, it's for the compression. If you're forced to use say 8 characters at most (I've seen as low as 6) then long words don't have any randomness. If you can shorten the words by things like ate -> 8, or not -> 0, not -> !, or -> | and so on and throw in some random characters you're in ok shape. It's the random characters that foil the dictionary attacks. For my financial stuff I've got gobbledygook as passwords though.

The most likely time to find my password is just after I've changed it. The muscle memory stumbles over them and I type them in slow. Once I've used it a few times those random characters are typed without any slow down. Personally I try to look away as a courtesy when I'm in somebody's office and they're typing passwords.
posted by substrate at 8:50 AM on April 16, 2004
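To put numbers on the exchange between andrew cooke and substrate above, here is an added example (not code from any poster in this thread). It counts how many extra candidates a guesser has to cover when a dictionary word is leet-ified and case-flipped, and compares that with a uniformly random string of the same length. The substitution table, the 100,000-word dictionary size and the 72-character alphabet are constructed assumptions for the illustration.

```python
import math

# Constructed substitution table: the alternatives a guesser would try per letter.
# A real guessing tool's table is larger; this one is enough to show the scale.
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7+"}


def leet_variant_count(word: str, case_flips: bool = True) -> int:
    """Number of distinct strings needed to cover every leet-ified spelling of
    `word`: each letter contributes 1 (unchanged) + its alternatives, and a
    further factor of 2 per letter if the case may also be flipped."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(LEET.get(ch, ""))
        if case_flips and ch.isalpha():
            count *= 2
    return count


def dictionary_word_bits(word: str, dictionary_size: int, case_flips: bool = True) -> float:
    """Guessing entropy, in bits, of a leet-ified dictionary word:
    log2(dictionary size) + log2(number of leet/case variants).
    This is the upper bound a guesser faces who knows the scheme."""
    return math.log2(dictionary_size) + math.log2(leet_variant_count(word, case_flips))


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string over `alphabet_size` characters."""
    return length * math.log2(alphabet_size)


def compare(word: str, dictionary_size: int = 100_000, alphabet_size: int = 72) -> tuple[float, float]:
    """(bits of the leet-ified dictionary word, bits of a random string of the same length)."""
    return (dictionary_word_bits(word, dictionary_size),
            random_string_bits(len(word), alphabet_size))


if __name__ == "__main__":
    # Jairus's example word from earlier in the thread, as a constructed input.
    word_bits, random_bits = compare("belmont")
    print(f"leet variants of 'belmont' (with case flips): {leet_variant_count('belmont')}")
    print(f"leet-ified dictionary word: {word_bits:.1f} bits")
    print(f"random 7-char string:       {random_bits:.1f} bits")
```

The point the numbers make: leet substitutions and case flips multiply the candidate set by a few thousand (about 11 or 12 bits for a seven-letter word), which is the "protects against guessers, not crackers" distinction falconred draws, whereas the random characters substrate adds are what actually move the password out of dictionary range.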


I think I posted this in the previous thread, but I've solved this problem.
posted by nicwolff at 10:46 AM on April 16, 2004


I recommend PasswordWallet for Mac OS 9 and X, which holds my passwords, along with the login URL and a notes field. It uses the Blowfish encryption algorithm with 448-bit keys and can launch your site and enter your username and password for you. It also can generate random passwords for each entry. Incredibly handy and functions as a self-contained bookmarking and login system. There are similar programs on the PC.

I also recommend Yodlee for keeping track of banking, credit card and a few other sites.
posted by the biscuit man at 11:36 AM on April 16, 2004


ah, ok.
posted by andrew cooke at 11:38 AM on April 16, 2004


That password generator bookmarklet is fookin' awesome. Now the only problem will be remembering which sites I've used my old passwords on, and which I've used the bookmarklet on.
posted by kindall at 11:41 AM on April 16, 2004


I'm surprised that no one has mentioned PasswordSafe, an open source password wallet originally written by Bruce Schneier of Counterpane Labs fame. I've been using it for about a month now, and I like it a lot. It'll generate passwords for you, too.
posted by Daddio at 1:08 PM on April 16, 2004


Bonheur, that's so sweet.
posted by theora55 at 2:18 PM on April 16, 2004


Thanks kindall - the bookmarklet is cool but for some reason doesn't find the password fields on a lot of sites - just some stupid error in my JavaScript DOM hacking I'm sure. And as noted on its page, it's too long for stupid IE.

All these other solutions are OK but what if you are at someone else's computer? (E.g. me, now, at the Apple Store.) What if you lose the password file? &c.

Mine, you remember one really secret password, and generate the rest each time you need them. And you can use it from anywhere on the 'net, or since it's just JavaScript you can use it offline just by saving a local copy.

Really, I'd love to hear any good reasons to use a password-wallet instead, just to inspire me to improve my thing...
posted by nicwolff at 3:09 PM on April 16, 2004


In addition to the methods already mentioned, OS X's Keychain, Safari autofill, and "Forgot My Password" links also help me a lot.
posted by nakedcodemonkey at 3:18 PM on April 16, 2004


I do the same things as many people have mentioned here - different tiers of passwords, first letters of phrases, generation methods, etc - but for those really important, more or less random passwords that I don't have methods or mnemonics for, I do something that most people probably won't. A friend and I developed a cipher/code in sixth grade or so, and as far as I know, we're the only ones who know it - or maybe it's just me, as he's probably forgotten by now. The upshot is, I can pretty much just write down passwords and tape them to a monitor, or scratch them into the case, or whatnot, and be pretty sure that nobody will ever be able to figure out what they are, much less use them. Sometimes, being a huge nerd has its advantages...
posted by majcher at 4:14 PM on April 16, 2004


BTW, for some things, I'm still using a random-letter password that GEnie issued for an account I created there back in, like, 1987. Like all such passwords, it is completely unmemorable unless you make an extended, concerted effort to memorize it, as I did 15-plus years ago.

No, I don't use it for important things, just sites that require you to create an account and want a password. It's far too stale for anything else at this point, but dammit, I'm fond of it. Besides, it's fun to be able to type your password in front of a friend, with them watching you type it, and ask them a minute later what it was and see them draw a complete blank. "Uh, it started with P...?" "No."
posted by kindall at 4:32 PM on April 16, 2004


for really important stuff--online car payments, financial info, etc...i use passwords i can't even remember, and have to check my actual written list.

the passwords aren't labeled as such, but i put enough thought into it to ensure that the password offers me a clue as to where it belongs.

i used to carry my PIN number in my wallet, written as the middle part of a phone number for a girl.
posted by th3ph17 at 4:59 PM on April 16, 2004


Heh. Reminds me of a guy I worked with, who kept the alarm code for the building we worked in in his address book under the name "Al Armu."
posted by kindall at 5:42 PM on April 16, 2004


Well, I just looked back on my first comment and realized that it wasn't at all helpful in actually giving any tips (sorry!). If you come up with some kind of obtuse personal code that you can fairly - but not too - easily memorize the steps for creating, then it just can become a quick exercise. For example, for "MetaFilter", let's say your formula was: take the second and third letters of the name (et) add the total number of letters in the name (putting a zero in the first position if it is under 10) (10), take the last two letters of the name and put them in backwards (re), then add 4 (or any other number) to the total number of letters in the name (10+4=14). So the code for MetaFilter is et09re14. Yes, still a pain in the ass, but if you want to keep them in your head instead of written down or recorded anywhere, something like this works, and if you go through these steps for a few days it becomes quite quick.

The only thing is that in the first couple of days of using this you might not remember your method, so you do have to write down your formula at first. I'm not very worried about anybody looking over the mess of indecipherable personal notes that I have scattered about my desk, but if I were, I would probably write my reminder as marginalia in a crossword-or-other puzzle book, where I always have completely strange notations jotted down.
posted by taz at 8:15 AM on April 18, 2004
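nicwolff's bookmarklet and taz's hand-computed formula are the same idea: one secret you remember, plus a rule applied to the site name, yields a different password for every site with nothing stored. The following is an added example of the cryptographic form of that idea, written for this page; it is neither nicwolff's bookmarklet nor taz's formula. The output alphabet, the PBKDF2 round count, the fixed salt string and the sample master secret are all my assumptions.

```python
import hashlib
import hmac

# Constructed output alphabet. Real sites impose their own character rules
# (adamrice's point above), so a deployment would keep a per-site alphabet
# next to the per-site counter.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@"
PBKDF2_ROUNDS = 200_000  # assumption: work factor against offline guessing of the master secret


def _stretched_key(master_secret: str) -> bytes:
    """Turn the memorised master secret into a 32-byte key.

    The salt is a fixed constant on purpose: nothing is stored anywhere, so the
    scheme is reproducible from memory alone (the property nicwolff wants).
    The trade-off is that guessing the master secret offline is slowed only by
    the PBKDF2 work factor, not by a random per-user salt.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode("utf-8"),
        b"site-password-derivation-v1", PBKDF2_ROUNDS, dklen=32,
    )


def _byte_stream(key: bytes, label: bytes):
    """HMAC-SHA256 in counter mode: an unbounded stream of pseudorandom bytes
    bound to the key and the site label."""
    block = 0
    while True:
        yield from hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def derive_site_password(master_secret: str, site: str, length: int = 16, counter: int = 0) -> str:
    """Derive one site's password from the master secret.

    The normalised site name is mixed in through HMAC, so every site gets its
    own password, and because HMAC is one-way a leaked site password reveals
    nothing about the master secret or the other sites. `counter` is bumped
    when a site forces a change (theora55's situation); that small number per
    site is the only thing the user has to remember besides the master secret.
    """
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    label = f"{site.strip().lower()}|{counter}".encode("utf-8")
    key = _stretched_key(master_secret)
    # Rejection sampling: only bytes below `limit` are used, so every alphabet
    # character is equally likely. A plain modulo would favour the first
    # 256 % len(ALPHABET) characters.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    for b in _byte_stream(key, label):
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


def has_all_classes(password: str) -> bool:
    """Policy check a site might apply: upper, lower, digit and symbol present."""
    return (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password) and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret, not a real one
    for site in ("metafilter.com", "nytimes.com"):
        pw = derive_site_password(master, site)
        print(f"{site}: {pw}  (meets 4-class policy: {has_all_classes(pw)})")
```

Two caveats that apply equally to taz's formula and to the bookmarklet: the master secret is a single point of failure, since anyone who learns it and the rule can regenerate every password, and a site that rejects the generated characters or forces a change needs a per-site note (an alphabet or a counter) after all, which is exactly the bookkeeping a password wallet does for you. That is the fair answer to nicwolff's question about why one might prefer a wallet.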

