How do you keep track of all your passwords?
Personally I host a personal copy of clipperz [1], I used keepass [2] and passpack [3] in the past.
What password manager would you recommend, what features does it have that make it awesome?
Now at 70+ "answers" it's a pretty good bet that your favourite program is already mentioned. Upvote that if that's the case.
If you can't yet upvote, come back when you've gained enough reputation instead of posting a duplicate answer.
I use KeePass [1]. Features I like:
The big win for me was the cross-platform capability and the ability to export and import databases.
There's also an iPhone app [3] in the works (independent project, yay open source software!).
Those who want to store in the cloud can look into dropbox [4].
There's not a lot of Firefox plugins, but LastPass [5] will import from KeePass into Firefox.
[1] http://keepass.info/
LastPass [1] is a very nice solution.
It is an online password manager and form filler that makes web browsing easier and more secure.
That way, I always have all my passwords at hand.
Its security has been discussed at length [2]: it seems pretty solid on that front.
[1] https://lastpass.com/
Joel has a good post on password management [1]. You should check it out. Basically it's a combination of Password Safe [2] and DropBox [3].
[1] http://www.joelonsoftware.com/items/2008/09/11b.html
They all come with a free (limited) version and a full commercial version. I suggest you try the full version for the trial period and check if they fit your needs.
I have at least one full license of each. They are really worth the money you pay and the license is quite cheap.
I heard good words about KeePass [4] as well, but I never used it.
[1] http://agilewebsolutions.com/products/b/1Password
My password manager is my memory. I have a set of maybe half a dozen passwords I use for accounts on various websites. However, I won't use my online banking password on any other website.
I remember them. Wherever possible, I use OpenID.
If I forget, I use the "Forgot Password" option.
I follow a memorized formula. Since inventing this, I have never needed to use the "forgot your password?" links, and rarely write down a password.
My password for any site/machine/whatever is
(who)(1+)(2)(3-)8xy!R2(what)
where
(who) = who am I? 'd' for me (Daren) or 'r' for 'Root'. For a web CMS that I manage, I may have an account as a regular nonprivileged user, for which (who) would be 'u' for User.
(1+) = is the letter alphabetically following the first letter in the name of the site, company, machine or whatever. Always capital.
(2) = is the second letter of the name.
(3-) = is the letter alphabetically preceding the third letter in the name.
8xy!R2 is a fixed part. Many sites require a punctuation mark, digits, and a mix of capital and lowercase. I just memorize this.
(what) is 'm' for money-related sites like banks, 'f' for forums, 'b' for email (mailBox) accounts, etc.
Example: To log in the usual way at the Intergalactic Bozo Research Council (IBRC) user forum, the password is
dJBQ8xy!R2f
Password strength indicators are routinely impressed with the passwords created by this formula.
Once every year or so, I change the fixed part, and maybe switch from using (1+)(2)(3-) to (2)(3-)(4-), or put the (what) in front instead of the end. It's a lot of fun to go to every website I have an account with and change the password, for certain definitions of "fun".
A few oddball sites require peculiar passwords. Some from way back don't have a "change password" feature. Some don't allow punctuation marks, or make demands on the length. When I must write down a password, I obfuscate it: The first character is bogus, the first 'N' that appears isn't really there, every digit is one more than what is should be, and so on.
Of course, everything I say here is a lie. I'm not telling anyone the real rules. Make up your own!
I use Password Safe [1] in Windows and Password Gorilla [2] in Mac OSX and Ubuntu Linux. I like this solution because:
Note: I did get this suggestion from Joel Spolsky [3], although I'm not using the DropBox part.
[1] http://passwordsafe.sourceforge.net/
KeePassX [1] is a cross-platform clone of KeePass. Nothing beats having your passwords everywhere you go.
Ehtyar.
[1] http://www.keepassx.org/
On my MacBook, I use Apple's default Keychain application mostly. Other than that, my memory usually serves me just fine :)
Doesn't keep track, but supergenpass [1] algorithmically generates passwords based on the site domain you need a password for and a single master password.
[1] http://supergenpass.com/
The "Forgot your password?" link.
I have a bad memory.
If you're mainly looking to store web passwords, Firefox [1] does fine by itself.
Now Firefox will remember and fill in site passwords for you, but only when you provide your master password.
[1] http://www.getfirefox.com
I use PasswordMaker [1]. It's not really a management system but rather a generator based on a hash of a master password and a domain name or some other identifying value. I like it because it's deterministic and doesn't rely on a store of passwords that could be lost, corrupted, or inaccessible. I have the browser plugin for Firefox and the PHP version running on a secure server, so I can pretty much generate a password at any time and from any computer.
[1] http://passwordmaker.org/
I use 1Password for the Mac. It has two really nice features:
Combined, these make it a breeze to ensure I've different, strong, passwords for every service.
I use command-line OpenSSL, e.g.
openssl bf -a > somepass
openssl bf -d -a < somepass
No fancy features, but I'm fairly confident that it's secure and it has the bonus of being cross-platform and simple.
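The two commands above use the Blowfish cipher, and `openssl enc` without `-pbkdf2` derives the key from the passphrase with OpenSSL's legacy EVP_BytesToKey routine (a single hash pass, no work factor), so a leaked file can be brute-forced as fast as the attacker can hash. In OpenSSL 3.0 Blowfish also lives in the legacy provider, so `openssl bf` may no longer work out of the box. The following is an added example, not the poster's commands: it keeps the same idea of a small encrypted text file but uses AES-256-CBC with PBKDF2, takes the passphrase from an environment variable rather than argv, and greps the decrypted output in a pipe so no plaintext is written to disk. The iteration count, file names and sample entries are this example's own choices.

```sh
#!/bin/sh
# Added example (not the poster's commands): a small encrypted secrets file
# handled with `openssl enc`, AES-256-CBC and PBKDF2 key derivation.
# The passphrase is taken from $PASSPHRASE (-pass env:) so it is not in argv.
# ITER and the file names are this example's own choices.
ITER=600000

encrypt_secrets() {
    # $1 = plaintext file, $2 = output file; -a base64-armours it like the post's command
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt -a \
        -pass env:PASSPHRASE -in "$1" -out "$2"
}

decrypt_secrets() {
    # $1 = armoured ciphertext; plaintext goes to stdout only
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -a \
        -pass env:PASSPHRASE -in "$1"
}

lookup_secret() {
    # $1 = armoured ciphertext, $2 = pattern; decrypt straight into grep,
    # so nothing is written to disk and only matching lines are shown
    decrypt_secrets "$1" | grep -i -- "$2"
}

demo() {
    # constructed sample entries, not real credentials
    workdir=$(mktemp -d)
    printf '%s\n' 'example.com alice Tr0ub4dor&3' 'mail.example.org bob s3cret-mail' \
        > "$workdir/pass.txt"
    PASSPHRASE='correct horse battery staple'; export PASSPHRASE
    encrypt_secrets "$workdir/pass.txt" "$workdir/pass.enc"
    echo "--- ciphertext on disk:"; cat "$workdir/pass.enc"
    echo "--- lookup 'mail':";      lookup_secret "$workdir/pass.enc" mail
    rm -rf "$workdir"
}

# run as `sh secrets.sh demo` to see the round trip
if [ "${1:-}" = demo ]; then demo; fi
```

The `-pbkdf2 -iter` pair is what turns a passphrase guess from microseconds into a deliberately slow derivation; the rest of the script is the same workflow as the original two commands, just with the plaintext kept in the pipeline instead of a file.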
passwords.txt
A USB stick, TrueCrypt and an Excel spreadsheet ... simple and safe.
EDIT: For machines without Excel, I use OpenOffice & PortableApps [1].
[1] http://www.portableapps.com
I'd love to proudly say "I use OpenID everywhere" but it's not really up to me, is it? What I don't do is log in with Facebook, Twitter, Gmail, etc. I treat OpenID as my separate identity management. Those are apps that don't need to be involved with my identity.
For web apps I like to use a password generator. Here's one [1] that creates a SHA-1 hash based on your master password and the domain name. There's even a link [2] to access it from the iPhone. His older version uses MD5. The great thing is it's all JavaScript.
As mentioned by another poster, SuperGenPass [3] is a similar "password generator" tool. I believe SGP creates an MD5 hash, which would not be preferable to SHA-1.
What this has done for me is greatly reduce the unique passwords I need to know, e.g.
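PasswordMaker (above) and the SHA-1/SuperGenPass-style bookmarklets in this answer are the same idea: the password for a site is a hash of a master secret and the domain, so nothing has to be stored. The block below is an added example of that design, not PasswordMaker's or SuperGenPass's code; its choices (PBKDF2-HMAC-SHA256, stripping "www.", a per-site counter for rotation, a 70-character alphabet, re-deriving until a complexity policy is met) are this example's own. It also shows the attacker's side, which is the real argument in the MD5-versus-SHA-1 discussion: once one site's password has leaked and the generator is public, every guess at the master costs exactly one derivation, so the derivation, not the hash's collision resistance, is what has to be slow.

```python
"""Added example (not PasswordMaker's or SuperGenPass's code): a deterministic
per-site password generator of the kind the two posts describe, written the
way one would build it today. Design choices here (PBKDF2-HMAC-SHA256, the
'www.' stripping, the counter, the character set) are this example's own."""
import hashlib
import string

SYMBOLS = "!@#$%^&*"
CHARSET = string.ascii_letters + string.digits + SYMBOLS  # 70 symbols
ITERATIONS = 200_000  # slow on purpose: one leaked output must not give away the master cheaply


def site_key(hostname: str) -> str:
    """Canonical form of the site name that goes into the derivation.
    Without this, 'www.Example.com' and 'example.com' would yield different
    passwords and a redirect would lock the user out."""
    host = hostname.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def encode(raw: bytes, length: int) -> str:
    """Map derived bytes onto CHARSET by repeated division of one big integer;
    with 32 random bytes and only 70**16 outputs the modulo bias is negligible."""
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(CHARSET))
        out.append(CHARSET[idx])
    return "".join(out)


def meets_policy(pw: str) -> bool:
    """The usual site rule: lower, upper, digit and symbol all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def derive_password(master: str, hostname: str, length: int = 16,
                    counter: int = 0, iterations: int = ITERATIONS) -> str:
    """Deterministic password for (master, site). `counter` exists because a
    pure hash scheme cannot rotate one site's password without changing the
    master; bumping the counter for that site is the way out. `attempt` is
    re-derived until the policy holds, so the result stays deterministic."""
    site = site_key(hostname)
    for attempt in range(64):
        salt = f"{site}|{counter}|{attempt}".encode("utf-8")
        raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
        pw = encode(raw, length)
        if meets_policy(pw):
            return pw
    raise RuntimeError("no policy-compliant output; raise `length` or relax the policy")


def brute_force_master(candidates, hostname: str, leaked_password: str, **kw):
    """The attacker's side: one site's password has leaked and the generator
    is public, so each guess at the master costs one derivation. This is why
    the derivation must be slow, and why a bare MD5 or SHA-1 is the weak choice."""
    for guess in candidates:
        if derive_password(guess, hostname, **kw) == leaked_password:
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed, not a real secret
    for host in ("example.com", "www.Example.com", "example.org"):
        print(f"{host:20} {derive_password(master, host)}")
    print("rotated:", derive_password(master, "example.com", counter=1))
```

The two properties worth checking by hand are that `www.Example.com` and `example.com` give the same password, and that a wrong master never reproduces a leaked one; the first is what makes the scheme usable, the second is what the iteration count is buying.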
I use a system whereby I make a pattern with the last letter of the domain name I'm entering my password into. This allows all my passwords to be unique and essentially the same thing repeated. For example, on superuser.com I would start from the letter "r" and then go 3 letters left, two down, etc.
The amazing power of The Mind.
Don't crucify me for this, but I keep all my passwords in a file stored in a remote Linux computer.
Pros:
I ssh to the remote machine. All I have to do is enter my password, and cat pass | grep site (e.g. for gmail, cat pass | grep gmail).
Cons:
KWallet on KDE.
Windows - scattered between various build-in password managers in Firefox, Thunderbird and other apps.
I wrote my own web app to store my passwords.
To protect myself, I...
It works really well for me.
I remember them. To avoid using the same one everywhere, I mix certain parts of the name of the place where I use the password with a small and secure password that I remember very well. For example:
I want to remember the password for Super User. Suppose that my "mini-password" is "Irock123". I could take the first and last letters of the name of the site and put them before the password, resulting in the password "srIrock123" for Super User. Personally, I use a much more secure password (this was just an example), but I think this is a good way to remember passwords. A password is supposed to be something that will tell the computer that it's indeed me who wants access somewhere. Storing them in the computer, even if they're encrypted, kind of defeats the purpose.
Of course, this is an opinion. Maybe password managers are excellent tools and very secure. But I think that nothing's more secure than my head.
I use Revelation on Fedora. For Linux it works very well - integrated with the bottom bar so you can search for a password without starting up the application.
http://oss.codepoet.no/revelation/wiki/Home
I try to remember them. As backup I use a piece of paper for the passwords and a safe for that piece of paper.
Memory. For bill paying accounts, I leave myself little clues in my tracking spreadsheet. I never allow passwords for anything financial to be stored or memorized by anything -- including third party tools.
Use an algorithm based on the website you are trying to access. You will only have to remember the algorithm.
Simple example
// algorithm:
sitename.length + last3digits + birth day + sitename.firstChar.upperCase
yahoo.com => 5hoo15Y
hotmail.com => 7ailH
Of course I recommend something more complex. I think this is simple and pretty complex to break, as the hacker will need several passwords (a lot of them) to find the algorithm. This approach cannot be hacked by dictionary attacks. You can apply it to a multitude of websites, and it is pretty simple to remember.
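Both Daren's (who)(1+)(2)(3-)8xy!R2(what) formula earlier in the thread and the sitename.length + last3 + birth day + first letter algorithm just above are deterministic functions of a memorised rule and the site name, so they can be written down as code and checked against the posters' own examples (dJBQ8xy!R2f for IBRC, 5hoo15Y for yahoo.com). The block below is an added example, not code from either poster; wrapping Z to A, keeping the case of the (3-) letter, and reading the site name as the label before the first dot are assumptions the posts do not spell out. It also includes the check a reviewer would run against any such scheme: with three of one person's passwords in hand (two breached sites plus one more), the memorised fixed part stands out as the longest substring they share, and what remains is a short function of a name the attacker already knows.

```python
"""Added example (not from any poster): two memorised-formula schemes from
this thread, implemented literally, plus the check an attacker would run
against them. Case handling and alphabet wrap-around are assumptions the
posts do not spell out."""
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def shift_letter(ch: str, delta: int) -> str:
    """Move a letter `delta` places along the alphabet, keeping its case.
    Wrapping Z->A and A->Z is an assumption; the post does not say."""
    alphabet = UPPER if ch.isupper() else LOWER
    return alphabet[(alphabet.index(ch) + delta) % 26]


def formula_password(who: str, name: str, what: str, fixed: str = "8xy!R2") -> str:
    """(who)(1+)(2)(3-)(fixed)(what), as described in the thread.

    who   one letter for the role ('d' for the person, 'r' for root, 'u' for user)
    name  the site/company/machine name the letters are taken from
    what  one letter for the category ('m' money, 'f' forum, 'b' mailbox)
    """
    if len(name) < 3 or not name[:3].isalpha():
        raise ValueError("the formula needs three leading letters in the name")
    first = shift_letter(name[0], +1).upper()  # (1+): always capital
    second = name[1]                            # (2): taken as-is
    third = shift_letter(name[2], -1)           # (3-): case not specified; kept
    return f"{who}{first}{second}{third}{fixed}{what}"


def length_algorithm(hostname: str, birth_day: int) -> str:
    """sitename.length + last three letters + birth day + first letter upper-cased.
    The site name is read as the label before the first dot ('yahoo' from
    'yahoo.com'); that reading matches the post's own example and is an assumption."""
    name = hostname.split(".")[0]
    return f"{len(name)}{name[-3:]}{birth_day}{name[0].upper()}"


def shared_fixed_part(passwords) -> str:
    """Longest substring common to every password in the list: what someone
    holding several of one person's passwords (two breached sites and a
    shoulder-surf, say) can read off as the memorised fixed part."""
    first = passwords[0]
    for size in range(len(first), 0, -1):
        for i in range(len(first) - size + 1):
            sub = first[i:i + size]
            if all(sub in pw for pw in passwords[1:]):
                return sub
    return ""


if __name__ == "__main__":
    leaked = [
        formula_password("d", "IBRC", "f"),       # dJBQ8xy!R2f, the post's own example
        formula_password("d", "SUPERUSER", "f"),  # constructed
        formula_password("r", "GITHUB", "m"),     # constructed
    ]
    print(leaked)
    print("fixed part visible to the attacker:", shared_fixed_part(leaked))
    print(length_algorithm("yahoo.com", 15))      # 5hoo15Y, the post's own example
```

Run it and the three formula passwords differ in only four positions; everything else is the shared "8xy!R2", which is exactly the part a password-strength meter is crediting.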
Lifehacker just put this http://lifehacker.com/5346325/remains-of-the-day-hide-your-passwords-on-a-floppy-disk-edition up today and I immediately thought of this post and laughed. I had to add this after reading the post-it comment, lol!
I use a GPG encrypted text file with Vim. It encrypt/decrypts on the fly.
I just write them in OneNote [1]. It wasn't really made for this but I find it very convenient.
[1] http://en.wikipedia.org/wiki/Microsoft_OneNote
In the past I used a text file in an encrypted folder. Now I use SplashID, which I can access from my desktop or my WM phone. I'm surprised that no one else already posted this, or maybe I missed it. Secure Password Manager - SplashID for iPhone, Palm, BlackBerry, Windows Mobile, Android, Symbian, Windows and Mac OS [1]
[1] http://splashdata.com/splashid/index.asp
I used Strip [1] on my PalmOS PDA for several years, but nowadays I use KeePass. It seems Strip is available for the iPhone as well.
[1] http://www.zetetic.net/products/strip
Post-it notes. Under my keyboard.
You mention it in your question, but I did not see it as answer here, so here it is:
clipperz [1]
Features:
My passwords are: something + base + something. I memorize the base. The something I put in a list for each site. For example: base: "aabc" something for gmail: "gg"
So the password for the gmail account is "ggaabcgg"
I use myVidoop [1] for all my Internet passwords. It supports OpenID and integrates nicely with Firefox.
It has an innovative image-based login that adds some security - something that you want when storing all of your passwords. You can read more here [2].
[1] https://myvidoop.com/
I use sxipper [1] (and here [2]). It integrates perfectly into Firefox and provides OpenID support. The owner, Dick Hardt, has a long standing in identity management, see here [3]. Watch the video [4] too, it's kind of fun.
[1] http://www.sxip.com/sxipper
I bought a copy of Jungle Disk [1] which I installed on all my machines. I run KeePass on Windows machines and the Linux clients on Ubuntu. Since Jungle Disk is cross-platform too, all the databases are kept in sync.
[1] http://www.jungledisk.com
This is not very tech savvy, but for most places on the Internet I have several tiers of passwords that I have already memorized and use a different tier depending on how important that service is for me.
Anything that involves money is tier 1 password, for example.
For work there are a lot of constraints on passwords, so I let pwgen in Linux make one for me, write it on a post-it, and put it in my wallet on the same note with all the previous passwords. It's safe enough.
I just use atwood for everything.
I like Passpack [1] because it keeps my stuff in the cloud, but gives me the option of having a desktop client which synchronizes with the same cloud-based repository.
[1] http://www.passpack.com
KeePass! With the auto-lock feature enabled.
I use Evernote http://www.evernote.com/ as my external brain. The great thing is that it syncs to web, iPhone and other computers as well.
For passwords, I always make sure to encrypt the data, and tag the item as a password. This saves me from yet another program (Password manager).
Of course, you should resort to OpenID if the site supports it (like the StackOverflow family).
I use eWallet [1] on my desktop and iPhone, with the sync feature to keep them both up-to-date.
[1] http://www.iliumsoft.com/site/ew/ewallet.php
For website passwords, I use the Firefox internal one.
For Mac, I use 1Password.
For Windows, I use KeePass.
I use GenPass [1] (I haven't switched to the newer SuperGenPass). I like the simplicity of it - especially that you don't need to install any software, just a bookmarklet. It even works on my iPhone.
[1] http://supergenpass.com/genpass/
I use Password Corral [1]. It works extremely well, and is portable. Unfortunately it's not cross-platform, but at the moment, that's not a huge requirement for me.
[1] http://www.cygnusproductions.com/freeware/pc.asp
I use PasswordMaker [1]. It basically lets you create a password that's a hash of your master password, a username, and parts of the URL. There's a Firefox plugin, a mobile version, and a few others too.
[1] http://passwordmaker.sf.net
I have a system, with different passwords for different levels of needed security. I also modify the passwords according to a system for different places, so even if one place is cracked they can't use it to access other places (they need to crack at least two sites of similar security level to figure out the system). I change the passwords and systems periodically.
I use a system that combines a random string with something involving the name of the site. That way, I just remember the system and still get a unique password per site.
For example (I don't actually use this), one system could be take "abcd", the number of letters in the site name, and the 5th, 3rd, and 1st letter of the site. So a password for superuser would be "abcd9rps"
I use Roboform and synchronize it to Roboform Online. It is very easy and convenient.
I developed an algorithm (using a hash function) to create a visually random-looking but reproducible string of letters, symbols and numbers. I store them in the browser, but if I happen to forget, applying the algorithm to the known data allows me to reobtain the password.
I quite simply use a Google Docs spreadsheet to hold that type of reference information. I remember the passwords most of the time, but if memory fails I know that I can access my Google Docs password list anytime, anywhere: cell phone, computer, it doesn't matter. Let Google handle the security and backing up of this type of information. Why re-invent the wheel? Using Google means you'd just have to remember the one Google password.
Also in this doc I can store, IPs, secondary logins, etc. with ease..
I use Oubliette [1] - simple, free, and it encrypts the password file so you don't need to worry where you're keeping it (you can combine it with Dropbox or Jungle Disk to have it accessible from multiple computers). Although it's discontinued, it works well with all Windows versions including Windows 7. I can't exactly figure out why, but I like its interface much more than that of other popular solutions like KeePass.
[1] http://www.tranglos.com/free/oubliette.html
I use an Excel spreadsheet, containing all my accounts with usernames and passwords. The file itself is password protected - but I'm fairly sure if someone found it, they'd easily be able to crack it.
Have you checked out Passwordstate [1] from Click Studios? Has plenty of features, can be used at home or at work, and starts at $0 for 10 user accounts.
[1] http://www.clickstudios.com.au
If you are concerned about security, the easiest way is to write them down on physical paper and store it in a safe location. Security software can fail, software can be hacked, but with a physical medium (aka paper) you will prevent your passwords from getting stolen, at least on the internet.
Before you start laughing about my lo-tech solution, consider this:
An average person has a lot of identities on many different web sites, and the average person either chooses very poor passwords, which are a high risk from a security point of view, or uses the same password for many sites, which is worse even when the password is very secure, since if one of the websites gets compromised, every site also gets compromised.
So a very good solution, although not exactly the most convenient, is to always choose a very complicated (best if randomly generated), secure password for every site, and a different one for every site too. Then how can you remember all of these???
Well, I can't, so they all have to be stored on some medium. But if you choose some software to do it, you are returning to the same problem: relying on only one password for all the sites, which is very insecure. If it is a stand-alone application it's at least a little bit more secure, but it is not portable. If it is a web service you are exposing all of your passwords!!!
So the only good solution I can think of is to... store all these passwords on a piece of paper that nobody knows about, and store it in a safe location that also nobody knows.
Now the problem moves somewhere else... What if somebody physically follows you to physically steal your passwords??? But I guess this is far more improbable than somebody getting your passwords by simply running a key logger.
This was my personal secret for 5 years, but WTF.
A secure and a memorable password is supposed to be simple for you to remember, and hard for others to guess.
Everywhere you have to use your password to log in or register at a site. Whether it's the dozens of web sites that require you to log in to use them, or your ATM card PIN, how do you decide on a new password? More importantly, how do you remember it?
Don’t use the same password for every site.
The problem with using the same password for everything you do is that if it's compromised and someone finds it, the rest of your identity is at risk. For example, if your email account has a security breach or you have been tricked into losing your password, thieves will potentially compromise not only your email account but also your online bank account, PayPal account or maybe your Facebook account, because you are using the same password for all of them.
Use 1 Rule Set for all your Passwords
You do not need to remember all your passwords if you have one rule set for generating them. One trick to get unique and easy-to-remember passwords is to choose a base password and then apply a rule that includes the name of the service in it. For example, let's say your base password is "PARY." Then your password for Gmail would be "PARYGAMIL", and your password for PayPal would be "PARYPYPL".
You can use many other great combinations along the same lines (say, your initials and a favorite number) plus the first three letters of the service. So my password for Yahoo would be SK14YAHO. Including special characters would be better.
Choosing your Rule Set (Base Password)
You can use anything in it, maybe your favourite song. Take Beyonce's "All the Single Ladies", so my rule set can be ATSL, and you can add the service's name, your favourite number, maybe a special character too. So it can be like ATSL56YAHO&.
Before you decide on your password rule set, keep in mind that every service has different password requirements in terms of length and characters allowed. You should go for an 8-letter password which has both upper- and lower-case letters and numbers, or maybe a special character from "!@#$%^&*()".
You can generate hundreds of unique passwords. ENJOY and share.
I keep my passwords all in my head. I have about 10 different passwords; I use certain passwords for small, unimportant accounts and certain passwords for other accounts.
I use Any Password [1]. I expect the other programs do this also, but I like that I can keep my personal and professional passwords in separate files and I can synchronize the files between my home and work computers. Free for personal use version, and Pro version for $24.95.
[1] http://www.anypassword.com/?ap
I use KeePass [1], and OpenID.
Before that I stored passwords in a GPG [2] encrypted file.
I like Password Depot [1] (Windows only, commercial), mainly because:
I know it's bad, but I only have a couple of passwords. A short numerical one for random sites that require logins, a much longer numerical one for more important sites that I use often, and a really long one with letters (capital, lowercase), digits, and symbols for things like banking.
"OI Safe" on Android Dev Phone 1.
Works for me.
I have a large number of different passwords on different sites. There are some I re-use regularly on sites that I consider low-risk; unfortunately, sometimes I leet them differently at various times. Important sites, such as banking, email have unique passwords. I also allow my browser to remember my password on sites I consider safe, or for which the consequence of a password attack would be minimal.
I don't trust keeping important passwords on my computer, no matter how well encrypted, since reading an article at Microsoft that 128-bit PK encryption can be broken in a few hours by a powerful computer.
I keep my passwords in a spiral book -- that seems the only safe place to me, so long as access to the book is protected. In an office, I would keep the book in a locked file-cabinet, &/or off-site. When I am travelling away from home, book goes with me, in a separate piece of luggage from my laptop.
I am convinced that the best security is physical security.
I use three different methods:
I use TiddlyFolio. It's an html file with Javascript inlined for handling micro-content, with encryption to obscure the text. I had to spend some time figuring out how to use the encryption part, because the instructions that come with it are pretty lame and also I wanted to be sure that it actually works.
I like it for the following reasons:
Sorry to repeat, but as I don't have enough karma to upvote or add a comment, I wish to say that KeePass is my way of keeping track of passwords.
I just use the same password everywhere ;-)