share
Super UserHow do I securely store and manage 180 passwords?
[+146] [8] Samir
[2012-06-05 10:47:09]
[ passwords password-management password-protection ]
[ https://superuser.com/questions/432844/how-do-i-securely-store-and-manage-180-passwords ]

I have about 180 passwords for different websites and web services. They are all stored in one single password protected Excel document. As the list gets longer I am more and more concerned about its security.

Just how secure, or should I say insecure, is a password protected Excel document? What's the best practice for storing this many passwords in a secure and easy manageable way?

I find the Excel method to be easy enough, but I am concerned about the security aspect.

Commercial product like CyberArk meets your need. - Ivan Chau
[+207] [2012-06-05 10:51:47] Der Hochstapler [ACCEPTED]

My favorite password storage tool is KeePass [1]:

enter image description here

What is KeePass?

Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website's FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page [2].


Is there any limit as to how many passwords you can store in it?

Only in theory. You can put as many entries into the database as you want, but at some point your USB key or HDD will be full.

Is there a way to automatically sync changed passwords?

No, not like you expect it.
You'll want to make that a regular, manual process. This can not and should not be automated.

I like to set up expiration dates for all my password entries: enter image description here
Then I remember to change my passwords regularly. I store the URL of the website with the password entry, so it's a quick process.

Can I automatically log on to a website like Facebook using this software?

No, not automatically either (at least to my knowledge). But this is where Auto-Type comes into play. For example, for Facebook, this is my Auto-Type setup:

enter image description here

As you can see, I've created 3 configurations for different browser titles. This allows me to simply go to facebook.com, press Ctrl+Alt+A, and the username and password will be automatically entered and I will be logged in.

If you have multiple username/password combinations for the same window title, you'll get a popup window asking you which password entry should be used.

What about mobile?

There are apps that support the KeePass container format on mobile devices. But I stay away from those. I just don't like the thought of my KeePass database on my phone.

I prefer to only transfer single passwords using the QR Code Generator [3] plugin. It lets you generate a QR Code [4] from a password, which you can then scan with your phone. It helps to have an app [5] that can copy the scanned content to clipboard.

enter image description here

[1] http://keepass.info/
[2] http://keepass.info/features.html
[3] http://keepass.info/plugins.html#qrcodegen
[4] http://en.wikipedia.org/wiki/QR_code
[5] https://play.google.com/store/apps/details?id=com.google.zxing.client.android&hl=en

(3) If you put it in Dropbox you can open it anywhere (theres a portable version), even on your phone. Plus it can be imported into Lastpass. Great choice - Ivo Flipse
(2) @Oliver This seems to be just the tool I need. I will definitely give this a try. The expiration date feature is sweet! And the auto-type is simple enough. I understand that some websites may require you to confirm a password change by clicking on a link they send via email, so for that reason any auto-sync feature the way I imagined it would fail to sync and auto-update the password. It's a plus that this works on other OSes than just Windows. Danke Oli! ;) - Samir
(1) I've been using this for a few years - works great. I store it in a BoxCryptor (free) container on DropBox for additional security, that way I can share the database between my PC and laptop. I also tried it on Linux a few weeks ago (using encFS to open the BoxCryptor container) and that worked fine as well - Linux just didn't like my laptop so that part was short-lived. :\ - MetalMikester
(9) If you want added security for use in Dropbox, use a key file in conjunction with a password and manually copy it to any computer or device you want to have access to your passwords (don't store the key in Dropbox). AFAIK this only works with Android and rooted iOS devices since you need access to the file system, but without the key file the password file is all but uncrackable. - Chad Levy
(2) Note that KeePass 2 is Windows-only (at least, the free Mono interpreters on Linux ran it very poorly). There's an older clone of KeePass 1 called KeePassX which I use on Mac and Linux and it works very well. - Reid
(2) @Reid: From my experience, KeePass2 works well on Mono; it's just ugly, and that's a Mono vs .NET thing. - grawity
(1) @Oliver: The KeePass v2 branch has a database sync option. // Could you expand on "should not be automated"? - grawity
Of course the process of syncing changed passwords can be automated. See the integrated tools in OS X and Linux. And there’s no reason not to automate this process. - Konrad Rudolph
(1) "Is there a way to automatically sync changed passwords?" - LastPass does that automatically. "Can I automatically log on to a website like Facebook using this software?" - LastPass does that too. "What about mobile?" - LastPass has apps for all major mobile platforms, though they are not free (This is one of the very few things LastPass charges for - everything else is free) - BlueRaja - Danny Pflughoeft
I use this program daily and have for years. I use it in conjunction with a drop box like program that keeps things in sync. The few times I left it running by mistake and wound up with conflicting edits, I ended up with two copies of its data files.... which KeepPass is able to sync between! So I synced it up and deleted the extra file - problem solved! - Mark Allen
Well explained. I'm using Keepass on Windows, Linux and Android phone with the same file. To make it easy to sync I'm keeping keepass database file in dropbox which is password protected with a complex big password and I have separate key file locally stored without which keepass database cannot be decryped. This keeps my all passwords in sync on all my devices and yet they are safe. - TusharG
Not sure if already mentioned, but KeePass allows for browser integration through plugins: keepass.info/plugins.html I use KeeFox and KeepassDroid, for example. - Legolas
@Oliver, How do you handle backups of the passwords? - Pacerier
@Pacerier By keeping multiple synchronized copies of the database - Der Hochstapler
(1) @OliverSalzburg, Why did you not choose LastPass instead? - Pacerier
@Pacerier: Because I prefer a solution where I can control every aspect of it. Also, KeePass is 100% open source, I read the source code and I've developed plugins for it. I do not trust LastPass the same way and I don't think a solution like that should have "premium" features you need to unlock by paying money. - Der Hochstapler
@OliverSalzburg, "LastPass cannot share what we cannot access". Since the passwords are encrypted locally, Why will "not fully open source" matter? Assuming we Trust No One, it is still secure even if it's not open source right? - Pacerier
@DerHochstapler Can this application be used for multiple users in a company? with different credentials, permission etc.? - SimonS
@SimonS See keepass.info/help/base/multiuser.html for details about that. - Der Hochstapler
1
[+68] [2012-06-05 10:55:18] Mark

There appear to be several easy to use Excel password crackers around.

I would use a password management system like 1password [1] or LastPass [2] which work on several OSs including mobiles.

These have plugins for most browsers which can fill in passwords and other information to the web form. 1password can also set up a bookmark in the browser which will automatically login (All uses of the app require use of a master password first)

1password can also store notes, account (e.g. email, ftp) and templates to help store credit card, bank account and other information. Although it is commercial you can get a free demo that allows entry of up to 20 items.

One difference between the two is that 1password only stores the data locally (although you can sync the encrpted data using dropbox or similar) , Lastpass can (must? someone please correct this) store the data on its web site which allows web access to the data and no need for dropbox etc.

[1] https://agilebits.com/onepassword
[2] https://lastpass.com/

That's what I thought... so it's not very secure then is it? On a scale from 1 to 10, just how secure would you say that a password protected Excel document is? I for one have forgotten a password for a backup copy of an old Outlook PST file. And I wanted to open it. This happened only recently, like two months ago. I was still able to open it with an alternate password using a free PST password reset tool. But I'm not sure about Excel password protection. - Samir
(4) Excel passwords are very easy to crack. Google Excel password cracker and you will see many options. +1 for Lastpass. I used to use Roboform, but liked Lastpass better because it is cross platform. I use their password generator to randomize passwords. - Kendor
(1) Last pass is nice. I use it. It stores your passwords on a server but in encrypted form. It's encrypted before sending to server and decrypted on your machine. You just have to remember one password, it allows easily fill in of passwords on demand without even typing them in. - MadBoy
@Sammy - On a scale from 1 to 10 an excel spreadsheets falls at about -10 on security. Your password unless its 20-30 characters would be a trivial task to brute force. - Ramhound
(23) +1 for LastPass - It's unfortunate that the answer with all the nice formatting and pictures is for KeePass, as LastPass is vastly superior: it does everything KeePass does, but also has plugins for every major browser, OS, and mobile platform. It also stores data online so you never have to worry about losing it (and caches it locally, so you never have to worry about their servers going down), yet encrypts everything using TNO (trust no one), so LastPass can never actually see your passwords. There are very few programs I ever call absolutely perfect, but LastPass is one of them. - BlueRaja - Danny Pflughoeft
The vast majority of my passwords are for websites. I have been more than satisfied with LastPass. - ale
(3) LastPass now also supports 2-factor authentication via Android/iPhones now as well, meaning someone would first need to steal your phone to launch your Authenticator app (which generates a random code every 30 seconds) to access your passwords. - glenneroo
@Sammy: How secure? According to this link, somewhere under 2 minutes. online-tech-tips.com/ms-office-tips/… I would say a pen and paper is safer. - Phil H
@MadBoy You say that passwords are encrypted before sending to LastPasss server and decrypted on the local machine when you need it. But when you go abroad and don't have your computer, how is it possible to see your passwords on LastPass website if it is encrypted? Is it decrypted when you log on to LastPass website? - Samir
@Ramhound My Excel password is 6 characters only. But it uses numbers, lower- and uppercase letters. But I guess it would still be easy to crack with the proper tool. - Samir
@BlueRaja Thank you! I will test LastPass too. But for now I will give KeePass some time to evaluate it. But is LastPass really free? How is it possible? It's not open source is it?... the other suggestion called 1Password is commercial and you have to pay for it. Does anyone like this one? - Samir
@glenneroo What does 2-factor authentication mean? I have an Android device, how would I benefit from this? Where are the passwords stored? - Samir
@Sammy - that should be a new question - although I suspect a duplicate - Google should give a good answer - Mark
(1) @Sammy - I use 1Password and like it - Mark
(3) @Sammy: Yes, most of the features are free forever. The only features you need to pay for are the mobile apps and multi-factor authentication, which require a "premium account" ($12/year). The author is not trying to get rich off the program - I don't use the premium features, but still pay for a premium account to show my gratitude. I usually only donate to open-source projects, so that tells you something :) - BlueRaja - Danny Pflughoeft
(2) LastPass is convenient, but is mostly closed-source & acquired by LogMeIn. LastPass's servers have been breached (at least partially) multiple times, and their client has allowed "reading plaintext passwords for arbitrary domains from a LastPass user's vault when that user visited a malicious web site" and currently (Mar2017) "the LastPass binary... allows malicious websites to execute code of their choice. Even when the binary isn't present... lets malicious sites steal passwords from the protected LastPass vault" See en.wikipedia.org/wiki/LastPass#Security_issues for references - Xen2050
2
[+49] [2012-06-05 14:36:22] PlTaylor

I have used Lastpass [1] for a while now and recommend it highly. It has some wonderful browser plugins and a bunch of features that make it easier to have more secure passwords.

The browser plugin will automatically fill-in login information (when logged into the plugin). It also has an export function, so you can retrieve your database and import it into KeePass [2] for example. It also uses two-step authentication for extra security.

Desktop client:

desktop client

Browser plugin:

browser plugin

[1] https://www.lastpass.com
[2] http://keepass.info

(1) @PITaylor Thank you! I will definitely test LastPass. But for now I will give KeePass some more time to evaluate it. - Samir
(4) The big reason I like LastPass is because it is easy to share a set of passwords on multiple computers easily and you can always access your passes on a random computer through the web interface. - PlTaylor
(2) I use lastpass, however there are 2 downsides. 1) The server can go down (either technical issues, or the company goes out of business, etc) 2) Some companies dont allow it, as you are sending passwork info out of the company. - Keltari
(1) LastPass is convenient, but is mostly closed-source & acquired by LogMeIn. LastPass's servers have been breached (at least partially) multiple times, and their client has allowed "reading plaintext passwords for arbitrary domains from a LastPass user's vault when that user visited a malicious web site" and currently (Mar2017) "the LastPass binary... allows malicious websites to execute code of their choice. Even when the binary isn't present... lets malicious sites steal passwords from the protected LastPass vault" See en.wikipedia.org/wiki/LastPass#Security_issues for references - Xen2050
I'm going to leave this link here, because Mr. Hunt says it way better than I can. troyhunt.com/… - PlTaylor
3
[+10] [2012-06-05 12:48:46] Stepan Vihor

Password Hasher [1] plugin (for Firefox) is what I personally use.

How Password Hasher helps:

  • Automatically generates strong passwords.
  • One master key produces different passwords at many sites.
  • Quickly upgrade passwords by "bumping" the site tag.
  • Upgrade a master key without updating all sites at once.
  • Supports different length passwords.
  • Supports special requirements, such as digits and punctuation.
  • Supports restricting a hash word to not use special characters. (New!)
  • Saves all data to the browser's secure password database.
  • Generates a portable HTML page with your site tags and option settings that allows you to generate your hash words in any browser on any machine without the extension installed. (New!)
  • Can add marker buttons to unmask passwords on any web site. (New!)
  • Extremely simple to use!

enter image description here

[1] https://addons.mozilla.org/en-US/firefox/addon/password-hasher/

(6) They must be stored somewhere or else they would be forgotton - Mark
There are also ports for Chrome. - rishimaharaj
(6) By @kutschkem: No, the passwords Don't need to be stored somewhere. What the plugin probably does (at least this is how I would do it), is to hash the concatenation of the site tag and the master password, which will result in a different (and supposedly strong) password for every site (without storing anything, see?). Of course your master password would still need to be strong. The advantage is that not only will every password be different, they will be very different (at least if the hashing function is good). - Der Hochstapler
There is also a port for IE, written by a very handsome person - BlueRaja - Danny Pflughoeft
@Matthew: That is true of every password storage solution... - BlueRaja - Danny Pflughoeft
Does this work as an alternative to KeePass or in conjunction with it?... - Samir
True, the passwords are stored nowhere. But if the password hasher is not done very well and cryptographically secure, one can break the passwords to all your accounts by just finding out the password to one site. Did someone check this? - Hans-Peter Störr
4
[+9] [2012-06-05 13:59:33] user1202136

I personally use PasswordMaker [1] to generate passwords from a master password and the site's URL. The project is fairly mature, open-source and stable. It is available for Firefox (as an extension), Linux CLI, Android etc.

How it works:

Warning - technical jargon in this section! You provide PasswordMaker two pieces of information: a "master password" -- that one, single password you like -- and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized by PasswordMaker is that the resulting fingerprint (password) does "not reveal anything about the input that was used to generate it.". In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won't help!

[1] http://passwordmaker.org/

5
[+4] [2014-03-27 22:26:59] DavidDe

It is risky to trust a third-party application to store your important passwords especially those applications that are potentially able to connect online or those you authorize them to access the processes of other program; and more importantly to trust non-open source ones.

A more secure way, in my opinion, is to store your important passwords in a text file (.TXT) and then encrypt the file with AES algorithm by dsCrypt.exe [1]. You are required to enter your main password into dsCrypt only once and you will be able to encrypt/decrypt you password text file many times without asking you re-enter the main password every time as long as dsCrypt is running. You can auto-run dsCrypt with your Windows start and enter your main password once; and what you need then is just to drag and drop your password file (.txt) onto dsCrypt to de/encrypt it when you need your passwords.

[1] http://www.softpedia.com/get/Security/Encrypting/dsCrypt.shtml

Replacing dsCrypt with PGP / GPG, TrueCrypt derivatives, LUKS, etc would be just as good, still +1 - Xen2050
but there is a flaw in your answer : dsCrypt.exe IS a third party software :-) ! I prefer to trust an open source program, which I can recompile, over an exe - spiritoo
6
[0] [2018-04-26 16:46:07] simhumileco

I recommend KeePassXC [1] which is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.

This client is also recommended by Surveillance Self-Defense [2].

Main Features KeePassXC:

  • Secure storage of passwords and other private data with AES, Twofish or ChaCha20 encryption
  • Cross-platform, runs on Linux, Windows and macOS without modifications
  • File format compatibility with KeePass2, KeePassX, MacPass, KeeWeb and many others (KDBX 3.1 and 4.0)
  • SSH Agent integration
  • Auto-Type on all supported platforms for automagically filling in login forms
  • Key file and YubiKey challenge-response support for additional security
  • TOTP generation (including Steam Guard)
  • CSV import from other password managers (e.g., LastPass)
  • Command line interface
  • Stand-alone password and passphrase generator
  • Password strength meter
  • Custom icons for database entries and download of website favicons
  • Database merge functionality
  • Automatic reload when the database was changed externally
  • Browser integration with KeePassXC-Browser for Google Chrome, Chromium, Vivaldi, and Mozilla Firefox.
  • (Legacy) KeePassHTTP support for use with KeePassHTTP-Connector available for Mozilla Firefox and Google Chrome, and passafari for Safari.
[1] https://keepassxc.org
[2] https://ssd.eff.org/en/module/how-use-keepassxc

7
[-4] [2014-09-26 16:46:55] UltraDEVV

I use Notepad and .txt files. If you want my advice, I advice you not to use a third party sodtware. From where do you know they are not stealing your passwords?
So using text files would be the best.
Also if you are a programmer, I suggest you to build a simple one for yourself that uses encoding to secure data. Thats the best solution.


(2) I'll take my chances that the encrypted password manager's database is more vulnerable than the plain text file, seeing as the latter will be harvested by the next piece of malware that does as quick search of my computer for the word password. - Twisty Impersonator
(1) At least encrypt your plain text file with gpg / pgp or something, anything, and then remember that one password - Xen2050
8