Super UserWhat is your favorite password storage tool?
[+32] [39] Marcel Levy
[2008-08-14 17:18:45]
[ security passwords project-management ]

Aside from personal passwords, I'm always juggling a number of project-specific passwords, including those for network, web and database authentication. Some authentication can be managed with ssh keys and the like, but everywhere I've worked I also faced the need for the management of passwords that need to be available to a number of different people.

So what do you use, either for personal or team-based password management? Personally I'd like to hear about cross-platform tools, but I'm sure other people would be satisfied with Windows-only solutions. I know the stackoverflow podcast tackled this issue in #7 [1] and #9, [2] but I'm hoping we can come up with the definitive answer here.

Update: Even though this question was asked before its sibling site existed, you should probably add your two cents to the more active question over at superuser, [3] which is a more appropriate venue for this.

(2) This has already been asked on Super User -… - ChrisF
[+57] [2008-08-14 17:20:06] Thomas Owens [ACCEPTED]

KeePass [1]. There are both desktop and flash drive applications. There are both Windows, Linux, and OSX versions, but I believe the flash drive app is Windows only. I could be wrong on that, though.


I use the portable version from and love it, you can download it at - Swish
I use this with free backup / sync service Syncplicity (see ) and my password sync'ing woes are over. - Dan Esparza
(2) I love KeePass. It has a nice UI and quite a few options. It uses secure controls for password entry that use (I think) protected memory, making it rather difficult to pull passwords from the control. - Matt Olenik
(2) I keep my Keepass file in my Dropbox folder so my encrypted password file is available on all my machines and accessible via the web if needed. Very handy. - Cory House
[+23] [2008-08-26 13:16:55] Michael Pryor

Password Storage Tools


The brain isn't as secure a place as you might think. It's hard for somebody to examine the binary data, but I've forgotten passwords before. Think of it as excessively random access memory. - David Thornley
[+20] [2008-08-14 17:24:45] Marius

Password Safe [1] works for me. Recommended Written by Bruce Schneier [2]

Edit: Also recommended by Joel Spolsky [3]


I use this myself, however it's no good in a team environment (only one person can have access to a file at a time) - Dean
(2) Recommended by Bruce Schneier?!? - it was written by him. - Hamish Downer
Windows only unfortunately. There is an outdated Java version. - ssn
[+15] [2008-08-14 17:20:21] Nick Berardi

Does my brain count?

Apparently...Jeff agrees with you. - gbarry
Am I the only one that uses segments of keyboard patterns? for example: ZXASzxasmju76yhnNHY^&UJM - Sneakyness
No, because I don't have access to your brain to store my passwords. - Kyralessa
you can have much better, and more varied, passwords if you dispense with the requirement of being able to memorise them. - Steve Bennett
[+12] [2008-08-14 19:22:18] James A. Rosen

1Password, but it's OSX-only.

It works on the Mac, iPod and iPhone, and you can synch between them, so if you are a Mac fan, this is a very neat solution. - Sergio Acosta
(2) It's available on Windows now! - philfreo
[+7] [2008-08-14 18:52:06] Joseph Sturtevant

I've used the online service Clipperz [1]. The advantage of Clipperz is that it is open source so you can download the code (PHP + MySQL) and host it yourself [2].


Clipperz is really top-notch in terms of fundamentals and I think superior to both Passpack and Lastpass. Its sad that Giulio and Marco could not find any funding to put behind the project. - bouvard
I just tried Clipperz. I added like 50 passwords. I logged out and they were gone. Apparently, it doesn't handle several sessions on the same user too easily. - User1
[+7] [2008-08-14 19:16:25] Wilka

I use PasswordMaker [1], I heard of it from one of the StackOverflow podcasts a while back and I've been using it ever since. It means I only need to keep one password in my head, and it will generate all my other passwords using a hash of the one in my head with the domain of the site I'm logging on to.


[+6] [2008-08-26 12:53:19] yoavf

I'm using roboforom [1] and loving it. It's possible to use this for team password storing by syncing the password directory.


[+6] [2008-08-26 13:29:11] mgrouchy

Honestly, I just memorize all my passwords. But what I suggest for people less apt to memorize more than one password or people who are less tech savvy is to remember one single password that is strong(at least 8 characters, mixture of letters,numbers,symbols,caps), and then every time they go to a new site/application, choose a password, write it down, then use their memorized password concatenated with the new password. That way even though they have their passwords written down in plain text, maybe even on a post it stuck to their monitor, it is still useless to someone else looking at it.

[+6] [2008-09-17 23:23:07] geo

index card in my wallet. Also endorsed by Bruce Schneier.

(1) I had to look this one up, because I was going to call BS. But holy crap, he's right: - Dan Esparza
[+6] [2009-06-03 18:07:32] Leigh Riffel

LastPass [1] is free and along the same lines as Passpack. Here are some points from their site:

  • Create strong passwords, knowing you only have to remember one.
  • Log into your favorite sites with a single click
  • Fill forms in a second; stop pulling out your wallet to get your credit card number
  • Access and manage your data from multiple computers seamlessly
  • Securely share logins and notes with friends and let others share with you

I use LastPass at work for personal passwords, Keepass for group passwords, and Roboform at home. - Leigh Riffel
[+5] [2008-08-26 13:07:10] dbr

OS X's default Keychain ("Keychain Access", and it's what most applications use to store their password)

(1) I think it's pathetic that the OS X keychain doesn't get synced to the iPhone. That essentially encourages you to use less secure passwords just so that you can remember the damn things on the move. - f100
[+5] [2008-08-26 13:27:04] saniul

Passpack [1], they're really secure (they use Host-Proof hosting, and they actually released a MIT/LGL library [2] that implements it. Here are some of the security features:

  • US Government Approved, AES-256 encryption
  • Host-Proof Hosting over HTTPS
  • Two step login
  • Non-Permanent Account Info - All login information can be changed, always.
  • Strong Pass-phrases
  • Anti-phishing Welcome Message
  • Disposable Logins

They also offer two offline versions of the app, one built with AIR [3], the other one with Gears [4]


[+5] [2008-10-29 07:23:38] orenkl1

Brain cells.

[+4] [2008-08-14 17:21:43] mabwi

I'm a big fan of Keepass. As far as I know, it's Windows only. It runs on the desktop, so it's not as widely accessible as a Web-based one. OTOH, that means it's less vulnerable.

It also has a built in secure password generator, with rules for length and valid characters, which makes life super easy when you need a new one.

there's a Mac OS X edition, too - warren
[+4] [2008-08-26 13:33:03] wizard

I recently started using SuperGenPass [1] it's a javascript hasher bookmarklet that takes your "master password" and hashes a site password. SuperGenPass has a leg up over the other few in it's class because it has a wonderful interface where you can easily double click the field you want to put the password, and a nice little box in the corner that tells you what's going on.

It's not password storage but it works for me, and for more then webforms.


[+3] [2008-08-14 17:29:08] Christopher Mahan

Commit the damn things to memory. The way you do that is to purposely not ask your software to autofill the password for you. If you have to type the password 5 times per day, you're going to remember it.

That's good for primary passwords.

For all the other passwords, put them online (yahoo notes, google notebook, that sort of thing)

For team passwords: a text file in a restricted directory. make the text file parseable. I personally use this format:

# Format: password number, colon, username, colon, password, colon, date password must be changed by

This allows the writing of utilities that can parse the file yet make the password list human-editable and legible.

Remember that once a password is stored somewhere beside your brain, it is only a matter of time before unauthorized people gain access to it.

Update: In view of the breach of Sarah Palin's Yahoo Mail account. I think the Yahoo Notes idea is bad.

(1) and what about passwords that contain a colon? =) - Sergio Acosta
well, the escape sequence \: works for those. :) - Christopher Mahan
[+3] [2008-08-14 18:53:29] Campbell

Keepass is great. Get it from link text [1] then it installs just nicely on a USB key for transportation!


[+2] [2008-08-14 17:25:37] Alan Le

I use Passpack [1], an online password vault. A big concern with a central place that store all your passwords is security. They handle that with AES encryption. All of your passwords are stored encrypted and decrypted on the fly with a packing key that only know.


"All of your passwords are stored encrypted and decrypted on the fly with a packing key that only know." Are you missing the word "you" or "they"? - Dean
[+2] [2008-08-26 13:01:44] Baltimark

Password safe [1]

I have an instance on my home machine and my work machine. I basically just flash-drive to keep them "synched", and just expend the minimum amount of mental energy to ensure that I don't get them out of sync. I'd like something more automated, but how often are you really adding new passwords/usernames?

PW Safe is a Bruce Schneier project.


I'm using Live Mesh to keep my PasswordSafe database in sync. Works great. - Otto
[+2] [2008-09-18 20:16:31] fiveprime

KeePass. I have it at work, at home, on a USB drive, and it even works on my Blackberry.

[+2] [2008-09-18 21:47:18] MikeScott8

I use "Password Keeper" that came on my BlackBerry. I just have to remember that one password, and can backup the database to my PC. I always have my phone with me, so if travelling my passwords are with me for use on a public PC that has USB locked (or has no accessible USB ports)

[+2] [2008-10-28 22:57:59] rodey

Keepass is far and away the best I've used.

The greatest thing about it is how many platforms it's available for. Windows, Linux, mobile devices (Blackberry, etc.). What is even more amazing is combining it with Dropbox [1]. You keep your database in your public folder and then the Blackberry app can access the URL of your Keepass dictionary. Your passwords are wherever you go :)


[+2] [2009-02-14 09:24:22] user8337

I used Password Safe from Bruce Schneier, but I rewrote it in Java so I could use it under Linux and OSX as well. I called it "Password Tracker" it is completely compatible with the original Password Safe and you can find it in Sourceforge [1]. 8


[+1] [2008-08-14 17:25:17] palehorse

I've used CryptoCard Explorer [1] which has a Windows and a Windows Mobile client so I can sync the encrypted cards with my phone.


[+1] [2008-08-14 17:37:22] jeffwinkworth

I use Steganos Locknote [1] to store all my logins, passwords, and associated email/security question data. Locknote is essentially Notepad with a password attached. Of course, you have to remember the password to your password file.

Overall, I go out of my way to remember the passwords for sites I use all the time, and don't worry about obscure ones (thats what the text file)


[+1] [2008-09-18 20:10:51] Carl Seleborg

Xecrets [1], from the developer of AxCrypt. I can't live without that website now. There's two reasons I use this web-based service:

  • I trust the developer (I know him, and I've seen the source code)
  • I'm going to type those passwords into an input box on another website. Thus, Xecrets is no less secure than the websites receiving my passwords.

[+1] [2008-10-28 22:07:07] Fred

Foxmarks which is great for synching your bookmarks in Firefox now does passwords as well. It defaults to off so don't panic if you already use Foxmarks and don't want it touching your passwords.

They do include a wiki [1] entry on how to host your own server.

Here's one of their posts about security of this feature:

We know how sensitive passwords are, so we built this feature with security in mind from the very beginning. In order to synchronize your passwords, Foxmarks will ask you choose a secret PIN that is different from your password. This PIN will be used to encrypt your passwords before synchronization so that your passwords are secured even before they leave your computer. Only you and your computer will have knowledge of this PIN, so nobody but you will be able to decrypt and access your passwords - not even Foxmarks!

If you want to host your own server, there are three settings you should be concerned with in about:config

  • foxmarks.url-bookmarks (string)
  • foxmarks.url-passwords (string, needs to be a different file)
  • foxmarks.useOwnServer (boolean, set to True)

[+1] [2008-10-29 06:53:00] Steve Buikhuizen

I use Roboform and sync the encrypted files amoungst my machines using Goodsync. This works great although I don't have an Macs - yet!

[+1] [2008-10-29 06:59:00] blizpasta

I use KeePass. You can also use it to encrypt file by adding it as attachment to an entry, but this will increase your database size and make it less portable. Nonetheless, it's a nifty feature to have.

[+1] [2009-10-20 17:12:14] meme

I have tried most of them and KeePass is my favorite. I store my password database on a JungleDisk encrypted volume and I can share it between all of my computers including my Mac and PC ones.

There is also a developer working on a iPhone version [1], hopefully coming soon.


[+1] [2009-10-30 22:34:51] Dave

We use PasswordSafe . Open Source & easy to use.

[0] [2008-11-19 16:50:23] slav0nic

Revelation [1] - password manager for Linux


[0] [2009-02-14 12:43:14] neoice

Pastor on OSX. I'd to create some sort of public-private key (GPG?) Django app for storing / sharing passwords though.

[0] [2009-07-23 22:07:33] PTBNL

For 6 or 7 years I've been using STRIP [1] (Secure Tool for Recalling Important Passwords) for the Palm. (Yeah, I know, the Palm's not cool anymore, but it does what I need.) I see there's an iPhone version [2] now.


[0] [2009-09-20 06:19:09] Peter Loron

1Password for the Mac (sync passwords across Macs with DropBox) and iPhone, KeePass for everywhere else.

why not use keepass on the Mac, too? - warren
Honestly, I haven't looked at KeePass in a couple of years, so it may be much better now. However, 1Password is elegant and "just works"...I highly value software that does what I need it to and gets out of the way. - Peter Loron
[0] [2009-10-30 22:29:43] unknown (google)

Passwordstate [1] - plenty of features, and great for IT departments who need to shared passwords.


[0] [2010-04-27 18:33:01] Marnix A. van Ammers

Vim has an option to encrypt a file and vim is available for most platforms:

vim -x secretfile

If you're in vim editing a file and you decide you want to file to be encrypted, you can type ":X" (upper case X) from command mode and you will be prompted for a password. Very convenient and simple if you are already a vi user.

[0] [2010-07-24 04:35:04] boot13

Password Corral: No autofill, which I prefer. I don't want passwords to be entered automatically, I just need an encrypted place to store them because there's no way I can remember them all. Passwords are stored in a plaintext file.