Aside from personal passwords, I'm always juggling a number of project-specific passwords, including those for network, web and database authentication. Some authentication can be managed with ssh keys and the like, but everywhere I've worked I also faced the need for the management of passwords that need to be available to a number of different people.
So what do you use, either for personal or team-based password management? Personally I'd like to hear about cross-platform tools, but I'm sure other people would be satisfied with Windows-only solutions. I know the stackoverflow podcast tackled this issue in #7 [1] and #9 [2], but I'm hoping we can come up with the definitive answer here.
Update: Even though this question was asked before its sibling site existed, you should probably add your two cents to the more active question over at superuser [3], which is a more appropriate venue for this.
KeePass [1]. There are both desktop and flash drive applications. There are Windows, Linux, and OSX versions, but I believe the flash drive app is Windows only. I could be wrong on that, though.
[1] http://keepass.info/
Password Safe [1] works for me.
Recommended. Written by Bruce Schneier [2].
Edit: Also recommended by Joel Spolsky [3]
[1] http://passwordsafe.sourceforge.net/
Does my brain count?
1Password, but it's OSX-only.
I've used the online service Clipperz [1]. The advantage of Clipperz is that it is open source so you can download the code (PHP + MySQL) and host it yourself [2].
[1] http://www.clipperz.com/
I use PasswordMaker [1]. I heard of it from one of the StackOverflow podcasts a while back and I've been using it ever since. It means I only need to keep one password in my head, and it will generate all my other passwords using a hash of the one in my head with the domain of the site I'm logging on to.
[1] http://passwordmaker.org/
I'm using RoboForm [1] and loving it. It's possible to use this for team password storing by syncing the password directory.
[1] http://www.roboform.com
Honestly, I just memorize all my passwords. But what I suggest for people less apt to memorize more than one password or people who are less tech savvy is to remember one single password that is strong (at least 8 characters, mixture of letters, numbers, symbols, caps), and then every time they go to a new site/application, choose a password, write it down, then use their memorized password concatenated with the new password. That way even though they have their passwords written down in plain text, maybe even on a post-it stuck to their monitor, it is still useless to someone else looking at it.
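The PasswordMaker answer above describes deriving every site password from one memorized secret plus the site's domain, and the answer just above it builds each site password out of a memorized part and a written-down part. The following is an added illustration of the derivation idea, not PasswordMaker's or any other tool's actual algorithm: PBKDF2 over the master secret with the domain (and a rotation counter) as salt, rejection sampling to avoid modulo bias, and a re-derive loop so the result always contains every character class those answers ask for. The alphabet, iteration count and `derive_site_password` name are assumptions of this example.

```python
import hashlib
import string

# Constructed alphabet for this example: the four classes the "one strong
# password" answer lists (letters, caps, numbers, symbols).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 70 characters
ITERATIONS = 100_000  # PBKDF2 cost: slows offline guessing of the master from one leaked site password


def meets_policy(password: str) -> bool:
    """True when the password contains at least one character of every class."""
    return (any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def _bytes_to_password(raw: bytes, length: int) -> str:
    """Map key bytes onto ALPHABET with rejection sampling (no modulo bias)."""
    # Only bytes below the largest multiple of len(ALPHABET) are used, so every
    # alphabet character is equally likely.
    limit = 256 - (256 % len(ALPHABET))  # 210 for a 70-character alphabet
    chars = [ALPHABET[b % len(ALPHABET)] for b in raw if b < limit]
    return "".join(chars[:length]) if len(chars) >= length else ""


def derive_site_password(master: str, domain: str, counter: int = 1, length: int = 16) -> str:
    """Deterministically derive a per-site password from a memorized master secret.

    Hypothetical scheme for illustration. The lower-cased domain plus a counter
    is the salt, so each site gets a different password and bumping the counter
    rotates one site without changing the master. If a derivation lacks one of
    the required character classes, a new attempt number is mixed into the salt
    and the derivation is repeated, which keeps the output deterministic.
    """
    for attempt in range(64):
        salt = f"{domain.lower()}|{counter}|{attempt}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length * 4)
        password = _bytes_to_password(raw, length)
        if len(password) == length and meets_policy(password):
            return password
    raise RuntimeError("could not derive a policy-compliant password")


if __name__ == "__main__":
    # Constructed master secret; the two domains get unrelated passwords.
    for site in ("example.com", "example.org"):
        print(site, derive_site_password("correct horse battery staple", site))
```

The caveat the scheme carries, and the reason the counter is there: without it, one site's password can only be changed by changing the master, which changes every other site's password as well.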
index card in my wallet. Also endorsed by Bruce Schneier.
LastPass [1] is free and along the same lines as Passpack. Here are some points from their site:
OS X's default Keychain ("Keychain Access", and it's what most applications use to store their passwords)
Passpack [1], they're really secure (they use Host-Proof hosting, and they actually released a MIT/LGL library [2] that implements it). Here are some of the security features:
They also offer two offline versions of the app, one built with AIR [3], the other one with Gears [4]
[1] http://passpack.com/info/home/
Brain cells.
I'm a big fan of Keepass. As far as I know, it's Windows only. It runs on the desktop, so it's not as widely accessible as a Web-based one. OTOH, that means it's less vulnerable.
It also has a built in secure password generator, with rules for length and valid characters, which makes life super easy when you need a new one.
I recently started using SuperGenPass [1]; it's a JavaScript hasher bookmarklet that takes your "master password" and hashes a site password. SuperGenPass has a leg up over the other few in its class because it has a wonderful interface where you can easily double-click the field you want to put the password in, and a nice little box in the corner that tells you what's going on.
It's not password storage but it works for me, and for more than web forms.
[1] http://www.supergenpass.com
Commit the damn things to memory. The way you do that is to purposely not ask your software to autofill the password for you. If you have to type the password 5 times per day, you're going to remember it.
That's good for primary passwords.
For all the other passwords, put them online (yahoo notes, google notebook, that sort of thing)
For team passwords: a text file in a restricted directory. Make the text file parseable. I personally use this format:
# Format: password number, colon, username, colon, password, colon, date password must be changed by
1:username:password:9/1/2008
This allows the writing of utilities that can parse the file yet make the password list human-editable and legible.
Remember that once a password is stored somewhere beside your brain, it is only a matter of time before unauthorized people gain access to it.
Update: In view of the breach of Sarah Palin's Yahoo Mail account, I think the Yahoo Notes idea is bad.
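The answer above says the colon-separated file is meant to be parsed by utilities while staying human-editable. Here is an added example of such a utility (it is not the answerer's code): it parses that format, tolerates colons inside the password field, flags entries whose change-by date has passed or is near, and checks that the file mode matches the "restricted directory" intent. The sample file, the `TODAY` value and all function names are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample in the answer's format: number:username:password:M/D/YYYY.
SAMPLE = """\
# Format: password number, colon, username, colon, password, colon, date password must be changed by
1:username:password:9/1/2008
2:dbadmin:s3cr3t:with:colons:12/31/2008
3:deploy:hunter2:3/15/2009
"""

# Constructed "current date" so the demo is reproducible offline.
TODAY = date(2008, 9, 15)


@dataclass(frozen=True)
class Entry:
    number: int
    username: str
    password: str
    rotate_by: date


def parse_password_file(text: str) -> list:
    """Parse the colon-separated format; '#' lines and blank lines are skipped.

    The format has no escaping, so a password containing ':' is ambiguous. The
    number and username cannot contain colons and the date is always last, so
    split twice from the left and once from the right to recover the password.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            number, username, rest = line.split(":", 2)
            password, rotate_by = rest.rsplit(":", 1)
            entries.append(Entry(int(number), username, password,
                                 datetime.strptime(rotate_by, "%m/%d/%Y").date()))
        except ValueError as exc:
            # Fail loudly on a malformed line rather than silently dropping a credential.
            raise ValueError(f"line {lineno}: malformed entry ({exc})") from None
    return entries


def overdue(entries: list, today: date) -> list:
    """Entries whose change-by date has already passed."""
    return [e for e in entries if e.rotate_by < today]


def due_within(entries: list, today: date, days: int) -> list:
    """Entries due for rotation between today and today + days (inclusive)."""
    horizon = today + timedelta(days=days)
    return [e for e in entries if today <= e.rotate_by <= horizon]


def mode_is_restricted(mode: int) -> bool:
    """True when a POSIX mode grants no group/other permission bits (e.g. 0o600)."""
    return mode & 0o077 == 0


def rotation_report(text: str = SAMPLE, today: date = TODAY, warn_days: int = 120) -> dict:
    """Numbers of overdue and soon-due entries; passwords are never included."""
    entries = parse_password_file(text)
    return {
        "overdue": [e.number for e in overdue(entries, today)],
        "due_soon": [e.number for e in due_within(entries, today, warn_days)],
    }


if __name__ == "__main__":
    print(rotation_report())
```

Reporting only entry numbers and usernames keeps passwords out of cron mail and logs, which is where a "parse the file and nag people" utility tends to leak them.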
Keepass is great. Get it from PortableApps [1], then it installs just nicely on a USB key for transportation!
[1] http://portableapps.com/
I use Passpack [1], an online password vault. A big concern with a central place that stores all your passwords is security. They handle that with AES encryption. All of your passwords are stored encrypted and decrypted on the fly with a packing key that only you know.
[1] https://www.passpack.com/info/home/
Password Safe [1]
I have an instance on my home machine and my work machine. I basically just flash-drive to keep them "synched", and just expend the minimum amount of mental energy to ensure that I don't get them out of sync. I'd like something more automated, but how often are you really adding new passwords/usernames?
PW Safe is a Bruce Schneier project.
[1] http://passwordsafe.sourceforge.net/
KeePass. I have it at work, at home, on a USB drive, and it even works on my Blackberry.
I use "Password Keeper" that came on my BlackBerry. I just have to remember that one password, and can back up the database to my PC. I always have my phone with me, so if travelling, my passwords are with me for use on a public PC that has USB locked (or has no accessible USB ports).
Keepass is far and away the best I've used.
The greatest thing about it is how many platforms it's available for. Windows, Linux, mobile devices (Blackberry, etc.). What is even more amazing is combining it with Dropbox [1]. You keep your database in your public folder and then the Blackberry app can access the URL of your Keepass dictionary. Your passwords are wherever you go :)
[1] http://www.getdropbox.com
I used Password Safe from Bruce Schneier, but I rewrote it in Java so I could use it under Linux and OSX as well. I called it "Password Tracker"; it is completely compatible with the original Password Safe and you can find it on Sourceforge [1].
[1] http://sourceforge.net/project/showfiles.php?group_id=15532
I've used CryptoCard Explorer [1] which has a Windows and a Windows Mobile client so I can sync the encrypted cards with my phone.
[1] http://www.pmmax.com.ar/
I use Steganos Locknote [1] to store all my logins, passwords, and associated email/security question data. Locknote is essentially Notepad with a password attached. Of course, you have to remember the password to your password file.
Overall, I go out of my way to remember the passwords for sites I use all the time, and don't worry about obscure ones (that's what the text file)
[1] https://www.steganos.com/us/products/home-office/locknote/overview/
Xecrets [1], from the developer of AxCrypt. I can't live without that website now. There are two reasons I use this web-based service:
Foxmarks which is great for synching your bookmarks in Firefox now does passwords as well. It defaults to off so don't panic if you already use Foxmarks and don't want it touching your passwords.
They do include a wiki [1] entry on how to host your own server.
Here's one of their posts about security of this feature:
We know how sensitive passwords are, so we built this feature with security in mind from the very beginning. In order to synchronize your passwords, Foxmarks will ask you to choose a secret PIN that is different from your password. This PIN will be used to encrypt your passwords before synchronization so that your passwords are secured even before they leave your computer. Only you and your computer will have knowledge of this PIN, so nobody but you will be able to decrypt and access your passwords - not even Foxmarks!
If you want to host your own server, there are three settings you should be concerned with in about:config
I use Roboform and sync the encrypted files amongst my machines using Goodsync. This works great although I don't have any Macs - yet!
I use KeePass. You can also use it to encrypt a file by adding it as an attachment to an entry, but this will increase your database size and make it less portable. Nonetheless, it's a nifty feature to have.
I have tried most of them and KeePass is my favorite. I store my password database on a JungleDisk encrypted volume and I can share it between all of my computers including my Mac and PC ones.
There is also a developer working on an iPhone version [1], hopefully coming soon.
[1] http://ikeepass.de/
We use PasswordSafe http://pwsafe.org/. Open Source & easy to use.
Pastor on OSX. I'd like to create some sort of public-private key (GPG?) Django app for storing / sharing passwords though.
For 6 or 7 years I've been using STRIP [1] (Secure Tool for Recalling Important Passwords) for the Palm. (Yeah, I know, the Palm's not cool anymore, but it does what I need.) I see there's an iPhone version [2] now.
[1] http://www.zetetic.net/products/strip/palm
1Password for the Mac (sync passwords across Macs with DropBox) and iPhone, KeePass for everywhere else.
Passwordstate [1] - plenty of features, and great for IT departments who need to share passwords.
[1] http://www.clickstudios.com.au
Vim has an option to encrypt a file and vim is available for most platforms:
vim -x secretfile
If you're in vim editing a file and you decide you want the file to be encrypted, you can type ":X" (upper case X) from command mode and you will be prompted for a password. Very convenient and simple if you are already a vi user.
Password Corral: http://www.cygnusproductions.com/freeware/pc.asp. No autofill, which I prefer. I don't want passwords to be entered automatically, I just need an encrypted place to store them because there's no way I can remember them all. Passwords are stored in a plaintext file.