26

I am just a mere mortal that wants to have a somewhat secure way of managing all my passwords.

This is something that I have been putting off, but since LinkedIn decided to give away one of my passwords, I figured it was about time I addressed this issue.

I say somewhat secure, because - clearly - the most secure way would be for me to remember every single unique 200 character password I created for every site.

I know there are various sites that allow you to create hashes per url that you mix with a particular word you select, so I think that is what I am leaning towards.

I could also write it down, but then if I don't carry my passwords with me I am in big trouble and I am clumsy like that.

What is a good practical way to manage passwords for different sites (short of writing them down)? Any Chrome plugin hash generator I should be looking into? Online service?

rburhum
  • You can store your password archives on DropBox or an equivalent service. Besides, your archive should be backed up along with your data. You *do* have backups, right? ;) – Polynomial Sep 02 '12 at 15:13
  • What is the threat? Someone will steal your PC, hack it? – Lukasz Madon Sep 02 '12 at 21:02
  • 1
    @lukas the threat was somebody going to an online service and getting the password which I was (hint *was*) repeating on another site in order to remember it. – rburhum Jul 22 '13 at 22:22

7 Answers

19

What I do is the following:

  • I write the passwords down.

Many people will cringe and scream and curse me and say that this is wrong and should never be done, but this is too simplistic an assertion. Details matter. Here are the details:

  • I keep the passwords in a text file.
  • When I get out of my home and must access my passwords, I bring with me a netbook. That computer has a few specific characteristics:

    1. It runs Ubuntu (a Linux distribution).
    2. No swap space is configured. What is "in RAM" is really "in physical RAM" and never makes it to permanent storage.
    3. The /tmp directory is a tmpfs, i.e. the files in that directory are only in RAM (and that's physical RAM, see above).
    4. I always shut the machine down; I never put it in "sleep mode".

    Under these conditions, I have a reasonable guarantee that if I write a file in /tmp, read it, then shut down the computer, then the file contents will not be accessible to any evildoer who would steal the machine.

  • My file full of passwords is symmetrically encrypted with GnuPG, with a big, fat, strong passphrase (that passphrase, I keep in my brain).

  • When I must use a password, I decrypt the file in the /tmp directory and I erase it immediately after; and when I no longer need to use the computer, I shut it down, as is my custom.

Under these conditions, my passwords are reasonably safe. This is not perfect: if my computer is hacked into silently and the attacker can observe everything I do for a long time, he will get my passwords -- but he would get them anyway under these conditions, if only by plugging some evil code in the Web browser itself (regardless of how you manage your passwords, the Web browser code gets them at some point, since it must send them to the servers who ask for them). I claim that my method is much safer than the common alternative, which is reusing passwords on several sites. Do not reuse passwords!

(In practice, I very rarely have to access my file of passwords, because I remember the passwords I often type -- and those I do not often type, well, I type them rarely, by definition.)

Tom Leek
  • 4
    smart approach, but cumbersome for daily use, especially when you have to log in on a couple of websites. – elsadek Sep 30 '14 at 05:54
  • 1
    In fact, it is no hardship for daily use, because I remember the passwords that I use daily. The file is for the passwords that I don't remember because I don't use them often, and, by definition, this does not happen often. – Tom Leek Sep 30 '14 at 23:02
  • 6
    And what does this buy you over something like KeePass (also completely local if you want it to be) that is actually designed for the purpose and easy to use? – Ben Dec 05 '15 at 04:12
  • The main things it buys me is that most of my passwords really fit in my brain and are thus usable even on machines where KeePass is not installed. I do not trust many machines and I certainly won't enter my password on a shared machine anywhere, but there are a couple of machines that I trust and yet do not manage directly. – Tom Leek Dec 07 '15 at 14:41
  • hmm I did cringe very very hard when I saw the first line, but I warmed up in the process. every password I have is stored in my brain (even the 32 character randomly generated ones) best form of security! – TheHidden Feb 12 '16 at 09:25
  • 1
    -1 This is a pretty secure method, but I would definitely _not_ recommend it to "mere mortals" simply because of how difficult it is to set up and use. The correct answer to the OP's question of how a layman should manage passwords is "use a password manager", not "create an elaborate setup using a specially configured laptop running Ubuntu and GnuPG". – Ajedi32 Dec 05 '16 at 16:51
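Tom Leek's setup above rests on two verifiable conditions: no swap area, and /tmp mounted as tmpfs. The script below is an added example, not his own script: it parses /proc/swaps and /proc/mounts to confirm both conditions before it lets gpg write the plaintext into /tmp, then overwrites and removes the file afterwards. It assumes GnuPG is installed, that the archive was produced with `gpg --symmetric` (the passphrase goes into gpg's own prompt), and the archive name `~/passwords.txt.gpg` and the `SAMPLE_*` strings are constructed for this example.

```python
"""Preflight checks for the decrypt-into-RAM workflow in Tom Leek's answer.

Added example, not his script. A /tmp that is silently disk-backed, or a
swapped-out page, would keep the plaintext past shutdown, so the checks run
before gpg is allowed to write anything.
"""
import os
import subprocess
from pathlib import Path
from typing import Optional

# Constructed samples in the kernel's own format, used by the stand-alone demo below.
SAMPLE_SWAPS_NONE = "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
SAMPLE_SWAPS_ACTIVE = SAMPLE_SWAPS_NONE + "/dev/sda2    partition\t8388604\t0\t-2\n"
SAMPLE_MOUNTS = (
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0\n"
)


def swap_is_disabled(proc_swaps_text: str) -> bool:
    """/proc/swaps is one header line followed by one line per active swap area."""
    rows = [line for line in proc_swaps_text.splitlines() if line.strip()]
    return len(rows) <= 1


def mount_fstype(proc_mounts_text: str, mountpoint: str) -> Optional[str]:
    """Filesystem type of `mountpoint` from /proc/mounts lines (device mountpoint fstype options dump pass)."""
    fstype = None
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == mountpoint:
            fstype = fields[2]  # last entry wins: a later mount shadows an earlier one
    return fstype


def tmp_is_ram_only(proc_swaps_text: str, proc_mounts_text: str, tmpdir: str = "/tmp") -> bool:
    """Both conditions from the answer must hold for a file in tmpdir to never reach disk."""
    return swap_is_disabled(proc_swaps_text) and mount_fstype(proc_mounts_text, tmpdir) == "tmpfs"


def host_tmp_is_ram_only(tmpdir: str = "/tmp") -> bool:
    """The same check against the running Linux host."""
    return tmp_is_ram_only(Path("/proc/swaps").read_text(), Path("/proc/mounts").read_text(), tmpdir)


def decrypt_to_ram(archive: Path, tmpdir: str = "/tmp") -> Path:
    """Let gpg decrypt the archive into tmpdir, refusing if tmpdir may be disk-backed."""
    if not host_tmp_is_ram_only(tmpdir):
        raise RuntimeError(f"{tmpdir}: swap is active or it is not tmpfs; refusing to write plaintext")
    out = Path(tmpdir) / "passwords.txt"
    old_umask = os.umask(0o077)  # gpg creates the file; keep it readable by the owner only
    try:
        subprocess.run(["gpg", "--quiet", "--yes", "--decrypt", "--output", str(out), str(archive)],
                       check=True)
    finally:
        os.umask(old_umask)
    return out


def wipe(path: Path) -> None:
    """Overwrite, then unlink. Sufficient on tmpfs (RAM only); not a secure erase on a real disk."""
    with open(path, "r+b") as fh:
        fh.write(b"\0" * path.stat().st_size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


if __name__ == "__main__":
    print("sample, no swap + tmpfs:", tmp_is_ram_only(SAMPLE_SWAPS_NONE, SAMPLE_MOUNTS))    # True
    print("sample, swap active    :", tmp_is_ram_only(SAMPLE_SWAPS_ACTIVE, SAMPLE_MOUNTS))  # False
    plaintext = decrypt_to_ram(Path.home() / "passwords.txt.gpg")
    try:
        print(plaintext.read_text())
    finally:
        wipe(plaintext)
```

The check covers exactly what the answer lists; it says nothing about hibernation images or a browser's own caches, which is why the answer's fourth rule (always shut down, never sleep) still has to be followed by hand.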
14

Use a password manager like KeePass.

Have it auto-generate a different password for every account you own. This ensures that your passwords are far more complex and far more different than a human brain could possibly handle. It also has the advantage that you don't even know your passwords yourself, protecting you from many social engineering attacks.

But what if you have multiple devices? Any sane password manager will require a master password for your whole password database and strongly encrypt it with a key derived from it. That means your password file is safe to publish as long as your master password is strong enough. That means you could even use the cloud servers owned by someone else (like dropbox.com) to synchronize your password file between your devices.

Lastpass combines password management with online synchronization, but due to some security issues they had in the past I am a bit reluctant to recommend them (even though none of them was very likely to have leaked cleartext passwords of users).

Philipp
  • 1
    I don't use Lastpass either, but to be fair to them, they are a VERY tempting target as one of the most popular password managers; and AFAIK they've fixed all security issues found in their product extremely quickly after finding out about them. That said, there are PLENTY of options out there of very high quality. – Ben Feb 12 '16 at 16:40

4

If you're looking for an offline solution then you could use Steve Gibson's Off The Grid. It's a paper-based encryption which allows you to hash a domain name into a password. This gives you a lot of security as it doesn't require trusting any third party source. I know you mentioned you may forget it, but it's easy to store in a wallet.

The basics of it is you take a 26x26 table of characters. This table follows rules similar to Sudoku (only one of each character in each row and column). This starts it off with a lot of entropy (1400 bits minimum). The basics of how to use it are fairly easy (I won't bother re-typing it all out again). The biggest risk for it is if someone physically steals your grid. Even then there are a few steps you can take to slow them down (should be easily long enough to realize someone has stolen it). These methods include:

  1. Choosing a different starting location
  2. Salting (You can do this by pre-pending/appending something when performing the encryption)
  3. When performing the encryption (read the appropriate page), instead of choosing the next two characters, choose perhaps the next three characters, one across one up, two down one left, etc.

Dracs
  • 1
    Not a bad idea, but what happens if you have to change the password of *one* site? – George Nov 14 '12 at 09:56
  • @Georgios, interesting I hadn't considered how to change one password if it became compromised. I don't believe it has an inbuilt system for handling that. You could try switching up your encryption method (do the domain name backwards) or something. But it's probably not the best solution. – Dracs Nov 14 '12 at 10:45
  • 2
    This is a cool idea, but definitely _not_ something I would recommend to "a mere mortal", simply because of how cumbersome it is. So far the only truly _practical_ answer I've seen to the OP's question is "use a password manager". – Ajedi32 Oct 27 '16 at 14:52
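The exchange above (George's question, Dracs's reply) is the generic weakness of every hash-per-domain scheme, including the "hash the URL with a word you pick" services the question mentions: the output is deterministic, so replacing one site's password means the scheme must remember a per-site counter, and it is no longer stateless. The code below is an added example, not Off The Grid and not Dracs's method, that makes this concrete with a keyed hash of the domain plus a counter; it also stretches the memorised word with scrypt, because a single leaked site password is otherwise a cheap offline guessing target for that word. The salt, the domain names and the `RotationState` class are this example's own.

```python
"""A hash-per-domain scheme of the kind the question mentions: one memorised
word, a different password per site, nothing stored. Added example, written
to show why rotating one site's password forces the scheme to keep state.
"""
import base64
import hashlib
import hmac
from typing import Dict, Tuple

# Fixed public salt (constructed). It must never change: changing it changes every derived password.
STRETCH_SALT = b"example-hash-per-domain-v1"


def stretch(secret_word: str) -> bytes:
    """Memory-hard KDF on the memorised word, so that guessing the word from one leaked
    site password costs tens of milliseconds of memory-bound work per guess instead of
    one SHA-256 call. A mitigation, not a cure: a weak word stays weak."""
    return hashlib.scrypt(secret_word.encode("utf-8"), salt=STRETCH_SALT,
                          n=2 ** 14, r=8, p=1, dklen=32)


def site_password(master_key: bytes, domain: str, counter: int = 0, length: int = 20) -> str:
    """Deterministic per-site password: HMAC-SHA256(master_key, domain || counter), made printable.
    Same inputs always give the same output; that is the point of the scheme, and also why
    changing one site's password needs a new counter."""
    message = f"{domain.strip().lower()}\x00{counter}".encode("utf-8")
    digest = hmac.new(master_key, message, hashlib.sha256).digest()
    return base64.b85encode(digest).decode("ascii")[:length]


class RotationState:
    """The state a 'stateless' scheme ends up needing: which counter each site is on.
    Lose it, and the only way back is trying counters in order against each site."""

    def __init__(self) -> None:
        self._counters: Dict[str, int] = {}

    def current(self, domain: str) -> int:
        return self._counters.get(domain.lower(), 0)

    def rotate(self, domain: str) -> int:
        self._counters[domain.lower()] = self.current(domain) + 1
        return self._counters[domain.lower()]

    def snapshot(self) -> Dict[str, int]:
        return dict(self._counters)


def rotate_one_site(master_key: bytes, state: RotationState, domain: str) -> Tuple[str, str]:
    """Replace one site's password after a breach; every other site is untouched."""
    before = site_password(master_key, domain, state.current(domain))
    state.rotate(domain)
    after = site_password(master_key, domain, state.current(domain))
    return before, after


if __name__ == "__main__":
    key = stretch("correct horse")  # the one thing the user remembers (constructed)
    state = RotationState()
    for d in ("mail.example", "shop.example"):
        print(d, site_password(key, d, state.current(d)))
    old, new = rotate_one_site(key, state, "shop.example")
    print("shop.example rotated:", old, "->", new)
    print("state that now has to be kept somewhere:", state.snapshot())
```

Two further limits are visible in the code: the output alphabet is fixed, so a site that forbids some punctuation needs yet another per-site exception, and compromise of the memorised word exposes every site at once, exactly as a master password does for an encrypted list, without the list's advantage of being able to hold arbitrary, independently chosen passwords.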
4

I like to use VeriSign's Personal Identity Portal. It works automatically with a lot of major websites and you can add your own custom sites as well. It also has some support for OpenID. The best feature is the 1-Click Sign In which gives you a JavaScript snippet that will automatically log you in to the current page.

Scott Pack
jackvsworld
4

I think the best way to manage a large number of passwords is by storing an encrypted list behind a password you have committed to memory.

@Tom Leek seems to be doing this the hard way, the easy way would be to use one of the programs mentioned by @Matt. The easy way may be somewhat less secure, but I expect the easy way is secure enough for most users. Depending on which program you choose, you may be able to use the same list file on different platforms, including mobile devices.

How you manage passwords is really a separate question from how you generate passwords, but if you're willing to rely on a list you can have a unique random password for each site. There would be no need to follow a non-random password generation scheme, no need to reuse any password ever, and no problem changing any password at any time. (But, for generating passwords, I recommend against using any password generated by any website. If you want it done programmatically, run something local.)

If the encryption of the list itself is secure, and the password to decrypt the list is secure, there's no need to worry about unauthorized access to the encrypted list (e.g. by storing it on Dropbox, losing your phone, or having your computer stolen). The drawback is that if the password to your list is compromised, every password on the list is also compromised, along with any other information stored in the file. This is really bad if it happens, but, considering that the list password never needs to be stored anywhere and never needs to be used outside of a local app, and that other options have a hard time handling the tens to hundreds of accounts many people have, using an encrypted list is at least worth considering.

ShadSterling
2

I use a password manager, which replicates my data through Dropbox, and which integrates with most browsers and apps I use. Apart from a few long master passwords, such as the one for my email account, computer, and the password manager, I simply don't know my passwords. They are all very long random "garbage", unique for each site, and if they would ever get lost, for whatever reason, I would use the recovery function of the site to set a new one.

Once upon a time, I used different schemes to come up with "clever" password patterns that I could easily deduce each time from the URL or some other site-specific key information, but it ended up being simply too much to remember. When I needed the same password in different contexts (such as when multiple related sites share a single user db), or I needed to replace it, the pattern became riddled with exceptions. I found it simply not worth the effort to be clever.

Bob Ortiz
axl
0

This is what I do:

Remember only one long master pass phrase.

Generate randomly generated passwords for all sites you register to.

And encrypt them all with that master pass phrase on whatever software you want that supports encryption. Ensure it's software with strong encryption, like OneNote with AES-256 in CBC mode (http://www.cjmorgan.org/tech-blog/2015/1/8/default-encryption-settings-and-behaviors-for-onenote-2013-office-365).

Copy/paste the randomly generated password into the site/app you need to login when needed.

This way:

  • One service being compromised doesn't expose your other services (Yahoo, Adobe and Snapchat have all been compromised in the past)
  • Zero correlation between passwords between services, as we tend to memorize one "template" password, and do multiple variations of it for the sites.

In 2016, we need to keep passwords for more than 30, 40+ sites. The exposure is too high, there's almost a 100% chance that one of the sites you ever registered to was compromised, and someone else has your password somewhere in the world (https://haveibeenpwned.com/).

The only person that should know about your master phrase is the person managing your will.

Wadih M.
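Both ShadSterling's answer ("run something local") and Wadih M.'s answer (one memorised master pass phrase, a random password per site, no correlation between them) describe the same generation step without showing it. The script below is an added example, not code from either answer: it draws each site password from the OS CSPRNG, sizes it for a chosen entropy target, builds a diceware-style master pass phrase, and checks the finished list for the one mistake both answers warn about, a password shared between two sites. `TOY_WORDS` and the `.example` domains are constructed for this example; a real word list has thousands of entries.

```python
"""Local, offline password generation for an encrypted list. Added example,
not the answers' own code."""
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, Iterable, List

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII symbols

# Constructed stand-in for a real word list (the EFF long list, for instance, has 7776 words).
TOY_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "harbor"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` independent uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """secrets.choice draws from the OS CSPRNG; random.choice is not suitable here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def master_passphrase(words: List[str], count: int = 6, sep: str = " ") -> str:
    """Diceware-style pass phrase: entropy is count * log2(len(words)) whatever the words are,
    which is why a short toy list like TOY_WORDS gives only 3 bits per word."""
    return sep.join(secrets.choice(words) for _ in range(count))


def find_reused(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Passwords shared by more than one site, mapped to the sites that share them."""
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, password in entries.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def build_list(sites: Iterable[str], target_bits: float = 128) -> Dict[str, str]:
    """One fresh random password per site, long enough for target_bits."""
    length = length_for_bits(target_bits, len(SYMBOLS))
    entries = {site: random_password(length) for site in sites}
    if find_reused(entries):  # practically impossible with a working CSPRNG, and cheap to check
        raise RuntimeError("duplicate password generated; do not trust this environment's RNG")
    return entries


if __name__ == "__main__":
    entries = build_list(["mail.example", "bank.example", "shop.example"])
    for site, pw in entries.items():
        print(f"{site:14s} {pw}")
    print("site password bits   :", round(entropy_bits(20, len(SYMBOLS)), 1))  # 131.1
    print("master pass phrase   :", master_passphrase(TOY_WORDS), "(toy list)")
    print("6 words x 7776 words :", round(entropy_bits(6, 7776), 1), "bits")  # 77.5
```

The reuse check is the piece worth keeping even if the rest is replaced by a password manager: run it over whatever list you already have, and it answers the question the whole thread keeps returning to, namely whether any site's breach would hand out another site's password.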