The Straight Dope

  #1  
Old 06-24-2013, 09:29 AM
Jackknifed Juggernaut Jackknifed Juggernaut is online now
Guest
 
Join Date: Oct 2000
Best way to manage passwords?

I have to manage roughly 100 personal and professional passwords. These include many banks, investment accounts, e-mail accounts, websites, etc. At the moment, they are written on several pieces of paper in my office. Years of laziness have gotten me to this point.

So what's best practice these days? My personal solution is to store them as an archived e-mail. This way, I just have to remember one e-mail password. But I suspect that most wouldn't consider that the safest option.

Please keep in mind that I use several devices (iPhone, PC and Mac) to access the internet.
  #2  
Old 06-24-2013, 10:07 AM
AngelSoft AngelSoft is offline
Guest
 
Join Date: Jan 2009
I use a free app on my tablet called Keeper. You have to manually enter in all the account info and passwords but it works great. And I also like that it has a built-in random, secure password generator. There's a free and paid version. I think the paid version keeps a backup of all your stuff on their secure server.
  #3  
Old 06-24-2013, 10:09 AM
Phnord Prephect Phnord Prephect is offline
Guest
 
Join Date: Jan 2003
Come up with a password 'Base Word', and modify it to the situation.
For example, OrangeSDMB, OrangeGoogle, OrangeFBook, OrangeBank, OrangeWork, OrangeWhatever.

Your Base Word + Site Reminder + whatever random variable your site requires, such as three numbers and a dog breed name, or whatever.

Depending on the security level required, use different base words.

Works for me, but I have a security level of approximately zero.
__________________
They're evil undead zombie pirates! They're not going to be freshly bathed and wearing tuxes!
  #4  
Old 06-24-2013, 10:15 AM
boozilu boozilu is offline
Guest
 
Join Date: Mar 2009
I use an old-fashioned address book and write the passwords in there. Until I lose it, it will work great!
  #5  
Old 06-24-2013, 10:16 AM
AngelSoft AngelSoft is offline
Guest
 
Join Date: Jan 2009
Oh and I missed your part about using multiple devices. Keeper syncs your info across all your devices.
  #6  
Old 06-24-2013, 10:17 AM
Duckster Duckster is offline
Charter Member
 
Join Date: Aug 2001
Posts: 12,782
KeePass Password Safe.
  #7  
Old 06-24-2013, 10:38 AM
RickG RickG is offline
Charter Member
 
Join Date: Apr 1999
Location: Boulder CO USA
Posts: 536
I use 1Password. I keep the database on Dropbox, so I can access it from any device. It integrates with all the major browsers, generates secure passwords, and keeps secure notes and product license keys in addition to the basic password management. It's not free, but I like it so I'm happy to have paid the developers for their work.

I've also heard good things about LastPass.
  #8  
Old 06-24-2013, 10:54 AM
Clothahump Clothahump is offline
Charter Member
 
Join Date: May 2000
Location: Houston, TX
Posts: 11,301
One of the best schemes I have ever seen works like this.

You create a personal identifier: your initials, first X letters of your first name, whatever. Decide to make at least one of those characters uppercase.

You select a special character: !,@,# whatever

You select an identifier for the site you are logging into: first word of site name, common name, first X letters, whatever. Decide to make at least one of those characters uppercase.

You then pick a 4 digit number that is meaningful to you: last 4 digits of your work number, first 4 digits of your DL number, whatever.

For example: suppose I pick first 5 letters of my first name (1st character UC), special character @, common name of site *or* first five letters (second character UC) and my work phone ends in 1219. My password for the Dope would then be:

Cloth@sDmb1219

Plugging this into https://howsecureismypassword.net/ gives this result:

Quote:
It would take a desktop PC about 2 billion years to crack your password
If I banked at Chase Bank, my password would be Cloth@cHase1219.
If I had an investment account at Fidelity, my password would be Cloth@fIdel1219. Etc.

It took me about a week to get used to this structure and I love it.
  #9  
Old 06-24-2013, 11:25 AM
Jackknifed Juggernaut Jackknifed Juggernaut is online now
Guest
 
Join Date: Oct 2000
Quote:
Originally Posted by Clothahump View Post
....It took me about a week to get used to this structure and I love it.
The problem with this is that many of the websites I use force me to change my password periodically.
  #10  
Old 06-24-2013, 11:46 AM
UncleRojelio UncleRojelio is online now
Member
 
Join Date: Nov 2004
Location: ATX
Posts: 5,317
+1 for 1Password.
  #11  
Old 06-24-2013, 11:52 AM
JustinC JustinC is offline
Guest
 
Join Date: Jun 2007
Quote:
Originally Posted by Clothahump View Post
One of the best schemes I have ever seen works like this.

You create a personal identifier: your initials, first X letters of your first name, whatever. Decide to make at least one of those characters uppercase.

You select a special character: !,@,# whatever

You select an identifier for the site you are logging into: first word of site name, common name, first X letters, whatever. Decide to make at least one of those characters uppercase.

You then pick a 4 digit number that is meaningful to you: last 4 digits of your work number, first 4 digits of your DL number, whatever.

For example: suppose I pick first 5 letters of my first name (1st character UC), special character @, common name of site *or* first five letters (second character UC) and my work phone ends in 1219. My password for the Dope would then be:

Cloth@sDmb1219

Plugging this into https://howsecureismypassword.net/ gives this result:

I

If I banked at Chase Bank, my password would be Cloth@cHase1219.
If I had an investment account at Fidelity, my password would be Cloth@fIdel1219. Etc.

It took me about a week to get used to this structure and I love it.
And your Microsoft password would be Cloth@mIcro1219.
Your Gmail password would be Cloth@gMail1219
etc.

So if someone sees your password on one website they can work out all of them on all other websites?

Last edited by JustinC; 06-24-2013 at 11:53 AM.. Reason: Quotation marks not forwarded, resulting in amusing quote
Reply With Quote
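The concern raised in the post above can be turned into a self-audit of your own password list. This is an added example, not part of any poster's message: it replaces the site-derived part of each password with a placeholder and reports every group of sites whose passwords share one template. The names `skeleton`, `find_template_reuse`, `MIN_TOKEN` and `VAULT` are hypothetical, and the vault holds the passwords quoted in the thread plus one constructed random entry.

```python
from collections import defaultdict

MIN_TOKEN = 3  # assumption: shorter overlaps with the site name are coincidence

# Constructed sample: the thread's example passwords plus one random one.
VAULT = {
    "SDMB": "Cloth@sDmb1219",
    "Chase": "Cloth@cHase1219",
    "Fidelity": "Cloth@fIdel1219",
    "Gmail": "q7#Vx2!mZr9&Lp",
}

def skeleton(password: str, site: str) -> str:
    """Replace the longest run shared with the site name by <SITE>."""
    p, s = password.lower(), site.lower()
    best_len, best_start = 0, 0
    # Longest common substring, case-insensitive, one table row at a time.
    prev = [0] * (len(s) + 1)
    for i in range(1, len(p) + 1):
        cur = [0] * (len(s) + 1)
        for j in range(1, len(s) + 1):
            if p[i - 1] == s[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_start = cur[j], i - cur[j]
        prev = cur
    if best_len < MIN_TOKEN:
        return password  # nothing site-derived found
    end = best_start + best_len
    return password[:best_start] + "<SITE>" + password[end:]

def find_template_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each shared template to the sites whose passwords follow it."""
    groups = defaultdict(list)
    for site, password in vault.items():
        sk = skeleton(password, site)
        if sk != password:  # only passwords that embed the site name
            groups[sk].append(site)
    return {sk: sorted(sites) for sk, sites in groups.items() if len(sites) > 1}

if __name__ == "__main__":
    for template, sites in find_template_reuse(VAULT).items():
        print(f"{template}: shared by {', '.join(sites)}")
```

Any template reported here means one exposed password reveals the others in that group; entries generated independently per site do not appear.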
  #12  
Old 06-24-2013, 11:53 AM
leahcim leahcim is online now
Member
 
Join Date: Dec 2010
Location: New York
Posts: 1,877
Quote:
Originally Posted by Duckster View Post
I also recommend this (with Dropbox synchronizing the safe between computers). I was introduced to it on SDMB and have been using it ever since. The password to my password vault is very long, and all of my "real" passwords are just random strings of the maximum length allowed by the site.
  #13  
Old 06-24-2013, 12:08 PM
Grumman Grumman is offline
Guest
 
Join Date: Jul 2006
Quote:
Originally Posted by JustinC View Post
And your Microsoft password would be Cloth@mIcro1219.
Your Gmail password would be Cloth@gMail1219
etc.

So if someone sees your password on one website they can work out all of them on all other websites?
This is why I would suggest using two or three tiers of passwords, depending on how secure you need it to be. Banks and email accounts used to activate other accounts might have individual alphanumeric passwords, but it doesn't really matter if someone finds my SDMB password and uses that to figure out my StarDestroyer.net password.
  #14  
Old 06-24-2013, 01:58 PM
Furious_Marmot Furious_Marmot is offline
Guest
 
Join Date: Jan 2007
I just write the darn things on a pad of paper that sits on a shelf near the computer. A burglar isn't even going to notice it and a hacker can't see it. If the house catches fire, you've got bigger things to worry about.
  #15  
Old 06-24-2013, 03:03 PM
Hershele Ostropoler Hershele Ostropoler is offline
Guest
 
Join Date: Jun 2010
Another satisfied KeePass user, in my case on a thumb drive. My password for KeePass itself has no connection with any of my other passwords. I do have a couple of tiers, as well.
  #16  
Old 06-24-2013, 05:48 PM
HookerChemical HookerChemical is offline
Guest
 
Join Date: Jun 2002
I use a tiered system. SDMB and other "low security" sites can get one of my basic passwords that I share across several sites. Even my low level password contains a mixture of letters, numbers, and special characters and is not a dictionary word. High security sites get the full security password, and none are the same. It's similar to Clothahump's system where you take a common root you can remember, then add a prefix or suffix based on the website you're using it for.

The wrench is when sites have password rules like they don't allow a specific special character, require a capital letter in a certain position, or don't allow more than 2 consecutive numerals. These break the system and make it hard to remember without a password manager.

Which brings me to LastPass, my password manager. I really like it, and it works across my browsers (Chrome, Firefox, and IE) and Android phone. If I can't remember a site's password, I can look it up or have it automatically entered by LastPass.
  #17  
Old 06-24-2013, 06:06 PM
ZenBeam ZenBeam is offline
Charter Member
 
Join Date: Oct 1999
Location: I'm right here!
Posts: 8,450
Does anyone know how KeePassx (a cross-platform port of KeePass) compares to KeePass? Are they compatible?
  #18  
Old 06-24-2013, 07:42 PM
stargazer stargazer is offline
Guest
 
Join Date: Oct 2000
I love LastPass, too. I've been using the free version for a couple of years now and it's great.
  #19  
Old 06-25-2013, 06:59 AM
Learjeff Learjeff is offline
Guest
 
Join Date: Jul 2012
I use Password Corral, and it's great. Free. The large internet equipment vendor I work for is bonkers about security, and our IT security group recommends it.
  #20  
Old 06-25-2013, 07:45 AM
ASanders ASanders is offline
Member
 
Join Date: Aug 2011
Posts: 212
I use both PasswordSafe and LastPass. They're both great. I haven't gotten to the point of letting them generate passwords for me, though; I live in fear of not being able to access one or the other on some device and being shut out of a vital site.
  #21  
Old 06-25-2013, 10:47 AM
Pixel_Dent Pixel_Dent is online now
Guest
 
Join Date: May 2011
Quote:
Originally Posted by RickG View Post
I use 1Password. I keep the database on Dropbox, so I can access it from any device. It integrates with all the major browsers, generates secure passwords, and keeps secure notes and product license keys in addition to the basic password management. It's not free, but I like it so I'm happy to have paid the developers for their work.
Another vote for 1Password.
  #22  
Old 06-25-2013, 12:45 PM
Deeg Deeg is offline
Member
 
Join Date: Jun 2008
Posts: 2,072
Another vote for KeePass+Dropbox. Once it is set up (admittedly a bit of a pain) it is so much easier than any other system.

Quote:
Originally Posted by ZenBeam View Post
Does anyone know how KeePassx (a cross-platform port of KeePass) compares to KeePass? Are they compatible?
According to their FAQ it only supports KeePass v1 DBs and doesn't have support for plug-ins. I currently use KP on Linux (via Mono), Windows, and Android and don't have any problems. It doesn't work as well on OS/X, however.
  #23  
Old 06-25-2013, 07:12 PM
TreacherousCretin TreacherousCretin is offline
Horrified Onlooker
 
Join Date: Oct 2008
Location: Moscow, Idaho
Posts: 3,551
Keepass for me too.
  #24  
Old 06-25-2013, 08:12 PM
E. Thorp E. Thorp is offline
Member
 
Join Date: Apr 2003
Location: Seattle
Posts: 2,476
The sites I visit most often are few enough that I generally remember all my passwords. For the rest, I click on "Forgot password" and get the site to reset it for me. So I guess you could say I store my passwords in gmail.
  #25  
Old 06-26-2013, 01:08 AM
Tacit Knowledge Tacit Knowledge is offline
Guest
 
Join Date: Jun 2013
I'm shocked to be the first:

Send them to me. I'll keep them safe for you. I have a special system.
  #26  
Old 06-26-2013, 01:40 AM
The Librarian The Librarian is offline
Guest
 
Join Date: May 2002
Keepass synced via Dropbox
All times are GMT -5. The time now is 08:36 AM.