Best way to manage passwords?

I have to manage roughly 100 personal and professional passwords. These include many banks, investment accounts, e-mail accounts, websites, etc. At the moment, they are written on several pieces of paper in my office. Years of laziness have gotten me to this point.

So what’s best practice these days? My personal solution is to store them as an archived e-mail. This way, I just have to remember one e-mail password. But I suspect that most wouldn’t consider that the safest option.

Please keep in mind that I use several devices (iPhone, PC and Mac) to access the internet.

I use a free app on my tablet called Keeper. You have to manually enter in all the account info and passwords but it works great. And I also like that it has a built-in random, secure password generator. There’s a free and paid version. I think the paid version keeps a backup of all your stuff on their secure server.

Come up with a password ‘Base Word’, and modify it to the situation.
For example, OrangeSDMB, OrangeGoogle, OrangeFBook, OrangeBank, OrangeWork, OrangeWhatever.

Your Base Word + Site Reminder + whatever random variable your site requires, such as three numbers and a dog breed name, or whatever.

Depending on the security level required, use different base words.

Works for me, but I have a security level of approximately zero.

I use an old-fashioned address book and write the passwords in there. Until I lose it, it will work great!

Oh and I missed your part about using multiple devices. Keeper syncs your info across all your devices.

KeePass Password Safe.

I use 1Password. I keep the database on Dropbox, so I can access it from any device. It integrates with all the major browsers, generates secure passwords, and keeps secure notes and product license keys in addition to the basic password management. It’s not free, but I like it so I’m happy to have paid the developers for their work.

I’ve also heard good things about LastPass.

One of the best schemes I have ever seen works like this.

You create a personal identifier: your initials, first X letters of your first name, whatever. Decide to make at least one of those characters uppercase.

You select a special character: !, @, #, whatever.

You select an identifier for the site you are logging into: first word of site name, common name, first X letters, whatever. Decide to make at least one of those characters uppercase.

You then pick a 4 digit number that is meaningful to you: last 4 digits of your work number, first 4 digits of your DL number, whatever.

For example: suppose I pick first 5 letters of my first name (1st character UC), special character @, common name of site or first five letters (second character UC) and my work phone ends in 1219. My password for the Dope would then be:


Plugging this into gives this result:


If I banked at Chase Bank, my password would be Cloth@cHase1219.
If I had an investment account at Fidelity, my password would be Cloth@fIdel1219. Etc.

It took me about a week to get used to this structure and I love it.

The problem with this is that many of the websites I use force me to change my password periodically.

+1 for 1Password.

And your Microsoft password would be Cloth@mIcro1219.
Your Gmail password would be Cloth@gMail1219

So if someone sees your password on one website they can work out all of them on all other websites?

I also recommend this (with Dropbox synchronizing the safe between computers). I was introduced to it on SDMB and have been using it ever since. The password to my password vault is very long, and all of my “real” passwords are just random strings of the maximum length allowed by the site.

This is why I would suggest using two or three tiers of passwords, depending on how secure you need it to be. Banks and email accounts used to activate other accounts might have individual alphanumeric passwords, but it doesn’t really matter if someone finds my SDMB password and uses that to figure out my password.

I just write the darn things on a pad of paper that sits on a shelf near the computer. A burglar isn’t even going to notice it and a hacker can’t see it. If the house catches fire, you’ve got bigger things to worry about.

Another satisfied KeePass user, in my case on a thumb drive. My password for KeePass itself has no connection with any of my other passwords. I do have a couple of tiers, as well.

I use a tiered system. SDMB and other “low security” sites can get one of my basic passwords that I share across several sites. Even my low level password contains a mixture of letters, numbers, and special characters and is not a dictionary word. High security sites get the full security password, and none are the same. It’s similar to Clothahump’s system where you take a common root you can remember, then add a prefix or suffix based on the website you’re using it for.

The wrench is when sites have password rules like they don’t allow a specific special character, require a capital letter in a certain position, or don’t allow more than 2 consecutive numerals. These break the system and make it hard to remember without a password manager.

Which brings me to LastPass, my password manager. I really like it, and it works across my browsers (Chrome, Firefox, and IE) and Android phone. If I can’t remember a site’s password, I can look it up or have it automatically entered by LastPass.
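A sketch of what a password manager's generator does with the site rules mentioned in the post above (a banned special character, a cap on consecutive numerals) while still producing an unrelated random string per site, as another poster describes. This is an added Python example, not part of any poster's message; the site names, lengths and banned characters are constructed assumptions.

```python
import secrets
import string

def has_digit_run(pw, max_run):
    """True if pw contains more than max_run consecutive digits."""
    run = 0
    for ch in pw:
        run = run + 1 if ch.isdigit() else 0
        if run > max_run:
            return True
    return False

def generate_password(length, banned="", max_digit_run=None,
                      specials="!@#$%^&*-_=+"):
    """Random password with at least one lower, upper, digit and special.

    banned: characters the site rejects.
    max_digit_run: longest run of consecutive digits the site allows.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, specials]
    classes = ["".join(c for c in cls if c not in banned) for cls in classes]
    if any(not cls for cls in classes):
        raise ValueError("a required character class is entirely banned")
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:  # rejection sampling: uniform over all rule-compliant strings
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not all(any(ch in cls for ch in pw) for cls in classes):
            continue
        if max_digit_run is not None and has_digit_run(pw, max_digit_run):
            continue
        return pw

# Constructed site policies; each site gets an independent random password,
# so one leaked password reveals nothing about the others.
SITE_RULES = {
    "bank": dict(length=20, banned="@&", max_digit_run=2),
    "forum": dict(length=32),
}

def generate_all(rules=SITE_RULES):
    return {site: generate_password(**r) for site, r in rules.items()}

if __name__ == "__main__":
    for site, pw in generate_all().items():
        print(site, pw)
```
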

Does anyone know how KeePassX (a cross-platform port of KeePass) compares to KeePass? Are they compatible?

I love LastPass, too. I’ve been using the free version for a couple of years now and it’s great.

I use Password Corral, and it’s great. Free. The large internet equipment vendor I work for is bonkers about security, and our IT security group recommends it.

I use both PasswordSafe and LastPass. They’re both great. I haven’t gotten to the point of letting them generate passwords for me, though; I live in fear of not being able to access one or the other on some device and being shut out of a vital site.