It used to be that you could have just a few passwords for all websites, with varying degrees of complexity depending on the website content. For example you might have a “junker” password for rarely used sites that needed basic registration but complex passwords for email sites, financial institutions etc. with two step authentication.
That’s no longer good enough and now every website really needs its own password so when one is compromised, the others are not compromised too. But managing hundreds of unique passwords is not easy!
I’m curious to learn how folks here manage their passwords and, if appropriate, what tools do you use?
I use KeePassX (version 2, although I think I liked version 1 better on how it displayed the random passwords). It’s free in both meanings of the word, although a bit clunkier to use than the non-free options I guess. I run it on Mac and Linux mostly, and share the encrypted database through dropbox.
I’m also curious as to what the best practices are for this.
I’m a heavy user of LastPass. Their security model is quite good (all encryption is client-side; they never see your cleartext) and their client software is decent. I use the Android and Chrome clients, can’t speak to any others.
Thanks Toma… but how do you know your first account is iTunes, for example, your second is gmail, your third is Netflix… your hundredth is FlowersDirect etc etc??
re Toma: I think the problem with adding numbers at the end is when one of them gets leaked, say somebody hacks crunchyroll and they didn’t properly encrypt it. It then gets added to a big database of leaked passwords, I’d be surprised if jacktheripper didn’t already have rules for that sort of thing.
For important things, I use PasswordSafe. I also use it to keep the random answers to the “verification questions” for those same important accounts. I love it when I’m talking to customer service and they want to know the name of my first pet … Qeeru23423D!^
For non-important things I use a variation of Toma’s suggestion. I have 2 words and I inject the domain name in between them, adding an exclamation mark at the end to satisfy the websites that require “strong” passwords. example: HousevanhackcaTree!
You mean like the dropbox password leak? Cause that happened, and someone could have your keypass database, they could have cracked it too. ; )
“I have 2 words and I inject the domain name in between them, adding an exclamation mark at the end to satisfy the websites that require “strong” passwords. example: HousevanhackcaTree!”
I like that a lot… every password is unique yet you always know what it is.
Thank you all for the various tool suggestions. I will check them all out and use the above for non important passwords.
Depends on how paranoid you are.
For me, what I used to do is have a common password, and then a more secure unique one for sites I thought were more important like paypal etc. A better solution would be a password storage program, there are many.
Though if you are up to doing it, it’s kind of a fun math exercise to try to find a good algorithm that takes a string (the website url, for example) always onto 6-8 chars and has all of the common password requirements such as upper-lower case and so on. It is theoretically more secure, as any password-safe-type software is vulnerable to attacks on the device itself.
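The "string in, fixed-length password out" exercise described in the post above, worked through as an added example (this is not code from the thread or from any of the tools named in it). It assumes a master secret held in the user's head, a keyed hash (HMAC-SHA256 over a PBKDF2-stretched master secret) as the mapping, and a constructed symbol set and salt; a `counter` input is added so one site's password can be rotated without touching the others. The trade-off the poster alludes to still holds: nothing is stored on the device, but if the master secret leaks, every derived password leaks with it, and a single leaked site password gives an offline attacker something to test master-secret guesses against, which is why the stretch step is there.

```python
import hashlib
import hmac
import string

# Character classes that typical "strong password" policies demand.
# The symbol set is a constructed choice for this example; sites vary.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)

# Fixed, public salt and iteration count for stretching the master secret
# (constructed values; a real tool would version and document these).
STRETCH_SALT = b"site-password-derivation-v1"
STRETCH_ITERATIONS = 200_000


def _stretch_master(master_secret: str) -> bytes:
    """Slow down offline guessing of the master secret with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode("utf-8"), STRETCH_SALT, STRETCH_ITERATIONS
    )


def _keystream_int(key: bytes, label: bytes, nbytes: int) -> int:
    """Expand HMAC-SHA256(key, label || block) into one large integer.

    Drawing characters from a big integer with divmod avoids the modulo bias
    you get from mapping single bytes onto a 70-character alphabet.
    """
    out = bytearray()
    block = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return int.from_bytes(bytes(out[:nbytes]), "big")


def derive_site_password(master_secret: str, domain: str, length: int = 8, counter: int = 1) -> str:
    """Map (master secret, domain, counter) to a fixed-length password.

    The same inputs always yield the same password, so nothing needs storing;
    the counter lets one site's password be rotated without changing the rest.
    """
    if not 6 <= length <= 64:
        raise ValueError("length must be between 6 and 64")
    key = _stretch_master(master_secret)
    # Normalise the domain so that "Example.COM" and "example.com" agree.
    label = f"{domain.strip().lower()}|{counter}".encode("utf-8")
    # 8 bytes of keystream per output position is far more than the ~6.1 bits
    # each character consumes, so the divmod draws below are effectively unbiased.
    n = _keystream_int(key, label, 8 * length)

    chars = []
    for cls in CLASSES:                      # guarantee one character from every class
        n, idx = divmod(n, len(cls))
        chars.append(cls[idx])
    while len(chars) < length:               # fill the rest from the full alphabet
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    for i in range(len(chars) - 1, 0, -1):   # deterministic Fisher-Yates shuffle
        n, j = divmod(n, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """True when the password contains at least one character of every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed master secret
    for site in ("vanhack.ca", "example.com"):
        print(site, derive_site_password(master, site))
```

Because the output depends only on the inputs, the test below checks properties (length, policy, domain normalisation, that domain, counter and master changes all change the result) rather than a fixed string.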
My understanding is that password managers and long, unique, random passwords are still considered to be the best way of protecting your online accounts, and that you should enable two factor authentication when it’s available.
Nothing will protect you if you don’t keep your own computer safe, but that’s a separate discussion.
The point of that comic (aside from the memorability issue) is that the first password can be attacked without resorting to brute force attack, while if the words in the second password are chosen randomly, brute force is the best you’re going to do. So the correct comparison isn’t 6e21 vs 9e20, it’s 3e8 vs 9e20.
I don’t care if you use random characters or random words, the key is to get enough of them and ensure they’re truly randomly selected, which in the first example they absolutely are not.
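The two points made above, that generated passwords must come from a proper random source and that strength is set by how many equally likely choices there are rather than by how a password looks, as an added example (not code from the thread or from any password manager). It uses Python's `secrets` module for generation and counts the guess space for three cases: uniformly random characters, uniformly random words from a list, and a human-style "dictionary word plus variations" pattern whose space is only dictionary size times variation count. The word list and dictionary sizes below are constructed for the example.

```python
import math
import secrets
import string

# Pool for random character passwords (constructed choice of symbols).
CHAR_POOL = string.ascii_letters + string.digits + "!@#$%^&*"

# A tiny constructed word list so the example runs offline. Real passphrase
# lists have thousands of words; the list size, not the words themselves,
# sets the strength, and the word list need not be secret.
DEMO_WORDS = ["house", "tree", "river", "cloud", "stone", "lamp", "brick", "wheel"]


def random_password(length: int = 20, pool: str = CHAR_POOL) -> str:
    """Random character password drawn from the OS CSPRNG via secrets."""
    return "".join(secrets.choice(pool) for _ in range(length))


def random_passphrase(word_count: int = 5, words=DEMO_WORDS, sep: str = "-") -> str:
    """Random word passphrase; every word is an independent uniform draw."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def guess_space(pool_size: int, picks: int) -> int:
    """Number of equally likely secrets when each of `picks` draws is uniform over pool_size."""
    return pool_size ** picks


def patterned_guess_space(dictionary_size: int, variants_per_word: int) -> int:
    """Search space of 'one dictionary word with substitutions/suffixes' passwords.

    An attacker who knows the pattern tries each word times each variation,
    so the alphabet and length of the final string are irrelevant.
    """
    return dictionary_size * variants_per_word


def entropy_bits(space: int) -> float:
    """log2 of a guess space: the number of bits an attacker must guess."""
    return math.log2(space)


def summarise(dictionary_size: int = 100_000, variants_per_word: int = 1_000) -> dict:
    """Bits of entropy for the cases discussed in the thread (word list size 7776 is constructed)."""
    return {
        "8 random chars from 70": entropy_bits(guess_space(len(CHAR_POOL), 8)),
        "word + variations":      entropy_bits(patterned_guess_space(dictionary_size, variants_per_word)),
        "4 random words of 7776": entropy_bits(guess_space(7776, 4)),
        "20 random chars from 70": entropy_bits(guess_space(len(CHAR_POOL), 20)),
    }


if __name__ == "__main__":
    print(random_password())
    print(random_passphrase())
    for case, bits in summarise().items():
        print(f"{case:26s} {bits:6.1f} bits")
```

Run stand-alone it prints one password of each kind and the bit counts; the patterned case comes out far below both random cases even though the patterned string may be longer than eight random characters.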
Also Lastpass w/ synchronization between devices. Works nice w/ Chrome and on my iOS devices. Nice auto-generated 20+ character long complex passwords.
The really frustrating part is still some financial institutions that only allow a max of 8 characters and only letters and numbers… crazy. The 80’s called and wants its passwords back.