Managing passwords - recommendations?


#1

It used to be that you could have just a few passwords for all websites, with varying degrees of complexity depending on the website content. For example you might have a “junker” password for rarely used sites that needed basic registration but complex passwords for email sites, financial institutions etc. with two step authentication.

That’s no longer good enough and now every website really needs its own password so when one is compromised, the others are not compromised too. But managing hundreds of unique passwords is not easy!

I’m curious to learn how folks here manage their passwords and, if appropriate, what tools do you use?

Thanks in advance.


#2

KeePass + KeeFox + ownCloud for synchronization. I also use the Android client occasionally.


#3

I use KeePassX (version 2, although I think I liked version 1 better on how it displayed the random passwords). It’s free in both meanings of the word, although a bit clunkier to use than the non-free options I guess. I run it on Mac and Linux mostly, and share the encrypted database through Dropbox. I’m also curious as to what the best practices are for this.


#4

Just append a number to the end of your password and increase it each time you create a new account.

Example:
$R%T6y7u$R%T6y7u - Your Old password
$R%T6y7u$R%T6y7u1 - First Account
$R%T6y7u$R%T6y7u2 - Second Account
$R%T6y7u$R%T6y7u3 - Third Account

Unique passwords for each account, easy to remember.


#5

I’m a heavy user of LastPass. Their security model is quite good (all encryption is client-side; they never see your cleartext) and their client software is decent. I use the Android and Chrome clients, can’t speak to any others.


#6

Thanks Toma… but how do you know your first account is iTunes, for example, your second is gmail, your third is Netflix… your hundredth is FlowersDirect etc etc??

Kind Regards

Ian


#7

Memory. And when I forget I just brute force it, because I know it’s within a range of numbers.

But you could always write a numbered list.

  1. iTunes
  2. gmail
  3. netflix
  4. FlowersDirect

#8

I also really like Lastpass, been using it for a few years. Haven’t tried others though.


#9

I use lastpass as well - has worked pretty well for me.


#10

I’ve been using 1Password and love it. Syncs my laptop with my phone, integrates great with all browsers, etc.

I can also recommend KeePassX which I’ve used in a team setting. It’s a little rougher, but more open.


#11

re Toma: I think the problem with adding numbers at the end is when one of them gets leaked, say somebody hacks crunchyroll and they didn’t properly encrypt it. It then gets added to a big database of leaked passwords, I’d be surprised if jacktheripper didn’t already have rules for that sort of thing.


#12

For important things, I use PasswordSafe. I also use it to keep the random answers to the “verification questions” for those same important accounts. I love it when I’m talking to customer service and they want to know the name of my first pet … Qeeru23423D!^

For non-important things I use a variation of Toma’s suggestion. I have 2 words and I inject the domain name in between them, adding an exclamation mark at the end to satisfy the websites that require “strong” passwords. example: HousevanhackcaTree!


#13

“I think the problem with adding numbers at the end is when one of them gets leaked, say somebody hacks crunchyroll and they didn’t properly encrypt it. It then gets added to a big database of leaked passwords, I’d be surprised if jacktheripper didn’t already have rules for that sort of thing.”

You mean like the Dropbox password leak? Because that happened, and someone could have your KeePass database; they could have cracked it too. ; )

JtR is old school; hashcat is the new thing.
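The two posts above make the same point: once one plaintext from the numbered scheme leaks, a cracker does not need to brute-force anything, it just runs a mangling rule over the leaked value. The following Python simulation is an added illustration of that (it is not code from anyone in the thread). The attacker holds one cleartext password from a badly run site A and applies a single “strip trailing digits, then append 0..200” rule, the kind of rule that ships with John the Ripper and hashcat, against a second site B that stores passwords properly (per-user random salt, PBKDF2-HMAC-SHA256). The base password, the leaked value, the victim’s number and the 10,000 PBKDF2 iterations are all constructed for the demo; the iteration count is lowered so it finishes in about a second.

```python
import hashlib
import os
import secrets
import string
from typing import Iterator, Optional, Tuple

# Constructed example data (not from any real breach): the thread's sample
# "base" password, re-used with a different numeric suffix per account.
BASE = "$R%T6y7u$R%T6y7u"
LEAKED_FROM_SITE_A = BASE + "7"   # site A stored it in the clear and was breached

# Lowered from a production-grade count so the demo runs in about a second.
PBKDF2_ITERATIONS = 10_000


def store_password(password: str) -> Tuple[bytes, bytes]:
    """What a well-behaved site B stores: a random salt and a salted, iterated hash.
    Salting stops precomputed tables; it does nothing against a targeted rule."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def suffix_rule_candidates(leaked: str, max_number: int = 200) -> Iterator[str]:
    """One JtR/hashcat-style mangling rule built from a single leaked plaintext:
    drop the trailing digits, then try the stem alone and stem + 0..max_number."""
    stem = leaked.rstrip(string.digits)
    yield stem
    for n in range(max_number + 1):
        yield f"{stem}{n}"


def crack(salt: bytes, digest: bytes, candidates: Iterator[str]) -> Tuple[Optional[str], int]:
    """Return (cracked_password, guesses_made); (None, guesses) if the rule ran dry."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, PBKDF2_ITERATIONS) == digest:
            return cand, guesses
    return None, guesses


def attack_numbered_scheme(victim_number: int = 42) -> Tuple[Optional[str], int]:
    """The victim's site-B password follows the thread's scheme with an unknown number."""
    salt, digest = store_password(f"{BASE}{victim_number}")
    return crack(salt, digest, suffix_rule_candidates(LEAKED_FROM_SITE_A))


def attack_random_password() -> Tuple[Optional[str], int]:
    """Same rule against an unrelated, randomly generated 20-char password: no hit."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    random_pw = "".join(secrets.choice(alphabet) for _ in range(20))
    salt, digest = store_password(random_pw)
    return crack(salt, digest, suffix_rule_candidates(LEAKED_FROM_SITE_A))


if __name__ == "__main__":
    print(attack_numbered_scheme())   # ('$R%T6y7u$R%T6y7u42', 44): found on guess 44
    print(attack_random_password())   # (None, 202): rule exhausted, nothing found
```

The salt and the slow hash are still worth having: they force the attacker to run the rule separately per user, at PBKDF2 cost per guess. What they cannot do is make 202 guesses expensive, which is why the defence has to come from the password being unrelated to anything that has leaked.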


#14

“I have 2 words and I inject the domain name in between them, adding an exclamation mark at the end to satisfy the websites that require “strong” passwords. example: HousevanhackcaTree!”

I like that a lot… every password is unique yet you always know what it is.

Thank you all for the various tool suggestions. I will check them all out and use the above for non important passwords.

Kind Regards

Ian


#15

Depends on how paranoid you are.
For me, what I used to do is have a common password, and then a more secure unique one for sites I thought were more important like PayPal etc. A better solution would be a password storage program; there are many.
Though if you are up to doing it, it’s kind of a fun math exercise to try to find a good algorithm that takes a string (the website URL, for example) always onto 6-8 chars and has all of the common password requirements such as upper/lower case and so on. It is theoretically more secure, as any password-safe-type software is vulnerable to attacks on the device itself.
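One way to build the kind of algorithm the post above describes, written here as an added example rather than the poster’s own scheme: derive each site’s password as HMAC-SHA256 over the domain, keyed by a stretched master secret, and map the output onto a character set that satisfies the usual class rules. Everything below is an assumption of this example, not of the thread: the PBKDF2 stretching of the master, the fixed label used as its salt, the 70-character alphabet, the 12-character default (the post suggests 6-8; shorter outputs are supported for sites that cap length), and the `counter` argument, which is added so one site’s password can be rotated after a leak without changing the master. The caveats a practitioner would want: the master is a single point of failure; a leaked derived password plus knowledge of the scheme lets an attacker test master guesses offline (the stretching only slows that down); rotation means remembering which counter a site is on; and, as the post notes, none of this helps if the device doing the derivation is compromised.

```python
import hashlib
import hmac
import string
from typing import Iterator

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*"                          # a conservative set most sites accept
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 70 characters
REJECT_ABOVE = 256 - (256 % len(ALPHABET))    # 210: bytes >= this are discarded so
                                              # byte % 70 stays uniform (no modulo bias)


def _stretch_master(master: str) -> bytes:
    """Make each offline guess of the master cost PBKDF2 work. The salt is a fixed
    label (hypothetical), which is all a fully deterministic scheme allows."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(),
                               b"site-password-derivation-v1", 200_000)


def _byte_stream(key: bytes, site: str, counter: int) -> Iterator[int]:
    """Unbounded deterministic bytes: HMAC-SHA256(key, site || counter || block)."""
    block = 0
    while True:
        msg = f"{site}\x00{counter}\x00{block}".encode()
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        block += 1


def meets_policy(pw: str) -> bool:
    """The usual 'at least one of each class' requirement the post mentions."""
    return all(any(c in cls for c in pw) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def derive_password(master: str, site: str, length: int = 12, counter: int = 0) -> str:
    """Deterministic per-site password. `site` should be the registrable domain
    (case-folded here so 'Example.COM' and 'example.com' agree); `counter` is the
    added rotation knob: bump it for one site after a leak, leaving the rest alone."""
    if not 6 <= length <= 64:
        raise ValueError("length out of range")
    stream = _byte_stream(_stretch_master(master), site.strip().lower(), counter)
    while True:                                   # rejection-sample whole candidates
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < REJECT_ABOVE:
                chars.append(ALPHABET[b % len(ALPHABET)])
        candidate = "".join(chars)
        if meets_policy(candidate):               # same inputs -> same retries -> same result
            return candidate


if __name__ == "__main__":
    m = "a long memorable master secret"
    print(derive_password(m, "crunchyroll.com"))
    print(derive_password(m, "crunchyroll.com", counter=1))   # rotated after a leak
    print(derive_password(m, "bank.example", length=8))        # for an 8-char-cap site
```

Rejection sampling at the byte level keeps each character uniform over the alphabet, and rejecting whole candidates that miss a class keeps the output deterministic without forcing a fixed “symbol in position 1” pattern that a cracker could exploit.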


#16

I’m not a security expert, but I’m pretty sure there’s some questionable advice in this thread.

What password cracking looked like four years ago:

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

My understanding is that password managers and long, unique, random passwords are still considered to be the best way of protecting your online accounts, and that you should enable two factor authentication when it’s available.

Nothing will protect you if you don’t keep your own computer safe, but that’s a separate discussion.


#17

I wouldn’t listen to XKCD on passwords.

Tr0ub4dor&3
96 printable characters ^ 11 characters = 6.382393306×10²¹

correcthorsebatterystaple
171,476 words in English dictionary ^ four words = 8.645963084×10²⁰

would be quicker to brute force the second password with a wordlist


#18

The point of that comic (aside from the memorability issue) is that the first password can be attacked without resorting to brute force attack, while if the words in the second password are chosen randomly, brute force is the best you’re going to do. So the correct comparison isn’t 6e21 vs 9e20, it’s 3e8 vs 9e20.

I don’t care if you use random characters or random words, the key is to get enough of them and ensure they’re truly randomly selected, which in the first example they absolutely are not.
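To make the comparison in the last two posts concrete, here is an added Python example (not from the thread or the comic) that computes the keyspace of each model in bits and an expected crack time at an assumed guess rate, and generates a passphrase the right way, with the CSPRNG-backed `secrets` module rather than `random`. The figures are the ones quoted above: 96 printable characters (the post’s number; strictly there are 95), 171,476 dictionary words, and the comic’s estimate of roughly 28 bits for the Tr0ub4dor&3 pattern when it is attacked as “uncommon word plus substitutions plus a digit and a symbol” rather than as random characters. The 7,776-word diceware figure and the 16-word list are added for illustration; the guess rate of 10⁹ per second is an assumption, not a measurement.

```python
import math
import secrets
from typing import Dict, List, Tuple

# Constructed 16-word list so the generator runs offline; a real passphrase
# list (for example a diceware list) has thousands of entries.
SAMPLE_WORDS: List[str] = [
    "correct", "horse", "battery", "staple", "anvil", "lantern", "orbit", "quartz",
    "meadow", "cobalt", "ferret", "gravel", "hollow", "island", "jigsaw", "kettle",
]

# Figures quoted in the thread and in the comic it discusses.
PRINTABLE_ASCII = 96          # the post's figure (there are 95 printable ASCII characters)
ENGLISH_WORDS = 171476        # the post's dictionary size
DICEWARE_WORDS = 7776         # 6**5, the size of a standard diceware list (added here)
TROUBADOR_PATTERN_BITS = 28   # the comic's estimate for word + substitutions + digit + symbol


def bits_for_chars(alphabet_size: int, length: int) -> float:
    """Keyspace of a uniformly random string, in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def bits_for_words(dictionary_size: int, count: int) -> float:
    """Keyspace of `count` words drawn uniformly and independently from the list."""
    return count * math.log2(dictionary_size)


def guesses(bits: float) -> float:
    """Candidates an attacker must enumerate to exhaust the keyspace."""
    return 2.0 ** bits


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Mean time to hit the password: half the keyspace at the given guess rate."""
    return 2.0 ** (bits - 1) / guesses_per_second


def random_passphrase(words: List[str], count: int = 4, sep: str = " ") -> str:
    """Each word chosen by the OS CSPRNG; the list may be public, the choice must not be."""
    return sep.join(secrets.choice(words) for _ in range(count))


def comparison(guesses_per_second: float = 1e9) -> Dict[str, Tuple[float, float]]:
    """The thread's models side by side: (bits, mean crack time in seconds)."""
    models = {
        "Tr0ub4dor&3 attacked as a pattern (comic's estimate)": TROUBADOR_PATTERN_BITS,
        "11 uniformly random printable characters": bits_for_chars(PRINTABLE_ASCII, 11),
        "4 random words from a 171,476-word list": bits_for_words(ENGLISH_WORDS, 4),
        "4 random words from a 7,776-word diceware list": bits_for_words(DICEWARE_WORDS, 4),
    }
    return {name: (round(b, 1), expected_crack_seconds(b, guesses_per_second))
            for name, b in models.items()}


if __name__ == "__main__":
    for name, (bits, secs) in comparison().items():
        print(f"{bits:5.1f} bits  {secs:12.3g} s  {name}")
    print(random_passphrase(SAMPLE_WORDS))
```

The table the script prints makes the previous post’s point: the 11-character password only reaches 72 bits if every character is chosen uniformly at random, which Tr0ub4dor&3 plainly is not, while four words from even a modest 7,776-word list give about 52 bits with no pattern for a rule to exploit, provided the words really are drawn by a CSPRNG.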


#19

Another Lastpass user, with a yubikey for 2FA auth for Lastpass and anything else that supports it.


#20

Also Lastpass w/ synchronization between devices. Works nice w/ Chrome and on my iOS devices. Nice auto-generated 20+ character long complex passwords.

The really frustrating part is still some financial institutions that only allow a max of 8 characters and only letters and numbers… crazy. The 80’s called and want their passwords back.

Warren.