Ask HN: How to you create and manage passwords?
I have a confession: I use the same password for pretty much everything, even though I know it's a bad idea and unsafe and all that. The problem is remembering my password at the dozen plus email and web services I use.
Is there a good solution that exists for remembering passwords? I know it's built into Firefox, which is nice, but I need something that can travel with me to use on my iPhone and other computers I might need to use. Ideally, it would magically sync up and password retrieval would be amazingly simple and secure.
So I ask you, HN, how do you create and manage your own passwords?
60 comments
[ 6.0 ms ] story [ 269 ms ] threadBecause I'm not always in front of my laptop, or desktop and don't have an iphone I use a system similar to what is here - different passwords for different sites, with a system that helps me remember them.
Not perfect, not 100% secure (nothing is), but always accessible :)
EDIT: here's the link http://www.supergenpass.com/
I love 1Password, but I wish they supported Opera. I would almost switch to this if it weren't for the need to reset hundreds of passwords.
If you steal a password list from a website you can identify all the passwords generated by this utility (10 characters, uniform distribution over alphanumeric characters) and then simply crack the master passwords with a brute force attack. If you have stolen multiple SuperGenPass generated passwords from the same website, you can crack them all at the same time with no additional penalty. After recovering the master password you can then log into every single online account belonging to the user.
They seem to generate the password hash with simple md5, which is about the worst possible choice they could have made. Any master password which is low entropy enough to carry around in your brain can probably be cracked in a few days at most.
One password for all the stuff that isn't really important like sites I visit a few times and then leave.
One password for sites I trust and use on a regular basis, but where a compromised password isn't the end of the world. HN is in this category.
Seperate and strong passwords for stuff that matters, like netbanking, gmail, etc. To remember these I have a system set up so that the passwords are similar in a non-trivial way, like [first words of sentence][number I remember]. One password derived from this could be tqbfjotld!1249057, easily derived from "the quick brown fox jumps over the lazy dog!", and 1249057 which is the serial number for the motor in my boat. This way I only have to remember a phrase and a number I already know for entering secure sites.
Using this system I don't have to rely on potential unsafe software, or writing down passwords that may be compromised.
I've got the one password that I used on all my low-priority stuff--Slashdot, throwaway mail services, etc. It's a terrible password, but at 9 letters it at least has some length and it actually may last against a dictionary attack.
Gmail, my university mail account, and other next-tier things get a stronger password, but still easy to type.
The rather more strict requirements of my school's CS and CE computer systems mean that I have to have complex passwords which change frequently. As such, I have a few that are based on phrases with numbers interspersed (the canonical example, I believe, is "Don't have a cow, man" which becomes something like "d0n'tHac,m" which has the added bonus of looking like "don't hack 'em"). When the policy requires me to change, I can either swap in one of my other extra-strong passwords or, if it remembers previous passwords and I'm stuck, I can just add a number at the end.
My job uses a CryptoCard for most things, but I use a randomly-generated Kerberos password for mail. When it changes, I write it down and stick it in my wallet until I have it memorized, then destroy the paper.
TL;DR: Assign different services to "tiers" and use a different password for each tier, with increasing complexity of passwords corresponding to increasing importance of services.
Basic level password example: "pi975315703" -> alpha-numeric, easy to remember because I have typed it a billion times.
Medium strength: "C0caC0la1s<3pt14159" -> Coca Cola (upper case because it is a company) is not as good as pie always use 0 for o and 1 for i.
High Strength: "9T&11E:ttttttttteeeeeeeeeee+pi975315703" -> all I have to remember is "nine 't's and eleven 'e's plus weak password" but someone trying to hack it with a hash table or whatever would be significantly slowed.
Max strength (where life or my job hangs in the balance): get university text book and ruler, goto page 314 hold ruler along 3rd column of paragraph text, read each letter downwards write on bottom left corner of page in very light pencil "3X5%"
"WdeAdehaeeadyej.dR35Tyismdy+3X&5%:xxx%%%%%+pi97531570" -> I think you should get the idea here.
I'm also super paranoid about key loggers. One of my friends did this to the whole school when I was 16, so ever since then I have never entered high or max on a public computer, just in case. All told I think I have about 35 active passwords that I can easily remember (or obtain in the textbook one).
I have a contact on my phone where all the passwords are stored as phone numbers (just the number, not the letters). If I ever forget the password, I just look it up on my phone. If my phone is ever stolen, the thief will never figure out that a particular contact happens to be having my password as their phone number, and even if he does, he does not know the fixed letter combination I tack on.
And I change this passwords every few months, and when I first change it, I use my phone to remember it. Furthermore, I split the passwords into 3 categories - important, not so important and the password I share with family.
w3tm0mccab1ca$@
hvh1faa0n3tac)&
"What ever the mind of man can concieve and believe, it can achieve" -Napoleon Hill
If you can't remember all the passwords to the accounts you have, one solution it to create less accounts.
initials + last 3 characters in domain of site + year of birth + random sequence you know.
my + tor + 91 + e72BQo -- HN my + igg + 78 + abwBs$ -- Digg
Again, just examples. It works for me and I never forget my passwords as long as I remember the algorithm.
I designed mine to be a little more mixed up, so hopefully even if someone intelligent got my password it would just look like an assortment of characters instead of an obvious hash.
I have FF remember all of my passes basically (on my own computer with a good password on it.) I make fairly heavy use of "forgot pass" functions to make up for forgetting some passes.
I keep them in an encrypted file on an encrypted disk. I let my browser remember them though, and I have the frequently used ones (ssh, gmail, etc.) memorized.
For really important passwords I use strong random passwords with a security copy on paper stored in a safe place. Depending on the password and how often I need it that may be the safe at work, a binder with all the important related personal documents, or that place all people use to keep valuable small pieces of paper, the wallet in my pocket (there usually without a full domain name).
Then I use old safe passwords which I no longer use for their original purpose but still remember as passwords for situations where PasswordMaker is no option.
Sync of keychains is possible, but only if you pay for MobileMe (nee iTools/.Mac).
Unfortunately, Firefox uses its own password manager on the Mac instead of a keychain.
I've been using it for years at this point, and I love it - it's very well supported, and is fast and straightforward to use - both for creating new accounts and recalling old accounts. In fact, I don't know my password to the majority of sites that I am signed up for, and instead use a randomly generated string.
That helps my peace of mind in cases where sites like monster.com get hacked - I don't need to change every password on every site, only that one.
[Edit] - By the way, Version 2 is written in Mono-compatible .NET, which means that it is accessible as a cross platform application. (It's not quite Python or Perl, but it works for me)
http://bookshelfapps.com/
For sites that I care about the security I generate a random password with something like this:
then store that in psafe (http://www.hep.wisc.edu/~dan/psafe/) with a master password that I remember. This way if some site's password does get compromised, it doesn't translate to any other site. I suppose I could also carry around the encrypted psafe file with me on a USB key, but I've found that I don't really need to log into these sorts of sites when I'm out.Our product Memengo Wallet http://www.memengo.com is a password manager that can be used in three different ways:
I can answer any questions. We also answer all support questions submitted from the web site (with a return address).FAQ:
1. Q: The web site makes me uneasy. What if you decide to change your program to fish out the encryption key form the client? A: The web site does not add to the problem - any password mamanger app on the iPhone can phone home without your knowledge.
I believe it is a security risk to reveal password usage/methodology and so must politely refuse to elaborate.