Ask HN: How to you create and manage passwords?

21 points by rscott ↗ HN
I have a confession: I use the same password for pretty much everything, even though I know it's a bad idea and unsafe and all that. The problem is remembering my password at the dozen plus email and web services I use.

Is there a good solution that exists for remembering passwords? I know it's built into Firefox, which is nice, but I need something that can travel with me to use on my iPhone and other computers I might need to use. Ideally, it would magically sync up and password retrieval would be amazingly simple and secure.

So I ask you, HN, how do you create and manage your own passwords?

60 comments

[ 6.0 ms ] story [ 269 ms ] thread
I use 1Password (for OS X and iPhone), which lets me generate random passwords for different sites. It can't auto-fill on the iPhone, so you have to go into the app and write it down somewhere (or remember it) temporarily. It's got syncing and stuff too. http://agilewebsolutions.com/products/1Password
I have a question - is there a password manager out there thats made it possible to access passwords from a computer that isn't yours? I'm guessing not, because of the obvious security issues.

Because I'm not always in front of my laptop, or desktop and don't have an iphone I use a system similar to what is here - different passwords for different sites, with a system that helps me remember them.

You can either use a website to manage your passwords or a USB drive. I use keepass to keep some of my passwords on a USB stick...

Not perfect, not 100% secure (nothing is), but always accessible :)

Thanks! I like the USB drive idea (maybe on a keychain) in conjunction with keepass (I'll need to look more closely at keepass - I skimmed over it a while ago). Also I like the supergenpass suggestion below - less to carry, and as long as I have the bookmarklet on a browser, and my master password, easily accessible. More to think about! :)
I use 1Password also, with DropBox to sync passwords across multiple machines. Excellent combination.
I use SuperGenPass, which hashes the domain of a website with a Master password, so you only need to remember one password. Then, every time you log in, you just enter in your master password, it automatically hashes it, and you get a new password for logging in like af49AgsdU8

EDIT: here's the link http://www.supergenpass.com/

Amen. It amazes me how little this has caught on with the technical people I know. You can have your cake and eat it too: you only need to remember a single password, but you get to keep that password private. And you can use as many different computers and browsers as you want.
Holy crap, how have I not heard of this?!

I love 1Password, but I wish they supported Opera. I would almost switch to this if it weren't for the need to reset hundreds of passwords.

I know! Where's the news on this been? This sounds awesome - more research, but I'm seriously thinking about switching.
I've also been using this for ages. Absolute huge time saver. I used to keep vim encrypted files for every site I visited...when the list topped about three hundred, it seemed like time for a change.
This scheme is hugely flawed.

If you steal a password list from a website you can identify all the passwords generated by this utility (10 characters, uniform distribution over alphanumeric characters) and then simply crack the master passwords with a brute force attack. If you have stolen multiple SuperGenPass generated passwords from the same website, you can crack them all at the same time with no additional penalty. After recovering the master password you can then log into every single online account belonging to the user.

They seem to generate the password hash with simple md5, which is about the worst possible choice they could have made. Any master password which is low entropy enough to carry around in your brain can probably be cracked in a few days at most.

Except that you don't use the full MD5 sum, so it's not a simple matter of brute-forcing it.
For the default password length of 10 characters they use ~60 bits of MD5 output. That's more than enough information to uniquely identify the master password.
So once your master password is found (brute force/keylogger/shoulder surfing), the attacker has a handy bookmarklet to log into all of your accounts.
I take a layered approach.

One password for all the stuff that isn't really important like sites I visit a few times and then leave.

One password for sites I trust and use on a regular basis, but where a compromised password isn't the end of the world. HN is in this category.

Seperate and strong passwords for stuff that matters, like netbanking, gmail, etc. To remember these I have a system set up so that the passwords are similar in a non-trivial way, like [first words of sentence][number I remember]. One password derived from this could be tqbfjotld!1249057, easily derived from "the quick brown fox jumps over the lazy dog!", and 1249057 which is the serial number for the motor in my boat. This way I only have to remember a phrase and a number I already know for entering secure sites.

Using this system I don't have to rely on potential unsafe software, or writing down passwords that may be compromised.

Seconded with gusto.

I've got the one password that I used on all my low-priority stuff--Slashdot, throwaway mail services, etc. It's a terrible password, but at 9 letters it at least has some length and it actually may last against a dictionary attack.

Gmail, my university mail account, and other next-tier things get a stronger password, but still easy to type.

The rather more strict requirements of my school's CS and CE computer systems mean that I have to have complex passwords which change frequently. As such, I have a few that are based on phrases with numbers interspersed (the canonical example, I believe, is "Don't have a cow, man" which becomes something like "d0n'tHac,m" which has the added bonus of looking like "don't hack 'em"). When the policy requires me to change, I can either swap in one of my other extra-strong passwords or, if it remembers previous passwords and I'm stuck, I can just add a number at the end.

My job uses a CryptoCard for most things, but I use a randomly-generated Kerberos password for mail. When it changes, I write it down and stick it in my wallet until I have it memorized, then destroy the paper.

TL;DR: Assign different services to "tiers" and use a different password for each tier, with increasing complexity of passwords corresponding to increasing importance of services.

Same here. I've written up my methods here, which are similar in spirit, but not the same in execution.

Basic level password example: "pi975315703" -> alpha-numeric, easy to remember because I have typed it a billion times.

Medium strength: "C0caC0la1s<3pt14159" -> Coca Cola (upper case because it is a company) is not as good as pie always use 0 for o and 1 for i.

High Strength: "9T&11E:ttttttttteeeeeeeeeee+pi975315703" -> all I have to remember is "nine 't's and eleven 'e's plus weak password" but someone trying to hack it with a hash table or whatever would be significantly slowed.

Max strength (where life or my job hangs in the balance): get university text book and ruler, goto page 314 hold ruler along 3rd column of paragraph text, read each letter downwards write on bottom left corner of page in very light pencil "3X5%"

"WdeAdehaeeadyej.dR35Tyismdy+3X&5%:xxx%%%%%+pi97531570" -> I think you should get the idea here.

I'm also super paranoid about key loggers. One of my friends did this to the whole school when I was 16, so ever since then I have never entered high or max on a public computer, just in case. All told I think I have about 35 active passwords that I can easily remember (or obtain in the textbook one).

You're too hardcore for me, man. Is a 50+ letter password really worth it? My tiny brain barely remembers the 5 or 6 passwords I always choose to use.
Just hope you don't lose (or lose access to) the university textbook :)
The system I use is this - I use a fixed combination of letters that never change (4 letters), and then I follow it up with an 8 digit series of numbers, ending up with 12 digit password.

I have a contact on my phone where all the passwords are stored as phone numbers (just the number, not the letters). If I ever forget the password, I just look it up on my phone. If my phone is ever stolen, the thief will never figure out that a particular contact happens to be having my password as their phone number, and even if he does, he does not know the fixed letter combination I tack on.

And I change this passwords every few months, and when I first change it, I use my phone to remember it. Furthermore, I split the passwords into 3 categories - important, not so important and the password I share with family.

The first or second letters of the words of motivational quotes with a few letter substitutions (e.g. 0 for 'o', 3 for 'e') and some random symbols work well for me as easy to recall and strong passwords. Plus when you type it in, you have to think about the quote and whether you are applying it.

w3tm0mccab1ca$@

hvh1faa0n3tac)&

"What ever the mind of man can concieve and believe, it can achieve" -Napoleon Hill

(comment deleted)
The way I create passwords is to make an algorithm that no one else would know - which creates unique passwords for every site I use, but I can never forget the password since the algorithm stays the same. Example:

initials + last 3 characters in domain of site + year of birth + random sequence you know.

my + tor + 91 + e72BQo -- HN my + igg + 78 + abwBs$ -- Digg

Again, just examples. It works for me and I never forget my passwords as long as I remember the algorithm.

I think I read about this hashing technique here and have been using it ever since. There's no need for any password tools and you simply remember one algorithm. After about a month of usage it takes no time to type in the PW for any site.

I designed mine to be a little more mixed up, so hopefully even if someone intelligent got my password it would just look like an assortment of characters instead of an obvious hash.

I use a different pass for basically everything. The strength depends on how much I care about my account at the service. I've been known to do stuff like "<servicename>sucks" when I really don't care about it. Everything somewhat important is longish, with some capitals/numbers/special chars.

I have FF remember all of my passes basically (on my own computer with a good password on it.) I make fairly heavy use of "forgot pass" functions to make up for forgetting some passes.

For sites like this one, I use one of two or three easy to remember passwords. For banking sites and such, I create strong passwords, which I keep written down (the Bruce Schneier approach).
Random username and password for each site, generated by http://duckduckgo.com/?q=pw

I keep them in an encrypted file on an encrypted disk. I let my browser remember them though, and I have the frequently used ones (ssh, gmail, etc.) memorized.

For web sites I don't want to access from my phone, I use the PasswordMaker plugin for Firefox, which generates site specific passwords from a single master password that never gets saved anywhere (except maybe swap space, I haven't looked into that). The only problem I've run into were overzealous input sanitizers on some sites that refused some of the characters in the generated passwords.

For really important passwords I use strong random passwords with a security copy on paper stored in a safe place. Depending on the password and how often I need it that may be the safe at work, a binder with all the important related personal documents, or that place all people use to keep valuable small pieces of paper, the wallet in my pocket (there usually without a full domain name).

Then I use old safe passwords which I no longer use for their original purpose but still remember as passwords for situations where PasswordMaker is no option.

The Mac's Keychain Access program (Utilities folder) is pretty good for this. Most programs I use directly support it, e.g. Mail passwords, and web site passwords in OmniWeb. You can also add your own passwords or secure notes without having a program "support" the keychain.

Sync of keychains is possible, but only if you pay for MobileMe (nee iTools/.Mac).

Unfortunately, Firefox uses its own password manager on the Mac instead of a keychain.

I'm actually quite surprised at the lack of mention of KeePass in this comments thread: http://keepass.info/

I've been using it for years at this point, and I love it - it's very well supported, and is fast and straightforward to use - both for creating new accounts and recalling old accounts. In fact, I don't know my password to the majority of sites that I am signed up for, and instead use a randomly generated string.

That helps my peace of mind in cases where sites like monster.com get hacked - I don't need to change every password on every site, only that one.

[Edit] - By the way, Version 2 is written in Mono-compatible .NET, which means that it is accessible as a cross platform application. (It's not quite Python or Perl, but it works for me)

Not extremely sophisticated from the generation side but SecretBook for Mac is really pretty clean. iPhone version as well.

http://bookshelfapps.com/

KeePassX(http://www.keepassx.org/) is an excellent free cross-platform password manager for storing user names, passwords, urls, attachments and comments in one single database.The database is encrypted either with AES (alias Rijndael) or Twofish encryption algorithm using a 256 bit key.
I use passook. Its a perl command line generator for pronouncable passwords of selectable strength. Quick and dirty.
I have a mix of methods. For sites that I rarely visit or are of no real consequence if the password were compromised I use a memorable one for them all.

For sites that I care about the security I generate a random password with something like this:

    dd if=/dev/urandom bs=1 count=12 | uuencode -
then store that in psafe (http://www.hep.wisc.edu/~dan/psafe/) with a master password that I remember. This way if some site's password does get compromised, it doesn't translate to any other site. I suppose I could also carry around the encrypted psafe file with me on a USB key, but I've found that I don't really need to log into these sorts of sites when I'm out.
Your command never generates lower-case letters. :-)
Shameless plug follows:

Our product Memengo Wallet http://www.memengo.com is a password manager that can be used in three different ways:

  1. Store your passwords on the iPhone app (Windows mobile phone also supported). Encrypted with AES-256.
  2. Store your passwords on the web site (AJAX). Encrypted with AES-256 within 
     the web browser - plaintext never leaves your computer.
  3. The iPhone and the web site can be synchronized. There is a sync button in the iPhone app.
I can answer any questions. We also answer all support questions submitted from the web site (with a return address).

FAQ:

1. Q: The web site makes me uneasy. What if you decide to change your program to fish out the encryption key form the client? A: The web site does not add to the problem - any password mamanger app on the iPhone can phone home without your knowledge.

I use 1Password from Agile Web Solutions. It's great -- it imported all of my passwords from Firefox and I just save new ones that way. It also does work on the iPhone as a password filler if you use the bookmark. If you use Dropbox you can keep your password keychain in there and update it among all of your macs. It would be ideal if Windows and Opera were supported but maybe some day. For now I just go between Safari and Firefox.