Poll: How do you manage your passwords?

27 points by malanj ↗ HN
I used to memorize a few passwords; mentally graded as "very secure" (for things like my Google Apps and my laptop's disk encryption password), "somewhat secure" (for services like DropBox or HipChat) and then "probably insecure" (for services like Facebook or Skype). Recently I decided that the approach is simply too insecure and started using 1Password to create and manage strong, unique, passwords for every service that I used.

I'm really interested to find out what HN tends to do.

60 comments

[ 3.9 ms ] story [ 151 ms ] thread
I GPG encrypt them and email them to myself using Thunderbird/Enigmail. I don't claim this makes any sense, I started doing it before password managers were popular. I keep meaning to start using `pass`.
Pass looks good! The only thing missing for me is a way to use it on iPhone/Android. I currently use KeePassX and it works pretty well with Dropbox sync.
I've been using LastPass for years. Of course, there's no way to be completely safe using a cloud-based service and closed-source code, but so far they've conducted themselves in a trustworthy manner, and the system they've built has safeguards against remote security failures.

Their cross-platform support is great as well. The only thing that's missing is a solid way to retrieve passwords on Android. The LastPass "keyboard" is abysmal, and switching between their app and the one you want to enter the username/password in can be painful. I'm not sure if there's an easy way to solve this problem, though, given the sandboxed nature of mobile apps.

There is a recent update on android that is fantastic. An overlay will appear on any app requesting a password, including the browser.

It's actually better than integration with a computer.

That overlay only shows up for me after I've switched to the LastPass keyboard and selected the password and filled in the box, too little way too late.
Shows up for me without issue so long as I've already logged in to the LastPass app. Not using the lastpass keyboard either.
I think I saw that once or twice after updating, but it then stopped working for me. I'll have to investigate what's going on.
The latest updates solve this problem (in Android at least) by using the accessibility features. When a login appears (in an app or browser) an overlay appears with matching credentials that you can copy with a single click.
It is great when this new feature works, but unfortunately it doesn't work all the time. Hopefully it will continue to get better.
I find it a bit weird that the OP only mentioned 1password and omitted lastpass which has been cross platform for longer and is free for basic use.
Notably, their code for their Firefox extension^1, while not free software, is available to look at. Firefox extensions are delivered as an XPI file (https://developer.mozilla.org/en-US/docs/XPI), which is simply a renamed .zip . So it can be extracted with gunzip, 7-zip, winzip, etc.

Inside the .xpi are various human-readable files, including .js, .xml, and .config files (https://developer.mozilla.org/en-US/docs/Bundles).

So you can literally examine the source of any Firefox extension. And not just source you hope is the same as the delivered extension^2, but literally the running code.

So no, it's not free software. But it is accessible for you to read^3.

[1] I _know_ this is true for Firefox. I think it is for Chrome, but I'm not sure. I have no idea for any other browser.

[2] How do you know the code for e.g. Firefox that you clone from https://hg.mozilla.org/mozilla-central/ is the same code used to build the browser downloaded at mozilla.org ? You don't, unless you go to the lengths of building it yourself and doing a bitwise comparison of the executables, but that is going to be error-prone. But you can pull the Lastpass extension out of your profile and see the exact code being run.

[3] Unless they download code from somewhere and eval() it.

I just stick to the bookmarklets on the mobile browser
I've been using keepass for several years now, I'm very happy and I can use it on my mobile phone too.
KeePass2 on my computers and my androids, with a very secure passphrase and the database synced between devices via dropbox. It works great!
This is my exact setup. Haven't had any issues with it so far.
I keep everything in keypass and write the ones that I need to bring with me on a piece of paper which I keep on my person[1]. People who are likely to steal your wallet are not likely to be interested in your passwords and people looking to mug you for your passwords are just about as likely to break into your house and steal or mess with your home computer IMO.

[1] see https://www.schneier.com/blog/archives/2005/06/write_down_yo...

For my less secure passwords, I use a tabla recta:

I keep a grid of random base64 characters on a laminated card in my wallet. I use a secret algorithm to derive a site's password from that grid. This gets me a unique password for each site, but I don't have to remember it. The code for generating the table is in this gist:

  https://gist.github.com/dunhamsteve/3259075
(You might want to tweak the font - 1 and l are very hard to distinguish in Courier.)
I have a gpg encrypted file with them in just in case, but mostly I know them from memory, or rather I'm able to find them back.

I have a few "roots" passwords which depends on the necessary level of security and the importance of the service. Them I know by heart. Then for each service I add a few characters (letters, numbers, punctuation signs) which depends on the service and feel natural as prefix and/or suffix (sometimes it's a bit more complex if it can be fun).

For instance lets say a root is "icanh4zcheeZbugr", then maybe my reddit password will be "reddicanh4zcheeZbugr,t".

It works pretty well in practice. More than one time I was sure to have forgotten a password and was actually able to rediscover it quickly.

I have a gpg encrypted file on a server that I manage manually - made slightly easier by the gpg plugin for vim. Not found a password manager with a UI that I get on with yet.
I memorize my email passwords (just 2-3) and put the rest in KeePass with backups online. Worst case scenario I have to request a forgotten password via email.
1Password for OS/X and iOS (iPhone and iPad). Backup passwords for GMail and Dropbox are printed and stored in a safe place in my home, in case two-factor authentication doesn't work (e.g. iPhone stolen).
I do the exact same, but with the added step of adding the backup passwords for Google/Dropbox to the extra text fields you can add in 1Password. (For the very rare case of "I lost my phone/ipad, am not home for the physical backup codes, but still have access to 1Password on my Macbook")
LastPass. Strikes me as just insane to use anything else.
What is insane about using Keepass (or 1Password)?
I have to say - I have been unfailingly impressed by Lastpass. For $12 a year they provide a lot of value add, and seem (at least to someone who knows shamefully little about the nuts and bolts of security) to be fairly transparent about what using their service means for Users.
I've personally been enjoying Dashlane. It has quirks, weird behaviors, and occasional sync issues, but it's been light-years ahead of LastPass for me. Don't know about Keepass.
I use this trick to generate (in my head) a unique password for each site: http://blog.rabidgremlin.com/2009/12/28/tip-creating-easy-to...
8 characters, 4 of which are static between your passwords and 4 of which any reasonably clever person can connect with the service name, in a predictable pattern, appears to be roughly as secure as using the same weak password on any service.

8 characters is well below the threshold of brute-force attacks these days, and once I've got one, and I see it has the site name in it, I'm gonna catch on to the game and there goes your other sites' passwords.

(comment deleted)
Randomly generated passwords, encrypted file. "Open source password manager" is the closest match, though it's not a specific solution.

Sharing between full keyboard/desktop systems isn't so tough, but transferring 30 character passwords to mobile devices very nearly exactly sucks.

Answering a now-deleted comment: "Using a tool would defeat the purpose of a password for me (a key hidden where we still can't read - the brain)."

The purpose of authentication isn't to provide absolute proof against compromise. It's to provide an asymmetrically difficult means for you vs. someone else to access systems. There are hacks against memorized passwords just as there are against encrypted safes of passwords. The question is: which makes you most secure?

What's insecure about having a good password in memory?
How many passwords do you memorize?

Do you use any of these at more than one site?

I have a base password that I use on every website.

Then for every website, I (for example) use the first letter of the domain name and the last letter, add it to the beginning of my password. Then I take the last letter of the domain name and add it to the end of my password.

This way I only have to remember my tiny algorithm + my base password.

I do something very similar to this, base password which is some digits and then some key word that comes to mind based on the website. For example I might use 123456cashmoney for my bank and 123456friends for facebook. Usually I use the first thing that comes to mind when I see the domain as I am very likely to think that same thing a year down the road when I am trying to remember that password! I've had a high success rate with this, rarely reset passwords for websites I dont access but once a year (ie turbotax)
Using words related to the target domain is one of the tactics most beloved by attackers, as that's where they'll be starting their dictionary attack. Hitting a bank? There are a few hundred bank-specific words, let's start with those, plus all the "cute" leetspeak substitutions and with prefixes/suffixes tacked on.
This is almost as bad as just using the same password. Anybody who breaks one is gonna notice that the site's name is in the password and suddenly know all your passwords.

It's 2014. Password managers are great.

True, but there are some algorithms that allow you to combine a domain name with a single password and get a good unique password out. Unfortunately it's hard to compute bcrypt hashes in your head.
And if you're going to be using something to derive keys and store the results, you might as well just pump out a random string and stash it in the password management app of your choosing :)
This was an example. I am not actually concatenating 1st+2nd letter to my password. You can use the 1st letter of domain name in the middle of the base password, you can add the first and the last letter, resulting in a letter which will be added to the beginning etc. And in a 10-12 character password, it's very hard to 'notice' this.
using eWallet and after I got it down works very well for me.
I have previously used LastPass, 1Password, and RoboForms. Nowadays, I used Dashlane -- it's far-and-away the best password manager I've ever used. Both their Android client and Chrome extension have great UX.
KeePass on my PC, KeePassX on my Mac, and iKeePass on my iPhone & iPad, with a shared database on DropBox. I'm pretty happy with that setup, except for iKeePass, which is a little clunky. I'd really like to have a better KeePass client on iOS.