Poll: How do you manage your passwords?
I used to memorize a few passwords; mentally graded as "very secure" (for things like my Google Apps and my laptop's disk encryption password), "somewhat secure" (for services like DropBox or HipChat) and then "probably insecure" (for services like Facebook or Skype). Recently I decided that the approach is simply too insecure and started using 1Password to create and manage strong, unique, passwords for every service that I used.
I'm really interested to find out what HN tends to do.
60 comments
[ 3.9 ms ] story [ 151 ms ] threadI started using it earlier today actually (moving from KeePassX and have been meaning to for a while) and so far I really like it. As an Emacs user the Emacs integration plugin is also pretty amazing and it has import functionality for most known password managers.
Their cross-platform support is great as well. The only thing that's missing is a solid way to retrieve passwords on Android. The LastPass "keyboard" is abysmal, and switching between their app and the one you want to enter the username/password in can be painful. I'm not sure if there's an easy way to solve this problem, though, given the sandboxed nature of mobile apps.
It's actually better than integration with a computer.
Inside the .xpi are various human-readable files, including .js, .xml, and .config files (https://developer.mozilla.org/en-US/docs/Bundles).
So you can literally examine the source of any Firefox extension. And not just source you hope is the same as the delivered extension^2, but literally the running code.
So no, it's not free software. But it is accessible for you to read^3.
[1] I _know_ this is true for Firefox. I think it is for Chrome, but I'm not sure. I have no idea for any other browser.
[2] How do you know the code for e.g. Firefox that you clone from https://hg.mozilla.org/mozilla-central/ is the same code used to build the browser downloaded at mozilla.org ? You don't, unless you go to the lengths of building it yourself and doing a bitwise comparison of the executables, but that is going to be error-prone. But you can pull the Lastpass extension out of your profile and see the exact code being run.
[3] Unless they download code from somewhere and eval() it.
[1] see https://www.schneier.com/blog/archives/2005/06/write_down_yo...
I keep a grid of random base64 characters on a laminated card in my wallet. I use a secret algorithm to derive a site's password from that grid. This gets me a unique password for each site, but I don't have to remember it. The code for generating the table is in this gist:
(You might want to tweak the font - 1 and l are very hard to distinguish in Courier.)I have a few "roots" passwords which depends on the necessary level of security and the importance of the service. Them I know by heart. Then for each service I add a few characters (letters, numbers, punctuation signs) which depends on the service and feel natural as prefix and/or suffix (sometimes it's a bit more complex if it can be fun).
For instance lets say a root is "icanh4zcheeZbugr", then maybe my reddit password will be "reddicanh4zcheeZbugr,t".
It works pretty well in practice. More than one time I was sure to have forgotten a password and was actually able to rediscover it quickly.
8 characters is well below the threshold of brute-force attacks these days, and once I've got one, and I see it has the site name in it, I'm gonna catch on to the game and there goes your other sites' passwords.
[1] http://www.zx2c4.com/projects/password-store/
Sharing between full keyboard/desktop systems isn't so tough, but transferring 30 character passwords to mobile devices very nearly exactly sucks.
Answering a now-deleted comment: "Using a tool would defeat the purpose of a password for me (a key hidden where we still can't read - the brain)."
The purpose of authentication isn't to provide absolute proof against compromise. It's to provide an asymmetrically difficult means for you vs. someone else to access systems. There are hacks against memorized passwords just as there are against encrypted safes of passwords. The question is: which makes you most secure?
Do you use any of these at more than one site?
Then for every website, I (for example) use the first letter of the domain name and the last letter, add it to the beginning of my password. Then I take the last letter of the domain name and add it to the end of my password.
This way I only have to remember my tiny algorithm + my base password.
It's 2014. Password managers are great.
https://itunes.apple.com/app/id359807331