Password Overload
 

I admit it, my ability to remember all my passwords is long gone. I have always resisted recording them all on a portable laptop for security reasons but now I am overwhelmed. Any successful practices or useful tips are appreciated especially by road warriors in the same boat.

I agree totally! Here is my rant..
 

Alas, we live in a world of stupid internet security. Kazillion logins and passwords! I am a scientists and I review scientific articles for over 50 journals. All of them require logins and passwords. Since many journals are now controlled by publishers, often you can't keep the same login and password.
My work place is paranoid; I don't work directly with patients and yet, the level of security is outrageous. Yet, I hear of security breach every other day.
I hate the almost hourly "security updates".
I am convinced that some of the very common websites (not objectionable sites) leave more than cookies. The operating systems and web browsers are so full of holes, unless you stop surfing the web, you can't avoid these intrusions. Yes, there are password vaults, storage programs, etc. I bought one of them but they change so frequently that you need to keep buying their updates.
Computer business is for crooks. I switched to Mac and have less of these problems but it appears to be toothless.

1Password is essentially a keychain for all your passwords and other information (secret questions, etc.), software serial numbers and even secure notes.

everything is encrypted and it can also auto-populate web pages so you don't need to type in long cryptic passwords. you can optionally use dropbox so it can sync multiple computers (mac or windows), iphones and ipads.

Easiest way at home is to use a dedicated address book.

Traveling, scraps of paper, same as recording credit card numbers--except that I use a simple code, in case the papers are lost--i.e., number 1 2 3 becomes number 2 3 4 or some such. I suppose "Password" could be written "Qwttxpse" or whatever.

i keep mine abbr. in a notepad its fairly easy to do if you use a variation of word(s)/combos

ie.
password base is: flyertalk

American: FT1 (flyertalk1)
US: FT11 (flyertalk11)
UA: FT1- (flyertalk1-)
Delta: 11FT1 (11flytertalk1)

I have sites that require other chars and some that do not allow which is quite annoying. I have also used a number base so I could just use the # sign instead of the real number.

Firefox has a (I believe) safe encrypted password "vault" that works pretty well, and they now have a sync system that lets you sync amongst different computers. I use it AND I use 1Password. I don't like the fact that 1Password is not open source. But I use it anyway.

The nice thing is that you can use complicated passwords and you don't need to remember any of them (except the master password)

I've been in the market for something like 1Password. Is that generally considered one of the best of its kind?

I've also been meaning to revamp all my passwords. I'm long overdue. For years I only had a couple of passwords...1 for secure sites like online banking, and another for forums and similar less secure sites. But over time I started making different variations so that I wouldn't have the same password at dozens of sites. Now I'm all over the place and just this afternoon couldn't figure out how to log in to an email address I don't use on a regular basis.

I read a good article about taking a phrase you like or your favorite song lyric and taking the letters/numbers from that. For example...happy birthday to you, happy birthday to you would become hbtyhbty...and from that you could make Hb2u.Hb2u. To further differentiate you could then put a few of the letters of each site in the password...so for Flyertalk you could go with Hb2u.FT.Hb2u. That way you have a different password for every site but you can easily remember each one.

The browser methods are not that great as they don't save everything and anything. They save some things. And the data is only good in that browser. This is a place where an external program with browser plug-ins can do a much better job and it can also save any type of data (credit card numbers, pins, whatever) you want in a very secure manner, and support automated backup and x-platform secure sharing of the data.


1passwd is what mac users use. Though it has both a pc and a mac version if you use both, that's a good choice. The browser integration on the pc is not as good as roboform. (it's not a huge problem, you get a pop-up instead of a pull down from the menu bar.) You only need to pay once per platform for 1passwd. (buy the mac version, and you can install it on all your macs. Buy the pc version and you can install it on all your pcs.) 1passwd supports roboform passwd import, with instructions on how to do it on their web site. 1passwd supports dropbox integration, so if you are using another backup, you can just get the free space for dropbox and just use that for dropbox sync across all your machines.

AI Roboform is what PC users use. It's great. But you need a license for each device you use it on, so it can get a little expensive. You can use any of the online backup methods for x-platform sync with roboform, including, I think, their own free method. (goodsync).

Both of those have app versions for i<devices>, which you may or may not like, at least you can get the passwd on those devices and copy/paste it, but the browser integration in them is basically non-existant or terrible. Both of those also have strong password generators, and they will typically remember the generated passwd for you when you use it, though you have to be careful about that with some web sites.

I've used both, but when I started buying Mac's last year, I has to switch over to 1passwd, since roboform does not have a mac version.

There's also something called lastpass, which is an alternative, but I've never tried it. You should check it out also. I just checked their web site, it is x-platform. If we have a x-platform lastpass user here, hopefully they will post it's good points and bad points in this thread.

-David

Bruce Schneier, the security expert, has a free and open-source program called Password Safe that does this.

http://www.schneier.com/passsafe.html

the browser doesn't save everything perfectly, but the sync works very well to share amongst computers, and 1password doesn't save everything either. Nothing is perfect.

In particular, banks use more sophisticated methods with multiple page logins, security questions and images you need to recognize, and nothing seems to work perfectly with these.

For multi-page logins, I usually have one entry named xxx - login, and a 2nd one xxx - passwd, and that works fine, in both roboform and 1passwd.

security images, questions that change, etc, sure, none of them can really do that today. though you can save your answers in passcards in the external programs if you really need to/want to. ING direct has made their PIN so complicated, and you can't save that either, but I have a passcard (safenote in 1passwd) for it, in case I forget what the 6 - 10 digit PIN is.

But I really don't have an issue with missing items in 1passwd or roboform, because you can always save the stuff manually if it doesn't recognize the page as a login screen, and once saved, it will fill those in. You can't do that with the browser built-in stuff. That's what I meant by the stuff the browser misses, not the image stuff and security questions from financial institutions.

Certainly some of this is personal preference. If something different works well for you, I think that's great. Personally, I use a combination of methods, including firefox sync, but firefox sync won't get me login/passwd/form data into IE or Safari or Chrome.

Does xmarks copy login/passwd data between different browsers? 1passwd/roboform, etc are all multi-browser. They have plugins for most browsers.

-David

The ultimate answer is supergenpass. Use an extension for your favorite browser not the original bookmarklet (or the mobile page from the latter)

https://chrome.google.com/extensions...lknncolofnaead
https://chrome.google.com/extensions...ibbaenpnnodkhk
https://chrome.google.com/extensions...dlbpfgegcibkjo
https://addons.mozilla.org/en-US/firefox/addon/52490/

I use Lastpass (Lastpass.com). Works from most browsers, Is secure and syncs on the web.

I heard about it on the security Now podcast (twit.tv)

I use a password vault program called "Keepass". I'm not necessarily endorsing it, although I'm happy with it.

I have one master password that is roughly 25 characters long, includes letter (upper & lower), numbers and spaces. Its essentially a phrase I'll remember. This password is used to gain access to my keepass database vault. Within the vault, I have all of my usernames and passwords, stored. When I setup a new account, I use keepass to generate a secure, random password, for each site.

The program then allows you to use two keyboard shortcuts to copy the username (CTRL-B) and password (CTRL-C). Or I can drag the user/password into the appropriate boxes on the program or website.

I additionally sync it with Windows Live Mesh, a cloud based storage provider. I chose mesh because I can easily access the files by logging into a website from any computer in the world (remember, I have a 25 char long password on the file, so even if someone hacks my password on mesh, they still have to break my master password - also my mesh password is easy enough to remember).

I now have a way to keep my password file in sync across my work, home and laptop computers, plus can access it on the road or at a friends house, if I don't have my laptop for some reason.

Because the passwords are random, I honestly couldn't tell you what my password was for any site, and if a person gains access to my flyertalk password, they won't be able to get into my bank account, trading accounts, FF...you get the idea.

Sometimes I miss the days of having a single easy to remember password across all sites, but after having my wife's email account hacked a while back, I'm convinced random passwords on all sites is the way to go.

The free or premium version?

it looks like the same program, except the premium stuff is a subscription.

Which one do you need?

You need the premium service in order to import from the other programs, but if you don't have another program now, try the free version, see if you like it.

-David

For things that I use on a regular basis (BlackBerry, Flyertalk, Amazon etc.) I just remember them but for things that I don't, I use my Blackberry. I just look up the contact for that firm/site and work out what the password was in the details there, the things encrypted (and lock after a minute, so there is little chance of someone finding it and using the data. I may be overly cautious in not just storing some passwords directly on the Blackberry and putting them in buried in other data but it works for my piece of mind.

This is the method we have been using for a while now. I don't think we have yet been at it for a full year, rather we are still changing passwords as we run across those without the site letters included.
Although I am still on my husband to change his to something that includes lower case, upper case, numeric and symbols, but that comes from my days working with two dozen different passwords on a daily basis. And that was 20 years ago.

I feel your pain and I think anyone who is online today is in the same situation.

I sometimes need to reset passwords since I cannot remember what password I used for that site. What a pain.

Low tech here - I have an encrypted and pw protected Word doc that holds all my usernames and passwords. I'm satisfied that my password is sufficiently long and complicated that you could watch me type it in and still not get it. The major disadvantages to this approach: 1) Word is somewhat slow to load, 2) I don't have it with me on the rare occasions when I'm not at either my home, work, or mobile computers (though I can always remote into my home pc). Major advantages: 1) it's free, 2) I can include notes, e.g., on some websites I have a login name which is different from my customer account number, or I can show discount levels or contacts.

I've used Keepass for a couple of years, and I am endorsing it. Excellent free program, and very easy to safely transfer your encrypted file to other computers, thumb drives, etc, without risk.

I also use PasswordSafe, thought the screen shots of KeePass looks almost identical.

Do most of these programs that remember and/or create random passwords easily allow you to export/print all of the passwords? In case of a malfunction I like to store a copy of all accounts/passwords in a safe deposit box.

Currently, out of laziness, I use key chain on the mac but I don't find it useful if you use multiple computers.

Thanks.

I use acronyms (including punctuation where allowed) as my passwords. Most are taken from poetry in another language, with a deliberate error added, and I have a "reminder" word which will remind me of what the phrase I used is. Where possible I set it up so that the name of the site itself is a reminder of the password.

I seriously dislike websites that force me to use "security questions" - as far as I am concerned these are merely unsecure passwords! I also hate websites that force specific patterns or character types, or disallow punctuation. Logins that I'm forced to change frequently end up with a normal password appended with the date in mmyy format.

To give a practical example of my password methodology - The Lady Of The Lake. I misspell the acronym as "tlith!" and the reminder word is "Excalibur".

It is actually quite difficult to come up with good passwords with this technique - I require that all my passwords not look memorable and not be pronouncable, and at least 10 - 12 characters long. "tlitl" fails on all counts!

Audrey

> I use Lastpass

+1

Free, unless you want the iPhone edition, then it is $1/month. I have VERY
pleased with this utility.

-doug

I use a second email account and made a folder "passwords" along with others and use it only to store onfo that I my need to access somtime away from home.

Password overload is quite a bit of a hassle these days!!

I personally now use Lastpass, which according to the others on this thread is also popular here.

I am paying for the premium subscription, mainly because of its great integration with the Dolphin browser on Android, however I also use it with Yubikey.

Other alternatives are KeePass (open source and free) and Roboform. There are loads others but these are reckoned to be the best.

1Password is also popular, but I don't like the way you have to pay per device used. At least with Lastpass you pay once a year and it covers all your devices.

Also both Firefox and Chrome have built in password managers, but personally I think the security with something like Lastpass, KeePass, etc is much stronger than the built in options.

1passwd is pay once use anywhere, but they do charge separately for the app and pc versions. If you have 3 macs, you only pay once. If you have a mac and a pc, you have to buy the mac version and the pc version. But you don't have to pay more than once for each version, which is better than roboform.

roboform's license is per device. You need a separate license for each pc.

lastpass does seem to have the friendliest licensing terms. But the paid services are a subscription plan which is ongoing. It's cheap at $1 per month billed annually, but you have to keep paying if you want those services.

-David

Signup Shield
 

I use SignupShield on a Sandisk Cruzer. Since I provide PC support to my bride, she also uses the program on a separate Sandisk Cruzer. The program also fills out forms which is extremely helpful to my favorite contest enterer.

I regularly dump the passwords to a PDF that I print using CutePDF and store the output on a separate thumbdrive that never leaves the house. This gives me a backup in case 1) I lose my Cruzer or 2) the Cruzer fails.

SignupShiled includes a facility to generate a pw so I can increase the complexity of my PWs.

I'm three years into this exercise and so far I'm pleased.

HTH

I don't think so. Firefox and Chrome are open source and are in theory open to being vetted. Security vulnerabilities once found are rapidly addressed by the community. Can't know what is going on under the hood of these other systems, and for sure, any vulnerabilities aren't being checked out and announced to the world.

We are much, much safer with open source password "vaults".

I must say, after taking a look at Lastpass, I'm impressed. I'm seriously considering give it a try. I really like the auto fill in feature on the web browser. Something Keepass currently can't do.

I second (and maybe even third) your pain. A couple of years ago, I came across and app called "Ewallet" by Ilium Software (http://www.iliumsoft.com/). The things I like about it are:
1) there are BB and IPhone apps and they will sync
2) you can sync to multiple devices (such as laptops, etc)
3) does much more than just password (such as bank info, credit cards, etc)
4) Is password protected and encrypted
5) can be used to generate passwords as well as store them

I am NOT endorsing this product, just saying that it has worked well for me. YMMV

I also use eWallet. I keep my (password protected) password file in a private space online, so I can access the password file from home or work and it always stays in sync. There's also an Android viewer that can be synced via USB.

Keepass.info - I STRONGLY endorse Keepass (classic edition), open source, free, and multi-platform.

I have it on my Android phones as well as my computers. Best of all, Keepass is portable, so you don't have to install it. It can be backed up on a USB thumb drive.

Why would anyone use ANYTHING else other than Keepass (unless you're on a mac)??

Keepass is #1, the one I recommend and use. No need to look elsewhere. I even donated to Keepass (along with Truecrypt) because that's how useful the utility is to me.

Agree, Keepass is fully open source.

I don't like browser based passwords. Those can be potentially exploited by browser vulnerabilities, or just someone sitting in front of the PC and using the browser.

I use Keepass because it's authenticate once, use it for everything (even non password stuff like credit card info). I have it set to auto-lock after a certain time, or if the PC screen saver comes on.

I strongly dislike this product. It's not open source, pay infinitely for premium version ($1 per month - yuck), and ad supported.

I don't want my mobile security apps to have network communication access - who knows if the app isn't leaking my private info to a server on the internet for hackers?

I much prefer Keepass and Keepass Droid (on Android) that are completely free, open source, and all your data is in your control.

That's fine for casual sites, but for banking, credit card, and other websites I prefer a truly random, strong password and that's why I use keepass.

To not use something like keepass these days is irresponsible, if you're dealing with very sensitive information online.

I can recommend 1Password for OSX. It's a clean, easy to use, well integrated app that works seamlessly with Safari. The Dropbox syncing is great for set up and forget about it transferring of data to/from all devices (iPhone, iPad, Mac, PC).

I use the premium version, for $12per year. It gives me access to a lastpass client for my Blackberry.

Otherwise, the free version works fine. (I also pay to support the developers, they do a great job )

Jerry

lastpass is having some problems apparently?

http://blog.lastpass.com/2011/05/las...ification.html

(security issues; master passwd change recommended; server overload; aftermath?)

http://bits.blogs.nytimes.com/2011/0...er=rss&emc=rss