Elizabeth Bevilacqua ([info]princessleia2) wrote,
@ 2008-03-03 10:26:00
Password Management?

Between work, play, and community involvement, I’ve now officially passed the threshold of reasonable password management. I’m constantly checking my brain, irclogs, stashed emails and scraps of paper to find various passwords. It’s a mess, and in a lot of cases causes me to drag my feet on tasks because I have to search for the password.

My first thought to get this under control is a simple gpg wallet, since I want command line accessibility (no GUI!), simple backups to a flash drive, encryption and password protection.

Any other suggestions? What do you use?





[info]the_karen_show
2008-03-03 03:44 pm UTC (link)
i am SO not trying to be trite here, but i use the same alphanumeric string for all my passwords. it helps a lot.

(Reply to this)(Thread)


[info]feng_huang
2008-03-03 04:22 pm UTC (link)
Just pointing out that as a sysadmin, you have access to systems where you do not set the password, and/or it's shared with other people. Or there are passwords that are shared with you, your boss, and customer A, and a different server has a password for you, your boss, and customer B, and the passwords must be different.

(Reply to this)(Parent)


[info]secretsoflife
2008-03-04 03:49 am UTC (link)
yaknow, that's a great idea until one of the sites you use gets hacked and they try the same user/pass elsewhere :)

(Reply to this)(Parent)


[info]princessleia2
2008-03-04 12:54 pm UTC (link)
Truth be told, I only have about a dozen personal passwords that I use all over the internet, and I can generally keep those straight - and if I don't I just do the password reset/change thing when I go to sites I don't frequently visit.

The trouble comes in with work (as [info]feng_huang mentions) and with community things like mailing lists where there is a shared password - in fact what prompted this journal entry was such a shared password, which I had to dig through my email for.

(Reply to this)(Parent)

Slightly better
[info]texasdex
2008-03-04 01:24 pm UTC (link)
I have a slightly better solution worked out.

I use three passwords:
*One password with no special characters for all insecure things (LJ, AIM, , and any one of fourteen different forums I'm signed up for)
*One strong password that I use for things like online stores and banking. I refuse to use this password on sites that don't have SSL.
*One strong password to use as my login for all of the various computer systems I have shell accounts on, e.g. my server, and the school's system. This is also considered relatively secure.

I change the important ones two or three times a year. The first one hasn't been changed in roughly three years, because it's in so many places (probably like 20 or 30) but I plan to change it soon.

Unfortunately this means that I have to remember like 6 to 8 different passwords, but knowing the type of site means that I hopefully only have to try the current password and the previous password of that type. I know it's not ideal, but it's reasonably secure for the important things.

I've toyed around with the idea of doing something like appending the first letter of the URL to the end of the password. If the password is sufficiently random nobody would realize that the last letter is related to the website. Of course now that I've told you I'll have to kill you to keep my password practices secure. Shame. *Stabs*

(Reply to this)(Parent)


[info]feng_huang
2008-03-03 04:18 pm UTC (link)
At work, we pretty much all use KeePass. It looks like there is a Linux port, but I've never used it. (We have Windows desktops forced on us as the company standard, presumably because it's enterprisey.) The Windows version works well; there are all kinds of options about how long before it clears the clipboard, and when to lock the database and require its password again, and that sort of thing.

I just did a quick apt-cache search (Ubuntu), and found KeePassX, which is apparently a cross-platform fork.

One nifty thing about KeePass that looks like it has been retained in KeePassX is a password generator.

(Reply to this)


[info]time3
2008-03-03 04:22 pm UTC (link)
I have always used GNUPG for this. It's very simple and you can simply encrypt a text file and then decrypt it with a password when you want to look up some information. I put the following (example) into my ~/.zshrc

alias pas='gpg --decrypt ~/passwords.gpg'

To create the passwords.gpg file, simply do the following replacing your key with my own:

gpg -r "Michael D. Bevilacqua <michael@bevilacqua.us>" -o passwords.gpg -e passwords.txt

You can then always pipe the output of --decrypt to a text file and update the file with new passwords.

(Reply to this)
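The workflow in the comment above (decrypt, add a password, re-encrypt), written as shell functions that keep the plaintext in a short-lived temporary directory rather than a text file left on disk. This is an added example, not part of the original comment; `PASSFILE`, `GPG_RECIPIENT`, the function names and the tab-separated line format are assumptions.

```shell
#!/bin/sh
# Added example: append to and read from a gpg-encrypted password file
# without writing a plaintext copy to persistent disk.
# PASSFILE and GPG_RECIPIENT are assumed names, not from the thread.
PASSFILE="${PASSFILE:-$HOME/passwords.gpg}"
GPG_RECIPIENT="${GPG_RECIPIENT:-you@example.org}"   # placeholder recipient

# Prefer a RAM-backed directory for the short-lived plaintext.
pass_tmpdir() {
    for d in "${XDG_RUNTIME_DIR:-}" /dev/shm "${TMPDIR:-/tmp}"; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# pass_add LABEL: read the secret from stdin (keeps it out of argv and
# shell history), append "LABEL<TAB>secret", and re-encrypt.
# The body is a subshell so the EXIT trap cleans up on every path.
pass_add() (
    [ -n "$1" ] || exit 2
    umask 077
    work=$(mktemp -d "$(pass_tmpdir)/pass.XXXXXX") || exit 1
    trap 'rm -rf "$work"' EXIT
    IFS= read -r secret || exit 1
    if [ -f "$PASSFILE" ]; then
        gpg --quiet --decrypt "$PASSFILE" > "$work/plain" || exit 1
    fi
    printf '%s\t%s\n' "$1" "$secret" >> "$work/plain"
    # Encrypt to a side file, then rename: a failed run keeps the old store.
    gpg --quiet --yes -r "$GPG_RECIPIENT" -o "$PASSFILE.new" \
        -e "$work/plain" || exit 1
    mv "$PASSFILE.new" "$PASSFILE"
)

# pass_get LABEL: decrypt to a pipe only and print the matching secret.
pass_get() {
    gpg --quiet --decrypt "$PASSFILE" |
        awk -F '\t' -v k="$1" '$1 == k { print $2 }'
}
```

Typical use is `pass_add mailinglist` followed by typing the password on stdin, then `pass_get mailinglist` to look it up.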


[info]ehowton
2008-03-03 05:31 pm UTC (link)
I'm right there with you, but for reasons of Single (sometimes 'Simple') Sign On. For the uninitiated, it's a "global" password which is tied into all corporate apps so that you can access everything you need to online by logging in only once. Sounds fantastic, doesn't it?

It's not, and I've threatened an entire entry on it alone.

Suffice it to say, as a contractor working at a client site, both with SSO's - they each support a differing set of rules, the aging is not sync'd, they don't always mesh with our Solaris server rules, and both corporations encapsulate to third-party online apps which not only require discrete passwords but fall to the same problem of rules and aging!

It's a mess.

I'm going to have to pull on some tights and rid the world of evil so I can go back to a simpler time.

**WARNING*** PASSWORD HAD BEEN USED WITHIN THE PAST 7 YEARS; PLEASE CHOOSE ANOTHER

Edited at 2008-03-03 05:31 pm UTC

(Reply to this)


[info]darkrow
2008-03-03 08:47 pm UTC (link)
Well, it's a Mac app, but 1Password is the best password manager I've ever used. That said, I did try KeePass, and it was nice, just didn't have good browser integration.

(Reply to this)


[info]darkspur
2008-03-04 05:02 am UTC (link)
I use the vim gnupg plugin. Google for "gnupg.vim" - I don't remember the source, but someone in irc recommended it years ago. Basically it allows you to edit a gpg-encrypted file from vim and does it in a secure manner. I like it a lot, and it works on both my linux box and my macbook. So all you need to remember is your gnupg pass :)

I also use the palmos program called "strip" sometimes.

(Reply to this)(Thread)


[info]time3
2008-03-04 01:26 pm UTC (link)
I use the vim gnupg plugin

I just recently found out about this and it makes my life all that much better. That is one great plugin.

(Reply to this)(Parent)


[info]kattphud
2008-03-04 05:52 am UTC (link)
I don't like the idea of an application like Apple's Keychain keeping track of my passwords. For one thing, it certainly wouldn't help me remember my passwords because I would never type them in more than once, which would leave me in a world of hurt if I needed to access one account or another when away from home. However, my main paranoia is the possibility that that very app could be compromised, and an attacker could walk away with my entire list of passwords in one trip; like the Wal-Mart of passwords.

Physical security is a good thing. If your passwords are stored on a cheap flash drive (or even just a piece of paper), kept under physical lock-and-key (or a combination lock, if you want yet another to keep track of), no mysterious hax0r from teh intarwebz can get to them.

(Reply to this)


[info]shades3d
2008-03-04 07:09 am UTC (link)
I do not keep my passwords written ANYWHERE, digital or analog. I have a set of common passwords I use on places I don't care about, then on the ones I do care about, I create passwords that have some symbolism towards what I'm creating them for. And since my mind is so random, no one can ever guess them, since they NEVER match a dictionary word or keylogger file.

And hell, I don't even tell my own parents any of my passwords, and I'll never tell a SO any of my passwords either. I'll change them to something simple instead.

(Reply to this)


[info]purpledragon11
2008-03-06 12:24 am UTC (link)
I prefer to keep all my passwords separate from my computer. I bought a small notebook that I write all my passwords down in with the name of the site and the date. That way there is no way they are all in one place and no one can hack into my computer system and find them.

(Reply to this)

