Fog Creek Software
Discussion Board




Passwords

Hi

Because of my job, I have several passwords to maintain. I am wondering what's the best way to store these securely

There you go
Monday, October 06, 2003

There are wallets.

There's a free software for palm pilot that lets you write down all your passwords and secure it with a master password (or group them and secure them with several master passwords).

When I do a site:sourceforge.net password palm
on google I get this:

gnukeyring.sourceforge.net/

They work for your credit cards as well.

Are they secure? As long as the NSA can't swap your pilot for a trojaned one it should work. I think it hashes your master password and make a 3DES (or some less processing intensive cipher) key out of it.

Li-fan Chen
Monday, October 06, 2003


It's just me or the slashdot factor is getting dangerously high?

Leonardo Herrera
Monday, October 06, 2003

Yeah it is. Instant gratification powers the net man.

Li-fan Chen
Monday, October 06, 2003

http://www.treepad.com/treepadsafe/

A two-paned organizer that's encrypted and password protected.

http://www.tranglos.com/free/index.html

Keynote was recommended as a freeware program that has many of the same features as treepad.


I store my passwords in Treepad Secure. This doesn't travel well unless you e-mail, ftp, or physically carry the file with you everywhere, and are willing to install TP Secure anywhere you might need it.

Alternatively, depending on the level of security v. accessibility you need, a web-based and secured area may work. Something updatable via the web gui so you can access/update it from anywhere. Something as simple as a blog or wiki with .htaccess level security, and SSL if you need it would work.

Pieces of paper stuck in your wallet. Maybe with a simple pig-latin-esque encoding. I.e. learn to read and write Rot13.

All of these are susceptible to being cracked, for example all of them require you to do something which a shoulder surfer may notice. If you have to store your passwords somewhere, you're always susceptible to being "hacked."

Mark T A W .com
Monday, October 06, 2003

Oh yeah, and there are programs dedicated to this sort of thing as Li-fan pointed out. I hadn't thought of a palm version, but that sounds like a good idea.

Mark T A W .com
Monday, October 06, 2003

Password Safe is great.

http://passwordsafe.sourceforge.net

Originally from Bruce Schneider who runs the CRYPTOGRAM newsletter and http://www.counterpane.com

It works well for me.

Philippe Back
Monday, October 06, 2003

The safest place for passwords is inside your own head.

As you can't remember a soup of letters and numbers you have to have some mnemonic structure and generation rules which are both simple and easy to apply on an ad hoc basis.

So, although I'm not going to disclose my actual method, it depends on the service/site the password and account is being used for and the generation method relies on information from the site combined with another static component to generate the password.

So, apart from any cookie or local caching of passwords, if I come across a site or service I haven't used for a while a few moments will allow me to regenerate the password in my head.  Occasionally it fails because there are too many possible results, but that's very rare, and in those cases the 'you lost your password' tends to sort it out.

Simon Lucy
Monday, October 06, 2003

Simon, some sort of scrambling of the letters in the name of the service strikes me as being somewhat insecure. And what do you do about passwords that change every 30 days?

Sure you can just type the name of the site, plus any AlPhaNuM8RiC38 requirements, but wouldn't someone, upon learning any one of your passwords be able to crack ALL of them?

Mark T A W .com
Monday, October 06, 2003

Okay, how about a solution where memory isn't a sufficient answer?

Do you store the admin passwords of your company's machines? Something to protect against wild bus attacks?

If so, how do you store them?

Philo

Philo
Monday, October 06, 2003

Not ideal but, I admit I store my passwords in a unprotected file on my network "home" folder. It's secure as our network and no-one except the network admin can get into it.

So if I get hit by a bus a few hours of browsing my home directory should get them the passwords that are required to keep the business rolling.

DJ
Monday, October 06, 2003

So it seems there are as many ways to store passwords as there are people who store them.

1. Are there any best practices?

2. How do you store yours?

Mark T A W .com
Monday, October 06, 2003

Excel spreadsheet.  Has the url of the site asking, the username, and the password.  Or the server name, or whatever else will ask for the password.

Encrypted with Entrust.  http://www.entrust.org/  Its recoverable after a bus, because the central server can still decrypt your stuff in an emergency.  Also can recover if you forgot your one password.

Andrew Hurst
Monday, October 06, 2003

I've got literally hundreds of 'em -- passwords that is.

I store them on one of those little USB keychain devices in a text file. I carry my keychain virtually everywhere I go, so my passwords go with me virtually everywhere I go. The textfile is PGP encrypted. I also store the PGP setup files on my keychain in case I'm in the rare pickle where I don't have access to a machine that has PGP.

FYI -- I have had one of the keychain devices go bad in the past, so backing up my password file is part of my regular weekly backup routine.

Sgt. Sausage
Monday, October 06, 2003

Well I haven't said what it is that I use, only that the site itself suggests a mnemonic and that's combined with another string that I'll always know.  But the mnemonic is meaningful only to me.

As for passwords which have to be stored because its an admin password of a system and such, they get put in a safe.  Well mine don't as my server is effectively just mine.

Simon Lucy
Monday, October 06, 2003

I use SplashID for PalmOS: http://www.splashdata.com/splashid/

It provides a set of pre-defined categories for holding passwords, bank account info, credit card data, etc. Categories can also be added and edited. It comes with a Windows desktop component that provides the same functionality and synchronizes with the Palm program.

I've too many passwords to remember (work requires about 10) so this is very useful to me.

David Fischer
Monday, October 06, 2003

Why not use the the little scrambler some internet banks provides us with? It's protected by a four digit pin code. By entering eight digits you get six digits back. Example: Store all the eight digit passwords necessary on an open text file. Use the unique scrambler to calculate the real six digit password. The scrambler can be thought of as a table with 100m entrys containing six digits each.

Christer Nilsson
Monday, October 06, 2003

Oops, there is a backup problem here. Forget my last writing. I have to blame the late hour...

Christer Nilsson
Monday, October 06, 2003

> Do you store the admin passwords of your company's machines? Something to protect against wild bus attacks?

I tell my boss and my 2inC what the admin passwords are.

Christopher Wells
Monday, October 06, 2003

Sgt. Sausage,
  I used to try that (the USB key drive trick) but I keep destroying them (put them on the keychain, but the keys, tools, and leatherman tool are hard on a plastic and PCB device.) 

Anyone know of an armored (metal encased) USB key drive that might survive the real world to store passwords in?

Unfocused Focused
Monday, October 06, 2003

Hmmmm. What about your cell phone? Is that viable?

Mark T A W .com
Tuesday, October 07, 2003

I use Password Agent from http://www.moonsoftware.com/pwagent.asp

John Topley (www.johntopley.com)
Tuesday, October 07, 2003

i often can't tell you off the top of my head what my most used passwords are. i don't pick out words, I just think of keyboard patterns and know the pw by "feel." this has bit me a few times, like when i try to check email on my friend's fancy cell phone device.

rz
Tuesday, October 07, 2003

Unfocused Focused, I don't know of any metal USB keys, but Think Geek have a USB watch.

RB
Tuesday, October 07, 2003

I store my passwords on a PostIt note on my monitor, except for the production machines.

The production machines have mind-numbingly obvious passwords, so I don't need any help remembering them.

Someday, our SSO server will actually implement single sign on. Oh, what a happy day that will be.

Gustavo W.
Tuesday, October 07, 2003

I store my passwords on a PGP virtual disk. In it are folders for "Work", "Personal" and "Family" and in those folders are text files containing passwords and notes.

The PGPdisk is 10MB so it fits on a USB drive. I keep a copy in my home directory on the network, so it gets backed up at night.

Because PGP is cross-platform I can mount the disk on my Mac or Windows notebooks. The disk unmounts automatically after 10 minutes of inactivity or when I put the notebook to sleep, making it even safer. The password is verrry long. It was tough to memorize, but it's easier to memorize one password than dozens.

Nate Silva
Tuesday, October 07, 2003

In answer to Nate ^^

What you describe somewhat defeats the purpopse of the underlying Keychain layer which is built into Apple's Mac OS (since (OS 9). The next version of OS X will be using the feature that you mention, but you could do it now - using DiskCopy to create an encrypted R/W disk image.

Strage

Sasha
Wednesday, October 08, 2003

(last line should have read:) Strange, but true. Damned garbled HTTP packets. :)

Sasha
Wednesday, October 08, 2003

For a client site, I usually create a password that is easy for me to regenerate, but virtually impossible for someone else to guess. 

I begin by generating a few pieces of trivia that I may personally ASSOCIATE with the job - things that I can easily recall or regenerate - but which have nothing directly to do with the current project or client.  Then I combine two or three such pieces of information, and mangle the result in some fashion. 

I'm not going to mention the specific relationships that I often choose, but here are a few equivalent examples:

- If the client's secretary's voice reminds me of grandma, I might choose the telephone exchange she used to have.

- If the client's name is Jones, I might use the name of the wife some another person who also happens to be named Jones (but who has no connection whatsoever).

- If his assistant's mustache reminds me of a guy I used to know, named Jake, they I might use "Jake".  Or, better yet, Jake's daughter's name.

- If the client was referred to me by an old friend named Pete, then I might pick the name of the street that Pete lives on (or used to live on!) - or the first name of a boss Joe once had at a place we both worked - or a word from the punch line of a joke Joe cracked me up with.

- If I first met a client at some an event sponsored by an organization, then it might be the date name of the previous president of that group.

- If the contract arrived after I returned from Disneyland, maybe I could pick "Mickey" - but the name of our hotel would be better.

Yeah, these are silly examples.  Just use some UNRELATED thing that you mentally ASSOCIATE with the client, job, whatever.  If it's a step or two removed, so much the better.  The FIRST few things you think of are probably the best, for free association; if they are too close to the job (i.e. crackable), then apply some relationship (like dog's name, facial feature, wife, street, etc.).

The key is to use ASSOCIATION.  You own associative relationships, which nobody else has or can guess.
(The more personal the better.  The more humorous the better, too.)

IN SUMMARY:

1.  Pick two or three items that YOU associate with the job,
but which have nothing whatsoever to do with it, directly.

2.  Combine them.  (It's good if they include both letters and numbers.)

3.  Then mangle the combination by some scheme.
(Of course, I'm being vague here, too, but you can make up your own transpositions, shifts, rotations, substitutions, or whatever.)

Bruce A. Martin
Tuesday, October 14, 2003

*  Recent Topics

*  Fog Creek Home