What is a good practical (and sane) way to manage all your passwords for online sites?

Question

I am just a mere mortal that wants to have a somewhat secure way of managing all my passwords.

This is something that I have been putting off, but since LinkedIn decided to give away one of my passwords away, I figured it was about time I addressed this issue.

I say somewhat secure, because - clearly - the most secure way would be for me to remember every single unique 200 character password I created for every site.

I know there are various sites that allow you to create hashes per url that you mix with a particular word you select, so I think that is what I am leaning towards.

I could also write it down, but then if I don't carry my passwords with me I am in big trouble and I am clumsy like that.

What is a good practical way to manage passwords for different sites (short of writing them down)? Any Chrome plugin hash generator I should be looking into? Online service?

Answer 1

What I do is the following:

• I write the passwords down.

Many people will cringe and scream and curse me and say that this is wrong and should never be done, but this is too simplistic an assertion. Details matter. Here are the details:

• I keep the passwords in a text file.

• When I get out of my home and must access my passwords, I bring with me a netbook. That computer has a few specific characteristics:

  1. It runs Ubuntu (a Linux distribution).
  2. No swap space is configured. What is "in RAM" is really "in physical RAM" and never makes it to permanent storage.
  3. The /tmp directory is a tmpfs, i.e. the files in that directory are only in RAM (and that's physical RAM, see above).
  4. I always shut the machine down; I never put it in "sleep mode".

  Under these conditions, I have a reasonable guarantee that if I write a file in /tmp, read it, then shut down the computer, then the file contents will not be accessible to any evildoer who would steal the machine.

• My file full of passwords is symmetrically encrypted with GnuPG, with a big, fat, strong passphrase (that passphrase, I keep in my brain).

• When I must use a password, I decrypt the file in the /tmp directory and I erase it immediately after; and when I no longer need to use the computer, I shut it down, as is my custom.

Under these conditions, my passwords are reasonably safe. This is not perfect: if my computer is hacked in silently and the attacker can observe everything I do for a long time, he will get my passwords -- but he would get them anyway under these conditions, if only by plugging some evil code in the Web browser itself (regardless of how you manage your passwords, the Web browser code gets them at some point, since it must send them to the servers who ask for them). I claim that my method is much safer than the common alternative, which is reusing passwords on several sites. Do not reuse passwords !

(In practice, I very rarely have to access my file of passwords, because I remember the passwords I often type -- and those I do not often type, well, I type them rarely, by definition.)

Answer 2

Use a password manager like KeePass.

Have it auto-generate a different password for every account you own. This ensures that your passwords are far more complex and far more different than a human brain could possibley handle. It also has the advantage that you don't even know you passwords yourself, protecting you from many social engineering attacks.

But what if you have multiple devices? Any sane password manager will require a master password for your whole password database and strongly encrypt it with a key derived from it. That means your password file is save to publish as long as your master-password is strong enough. That means you could even use the cloud servers owned by someone else (like dropbox.com) to synchronize your password file between your devices.

Lastpass combines password management with online synchronization, but due to some security issues they had in the past I am a bit reluctant to recommend them (even though none of them was very likely to have leaked cleartext passwords of users).

Answer 3

If your looking for an offline solution then you could use Steve Gibson's Off The Grid. It a paper based encryption which allows you to hash a domain name into a password. This gives you a lot of security as it doesn't require trusting any third party source. I know you mentioned you may forget it, but it's easy to store in a wallet.

The basics of it is you take a 26x26 table of characters. This table follows rules similar to Sudoku (only one of each character in each row and column). This starts it off with a lot of entropy (1400 bits minimum). The basics of how to use it are fairly easy (I won't bother re-typing it all out again). The biggest risk for it is if someone physically steals your grid. Even then there are few steps you can take slow (should be easily long enough to realize someone has stolen it). These methods include,

1. Choosing a different starting location
2. Salting (You can do this by pre-pending/appending something when performing the encryption)
3. When performing the encryption (read the appropriate page) instead of choosing the next two characters. Instead choose perhaps the next three characters, one across one up, two down one left, etc.

Answer 4

I like to use VeriSign's Personal Identity Portal. It works automatically with a lot of major websites and you can add your own custom sites as well. It also has some support for OpenID. The best feature is the 1-Click Sign In which gives you a JavaScript snippet that will automatically log you in to the current page.

Answer 5

I think the best way to manage a large number of passwords is by storing an encrypted list behind a password you have committed to memory.

@Tom Leek seems to be doing this the hard way, the easy way would be to use one of the programs mentioned by @Matt. The easy way may be somewhat less secure, but I expect the easy way is secure enough for most users. Depending on which program you choose, you may be able to use the same list file on different platforms, including mobile devices.

How you manage passwords is really a separate question from how you generate passwords, but if you're willing to rely on a list you can have a unique random password for each site. There would be no need to follow a non-random password generation scheme, no need reuse any password ever, and no problem changing any password at any time. (But, for generating passwords, I recommend against using any password generated by any website. If you want it done programmatically, run something local.)

If the encryption of the list itself is secure, and the password to decrypt the list is secure, there's no need to worry about unauthorized access to the encrypted list (e.g. by storing it on Dropbox, losing your phone, or having your computer stolen). The drawback is that if the password to your list is compromised, every password on the list is also compromised, along with any other information stored in the file. This is really bad if it happens, but, considering that the list password never needs to be stored anywhere and never needs to be used outside of a local app, and that other options have a hard time handling the tens to hundreds of accounts many people have, using an encrypted list is at least worth considering.

Answer 6

I use a password manager, which replicates my data through Dropbox, and which integrates with most browsers and apps I use. Apart from a few long master passwords, such as the one for my email account, computer, and the password manager, I simply don't know my passwords. They are all very long random "garbage", unique for each site, and if they would ever get lost, for whatever reason, I would use the recovery function of the site to set a new one.

Once upon a time, I used different schemes to come up with "clever" password patterns, that I could easily deduce each time. From the URL, or some other site-specific key information, but it ended up being simply too much to remember. When I needed the same password in different contexts (such as when multiple related sites share a single user db), or I needed to replace it, the pattern became riddled with exceptions. I found it simply not worth the effort, to be clever.

Answer 7

This is what I do:

Remember only one long master pass phrase.

Generate randomly generated passwords for all sites you register to.

And encrypt them all with that master pass phrase on whatever software you want that supports encryption. Ensure it's a software with strong encryption like OneNote with AES-256 in CBC mode (http://www.cjmorgan.org/tech-blog/2015/1/8/default-encryption-settings-and-behaviors-for-onenote-2013-office-365).

Copy/paste the randomly generated password into the site/app you need to login when needed.

This way:

• One service being compromised doesn't expose your other services (yahoo, adobe, snapchat, have all been compromised in the past)
• Zero correlation between passwords between services, as we tend to memorize one "template" password, and do multiple variations of it for the sites.

In 2016, we need to keep passwords for more than 30, 40+ sites. The exposure is too high, there's almost a 100% chance that one of the sites you ever registered to was compromised, and someone else has your password somewhere in the world (https://haveibeenpwned.com/).

The only person that should know about your master phrase is the person managing your will.