Strategies to share passwords for multiple users such as husband wife?


My wife and I use the same accounts on many web pages, such as music, video, and utilities. We're looking to improve our system to have us both able to login to the same accounts. Our goals:

  1. Ubiquitous access to determining and adding passwords.
    • We use many computers, and need access from multiple locations.
  2. No software management tool or service. (e.g. RoboForm).
    • We aren't looking to put all our eggs into one basket vulnerable to hacking.
    • We want access without installing software if we're a guest on another computer.
  3. Fairly easy to use without memorizing a lot of secrets.
    • We can handle memorizing a few numbers, or a list of 10 words or so.

Examples we're looking to beat:

  1. Plain text file hosted on a web server.
    • Obviously too much of a security risk.
  2. Plain text file hosted behind a login based collaboration site, e.g. a private wiki.
    • Getting better, private wiki makes it easy for either to update it. But still too vulnerable as all passwords are plain text.
  3. Obfuscated text file hosted on collaboration site.
    • Ok, now we're talking, but how to obfuscate it?
      1. Memorize a 3 character password prefix, only write down the unique bits after that.
        - If someone knows one password and they find the list, the rest are obvious.
      2. Your better idea here.

Vincent Scheib

Posted 2012-11-11T03:34:52.087


Question was closed 2012-11-11T16:28:34.830

Lastpass is the way to go – surfasb – 2012-11-11T03:39:49.130

I use google docs to store password hints, I'll write the first few characters of my password. I don't really value my security for many online message boards, or subscriptions to media websites like netflix – cloneman – 2012-11-11T03:43:33.723

"No software management tool or service." That makes this pretty much unanswerable, at least not in an on-topic kind of way. – Ƭᴇcʜιᴇ007 – 2012-11-11T03:49:53.657

Don't trust a password system you design yourself is an appropriate thought here. A software tool can easily make things available when on a guest computer (e.g. 1password Anywhere or LastPass). – Alan Shutko – 2012-11-11T03:51:50.303

Answers


Select an account name that you will always use. Both of you agree on it.

The password is built like this:

Pick a "root" password for the first 8 characters. Three characters are lower case letters. Two characters are upper case letters. The remaining characters are numbers and symbols on the keyboard.

These 8 characters are always used in the password. Next, you decide where you are going to put three additional characters. Either at the beginning or the end of the eight you originally came up with. Once you know if they are going to be a prefix, or a postfix, you have to decide what they are.

This is based on the website or service you are connecting to. If you were connecting to AT&T's website, you would add att or ATT to your original 8 character password.

This way the two of you know the root password. You know what three characters are going to be added that are specific to what you are password protecting. You know where they are going to go. And every password you use is different, but easy to remember.

You also never have to say anything more than, "Hey I created a LinkedIn account today." You'll never have to write down a password, share the password (because you have a system that defines the password), and you can keep a list of account locations in cleartext.

I've been doing this for 15 years and NEVER had a security failure because of it. You can check my profile for my credentials if you're worried.

You can modify the system as needed. Always use a 3 instead of E (simple substitution). Always do the location based portion (the three letter prefix/postfix) backwards, or of varying capitalization.

I have over 200 accounts, NO PASSWORDS WRITTEN OR STORED ANYWHERE, and I have never forgotten one.

Everett

Posted 2012-11-11T03:34:52.087


This won't work for websites that require you to change the password after some amount of time. For example you have rootATT today, but then tomorrow you have to reset the password. Now it's rootATT2 - how would you communicate this change and make sure you know it's rootATT2? In my old age (ok, I'm not old) I sometimes forget I changed passwords. – Natalie Adams – 2012-11-11T04:09:23.273

Sure it will. If the password doesn't work the first time (after it was changed without me knowing about it), I would attempt the first changed version. My system would include what the change is too. Since you have already agreed on the change, you know what to try. NO website locks you out for one password failure. What you described is EXACTLY what I do. And it's worked for 15 years. – Everett – 2012-11-11T04:15:43.060

And if I needed to communicate a password change, since the system has already addressed what the next iteration is, all that has to be said is, "hey, the AT&T password changed today." – Everett – 2012-11-11T04:31:39.020


I don't know if you will be able to get away not installing software if you want to be secure.

Personally, I use Dropbox + keepass. Keepass encrypts my username/password combinations, and dropbox syncs those changes on all my computers. I can even access it on my (Android) phone when I'm on the go. I really think it's the best trade-off of all worlds - because even if someone did get a copy of that file - I trust keepass enough to where the bad guy wouldn't be able to get into it (at least easily).

If you are REALLY paranoid, you can use encFS to add a layer of encryption to your cloud drive (Windows - http://members.ferrara.linux.it/freddy77/encfs.html ). However, this could get complicated if you want to access your credentials while on the go.

I would be against "password hints" simply because personally I randomly generate my passwords (usually [some number of] characters containing some combination that I find easy to remember). For some things I have used the same password for years. But those services usually provide OTP password support (like gmail). Which, it is a pain sometimes, but you would be a fool to not take advantage of the security it provides.

If you are truly against using software, I would recommend self-hosting with a basic-auth SSL enabled site. Assuming the file is in plain text - I wouldn't trust ANYONE with my credentials on a publicly accessible system. (I wouldn't even trust myself with said plain text file.) While your basic auth could be brute forced - I'm sure you could do some interesting counter-hacking techniques. And SSL would prevent some guy in the middle from being able to read your data. A self-signed certificate could suffice, but you better make sure you trust the internet connection you are connected to.

Now that I'm thinking about it - you could do something even more interesting (and I would be interested in putting a prototype together). This system in the backend would store a text file encrypted. When you pulled it up via your web browser, it would prompt you with a message box for the "password" (or more simply key). Upon providing this key it will request via AJAX the file and attempt to decrypt using said key. This way - while it is sent "in the clear" a guy in the middle would only get the encrypted file and it would be decrypted on the fly. This should work on any browser (including mobile).

Natalie Adams

Posted 2012-11-11T03:34:52.087
