
Ask HN: How do you manage your passwords?

43 points| pft | 11 years ago | reply

A while back someone posted a link to qwertycards.com, a (low security) product that promised an easy way to keep track of all of your passwords whilst staying secure.

This got me thinking about what I should use - after a year of using Lastpass to store "super secure" passwords and then logging in repeatedly to it, I'm starting to get fed up.

What do you all use? Do you spend a lot of time memorising them? Do you use medium security passwords that are easier to remember? Do you use Lastpass/ 1Password/ another service? If so what do you recommend?

88 comments

[+] maxcan|11 years ago|reply
1password on iOS/OSX. There was a big discount on both a while back and I jumped on it. Even today, I'd consider paying for it. I've tried all the open source options, none of them worked nearly as well as 1pwd.
[+] cgriswald|11 years ago|reply
https://agilebits.com/onepassword

1password is great. On OSX, I have one long, nice password and on iOS I can use Touch ID to open it (typing in that password on an iPhone was a pain). It syncs across devices over wifi, Dropbox, or iCloud.

There are versions for Windows and Android as well. I've used the Windows version a little bit and it's pretty much the same.

[+] piqufoh|11 years ago|reply
1password on iOS/OSX + on windows at work. It's got a great feature where you can have different 'vaults' for different sets of passwords - I have one personal, one for work and one for home utilities that I can share with the family.

Initially the $50 was painful, but I've since happily paid for all the upgrades and for family members' licenses too - encouraging good password hygiene!

[+] _virtu|11 years ago|reply
Hands down the best fifty bucks I've ever spent.
[+] cwt|11 years ago|reply
I use lastpass. Never tried any other password manager. I don't mind logging into it. On my phone I can swipe my thumb. The only thing I don't like is having to type out the long random passwords on non-physical-keyboards - like setting up a roku to connect to amazon play and spending an extra 15 clicks switching case/keyboard.

How often do you have to log into it? Is it specific to a device?

[+] theklr|11 years ago|reply
+1 for lastpass. On it for now 4 years, they've gotten more aggressive on development as the market grew but still simple as the first time I've used it.
[+] pft|11 years ago|reply
I'm guessing you use Lastpass premium if you use it on your phone? I use lastpass on all my devices. I like the phone app but I got premium for free for one year and it's about to run out. Looking for a free alternative.
[+] UnoriginalGuy|11 years ago|reply
I like that I can open up an incognito window in Chrome at work, login to LastPass, have access to many things, then when the window closes, I log out, or shut the machine down then I am logged out.

I do have Google Authenticator tied to it, so logging in once a day is a little annoying, but overall it is a good experience.

I have the phone app (LastPass Premium) and while it is fine, it is a little buggy/annoying/meh. I haven't decided if I'm going to renew or not. I don't really blame the company for the limitations, they're trying to work around heavy app sandboxing, but after it all the user experience remains subpar.

Overall I would recommend it. In particular if you use Google Authenticator with it and a very solid master password.

[+] chrisparsons|11 years ago|reply
I started using Lastpass when I switched jobs and the company I moved to used it. The ability to share logins with people/groups without actually exposing the password is wonderful in the corporate setting, as it makes revoking a group of passwords (think company-level social media accounts) simple and worryfree.

It works well enough to have convinced me to buy Premium on my personal account.

[+] denverdavido|11 years ago|reply
Another vote for Lastpass. Truly cross platform as it works on Linux as well. And the price is much less than 1password.
[+] boydjd|11 years ago|reply
keepass. I don't trust a service to store my passwords.

I use a key file and a passphrase to secure my keepass database. The database is stored on dropbox, the keyfile is stored elsewhere.

[+] UnoriginalGuy|11 years ago|reply
This is very close to how LastPass works under the hood. You're storing an encrypted database on their service (just like DropBox in your case). They don't actually store your original master password.

The only legitimate security gripe I've ever read about LastPass (and people have focused on its security a LOT) is that a bad guy can modify the JavaScript utilised by the extension if they took control of LastPass's servers, and have your plain text master password sent to a third party (assuming no cross-site protections).

The actual password database is fairly secure. As is the login process (which can further be strengthened with 2F and various options in the account settings).

[+] JshWright|11 years ago|reply
Same here. KeePass2 on Linux, KeePassX on OSX, and KeePassDroid.
[+] potatosareok|11 years ago|reply
I don't particularly favor putting all my passwords in an online password manager. So I have some JavaFX gui I made that encrypts a password file (passphrase => PKDF => AES). In total it's like 200 lines of code - GUI, storing pass, generating pass, and rotating master password. The encrypted file I keep synced in my cloud storage.

But in retrospect I don't know if this makes any real difference from something like keepass. My encrypted file is transferred over some secure socket, so an attacker can at least get a copy of the encrypted file if they either hack the cloud storage provider or somehow hijack my connection.

It's not exactly super portable but for sites I care about, I wouldn't log onto them on untrusted computers anyway.

[+] daddykotex|11 years ago|reply
I use KeePass and sync it using BitTorrent Sync on all my devices. The problem with my current setup is that I carry the keyfile along with the database, which is useless.

I got to think of another way!

[+] toki5|11 years ago|reply
My muscle memory is astonishingly strong (probably from two decades of classical piano training).

I use this to my advantage with passwords: When I need to generate a new one, I play a "song" into Notepad (or vim as the case may be). Not a known song, but a seemingly random string of glyphs that make sense in my head at the time.

Practicing typing that string forms a powerful association with that account/website and that "song," and my hands remember it for the rest of my life.

The one big drawback to this is that it's nearly impossible for me to enter passwords on my phone without having a keyboard handy and arduously trying to recreate the string. Also, changing a password (not that I usually need to) is a little difficult because I have to retrain myself.

The advantages are: They're not written down anywhere; I don't have to struggle to remember which permutation of some base string I used this time; they don't follow any sort of pattern.

[+] baldfat|11 years ago|reply
> logging in repeatedly

Repeatedly? Only at my work do I ever have to retype my password. My home is logged in and my phone has a pin.

What repeatedly is driving you away?

PS Lastpass is best in class for me

EDIT: I never memorize my passwords for sites. After having friends who were penetration testers I never do anything half-way secure. I actually can't wait till I have some kind of rfid of some sort to access lastpass.

[+] mtry1|11 years ago|reply
Keeper - https://keepersecurity.com/

I've tested just about every password manager because it was up to me to choose the most secure one for my company after we noticed some suspicious activity going on.

There are a few products I liked, but I can say unequivocally that Keeper is the best solution for IT folks. It's hands down the most secure and it's the most intuitive for people of all backgrounds.

Keeper generates 256-bit encryption keys using PBKDF2 with HMAC-SHA256 and a minimum of 1,000 rounds, and user data is encrypted with 256-bit AES ciphers. They're a zero knowledge platform, so the cipher keys to encrypt and decrypt user records are not stored or transmitted to the cloud.

Works on every browser and platform, including Linux.

They have all of the standard password management features as well, like autofilling logins, generating random, complex passwords, two-factor auth, fingerprint login, etc... It's made my life a lot easier.

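The "zero knowledge" design described in the Keeper comment above, and UnoriginalGuy's remark further up that LastPass never stores the original master password, share one pattern: the client derives a key from the master password with PBKDF2, sends the server only a one-way value derived from that key, and encrypts the vault locally. The following is an added illustration of that pattern, not Keeper's or LastPass's code. It uses only the Python standard library, so an HMAC-SHA256 counter-mode keystream stands in for the AES-256 cipher the comment names (a constructed stand-in, not something to deploy), and the server class, the label strings and the sample vault contents are all assumptions made for the example. The 1,000-round default matches the minimum quoted above; it is a floor, and a real deployment should use a far higher count.

```python
import hashlib
import hmac
import os

KEY_LEN = 32          # 256-bit key, as described in the comment above
ROUNDS = 1_000        # the stated minimum; treat it as a floor, current guidance is far higher


def derive_data_key(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 256-bit vault key. Computed on the client only."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=KEY_LEN)


def auth_verifier(data_key: bytes) -> bytes:
    """One-way value derived from the key. Only this travels to the server, so the
    server can authenticate the user without ever holding the key that opens the vault."""
    return hmac.new(data_key, b"login-verifier", hashlib.sha256).digest()


def enc_subkey(data_key: bytes) -> bytes:
    """Separate sub-key for encryption so the verifier and the cipher never share a key."""
    return hmac.new(data_key, b"vault-encryption", hashlib.sha256).digest()


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256 (the stdlib has no AES): HMAC-SHA256 keystream in counter mode.
    Constructed for this example only; symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


class VaultServer:
    """Toy zero-knowledge service (assumed for this example): it keeps salt, verifier
    and ciphertext per user, never the master password and never the data key."""

    def __init__(self):
        self._users = {}

    def register(self, user: str, salt: bytes, verifier: bytes, ciphertext: bytes) -> None:
        self._users[user] = {"salt": salt, "verifier": verifier, "vault": ciphertext}

    def salt_for(self, user: str) -> bytes:
        return self._users[user]["salt"]

    def fetch_vault(self, user: str, verifier: bytes):
        """Return the ciphertext only if the presented verifier matches (constant-time compare)."""
        record = self._users[user]
        if not hmac.compare_digest(record["verifier"], verifier):
            return None
        return record["vault"]

    def stored_fields(self, user: str) -> list:
        """What the service actually holds for a user; shows that no key is stored."""
        return sorted(self._users[user])


def client_register(server: VaultServer, user: str, master: str, vault_plaintext: bytes) -> None:
    """Client side of sign-up: fresh salt, derive key, upload verifier + ciphertext only."""
    salt = os.urandom(16)
    key = derive_data_key(master, salt)
    server.register(user, salt, auth_verifier(key),
                    toy_stream_cipher(enc_subkey(key), vault_plaintext))


def client_open_vault(server: VaultServer, user: str, master: str):
    """Re-derive the key from the master password, log in with the verifier, decrypt locally.
    Returns None when the server rejects the verifier (wrong master password)."""
    key = derive_data_key(master, server.salt_for(user))
    ciphertext = server.fetch_vault(user, auth_verifier(key))
    if ciphertext is None:
        return None
    return toy_stream_cipher(enc_subkey(key), ciphertext)


if __name__ == "__main__":
    srv = VaultServer()
    # constructed sample vault contents
    client_register(srv, "alice", "correct horse battery staple", b"example.com: hunter2")
    print("server holds:", srv.stored_fields("alice"))
    print("right password:", client_open_vault(srv, "alice", "correct horse battery staple"))
    print("wrong password:", client_open_vault(srv, "alice", "Tr0ub4dor&3"))
```

The point to check in any product claiming this design is the split: the value sent at login must not be usable to decrypt the vault, and the encryption key must be derived only on the client. The JavaScript-tampering concern raised earlier in the thread is exactly what this split does not cover, because client code that is served by the vendor can still send the key wherever it likes.
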
[+] Old_Crow|11 years ago|reply
My wife and I use this. I have an android phone and she has an iphone. We share records back and forth and she really likes the touch id quick login.
[+] chilicuil|11 years ago|reply
I use a shell alias:

  alias getpass='_getpass() { _g=$(printf "sauce%s" "${*}" | md5sum | openssl enc -base64 | cut -c1-16); printf "%s" "${_g}"|xclip -selection clipboard 2>/dev/null|| printf "%s\\n" "${_g}"; }; _getpass'

like this:

  $ getpass [email protected]

  $ getpass [email protected] #for ssh logins

[+] eli|11 years ago|reply
Seems like that would be pretty annoying for passwords that must be changed periodically (or even just occasionally).
[+] ftwinnovations|11 years ago|reply
I use a secret scheme that only I know. It works like this - I have one single long complex "base" password, which is no problem for me to remember, which has letters, numbers, caps, and symbols so all password checkers are happy. Then, for every site I change that password using my secret scheme. I won't say what mine is, but an example is that I change the 3rd character to match the 3rd character of the URL, and I add a character to the end equal to the URL's first character, but shifted right one column on the keyboard (V becomes B for example).

Basically it's one base password and one repeating scheme, that gives me a unique complex password on every site, that's easy to remember, and doesn't require any special software to maintain!

[+] cgriswald|11 years ago|reply
An attacker who can get two of your passwords will basically have all of your passwords, because by knowing which characters can change, they only have to attack those changes (your effective password length becomes the number of those changes). Additionally the pattern may be discernible with only two passwords, and even if not, each additional brute forced password provides additional information.

Put another way, every time you sign up for a website with a derived password, you are giving out information about your base password.

Special software doesn't reveal any information about your base password and even if the base password is acquired, the attacker still needs access to your vault to do anything about it.

[+] henshao|11 years ago|reply
This is how I do it. The only problem is that I thought of doing this only a few years ago, so when I go access things I haven't been on in a few years, I have to try to remember if I already changed my password or not.
[+] fallinghawks|11 years ago|reply
I do something very similar - a base password made unique by the URL. The pain in the behind is when you're on a site that requires a password change every X days, and you have to make up something else.
[+] raimue|11 years ago|reply

  $ vim passwords.gpg

I configured vim to

a) automatically pipe *.gpg through gpg on open and write,

b) to not keep viminfo, swap files or undo history for these files, and

c) to close automatically if I leave this file open for longer than 10 seconds without cursor movement.

This modeline at the top of the file hides everything besides the first indentation level:

  # vim:set foldenable foldmethod=indent foldclose=all foldlevel=0 foldminlines=0 foldtext='\ \ (hidden)' fillchars+=fold\:\  :

I have been using this approach for years. There might be better alternatives now, but this still works for me. I admit this is not perfect, as I still need to look at the password in plaintext for copy and paste operations.
[+] fj8pPoh1Jq4m|11 years ago|reply
Would you mind sharing how you got 'b' & 'c' to work?
[+] GrandTheftR|11 years ago|reply
I use KeePass (and KeePassX on Mac OS), and use a network drive to store the DB files.

For password security, I have different levels of passwords: for less important services, I will just use a less secure password and will not store it in the security DB.

[+] tptacek|11 years ago|reply
I use and recommend 1Password.
[+] coherentpony|11 years ago|reply
I also recommend this. I use it on my phone too. The downside is it's not targeted towards linux users. That said you can hack together access via Dropbox if you need access to your vault on linux.
[+] woebtz|11 years ago|reply
KeePassX (Mac) + cloud storage and unique "low security" derived passwords for each service[1].

I made a clone (lazypass.com) of passwordtable.com, so I could use a custom no-look-alike's character set (sans-"iILl1...o0O", etc.) and to improve lookups -- but the improvement, in practice, seems to be somewhat negligible.

I feel that important passwords should be stored on paper or encrypted for a close friend/parent/spouse to recover should you get dead... is that kind of a similar concern?

[1] Until they tell me to make a new one that can't be the same as the previous. :(

[+] fierycatnet|11 years ago|reply
I use lastpass because it's been mentioned. It's been almost 2 years now and I like it. It's pretty cheap and works on mobile, pretty convenient. I haven't tried anything else.
[+] mcbetz|11 years ago|reply
Keepass (Win/Linux) and MacPass (Mac). Certainly not as polished as 1password, but it's Open Source and cross platform.

And it has plugins for FF and Chrome for auto entry on websites (Win only so far).

What I often use and enjoy a lot is its import and export functionality. For example if I want to add URLs to get auto completion working and I want to do that in batch, I export a CSV, edit this in LibreOffice and import it back into Keepass.

[+] fluidcruft|11 years ago|reply
The Achilles heel for Keepass for me (and what ultimately sent me to LastPass) was that there wasn't any way to use it on a Chromebook conveniently (yes, there's crouton, but I don't find that acceptable).

( It would be cool if something like Keepass could be built around smartcards or these new-fangled U2F dongles... I've become quite a convert to the smartcard approach after setting up my yubikey to work as an OpenPGP smartcard )

[+] calcrafoord|11 years ago|reply
http://supergenpass.com/

I use a chrome extension and an android app most of the time, and the "mobile" browser version when neither of those are handy.

I like the fact that nothing is ever stored anywhere. Feels clean.

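chilicuil's `getpass` alias and SuperGenPass above are both stateless derivation schemes: nothing is stored, and each site's password is a function of a master secret and the site name. Two weaknesses of the alias as posted are worth fixing for anyone who wants to keep that approach. First, md5 takes microseconds per evaluation, so a single derived password captured from one site (a breached database, a phishing form) lets an attacker test candidate master secrets offline at very high speed; a slow KDF raises that cost by orders of magnitude. Second, as eli points out, a site that forces a rotation cannot get a new password without changing the master secret for every site. The block below is an added example, not chilicuil's alias or SuperGenPass's code: it swaps md5 for PBKDF2-HMAC-SHA256 at 100,000 iterations, normalizes the site name so `https://www.example.com/login` and `example.com` agree, adds a rotation counter, and renders into a look-alike-free alphabet in the spirit of woebtz's lazypass character set. The function names, the iteration count and the sample inputs are all assumptions of the example. What it does not change: the scheme is still deterministic, so whoever learns the master secret has every password, and a site that rejects the derived format (symbol required, length capped) still needs handling outside the scheme.

```python
import hashlib
import string
import time

ITERATIONS = 100_000          # slow KDF; md5 in the alias above costs microseconds per guess
LOOKALIKES = "iIlL1oO0"       # characters that are easy to confuse when read back or typed
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in LOOKALIKES)


def normalize_site(site: str) -> str:
    """Reduce a URL or hostname to its bare host so one service maps to one password."""
    s = site.strip().lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0]
    if s.startswith("www."):
        s = s[4:]
    return s


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Stateless derivation: PBKDF2-HMAC-SHA256(master, host|counter), rendered into ALPHABET.

    Bumping `counter` yields an unrelated password for the same site, which is the
    rotation case the md5 alias above cannot handle without changing the master secret."""
    if not 8 <= length <= 40:
        # 256 bits of KDF output cover at most ~44 symbols of a 54-symbol alphabet
        # before base conversion starts to bias the result; stay well inside that
        raise ValueError("length must be between 8 and 40")
    salt = f"{normalize_site(site)}|{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=32)
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def guess_cost_ratio(samples: int = 200) -> float:
    """Rough ratio of wall-clock time per candidate master secret for this KDF versus
    the plain md5 of the alias above. Machine-dependent; for illustration only."""
    t0 = time.perf_counter()
    for i in range(samples):
        hashlib.md5(f"sauce{i}".encode("utf-8")).digest()
    md5_each = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"m", b"s", ITERATIONS, dklen=32)
    return (time.perf_counter() - t0) / md5_each


if __name__ == "__main__":
    # constructed sample inputs
    print(derive_site_password("master-secret", "https://www.example.com/login"))
    print(derive_site_password("master-secret", "example.com", counter=2))  # after a forced rotation
    print(f"one guess costs ~{guess_cost_ratio():,.0f}x a plain md5")
```

Used the way the alias is used (`derive_site_password(master, site)` on demand, output to the clipboard or terminal), the only state to remember is the counter for the handful of sites that have forced a rotation, which is also the scheme's remaining usability cost.
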
[+] usermac|11 years ago|reply
I use a system. I use a general subject, then a number, then the service name. In this way all my passwords are different yet memorable. So here would be "car44hackernews" and for facebook would be "car44facebook".
[+] rikkus|11 years ago|reply
Spreadsheet in Google Docs, 2FA on Google to keep it safe. Passwords generated with my generator here: https://without.azurewebsites.net/pass.html and kept to 64 chars where the service allows that many. Most get saved in the browser, Remote Desktop Connection Manager, etc. - so I'm not looking them up often.

I like the fact I can get to this from anywhere. Even from IE on my Windows Phone, if I need to copy+paste (e.g. to log into the Spotify app after installing it).

[+] eli|11 years ago|reply
I use KeePass synced over Dropbox to all my devices. My wife really likes Dashlane, which has some neat (if a little scary) features like the ability to automatically change many account passwords at once.
[+] eterm|11 years ago|reply
I use the same passwords across almost all my accounts. I realise it's not secure but nearly everything that asks for a password doesn't need to be secured.

The few I use a different password for are gmail, steam, my bank and my work domain. Muscle memory kicks in quite quickly because they're all typed so often, so while I can't actually remember what my password is to say it, I can remember enough to start typing and the muscles take over.

I find when faced with a new password that just saying each character in my head as I type them helps memorize them.