Storing passwords

[Sac Arrow]

No this is not a unique problem; everyone has it. Some more than others.

Last time I accounted for all of my online logins, not even counting message boards, but fairly important stuff, it was roughly twenty. And, many of these sites require you to use fairly obscure passwords that may not be easily remembered. And with so many, particularly if you infrequently use some, you forget usernames, passwords, etc... In addition, there are various challenges and answers, the answers of some which may not necessarily be ingrained in permanent memory.

So you gotta write this stuff down. I know that there are apps out there (e.g. Lastpass) but I don't trust that stuff. Right now I made up an Excel spreadsheet with all that crap, which is great, because I have it, but then again there is an Excel spreadsheet with all that crap on it.

Suggestions on how best to track this stuff?

 

[wsuffa]

I currently use Lastpass. I may move to Dashlane next year, we'll see what happens now that Lastpass has been acquired by a company with a much less stellar customer service record..

What your looking for is something where the encryption takes place on your machine (i.e. only YOU hold the key) and allows for two-factor authentication with one of the common two-factor systems. After that, you look for features.

 

[Let'sgoflying!]

Two pages of Word. Wouldn't be so bad except for the new requirement to be constantly changing your passwords. So, always adjusting the file. Plus, you are not supposed to use one password for everything. And there are no standards for what figures are included, some need one number, some need that and a symbol, but not certain symbols. Then, we all have a couple devices or are traveling - and the file is not available. Looking forward to when hacking and stealing has ceased.

 

[dweyant]

I wish some sort of biometric device would catch on..

-Dan

 

[sferguson524]

keepass is free, and encrypts your passwords. We use it here at work, where we are regulated by SOX, PCI, and Gaming boards in 5 states.

 

[cowman]

I have a system.

I won't post what that system is here, but in general I've got a couple easy to remember "low security" passwords I use for stuff like social media, video games, etc... basically things that I wouldn't loose a lot of sleep over if they got hijacked.

Medium security stuff I use rotating combinations of common things and this is where the "system" part comes into play. Obviously I'm not gonna give out my password system but think of something you'd remember easily. If you're a gun guy maybe you have PistolColt.45, 1911Colt.45 or .45cal1911 on different sites. You may not remember what combination you used but you'll get it on try 2 or 3 probably. Those examples are kinda short but I'm sure you can think of something more memorable to you. There's all sorts of great number/phrase combinations in the aviation world that we have to memorize for one...

For_high_security_maybe_write_out_a_sentance_that_can_be_remembered.

I don't sweat having really strong passwords too much though mainly because on a lot of these same sites where they have the complex password requirements, they also have security questions that are mandatory. These exist to reduce lost password tech support calls FYI.

"What was your mother's maiden name?"
"What street did you grow up on?"

etc... most force you to choose from a list of this kind of stuff. It's sadly a lot easier to just look up these answers and game the system than it is to crack passwords. After all your mother's maiden name and your old street address are generally publicly available info.

I lie on these questions just to throw off an attacker... of course this creates a new problem if I forget a password.

 

[wsuffa]

Two pages of Word. Wouldn't be so bad except for the new requirement to be constantly changing your passwords. So, always adjusting the file. Plus, you are not supposed to use one password for everything. And there are no standards for what figures are included, some need one number, some need that and a symbol, but not certain symbols. Then, we all have a couple devices or are traveling - and the file is not available. Looking forward to when hacking and stealing has ceased.

I won't do that personally.

If someone gets that file from your computer, you're toast.

Better to hand write them and stick them is a safe.

 

[LDJones]

I won't do that personally.

If someone gets that file from your computer, you're toast.

Better to hand write them and stick them is a safe.

Which does you a lot of good when you travel and need your passwords!!

I store my passwords in a secured page in OneNote which is stored in my cloud and available on any device I use.

It's still a pain. Passwords are the bane of modern living.

 

[cowman]

In the not too distant past I worked in a dept full of programmers for a major retailer... system admins made a new policy that we had to have complex passwords... capital/lowercase, numbers, a symbol, so long, etc... AND implemented a policy that required us to change it every couple weeks.

I could not longer put in a unique password I could remember so I started writing them down on a piece of paper and hiding it in my desk. Others did the same. These are programmers we're talking about too... imagine what the non computer literate folks do.

 

[AggieMike88]

Lastpass was purchased by the company that does LogMeIn. And I'll echo Bill's thoughts about less than stellar customer service.

I recently got auto-renewed for $150 with no notice or chance to opt out. A review of the site shows no means of trying to opt out now and get any refund. A search of the community site shows many folks who have attempted the same, with mixed bag of results, but a lot of frustration. My only course was to go to the billing credit card page and insert all zeros so next year, the renewal will fail.

So Lastpass isn't one that has my recommendation.

 

[G-Man]

I'm using Password Safe, which was free. Version 3.26. Seems to work fine, though is tied to my home machine so awkward when traveling.
I welcome any reviews or insights, especially if this program sucks and I just don't know it.

Cowman makes excellent suggestions (as usual) with his 'system.' Thanks.

 

[eman1200]

I have a system.....

me too. hard for anyone to remember every dayum password but if you create a system it makes it much much easier. hard for me to give examples without giving information away, but actually I come up with a few systems. at a high level, I 'group' accounts something like this:

1) sensitive data sites....banking, etc...
2) email accounts
3) "most other stuff", which can further be broken out if necessary, ie shopping/forums/junk sites that require logins

come up with a system for each group and it gets easier. certainly easier than for me to explain the actual system lol.

 

[RJM62]

I store passwords and other sensitive data (banking information, etc.) in text files, and store the text files in encrypted 7z archives, using one of several hard-to-guess (but easy to remember) phrases.

For the phrases, I use quotes from books, songs, or other works that happened to stick in my memory, but in which I have changed a few key words and/or punctuation marks. So "The first time Yossarian saw the chaplain he fell madly in love with him." might become "The first time Yossarian saw Yogi Bear he fell madly in love with him?"

The phrases themselves are also backed up into each archive on text files, so I'd have to forget all of them to lose access to any of them.

Rich

 

[Jim_R]

Lastpass was purchased by the company that does LogMeIn. And I'll echo Bill's thoughts about less than stellar customer service.

I recently got auto-renewed for $150 with no notice or chance to opt out.

I've been using LastPass for several years and have been very happy with the technical performance. Didn't know about the recent sale and haven't yet hit my renewal date, but a normal subscription is only $12/yr (though I get the LP+Xmarks bundle for $20), and mine has renewed in the past as expected without issue, so I wouldn't expect that to change.

Note also that LastPass is free if you're not using it on portable devices (phones/tablets).

How did you get hit with a $150 bill? Was it an error on their part, or do you have multiple subscriptions for some reason, or what?

My only course was to go to the billing credit card page and insert all zeros so next year, the renewal will fail.

On my account management page on the lastpass.com site, there's a big red "[Cancel]" option next to where it says, "Automatic renewel: Enabled".

 

[kayoh190]

My company's IT department makes us change our iPad 4 digit pin every month. It can't be anything we've previously used. The same digit can't be used twice in a row. Nor can two consecutive numbers.

It's a 4 digit pin. Sooner or later I'm gonna run out of options!

 

[AggieMike88]

I've been using LastPass for several years and have been very happy with the technical performance. Didn't know about the recent sale and haven't yet hit my renewal date, but a normal subscription is only $12/yr (though I get the LP+Xmarks bundle for $20), and mine has renewed in the past as expected without issue, so I wouldn't expect that to change.

Note also that LastPass is free if you're not using it on portable devices (phones/tablets).

How did you get hit with a $150 bill? Was it an error on their part, or do you have multiple subscriptions for some reason, or what?

On my account management page on the lastpass.com site, there's a big red "[Cancel]" option next to where it says, "Automatic renewel: Enabled".

Sorry for the confusion. My comments and dollars were to do with LogMeIn. I am not a LastPass customer. The $150 was a renewal for LogMeIn Pro. And on the LogMeIn website, there is no obvious self cancel mechanism.

 

[RJM62]

Sorry for the confusion. My comments and dollars were to do with LogMeIn. I am not a LastPass customer. The $150 was a renewal for LogMeIn Pro. And on the LogMeIn website, there is no obvious self cancel mechanism.

My solution to that (and other) problems is to refuse to deal with any company that requires a stored payment method other than PayPal. PayPal authorizations can be cancelled on the consumer side regardless of the vendor's wishes.

I have severed my business relationships with almost every company that requires me to store a credit card number, with the exception of companies that issue their own non-Visa/MC store cards. Adobe is the sole holdout at this point. I did this because I got tired of my card information being stolen when vendors got hacked. But it also does wonders to avoid those surprise auto-renewals.

Rich

 

[NickC99]

I use 1Password. It has browser integration and TouchID integration on iOS.

 

[cowman]

I have always been interested in some of these password management solutions but I don't like the storage being in the cloud and I also don't like the fact that(if done right) all the passwords are irretrievable should I lose the master.

 

[mkosmo]

I also use lastpass. It's free if you don't need premium, but I use a yubikey for 2fa and like mobile access, so I pay the dollar a month for premium. I think I'm paid up for like 3 more years...

 

[Lando]

Password protect an Excel file and then store it in the cloud for a free and easily accessible option. There are some issues with saving changes if you don't sync the file directly to your machine, but it's very secure and very easy to access.

 

[Vinny]

For personal stuff, I have a truecrypt container with individual text files with each website and user/pass. I put the truecrypt container in dropbox. But that's mainly for my wife in case I get hit by a bus; I have most of them memorized and they don't have to change often.

For work, I just use a password-protected excel file in a password-protected zip file. I have something like 40 passwords for various systems, and the rules for some of them are beyond ridiculous; I gave up long ago trying to make a system. They have varying expiration dates and character requirements. But the most draconian is for our travel system (government contractor provided). I think this is right, but I'm going from memory:

- Minimum of like 12 characters, including upper and lower and number and symbol.
- Expires every 90 days
- New password can't be one of your most recent 12 passwords
- New password can't have more than 8 characters in common with current password

Thank god we have single signon and Oracle ESSO keeps track of the passwords through my SmartID.

 

[Jim_R]

I have always been interested in some of these password management solutions but I don't like the storage being in the cloud and I also don't like the fact that(if done right) all the passwords are irretrievable should I lose the master.

To be clear, while passwords are stored in the cloud for universal access from anywhere with an internet connection, they're also stored locally on any device with the LP app installed, so that you also have access without an internet connection.

If you are are just generally against storing anything in the cloud, then yeah, you'll want another solution, because you can't turn that off. And LP is a very popular password vault, so it's a high-profile target for attacks. In fact, they were hacked earlier this year. Here's some info from their blog shortly after the event:

Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.

Am I at risk if I have a weak master password?
An attacker could try to guess your master password, then use your per-user-salt and authentication hash to determine if their guess was correct. Typically, an attacker would try a list of commonly-used passwords or dictionary words (such as 12345678, password1, mustang, robert42, iloveyou). They would have to do this for you specifically, since your “per-user” salt is unique to your account . Because your password is hashed thousands of times locally, and this hashed value is again hashed 100,000 times before being stored server-side, guesses will be very slow. If your master password is weak or if your password reminder makes it easy-to-guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly. Then the attacker would have your master password, but not your data, since your data vault was not exposed. If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address. We require this security measure for any attempt to access your vault from a new device/location, unless you have multifactor authentication enabled.

 

[wsuffa]

Which does you a lot of good when you travel and need your passwords!!

I store my passwords in a secured page in OneNote which is stored in my cloud and available on any device I use.

It's still a pain. Passwords are the bane of modern living.

Which is why I use a password manager. I specifically chose one that encrypts on your local device and there's no key held by the company/cloud provider.

I have always been interested in some of these password management solutions but I don't like the storage being in the cloud and I also don't like the fact that(if done right) all the passwords are irretrievable should I lose the master.

As for the last problem, it's a pain in the rear, but most websites have some mechanism for PW recovery. I'd rather the PWs be tightly encrypted.

 

[GeorgeC]

I won't do that personally.

If someone gets that file from your computer, you're toast.

Better to hand write them and stick them is a safe.

I have wondered about printing passwords as barcodes in order to not have them stored on the computer at all. USB barcode readers got cheap...

 

[Jim_R]

I have wondered about printing passwords as barcodes in order to not have them stored on the computer at all. USB barcode readers got cheap...

What good would that do? There are a jillion free smartphone scan apps available on every platform. Would take someone an extra 3 seconds to decode it than if you wrote it in plain text.

 

[GeorgeC]

The point of the barcode is not to obfuscate, but to make data entry less error prone.
If you don't have physical security, you already lost.

 

[Jim_R]

Personally, I think that's crossing into tinfoil hat territory, but we all have our ways of assessing and managing risk. Is someone more likely to crack a jillion hashes, or more likely to break into my house and put a gun to my head and demand my passwords? Neither event is particular likely, but neither event can be driven to zero probability.

 

[BigBadLou]

Password protect an Excel file

^^^^
That.
Though you are limited to the Microsoft platform. But if you don't have any crApple devices, that's perfectly sufficient.

Another layer of security for your passwords is to NOT put the actual password in the file but instead describe it verbally, in another language, especially obscured. I don't like making it easy for crooks. If anybody ever finds my pwd file and cracks the access code, they'll be in for a surprise and they'll hate me for the rest of their lives.

 

[midlifeflyer]

No this is not a unique problem; everyone has it. Some more than others.

Last time I accounted for all of my online logins, not even counting message boards, but fairly important stuff, it was roughly twenty. And, many of these sites require you to use fairly obscure passwords that may not be easily remembered. And with so many, particularly if you infrequently use some, you forget usernames, passwords, etc... In addition, there are various challenges and answers, the answers of some which may not necessarily be ingrained in permanent memory.

So you gotta write this stuff down. I know that there are apps out there (e.g. Lastpass) but I don't trust that stuff. Right now I made up an Excel spreadsheet with all that crap, which is great, because I have it, but then again there is an Excel spreadsheet with all that crap on it.

Suggestions on how best to track this stuff?

The first question is, do you need them remotely?

If not, and you don't trust the apps (I use KeePass), the best security around is a paper notebook. After all, they'd have to break into your house and know to look for it in order to get access.

 

[Sac Arrow]

The first question is, do you need them remotely?

If not, and you don't trust the apps (I use KeePass), the best security around is a paper notebook. After all, they'd have to break into your house and know to look for it in order to get access.

Yes I do need them remotely.

 

[denverpilot]

278 items in 1Password kept in Dropbox.

 

[Henning]

I234567$

 

[midlifeflyer]

278 items in 1Password kept in Dropbox.

Yep I do something similar with KeePass.

 

[Turningfinal]

keepass is free, and encrypts your passwords. We use it here at work, where we are regulated by SOX, PCI, and Gaming boards in 5 states.

I also use Keepass on all of my iOS devices. MiniKeepass has TouchID integration too which is fantastic.

 

[JGoodish]

Turned on iCloud Keychain. Problem solved.

 

[Manderson]

Keepass works for me.

 

[JimNtexas]

Lastpass is the gold standard of password managers.

They had a network intrusion in 2013, but there is no evidence that any user data was exposed.

http://www.pcworld.com/article/227268/lastpass_ceo_exclusive_interview.html

Use a strong passphrase and you'll be fine.