Ask HN: How do you create and manage passwords?
21 points by rscott on Jan 31, 2009 | 58 comments
I have a confession: I use the same password for pretty much everything, even though I know it's a bad idea and unsafe and all that. The problem is remembering my password at the dozen plus email and web services I use.

Is there a good solution that exists for remembering passwords? I know it's built into Firefox, which is nice, but I need something that can travel with me to use on my iPhone and other computers I might need to use. Ideally, it would magically sync up and password retrieval would be amazingly simple and secure.

So I ask you, HN, how do you create and manage your own passwords?




I take a layered approach.

One password for all the stuff that isn't really important like sites I visit a few times and then leave.

One password for sites I trust and use on a regular basis, but where a compromised password isn't the end of the world. HN is in this category.

Separate and strong passwords for stuff that matters, like netbanking, gmail, etc. To remember these I have a system set up so that the passwords are similar in a non-trivial way, like [first words of sentence][number I remember]. One password derived from this could be tqbfjotld!1249057, easily derived from "the quick brown fox jumps over the lazy dog!", and 1249057 which is the serial number for the motor in my boat. This way I only have to remember a phrase and a number I already know for entering secure sites.

Using this system I don't have to rely on potential unsafe software, or writing down passwords that may be compromised.


Same here. I've written up my methods here, which are similar in spirit, but not the same in execution.

Basic level password example: "pi975315703" -> alpha-numeric, easy to remember because I have typed it a billion times.

Medium strength: "C0caC0la1s<3pt14159" -> Coca Cola (upper case because it is a company) is not as good as pie; always use 0 for o and 1 for i.

High Strength: "9T&11E:ttttttttteeeeeeeeeee+pi975315703" -> all I have to remember is "nine 't's and eleven 'e's plus weak password" but someone trying to hack it with a hash table or whatever would be significantly slowed.

Max strength (where life or my job hangs in the balance): get a university text book and a ruler, go to page 314, hold the ruler along the 3rd column of paragraph text, read each letter downwards, and write "3X5%" on the bottom left corner of the page in very light pencil.

"WdeAdehaeeadyej.dR35Tyismdy+3X&5%:xxx%%%%%+pi97531570" -> I think you should get the idea here.

I'm also super paranoid about key loggers. One of my friends did this to the whole school when I was 16, so ever since then I have never entered high or max on a public computer, just in case. All told I think I have about 35 active passwords that I can easily remember (or obtain in the textbook one).


You're too hardcore for me, man. Is a 50+ letter password really worth it? My tiny brain barely remembers the 5 or 6 passwords I always choose to use.


Just hope you don't lose (or lose access to) the university textbook :)


Seconded with gusto.

I've got the one password that I used on all my low-priority stuff--Slashdot, throwaway mail services, etc. It's a terrible password, but at 9 letters it at least has some length and it actually may last against a dictionary attack.

Gmail, my university mail account, and other next-tier things get a stronger password, but still easy to type.

The rather more strict requirements of my school's CS and CE computer systems mean that I have to have complex passwords which change frequently. As such, I have a few that are based on phrases with numbers interspersed (the canonical example, I believe, is "Don't have a cow, man" which becomes something like "d0n'tHac,m" which has the added bonus of looking like "don't hack 'em"). When the policy requires me to change, I can either swap in one of my other extra-strong passwords or, if it remembers previous passwords and I'm stuck, I can just add a number at the end.

My job uses a CryptoCard for most things, but I use a randomly-generated Kerberos password for mail. When it changes, I write it down and stick it in my wallet until I have it memorized, then destroy the paper.

TL;DR: Assign different services to "tiers" and use a different password for each tier, with increasing complexity of passwords corresponding to increasing importance of services.


I use SuperGenPass, which hashes the domain of a website with a master password, so you only need to remember one password. Then, every time you log in, you just enter your master password, it automatically hashes it, and you get a new password for logging in like af49AgsdU8.

EDIT: here's the link http://www.supergenpass.com/


This scheme is hugely flawed.

If you steal a password list from a website you can identify all the passwords generated by this utility (10 characters, uniform distribution over alphanumeric characters) and then simply crack the master passwords with a brute force attack. If you have stolen multiple SuperGenPass generated passwords from the same website, you can crack them all at the same time with no additional penalty. After recovering the master password you can then log into every single online account belonging to the user.

They seem to generate the password hash with simple md5, which is about the worst possible choice they could have made. Any master password which is low entropy enough to carry around in your brain can probably be cracked in a few days at most.


Except that you don't use the full MD5 sum, so it's not a simple matter of brute-forcing it.


For the default password length of 10 characters they use ~60 bits of MD5 output. That's more than enough information to uniquely identify the master password.


So once your master password is found (brute force/keylogger/shoulder surfing), the attacker has a handy bookmarklet to log into all of your accounts.
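The objection in the sub-thread above (a fast, unsalted hash means one leaked site password is enough to check master-password guesses offline, and ~60 bits of output pins the master down uniquely) is easier to see in code. The block below is an added example, not SuperGenPass's own implementation: `derive_fast` is a simplified md5 stand-in for the kind of scheme being criticised, `derive_slow` is the same interface built on PBKDF2-HMAC-SHA256, and the master password and domains are constructed sample values.

```python
"""Added example (not SuperGenPass's code): fast-hash vs slow-KDF
site-password derivation, and why 60 bits of output identify the master."""
import base64
import hashlib

# Constructed sample values for the demonstration only.
MASTER = "correct horse"        # hypothetical master password
SITE_PASSWORD_LEN = 10          # the default length discussed in the thread


def derive_fast(master: str, domain: str, length: int = SITE_PASSWORD_LEN) -> str:
    """Simplified md5 derivation: one hash per candidate master password,
    the only 'salt' is the public domain, output truncated to `length`.
    Anyone holding one site password can test master guesses at md5 speed."""
    digest = hashlib.md5(f"{master}:{domain}".encode()).digest()
    return base64.b64encode(digest).decode()[:length]


def derive_slow(master: str, domain: str, length: int = SITE_PASSWORD_LEN,
                iterations: int = 200_000) -> str:
    """Same interface, but PBKDF2-HMAC-SHA256: testing one master guess
    against a leaked site password now costs `iterations` HMAC calls.
    It does not make a weak master strong; it only buys time."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(),
                              iterations, dklen=15)
    return base64.b64encode(key).decode()[:length]


def output_entropy_bits(length: int) -> int:
    """Each base64 character carries 6 bits of hash output, so a 10-char
    site password exposes 60 bits of the digest."""
    return 6 * length


def master_is_pinned_down(site_pw_len: int, master_entropy_bits: float) -> bool:
    """When the leaked output carries more bits than the master password
    has entropy, only one master candidate is (in practice) consistent
    with it: the site password fully identifies the master."""
    return output_entropy_bits(site_pw_len) > master_entropy_bits


if __name__ == "__main__":
    for domain in ("news.ycombinator.com", "digg.com"):
        print(domain, derive_fast(MASTER, domain), derive_slow(MASTER, domain))
    # A memorable master rarely exceeds ~40 bits; 60 bits of output is plenty.
    print("master identified by one leak:", master_is_pinned_down(10, 40))
```

The defensive takeaway matches the thread: a deterministic scheme is only as strong as the master password, and the hash choice decides how many guesses per second a leak permits, not whether guessing works.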


Amen. It amazes me how little this has caught on with the technical people I know. You can have your cake and eat it too: you only need to remember a single password, but you get to keep that password private. And you can use as many different computers and browsers as you want.


I've also been using this for ages. Absolute huge time saver. I used to keep vim encrypted files for every site I visited...when the list topped about three hundred, it seemed like time for a change.


Holy crap, how have I not heard of this?!

I love 1Password, but I wish they supported Opera. I would almost switch to this if it weren't for the need to reset hundreds of passwords.


I know! Where's the news on this been? This sounds awesome - more research, but I'm seriously thinking about switching.


The way I create passwords is to make an algorithm that no one else would know - which creates unique passwords for every site I use, but I can never forget the password since the algorithm stays the same. Example:

initials + last 3 characters in domain of site + year of birth + random sequence you know.

my + tor + 91 + e72BQo -- HN

my + igg + 78 + abwBs$ -- Digg

Again, just examples. It works for me and I never forget my passwords as long as I remember the algorithm.


I think I read about this hashing technique here and have been using it ever since. There's no need for any password tools and you simply remember one algorithm. After about a month of usage it takes no time to type in the PW for any site.

I designed mine to be a little more mixed up, so hopefully even if someone intelligent got my password it would just look like an assortment of characters instead of an obvious hash.


I use 1Password (for OS X and iPhone), which lets me generate random passwords for different sites. It can't auto-fill on the iPhone, so you have to go into the app and write it down somewhere (or remember it) temporarily. It's got syncing and stuff too. http://agilewebsolutions.com/products/1Password


I have a question - is there a password manager out there that's made it possible to access passwords from a computer that isn't yours? I'm guessing not, because of the obvious security issues.

Because I'm not always in front of my laptop, or desktop and don't have an iphone I use a system similar to what is here - different passwords for different sites, with a system that helps me remember them.


You can either use a website to manage your passwords or a USB drive. I use keepass to keep some of my passwords on a USB stick...

Not perfect, not 100% secure (nothing is), but always accessible :)


Thanks! I like the USB drive idea (maybe on a keychain) in conjunction with keepass (I'll need to look more closely at keepass - I skimmed over it a while ago). Also I like the supergenpass suggestion below - less to carry, and as long as I have the bookmarklet on a browser, and my master password, easily accessible. More to think about! :)


My product does exactly that - client-side AES-256 encryption in AJAX app. Works on any (modern) computer! More details: http://news.ycombinator.com/item?id=459887


I use 1Password also, with DropBox to sync passwords across multiple machines. Excellent combination.


I'm actually quite surprised at the lack of mention of KeePass in this comments thread: http://keepass.info/

I've been using it for years at this point, and I love it - it's very well supported, and is fast and straightforward to use - both for creating new accounts and recalling old accounts. In fact, I don't know my password to the majority of sites that I am signed up for, and instead use a randomly generated string.

That helps my peace of mind in cases where sites like monster.com get hacked - I don't need to change every password on every site, only that one.

[Edit] - By the way, Version 2 is written in Mono-compatible .NET, which means that it is accessible as a cross platform application. (It's not quite Python or Perl, but it works for me)


The system I use is this - I use a fixed combination of letters that never changes (4 letters), and then I follow it up with an 8-digit series of numbers, ending up with a 12-digit password.

I have a contact on my phone where all the passwords are stored as phone numbers (just the number, not the letters). If I ever forget the password, I just look it up on my phone. If my phone is ever stolen, the thief will never figure out that a particular contact happens to have my password as their phone number, and even if he does, he does not know the fixed letter combination I tack on.

And I change these passwords every few months, and when I first change one, I use my phone to remember it. Furthermore, I split the passwords into 3 categories - important, not so important and the password I share with family.


The Mac's Keychain Access program (Utilities folder) is pretty good for this. Most programs I use directly support it, e.g. Mail passwords, and web site passwords in OmniWeb. You can also add your own passwords or secure notes without having a program "support" the keychain.

Sync of keychains is possible, but only if you pay for MobileMe (née iTools/.Mac).

Unfortunately, Firefox uses its own password manager on the Mac instead of a keychain.


The first or second letters of the words of motivational quotes with a few letter substitutions (e.g. 0 for 'o', 3 for 'e') and some random symbols work well for me as easy to recall and strong passwords. Plus when you type it in, you have to think about the quote and whether you are applying it.

w3tm0mccab1ca$@

hvh1faa0n3tac)&

"Whatever the mind of man can conceive and believe, it can achieve" -Napoleon Hill


Shameless plug follows:

Our product Memengo Wallet http://www.memengo.com is a password manager that can be used in three different ways:

  1. Store your passwords on the iPhone app (Windows mobile phone also supported). Encrypted with AES-256.
  2. Store your passwords on the web site (AJAX). Encrypted with AES-256 within the web browser - plaintext never leaves your computer.
  3. The iPhone and the web site can be synchronized. There is a sync button in the iPhone app.
I can answer any questions. We also answer all support questions submitted from the web site (with a return address).

FAQ:

1. Q: The web site makes me uneasy. What if you decide to change your program to fish out the encryption key from the client? A: The web site does not add to the problem - any password manager app on the iPhone can phone home without your knowledge.


I have a mix of methods. For sites that I rarely visit or are of no real consequence if the password were compromised I use a memorable one for them all.

For sites that I care about the security I generate a random password with something like this:

    dd if=/dev/urandom bs=1 count=12 | uuencode -
then store that in psafe (http://www.hep.wisc.edu/~dan/psafe/) with a master password that I remember. This way if some site's password does get compromised, it doesn't translate to any other site. I suppose I could also carry around the encrypted psafe file with me on a USB key, but I've found that I don't really need to log into these sorts of sites when I'm out.


Your command never generates lower-case letters. :-)
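The reply above is correct about the alphabet, and it is worth checking rather than taking on faith. The block below is an added example, not the commenter's command: it enumerates the symbols `uuencode` can emit (via Python's `binascii.b2a_uu`, which implements the same encoding) to show that none are lowercase, then shows a CSPRNG-based generator over a full character set together with an entropy estimate. The alphabet string and default length are this example's own choices.

```python
"""Added example: why `dd if=/dev/urandom | uuencode` yields no lowercase
letters, and a generator that draws uniformly from a full alphabet."""
import binascii
import math
import secrets
import string

# This example's alphabet; any site-specific restrictions would trim it.
FULL_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def uuencode_alphabet() -> set:
    """Collect every character uuencode can produce for data bytes.
    Each 6-bit value v is written as chr(32 + v), i.e. ASCII 32..95
    (or 33..96 with the backtick variant): no lowercase letters exist
    in that range, which is the observation made in the reply above."""
    chars = set()
    for v in range(256):
        # b2a_uu output: length byte, encoded data, newline.
        line = binascii.b2a_uu(bytes([v])).decode()
        chars.update(line[1:].rstrip("\n"))
    return chars


def has_lowercase(chars) -> bool:
    return any(c.islower() for c in chars)


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform, independent picks from the OS CSPRNG. The character mix
    is decided by `alphabet`, not by an encoding's quirks."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly chosen password: length * log2(alphabet).
    Note the original command is not weak on this measure: 12 random
    bytes uuencoded to 16 symbols still carry 96 bits; the missing
    lowercase only matters for sites that demand mixed case."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("uuencode symbols contain lowercase:", has_lowercase(uuencode_alphabet()))
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(FULL_ALPHABET)):.1f} bits")
```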


Here is a post from an earlier comment on how I manage my passwords: http://news.ycombinator.com/item?id=384658


http://www.bugmenot.com FTW

If you can't remember all the passwords to the accounts you have, one solution is to create fewer accounts.


I use 1Password from Agile Web Solutions. It's great -- it imported all of my passwords from Firefox and I just save new ones that way. It also does work on the iPhone as a password filler if you use the bookmark. If you use Dropbox you can keep your password keychain in there and update it among all of your macs. It would be ideal if Windows and Opera were supported but maybe some day. For now I just go between Safari and Firefox.


I like a very simple approach, which allows me to avoid using password managers.

For all accounts which are of little importance to me (in other words, ones which can be recreated without any problems) I have one easy-to-remember password. "foo87b@r" is a good illustration of what I mean. There are two simple words, separated by a number, and one special symbol. It's very easy to commit to memory and doesn't look easy to brute force.

But what if there is a malefactor who knows your universal password? If so, you are in trouble. He has all the keys to your e-money, mailbox...

To protect things that matter I'm using unique passwords made on the basis of a general pattern. It will prevent your accounts from being accessed using the insecure "foo87b@r" pass.

To illustrate that, suppose that our pattern is: __&_1_H@ckN!ws (placeholders for further substitutions are marked by "_")

Let's generate a password for the [n]ew[s].[y]combinato[r].com site (which characters of the URL are used when generating the password is up to the user).

Here is your secure password: ns&y1rH@ckN!ws

So, to use it you should be able to remember one simple password, one pattern and the principle describing how to get new passwords from the existing pattern + URL.

I've been using this scheme for the last two months.


For over a year I've been using a GPG-based "password wallet" through a shell script based on this Linux Journal article. http://www.linuxjournal.com/article/9861

I just run wallet.sh -e and enter the wallet password, and then vim (or editor of your choice) opens up with your passwords. It can be handy to store other important data in this GPG protected file as well. When you exit vim, the file is re-encrypted automatically.

I keep automatic backups of the gpg encrypted wallet file for safety.

The nice thing about this approach is that you can view and edit the file in whatever way you are comfortable, e.g. with vim. No GUI needed, so you can access it over SSH quickly (and yes, you could use the GUI solutions with SSH forwarding, but nothing beats a text editor in terms of speed).

Also, for generating passwords, you can use a Vim keymapping to shell out and run something like apg or spassgen to generate a random password.

I typically store website account info like this:

hotmail.com:hachiyamail@hotmail.com:password

or for more verbose account information:

americanairlines.com

hachiyamail@hotmail.com

Password: flyamericanairlines

Mother's Maiden Name: Smith

PIN: 2342


For web sites I don't want to access from my phone, I use the PasswordMaker plugin for Firefox, which generates site specific passwords from a single master password that never gets saved anywhere (except maybe swap space, I haven't looked into that). The only problem I've run into were overzealous input sanitizers on some sites that refused some of the characters in the generated passwords.

For really important passwords I use strong random passwords with a security copy on paper stored in a safe place. Depending on the password and how often I need it that may be the safe at work, a binder with all the important related personal documents, or that place all people use to keep valuable small pieces of paper, the wallet in my pocket (there usually without a full domain name).

Then I use old safe passwords which I no longer use for their original purpose but still remember as passwords for situations where PasswordMaker is no option.


I store all my account URLs, user IDs, and passwords in a text file that is inside of an encrypted TrueCrypt volume. The TrueCrypt volume appears as an ordinary file on my computer, and the password to decrypt it is stronger than any password inside the file (13 characters, mixed case with some numbers and symbols mixed in).

For non-critical accounts, I use an old Kerberos password from a long-expired ISP account that I used to have. It's burned into my memory as strongly as my own birth date. For more secure account needs, I have a stronger and longer password that I use. When I need to rotate passwords regularly, I use three characters of the month, a symbol, two digits of the year, and my old Kerberos password all concatenated together. It's easy to remember and difficult to crack because it's eleven characters long, and mixed-case alpha-numeric.


Password Safe http://passwordsafe.sourceforge.net/

I believe it is a security risk to reveal password usage/methodology and so must politely refuse to elaborate.


I use a different pass for basically everything. The strength depends on how much I care about my account at the service. I've been known to do stuff like "<servicename>sucks" when I really don't care about it. Everything somewhat important is longish, with some capitals/numbers/special chars.

I have FF remember all of my passes basically (on my own computer with a good password on it.) I make fairly heavy use of "forgot pass" functions to make up for forgetting some passes.


I just finished reading a book on this very topic, and recommend it highly.

_Perfect Passwords_ by Mark Burnett, available at:

http://www.amazon.com/Perfect-Passwords-Selection-Protection...

It's full of great analysis, as well as a fun table of the 500 worst passwords of all time. :)

(Note: I am not connected with the publisher or author in any way.)


Roboform (http://www.roboform.com/) sounds similar to some of the password managers here, but also does form filling. There's also a Robo2Go app that lets you tote your passwords on a USB drive.

The browser integration is really nice in that login fields can be prefilled as you visit different sites.

Also there's a password generator that can be customized for special characters, upper, lower, numbers, length, etc.


I have a single password and a mailinator address for anything that requires login or registration. Fake name, fake password?

Then I have different, good passwords for my login and Gmail. These are easy to type and generated from a passphrase so they look nothing like dictionary words and yet there is a good way to remember them when they're new and my fingers haven't learned them yet. These are about 10+ characters long but those that are easier to type are favoured.

Old passwords from the previous category are often reused for middle-level services such as HN, Reddit, Slashdot, FaceBook and others where I have a long (or expected long) residence and high correlation with my privacy or personality. This is mostly for convenience since my fingers have the kinetic memory for about 6-7 such passwords: something I've typed for months or a year as my login password is something I'll also remember the following months or a year as my reddit password. If I forget, I try all recent password patterns that my fingers can remember. Has worked so far.

Online banking login + passwords are nowhere but my head. In fact, I don't know them if someone wanted me to write them down. Instead, my fingers remember them. The login + password are set by the bank. I also have to look up a code from a pad of one-time PINs sent to me by my bank in order to successfully log in to the online services.

Anything else that is either important or rarely used (Amazon, online stock brokerage service etc.) are stored in a file encrypted for my private GPG key. I open it with Emacs, type in the GPG passphrase, let Emacs decrypt the contents and edit the file as usual. Saving will automatically encrypt the data before writing to disk. Looking up a password is a matter of decrypting the file to stdout from the command line and piping it to less. The private GPG key is protected with a passphrase that is about 50 characters long. It is not written anywhere. The passwords in this file are generated by a Perl script I wrote in the 90's. The output of the script is 16 bytes of random characters and numbers.

It seems that I rely a lot on my memory. Most of them are memorised in my fingers rather than the lexical part of my brain. I have maybe ten passwords that I need every week or month, and those are in my head, probably because I can keep them there. In addition, I have several PIN codes I must remember, and I do. (Cell phone PIN, two bank cards, SecurID user PIN, door lock code...)

So, go figure how to hack me.


KeePassX (http://www.keepassx.org/) is an excellent free cross-platform password manager for storing user names, passwords, URLs, attachments and comments in one single database. The database is encrypted either with the AES (alias Rijndael) or Twofish encryption algorithm using a 256 bit key.


I use KeePass (http://keepass.info/), it's free and open source. It stores all your passwords in addition to being able to generate passwords with a myriad of options. You need only remember a single password to get in. They also have a bunch of plug-ins for various different uses.


Random username and password for each site, generated by http://duckduckgo.com/?q=pw

I keep them in an encrypted file on an encrypted disk. I let my browser remember them though, and I have the frequently used ones (ssh, gmail, etc.) memorized.


Here's an article I wrote on creating them, and having them be recoverable. http://xenoterracide.blogspot.com/2008/04/making-secure-reco...


For sites like this one, I use one of two or three easy to remember passwords. For banking sites and such, I create strong passwords, which I keep written down (the Bruce Schneier approach).


Not extremely sophisticated from the generation side but SecretBook for Mac is really pretty clean. iPhone version as well.

http://bookshelfapps.com/


"Password Gorilla" is a GPL-licensed, cross-platform password manager. http://fpx.de/fp/Software/Gorilla/


+1


I probably need to use more passwords. I make them by creating simple geometric patterns on my keyboard. It's easy to remember, and they aren't common words.


As per a post on Joel on Software, I've started using PasswordSafe (SWT..the Java one) on all my machines, and sync the database with dropbox. It's great.


For me it's lastpass.com. They do it right: they remove the passwords they (easily) find on my HD. The problem is still the master password, I agree.


I use http://passwordsafe.com to manage my passwords. It's good enough for me.



I use passook. It's a Perl command line generator for pronounceable passwords of selectable strength. Quick and dirty.


clipperz.com FTW

They also have a community version that you can install on your own server.


I have to add another vote for Clipperz (http://clipperz.com). I started using it to manage insecure passwords. I tried to use a generic insecure password as others have mentioned above, but I kept encountering slightly different password restrictions that made this very difficult. I think Clipperz is web-based password management done right. Encryption is done in the browser and the javascript code is open source. Only encrypted data is stored on the server, so they can't even get your information. I highly recommend at least checking it out.


1Password is __teh__ shit.



