How do you keep track of passwords?

David1961

How do you all keep track of the different usernames and passwords on the numerous web sites you are registered on? "Experts" say to never write a password down, but there is no way I can keep track of all this in my head. And when you register on a site, do you try to use the same username and password that you use on other sites to make it simpler?

For some sites, I'm not that concerned if someone gets into my account, but financial accounts are a different story.

A funny story, but when I worked, the computer security experts wanted us never to write our passwords down. One time, I was in his office and he tried to log onto a site and could not remember his password. He got a piece of paper out from his briefcase, looked at it, logged on and said, "You didn't see this."
 
I keep a hard copy of all my passwords, probably have over thirty. Plus I don't like to keep them anywhere on my computer.
 
I use Roboform, a password manager. I have some variation of a password that I use (it is customized for each site) for non-critical sites. For financial passwords and my email passwords I use a unique password for each one. I do have a hard copy (not on the computer) of a few critical passwords.
 
My passwords are randomly generated and stored in a good password manager.
 
I use an old rolodex-type program - PalmPilot. The file is stored in an encrypted volume.
A secure password manager is much better, though. Something like lastpass works fine.
 
LastPass is a good tool for managing your online passwords. It will auto generate and save very complex passwords for you so you don't have the problem of trying to remember them which usually results in people using the same and/or simple to guess passwords.
 
Our sensitive passwords (about 8) are hard copy and backed up to a flash drive. All my other passwords (another 30) are on a spreadsheet on my PC. I used to go to some length to protect them all until I realized the consequences of losing most of them weren't worth the effort. What's the downside if someone gets my ER.org password really? There are several ways to deal with it.
 
LastPass is a good tool for managing your online passwords. It will auto generate and save very complex passwords for you so you don't have the problem of trying to remember them which usually results in people using the same and/or simple to guess passwords.
I also use LastPass. I like that it is not an advertising business model; you get the web version for free and pay 10 bucks a year if you want to use it on mobile devices. The encryption is all done locally in JavaScript, so what is saved on the LastPass servers is an encrypted blob that is pretty close to impossible for anyone to decrypt, including LastPass. I honestly only have memorized one password... Actually a pass phrase because longer is better... and that's my LastPass pass phrase. If you run with the browser plug-in, you authenticate with LastPass one time, and it populates user name and password when it "sees" a login page. It also recognizes when you do a password change and chunks the new password into its memory. You can download the blob so that you can have access to your passwords offline. It is not open source, but some smart folks have looked at the JavaScript code and also sniffed the traffic without finding anything suspect, so I trust it to keep my stuff safe.
 
Our sensitive passwords (about 8) are hard copy and backed up to a flash drive. All my other passwords (another 30) are on a spreadsheet on my PC. I used to go to some length to protect them all until I realized the consequences of losing most of them weren't worth the effort. What's the downside if someone gets my ER.org password really? There are several ways to deal with it.

+1
 
Don't I remember this conversation taking place only a couple of months ago?
 
I have one or two passwords that I use for non-critical sites (sites where if my password was compromised the implications are not very dire). For financial sites, I have a particular scheme but the password for each site ends up being different.
 
I use KeePass; it's like LastPass but not on the web.
So I don't worry that a web server will be hacked (it must be a big target).
The encrypted file is stored locally on my machine and I can copy it to a flash drive or other machine (laptop) to travel.
I only need to remember 1 password to open it and then have access to 100's of different usernames and passwords for the sites I visit.
I also own some domains, so I have unlimited email accounts for the sites that need you to use email for the username.
I forward all these disposable emails to a real email account so I can get reminders/spam.
 
I also use LastPass. I like that it is not an advertising business model; you get the web version for free and pay 10 bucks a year if you want to use it on mobile devices. The encryption is all done locally in JavaScript, so what is saved on the LastPass servers is an encrypted blob that is pretty close to impossible for anyone to decrypt, including LastPass. I honestly only have memorized one password... Actually a pass phrase because longer is better... and that's my LastPass pass phrase. If you run with the browser plug-in, you authenticate with LastPass one time, and it populates user name and password when it "sees" a login page. It also recognizes when you do a password change and chunks the new password into its memory. You can download the blob so that you can have access to your passwords offline. It is not open source, but some smart folks have looked at the JavaScript code and also sniffed the traffic without finding anything suspect, so I trust it to keep my stuff safe.
LastPass is our solution as well. I especially like the new enhancements that make it more useful on Android devices: https://blog.lastpass.com/2014/03/logging-into-android-apps-just-got.html/
 
I use KeePass for all of my financial sites and an Excel spreadsheet for the 200+ usernames/passwords for sites that won't impact me financially.
 
I've been using 1Password for nearly eight years, and I still like it very much.
 
Most of my passwords for my general sites are a form of the same 8 to 12 character password and so I can usually guess :angel: but just in case, I keep a list that is coded for quick reference... my family was in the furniture business and we used to "code" our cost on items that we were intent on moving out the door... so you can use any 10 letter word or phrase where the letters do not repeat (money talks was one of them that I thought most appropriate at the time).

I also use old phone numbers as I learned them as a child ~ back when they included the 1st 2 numbers as a letter designation... heck, I have one account where my PW is my ex-in-laws' telephone number from almost 40 years ago... why not? They are long gone and it's burned into my memory so why not use it for something?? :cool:
 
Are people worried that LastPass will be subject to the same issues as Lavabit?
 
Just counted my website links... 134...
Pretty easy to store all those passwords in memory, but maybe I should write them down, just in case. :(
 
I use Norton Identity Safe. It's in the cloud, so I can also access it from places other than home.
 
Are people worried that LastPass will be subject to the same issues as Lavabit?

Not sure how the Lavabit email encryption worked, but with LastPass your encryption key is unique to you and stored locally on your computer; any data stored on the LastPass server is first encrypted locally on your computer, then sent to the server. LastPass does not have the ability to unencrypt your data that's on their server, which means if you forget your LastPass password you're screwed. Is there some secret key that the NSA has to get around it? Who knows. I figure if the NSA is coming after me they can/will get anything they want; I use it for typical hacker protection.
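
The local-encryption model this post describes, as an added example that is not part of the original thread and is not LastPass code: the vault is encrypted on the user's machine with a key stretched from the pass phrase, so the server holds only an opaque blob and a wrong or forgotten pass phrase cannot open it. PBKDF2-SHA256, AES-256-GCM, the iteration count, the function names and the sample entry are assumptions chosen for this sketch.

```javascript
// Added illustration of client-side vault encryption; not LastPass code.
// Algorithm choices and all names below are assumptions for this sketch.
const nodeCrypto = require("crypto");

const KDF_ITERATIONS = 200000; // assumed work factor

// Stretch the pass phrase into a 256-bit key. The salt is not secret.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, "sha256");
}

// Runs on the user's machine; returns only what a server would store.
function sealVault(passphrase, entries) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: body.toString("base64"),
  };
}

// Also local. Throws when the pass phrase is wrong or the blob was altered,
// because the GCM tag check in final() fails.
function openVault(passphrase, blob) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, "base64"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  const body = Buffer.concat([decipher.update(Buffer.from(blob.ciphertext, "base64")), decipher.final()]);
  return JSON.parse(body.toString("utf8"));
}

// True only when the pass phrase decrypts and authenticates the blob.
function canOpen(passphrase, blob) {
  try { openVault(passphrase, blob); return true; } catch (err) { return false; }
}

// Constructed sample data, not real credentials.
const sampleEntries = [{ site: "bank.example", user: "alice", password: "constructed-sample-only" }];
const storedBlob = sealVault("correct horse battery staple", sampleEntries);
console.log(Object.keys(storedBlob), canOpen("wrong guess", storedBlob));
```

Because the key exists only where the pass phrase is typed, there is no server-side reset: losing the pass phrase loses the vault.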
 
Long, Random Passwords Stored in Software

My passwords are randomly generated and stored in a good password manager.

I use software to generate long, randomized passwords and store them.

My user IDs are also significantly different across most sites, especially anything related to my finances.

Two Open Source software tools that I can personally recommend for this purpose can be found at the following sites: KeePass Password Safe and Password Safe.

If you go this route, backups of the files and using a pass phrase (master password) that is complex but which you have no real chance of forgetting are very important.
 
I also use LastPass. I like that it is not an advertising business model; you get the web version for free and pay 10 bucks a year if you want to use it on mobile devices. The encryption is all done locally in JavaScript, so what is saved on the LastPass servers is an encrypted blob that is pretty close to impossible for anyone to decrypt, including LastPass. I honestly only have memorized one password... Actually a pass phrase because longer is better... and that's my LastPass pass phrase. If you run with the browser plug-in, you authenticate with LastPass one time, and it populates user name and password when it "sees" a login page. It also recognizes when you do a password change and chunks the new password into its memory. You can download the blob so that you can have access to your passwords offline. It is not open source, but some smart folks have looked at the JavaScript code and also sniffed the traffic without finding anything suspect, so I trust it to keep my stuff safe.

+1

About six months ago, I realized I needed to have stronger passwords, and unique to each site, so I did a lot of research on password managers.

I was initially skeptical of LastPass' model of keeping a blob of data on their servers, but the more research I did, I felt comfortable that they couldn't decrypt it provided I use a strong enough pass phrase.

I've been very happy with it. There are a few sites that it has trouble logging into automatically, even though I'm pretty sure I've got the correct URL saved. But it's not a big deal, because I just select the ID/password from the already-populated list it presents (which only contains that site's credentials anyway, so only one entry to choose from) and then I log in no problem.

Even though I don't need the mobile part of it because I don't log into web sites from my phone, I'm tempted to subscribe anyway because I like the product, and some day I may want to incorporate a YubiKey for additional protection.
 
I too use LastPass on my desktop PC but NOT on mobile devices. Mobile devices seem to me to be less secure because (1) who wants to have a password on a smartphone when a call comes in? (2) one uses networks that are possibly insecure when on the road (3) more likely to have a tablet/smartphone/laptop stolen when on the road. If I did have LastPass on my mobile device, I would just turn it on just to log on and then turn it off, as the vault makes all your passwords visible (by clicking on the "eye" on a password in the entry form). Logging in on a cell phone connection probably is more secure than a hotel wifi.

If a person hacks into Lastpass, maybe via a keylogger, all your passwords are easily visible. Admittedly, this is a remote possibility. For that reason I do not have my financial sites or other critical sites on Lastpass.

Caveat: I'm no security expert ... just paranoid.
 
Anyone use Chrome's "password manager"? It keeps your passwords and automatically enters them as needed/appropriate. Stored in the cloud and as long as nobody hacks your Google password, you're good. (or not?)
 