Keeping passwords safe

summer2007

It seems I have so many passwords...one is required for everything.

I just have the passwords for online groups and things like that stored on my computer.

But my more important passwords for bank accounts and things like that I keep in a locked box.

I just wanted to see what others thought was the best way to keep important passwords safe?

Jim
 
Committed to memory. They're made of a random combination of names & numbers from dates & places. Somehow I remember which one goes where.
 
My password list is the only hand-maintained (non-computer) list I have - a sheet
of paper with about 30 logins/passwords. This is the only info I will not store on
my computer.
 
A bundle of 3x5 cards that I keep in a plastic card holder on my desk. All important info about each account is written on a card---institution, URL, login name, password, security questions, account number(s), phone number, etc.
 
Bruce Schneier (sp), a well-known security guru, keeps his on a paper list in his wallet. He said he hasn't lost his wallet in decades and would change them all if he lost it. I assume he must keep another copy somewhere else. I keep mine in Password Safe, a free, open source application for storing and retrieving encrypted passwords. You can copy the app and data file onto a USB key and carry it with you. If you trust your online mail system like Gmail or whatever, you could keep a copy in your email drafts folder or as a Google Doc. Just don't send it to someone else over email where it will traverse the Internet in clear text.

Edit: speaking of the drafts folder I read that criminals and terrorists use that method to pass information. I.e., two or more parties have access to the account and write to each other through the drafts folder - nothing passes across the Net in clear text for NSA to spot.
 
I keep mine on paper in a code that only I know. An example would be oldpet123, which means my first pet's name followed by 123.
 
I keep a file on my computer with just enough of a hint of each account/username/password that I can figure it out. I have ways to indicate variations of common passwords/PIN numbers that I use.

The encrypted program on a USB thumb drive is probably safer, but I think my system is good enough. I worry more about the system that I have my information on being hacked than I do my own password being found and used. I do check my accounts where I've got money pretty often, to make sure nothing looks changed or missing.

I suppose once one password was compromised, it might not be too hard for someone to figure out my method and get to the others that one is based on. If I were an international spy and worrying about the NSA trying to crack it, I'd be more worried.
 
I use RoboForm (roboform.com). I like it because it automatically fills and submits them on the webpage when I tell it to.
 
... I keep mine in Password Safe, a free, open source application for storing and retrieving encrypted passwords. You can copy the app and data file onto a USB key and carry it with you. ...

I use something similar as well... I connect to it via USB as needed (when I can't remember the password or need to update it). The file contains basic info on all of our accounts/assets.

The file itself on the USB drive is password protected (no way I can forget that one) as well, so every year I also print out this information and store it in the fire box - this is where my DH would look for it.
 
I keep mine on paper in a code that only I know. An example would be oldpet123, which means my first pet's name followed by 123.

I do a similar thing, and sometimes I would list it as Ro123 if the dog's name was Rover (in other words, just use the first 2-3 letters instead of the whole thing, or sometimes just one of the numbers would be enough, like Ro3). All it takes is enough to jog my memory. I don't list anywhere what the passwords are for. I usually know that for this application, it's on the upper left of the sheet and for that one, the lower middle, and so on. Once I see the code I can usually remember which one goes to the application in question, though once in a while there are two similar ones on the same part of the paper, so I have to try two.

I remember back in the old days, before one was forced to change passwords at irregular intervals and make them so-called "strong passwords" and such. Back then, I had the same password for everything and simply did not allow anyone to look over my shoulder and did not tell anyone what it was. I never had my password stolen, and if someone walked behind me while I was typing it then I would change all of my passwords that day. That was pretty easy, and I never had any problems with it. It was easy to remember one password, so I didn't have to write anything down. Ah, the simple days of yore! :)
 
I keep scraps of paper with account numbers and a cryptic list of phone numbers that I knew from my past. There will be one fake phone number in there that contains the password or a hint to it if the password requires letters as well as numbers. I also keep the numbers in a draft e-mail. I'm looking into other methods as I'm setting up a home office.
 
I could tell you what I do, but then I'd have to kill you... ;-)

Seriously, my approach to security is two-fold:

First, I keep my passwords and critical data in a relatively secure but handy spot, and my passwords are relatively strong but not cryptographically ideal. Generally speaking, I have a password-generation algorithm that I have committed to memory, so most of the time I can generate the correct password on the fly.

Second, I monitor everything. If my data is compromised I believe I will find out rather rapidly -- I check my credit report daily, I check my banking and investing accounts nearly daily, I have a credit alerting service, and most all companies I work with would send me emails or mail if a thief changed my account somehow.

Between those two things I feel safe enough.

2Cor521
 

Since this is at least the second time I've seen TromboneAl recommend this, I decided to give this a try.

It is much better than what I had been doing and since it is an encrypted file, you can leave it on your desktop. The tool makes it easy to find your info and will actually launch the associated URL and copy the password to the clipboard ready for pasting (with a settable clear clipboard timeout). It has a tool that will help generate strong passwords, so you can have different strong passwords for each site (and don't even have to type them in).
 
Committed to memory. They're made of a random combination of names & numbers from dates & places. Somehow I remember which one goes where.

Mostly the same thing here....but once in a blue moon I forget one, so.....

Bruce Schneier (sp), a well-known security guru, keeps his on a paper list in his wallet.

.....yep......got a list of my cryptic pw hints in my wallet.....also a copy in my big-@ss safe. And just to cover all bases..........

I use something similar as well... I connect to it via USB as needed (when I can't remember the password or need to update it). The file contains basic info on all of our accounts/assets.

The file itself on the USB drive is password protected......

......I keep a password protected file, on my password protected USB Flash Drive.....that I carry with me all of the time. It also contains copies of all of my important papers and files, as well as all of our vacation pix.....and a couple of old DOS games that I still like to play occasionally. Oh, and it also contains a copy of the combo to the big-@ss safe!

And if all that ain't enough......there's a copy of the list in the safety deposit box down at the bank!

However, when all is said and done......I almost always remember what password to use at which site. And if I use the wrong one and end up with a "wrong username or password" message, then I remember the correct one......9 times out of 10 anyway. :D
 
I only have the bank password committed to memory; all other passwords are the same so I only have to remember 1. What could someone do if they knew my password to this forum, or any other forum I visit?
 
And now for something [-]completely different[/-] semi-related.....

Back when I was still employed, I had a master username and password for all the important stuff! I had fellow employees try to figure it out....with absolutely no success.....never even close!

My standard username was.........ummmm......"username". Can ya guess what my standard password was? Yup! It was "password"! It was easy for me to remember.....but waaaaay too difficult for my co-workers to figure out! :2funny:

Of course they never figured out that the icon labeled "Chemical List" was actually a solitaire game, and the one labeled "Lab Equipment" was actually 'Tux Racer'. Or that if I moved the mouse cursor to a 'hot corner', a fake spreadsheet would instantly appear on screen.....to cover up the fact that I was playing cards or sending a penguin careening down an icy slope! :D

(end of mini-hijack)
 
I use password themes.

For financial sites, all passwords follow a certain theme and that theme will never be forgotten unless my mind goes.
For work sites, they follow a similar pattern, but different theme.
For social sites, I use similar format to work sites.

I have a spreadsheet which reminds me of all account locations and the login id at that site. The theme is there, but unless you know the contents of the theme, it would be impossible to guess.
 
I do a similar thing, and sometimes I would list it as Ro123 if the dog's name was Rover (in other words, just use the first 2-3 letters instead of the whole thing, or sometimes just one of the numbers would be enough, like Ro3). All it takes is enough to jog my memory. I don't list anywhere what the passwords are for.

You gotta be careful with methods like this. You've got to be able to reliably remember the passwords. I well recall when I was in the hospital for 2 weeks last year....I felt so crappy that I could barely remember what month it was, let alone arcane things like remembering what corner of a sheet of paper to look at. Also, you've got to make sure that your spouse (or whomever) can find the passwords when/if you are dead or incapacitated. Or lose your memory.
 
You gotta be careful with methods like this. You've got to be able to reliably remember the passwords. I well recall when I was in the hospital for 2 weeks last year....I felt so crappy that I could barely remember what month it was, let alone arcane things like remembering what corner of a sheet of paper to look at. Also, you've got to make sure that your spouse (or whomever) can find the passwords when/if you are dead or incapacitated. Or lose your memory.

Good point. When I returned to work two months after Katrina (and all the mind-bending evacuation and cleanup and so on that followed), after going through unusually tight security and then climbing up six flights of stairs due to elevators totalled by the storm, and seeing/hugging friends I feared had drowned, I sat down at my computer at work and thought, "OMG - - what if I don't remember the password?" We get three tries and it locks, and I was pretty sure the IT people were swamped with password resetting requests, if they were even on duty. It turned out that I remembered and didn't even have to get out my sheet. But that was just luck.

On the other hand, I have been managing multiple computer passwords for well over 35 years and haven't had any serious problems that couldn't be addressed in a routine manner.
 
Also, you've got to make sure that your spouse (or whomever) can find the passwords when/if you are dead or incapacitated. Or lose your memory.


Good point! That's why I keep mine in a binder in a fireproof safe. I want to make it as easy as possible for my loved ones. Once a year I write my daughter a detailed letter with everything she needs to know and where to find it. Having been in that position you are so crazy with grief that you need all the help you can get.
 
I guess I don't have to remind you that participation in this thread is a security breach :angel:. I keep all my really critical passwords in a physical form off the computer. Important Excel files are protected by very strong passwords.

Here is a link to creating strong passwords: Password Strength & Password Security - Microsoft Security

and here is the password checker: Password checker
 
Good point! That's why I keep mine in a binder in a fireproof safe. I want to make it as easy as possible for my loved ones.

I don't mean to be rude, but what passwords would your loved ones need from the binder, and why? The reason I ask is that I would think that the executor would have to deal with financial institutions directly anyway, to give them the death certificate and such. Maybe I am over-simplifying!
 
I used to really struggle over ease of use vs. strength. I finally settled on a 'theme' or system of password selection that makes each and every password I use on the internet completely different, yet I can remember them all without writing them down.

Example: if the domain name is 'goofy.com' I would use a set of numbers (like a pin number, 4-6 digits) and a combination of letters from the domain name. So if my pattern was to use the last two consonants and last two vowels, in reverse order, the password would be 123456fgyo (assuming I count y as a vowel, and assuming 123456 was my pin number).

The slight risk with this system is that if someone gets one of your passwords they might be able to figure out your system. But it seems safer than using the same password on every site, and much easier than using a truly random password generator.

Gina Trapani wrote a great piece on Lifehacker.com about this, and the comments below the article are good reading as well.

Geek to Live: Choose (and remember) great passwords
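
The domain-based scheme from the post above, worked through as an added example (not code from the thread or from any poster): it reproduces the goofy.com password and compares how much of it stays secret against a randomly generated password. The function names, the second domain and the 16-character random length are assumptions made for illustration.

```python
import math
import os
import secrets
import string

VOWELS = set("aeiouy")  # the post counts 'y' as a vowel


def themed_password(domain: str, pin: str) -> str:
    """PIN + last two consonants (reversed) + last two vowels (reversed).

    Assumes `domain` is given as in the post ("goofy.com"), so the part
    before the first dot is the site name.
    """
    name = [c for c in domain.lower().split(".")[0] if c.isalpha()]
    consonants = [c for c in name if c not in VOWELS]
    vowels = [c for c in name if c in VOWELS]
    return pin + "".join(reversed(consonants[-2:])) + "".join(reversed(vowels[-2:]))


def reused_part(a: str, b: str) -> str:
    """What two passwords from the same scheme have in common."""
    return os.path.commonprefix([a, b])


def secret_bits_themed(pin_digits: int) -> float:
    """Once the pattern is known the letters follow from the public domain
    name, so only the PIN is left to guess."""
    return pin_digits * math.log2(10)


def random_password(length: int = 16) -> str:
    """Independent random password per site, as a password manager generates."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def secret_bits_random(length: int = 16, alphabet_size: int = 62) -> float:
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    a = themed_password("goofy.com", "123456")    # example from the post
    b = themed_password("example.org", "123456")  # constructed second site
    print(a, b, "shared:", reused_part(a, b))
    print(f"themed: {secret_bits_themed(6):.1f} bits of secret")
    print(f"random: {secret_bits_random():.1f} bits, e.g. {random_password()}")
```

The shared prefix is the whole PIN, which is why one exposed password from this scheme puts the others at risk, while random per-site passwords have nothing in common to reuse.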
 