Password management

category: offtopic [glöplog]
Managing all my passwords is becoming a serious headache:

- tons of websites requiring a password
- different password for each site
- secure passwords, that just aren't rememberable
- accessing all this from a bunch of different devices (desktop, laptop, work computer, phone, ipad...)

Any suggestions for a good way of managing them all?

I just had a good look at lastpass, then a much closer look because I'm not much for the idea of storing all my passwords on their servers. They did actually get hacked recently. Seems there was no real damage, as they have pretty good systems in place, but still I'm not too keen on the whole concept.

I guess the ideal solution would be something like lastpass (heavily encrypted file containing all my login details, master password to access it, some kind of browser integration) but with me hosting the file myself somewhere. This way I can protect it however I want, and there's little incentive to go after it (one file containing unknown stuff for one person isn't going to have the appeal of a big site with details for thousands of people, which pretty much guarantees major loot). Anything like that exist?
added on the 2011-07-15 12:11:48 by psonice
LastPass has worked well for me. And just to be clear, the encryption happens BEFORE it is uploaded to their servers, so they don't store your plaintext passwords at any point.
added on the 2011-07-15 12:32:38 by menace
browserID to teh rescue?!

added on the 2011-07-15 12:45:20 by pro
Use the "forgot my password" at every website on every log-in!
added on the 2011-07-15 13:26:09 by okkie
okkie: i'm already heavily dependent on that :D

menace: yeah, it does look good. The only 'issue' as I see it, is that they're storing a large number of these encrypted files that they don't have keys to. That's an appealing target still, because if you can get access to their system, you own the bank vault. If you have access to that, it's likely not impossible to add something to the site that captures keys as the customers log in. It would be *hard*, but the nature of the contents means it's a desirable target. Thus, I'd prefer something distributed (or local).
added on the 2011-07-15 13:49:38 by psonice
of course a great majority of sites with a "forgot your password?" link send unencrypted emails with the new pass or the link to where you can change it.
anyone snooping your traffic can get it before you do. but maybe that's just me being paranoid ;)
added on the 2011-07-15 16:24:13 by psenough
It's 100x more likely that a site you use somewhere is storing unencrypted passwords along with your other details and also has a simple sql injection flaw, and some guy somewhere has access to one of your accounts. Which is why you need different passwords everywhere, making it impossible to remember them all :/
added on the 2011-07-15 16:35:42 by psonice
yes. it is. just saying, don't bet your security on emails.
added on the 2011-07-15 16:39:36 by psenough
amen to all the above.
passwords are a constant fucking headache.
passwords, pin numbers, it's never ending. rolling passwords.. peh.

numbers, characters, case changes... every now and then some new prick site wants to throw another curveball to remember (Your Password does not have alternating symbols with numbers followed by a random non-dictionary sequence of vowels and consonants). ffs.

someone who comes up with a sensible solution is going to be a multi fuckin trillionaire.
added on the 2011-07-15 16:56:12 by baldrick

works on most os / mobile phone
e.g. put the encrypted db in a dropbox and access from android phone etc...
added on the 2011-07-15 16:59:12 by pandur
I'm liking the look of keepass
added on the 2011-07-15 17:17:15 by baldrick
or random public wifi networks where i can login to things with my phone being secure.

or wifi networks in general for that matter.

sorry, i'll take off my tinfoil hat now :)

keepass seems nice.

been using mac osx's keychain lately. fully aware that it isn't all that secure either. ;) but at least it gets automatically backed up with the rest of the stuff :)
added on the 2011-07-15 17:27:09 by psenough
maybe get rid of the accounts

+ focus doing your own thing

'tons' of sites only messes with your head, think about how much you can accomplish without all these services

you got tops 10k days left, the 'evil-loop' has soon decremented @ -1
why do you give a fuck if on a stupid website your account gets stolen ?
added on the 2011-07-15 18:29:10 by Oswald
Oswald: because many of these sites have access to financial stuff? I don't care about the password, it's the money that follows it ;) Yes, I could do most of this stuff offline. But it eats much more time than worrying about passwords, and I'll be fucked if I'm spending a good chunk of my life in a queue somewhere.
added on the 2011-07-15 20:13:14 by psonice
+1 KeePass
ps: yes, I've also been using keychain. Better still, if you have mobile me it syncs your keychain between computers, so I can access stuff between my various computers + also at work. Looks like that will disappear though, it seems to be unsupported by icloud and mobile me is closing :( Hopefully that will be fixed at some point.

I'll have a look at keepass (wtf with the name? kee-pass is terrible, keep-ass is at least english, but wtf would that mean? :D )
added on the 2011-07-15 20:37:59 by psonice
stores links to all the ass pr0n in the intrawebs!
added on the 2011-07-15 22:05:47 by psenough
This is why we need more websites that use OpenID.
http://passwordmaker.org/ is also an option.
added on the 2011-07-17 01:21:33 by neptun
lastpass, really it rocks.

it's also the only app that i know that really tried to make a version for every damn (modern) platform out there. as an opera+nokia user, typically nothing works for me. lastpass, no problemo.
added on the 2011-07-17 11:02:06 by skrebbel
ps. i really don't see how a keepass file hosted on dropbox is better than lastpass. it has all the same safety (locally encrypted, then hosted at some service provider's cloud), and way less of the usability (auto-type? oh come on.)

lastpass is rather web-focused, though. if most of your passwords are to SSH servers, keepass might do it better.
added on the 2011-07-17 11:05:50 by skrebbel
Write your passwords on a sheet of paper and store it in a safe place...
added on the 2011-07-17 12:04:05 by Adok