Dealing with Login Fatigue – How to Make Managing Usernames and Passwords Easier
I love the web and I love computers, but one thing that gets me every time is remembering which username/email/password combination I used when signing up for something. This is called login fatigue (actually that is a word I just made up, but I’d like to start a trend so please spread it).
As freelancers we often have more than our fair share of web and productivity applications, from timers to invoicing tools to project management apps, and that can only mean one thing – more logins.
Until biometric finger and eye scanning move out of science fiction and onto your keyboard, or systems like OpenID become mainstream, login fatigue is only going to get worse. So if, like me, you are tired of the ache and pain of countless forgotten logins and passwords tied to email addresses that belonged to an old employer or a lapsed domain, then read on and give these ideas a try:
Being Systematic
A personal system is probably the first port of call that people try. One technique you can attempt is to create three levels of passwords – insecure, medium and secure – for use on different sites. So when you go to a PayPal account or bank account you’d use the secure password, for medium importance sites you’d use the medium one, and for all the weird and wonderful things you sign up to you get out the insecure one.
There are also many techniques you can use to remember passwords such as mnemonic devices, little algorithms like removing vowels and turning letters into numbers, and so on. For a good list of ideas check out wikiHow’s manual for remembering passwords.
The problem with this approach is that it doesn’t take into account things like auto-generated passwords, multiple email addresses and sites that ask for a specific length of password that happens not to fit with the system that you’ve created.
Getting a Password Manager
Password managers are programs that you run to remember your passwords for you. This is a little like the auto-complete, remember-this-password feature that browsers come with. Auto-complete features are prone to problems, particularly if the physical location of your computer is not secure (i.e. other people use your computer), so password managers add a central master password from which you access all of your other ones.
Password managers can also include sophisticated features like auto-logins to completely bypass the login page of your favourite web applications, password generators and portable databases for when you use multiple computers.
My favourite password manager is HandyPassword, though Norton has a slightly dated product and RoboForm has been around since forever and is well regarded. If you’re on a Mac you might also like to take a look at 1passwd.
Password managers have an obvious problem though, what do you do if you aren’t at your computer? What if you are at an internet cafe, a friend’s house or some other random place and suddenly need access? If you’ve been using a password manager for a while you probably don’t even remember the passwords any more because you’ve been relying on software to do it.
Using Gmail as a Password Manager
If you are like me you have many (necessary) email accounts in many places and while you’d like to have them all go to one convenient place, you can’t. That is why I have myself a special Gmail account that I don’t give out to anyone or actually use for emails.
Instead I use it as a password manager. Every time I sign up to something I use the same email address and whatever password I choose. Confirmation emails all get sent to the same place and I have a stored copy of my username/password combination. Though I sometimes go on to change my email address I usually leave it on my Gmail account. When I don’t actually get an email with login details (such as when I sign up to an ISP) then I just habitually send myself a quick email with the details.
Since I’m pretty confident that Google won’t get hacked any time soon, I find this to be a safe and secure way of storing all my passwords and not having to worry about changes of email address or losing emails containing important logins.
KeePass on a USB Stick
This one is brought to you courtesy of xto’s comment below and involves an open source password manager called KeePass and a USB stick attached to your keyring… Proving that not all ‘.info’ domains are used by spammers, KeePass is a light-weight and completely free password manager (see above) that has plenty of features as well as the ability to run off a USB stick, so you can install one copy on your computer and take the other roving. Definitely worth a look.
So there are four solutions, what do you do?
Check out the open source Keepass. It adds right click URL follow, password gens and a ton of options making it a great tool for those of us fighting the password gods. Oh…and it runs great off a USB stick.
http://keepass.info/
xto
If you have a Mac look at 1 Password http://1passwd.com/ it rocks
For relatively low-risk sites such as forums and social networking sites, I tend to use similar, easy to remember passwords. For anything server and client related, I use Pastor on OS X to store obnoxiously-long, random passwords. I saved my password file as “pwd,” so whenever I need a login, I just hit ⌘+Space+pwd to open my file. If I need my passwords on other computers, I export my password file as a TSV and place it on my encrypted jump drive (rare though). According to the developer, Pastor will be able to group passwords in the next release, which will make finding logins even easier.
Personally, I’m far too paranoid to trust my passwords with Gmail or any other online app. I much prefer an offline system.
Nice, have added both 1passwd and keepass to the post, thanks guys!
The best thing about Keepass is that it is available for all OSes – Win, Linux, Mac, Windows Mobile etc. I synchronize my password database with my PPC phone and I’ve got passwords everywhere.
A bit of healthy paranoia is always good, Google has way too much info on us all already! Still an interesting idea, especially for those not-so-important passwords, like my ta-da-list login and things
I just put them in word docs and keep them on an external hard drive. That way I can easily do a “find” for the site and I’m done…and lazy when it comes to passwords.
I use KeePass with different databases/files to separate clients/work from personal use.
…and don’t forget to password protect Firefox….
I use Super GenPass, a small bookmarklet that generates a password based on a hash, my password, plus the URL of the site. It means each site I visit has a different password, but I only have to remember one.
There are drawbacks: I can’t sign onto Blogger with my google ID because Super GenPass will give me a different password for blogger.com than it will for google.com.
Another is that I don’t actually know my password for these sites! I have to have a copy of the bookmarklet handy in order to log in.
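The derive-from-a-hash idea in the comment above, written out as an added example (not Super GenPass’s own code or algorithm): one master password plus the site’s domain goes through HMAC-SHA256, so each site gets its own password while nothing has to be stored. The domain reduction to the last two host labels is a hypothetical simplification; the sample master password is constructed.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Constructed stand-in for a Super GenPass-style generator (assumption: HMAC-SHA256
# over the site's domain, keyed by the master password; the real bookmarklet differs).
ALPHABET = string.ascii_letters + string.digits  # 62 symbols; avoids punctuation some sites reject


def site_domain(url: str) -> str:
    """Reduce a URL to its last two host labels so every page on a site maps to one password.
    Hypothetical simplification: a real tool would consult the public suffix list."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def derive_password(master: str, url: str, length: int = 16) -> str:
    """Deterministic per-site password: the same master and domain always give the same
    result, so nothing needs storing, but the master must never be typed into any site."""
    domain = site_domain(url)
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))  # 62**16 << 2**256, so this is effectively unbiased
        chars.append(ALPHABET[idx])
    return "".join(chars)


def shared_account_mismatch(master: str) -> bool:
    """The drawback raised in the comment: one Google identity, two domains, two passwords."""
    return derive_password(master, "https://www.blogger.com/home") != derive_password(
        master, "https://www.google.com/accounts/Login"
    )


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for url in ("https://www.google.com/accounts", "https://mail.google.com/mail",
                "https://www.blogger.com/home"):
        print(f"{site_domain(url):>12}  {derive_password(master, url)}")
    print("blogger/google mismatch:", shared_account_mismatch(master))
```

Subdomains of one site collapse to the same password, but a second domain for the same account (blogger.com versus google.com) does not, which is exactly the mismatch the commenter describes.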
Another vote for KeePass, I could not imagine living without that app now. I use it for everything. Netbanking, domain names, FTP details, server logins, etc. And the inbuilt password generator is really handy to help get away from those generic “password” passwords I always seem to use in haste when prompted for a new password.
what’s wrong with the mac-native keychain.app? seems like it does all of the above (except easy portability).
I construct mine like this:
Google would be Gwhatever
MSN would be Mwhatever
At work, where I change it once a month:
April is WAwhatever
May is WMwhatever
It works for me – pick a ‘whatever’ and go!
You can use google word processor ‘docs’ to store passwords etc and then have access to it anywhere. You can also actually use gmail as an email account….really!
I use Passwords Plus from DataViz – this synchronises with my Palm PDA so I have access to passwords and other stuff (like bank information) away from my computer.
Dave
On Linux I have been using Revelation. It is a GTK app and KeePass looks like crap in Gnome.
Anybody here use Serverskine (Mac only)?
I just use one login and one, maybe two, passwords across the board. If I change one password, then I just change them all. I hate having to remember a ton of passwords so I avoid it at all costs.
I tried out Serverskine a few months ago, but I didn’t like it for a few reasons:
1) no line breaks in password comments!
2) opening the file wasn’t as simple as Pastor – when you open your password file, an extra blank window shows up.
@alan: I use Pastor because it’s easier IMO to add and find passwords and login details for email, MySQL, and other web services.
I used to work in an environment where I had access to sensitive information via the web, and I started looking for a more secure method for my passwords. Though I’ve now moved to KeePass to store them, I used to use a deceptively named (and password protected) text file on a password-secured flash drive. For the actual passwords, I keep a list of randomly generated 50 character passwords in Notepad++, where it’s easy to reach when I need a new one; for really important logins (like the sites I used to use), I put two of them together to make a 100 character randomly-generated password. (I use http://www.pctools.com/guides/password/ to create them; you can select what types of characters you want in your passwords.)
John @ One Man’s Blog wrote a few weeks back about password hacking (http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/); he wrote that a 14-character, mixed-case & special characters password would take 154,640,721,434,000 years to crack with a brute force attack. By comparison, your 4-digit minimum would take a little over two hours to crack; ratchet it up to the normal “at-least-6-characters” and it would go down in just over a week. Pretty scary stuff.
if you’re a scientist (especially a chemical scientist) there’s a really neat way to devise passwords you will never forget but that are essentially uncrackable – I’ve written up my idea on the Sciencetext.com site, you can get the gist of it here
For those of you looking for a portable password manager, your only choice is an online service (unless you want to carry around the USB stick). I’m a co-founder of PassPack, so I’m clearly biased towards my own product, but there are others too if you want to shop around.
But even if you don’t want to try that, there are many very dangerous techniques described above. I’ve done a ton of research on this, and written a few articles, so here’s a few that will be helpful:
Why sending passwords via email (yes, even Gmail) is bad
Why you MUST use many passwords, and a password manager
Online vs Offline password managers
I hope that helps. I’m always happy to answer questions, so feel free to contact me. My email is listed on PassPack’s contact page.
Cheers,
Tara Kelly
PassPack, Free Online Password Manager
PS. Google has been known to leak passwords in the past. Google is in the business of searches, not security.
I say Roboform kicks ass! They also have Roboform portable that you can take with you on a stick. Plays well with PortableApps as well. I wish I could sync it with some online server though and I wish they had Linux support.
When managing passwords for clients (viz. their FTP accounts, Admin passes, etc.) I always take a part that is related to the user, then some digits and then another random letter.
If I made a project for a dude named Johnny he’d probably end up with “Cash542J” or something like that; If the project would be about boats the pass could be “KeepMFloating239F”
For my own personal passwords it’s simple: I know them by heart (I cannot say them out loud when someone asks, I really have to type them down) and change a few characters every now and then. To practice a new pass I just type it in a few times … my hands will start to know them
Mac OS Keychain works great for me. However, too many times have I forgot my passwords as I keep adding a ridiculous string of numbers to the end of them.
I only use two, maybe three passwords for everything so it’s not hard to keep track. But a while ago I found it was getting to be cumbersome, so I went old fashioned, bought a little notebook, and wrote username/password combos down in it. I only have to use it rarely, and it’s easy to take with me if I’m not at my computer.
Call me boring or even naive and maybe careless but I also simply use a notepad for my passwords for my clients logins. For myself and personal logins, I use a similar login id and passwords
@Jermayn
What happens if a glass of water gets spilled on the notepad? Or it gets lost? Or your office burns down or gets broken into?
You have a responsibility towards your clients to keep their information safe. In some countries, you could even be held liable for not employing “reasonable and current security methods to prevent unauthorized access, maintain data accuracy, and ensure correct use of information.”
Please choose – and use – a password manager.
I use a password manager, but I didn’t like any of the ones I tried. I kept wanting to add information that didn’t fit in any of the fields they provided and a generic comment field meant things got messy. So I fired up Excel and a few encryption macros later I had my very own custom password manager. All the functions of Excel are now available for use with your passwords. It does, of course, require that you have Excel on whatever computer you plan to use.
It’s free if anyone wants to give it a whirl.
I’m using gmail as my account where I get all the emails. And I use the concept maker of gmail as my notebook where I write less important passwords into, so I can remember them. I give them a tag so I know where to find them.
@Marios Alexandrou
Be careful, the MS Excel encryptions have all been amply cracked. Same goes for all of MS Office, and even OpenOffice.
Have you tried PassPack? There is a simple notes field so that you can jot down comments. It’s a free service, and it uses an encryption algorithm which has been approved by the US government “for top secret” documents.
Tara,
I’m not using Excel’s built-in password functionality. That, as you’ve pointed out, has been found to be very weak. Instead, I’ve taken the BlowFish encryption algorithm and implemented it as a set of macros in Excel. To crack these encrypted fields would imply that you’ve found a flaw in the BlowFish encryption routines.
If you’re on a Mac, like me, OS X’s built-in Keychain app is definitely the way to go.
It has the advantage that most OS X programs store their passwords in the login keychain already so it already has the foundations of a handy central repository for you to store additional passwords.
You can create multiple keychains with different master passwords and can store these new keychains on a USB drive, should you wish. (Though they’d only be accessible from another Mac.) It even has a password generator so you can create unique strong passwords e.g. for websites you don’t use much.
There’s a fairly good tutorial on using Keychain here (though it’s a little ad-laden for my tastes, sorry):
http://www.mostofmymac.com/articles/the-key-to-keychain-effective-use-of-apple-keychain/
My tip would be to configure it to show in the Status Bar (up by the clock), it makes it much, much more immediate to use. Open up Keychain, go to its Preferences, and under the General tab tick the “Show Status in Menu Bar” checkbox. You now get a little padlock icon up by your clock which allows you to open Keychain.app, quickly lock your screen or keychains, etc.
For Windows users, back when I was a Windows sysadmin I relied on the excellent, free & open-source software called PasswordSafe:
http://passwordsafe.sourceforge.net/
From the site “Password Safe is an open-source tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords.”
You can store its database on a USB drive; I used to store it on a network share. I’d imagine the executable can run from the USB drive, too, so should be portable. (But Windows-only.) There was a PocketPC/Windows Mobile version around back when I used it, which was really useful: I’d store a copy of the database on my iPaq and have instant access to the passwords.
Originally created by legendary cryptographer Bruce Schneier — he’s the “daddy” of modern crypto algorithm computer programming implementations, see his book Applied Cryptography — I’d be willing to bet that the encryption in this software is top notch.
As far as password management advice goes, I’d *never* use Gmail — or any other e-mail system — as a password repository. It’s just not trustworthy for many reasons, but it’s a non-starter for Gmail because the traffic isn’t encrypted past the initial sign-in, so should you be using it over an open wireless network all your passwords are flying through the air completely unencrypted and rife for the picking. I’ll pass on that risk, thanks!
But then, I’m not sure I’d trust any third-party with the entire set of passwords. I’d go with a password manager as you then control the data and its security yourself, but I’d also take the added step of regularly printing out the passwords unencrypted on paper — or at least the “master” password along with details on how to get to the password archive — and storing this in a secure location such as the home/office safe. Back when I was a network admin I considered this essential: if I got hit by a bus the company would be a lot less stuck than if I took the password archive’s master password and its contents to the grave! (This also applies to family members. For instance, should the worst happen, can they get access to the household accounts on your computer?)
There are ways to set up GMail as a virtual drive ManxStef, so you could tie that in with your password storage ideas too.
db
The idea of Google password storage is good in theory, but I won’t trust GMail until they take it out of beta! That beta basically means, hey, if we get hacked and all your stuff is on our site…. you shouldn’t have used our beta gmail account. I would do the same but with an established trusted site such as yahoo or msn. At least if your stuff gets hacked there you can attempt to sue or settle out of court. Google makes billions but it has been what, 2 or 3 years of gmail beta, what is up with that? I think it’s time they put some of those development dollars into a full fledged product instead of hiding behind the beta curtain!
I haven’t given this area much thought myself, I use Keychain on my computer to store most of my information, it works fine with most web information for myself.
For clients, I’ve pretty much stuck with a document (Pages, Word, or Excel) that has login information for sites, email accounts and any FTP information. I tried Serverskine but didn’t like the lack of email account support, so a simple table structure in a document works fine for me.
After reading some of the comments I may want to look into some sort of password manager and consider stronger passwords as well.
Folks, GMail isn’t safe for storing passwords – it’s not encrypted.
this is exactly what i am dealing with right now…LOGIN FATIGUE! thanks for your wonderful suggestions, I am enlightened.
I tried using Keepass and KeepassX on a USB stick. That way it didn’t matter if I was using my Mac at home or a PC at work. But then I misplaced my thumb drive and just about had a heart attack when I couldn’t find my backup.
My solution was to move the password database and key file to my iDisk on my dot mac account. Now it just doesn’t matter if I’m at home or at work, I’ll always have access to my passwords. I still keep a copy on my USB drive but it’s a backup in case I’m using a computer that doesn’t have internet access. If I lose it, NBD…
I wonder why nobody mentioned the FF manager?