
Ask HN: Best way to protect my passwords as a user? - unwantedLetters
I have very little knowledge of passwords and how to keep them protected. My "keep myself safe" strategy simply has different passwords for different websites - I try to keep special characters in.

It seems to me that with all these websites losing their data and seemingly (to the untrained eye) being completely incompetent, I need a better system to manage my passwords.

Can anyone suggest a good system to protect my passwords? For example - if the best way is to save and use complex 20-30 digit long random passwords, then how do you save those passwords? Surely you're not memorizing passwords for all your services, so you're using some sort of password manager, so any ideas on which password manager is good?

Or perhaps is it good to have a "passwords file", use some random password generator (or perhaps generate an MD5 hash of some text and use that as a password) and then keep all of them under some protected file on your system?

Or is Mac OS X's Keychain Access any good for storing passwords?

I am asking this question here because there are people in this community who are known to be knowledgeable about the security of systems, and that makes them more eligible than I to answer these questions. I have done a little reading on the subject and find discovering a good way to protect myself very difficult. I hope I can get some help in this community.

Thanks in advance.

(As always, any articles/information that educate me on this topic will be helpful)
======
benologist
I've started using 1Password and, as I sign in to services I use, I'm changing
my passwords to ones it generates. One big problem is I don't actually remember
most of what I've signed up to over the years, but at least I can secure what
I _do_ actively use / remember so an old, compromised password won't get
access to very much.

<http://agilebits.com/products/1Password>

------
aorshan
The biggest problem with online passwords is not how many characters you have
or anything like that. It is password redundancy. If you use one password (or
small variants on that password) for every site you use, then if one account
is compromised, then all of your accounts are compromised. You want to have as
many different passwords as possible.

------
Acorn
Personally I use an online password manager. (Passpack)

This allows you to randomly generate strong unique passwords for each website,
and have them accessible from anywhere.

You are obviously putting trust in the service, but you have to weigh up what
is more of a risk; the service going AWOL and stealing your passwords, or
someone breaking into your accounts due to bad/repeated passwords.

LastPass is another major online password manager.

KeePass is a great offline solution. There's also 1Password.

~~~
bakhlawa
Don't these online services all have the eggs in one basket problem? The
likelihood of them getting hacked might be low, but the impact of such an
occurrence would be very high (all passwords exposed).

~~~
unattended
The possibility of a site getting hacked or being attacked may be low but not
unexpected. Many of these services don't know your actual passwords, they just
have a file that's cryptographically secure with your passwords in there which
in the case of an actual breach, only you (the owner/creator of said password
list) has the keys to get into it. You just have to be responsible enough to
know where your keys are to get at that list or it's lost for good. The
likelihood of someone actually cracking into those password files without
knowing the password is actually much lower than the site storing them getting
compromised. And in the case of 1Password, if and when they become aware of a
breach they're usually upfront about it and require you to reset your master
password before you can use the service again for the sake of security.
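
What a vault-based manager does with the master password, as an added illustration (not the code of 1Password, LastPass, KeePass or any other product named in this thread): a random password generator backed by the OS CSPRNG, and a PBKDF2-stretched master key with a key-check tag, so the stored header (the part a sync service or Dropbox gets to see) is useless without the master password. The 200,000-iteration count and the key-check label are assumptions for the demo; the actual encryption of the entries (AES-GCM in a real manager) is left out.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Work factor for the slow KDF (assumed value for this demo; real managers
# tune it to hundreds of thousands of iterations or use Argon2/scrypt).
ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=24, alphabet=ALPHABET):
    """Random password from the OS CSPRNG, plus its entropy in bits.
    Unlike md5(some phrase), guessing cost is not bounded by how
    guessable the phrase is: every character is an independent draw."""
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    entropy_bits = length * math.log2(len(alphabet))
    return password, entropy_bits


def derive_key(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def create_vault_header(master_password):
    """Everything the storage provider ever sees: a random salt, the iteration
    count and a key-check tag. The master password and the derived key stay
    on the client, so a breach of the provider yields only this header."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "check": check}


def unlock_vault(header, master_password):
    """Return the vault key if the master password is right, else None.
    Each wrong guess costs a full PBKDF2 run, which is the point of the KDF."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    expected = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    if hmac.compare_digest(expected, header["check"]):
        return key
    return None


if __name__ == "__main__":
    pw, bits = generate_password()
    print(f"generated {pw!r} with about {bits:.0f} bits of entropy")
    header = create_vault_header("correct horse battery staple")
    print("unlock with wrong password:", unlock_vault(header, "password1"))
```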

------
Revisor
I suggest KeePass to generate and store your passwords with the password
database shared via Dropbox.

It's multiplatform and works pretty much everywhere. After the initial setup
even my non-geeky GF can use it.

------
pwg
Use Password Gorilla : <https://github.com/zdia/gorilla/wiki>

------
tox
There is always a trade-off between an online repository and an offline one.
Take into account the possibility that they can be compromised and also note
how you can recover passwords if you lose the password repository (if there is
a password recovery system).

