
Ask HN: Where are you storing your passwords? - icoloma
Linux passwords, database passwords, third-party system passwords, mail passwords... At some point they have to be written down somewhere, and the possibility of a plain text file leaking online gives me the creeps. Manual encryption means that at some point (while editing) it exists unencrypted on disk, and a leak could happen (a backup copy of your text editor, for example).

I am not talking about browser plugins that can help only with web-based interfaces. The mix-up of interfaces means that at some point you have to write them down, securely. How are you guys doing it?
======
adpd
I use KeePass (<http://keepass.info/>) to manage all of my passwords.

From their website:

KeePass is a free open source password manager, which helps you to manage your
passwords in a secure way. You can put all your passwords in one database,
which is locked with one master key or a key file. So you only have to
remember one single master password or select the key file to unlock the whole
database. The databases are encrypted using the best and most secure
encryption algorithms currently known (AES and Twofish).

I'm always keen to manage my passwords in the best possible way, so I'll be
following this discussion closely to see if I should be modifying my tools and
practices.

~~~
cowsaysoink
Same, but I use <http://www.keepassx.org/> as it works better with Linux.

------
speeder
In my head =D

At first I used one password for everything. Then two, but that was an accident
(i.e.: I forgot to change one default auto-password but got so used to it that I
started to use it in other places).

Then the first one was cracked. I changed passwords in lots of places, and
started to use 3 passwords total.

As this kept ballooning, I decided to instead create rules for my passwords
(rules that only make sense to me, of course, they are totally arbitrary and
almost random).

The result is that I have now about 20 different passwords, but I can remember
them all with enough effort. Sometimes there is a random site that I haven't
used in a while that I cannot log in to at first, but as I try several of the
possible variations of my rules, eventually it works (erm... or not :P this has
happened a couple times already, and I needed a password reset).

My associate uses LastPass.

~~~
brandoncor
Did you find out who cracked it? And how did you find out? Just curious if you
were targeted specifically.

~~~
stevekemp
I had a password exposed via a compromise/dump of the perlmonks.org website a
year or two ago.

That didn't bother me since I use per-site passwords, stored in a pwsafe
database. But it is an example of sites compromising passwords.

------
sp0rk
I'm surprised LastPass hasn't been mentioned yet. I've had nothing but good
experiences with the company and the product itself. It is primarily a browser
plugin for storing web passwords and sensitive information but you can also
use the secure notes feature to store passwords for other applications. There
are several multi-factor authentication options available as well.

~~~
ja27
I use LastPass with the Google 2-factor authentication app. I also keep some
secure notes in it.

------
ScottWhigham
This topic comes up all the time. You might want to do a search and sift
through some of the other popular threads.

~~~
icoloma
I did a search on HN and SO and found nothing. Do you have a link to
investigate further?

------
sdoering
Me, I am having them all stored in my mind. But I made it a little bit easier
for me. I do have 3 standard-passwords, that I change twice to thrice a year.
Each one of them is used on multiple accounts - but every one is appended with
something specific for every use case.

For example: d453ER#T p0NY_jondoe@MoogleGail could be a password for one
GMail-Account with the alias jondoe, while for Facebook, the passwd might be
d453ER#T p0NY_jondoe@Fratzenbuch (Fratzenbuch is German denigration for
Facebook) for the FB-Account with the GMail-Address from above.

I hope this did help you...

------
alok-g
I store the first and last characters of my passwords in plain text on my
local machine*. It's enough to remind me what my password is, while still
remaining unknown for anyone else.

*Well, actually my browser homepage is a simple HTML file carrying all my
bookmarks, residing locally on my machine. This is much better than having a
largely blank Google home page and having bookmarks additional clicks away.
This HTML file has website links together with the first/last password letters
next to them.

------
lordkinboat
I use Keychain on Mac OS X to store passwords automatically and I make
password protected notes for sites or apps where passwords are not recommended
correctly.

I make general rules for passwords and follow those. I also use poor, easily
memorisable passwords for various sites that I don't deem important but
require a login and password.

------
skosch
I have a random 8-letter password memorized (includes uppercase and numbers),
but I prepend the first 2 characters of the md5-hash of the
service's/website's name. That way I just have to quickly open a terminal
whenever I forget a password.

I recently learned about YPassword and I think it's a similar idea.
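
Added example, not part of the comment above: the md5-prefix scheme it describes, next to a keyed derivation for comparison. It shows that the two prefix characters can be computed by anyone from the service name, so the memorized part is the same in every password, whereas in a keyed derivation every character depends on the secret. The base string, the service names and `keyed_site_password` are assumptions made for illustration; the keyed function is not YPassword's algorithm.

```python
import base64
import hashlib


def md5_prefix_password(base: str, service: str) -> str:
    """Scheme as described: first 2 hex chars of md5(service) + memorized base."""
    prefix = hashlib.md5(service.encode("utf-8")).hexdigest()[:2]
    return prefix + base


def keyed_site_password(master: str, service: str, length: int = 16,
                        iterations: int = 200_000) -> str:
    """Hypothetical alternative: PBKDF2 keyed by the master secret, salted by service."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              service.encode("utf-8"), iterations, dklen=32)
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def shared_suffix_len(a: str, b: str) -> int:
    """Number of trailing characters two passwords have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


# Constructed sample values, not real credentials or real services.
BASE = "Xk4mQ9tz"
SITE_A, SITE_B = "example-mail", "example-forum"


def compare_schemes() -> dict:
    """Measure how much of each site's password is reused on the other site."""
    p_a = md5_prefix_password(BASE, SITE_A)
    p_b = md5_prefix_password(BASE, SITE_B)
    k_a = keyed_site_password(BASE, SITE_A)
    k_b = keyed_site_password(BASE, SITE_B)
    return {
        "prefix_scheme_shared_chars": shared_suffix_len(p_a, p_b),
        "keyed_scheme_shared_chars": shared_suffix_len(k_a, k_b),
        "prefix_scheme_length": len(p_a),
        "keyed_scheme_length": len(k_a),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

With the prefix scheme, a password disclosed by one site contains the full memorized base; with the keyed form, one site's output does not directly reveal the master or any other site's password.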

------
ishbits
LastPass with a premium subscription so I can use the mobile app.

I chose LastPass as I use Linux, Mac and iOS daily. I used to use KeePassX,
but eventually found that LastPass fit my usage patterns better.

------
e1ven
1Password on OSX is one of the only blockers from using Linux as my primary
desktop right now- I've tried LastPass, KeePass, and others, but haven't
found anything that works as well ;(

~~~
ubercow13
Can you elaborate on how it's better than LastPass, if you can remember the
differences? I'm using LP at the moment as 1Password is considerably more
expensive but I'd be interested to know in what sense it might be worth the
extra?

------
eduardordm
After reading Moonwalking with Einstein I started to exercise my memory skills
and now I just use my brain.

