
Ask HN: How do you create and manage passwords? - rscott
I have a confession: I use the same password for pretty much everything, even though I know it's a bad idea and unsafe and all that. The problem is remembering my password at the dozen plus email and web services I use.

Is there a good solution that exists for remembering passwords? I know it's built into Firefox, which is nice, but I need something that can travel with me to use on my iPhone and other computers I might need to use. Ideally, it would magically sync up and password retrieval would be amazingly simple and secure.

So I ask you, HN, how do you create and manage your own passwords?
======
mixmax
I take a layered approach.

One password for all the stuff that isn't really important like sites I visit
a few times and then leave.

One password for sites I trust and use on a regular basis, but where a
compromised password isn't the end of the world. HN is in this category.

Separate and strong passwords for stuff that matters, like netbanking, gmail,
etc. To remember these I have a system set up so that the passwords are
similar in a non-trivial way, like [first words of sentence][number I
remember]. One password derived from this could be tqbfjotld!1249057, easily
derived from "the quick brown fox jumps over the lazy dog!", and 1249057 which
is the serial number for the motor in my boat. This way I only have to
remember a phrase and a number I already know for entering secure sites.

Using this system I don't have to rely on potentially unsafe software, or
writing down passwords that may be compromised.

~~~
3pt14159
Same here. I've written up my methods here, which are similar in spirit, but
not the same in execution.

Basic level password example: "pi975315703" -> alpha-numeric, easy to remember
because I have typed it a billion times.

Medium strength: "C0caC0la1s<3pt14159" -> Coca Cola (upper case because it is
a company) is not as good as pie; always use 0 for o and 1 for i.

High Strength: "9T&11E:ttttttttteeeeeeeeeee+pi975315703" -> all I have to
remember is "nine 't's and eleven 'e's plus weak password" but someone trying
to hack it with a hash table or whatever would be significantly slowed.

Max strength (where life or my job hangs in the balance): _get university
textbook and ruler, go to page 314_ _hold ruler along 3rd column of paragraph
text, read each letter downwards_ _write on bottom left corner of page in very
light pencil "3X5%"_

"WdeAdehaeeadyej.dR35Tyismdy+3X&5%:xxx%%%%%+pi97531570" -> I think you should
get the idea here.

I'm also super paranoid about key loggers. One of my friends did this to the
whole school when I was 16, so ever since then I have never entered high or
max on a public computer, just in case. All told I think I have about 35
active passwords that I can easily remember (or obtain in the textbook one).

~~~
palish
You're too hardcore for me, man. Is a 50+ letter password really worth it? My
tiny brain barely remembers the 5 or 6 passwords I always choose to use.

------
maneesh
I use SuperGenPass, which hashes the domain of a website with a Master
password, so you only need to remember one password. Then, every time you log
in, you just enter in your master password, it automatically hashes it, and
you get a new password for logging in like af49AgsdU8.

EDIT: here's the link <http://www.supergenpass.com/>

~~~
brl
This scheme is hugely flawed.

If you steal a password list from a website you can identify all the passwords
generated by this utility (10 characters, uniform distribution over
alphanumeric characters) and then simply crack the master passwords with a
brute force attack. If you have stolen multiple SuperGenPass generated
passwords from the same website, you can crack them all at the same time with
no additional penalty. After recovering the master password you can then log
into every single online account belonging to the user.

They seem to generate the password hash with simple md5, which is about the
worst possible choice they could have made. Any master password which is low
entropy enough to carry around in your brain can probably be cracked in a few
days at most.

~~~
jsteele
Except that you don't use the full MD5 sum, so it's not a simple matter of
brute-forcing it.

~~~
brl
For the default password length of 10 characters they use ~60 bits of MD5
output. That's more than enough information to uniquely identify the master
password.
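An added example (not SuperGenPass's own code, and not part of brl's or jsteele's comments) modelling the scheme brl describes: one MD5 over master and domain, truncated to 10 base64-style characters, which is where the ~60 bits in brl's reply come from, beside a PBKDF2 variant, with an estimate of the attacker's expected work once a single derived password has leaked. The `:` separator, the iteration count and the 40-bit master password are assumptions.

```python
"""Added example, not SuperGenPass's own code: a simplified model of
"hash the domain with a master password" beside a slow-KDF variant, plus
the attacker's expected work once one derived password has leaked.
The separator, iteration count and 40-bit master are assumptions."""
import base64
import hashlib
import time

BITS_PER_CHAR = 6  # base64-style alphabet: each output char exposes 6 hash bits


def fast_site_password(master: str, domain: str, length: int = 10) -> str:
    # Weak scheme as described in the thread: one MD5, base64, truncated.
    # The attacker's cost per master-password guess is a single MD5.
    digest = hashlib.md5(f"{master}:{domain}".encode()).digest()
    return base64.b64encode(digest).decode()[:length]


def slow_site_password(master: str, domain: str, length: int = 10,
                       iterations: int = 200_000) -> str:
    # Hardened variant: PBKDF2-HMAC-SHA256 with the domain as salt, so every
    # guess costs `iterations` HMACs instead of one hash.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(),
                              iterations, dklen=16)
    return base64.b64encode(key).decode()[:length]


def exposed_bits(length: int) -> int:
    # Hash bits a leaked password of this length reveals; 10 chars -> 60 bits,
    # far more than needed to confirm a correct master-password guess offline.
    return length * BITS_PER_CHAR


def expected_seconds_to_recover(master_bits: float,
                                guesses_per_second: float) -> float:
    # Average offline work to hit the master: half the keyspace.
    return (2.0 ** master_bits / 2.0) / guesses_per_second


def measure_guesses_per_second(derive, samples: int = 20) -> float:
    # Rough single-core guess rate for a derivation function.
    start = time.perf_counter()
    for i in range(samples):
        derive(f"guess{i}", "example.com")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    print(fast_site_password("correct horse", "news.ycombinator.com"),
          f"exposes {exposed_bits(10)} bits of the digest")
    for name, derive in (("md5", fast_site_password),
                         ("pbkdf2", slow_site_password)):
        rate = measure_guesses_per_second(derive)
        days = expected_seconds_to_recover(40, rate) / 86400
        print(f"{name:7s} {rate:10.1f} guesses/s -> "
              f"~{days:,.0f} days for a 40-bit master")
```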

------
mikeyur
The way I create passwords is to make an algorithm that no one else would know
- which creates unique passwords for every site I use, but I can never forget
the password since the algorithm stays the same. Example:

initials + last 3 characters in domain of site + year of birth + random
sequence you know.

my + tor + 91 + e72BQo -- HN
my + igg + 78 + abwBs$ -- Digg

Again, just examples. It works for me and I never forget my passwords as long
as I remember the algorithm.

~~~
kirse
I think I read about this hashing technique here and have been using it ever
since. There's no need for any password tools and you simply remember one
algorithm. After about a month of usage it takes no time to type in the PW for
any site.

I designed mine to be a little more mixed up, so hopefully even if someone
intelligent got my password it would just look like an assortment of
characters instead of an obvious hash.

------
jmah
I use 1Password (for OS X and iPhone), which lets me generate random passwords
for different sites. It can't auto-fill on the iPhone, so you have to go into
the app and write it down somewhere (or remember it) temporarily. It's got
syncing and stuff too. <http://agilewebsolutions.com/products/1Password>

~~~
drenei
I have a question - is there a password manager out there that's made it
possible to access passwords from a computer that isn't yours? I'm guessing
not, because of the obvious security issues.

Because I'm not always in front of my laptop, or desktop and don't have an
iPhone I use a system similar to what is here - different passwords for
different sites, with a system that helps me remember them.

~~~
inerte
You can either use a website to manage your passwords or a USB drive. I use
keepass to keep some of my passwords on a USB stick...

Not perfect, not 100% secure (nothing is), but always accessible :)

~~~
drenei
Thanks! I like the USB drive idea (maybe on a keychain) in conjunction with
keepass (I'll need to look more closely at keepass - I skimmed over it a while
ago). Also I like the supergenpass suggestion below - less to carry, and as
long as I have the bookmarklet on a browser, and my master password, easily
accessible. More to think about! :)

------
shizcakes
I'm actually quite surprised at the lack of mention of KeePass in this
comments thread: <http://keepass.info/>

I've been using it for years at this point, and I love it - it's very well
supported, and is fast and straightforward to use - both for creating new
accounts and recalling old accounts. In fact, I don't know my password to the
majority of sites that I am signed up for, and instead use a randomly
generated string.

That helps my peace of mind in cases where sites like monster.com get hacked -
I don't need to change every password on every site, only that one.

[Edit] - By the way, Version 2 is written in Mono-compatible .NET, which means
that it is accessible as a cross platform application. (It's not quite Python
or Perl, but it works for me)

------
markessien
The system I use is this - I use a fixed combination of letters that never
changes (4 letters), and then I follow it up with an 8 digit series of numbers,
ending up with a 12 digit password.

I have a contact on my phone where all the passwords are stored as phone
numbers (just the number, not the letters). If I ever forget the password, I
just look it up on my phone. If my phone is ever stolen, the thief will never
figure out that a particular contact happens to have my password as their
phone number, and even if he does, he does not know the fixed letter
combination I tack on.

And I change these passwords every few months, and when I first change it, I
use my phone to remember it. Furthermore, I split the passwords into 3
categories - important, not so important and the password I share with family.

------
makecheck
The Mac's Keychain Access program (Utilities folder) is pretty good for this.
Most programs I use directly support it, e.g. Mail passwords, and web site
passwords in OmniWeb. You can also add your own passwords or secure notes
without having a program "support" the keychain.

Sync of keychains is possible, but only if you pay for MobileMe (nee
iTools/.Mac).

Unfortunately, Firefox uses its own password manager on the Mac instead of a
keychain.

------
wallflower
The first or second letters of the words of motivational quotes with a few
letter substitutions (e.g. 0 for 'o', 3 for 'e') and some random symbols work
well for me as easy to recall and strong passwords. Plus when you type it in,
you have to think about the quote and whether you are applying it.

w3tm0mccab1ca$@

hvh1faa0n3tac)&

"Whatever the mind of man can conceive and believe, it can achieve" -Napoleon
Hill

------
DenisM
Shameless plug follows:

Our product Memengo Wallet <http://www.memengo.com> is a password manager that
can be used in three different ways:

1. Store your passwords on the iPhone app (Windows Mobile phone also supported). Encrypted with AES-256.
2. Store your passwords on the web site (AJAX). Encrypted with AES-256 within the web browser - plaintext never leaves your computer.
3. The iPhone and the web site can be synchronized. There is a sync button in the iPhone app.

I can answer any questions. We also answer all support questions submitted
from the web site (with a return address).

FAQ:

1. Q: The web site makes me uneasy. What if you decide to change your program
to fish out the encryption key from the client? A: The web site does not add
to the problem - any password manager app on the iPhone can phone home
without your knowledge.

------
twopoint718
I have a mix of methods. For sites that I rarely visit or are of no real
consequence if the password were compromised I use a memorable one for them
all.

For sites that I care about the security I generate a random password with
something like this:

    dd if=/dev/urandom bs=1 count=12 | uuencode -

then store that in psafe (<http://www.hep.wisc.edu/~dan/psafe/>) with a master
password that I remember. This way if some site's password does get
compromised, it doesn't translate to any other site. I suppose I could also
carry around the encrypted psafe file with me on a USB key, but I've found
that I don't really need to log into these sorts of sites when I'm out.

~~~
DenisM
Your command never generates lower-case letters. :-)
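An added example (not twopoint718's or DenisM's code) that reproduces the body line of that `dd | uuencode -` command with Python's `binascii.b2a_uu` and checks DenisM's observation: uuencode's alphabet is ASCII 32 to 95, so the output has no lower-case letters, while the 12 random bytes still carry 96 bits whatever alphabet displays them. The `SAFE_ALPHABET` generator is an assumed alternative for sites that reject spaces and punctuation, not something from the thread.

```python
"""Added example, not twopoint718's code: what `dd if=/dev/urandom bs=1
count=12 | uuencode -` produces, why DenisM is right that it contains no
lower-case letters, and a generator that picks its alphabet explicitly."""
import binascii
import math
import secrets
import string

# uuencode maps each 6-bit value v to chr(32 + v): ASCII 32 (space) .. 95 ('_').
# That range holds upper case, digits and punctuation but no lower case.
UU_ALPHABET = "".join(chr(32 + v) for v in range(64))
# Assumed alternative alphabet for sites that reject spaces or punctuation.
SAFE_ALPHABET = string.ascii_letters + string.digits


def uuencode_password(raw: bytes) -> str:
    # The body line uuencode prints for `raw`: one length character, then four
    # output characters per three input bytes (zero bits become spaces).
    return binascii.b2a_uu(raw).decode().rstrip("\n")


def decode_uuencode_password(line: str) -> bytes:
    # Inverse of uuencode_password; the encoding loses no entropy.
    return binascii.a2b_uu(line.encode())


def contains_lowercase(pw: str) -> bool:
    return any(c in string.ascii_lowercase for c in pw)


def raw_entropy_bits(raw_len: int) -> int:
    # Strength comes from the random bytes; the alphabet only changes the look.
    return raw_len * 8


def alphabet_entropy_bits(length: int, alphabet: str) -> float:
    # Entropy of `length` characters drawn uniformly from `alphabet`.
    return length * math.log2(len(alphabet))


def random_password(length: int = 16, alphabet: str = SAFE_ALPHABET) -> str:
    # secrets.choice is uniform over the alphabet, so there is no modulo bias.
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    raw = secrets.token_bytes(12)          # same 12 bytes dd would read
    line = uuencode_password(raw)
    print(repr(line), "lowercase:", contains_lowercase(line),
          "bits:", raw_entropy_bits(len(raw)))
    pw = random_password(16)
    print(pw, f"{alphabet_entropy_bits(len(pw), SAFE_ALPHABET):.1f} bits")
```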

------
yan
Here is a post from an earlier comment on how I manage my passwords:
<http://news.ycombinator.com/item?id=384658>

------
dguido
<http://www.bugmenot.com> FTW

If you can't remember all the passwords to the accounts you have, one solution
is to create fewer accounts.

------
jseifer
I use 1Password from Agile Web Solutions. It's great -- it imported all of my
passwords from Firefox and I just save new ones that way. It also does work on
the iPhone as a password filler if you use the bookmark. If you use Dropbox
you can keep your password keychain in there and update it among all of your
macs. It would be ideal if Windows and Opera were supported but maybe some
day. For now I just go between Safari and Firefox.

------
myav
I like a very simple approach, which allows me to avoid using password
managers.

For all accounts which are of little importance to me (in other words, for
ones which can be recreated without any problems) I have got one easy-to-
remember password. "foo87b@r" is a good illustration of what I mean. There
are two simple words, separated by a number, and one special symbol. It's very
easy to commit to memory, and doesn't look easy to brute force.

But what if there is a malefactor who knows your universal password? If so,
you are in trouble. He has all the keys to your e-money, mailbox...

To protect things that matter I'm using unique passwords made on the basis of a
general pattern. It will prevent your accounts from being accessed using the
insecure "foo87b@r" pass.

To illustrate that, suppose that our pattern is: __&_1_H@ckN!ws (placeholders
for further substitutions are marked by "_")

Let's generate a password for the [n]ew[s].[y]combinato[r].com site (which
characters of the URL are used when generating the password is up to the user).

Here is your secure password: ns&y1rH@ckN!ws

So, to use it you should be able to remember one simple password, one pattern
and the principle describing how to get new passwords from the existing
pattern + URL.

I've been using this scheme for the last two months.

------
hachiya
For over a year I've been using a GPG-based "password wallet" through a shell
script based on this Linux Journal article.
<http://www.linuxjournal.com/article/9861>

I just run wallet.sh -e and enter the wallet password, and then vim (or editor
of your choice) opens up with your passwords. It can be handy to store other
important data in this GPG protected file as well. When you exit vim, the file
is re-encrypted automatically.

I keep automatic backups of the gpg encrypted wallet file for safety.

The nice thing about this approach is that you can view and edit the file in
whatever way you are comfortable, e.g. with vim. No GUI needed, so you can
access it over SSH quickly (and yes, you could use the GUI solutions with SSH
forwarding, but nothing beats a text editor in terms of speed).

Also, for generating passwords, you can use a Vim keymapping to shell out and
run something like apg or spassgen to generate a random password.

I typically store website account info like this:

hotmail.com:hachiyamail@hotmail.com:password

or for more verbose account information:

americanairlines.com

hachiyamail@hotmail.com

Password: flyamericanairlines

Mother's Maiden Name: Smith

PIN: 2342

------
fhars
For web sites I don't want to access from my phone, I use the PasswordMaker
plugin for Firefox, which generates site specific passwords from a single
master password that never gets saved anywhere (except maybe swap space, I
haven't looked into that). The only problem I've run into were overzealous
input sanitizers on some sites that refused some of the characters in the
generated passwords.

For really important passwords I use strong random passwords with a security
copy on paper stored in a safe place. Depending on the password and how often
I need it that may be the safe at work, a binder with all the important
related personal documents, or that place all people use to keep valuable
small pieces of paper, the wallet in my pocket (there usually without a full
domain name).

Then I use old safe passwords which I no longer use for their original purpose
but still remember as passwords for situations where PasswordMaker is not an
option.

------
grouchyOldGuy
I store all my account URLs, user IDs, and passwords in a text file that is
inside of an encrypted TrueCrypt volume. The TrueCrypt volume appears as an
ordinary file on my computer, and the password to decrypt it is stronger than
any password inside the file (13 characters, mixed case with some numbers and
symbols mixed in).

For non-critical accounts, I use an old Kerberos password from a long-expired
ISP account that I used to have. It's burned into my memory as strongly as my
own birth date. For more secure account needs, I have a stronger and longer
password that I use. When I need to rotate passwords regularly, I use three
characters of the month, a symbol, two digits of the year, and my old Kerberos
password all concatenated together. It's easy to remember and difficult to
crack because it's eleven characters long, and mixed-case alpha-numeric.

------
njharman
Password Safe <http://passwordsafe.sourceforge.net/>

I believe it is a security risk to reveal password usage/methodology and so
must politely refuse to elaborate.

------
jackowayed
I use a different pass for basically everything. The strength depends on how
much I care about my account at the service. I've been known to do stuff like
"<servicename>sucks" when I really don't care about it. Everything somewhat
important is longish, with some capitals/numbers/special chars.

I have FF remember all of my passes basically (on my own computer with a good
password on it.) I make fairly heavy use of "forgot pass" functions to make up
for forgetting some passes.

------
GiantCrayon
I just finished reading a book on this very topic, and recommend it highly.

_Perfect Passwords_ by Mark Burnett, available at:

<http://www.amazon.com/Perfect-Passwords-Selection-Protection-Authentication/dp/1597490415/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1233437215&sr=8-1>

It's full of great analysis, as well as a fun table of the 500 worst passwords
of all time. :)

(Note: I am not connected with the publisher or author in any way.)

------
tannerhiland
Roboform (<http://www.roboform.com/>) sounds similar to some of the password
managers here, but also does form filling. There's also a Robo2Go app that
lets you tote your passwords on a USB drive.

The browser integration is really nice in that login fields can be prefilled
as you visit different sites.

Also there's a password generator that can be customized for special
characters, upper, lower, numbers, length, etc.

------
yason
I have a single password and a mailinator address for anything that requires
login or registration. Fake name, fake password?

Then I have different, good passwords for my login and Gmail. These are easy
to type and generated from a passphrase so they look nothing like dictionary
words and yet there is a good way to remember them when they're new and my
fingers haven't learned them yet. These are about 10+ characters long but
those that are easier to type are favoured.

Old passwords from the previous category are often reused for middle-level
services such as HN, Reddit, Slashdot, Facebook and others where I have a long
(or expected long) residence and high correlation with my privacy or
personality. This is mostly for convenience since my fingers have the kinetic
memory for about 6-7 such passwords: something I've typed for months or a year
as my login password is something I'll also remember the following months or a
year as my reddit password. If I forget, I try all recent password patterns
that my fingers can remember. Has worked so far.

Online banking login + passwords are nowhere but my head. In fact, I don't
know them if someone wanted me to write them down. Instead, my fingers
remember them. The login + password are set by the bank. I also have to look
up a code from a pad of one-time PINs sent to me by my bank in order to
successfully log in to the online services.

Anything else that is either important or rarely used (Amazon, online stock
brokerage service etc.) are stored in a file encrypted for my private GPG key.
I open it with Emacs, type in the GPG passphrase, let Emacs decrypt the
contents and edit the file as usual. Saving will automatically encrypt the
data before writing to disk. Looking up a password is a matter of decrypting
the file to stdout from the command line and piping it to less. The private
GPG key is protected with a passphrase that is about 50 characters long. It is
not written anywhere. The passwords in this file are generated by a Perl
script I wrote in the 90's. The output of the script is 16 bytes of random
characters and numbers.

It seems that I rely a lot on my memory. Most of them are memorised in my
fingers rather than the lexical part of my brain. I have maybe ten passwords
that I need every week or month, and those are in my head, probably because I
can keep them there. In addition, I have several PIN codes I must remember,
and I do. (Cell phone PIN, two bank cards, SecurID user PIN, door lock
code...)

So, go figure how to hack me.

------
r11t
KeePassX (<http://www.keepassx.org/>) is an excellent free cross-platform
password manager for storing user names, passwords, URLs, attachments and
comments in one single database. The database is encrypted either with the AES
(alias Rijndael) or the Twofish encryption algorithm using a 256 bit key.

------
asnyder
I use KeePass (<http://keepass.info/>), it's free and open source. It stores
all your passwords in addition to being able to generate passwords with a
myriad of options. You need only remember a single password to get in. They
also have a bunch of plug-ins for various different uses.

------
epi0Bauqu
Random username and password for each site, generated by
<http://duckduckgo.com/?q=pw>

I keep them in an encrypted file on an encrypted disk. I let my browser
remember them though, and I have the frequently used ones (ssh, gmail, etc.)
memorized.

------
xenoterracide
Here's an article I wrote on creating them, and having them be recoverable:
<http://xenoterracide.blogspot.com/2008/04/making-secure-recoverable-passwords.html>

------
projectileboy
For sites like this one, I use one of two or three easy to remember passwords.
For banking sites and such, I create strong passwords, which I keep written
down (the Bruce Schneier approach).

------
arc
Not extremely sophisticated from the generation side but SecretBook for Mac is
really pretty clean. iPhone version as well.

<http://bookshelfapps.com/>

------
dbc
"Password Gorilla" is a GPL-licensed, cross-platform password manager.
<http://fpx.de/fp/Software/Gorilla/>

~~~
blender
+1

------
chris11
I probably need to use more passwords. I make them by creating simple
geometric patterns on my keyboard. It's easy to remember, and they aren't
common words.

------
izak30
As per a post on Joel on Software, I've started using PasswordSafe (SWT..the
Java one) on all my machines, and sync the database with Dropbox. It's great.

------
urlwolf
For me it's lastpass.com. They do it right: they remove the passwords they
(easily) find on my HD. The problem is still the master password, I agree.

------
juliend2
I use <http://passwordsafe.com> to manage my passwords. It's good enough for me.

------
DaveChild
I use this: <http://www.angel.net/~nic/passwdlet.html>

------
dattaway
I use passook. It's a Perl command line generator for pronounceable passwords of
selectable strength. Quick and dirty.

------
m0sh3g
clipperz.com FTW

They also have a community version that you can install on your own server.

~~~
mightybyte
I have to add another vote for Clipperz (<http://clipperz.com>). I started
using it to manage insecure passwords. I tried to use a generic insecure
password as others have mentioned above, but I kept encountering slightly
different password restrictions that made this very difficult. I think
Clipperz is web-based password management done right. Encryption is done in
the browser and the javascript code is open source. Only encrypted data is
stored on the server, so they can't even get your information. I highly
recommend at least checking it out.

------
travisjeffery
1Password is __teh__ shit.

