

Ask HN: Password managers? - gcv

I've been getting annoyed at dealing with passwords. I have a pretty good mental system for generating good, difficult-to-predict passwords, but even so, I've been thinking about switching to a password manager. I am primarily a Mac user, and it seems that 1Password is a highly-recommended Mac utility, but it makes me a bit nervous.

1. I often use machines other than my primary Mac. These machines include Linux and Windows installations. How can I visit registration-required sites if their long hex-string passwords are trapped on a different machine?

I see that 1Password provides something called my1Password (https://my.1password.com) for web-based password use, but I have just 1Password's word that everything is perfectly secure back-to-front, and that it doesn't have nasty exploits on its site. In addition, how exactly am I supposed to use this password from the browser? Does it show up in clear-text on my.1password.com, and then I'm supposed to copy and paste it into a password field, thereby exposing the password to the system clipboard on a potentially untrusted machine?

2. I don't know if I trust a password manager not to leak the password somehow, somewhere. This particularly applies to banks and other sensitive sites.

3. It doesn't look like 1Password supports passwords for things like remote Unix hosts using ssh. I use passphrase-based private key authentication with ssh, but this does not mean that every Unix machine I log into has passwords completely disabled, which still leaves me with a slew of passwords to track.

So, HN: how does everyone here deal with passwords? Password managers? Paper notes, as Bruce Schneier recommends (http://www.schneier.com/blog/archives/2005/06/write_down_your.html)? Mental systems? A hybrid approach (write hex strings on a sheet of paper and import them into password managers on every trusted computer)? Use "Passw0rd" everywhere?
======
mechanical_fish
I created a complex paper-based system once. Then I got bored with the tedium
of retyping big strings of characters off a sheet of paper and started just
using 1Password for everything.

You can use 1Password to create passwords that aren't associated with websites
and stuff them into the equivalent of encrypted notes. When I need one I just
pull up 1Password using Quicksilver and do a cut-n-paste. It's a little bit
tedious, but not as tedious as paper -- and, as you say, I don't do it that
often. I use ssh-keychain for most of my logins.

If you're freaked out about the probability that 1Password will somehow leak
your bank password... don't put your bank password into it. Use paper for
that. I avoid allowing my laptop's copy of 1Password to know any password that
could be used to harm my finances.

If you have a need to log in to registration-required sites on other
machines... carry a piece of paper with the passwords you need. 1Password will
print things out for you (also good for emergency backup -- stuff a paper log
of your passwords in a safe deposit box).

1Password also has an iPhone app. I avoid using it because my need for
portable, secure passwords is low compared to my fear of losing the phone and
having to change all my passwords.

Really, you shouldn't type secure passwords into random other machines,
anyway, since any of them could be compromised. Keysniffers. Rootkits. If you
often log into security-sensitive accounts from strangers' machines... perhaps
you should consider getting a laptop, an iPhone, a Nokia, or an EEE?

95% of my passwords are of scant interest to anybody, such that the (tiny)
risk of allowing a piece of software to remember them for me is nil. I advise
getting the software, and letting it go to work on the 95%. If you don't want
to trust it with the remaining 5%, don't trust it.

------
ScottWhigham
I use <http://keepass.info/> and have for a while now. Works great and is
free.
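The thread debates whether to trust a vault like 1Password or KeePass with secrets, and what happens if the file leaks. The added example below (not code from this thread, nor the file format of 1Password or KeePass) shows the structure such a vault has to have for that trust to be reasonable: the master passphrase is stretched with a memory-hard KDF, the entries are encrypted and authenticated under keys derived from it, nothing usable is stored in the clear, and a wrong passphrase or a tampered file is rejected before any decryption happens. It also generates the kind of random passwords the original poster calls "long hex strings". The stream cipher is built from HMAC-SHA256 in counter mode only because the Python standard library ships no AES; that choice, the scrypt parameters, the entry names and the passphrase "correct horse battery staple" are all assumptions for the demonstration.

```python
"""Minimal encrypted password vault (demonstration only; not the format of
1Password, KeePass or any other product).  Standard library only."""
import hashlib
import hmac
import json
import os
import secrets
import string

# scrypt cost parameters (assumed for the demo; raise N on real hardware).
KDF_N, KDF_R, KDF_P = 2 ** 14, 8, 1

# 94 printable ASCII symbols: log2(94^20) is about 131 bits for 20 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_keys(passphrase, salt):
    """Stretch the master passphrase into independent encryption and MAC keys."""
    km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=KDF_N, r=KDF_R, p=KDF_P, dklen=64)
    return km[:32], km[32:]


def keystream_xor(key, nonce, data):
    """Encrypt or decrypt by XOR with an HMAC-SHA256 counter-mode keystream.
    Used here because the standard library has no AES; a real vault would use
    AES-GCM or ChaCha20-Poly1305 from a proper crypto library."""
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), 32)):
        block_key = hmac.new(key, nonce + ctr.to_bytes(8, "big"),
                             hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block_key))
    return bytes(out)


def seal(passphrase, entries):
    """Serialize and encrypt the entries; returns the on-disk JSON blob."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    # Encrypt-then-MAC over everything the reader will trust (salt, nonce, ct).
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return json.dumps({"salt": salt.hex(), "nonce": nonce.hex(),
                       "ct": ct.hex(), "tag": tag.hex()})


def open_vault(passphrase, blob):
    """Verify the tag, then decrypt.  Raises ValueError on a wrong passphrase
    or a modified file, without revealing anything about the plaintext."""
    v = json.loads(blob)
    salt, nonce, ct, tag = (bytes.fromhex(v[k])
                            for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("wrong passphrase or corrupted vault")
    return json.loads(keystream_xor(enc_key, nonce, ct).decode("utf-8"))


def unlock_ok(passphrase, blob):
    """True if the passphrase opens the blob, False otherwise (no exception)."""
    try:
        open_vault(passphrase, blob)
        return True
    except ValueError:
        return False


def tamper(blob):
    """Flip one bit of the ciphertext to simulate on-disk corruption or an
    attacker editing the file; the MAC check in open_vault must reject it."""
    v = json.loads(blob)
    ct = bytearray(bytes.fromhex(v["ct"]))
    ct[0] ^= 0x01
    v["ct"] = bytes(ct).hex()
    return json.dumps(v)


def generate_password(length=20):
    """CSPRNG-backed random password drawn from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo():
    """Round-trip a small vault and return the checks a user would care about."""
    master = "correct horse battery staple"          # constructed passphrase
    entries = {"example.com": generate_password(),    # constructed entries
               "ssh host (password login)": generate_password(24)}
    blob = seal(master, entries)
    return {
        "plaintext_absent": "example.com" not in blob,
        "roundtrip": open_vault(master, blob) == entries,
        "wrong_passphrase_rejected": not unlock_ok("Passw0rd", blob),
        "tamper_rejected": not unlock_ok(master, tamper(blob)),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the thread's argument is the last three checks: the file on disk (or the copy in a safe deposit box, as suggested above) is useless without the master passphrase, and any edit to it is detected before a single byte is decrypted. What this does not solve is the poster's first worry, since any machine on which the vault is unlocked and a password copied to the clipboard sees that password in the clear.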

