

Ask HN: where to keep passwords - awongh

Right now my system for keeping passwords is terrible and unorganized. I'd like to know what the best and most secure and also accessible way is.

I'm talking about personal passwords too, but mostly I'm thinking about work passwords. Your client's hosting or domain registrar password, the system db admin password, your basecamp password, etc., etc., etc. - you can't remember them all, what do you do so that they're secure, but you can access a system when you're not in front of your main machine? Or instead of a super-mega secure bunch of passwords (that you change regularly, like they say you should), is it better to have a single (or a couple) secure one(s) you can remember, then not have to keep anywhere?
======
Serene
Better to memorize 3-4 master passwords. I heard about KeePass password
management utility but never used it.

A new authentication device will be available later this year - based on
Hitachi's Finger Vein imaging (VeinID) and fingerprint identification
technology.

------
yradunchev
$ nano passwords

<enter all your passwords here>

ctrl+x y

$ gpg -c passwords

and you have all your passwords in a password protected and encrypted file. To
decrypt:

$ gpg passwords.gpg

~~~
awongh
sounds ok, does the -c mean that I don't need to make any keys, like if I look
at the file on another computer?

~~~
yradunchev
yes - it's just password protected and encrypted with the passphrase you use
when gpg asks you. all you need to open the file on another computer is gpg
and, of course, the passphrase used.

even better - when you need certain password you can do:

$ gpg -d passwords.gpg | grep yradunchev@mail.me

and you will get the password for that mail account only and the entire
encrypted file will stay encrypted and never will be saved as plain text file
on the system you use at the moment.

~~~
awongh
of course you need to keep this file in a secure place as well, because if you
don't need keys, then anyone in possession of the file can brute force the
password, right? (this assumes that the password you've chosen isn't random w/
non-alphanumeric chars, too long, etc.) ....then that requires another
password for dropbox, etc..... it never ends if you start to get paranoid I
guess.

~~~
yradunchev
yeah - if you start to get paranoid you will end in a mental institution :)

no, seriously, if you choose a good 'primary' password it's ok. Choose
something around 10-15 chars and use digits, caps, smalls, special. But do it
in a way that it's easy to memorize. There are plenty of papers on how to do
this around the net. But in short (and a very paranoid way to construct a
password):

1. Get a phrase that is meaningful (for you at least);

2. Get first letter of the first word, second letter of the second word,
third from the third etc. If there is no fifth letter in the fifth word - use
the last one;

3. Substitute some of the letters with look-alike digits or chars: A for 4, a
for @, l for 1, e for 3, s for 5, g for 9 etc etc;

4. Make second, fourth, eighth (or first, third, fifth) chars uppercase (if
they are letters);

5. Done.

It sounds complicated but it isn't. It's easy. And soon enough you will be
able to construct such passwords in seconds in your mind. :)

example:

'Someones screaming my name, Come and make me holy again, Im the man on the
silver mountain'

1. Scyeedeeynmennern

2. sCyeEdeeYnmenNern

3. 5Cye3deeYnmenNern

Not a very good example because of all the repeated characters but you get the
idea. You can memorize it just singing Rainbow's 'Man on The Silver Mountain'
to yourself :)

And don't go very paranoid. If you want to be very very very very secure - use
a retina-scan device or DNA tests before you give access :)

------
sunchild
1Password. <http://agilewebsolutions.com/products/1Password>

~~~
briandoll
+1 for 1Password. It also can generate difficult passwords for you, so you're
not even aware of what they are. Add private sharing via Dropbox and your
secure passwords are with you on every machine.

~~~
sunchild
"private sharing via Dropbox"

Wouldn't that expose your passwords to a prying DropBox admin? I don't use DB,
so I'm not sure whether you generate your own key to encrypt data at rest.

~~~
briandoll
Your password archive is encrypted at rest with a passphrase that you set.
Even if you got my password archive and you had 1Password you'd still need to
crack the master passphrase before it would be useful.

