
Ask HN: How do you manage your passwords? - pft
A while back someone posted a link to qwertycards.com, a (low security) product that promised an easy way to keep track of all of your passwords whilst staying secure.

This got me thinking about what I should use - after a year of using Lastpass to store "super secure" passwords and then logging in repeatedly to it, I'm starting to get fed up.

What do you all use?
Do you spend a lot of time memorising them?
Do you use medium security passwords that are easier to remember?
Do you use Lastpass / 1Password / another service? If so, what do you recommend?
======
maxcan
1password on iOS/OSX. There was a big discount on both a while back and I
jumped on it. Even today, I'd consider paying for it. I've tried all the open
source options, none of them worked nearly as well as 1pwd.

~~~
mtry1
[http://www.theregister.co.uk/2015/03/11/dropbox_sdk_flaw_lef...](http://www.theregister.co.uk/2015/03/11/dropbox_sdk_flaw_left_microsoft_office_mobile_open_to_attack/)

1password is vulnerable to hackers because they rely on third party storage
via dropbox. I wouldn't trust my sensitive info with them.

~~~
wglb
First, you are not required to use dropbox with 1Password.

Second, the data stored in dropbox is encrypted by a key that only you have.
Dropbox has no way to see what is inside that bundle without your long
password.

------
cwt
I use lastpass. Never tried any other password manager. I don't mind logging
into it. On my phone I can swipe my thumb. The only thing I don't like is
having to type out the long random passwords on non-physical-keyboards - like
setting up a roku to connect to amazon play and spending an extra 15 clicks
switching case/keyboard.

How often do you have to log into it? Is it specific to a device?

~~~
pft
I'm guessing you use Lastpass premium if you use it on your phone? I use
lastpass on all my devices. I like the phone app but I got premium for free
for one year and it's about to run out. Looking for a free alternative.

~~~
anakha
It's only $12 a year for the premium service. Do you feel you're not getting
at least $12 value for the ability to have a reliable, secure password manager
that is actively supported?

I'd skip lunch for a day to pay for it.

------
boydjd
keepass. I don't trust a service to store my passwords.

I use a key file and a passphrase to secure my keepass database. The database
is stored on dropbox, the keyfile is stored elsewhere.

~~~
JshWright
Same here. KeePass2 on Linux, KeePassX on OSX, and KeePassDroid.

~~~
davegauer
I've had a _great_ experience using KeePassX on both Windows and Linux.

I use a sometimes-synced copy of the database on KeePassDroid on my Android
phone. Actually, the user experience of KeePassDroid can only be described as
vile, but that it works at all (allowing me to have all of my passwords
securely available on my person) is awesome enough.

------
toki5
My muscle memory is astonishingly strong (probably from two decades of
classical piano training).

I use this to my advantage with passwords: When I need to generate a new one,
I play a "song" into Notepad (or vim as the case may be). Not a known song,
but a seemingly random string of glyphs that make sense in my head at the
time.

Practicing typing that string forms a powerful association with that
account/website and that "song," and my hands remember it for the rest of my
life.

The one big drawback to this is that it's nearly impossible for me to enter
passwords on my phone without having a keyboard handy and arduously trying to
recreate the string. Also, changing a password (not that I usually need to) is
a little difficult because I have to retrain myself.

The advantages are: They're not written down anywhere; I don't have to
struggle to remember which permutation of some base string I used this time;
they don't follow any sort of pattern.

------
enoch_r
I use pass: [http://www.passwordstore.org/](http://www.passwordstore.org/)

It's fantastic, free, simple and works across multiple platforms.

I also set up a simple web front-end for it, so I can use it from my phone:
[https://pw.mkn.io/](https://pw.mkn.io/)

~~~
stevekemp
The biggest downside to this is that the names of your sites are in
plaintext.

------
baldfat
> logging in repeatedly

Repeatedly? Only at my work do I ever have to retype my password. My home is
logged in and my phone has a pin.

What repeatedly is driving you away?

PS Lastpass is best in class for me

EDIT: I never memorize my passwords for sites. After having friends who were
penetration testers I never do anything half-way secure. I actually can't wait
till I have some kind of rfid of some sort to access lastpass.

------
mtry1
Keeper - [https://keepersecurity.com/](https://keepersecurity.com/)

I've tested just about every password manager because it was up to me to
choose the most secure one for my company after we noticed some suspicious
activity going on.

There a few products I liked, but I can say unequivocally that Keeper is the
best solution for IT folks. It's hands down the most secure and it's the most
intuitive for people of all backgrounds.

Keeper generates 256-bit encryption keys using PBKDF2 with HMAC-SHA256 and a
minimum of 1,000 rounds, and user data is encrypted with 256-bit AES ciphers.
They're a zero knowledge platform, so the cipher keys to encrypt and decrypt
user records are not stored or transmitted to the cloud.

Works on every browser and platform, including Linux.

They have all of the standard password management features as well, like
autofilling logins, generating random, complex passwords, two-factor auth,
fingerprint login, etc... It's made my life a lot easier.

~~~
Old_Crow
My wife and I use this. I have an android phone and she has an iphone. We
share records back and forth and she really likes the touch id quick login.

------
chilicuil
I use a shell alias:

    alias getpass='_getpass() { _g=$(printf "sauce%s" "${*}" | md5sum | openssl enc -base64 | cut -c1-16); printf "%s" "${_g}" | xclip -selection clipboard 2>/dev/null || printf "%s\n" "${_g}"; }; _getpass'

like this:

    $ getpass mail@domain.lts

    $ getpass user@domain.lts   # for ssh logins

~~~
eli
Seems like that would be pretty annoying for passwords that must be changed
periodically (or even just occasionally).

~~~
chilicuil
yep, it doesn't allow changing passwords because of its fixed nature. I use it
for my personal needs

~~~
ntucker
Easy enough to include a version number as another arg with the identifier,
and include that in the hash. Then all you have to do is keep track of what
version each of your passwords is on, which is not sensitive information and
could be stored in greppable plaintext.
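The alias above rewritten with the version argument ntucker describes, as an added example (not chilicuil's alias or ntucker's own code): the version is folded into the hash and tracked in a plaintext file, so one password can be rotated without touching the others. It assumes md5sum and base64 from coreutils (base64 gives the same output as `openssl enc -base64` for an md5sum line), an optional xclip, and an assumed location for the version file.

```shell
#!/bin/sh
# Added example, not code from the thread: chilicuil's derivation with
# ntucker's version number mixed into the hash.

SECRET_PREFIX="${SECRET_PREFIX:-sauce}"               # "sauce" as in the original alias; keep it private
VERSION_FILE="${VERSION_FILE:-$HOME/.pass_versions}"  # assumed location; lines of "identifier version"

# derive_pass IDENTIFIER VERSION -> 16-character password, no trailing newline.
# Prefix, identifier and version are hashed together, so bumping the version
# gives an unrelated string for the same identifier.
derive_pass() {
    printf '%s%s:v%s' "$SECRET_PREFIX" "$1" "$2" | md5sum | base64 | cut -c1-16 | tr -d '\n'
}

# current_version IDENTIFIER -> last version recorded for it, or 1 if none.
# The file is plain text: nothing in it is secret, so it can be grepped freely.
current_version() {
    _v=$(awk -v id="$1" '$1 == id { v = $2 } END { if (v != "") print v }' \
            "$VERSION_FILE" 2>/dev/null || true)
    printf '%s' "${_v:-1}"
}

# bump_version IDENTIFIER -> appends version+1 to the file and prints it.
bump_version() {
    _n=$(( $(current_version "$1") + 1 ))
    printf '%s %s\n' "$1" "$_n" >> "$VERSION_FILE"
    printf '%s' "$_n"
}

# getpass IDENTIFIER -> password for the recorded version; copied to the
# clipboard when xclip works, printed otherwise (same fallback as the alias).
getpass() {
    _p=$(derive_pass "$1" "$(current_version "$1")")
    printf '%s' "$_p" | xclip -selection clipboard 2>/dev/null || printf '%s\n' "$_p"
}
```

Rotating a single site's password is then `bump_version mail@domain.lts` followed by the usual `getpass mail@domain.lts`.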

------
ftwinnovations
I use a secret scheme that only I know. It works like this - I have one single
long complex "base" password, which is no problem for me to remember, which
has letters, numbers, caps, and symbols so all password checkers are happy.
Then, for every site I change that password using my secret scheme. I won't
say what mine is, but an example is that I change the 3rd character to match
the 3rd character of the URL, and I add a character to the end equal to the
URL's first character, but shifted right one column on the keyboard (V becomes
B for example).

Basically it's one base password and one repeating scheme, that gives me a
unique complex password on every site, that's easy to remember, and doesn't
require any special software to maintain!

~~~
fallinghawks
I do something very similar - a base password made unique by the URL. The pain
in the behind is when you're on a site that requires a password change every X
days, and you have to make up something else.

~~~
webhat
For passwords that change I use something similar to the Dominic mnemonic
system to add a suffix to the password; this is for passwords that I really
need to remember myself.

------
raimue

    $ vim passwords.gpg

I configured vim to

a) automatically pipe *.gpg through gpg on open and write,

b) to not keep viminfo, swap files or undo history for these files, and

c) to close automatically if I leave this file open for longer than 10 seconds
without cursor movement.

This modeline at the top of the file hides everything besides the first
indentation level:

    
    
    # vim:set foldenable foldmethod=indent foldclose=all foldlevel=0 foldminlines=0 foldtext='\ \ (hidden)' fillchars+=fold\:\  :

I have been using this approach for years. There might be better alternatives
now, but this still works for me. I admit this is not perfect, as I still need
to look at the password in plaintext for copy and paste operations.

~~~
fj8pPoh1Jq4m
Would you mind sharing how you got 'b' & 'c' to work?

------
GrandTheftR
I use KeePass (and KeePassX on Mac OS), and use a network drive to store the DB
files.

For password security, I have different levels of passwords; for less
important services, I will just use a less secure password and will not store
it in the security DB.

------
tptacek
I use and recommend 1Password.

~~~
coherentpony
I also recommend this. I use it on my phone too. The downside is it's not
targeted towards linux users. That said you can hack together access via
Dropbox if you need access to your vault on linux.

~~~
cschmidt
Is there a writeup on how to access it via linux?

~~~
cpach
Here: [https://guides.agilebits.com/1password-mac/5/en/topic/1passw...](https://guides.agilebits.com/1password-mac/5/en/topic/1passwordanywhere)

------
woebtz
KeePassX (Mac) + cloud storage and unique "low security" derived passwords for
each service _1_.

I made a clone (lazypass.com) of passwordtable.com, so I could use a custom
no-look-alike's character set (sans-"iILl1...o0O", etc.) and to improve
lookups -- but the improvement, in practice, seems to be somewhat negligible.

I feel that important passwords should be stored on paper or encrypted for
a close friend/parent/spouse to recover should you get dead... is that kind of
a similar concern?

 _1_ Until they tell me to make a new one that can't be the same as the
previous. :(

------
fierycatnet
I use lastpass because it's been mentioned. It's been almost 2 years now and I
like it. It's pretty cheap and works on mobile, pretty convenient. I haven't
tried anything else.

------
mcbetz
Keepass (Win/Linux) and MacPass (Mac). Certainly not as polished as 1password,
but it's Open Source and cross platform.

And it has plugins for FF and Chrome for auto entry on websites (Win only so
far).

What I often use and enjoy a lot is its import and export functionality. For
example, if I want to add URLs to get auto completion working and I want to do
that in batch, I export a CSV, edit this in LibreOffice and import it back
into Keepass.

~~~
fluidcruft
The Achilles heel for Keepass for me (and what ultimately sent me to LastPass)
was that there wasn't any way to use it on a Chromebook conveniently (yes,
there's crouton, but I don't find that acceptable).

(It would be cool if something like Keepass could be built around smartcards
or these new-fangled U2F dongles... I've become quite a convert to the
smartcard approach after setting up my yubikey to work as an OpenPGP
smartcard.)

------
calcrafoord
[http://supergenpass.com/](http://supergenpass.com/)

I use a chrome extension and an android app most of the time, and the "mobile"
browser version when neither of those are handy.

I like the fact that nothing is ever stored anywhere. Feels clean.

------
usermac
I use a system. I use a general subject, then a number, then the service name. In
this way all my passwords are different yet memorable. So here it would be
"car44hackernews" and for facebook it would be "car44facebook".

------
rikkus
Spreadsheet in Google Docs, 2FA on Google to keep it safe. Passwords generated
with my generator here:
[https://without.azurewebsites.net/pass.html](https://without.azurewebsites.net/pass.html)
and kept to 64 chars where the service allows that many. Most get saved in the
browser, Remote Desktop Connection Manager, etc. - so I'm not looking them up
often.

I like the fact I can get to this from anywhere. Even from IE on my Windows
Phone, if I need to copy+paste (e.g. to log into the Spotify app after
installing it).

------
eli
I use KeePass synced over Dropbox to all my devices. My wife really likes
Dashlane, which has some neat (if a little scary) features like the ability to
automatically change many account passwords at once.

------
eterm
I use the same passwords across almost all my accounts. I realise it's not
secure but nearly everything that asks for a password doesn't need to be
secured.

The few I use a different password for are gmail, steam, my bank and my work
domain. Muscle memory kicks in quite quickly because they're all typed so
often, so while I can't actually remember what my password is to say it, I can
remember enough to start typing and the muscles take over.

I find when faced with a new password that just saying each character in my
head as I type them helps memorize them.

------
dpayonk
I use an internal (in my head) algorithm that is based (in part) on the domain
name of the site I log into. For example, ycombinator.com could be z4O9999asdf,
which represents:

[1 letter after domain][c is 3rd letter of alphabet][numeric letter
representation][last 4 SSN][pseudo counter]

It might not be as high tech as software, but I think it offers a reasonable
security / ease of use combo.

Note: This is nowhere near my algorithm and tokens have been made up for the
purposes of this example.

------
stffndtz
Mnemosyne
[https://www.subclassed.com/apps/mnemosyne/details](https://www.subclassed.com/apps/mnemosyne/details)

You can use it as a standalone generator, but also as a manager since it will
generate the same password for the correct name + passphrase + output
variables.

It's not much of a "useful" manager to me though, so I'm using Mnemosyne to
generate the passwords and 1password to store them. Works like a charm!

------
Patrick_Devine
I use KeePassX and keep copies of the database on my computer and on a thumb
drive. I've been looking for an alternative to TrueCrypt for the thumb drive.

------
mikro2nd
A Little Black Book and a Pencil.

------
thehoff
Another lastpass user here. I used to use an in memory algorithm like dpayonk
mentioned.

But having a family and lots of other obligations, others in the household had
to have an easy way of logging into sites (ie. financial).

Lastpass makes it easy. Just the one password for them. And I use the notes
feature quite a bit due to the reason mentioned above.

Two-factor on any site that allows it makes it a little tricky but that's all
explained in my lastpass notes.

------
gpvos
PasswordSafe (on Windows, Android, and under Wine on Mac), because I want to
own my data and not be forced or pressured to use some cloud service. Also,
PasswordSafe was the most secure according to some tests.

Currently still using DropBox to sync the password file and backups, but will
switch soon to ownCloud with my own server.

The Firefox password manager contains copies of many of the passwords, but I
don't sync those between machines.

------
rbcgerard
1password - it's expensive, but I am very happy with it...

~~~
oddevan
I use a combination of the free tier of 1password on the phone and iCloud
Keychain for Safari on everything. The canonical password is in iCloud, but if
it's a random/nonstandard password I also put it into 1password (often by
hand) since (a) TouchID makes 1password infinitely easier to unlock and (b)
it's easier to browse/view saved passwords in 1password versus opening
Settings then Safari then... you get the idea.

------
Old_Crow
Keeper: 256 bit client side encryption to Amazon S3. You can save passwords,
files, autofill website logins, fastfill to apps on android. Easy to share
info between other Keeper users. The app has a password generator and a
strength meter. All you need to remember is your master password. Free if you
only use it on one device, $9.99 if you sync it to the cloud and use it on
another device.

------
joeyrobert
PasswordSafe
([http://passwordsafe.sourceforge.net/](http://passwordsafe.sourceforge.net/))
for password storage + encryption. I sync the .psafe3 file using Bittorrent
Sync (Windows, Linux, Mac, Android and iOS clients). Works really well and I
own my data.

------
apricot13
I don't like to keep all my passwords in any one place. and some I refuse to
put in writing at all.

Basic passwords I keep in lastpass. Important ones are in multiple keepass
files - if an account requires two passwords I keep them in separate files.
Super important ones I have written down in various places.

------
gk1
Passpack [https://www.passpack.com/](https://www.passpack.com/)

------
EliRivers
I've got about 17 years' worth of passwords written in the pages of a book I
acquired 17 years ago.

I did back it up about three years ago with a photocopier. Probably about time
to do that again.

------
normloman
Keepass across platforms.

------
iamlolz
I use Lastpass Enterprise to manage the workplace users and their passwords,
overall it works quite well. For personal logins I use Keepass synced using
Google Drive.

------
sputnik27
I use 'pass', a simple shell script which uses gpg.
[http://www.passwordstore.org/](http://www.passwordstore.org/)

------
bob12345
I use a qwertycard, I don't see it as being 'low security', but obviously not
as convenient as the software password managers out there.

------
sam_lowry_
In git-encrypt: [https://github.com/shadowhand/git-encrypt](https://github.com/shadowhand/git-encrypt)

------
webjames
I've used Lastpass and Password Box in the past; however, I now use Dashlane.
I've found that it has a good UI and works well.

------
alexchantastic
1Password on all the platforms I use (OSX, iOS, and Windows). Great looking UI
and an abundance of features. Great support.

------
zuccs
I use 1Password for personal and Meldium for work so we can assign different
passwords to different users.

------
patatino
only in my head: e-banking / main e-mail account / master password for
1password

with 1password: sites like paypal, social stuff, other e-mail accounts, etc.

and for the not really important sites 2 different "trash" passwords (and some
combinations of them) only in my head

------
vilmosi
I remember them. Around 4 or 5 in total, depending on how much I care about
the account.

------
shmerl
KeepassX is a good option.

------
chriogenix
Lastpass premium, works well across all my devices. For a little more security
you can use a yubikey with Lastpass. This isn't without its issues but I think
it's sufficient for most.

------
masterofmisc
Lastpass here! - Been a user for a few years and haven't looked back.

------
migbac
Plain text file encrypted with Vim's Blowfish encryption

------
Killswitch
I feel like I go against the grain, I use OS X Keychain.

------
kitwalker12
Lastpass. Although all their apps, with the exception of the chrome extension,
could use more work.

------
brotoss
Memory

------
NeKrArXe
I use Dashlane.

