Ask HN: Where are you storing your passwords?

9 points by icoloma 13 years ago · 19 comments · 1 min read


Linux passwords, database passwords, third-party system passwords, mail passwords... At some point they have to be written down somewhere, and the possibility of a plain text file leaking online gives me the creeps. Manual encryption means that at some point (while editing) it exists unencrypted on disk, and a leak could happen (a backup copy of your text editor, for example).

I am not talking about browser plugins that can help only with web-based interfaces. The mix-up of interfaces means that at some point you have to write them down, securely. How are you guys doing it?

adpd 13 years ago

I use KeePass (http://keepass.info/) to manage all of my passwords.

From their website:

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

I'm always keen to manage my passwords in the best possible way, so I'll be following this discussion closely to see if I should be modifying my tools and practices.

speeder 13 years ago

In my head =D

At first I used one password for everything. Then two, but that was an accident (i.e., I forgot to change one default auto-password but got so used to it that I started to use it in other places).

Then the first one was cracked. I changed passwords in lots of places, and started to use 3 passwords total.

As this kept ballooning, I decided to instead create rules for my passwords (rules that only make sense to me, of course, they are totally arbitrary and almost random).

The result is that I now have about 20 different passwords, but I can remember them all with enough effort. Sometimes there is a random site that I haven't used in a while that I cannot log in to at first, but as I try several of the possible variations of my rules, eventually it works (erm... or not :P this has happened a couple of times already, and I needed a password reset).

My associate uses LastPass.

  • brandoncor 13 years ago

    Did you find out who cracked it? And how did you find out? Just curious if you were targeted specifically.

    • stevekemp 13 years ago

      I had a password exposed via a compromise/dump of the perlmonks.org website a year or two ago.

      That didn't bother me since I use per-site passwords, stored in a pwsafe database. But it is an example of sites compromising passwords.

sp0rk 13 years ago

I'm surprised LastPass hasn't been mentioned yet. I've had nothing but good experiences with the company and the product itself. It is primarily a browser plugin for storing web passwords and sensitive information but you can also use the secure notes feature to store passwords for other applications. There are several multi-factor authentication options available as well.

  • ja27 13 years ago

    I use LastPass with the Google 2-factor authentication app. I also keep some secure notes in it.

ScottWhigham 13 years ago

This topic comes up all the time. You might want to do a search and sift through some of the other popular threads.

  • icoloma (OP) 13 years ago

    I did a search on HN and SO and found nothing. Do you have a link to investigate further?

sdoering 13 years ago

Me, I have them all stored in my mind. But I made it a little bit easier for myself. I have 3 standard passwords that I change two or three times a year. Each one of them is used on multiple accounts, but each one is appended with something specific for every use case.

For example: d453ER#T p0NY_jondoe@MoogleGail could be a password for one GMail account with the alias jondoe, while for Facebook, the passwd might be d453ER#T p0NY_jondoe@Fratzenbuch (Fratzenbuch is German denigration for Facebook) for the FB account with the GMail address from above.

I hope this did help you...

alok-g 13 years ago

I store the first and last characters of my passwords in plain text on my local machine. It's enough to remind me what my password is, while still remaining unknown for anyone else.

Well, actually my browser homepage is a simple HTML file carrying all my bookmarks, residing locally on my machine. This is much better than having a largely blank Google home page and having bookmarks additional clicks away. This HTML file has website links together with the first/last password letters next to them.

lordkinboat 13 years ago

I use Keychain on Mac OS X to store passwords automatically and I make password protected notes for sites or apps where passwords are not recommended correctly.

I make general rules for passwords and follow those. I also use poor, easily memorisable passwords for various sites that I don't deem important but require a login and password.

skosch 13 years ago

I have a random 8-letter password memorized (includes uppercase and numbers), but I prepend the first 2 characters of the md5-hash of the service's/website's name. That way I just have to quickly open a terminal whenever I forget a password.

I recently learned about YPassword and I think it's a similar idea.
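An added example, not part of the original comment: the md5-prefix scheme described above next to a key-derivation alternative, showing how much of each password is shared across sites. The base secret, the service names and the `kdf_password` function are assumptions constructed for illustration.

```python
import base64
import hashlib
from typing import Optional

def md5_prefix_password(base: str, service: str) -> str:
    """Scheme from the comment: 2 hex chars of md5(service) + memorized base."""
    return hashlib.md5(service.encode()).hexdigest()[:2] + base

def exposed_base(leaked: str, service: str) -> Optional[str]:
    """What one breached site's plaintext password reveals under that scheme."""
    prefix = hashlib.md5(service.encode()).hexdigest()[:2]
    return leaked[2:] if leaked.startswith(prefix) else None

def kdf_password(master: str, service: str, length: int = 16) -> str:
    """Alternative (assumption, not from the thread): PBKDF2 over the master
    with the service name as salt, so no reusable part appears in the output."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), service.encode(), 200_000)
    return base64.urlsafe_b64encode(raw).decode()[:length]

def common_suffix_len(a: str, b: str) -> int:
    """Number of trailing characters two passwords share."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n

BASE = "Xk3mQ9tB"                       # constructed 8-character secret
SERVICES = ["github", "gmail", "bank"]  # constructed service names

if __name__ == "__main__":
    weak = {s: md5_prefix_password(BASE, s) for s in SERVICES}
    strong = {s: kdf_password(BASE, s) for s in SERVICES}
    for s in SERVICES:
        print(f"{s:8} md5-prefix={weak[s]}  kdf={strong[s]}")
    # Only the 2-character prefix (256 possible values) differs per site.
    print("shared tail, md5-prefix:", common_suffix_len(weak["github"], weak["gmail"]))
    print("shared tail, kdf:       ", common_suffix_len(strong["github"], strong["gmail"]))
    print("base exposed by one leak:", exposed_base(weak["github"], "github"))
```

The derived form cannot be recomputed in your head, and changing a single site's password requires adding something like a counter to the salt.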

ishbits 13 years ago

LastPass with a premium subscription so I can use the mobile app.

I chose LastPass as I use Linux, Mac and iOS daily. I used to use KeePassX, but eventually found that LastPass fit my usage patterns better.

e1ven 13 years ago

1Password on OSX is one of the only blockers from using Linux as my primary desktop right now. I've tried LastPass, KeePass, and others, but haven't found anything that works as well ;(

  • ubercow13 13 years ago

    Can you elaborate on how it's better than LastPass, if you can remember the differences? I'm using LP at the moment as 1Password is considerably more expensive but I'd be interested to know in what sense it might be worth the extra?

  • modi123 13 years ago

    I started using 1Password a month ago (half price during the Macworld sales). But I only use it for important services like email and Dropbox, because I am too lazy to type the master password.

eduardordm 13 years ago

After reading Moonwalking with Einstein I started to exercise my memory skills and now I just use my brain.
