#1 Edited by MattyFTM (14348 posts) -

Hey guys, I've always tried to be reasonably secure with my passwords. I use unique passwords on my email and Whiskey Media, and I have multiple tiers of password I use on other sites depending on how much I care about the service, and how much personal information they hold. But in light of the recent Steam security breach I'm looking to get all 21st century with my password management and use one of the many pieces of software available to manage unique passwords on every site like LastPass or 1Password.

Does anyone use any of these things? Which ones would you recommend? I preferably need it to be free since money is tight, so LastPass is looking like the best option right now, but are there any better free offerings out there? I don't need it to work on phones or anything like that, I just need it to work on Windows.

Thanks.

#2 Posted by TheJohn (553 posts) -

Yeah, I'd like to know as well. Anyone?

#3 Posted by AhmadMetallic (18955 posts) -

Nope, I have unique passwords for my important accounts, 16-20 digits long, which I've either memorized or have written down on a piece of paper that I keep in my PC's desk drawer.

#4 Posted by Maluvin (264 posts) -

I've used KeePass and I dig it. I've also moved towards using pass phrases rather than passwords.

#5 Edited by snide (2413 posts) -

The two major players are 1Password and LastPass.

They both do relatively the same thing but in different ways. 1Password stores all of your data in a physical encrypted file on your personal machines. They simply build a really nice, clean retrieval piece of software that generates and accesses that file. That means that if you want to use 1Password in multiple places you must put that encrypted file onto Dropbox, so that it can be read and written to from several places. The other disadvantage is that if you didn't use Dropbox, and lost all the computers that had the software on it, you'd lose those files, and your passwords.

LastPass instead stores those passwords on its servers, rather than on a file. The advantage here is that you don't need to worry about setting up Dropbox to access those passwords, as it's natively baked into the service itself. The main disadvantage though is that now your passwords are stored on a single website, that while secure (and probably more secure than Dropbox) means that if the LastPass service itself was ever compromised, you'd be pretty fucked.

In general if I were to boil it down I'd say this about them.

  • 1Password is a clean, elegant product that requires some setup time and a Dropbox account. They charge you a one-time fee.
  • LastPass is a working, but utilitarian product that is easier to set up. They charge you a monthly fee.

Either is much better than reusing three passwords over and over. I personally use 1Password because I like their UI and extensions better. For your gaming or application passwords, I'd still recommend not using generated passwords, because they can be a bitch to look up and reenter. For Netflix, Steam, Battle.net and other passwords you plan to have to type in often I recommend the following...

#6 Edited by Emilio (3380 posts) -

Since money is tight, I recommend a pad of note paper and a pencil.

Jot down a sick password with numbers, lowercase and uppercase, and then type that into your sites.

Or better yet, type it in a text doc and then print that sucker out for a hard copy of your info!

#7 Posted by TheJohn (553 posts) -

Thanks guys.

At first glance, the XKCD strip seems to have the best idea, but @AhmadMetallic 's method of writing stuff down on paper is so crazy it might just work.

#8 Posted by nickb64 (214 posts) -

@MattyFTM: I really like LastPass, though I wish their mobile app was free instead of $12/year. As far as I know, it's free to use the browser extension and desktop Vault client, but like I said, the mobile app is $12/year.

#9 Posted by Kingfalcon (141 posts) -

If you're interested, I'd suggest you message Will Smith about this. The guys over at Tested actually discussed this at length in a podcast not too long ago and, like Dave, they preferred 1Password. I wish I could give you the podcast number, but I do not remember it myself, unfortunately.

#10 Posted by Winternet (8007 posts) -

Hmm, this got me interested. I was reading some stuff about it, but I'm not clear on the meaning of entropy.

#11 Posted by Burzmali (452 posts) -

I use an algorithm to generate a unique password for each site, based on something special about the site. This is the easiest, free way I've found to have unique, difficult to guess passwords for every site. As an example, you could do an algorithm like this (no, this isn't my algorithm):

1. Start the password with the last three characters of the website address, reversed, but change each letter in some way based on something else you always have with you. For instance, look at the keyboard and change the first letter to the letter immediately to the left on the keyboard. Change the second to the letter or number that is up a row on the keyboard, and the third to the letter on the right. Wrap around the keyboard as necessary. In the case of Giant Bomb, this would be 'vkp'.

2. Add a constant string of letters that you capitalize based on some info about the website. Example: add 'car' and capitalize the letter closest to the first letter of the website name ('Car' for this site).

3. Add a certain number of repeating character pairs based on how you feel about some aspect of the website. e.g. If Giant Bomb is my second favorite video game site, then I have '@3@3@3' at the end.

The end result is the password vkpCar@3@3@3. Contrast that to my password for Yahoo, which would be i0jcaR3$3$3$. Ultimately, this means someone would have to get a couple of my passwords in order to figure out my login info for every site I visit. And even then, they'd have to put in some significant effort to figure out the algorithm, and they'd have to know my opinion of the site with relation to other similar sites.

It sounds complex, but you get used to it really quickly. I've been doing this since the Gawker hack and it took all of a couple days to get used to it.
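
Burzmali's three steps, written out as an added example (this is not Burzmali's own code, and the post does not say what its "real" algorithm is). Assumptions: a US QWERTY layout where "up a row" is the key one position to the right in the row above, which is the reading that gives the post's own m -> k and o -> 0; the "website address" is the label before the TLD; and the step-3 pair is passed in, because the two examples in the post ('@3' for second favourite, '3$' for third) do not pin down one rule. The second half shows the attacker's side: once the scheme is known, only the two-character pair is a secret, so a single leaked password plus the site name leaves at most 94 x 94 candidates to try.

```python
import string
from itertools import product

# US QWERTY rows, top to bottom, without the backtick key. With this layout
# "up a row" means the key one position to the right in the row above, which is
# the reading that reproduces the post's own examples (m -> k, o -> 0).
QWERTY_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]


def _locate(ch):
    for r, row in enumerate(QWERTY_ROWS):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch!r} is not on the keyboard map")


def key_left(ch):
    r, i = _locate(ch)
    row = QWERTY_ROWS[r]
    return row[(i - 1) % len(row)]          # wraps around the row


def key_right(ch):
    r, i = _locate(ch)
    row = QWERTY_ROWS[r]
    return row[(i + 1) % len(row)]


def key_up(ch):
    r, i = _locate(ch)
    above = QWERTY_ROWS[(r - 1) % len(QWERTY_ROWS)]   # top row wraps to bottom
    return above[(i + 1) % len(above)]


def site_name(address):
    """'www.giantbomb.com' -> 'giantbomb' (assumption: the label before the TLD)."""
    labels = address.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def step1_prefix(name):
    """Last three letters of the name, reversed, then left / up / right shifted."""
    last3 = name[-3:][::-1]
    return key_left(last3[0]) + key_up(last3[1]) + key_right(last3[2])


def step2_tag(name, tag="car"):
    """Constant word, capitalising the letter alphabetically closest to the name's first letter."""
    first = name[0]
    pos = min(range(len(tag)), key=lambda k: abs(ord(tag[k]) - ord(first)))
    return tag[:pos] + tag[pos].upper() + tag[pos + 1:]


def step3_suffix(pair, repeats=3):
    """The 'how I feel about the site' part: one two-character pair, repeated."""
    return pair * repeats


def derive_password(address, pair):
    name = site_name(address)
    return step1_prefix(name) + step2_tag(name) + step3_suffix(pair)


# --- the attacker's view -----------------------------------------------------
PAIR_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def recover_pair(address, leaked_password):
    """From one leaked password, strip the parts that follow from the site name."""
    name = site_name(address)
    base = step1_prefix(name) + step2_tag(name)
    if not leaked_password.startswith(base):
        return None
    suffix = leaked_password[len(base):]
    pair = suffix[:2]
    return pair if suffix == step3_suffix(pair) else None


def attacker_candidates(address):
    """Once the scheme is known, only the pair is secret: at most 94**2 guesses per site."""
    name = site_name(address)
    base = step1_prefix(name) + step2_tag(name)
    return [base + step3_suffix(a + b) for a, b in product(PAIR_ALPHABET, repeat=2)]
```

`derive_password("www.giantbomb.com", "@3")` gives `vkpCar@3@3@3` and `derive_password("yahoo.com", "3$")` gives `i0jcaR3$3$3$`, matching the post. The point of `attacker_candidates` is that the twelve characters carry about thirteen bits of secret (two symbols from 94), and that the pair is structured (a digit and a shifted digit) shrinks that further; the scheme's strength rests on the attacker not knowing the recipe, not on the passwords being unrelated.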

#12 Posted by BionicRadd (617 posts) -

@Burzmali said:

I use an algorithm to generate a unique password for each site, based on something special about the site. This is the easiest, free way I've found to have unique, difficult to guess passwords for every site. As an example, you could do an algorithm like this (no, this isn't my algorithm):

1. Start the password with the last three characters of the website address, reversed, but change each letter in some way based on something else you always have with you. For instance, look at the keyboard and change the first letter to the letter immediately to the left on the keyboard. Change the second to the letter or number that is up a row on the keyboard, and the third to the letter on the right. Wrap around the keyboard as necessary. In the case of Giant Bomb, this would be 'vkp'.

2. Add a constant string of letters that you capitalize based on some info about the website. Example: add 'car' and capitalize the letter closest to the first letter of the website name ('Car' for this site).

3. Add a certain number of repeating character pairs based on how you feel about some aspect of the website. e.g. If Giant Bomb is my second favorite video game site, then I have '@3@3@3' at the end.

The end result is the password vkpCar@3@3@3. Contrast that to my password for Yahoo, which would be i0jcaR3$3$3$. Ultimately, this means someone would have to get a couple of my passwords in order to figure out my login info for every site I visit. And even then, they'd have to put in some significant effort to figure out the algorithm, and they'd have to know my opinion of the site with relation to other similar sites.

It sounds complex, but you get used to it really quickly. I've been doing this since the Gawker hack and it took all of a couple days to get used to it.

I do something similar, but this post is extra entertaining in light of the XKCD strip above

#13 Posted by Burzmali (452 posts) -

@BionicRadd said:

I do something similar, but this post is extra entertaining in light of the XKCD strip above

The XKCD suggestion, with 25 characters, is harder to be worked out by a computer, but almost all websites have a limit of 20 or fewer characters (16 is the most common limit IIRC). Picking 4 random 4- or 5-letter words (or some other variation that adds up to 16 or 20) isn't nearly as difficult to work out by a computer, especially since it's susceptible to a dictionary attack.

Anyway, no password is completely safe, but the algorithm method incorporates more password security ideas while still being easy to remember and keeping safe the passwords used for other sites. It's pretty rare for a hacker to try to brute-force a password. Much more often, the person guesses a weak password, gets a password from a weaker site and assumes (often correctly) that their target uses that same password all over the place, or simply gets some accounts that were stolen in a mass crack like the PSN/Gawker/Steam attacks.
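
Winternet asked what entropy means, and the post above weighs the XKCD four-word passphrase against sites that cap passwords at 16 or 20 characters. This added example (from the editor, not from any poster) puts numbers on both: entropy counts only the choices an attacker has to guess, so four words drawn from a 2048-word list are 44 bits whether the words are four letters or eight; what a length cap shrinks is the usable word list; and whether 44 bits is enough depends on the guess rate, which is where "mass crack" leaks come in. The 300-word short list and the two guess rates (1,000/s for a throttled web login, which is the figure the XKCD strip uses, and 10^10/s for an offline attack on a leaked fast hash) are assumptions for illustration.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def bits_for_choices(pool_size, picks):
    """Entropy (bits) of `picks` independent, uniform draws from `pool_size` options.
    Depends only on how the password was chosen, never on how long it looks."""
    return picks * math.log2(pool_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def fits_limit(password, max_length):
    return len(password) <= max_length


def random_words(wordlist, picks=4, sep=""):
    """Diceware/XKCD-style passphrase: the secret is *which* words, not their letters.
    secrets.choice is a CSPRNG; random.choice would not be."""
    return sep.join(secrets.choice(wordlist) for _ in range(picks))


def random_chars(alphabet, length):
    """What a password manager's generator produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes(site_limit=16, online_rate=1e3, offline_rate=1e10):
    """Entropy and exhaustive-search time for the schemes argued over in the thread.
    Rates are assumptions: ~1000 guesses/s for a throttled web login (the XKCD
    figure), 1e10/s for an offline attack on a leaked, unsalted fast hash."""
    schemes = {
        # name: (bits, typical length in characters)
        "4 words, 2048-word list (XKCD)": (bits_for_choices(2048, 4), 25),
        "4 short words, 300-word list":   (bits_for_choices(300, 4), 16),
        "8 random printable chars":       (bits_for_choices(94, 8), 8),
        "16 random printable chars":      (bits_for_choices(94, 16), 16),
    }
    report = {}
    for name, (bits, typical_len) in schemes.items():
        report[name] = {
            "bits": round(bits, 1),
            "fits_limit": typical_len <= site_limit,
            "online_years": years_to_exhaust(bits, online_rate),
            "offline_years": years_to_exhaust(bits, offline_rate),
        }
    return report


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(f"{name:32} {row['bits']:6.1f} bits  fits 16? {row['fits_limit']!s:5}  "
              f"online {row['online_years']:.3g} y  offline {row['offline_years']:.3g} y")
```

Running it shows the trade-off Burzmali is pointing at: the 25-character XKCD phrase does not fit a 16-character box, and cutting the list down to short words drops the passphrase to about 33 bits, while 16 generated characters from a manager are about 105 bits and fit the same box. The 44-bit phrase holds up for centuries against a throttled login but falls in seconds to an offline attack on a leaked hash, which is why a breach at one site matters even if your password there was decent.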

#14 Posted by nickb64 (214 posts) -

@Kingfalcon: I believe it was this most recent one or the one previous. I think it might have been the previous one, since I think Gary was on the show, and this most recent one, he was out of town down here in LA.

#15 Posted by BabyChooChoo (4303 posts) -

@Maluvin said:

I've used KeePass and I dig it. I've also moved towards using pass phrases rather than passwords.

This. I also upload the password file to my email storage and back it up onto my external HDD every few days just so I have a backup copy in case my computer blows up.

#16 Posted by MonkeyKing1969 (2575 posts) -

Improving your memory to recall passwords is the best tactic to use. In your head is the best protection until someone discovers mind reading. I don't write down passwords ever.

Just make a system that you ALWAYS use to make passwords. Memory tricks are easy to use and foolproof unless you damage your brain...in which case you're already f'ed.

#17 Posted by Dagbiker (6939 posts) -

I use roboform and have it on my stick.

#18 Posted by MattyFTM (14348 posts) -

So I decided to go for LastPass since it seems to be the best option that is free. It's $1 a month for the mobile apps, but as I said, I just need it for my computer. I'm finding it really good so far. Aside from an accident where I nearly deleted my newly generated Whiskey Media password (fortunately it was still on my clipboard, and even if it wasn't I've since found out that LastPass has a way to access deleted passwords) it's been great. It's easy to use, generates and remembers passwords and I can access them all from the web interface, so even if I'm on another computer I can access my passwords without downloading any software.

I've kept my email password as something I can remember since I was paranoid that for some inexplicable reason LastPass could disappear from the internet and take my passwords with it. That way, I can still access my email and use forgotten password systems to access stuff. Plus I use Google's 2 step verification, so I could have a super weak password that everyone knows, and they still couldn't access it unless they also had my phone.

It still feels weird not knowing my passwords, and thinking that they're up in the cloud, but it's a better option than having to change my password on a million websites every time something I use gets hacked. Now I've just got to pray that LastPass never gets hacked.
