Password Management Software.

#1  Edited By MattyFTM  Moderator

Hey guys, I've always tried to be reasonably secure with my passwords. I use unique passwords on my email and Whiskey Media, and I have multiple tiers of password I use on other sites depending on how much I care about the service, and how much personal information they hold. But in light of the recent Steam security breach I'm looking to get all 21st century with my password management and use one of the many pieces of software available to manage unique passwords on every site like Lastpass or 1password.

Does anyone use any of these things? Which ones would you recommend? I preferably need it to be free since money is tight, so Lastpass is looking like the best option right now, but are there any better free offerings out there? I don't need it to work on phones or anything like that, I just need it to work on Windows.

Thanks.

#2  Edited By TheJohn

Yeah, I'd like to know as well. Anyone?

#3  Edited By AhmadMetallic

Nope, I have unique passwords for my important accounts, 16-20 digits long, which I've either memorized or have written down on a piece of paper that I keep in my PC's desk drawer.

#4  Edited By Maluvin

I've used KeePass and I dig it. I've also moved towards using pass phrases rather than passwords.

#5  Edited By snide

The two major players are 1Password and LastPass.

They both do relatively the same thing but in different ways. 1Password stores all of your data in a physical encrypted file on your personal machines. They simply build a really nice, clean retrieval piece of software that generates and accesses that file. That means that if you want to use 1password in multiple places you must put that encrypted file onto Dropbox, so that it can be read and written to from several places. The other disadvantage is that if you didn't use dropbox, and lost all the computers that had the software on it, you'd lose those files, and your passwords.

LastPass instead stores those passwords on its servers, rather than in a file. The advantage here is that you don't need to worry about setting up Dropbox to access those passwords, as it's natively baked into the service itself. The main disadvantage though is that now your passwords are stored on a single website, which while secure (and probably more secure than Dropbox) means that if the LastPass service itself was ever compromised, you'd be pretty fucked.

In general if I were to boil it down I'd say this about them.

  • 1password is a clean, elegant product that requires some setup time and a dropbox account. They charge you a 1 time fee.
  • Lastpass is a working, but utilitarian product that is easier to set up. They charge you a monthly fee.

Either is much better than reusing three passwords over and over. I personally use 1password because I like their UI and extensions better. For your gaming or application passwords, I'd still recommend not using generated passwords, because they can be a bitch to look up and reenter. For Netflix, Steam, Battle.net and other passwords you plan to have to type in often I recommend the following...

[Image: XKCD comic strip on passphrase strength]

#6  Edited By Emilio

Since money is tight, I recommend a pad of note paper and a pencil.

Jot down a sick password with numbers, lowercase and uppercase, and then type that into your sites.

Or better yet, type it in a text doc and then print that sucker out for a hard copy of your info!

#7  Edited By TheJohn

Thanks guys.

At first glance, the XKCD strip seems to have the best idea, but @AhmadMetallic's method of writing stuff down on paper is so crazy it might just work.

#8  Edited By nickb64

@MattyFTM: I really like Lastpass, though I wish their mobile app was free instead of $12/year. As far as I know, it's free to use the browser extension and desktop Vault client, but like I said, the mobile app is $12/year.

#9  Edited By Kingfalcon

If you're interested, I'd suggest you message Will Smith about this. The guys over at Tested actually discussed this at length in a podcast not too long ago and, like Dave, they preferred 1Password. I wish I could give you the podcast number, but I do not remember it myself, unfortunately.

#10  Edited By Winternet

Hmm, this got me interested. I was reading some stuff about it, but I'm not clear on the meaning of entropy.

#11  Edited By Burzmali

I use an algorithm to generate a unique password for each site, based on something special about the site. This is the easiest, free way I've found to have unique, difficult to guess passwords for every site. As an example, you could do an algorithm like this (no, this isn't my algorithm):

1. Start the password with the last three characters of the website address, reversed, but change each letter in some way based on something else you always have with you. For instance, look at the keyboard and change the first letter to the letter immediately to the left on the keyboard. Change the second to the letter or number that is up a row on the keyboard, and the third to the letter on the right. Wrap around the keyboard as necessary. In the case of Giant Bomb, this would be 'vkp'.

2. Add a constant string of letters that you capitalize based on some info about the website. Example: add 'car' and capitalize the letter closest to the first letter of the website name ('Car' for this site).

3. Add a certain number of repeating character pairs based on how you feel about some aspect of the website. e.g. If Giant Bomb is my second favorite video game site, then I have '@3@3@3' at the end.

The end result is the password vkpCar@3@3@3. Contrast that to my password for Yahoo, which would be i0jcaR3$3$3$. Ultimately, this means someone would have to get a couple of my passwords in order to figure out my login info for every site I visit. And even then, they'd have to put in some significant effort to figure out the algorithm, and they'd have to know my opinion of the site with relation to other similar sites.

It sounds complex, but you get used to it really quickly. I've been doing this since the Gawker hack and it took all of a couple days to get used to it.

#12  Edited By BionicRadd

@Burzmali said:

I use an algorithm to generate a unique password for each site, based on something special about the site. This is the easiest, free way I've found to have unique, difficult to guess passwords for every site. As an example, you could do an algorithm like this (no, this isn't my algorithm):

1. Start the password with the last three characters of the website address, reversed, but change each letter in some way based on something else you always have with you. For instance, look at the keyboard and change the first letter to the letter immediately to the left on the keyboard. Change the second to the letter or number that is up a row on the keyboard, and the third to the letter on the right. Wrap around the keyboard as necessary. In the case of Giant Bomb, this would be 'vkp'.

2. Add a constant string of letters that you capitalize based on some info about the website. Example: add 'car' and capitalize the letter closest to the first letter of the website name ('Car' for this site).

3. Add a certain number of repeating character pairs based on how you feel about some aspect of the website. e.g. If Giant Bomb is my second favorite video game site, then I have '@3@3@3' at the end.

The end result is the password vkpCar@3@3@3. Contrast that to my password for Yahoo, which would be i0jcaR3$3$3$. Ultimately, this means someone would have to get a couple of my passwords in order to figure out my login info for every site I visit. And even then, they'd have to put in some significant effort to figure out the algorithm, and they'd have to know my opinion of the site with relation to other similar sites.

It sounds complex, but you get used to it really quickly. I've been doing this since the Gawker hack and it took all of a couple days to get used to it.

I do something similar, but this post is extra entertaining in light of the XKCD strip above

#13  Edited By Burzmali

@BionicRadd said:

@Burzmali said:

I use an algorithm to generate a unique password for each site, based on something special about the site. This is the easiest, free way I've found to have unique, difficult to guess passwords for every site. As an example, you could do an algorithm like this (no, this isn't my algorithm):

1. Start the password with the last three characters of the website address, reversed, but change each letter in some way based on something else you always have with you. For instance, look at the keyboard and change the first letter to the letter immediately to the left on the keyboard. Change the second to the letter or number that is up a row on the keyboard, and the third to the letter on the right. Wrap around the keyboard as necessary. In the case of Giant Bomb, this would be 'vkp'.

2. Add a constant string of letters that you capitalize based on some info about the website. Example: add 'car' and capitalize the letter closest to the first letter of the website name ('Car' for this site).

3. Add a certain number of repeating character pairs based on how you feel about some aspect of the website. e.g. If Giant Bomb is my second favorite video game site, then I have '@3@3@3' at the end.

The end result is the password vkpCar@3@3@3. Contrast that to my password for Yahoo, which would be i0jcaR3$3$3$. Ultimately, this means someone would have to get a couple of my passwords in order to figure out my login info for every site I visit. And even then, they'd have to put in some significant effort to figure out the algorithm, and they'd have to know my opinion of the site with relation to other similar sites.

It sounds complex, but you get used to it really quickly. I've been doing this since the Gawker hack and it took all of a couple days to get used to it.

I do something similar, but this post is extra entertaining in light of the XKCD strip above

The XKCD suggestion, with 25 characters, is harder for a computer to work out, but almost all websites have a limit of 20 or fewer characters (16 is the most common limit IIRC). Picking 4 random 4- or 5-letter words (or some other variation that adds up to 16 or 20) isn't nearly as difficult for a computer to work out, especially since it's susceptible to a dictionary attack.

Anyway, no password is completely safe, but the algorithm method incorporates more password security ideas while still being easy to remember and keeping safe the passwords used for other sites. It's pretty rare for a hacker to try to brute-force a password. Much more often, the person guesses a weak password, gets a password from a weaker site and assumes (often correctly) that their target uses that same password all over the place, or simply gets some accounts that were stolen in a mass crack like the PSN/Gawker/Steam attacks.

#14  Edited By nickb64

@Kingfalcon: I believe it was this most recent one or the one previous. I think it might have been the previous one, since I think Gary was on the show, and this most recent one, he was out of town down here in LA.

#15  Edited By BabyChooChoo

@Maluvin said:

I've used KeePass and I dig it. I've also moved towards using pass phrases rather than passwords.

This. I also upload the password file to my email storage and back it up onto my external HDD every few days just so I have a backup copy in case my computer blows up.

#16  Edited By monkeyking1969

Improving your memory to recall passwords is the best tactic to use. In your head is the best protection until someone discovers mind reading. I don't write down passwords ever.

Just make a system that you ALWAYS use to make passwords. Memory tricks are easy to use and foolproof unless you damage your brain...in which case you're already f'ed.

#17  Edited By Dagbiker

I use roboform and have it on my stick.

#18  Edited By MattyFTM  Moderator

So I decided to go for LastPass since it seems to be the best option that is free. It's $1 a month for the mobile apps, but as I said, I just need it for my computer. I'm finding it really good so far. Aside from an accident where I nearly deleted my newly generated Whiskey Media password (fortunately it was still on my clipboard, and even if it wasn't I've since found out that LastPass has a way to access deleted passwords) it's been great. It's easy to use, generates and remembers passwords and I can access them all from the web interface, so even if I'm on another computer I can access my passwords without downloading any software.

I've kept my email password as something I can remember since I was paranoid that for some inexplicable reason LastPass could disappear from the internet and take my passwords with it. That way, I can still access my email and use forgotten password systems to access stuff. Plus I use Google's 2 step verification, so I could have a super weak password that everyone knows, and they still couldn't access it unless they also had my phone.

It still feels weird not knowing my passwords, and thinking that they're up in the cloud, but it's a better option than having to change my password on a million websites every time something I use gets hacked. Now I've just got to pray that LastPass never gets hacked.