Password management
- Anmelden oder Registrieren um Kommentare zu schreiben
I saw a few articles on Ars about password management and whatnot. Their conclusion is to basically use a password mananger (they end up recommending propietary software), but of course there are free alternatives. It got me to wondering, though, what does the community use? Do you guys use a random password generator? If so, how do you securely store or remember passwords?
I use random passwords (base64-encoded, 48 bits of entropy:
8 characters), one for each site, all written on several pages in my
wallet. It solves remote problems (if anyone gets my password from a
site, they already control that site, they won't get access to other
sites). (Guessing the password for a site is imo impractical, changing
them should help.)
This solution depends too strongly on physical security and not losing
the wallet (and limits the choice of wallets and clothing to ones that
can fit the password list). It has another problem: many such random
passwords do not contain special symbols required by some sites.
I know several other solutions:
- some first digits of SHA2 sum of a single secret + site domain name;
needs a terminal
- an encrypted file with passwords: I don't know a good solution for its
synchronization between multiple computers; not ok for computers that
I trust for some passwords only
- single password, OpenID, etc: bad for security and won't work for
sites not supporting it or requiring frequent password changes
- easy to remember passwords (http://xkcd.com/936/): imo not practical
for 70+ sites requiring them
I decide my passwords manually. They're not random, but based on random phrases. A fake example:
G2ye$4a^
(This example stands for "go to the money for a carrot".)
They're not easy to remember, but if I use the password often, I'll end up remembering them fairly quickly. In the meantime, I store them all somewhere, but in a tricky way so that casual lookers and novices trying to find out my passwords don't see the right ones.
I use a kind of "algorithm" to convert data only I know into passwords. Sounds very abstract.
Example: Take your five favorite flowers, choose x unchangeable attributes of this flower and arrange everything like:
Nameoftheflower_attribute1_attribute2_attribute3
You have to remember this order.
With this you look up the values of the attributes and generate the passwords.
I know, flowers are a bad example.
You need something with many alternatives, for instance musicians.
If someone cracks one of your passwords, it's unlikely that he supposes a kind of scheme in the password. If he does, it's very unlikely he will recognize the bunch of numbers as attributes of the flowers, if you chose them cleverly, AND finds the right flowers.
Though, it's not impossible, and that's the disadvantage of my method.
The advantage is:
Different passwords for each site and you only have to remember one.
You can find the others by trying out your favorite flowers and looking up the proper attributes.
I use KeePassx. It has a good password generator with the option to collect entropy. Allows me to have long, randomly generated passwords for each requirement. The password database is protected by a password which can be a long phrase and include all sorts of characters including spaces. You can also link it up to a password file which you can keep on a USB pen drive for extra security.
For most internet services I use passwords generated by apg, and they
look like this.
The apg string I use is " apg -a 1 -n 3 -x 15 -m 15 -M LN ".
This passwords, I store in a password protected LibreOffice Calc
document hidden around and with the file type termination removed/changed.
For devices (like root or portable) I use passwords created based on the
querty keyboard as such: 2-3 letters, 2-3 numbers until I reach 19
characters, each character from the opposite side of the keyboard; then
I throw a "special" character inside and replace a couple with something
that helps me identify the device. The device passwords I change every
six months by changing just 3-4 characters.
--
I use: trisquel.info | fsf.org | eff.org | torproject.org | flattr.com
| duckduckgo.com | h-node.com | skepdic.com | riseup.net |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
In the past I've used Lastpass, but that is a proprietary solution so I don't use it anymore. I currently have my passwords stored in a GPG-encrypted text file on my hard drive, but that's not a long-term solution. They're all different, contain letters, numbers and symbols, and each one uses the maximum number of characters allowed by that particular site. Sites that don't have a maximum get 100 characters.
KeePass looks interesting, is 100% free, and runs under Wine/Mono. It has a good random password generator, plugins to allow synchronisation across computers, two-factor authentication, Firefox integration, and more. I think this is the future.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAlIJYRYACgkQgijxUCZnvlsEDQEAvCAMMGezcPnwcsnG2cCqXH0U
2NsMosi/RSw6IubqKiYBAKMwOiqbWWVj2TjKJDruX04Ba1t0tqqhnWwmy7xetQJC
=kSWH
-----END PGP SIGNATURE-----
- Anmelden oder Registrieren um Kommentare zu schreiben