Managing your passwords - what's your strategy?

Cytherian

Vista Guru
As many of you are probably aware, it is important to have a strong password--something not easily guessed or hacked. You'll find that in many cases where you are registering on a website, you'll be given some interactive feedback on how strong your password is (e.g. "1234" is extremely weak, "Joe1234" is a little better, and "Joe_1234_Montana" is strong).

Using the same user ID and password in all places is often discouraged. So, in time you'll find that you've amassed quite a number of different credentials (for e-mail, website login, banking, etc). How do you keep track of them? Well, if you are able to keep your life rather simple, you may have 2-3 different credentials so it's not hard to remember them. But what if you've got dozens?

While I try to help ease the effort of remembering passwords by using a fairly consistent pattern (like taking the initials of a website, embedding a combination of numbers and dashes that isn't my birthday or SSN and is easy for me to remember, followed by my initials), I began to find that the task of remembering all of them was a bit daunting. (NOTE: For accounts that require significant security, such as banking, I use a different password string pattern I won't disclose here). So, I had to find a workable solution.

There are a number of different solutions to managing your passwords. Here are three I've come to know:

  • The first and easiest of all is to write them down in a private notebook or on paper that you keep handy yet locked away for safekeeping. It's not electronic, so it has absolutely no direct connection at all to the source and is completely invulnerable to hacking. But, it's not easily revised/edited without looking sloppy, cannot be centralized for access from multiple places, and has the capability of being lost or damaged.
  • The second way is to use a 3rd party software program for managing credentials. There are a number of them available for download on the Internet. Some are free and some require a nominal fee. Are they a good solution? Well, that depends upon their approach. If they create a 128-bit encrypted file with a seed that only you know, that's pretty good. But there's also the matter of portability. If the password file is installed and embedded in your system, you can't easily copy it elsewhere for safekeeping and reference for when you're away from your computer. You always need the client software to read it. One easy way around this is to have a USB drive with the credential software installed on it, so you can take it with you. Yet, there is also an on-line solution called LastPass (see Tom982's post below).
  • The third way is to create your own password file. Now, anytime you put data in a file, there is the chance that it could be copied and read by someone else. You do not want to create a file called "passwords.txt" and have "username, password" labeled on your credentials. At the very least, you'll want to use a file type that you can easily password protect. Microsoft Excel has 2 levels of security, one for reading and one for modifying. Although talented hackers can break through this, most people won't be able to. There is also the matter of how you label your credentials. It's best to have 3 columns: user name, password, e-mail. But it's also useful to have the website as well. Of course with this combination, even without labels it starts to become clear as to what the data is. My solution? I use Microsoft Excel and create 100 worksheets inside a workbook file. For the first few and last worksheets I have some benign data entered. This way it looks like the file has a mundane purpose. BUT... embedded on several worksheets located around the 80th sheet, I have my password worksheets. It's easy to get there--just hit "last" then click a few times on the "back" direction and I'm there. Also, with ALL of my passwords I leave a common numeric sequence out, replaced by "..". Only *I* know what this numeric sequence is. So, if by some chance someone found these worksheets, they wouldn't know what the correct password really is, providing yet another layer of security.
    --> Probably a more effective solution is to use whatever document you wish and encrypt it with "TrueCrypt", which is a very effective (and free) open source solution.


My way of managing my credentials via an Excel workbook probably appears a bit tedious, but once I started doing it, the time it takes to load the spreadsheet, supply the password, then navigate to the worksheets takes me less than 20 seconds. Plus, I can copy this file up as an attached document to a draft e-mail on-line, so I can reference it from anywhere.

Now, I know my strategy isn't as secure as 128-bit encoding, but I feel it's clever enough that most hackers won't even think that this file has any useful meaning and will easily bypass 99% of attention. Even if it does get any attention, as a recently edited file perhaps, opening it up is another element of subterfuge. The leading and trailing worksheets don't look like they have any information desirable for the hacker and they'll just abandon it. But using something like TrueCrypt encryption is probably the safest way to go for protecting a password document.

What's your credentials management strategy?
 

My Computer

System One

  • Manufacturer/Model
    HP Pavillion dv5t
    CPU
    Intel Core Duo 2.53GHz
    Memory
    4Gb
    Graphics Card(s)
    NVidia GeForce 9600M GT 512Mb
    Screen Resolution
    1280x800 32bit
    Hard Drives
    Seagate Momentus XT 500Gb
    Hitachi Travelstar HTS543225L9A300 250Gb
    Mouse
    Microsoft 4000
Hi Gary,

I use LastPass to store all of my passwords (excluding online banking etc.) :)

https://lastpass.com/

The Chrome Extension is great and caters for my every need - I would highly recommend LastPass to anyone. All of your passwords are encrypted on your PC, then that file is uploaded to the LastPass servers, so you're the only one with access to your passwords.

For really sensitive stuff (online banking etc.), I have an Excel spreadsheet (not encrypted) that's stored in a TrueCrypt file container. I used an AES-Twofish-Serpent encryption algorithm with a RIPEMD-160 hash algorithm. I also have a keyfile stored on a USB drive that's only connected when I want to access this file container. That way, if someone manages to get remote access to my PC, the TC file container is as good as useless to them if they steal it. On the off chance they manage to crack the 30 character (upper, lower, symbols and numbers) password, they can't do anything without the keyfile. It really isn't worth their while either - they'd probably spend more on their leccy bill than they'd get from my account :p

Tom
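As an added illustration of the two-factor principle Tom describes (password plus keyfile), written for this thread rather than taken from TrueCrypt's own code or algorithm: the keyfile's digest is mixed into the key derivation, so the correct password on its own fails the container check. The function names, the PBKDF2/HMAC construction, the iteration count and all sample values are assumptions made for the demo.

```python
from typing import Optional
import hashlib
import hmac

# Constructed demo parameters; a real container would use its own format.
ITERATIONS = 200_000
HEADER_CHECK = b"container-header-check"


def derive_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the password (plus the keyfile's hash, if supplied) into a 32-byte key.

    Because the keyfile digest is part of the PBKDF2 input, the correct password
    with a missing or wrong keyfile yields an unrelated key.
    """
    material = password.encode("utf-8")
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)


def make_header_tag(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Tag stored next to the container at creation time; it reveals nothing about
    the key itself but lets unlock() distinguish a correct unlock from a wrong one."""
    key = derive_key(password, keyfile, salt)
    return hmac.new(key, HEADER_CHECK, "sha256").digest()


def unlock(password: str, keyfile: Optional[bytes], salt: bytes, tag: bytes) -> bool:
    """Return True only when both factors reproduce the stored tag."""
    key = derive_key(password, keyfile, salt)
    candidate = hmac.new(key, HEADER_CHECK, "sha256").digest()
    return hmac.compare_digest(candidate, tag)


if __name__ == "__main__":
    salt = b"\x00" * 16                      # constructed; use os.urandom(16) for real use
    keyfile = b"constructed keyfile bytes"   # stands in for the keyfile on the USB drive
    tag = make_header_tag("correct horse", keyfile, salt)
    print("both factors:", unlock("correct horse", keyfile, salt, tag))    # True
    print("password only:", unlock("correct horse", None, salt, tag))      # False
    print("wrong keyfile:", unlock("correct horse", b"other", salt, tag))  # False
```

The same check also rejects a guessed password when the keyfile is absent, which is the property Tom relies on when the USB drive is unplugged.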
 

My Computer

System One

  • Manufacturer/Model
    Build #1
    CPU
    Intel Core i7 3770K @4.4GHz
    Motherboard
    ASUS P8Z77-V PRO
    Memory
    Corsair Vengeance 2x4GB DDR3 1600MHz Low Profile (White)
    Graphics Card(s)
    Gigabyte Radeon HD 7850 (2GB GDDR5)
    Sound Card
    Integrated on motherboard
    Monitor(s) Displays
    23" LG LCD/LED IPS
    Screen Resolution
    1920*1080
    Hard Drives
    Samsung EVO 128GB SSD
    Seagate Barracuda 2TB 7200rpm
    2x500GB Seagate FreeAgent 5400rpm
    PSU
    Corsair TX650W V2 (80+ Bronze)
    Case
    NZXT Phantom 410
    Cooling
    Corsair H100 Water Cooler, 1x140mm and 1x120mm stock fans
    Keyboard
    Microsoft Desktop 2000 Wireless Keyboard
    Mouse
    Microsoft Desktop 2000 Wireless Mouse
    Internet Speed
    95 Mb/s Download 70 Mb/s Upload
Tom, thanks so much for your tips. Great info! I'll definitely check out LastPass and TrueCrypt. :)
 

Tom, thanks so much for your tips. Great info! I'll definitely check out LastPass and TrueCrypt. :)

It's nothing compared to the info in your first post! I wonder how many views this thread will have in a few years time from people stumbling upon your advice :)

LastPass is brilliant; perhaps TrueCrypt is overkill, but I've set it up now, so I might as well use it.
 
