Jesus Christ, Use a Password Manager Already

47 points by pzxc, over 14 years ago

21 comments

glhaynes, over 14 years ago
As a person who spent a long time today changing passwords (in part due to the Gawker thing, but I had been meaning to for a while), I have some *very* nasty things to say about how many sites have stupid restrictions on passwords - why do you care if I want a password that's longer than 8 characters? Why do you care if I want to include a non-alphanum in my password? wtf, really, why? It's easier to *not* have those restrictions on a field, so why why why are you going to extra trouble to add them? Oh, I'm getting mad just thinking about it.
Jach, over 14 years ago
Here's why not to, at least for me:

1. I don't want a single point of failure, though I suppose an email account fulfills that role no matter what you're using. My email account password is 30-34 characters long.

2. I use multiple computers, multiple OSes, sometimes not owned by me, and sometimes multiple browsers.

3. Many accounts I couldn't care less if they got compromised; they get the same password as each other, which is still complex.

> hashing your master password with SHA-256, encrypting the result a default of 6000 times with AES, and then hashing it again

Any crypto-geeks around to say whether this makes it more secure or less? I've heard it said many times that multiple encryptions and hashings can actually make the encryption weaker.
bmastenbrook, over 14 years ago
Using a password manager is a great idea in theory. In practice, I have the same problems with the concept as many other people do. It's great if you have, say, a MacBook, a Windows system, and an iPad that you want to keep synced. When you have one of everything, your options are narrowed drastically. Many of these solutions also either punt on synchronization and rely on me to find an option I like to handle that problem, or they use some kind of cloud service not under my control. I don't need or want that cloud service. I don't care how well the file itself is protected; you can't attack what you don't have.

What I do have access to from most of those systems is SSH to a machine I control. I'd be willing to run a password manager on that system, but I haven't yet found one I'm willing to install. I'm not going to put Qt and X11 on the system just to run KeePassX. I'm tempted to write my own at this point. It'd at least solve the password management problem in a way that I'm comfortable with (i.e. any problems in the solution are my own fault, and if I get owned, I'm the only one to blame) and without having to send a copy of the encrypted database out to the cloud (except in tarsnap backups, but I'm already trusting cperciva with the keys to the kingdom there!).
auxbuss, over 14 years ago
What can I say? I use KeePassX. I keep the db on Dropbox -- so that it's always available to me -- and protect it with a key file and a password.

Good luck getting into all my accounts. First you need to crack my Dropbox account. Then you need to guess which file out there on the interwebs I use to protect it. Finally, you can try to crack the password I use. I'll even give you a clue: the password is less than 40 characters.

So yes, use a password manager. It's trivially simple and stress free.
rwhitman, over 14 years ago
Ok, so I've definitely lost about 3 dozen client passwords when my password manager was eaten by a drive failure. And then when I went to restore the backup, I discovered that the creator of the password manager was no longer supporting the software.

So my faith in password managers has been shaken. I greatly enjoyed having to ask all my clients for their passwords again.

I have a new system, but if someone who knew what they were looking for ever got ahold of my drives, that would be hellish.
riobard, over 14 years ago
I use the default OS X password manager, Keychain Access.app, and symlink the keychain file to Dropbox. It manages all my web, app, WiFi, and mail account passwords. It has a nice feature to generate different styles (memorable, letters & numbers, numbers only, random, FIPS-181) of password at various lengths up to 31 chars.

The interface is less polished than 1Password, but since it comes by default on every OS X install I just use it. Meanwhile 1Password seems really annoying from time to time: it always asks to save passwords but seldom autofills for me. Maybe I just use it wrong…
grok2, over 14 years ago
No one mentioned LastPass (http://lastpass.com) -- desktop benefits and portable. Other than the fact that your passwords are out there on the Internet (in encrypted form) for someone to hack into, is there any other downside to using something like LastPass?
anthonycerra, over 14 years ago
At what point does "good practice" become justified OCD? Not every account is equally important. Have unique passwords for email and financial accounts - absolutely, but does it really matter if someone compromises your HN password? As long as you keep that completely separate from anything that can really hurt you, why obsess over it?

Despite popular belief, writing down your password and storing it in a lock box is leagues better than storing it online. The number of people who have access to your physical belongings is many orders of magnitude less than the number of people who can attempt to compromise an encrypted database.

"Don't write your password down" might have been good advice in the 90s, when most people only used a computer at work and the internet wasn't as ubiquitous as it is today.
bcl, over 14 years ago
text file + gpg + long passphrase

You can also set up vim to read/write it easily:

```vim
augroup GPG
  au!
  " decrypt before reading: binary mode, no viminfo and no swap file,
  " so no plaintext is written to disk as a side effect of editing
  au BufReadPre  *.gpg set bin viminfo= noswapfile
  " decrypted; prepare for editing (stderr is discarded because vim's
  " default 'shellredir' would otherwise put gpg's status lines in the buffer)
  au BufReadPost *.gpg %!gpg -q -d 2>/dev/null
  au BufReadPost *.gpg set nobin
  " encrypt on write: --encrypt --armor --recipient
  au BufWritePre *.gpg set bin
  au BufWritePre *.gpg %!gpg -ear email@wherever
  " encrypted; undo the filter so the buffer shows plaintext again
  " and editing can continue
  au BufWritePost *.gpg silent undo | set nobin
augroup END
```
spindritf, over 14 years ago
The author looks down on browsers' password managers, but to me they seem like the perfect solution -- relatively safe, with reliable auto-fill and, most importantly, already installed and configured. Syncing is just a matter of moving your profile to another computer.

Am I missing something? Is there some inherent flaw in these managers? Firefox will even encrypt the passwords by default and allows the user to set a master password. Exporting passwords is a little annoying, but how often is there a need for that?
adammichaelc, over 14 years ago
I've always found it odd how people say Jesus Christ as if it were a curse word. I wonder where this practice originated. Is it common in other parts of the world for other religions? Do people in China have an equivalent saying? Oh Buddha! etc.

-Genuinely curious
joevandyk, over 14 years ago
1password + Dropbox is pure awesomeness. Great browser integration. Works on iPhone as well.
cxy7z, over 14 years ago
Maybe this is a case of premature optimization, but what if you ever need to log into a site from a public computer where you can't install your password manager?

I realized that without a password manager you're forced to choose between 1) having one super-secure password and 2) having multiple easy-to-remember passwords.

My compromise is this: have a password template. This is a string that changes in a predictable way based on the site. This could be something as silly as "password_${site_name}", making my gmail.com password "password_gmail" and my twitter password "password_twitter".

Obviously, the formula won't be terribly complex, so if I tell you my gmail pass you can probably figure out my twitter pass given enough time. But that doesn't bother me, since I'm mostly concerned about Gawker-type incidents where my password is among thousands of others, in which case the bad guys will exploit the 90% of the passwords that do work instead of trying to reverse-engineer those 10% which don't.
hedaru, over 14 years ago
Password? Use your brain to memorize it all! Really, I've been memorizing hundreds of passwords with just a simple key, hint, and reminder, rather than using a password manager, which is actually a computer-programmed system. You'll only forget your password if you lose your brain!

Okay, for a serious situation, I'm using basic text storage and then encrypting it with a trusted modern encryption system at a high bit level. And some cloud-computed storage web app that is already moving on to the new way to store and encrypt your password. That's it? Nope, it's useless.

But for real, there are lots of other ways to store your password than using a password manager or a computer. Sometimes we can do it manually. For your life, use your idea. Peace.
drags, over 14 years ago
I use SuperGenPass with a strong master password. It's not perfect (a malicious website could use Ajax to fish for my master password on a sign-up form), but it gives me a single password to remember, different passwords for every site, and I can keep the HTML page that runs the hash function on my thumb drive and use it anywhere.

http://supergenpass.com/
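The scheme drags describes (one master secret, a different password for every site, nothing stored anywhere) can be seen in a few lines. The following is an added example, not SuperGenPass's own code and not the commenter's: it derives each site password with PBKDF2-HMAC-SHA256 salted by the site's domain, which is a different construction from what SuperGenPass uses. The iteration count, the output length and alphabet, the label prefix in the salt, and the "last two labels" domain normalization are all choices made for this example; the sample inputs are constructed.

```python
"""Deterministic per-site password derivation from a single master secret.

Added illustration of the idea behind site-specific password generators.
The construction (PBKDF2-HMAC-SHA256, domain as salt) and every constant
below are choices made for this example, not SuperGenPass's own design.
"""
import base64
import hashlib
import re

ITERATIONS = 100_000   # assumption: chosen for this example
SALT_LABEL = "site-password-example:"  # assumption: domain-separates this use of the master


def base_domain(url_or_host: str) -> str:
    """Reduce a URL or host to a stable site label, so that
    https://mail.example.com/login and example.com yield the same password.

    Keeps the last two DNS labels. That is deliberately simple and wrong for
    multi-part public suffixes such as co.uk; a real tool would consult the
    Public Suffix List. Normalizing is what stops a phishing-looking subdomain
    from silently producing a different password than the user expects.
    """
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_host.strip().lower())
    host = host.split("/", 1)[0].split(":", 1)[0]
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"not a usable host: {url_or_host!r}")
    return ".".join(labels[-2:])


def site_password(master: str, site: str, length: int = 20) -> str:
    """Derive the password for `site` from `master`.

    The master secret is stretched with PBKDF2 so that an attacker who learns
    one site password (for example from a Gawker-style dump) still has to
    brute-force the master to get the others, and each guess costs ITERATIONS
    HMAC calls.
    """
    domain = base_domain(site)
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        (SALT_LABEL + domain).encode("utf-8"),
        ITERATIONS,
        dklen=32,
    )
    # URL-safe base64 yields letters, digits, '-' and '_'; drop the padding.
    encoded = base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")
    password = encoded[:length]
    # Many sites demand at least one letter and one digit. If the prefix
    # lacks either, re-derive deterministically from the same key rather
    # than introducing randomness that would break reproducibility.
    counter = 0
    while not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        counter += 1
        key = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        password = base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]
    return password


if __name__ == "__main__":
    # Constructed sample inputs.
    for site in ("https://mail.example.com/login", "example.com", "twitter.com"):
        print(f"{site:35} -> {site_password('correct horse battery staple', site)}")
```

The two example.com forms print the same password and twitter.com a different one. The caveat drags raises still applies to any scheme of this shape: the master has to be typed into something, and whatever page or form receives it can steal it, so the generator must run locally (here, a script; in his case, an HTML page on a thumb drive), never inside the target site's own page.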
pielud, over 14 years ago
I like clipperz.com. Completely web based. Encryption is done client side in JavaScript, so not even Clipperz can access my account.
MatthewRayfield, over 14 years ago
Wasn't Mozilla at some point working on a browser-based global identity system?

I can't seem to find information about it anymore.
da5e, over 14 years ago
username: yeshua password: wwjd

But seriously, I visit so many sites and use so many different computers that I have my passwords indexed in a little black book, encoded with my own personal code. They would have to pry it from my cold dead hands to get them.
rinkjustice, over 14 years ago
The name Jesus Christ is a sacred name. He is my Saviour. Please don't defile it.
sigzero, over 14 years ago
Vim:

set cm=blowfish

:X filename <--- encrypts with blowfish

I have Vim everywhere I work. Blowfish is "good enough" for me. :-)
scrod, over 14 years ago
Notational Velocity was designed from the ground up as a desktop password manager and follows all of these rules, using PBKDF2-based key derivation with a default of 8000 iterations, adjustable in units of measured CPU time. Security features are described in greater detail here:

https://github.com/scrod/nv/wiki/Database-Security