I used to memorize a few passwords, mentally graded as "very secure" (for things like my Google Apps and my laptop's disk encryption password), "somewhat secure" (for services like DropBox or HipChat) and then "probably insecure" (for services like Facebook or Skype). Recently I decided that the approach is simply too insecure and started using 1Password to create and manage strong, unique passwords for every service that I use.

I'm really interested to find out what HN tends to do.
I've been using LastPass for years. Of course, there's no way to be completely safe using a cloud-based service and closed-source code, but so far they've conducted themselves in a trustworthy manner, and the system they've built has safeguards against remote security failures.

Their cross-platform support is great as well. The only thing that's missing is a solid way to retrieve passwords on Android. The LastPass "keyboard" is abysmal, and switching between their app and the one you want to enter the username/password in can be painful. I'm not sure if there's an easy way to solve this problem, though, given the sandboxed nature of mobile apps.
Randomly generated passwords, encrypted file. "Open source password manager" is the closest match, though it's not a specific solution.

Sharing between full keyboard/desktop systems isn't so tough, but transferring 30 character passwords to mobile devices very nearly exactly sucks.

Answering a now-deleted comment: "Using a tool would defeat the purpose of a password for me (a key hidden where we still can't read - the brain)."

The purpose of authentication isn't to provide absolute proof against compromise. It's to provide an asymmetrically difficult means for you vs. someone else to access systems. There are hacks against memorized passwords just as there are against encrypted safes of passwords. The question is: which makes you most secure?
I have a gpg encrypted file with them in, just in case, but mostly I know them from memory, or rather I'm able to find them back.

I have a few "root" passwords which depend on the necessary level of security and the importance of the service. Those I know by heart. Then for each service I add a few characters (letters, numbers, punctuation signs) which depend on the service and feel natural as prefix and/or suffix (sometimes it's a bit more complex if it can be fun).

For instance, let's say a root is "icanh4zcheeZbugr", then maybe my reddit password will be "reddicanh4zcheeZbugr,t".

It works pretty well in practice. More than one time I was sure to have forgotten a password and was actually able to rediscover it quickly.
I GPG encrypt them and email them to myself using Thunderbird/Enigmail. I don't claim this makes any sense, I started doing it before password managers were popular. I keep meaning to start using `pass`.
For my less secure passwords, I use a tabula recta:

I keep a grid of random base64 characters on a laminated card in my wallet. I use a secret algorithm to derive a site's password from that grid. This gets me a unique password for each site, but I don't have to remember it. The code for generating the table is in this gist:

https://gist.github.com/dunhamsteve/3259075

(You might want to tweak the font - 1 and l are very hard to distinguish in Courier.)
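To make the card scheme above concrete, here is an added example (not the linked gist's code) that builds a printable grid of random base64 characters and walks it to read off a site password. The grid size, the A-Z row and column labels and the diagonal walk rule are assumptions; in practice the walk rule is the card holder's secret.

```python
import secrets
import string

# Added example, not the gist's code. The 64 base64 characters; note that
# 1/l and 0/O are easy to confuse in print, as the comment above warns.
ALPHABET = string.ascii_letters + string.digits + "+/"
SIZE = 26  # assumption: one row and one column per letter A-Z

def make_grid(size: int = SIZE, rng=secrets) -> list:
    """Return a size x size grid of characters drawn with a CSPRNG."""
    return [[rng.choice(ALPHABET) for _ in range(size)] for _ in range(size)]

def render(grid: list) -> str:
    """Lay the grid out with column headers and row labels for printing."""
    labels = string.ascii_uppercase[:len(grid)]
    header = "   " + " ".join(labels)
    rows = [f"{labels[i]}  " + " ".join(row) for i, row in enumerate(grid)]
    return "\n".join([header] + rows)

def lookup(grid: list, site: str, length: int = 16) -> str:
    """One hypothetical walk rule: start at the cell whose row and column are
    named by the site's first two letters, then step down the diagonal,
    wrapping around the edges. Sites with fewer than two letters pad with A."""
    size = len(grid)
    letters = "".join(c for c in site.upper() if c in string.ascii_uppercase)
    key = (letters + "AA")[:2]
    r, c = (ord(key[0]) - 65) % size, (ord(key[1]) - 65) % size
    out = []
    for _ in range(length):
        out.append(grid[r][c])
        r, c = (r + 1) % size, (c + 1) % size
    return "".join(out)

if __name__ == "__main__":
    grid = make_grid()
    print(render(grid))
    print("reddit ->", lookup(grid, "reddit"))
```

The card alone reveals nothing about which cells are used; the walk rule and the site name together select the password, so the card is only as private as that rule.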
Firefox's password manager for web stuff, system keyring (whatever comes with Ubuntu) for passwords to GPG and SSH keys, and pass[1] for everything else.

[1] http://www.zx2c4.com/projects/password-store/
I use a password hasher / generator extension for the browser, which makes a sort of HMAC of the password with the domain. Then I use a few master passwords depending on the sensitivity of a site. But in the end, each site has its own unique, very strong password.

Firefox: https://addons.mozilla.org/pl/firefox/addon/password-hasher/?src=ss

Chrome (same algorithm): https://chrome.google.com/webstore/detail/pawhash/adgekjfphhgngpdoklolpjenmgneobfg
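The derivation the comment above describes, as an added example that is not the extension's own code: the site password is HMAC-SHA256 keyed by a tier's master password over the normalized domain. The tier names, the sample master strings, the counter field (to rotate one site's password) and the base64 output format are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample masters, one per sensitivity tier (assumption).
MASTERS = {
    "high": "sample-high-tier-master-phrase",
    "low": "sample-low-tier-master-phrase",
}

def normalize_domain(url_or_host: str) -> str:
    """Reduce a URL or hostname to its lowercase last two labels, so that
    login.example.com and example.com derive the same password. Using the
    last two labels instead of a public-suffix list is a simplification."""
    host = url_or_host.lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])

def derive_password(master: str, domain: str, length: int = 20, counter: int = 0) -> str:
    """HMAC-SHA256(master, domain || NUL || counter), encoded as URL-safe
    base64 (letters, digits, '-' and '_': about 6 bits per character).
    Bumping `counter` changes one site's password without touching the master."""
    msg = f"{normalize_domain(domain)}\x00{counter}".encode()
    digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")[:length]

def site_password(tier: str, domain: str, length: int = 20, counter: int = 0) -> str:
    """Look up the master for a sensitivity tier and derive the site password."""
    return derive_password(MASTERS[tier], domain, length, counter)

if __name__ == "__main__":
    for site in ("https://login.example.com/auth", "example.com", "example.org"):
        print(site, "->", site_password("low", site))
```

Because HMAC is fast, a site password that leaks lets an attacker test master-password guesses offline at full speed, so the master must carry real entropy; the scheme also cannot satisfy sites whose password policies reject the generated character set without an extra mapping step.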
I have a unique password for every single one of my accounts (including computer logins and SSH keys). Each password is randomly generated, and meets sufficient entropy to withstand sophisticated attacks from even the most determined hardware, government entity, or organization.

I store all my passwords locally in an offline encrypted database. I absolutely will not store my passwords online. The moment AES is broken is the moment some rogue LastPass employee steals your encrypted database, and attempts to crack it, using the current break(s), to get access to your accounts.
I keep everything in KeePass and write the ones that I need to bring with me on a piece of paper which I keep on my person[1]. People who are likely to steal your wallet are not likely to be interested in your passwords, and people looking to mug you for your passwords are just about as likely to break into your house and steal or mess with your home computer IMO.

[1] see https://www.schneier.com/blog/archives/2005/06/write_down_your.html
I've personally been enjoying Dashlane. It has quirks, weird behaviors, and occasional sync issues, but it's been light-years ahead of LastPass for me. Don't know about Keepass.
I use RndPhrase (https://github.com/brinchj/RndPhrase). It's a plugin to your browser that lets you enter your own password on each site, and replaces it with secure per-domain passwords. It also has a nice web interface at http://rndphrase.appspot.com/, so you can use it even if you're not on your own computer.
I use (and created) the Passable Google Chrome extension: https://chrome.google.com/webstore/detail/passable/bpkpmidmfbiafdmlbgcnpjpkkafnijgc?hl=en

I also take advantage of any service that uses 2-factor auth and use HDE OTP on iOS.
I'm using Sticky Password - http://www.stickypassword.com/features/cloud

So, I only have to remember one master password, and for every new password I use the password generator in SP. It is the best, 'cause the generator makes very strong passwords.
I have a base password that I use on every website.

Then for every website, I (for example) use the first letter of the domain name and the last letter, add it to the beginning of my password. Then I take the last letter of the domain name and add it to the end of my password.

This way I only have to remember my tiny algorithm + my base password.
We got burgled last year, my laptop with an unencrypted drive was stolen, and I thought it was a good opportunity to be more grown up about passwords, so I moved to 1Password. When Heartbleed happened, I will admit that I didn't have the heart to change every last one of them (300+) again.
I have to say - I have been unfailingly impressed by Lastpass. For $12 a year they provide a lot of value add, and seem (at least to someone who knows shamefully little about the nuts and bolts of security) to be fairly transparent about what using their service means for Users.
I use this trick to generate (in my head) a unique password for each site: http://blog.rabidgremlin.com/2009/12/28/tip-creating-easy-to-remember-passwords/
KeePass on my PC, KeePassX on my Mac, and iKeePass on my iPhone & iPad, with a shared database on DropBox.
I'm pretty happy with that setup, except for iKeePass, which is a little clunky. I'd really like to have a better KeePass client on iOS.
For very important accounts such as banks I use KeePass. For everything else I use a password generator I wrote called hash0: http://github.com/dannysu.com/hash0
I have previously used LastPass, 1Password, and RoboForm. Nowadays, I use Dashlane -- it's far-and-away the best password manager I've ever used. Both their Android client and Chrome extension have great UX.
Shameless plug for my iOS app PasswordGrid, which creates an easily printable grid for random passwords:

https://itunes.apple.com/app/id359807331
1Password for OS X and iOS (iPhone and iPad). Backup passwords for GMail and Dropbox are printed and stored in a safe place in my home, in case two-factor authentication doesn't work (e.g. iPhone stolen).
You need to remember only your Gmail password. The rest -- I simply maintain a single Google spreadsheet (well ordered) to store every password for services like Facebook, Twitter, Github, etc.
I have a gpg encrypted file on a server that I manage manually - made slightly easier by the gpg plugin for vim. Not found a password manager with a UI that I get on with yet.
I memorize my email passwords (just 2-3) and put the rest in KeePass with backups online. Worst case scenario I have to request a forgotten password via email.
I take the second letter of each service, repeat it a bunch of times, and then concatenate that with something else which is the same every time. So every password is different and also complex enough.