View Full Version : Do you use a password vault?



Mitchell Andrus
01-24-2010, 9:53 AM
Do you use a password vault?

I'm thinking that now that I'm using a laptop (a bit too easy for someone to walk off with) I should give some thought to upgrading the storage of my user names/passwords.

I'm currently using an ancient phone book program.... not the best method by far. Anyone have a suggestion for a secure database?

A few of the better ones are reviewed here:

http://password-management-software-review.toptenreviews.com/index.html

Ken Fitzgerald
01-24-2010, 9:54 AM
I don't keep any of my passwords on my computer.

Mitchell Andrus
01-24-2010, 10:29 AM
I've got over 40 user names and passwords. 4 for each of my websites...(upload codes, SSL certificates etc), 2 for credit card processors, Newspaper subscription, Woodworker Supply Pro login, User and PW for the 'Creek....

Ken, Do you write them down on paper, or do you let your browser store them for you? If you don't type the password for the 'Creek and you still get in, your user name and PW are stored on your computer and the browser enters it for you, so they're stored somewhere in there anyway.

Garth Keel
01-24-2010, 1:57 PM
I have written down my passwords and user names in a personal shorthand that my youngest daughter (a computer security expert) has approved. She understands them in case of accident or death but I don't think anyone else can, and they are readily available for me to look up.

Ken Fitzgerald
01-24-2010, 2:03 PM
Mitch,

My Creek password and the password for 1 other woodworking website where I am a member are the only 2 passwords on my computer. Everything else I have written down and stored in a fireproof safe about 15 feet from where I am sitting and I have to enter them manually. 40 passwords...I'll bet I can come close.

I also keep some of the major important ones in our lock box at the bank.

The ones at the bank are there in case of a house fire and the demise of the LOML and I simultaneously. The kids would find them there.

David G Baker
01-24-2010, 2:07 PM
I keep my passwords written down in a book and frequently refer to them because I have some pretty strange combinations of characters, numbers and letters for the screen names and passwords. I have two or three that I actually remember. The only passwords that are on my computer are the ones stored as cookies and those are frequently cleared.

Steve Rozmiarek
01-24-2010, 2:38 PM
I keep mine mixed into a completely random pile of papers that cover what looked like a normal desk at one time. I doubt anyone could ever find them, including me...

There has got to be a better way!!!

Randy Klein
01-24-2010, 2:58 PM
I used to use Roboform, but after I switched to Linux, I use LastPass.

Eric Franklin
01-24-2010, 4:02 PM
I used 1Password and the data is stored on Dropbox so I can use it on 2 different computers. I can also sync it to my iPhone. It is a Mac only program.

David Cefai
01-24-2010, 4:46 PM
If you go to this link:

http://sourceforge.net/softwaremap/trove_list.php?form_cat=778

you can "shop around" for a password manager that will suit you. These are all open source programs, which not only means that they are cost-free but the quality tends to be high because the source code gets scrutinised by others.

Note that many are for Linux but there are usually some Windows programs on Sourceforge too.

Willard Foster
01-24-2010, 4:59 PM
I put all of my passwords in a Microsoft Word document. I emailed it to myself so I can always get to it. The document itself is password protected in case someone finds it.

Which reminds me of a blond joke.

The computer security officer at a local company was helping a blond reset her password. He said, "What do you want your new password to be?" She replied "SleepySneezyDopeyDocHappyBashfulGrumpy".

He said "Why do you want such a long password?" She replied "DUH! You are the ones that says it has to be seven characters."

Good Luck,

Bill

Dave Johnson29
01-24-2010, 5:55 PM
I have to enter them manually. 40 passwords...I'll bet I can come close.


Ken: That's a false sense of password security. If you can remember them a program can scan through thousands of easily remembered passwords.

Mitchell: I store mine in a program I wrote myself. The problem with open source programs is that the encryption methods are known. That is half way to decoding the contents.

I use passwords that would be almost impossible to remember, something like...

HKu6C9%gWAq

My software generates a password similar to that on demand when I set up a new account somewhere. It also has some functions to thwart key-loggers. I have never bothered finishing off (Help files etc) the software, but I am sure you can find something similar.

Mitchell Andrus
01-24-2010, 8:16 PM
It also has some functions to thwart key-loggers.

So far, every 'better' program I've seen fills in the spaces for you. I thought at first that's kind of cool... it's really so that the keyboard isn't used for PW input. I've heard that a very simple keyboard spy can remember every keystroke. Keystrokes can also be 'read' by remote in an electronically quiet environment without even touching the computer or planting anything on the computer. At the office, the network may store keystrokes because they are generated pre encoding/encryption.

Randy Klein
01-24-2010, 8:38 PM
The problem with open source programs is that the encryption methods are known. That is half way to decoding the contents.

I disagree; PKI-type encryption is a known encryption, but that does nothing to help decode it.
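Added example (not from anyone in this thread) of the point Randy is making: a toy vault whose entire method is visible, so knowing the algorithm buys nothing without the master password. It uses only the Python standard library: PBKDF2-HMAC-SHA256 to stretch the master password, HMAC-SHA256 in counter mode as the cipher, and a separate HMAC tag so a wrong password or a tampered file is detected instead of producing garbage. The iteration count and the sample vault contents are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Layout of an encrypted vault blob: salt(16) | nonce(16) | ciphertext | tag(32)
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumed work factor; raise it on real hardware


def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a MAC key.
    The KDF is public; only the password is secret and the salt is per-vault."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64
    )
    return material[:32], material[32:]


def keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC-SHA256 used as a PRF over nonce||counter."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_vault(master_password, plaintext):
    """Fresh salt and nonce every time, so the same contents never encrypt the same way."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password, blob):
    """Verify the tag before trusting any byte of the ciphertext."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault tampered with")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample vault contents; not anyone's real credentials.
    entries = b"creek: HKu6C9%gWAq\nhosting: 7rT!pQ2mLx9s\n"
    blob = encrypt_vault("correct horse battery staple", entries)
    print("encrypted bytes:", blob.hex()[:48], "...")
    print("decrypted:", decrypt_vault("correct horse battery staple", blob).decode())
    try:
        decrypt_vault("password", blob)
    except ValueError as err:
        print("wrong password ->", err)
```

Everything in this file could be published and the blob would still be opaque to anyone without the master password; the only thing an attacker gains from the source is that they know which work factor to budget for, which is why the KDF cost matters more than secrecy of the algorithm. For a real vault, use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than the hand-rolled HMAC-counter construction shown here.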

Ken Fitzgerald
01-24-2010, 8:55 PM
Ken: That's a false sense of password security.

Dave,

Read what I said....2 stored on the computer 1 for the Creek...one for another woodworking site.


The rest are written down and stored in a FIREPROOF safe 15 feet from where I am sitting. I don't memorize them. I get the paper and read them as I'm entering them. You obviously have too much confidence in my memory!:rolleyes:

G. Brad Schmidt
01-24-2010, 9:13 PM
+1 for RoboForm (http://www.roboform.com/).

It has lots of cool features and it's adaptable for an individual's needs.

Todd Franks
01-24-2010, 9:45 PM
I use KeePass. It's open source. I only have to remember one password and it generates every other password for me. I have no clue what most of my passwords are.

Curt Harms
01-25-2010, 7:40 AM
I use a random number generator function in a spreadsheet combined with letters & characters. I keep the results in a password protected file on a USB drive. That USB drive is used only for passwords. Plug it in, login and unplug it. I use copy/paste so a keystroke logger shouldn't be able to figure them out. After I copy/paste a password, I copy other random stuff to the clipboard so it hopefully overwrites the password.
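Added example (not Curt's spreadsheet, and not anything posted in this thread) of generating passwords the way Curt and Dave describe. It uses Python's `secrets` module, which draws from the operating system's cryptographic random source, rather than a general-purpose spreadsheet random function, which is not designed to be unpredictable. It also estimates the entropy of a password like Dave's `HKu6C9%gWAq`; the 10 billion guesses per second rate is an assumption used only to put the bit count into years.

```python
import math
import secrets
import string

# Character classes that typical site composition rules ask for
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
FULL_ALPHABET = "".join(CLASSES.values())  # 26 + 26 + 10 + 32 = 94 characters


def generate_password(length=16, require_all_classes=True):
    """Draw each character uniformly from the 94-character alphabet using the OS CSPRNG.
    With require_all_classes, resample until every class appears, so the result
    passes the 'caps, digits, symbols' rules Mitchell mentions without biasing
    individual positions."""
    minimum = len(CLASSES) if require_all_classes else 1
    if length < minimum:
        raise ValueError("length too short for the requested character classes")
    while True:
        candidate = "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))
        if not require_all_classes or all(
            any(ch in cls for ch in candidate) for cls in CLASSES.values()
        ):
            return candidate


def charset_size(password):
    """Size of the smallest standard alphabet covering every character used.
    Characters outside the four classes (spaces, accents) each count as one."""
    size = 0
    for cls in CLASSES.values():
        if any(ch in cls for ch in password):
            size += len(cls)
    size += len({ch for ch in password if ch not in FULL_ALPHABET})
    return size


def entropy_bits(password):
    """Upper bound on entropy: assumes every character was chosen uniformly at random.
    A dictionary word scores far higher here than it deserves, so treat this as a
    ceiling, not a guarantee."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def crack_time_years(password, guesses_per_second=1e10):
    """Years to exhaust the whole space at the assumed offline guess rate."""
    return 2 ** entropy_bits(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("HKu6C9%gWAq", "Mypassword", generate_password(16)):
        print(f"{pw:20s} charset={charset_size(pw):3d} "
              f"entropy={entropy_bits(pw):5.1f} bits "
              f"exhaust~{crack_time_years(pw):.1e} years")
```

An 11-character password over the full 94-character alphabet, like Dave's sample, works out to about 72 bits; the same estimator gives `Mypassword` about 57 bits, which is exactly the overestimate Dave's "easily remembered" warning is about, since a guessing program tries dictionary words long before it tries random strings. The generator above is the only part that should be trusted for strength; the estimator is for comparing lengths and alphabets, not for blessing a memorable password.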

Dave Johnson29
01-25-2010, 9:57 AM
Read what I said....2 stored on the computer 1 for the Creek...one for another woodworking site.

You obviously have too much confidence in my memory!:rolleyes:

:) Ken, when you wrote, "40 passwords...I'll bet I can come close." I assumed from that you were suggesting that although they were in the safe, you could also remember most if not all of them.

Dave Johnson29
01-25-2010, 10:06 AM
So far, every 'better' program I've seen fills in the spaces for you.

I've heard that a very simple keyboard spy can remember every keystroke..

All true Mitchell, but using the DDE (Dynamic Data Exchange, a standard Windows function) system to pass the keystrokes to the waiting Password position, that same data can also be copied to the key-logger's data file. Same for copying and pasting. If you can pass data to another program, you can pass data to any program.

But -- having said that, there are ways to use the actual stored password data in such a way that a key logger cannot copy. I won't go into the techniques I use, but trust me, my software will defeat a key-logger with better than 99% certainty.

Plain dumb luck would account for the small part of that last 1%. A risk I am happy with. :)

Dave Johnson29
01-25-2010, 10:12 AM
I use copy/paste so a keystroke logger shouldn't be able to figure them out.

Hi Curt,

Dead easy to grab. Once you use Ctrl+V (Paste) the key logger could have it also. Clearing it from the clipboard after the "Paste" command is all too late.

Your system would be safe enough for most things though, but I would not be doing personal banking on a computer at the Library. :D

Curt Harms
01-25-2010, 5:19 PM
Hi Curt,

Dead easy to grab. Once you use Ctrl+V (Paste) the key logger could have it also. Clearing it from the clipboard after the "Paste" command is all too late.

Your system would be safe enough for most things though, but I would not be doing personal banking on a computer at the Library. :D

Nah, I use a guy in Nigeria for my financial transactions:D. Interesting, I thought keystroke loggers looked at actual keystrokes, doesn't look like it. There are apparently keystroke loggers and root kits for Linux, so using a non-Windows system isn't a panacea either. I suspect there is a whole lot more malware in terms of volume for Windows than there is for *nix systems so playing the odds Mac or Linux is less likely to get nailed, but it's not impossible.

It'd be inconvenient but if I were REALLY paranoid, I'd be tempted to use a LiveCD Ubuntu disk. Go directly to the bank or financial institution's site, do the transactions, log off and reboot. Unless the malware were on the image from which the LiveCD were created, there doesn't seem to be many opportunities for crapware to load. Nothing can be written to the CD so rebooting makes every trace of the session go away completely and permanently, I presume. The inconvenience would be for example Chase sets a cookie when you log onto their site. If that cookie isn't there when you log on next time, they have a procedure to verify that an authorized person is logging onto that Chase account. Using a LiveCD which would not store any cookies, you'd have to go thru the verification process each time. Major PITA.

Dave Johnson29
01-25-2010, 5:51 PM
Interesting, I thought keystroke loggers looked at actual keystrokes, doesn't look like it.

Some do but the better written ones also follow the mouse tracking and clicks. The process being used is an inbuilt function of Windows that is being used in an unkind way. :)

You have to draw a line somewhere and arrive at acceptable risk. It is almost impossible that I would have a key-logger on any of my computers and I don't use computers at the Library etc. I played with the key-logger prevention process as an intellectual challenge.

So far I have been able to beat the test key-loggers 100% of the time but I know there is just one remote possibility of the logger grabbing the correct data. Even then, it would only work that one time and never again.

Nothing is 100% safe. :)
http://news.bbc.co.uk/2/hi/technology/8478764.stm

Scott Shepherd
01-25-2010, 7:14 PM
What's so critical you need such complex logins? You afraid someone's going to hack into your sawmill creek account and post woodworking projects they created, but posted in your name? :D

It's easy. Just make them all "Mypassword". They'll never figure that one out ;)

Paul Atkins
01-25-2010, 7:37 PM
Banking is one thing, but chat forums are another, seems to me. I guess you can change your identity every so often too. A friend of mine thinks someone is looking at him no matter what computer or name he uses. Just because you're paranoid, doesn't mean they are not out to get you.

Dave Johnson29
01-25-2010, 8:05 PM
What's so critical you need such complex logins? You afraid someone's going to hack into your sawmill creek account

:) Scott, I was amused when thinking about that last night and wondered if I should have added that for things like this and other forums, I have no idea what the password is. I am still using the default when I signed on and I clicked "Save password."

However for my online banking, web hosting for my various websites and the customers sites that I manage, there is a need for strong passwords.

The key-logger stuff was a fun exercise.

Mitchell Andrus
01-25-2010, 10:07 PM
I use a few sites that force me to change my user name and password every 6 months... credit card security protocols. Forget making one up that means something to you. Caps, # of chars., alpha/numeric..... I need to have a way to deal with this stuff. Even the upload code for one of the magazines I advertise in makes a new PW every so often.

Yep, someone simply logging onto a forum as you isn't so bad, but if a rotten b*stard who has a beef with you gets/guesses/uses your identity to inject a worm that brings down a server... your phone rings. Most software starts as free trial software and they keep it easy and makes 'password' the password. My website host has 3 sites on one of his servers with 'password' still in place. Many people still don't get it.

Glenn Vaughn
01-26-2010, 12:12 AM
I use a few sites that force me to change my user name and password every 6 months... credit card security protocols. Forget making one up that means something to you. Caps, # of chars., alpha/numeric..... I need to have a way to deal with this stuff.

The paranoia over hackers has created an environment that actually makes security less secure. Requiring non-meaningful passwords, and requiring that they be changed frequently (at work it is every 90 days), results in users having to write their passwords down somewhere. Speaking of work, our servers use extremely weak passwords that have not changed in years - we have never been hacked - and we are in a "worst case" environment; a college system with 13 colleges and close to 100,000 students. The development accounts are used by all of the developers and the passwords are all the same and easily guessable.

It used to be that a brute force attack on passwords was feasible but a slow process. Nowadays most sites will disable an account after a very small number of attempts - commonly 3 attempts.

I used to be a DP supervisor for a major Northern California city. The police department was separate from our systems with a different staff. I got a call one day that their system was down - a disk drive had filled up and the police information system had crashed. The SysAdmin was in D.C. at a conference and was unreachable since she was on a field trip.

I went into the PD offices and in less than 5 minutes had a "super user" account and password (found taped to the bottom of a keyboard) and was able to get in and fix the problem.

I have been in offices at the various colleges and seen the user-ids and passwords taped to the monitors or the desk top.

One other password incident was a company that was demoing a financial package to one of our schools. We were asked to check it out and were given a test account to use. One function was to get a list of users - I looked at that then decided to see how secure the master account was for the company. It turned out the password was all asterisks (the on screen prompt) and a simple enter put me into the system with access to everything - no restrictions. (we passed on the system).

Scott Shepherd
01-26-2010, 6:00 PM
However for my online banking, web hosting for my various websites and the customers sites that I manage, there is a need for strong passwords.

Obviously you've got more money than I do :) I figure anyone wanting to hack into my bank's accounts would have enough common sense to sort it by the largest accounts first, in which case I'm safe :D

Brian Kent
01-26-2010, 6:44 PM
I translate mine into Navaho and keep it in safe deposit box with no key.

Just kidding.

Don't tell anyone, but I just use my dog's last name.

I can trust all of you, right?

This isn't recorded anywhere, is it?

Dave Johnson29
01-26-2010, 8:20 PM
Obviously you've got more money than I do

Hmmmmm Scott, I hadn't thought of that. Good point. Sorta like at the check out when the girl asks, "Debit or Credit" and I say "Credit, who has money?" :o