Password Management Programs
2 recommendations:
1. Password Safe - written by Bruce Schneier; uses Blowfish
2. Password Agent - uses AES; lots of nice features; auto fill; password generation; designed to work from a flash drive; and many more.
Google for them; both are free.
Password Management
-
We used KeePass to both generate and store all the ShmooCon attendee registration badge pickup hashes.
http://keepass.sourceforge.net/
The database of passwords is encrypted itself with a master password and can be stored on a USB dongle or similar. Temp copy to clipboard features, and plenty of export mechanisms--we exported to CSV at the last minute and created a quick DB web front-end for actual registration.
Something lightweight and similar would just be a gpg-encrypted file with server, username, and password fields on USB drive.
Just don't lose that puppy. heh.
Sincerely,
Beetle
-
Originally posted by ck3k:
Twinvega, you could just tell me...that would work
you could store them in a jpg ala Steganography
the jpg idea is a good one..
The only flaw with AST's suggestion is for many different applications you would probably tend to start using the same passphrase for different apps, unless you associated a song with each app.
A trick I have used (other than steganography) is to keep the passwords in a file that is gpg encrypted (both private key and password required). Private key is in a different location (think removable media), and the password file is on an encrypted partition.
Another technique that Bruce Schneier suggested is to have the password be 2 parts.. one is something you can write down (or use the above "Che being paranoid" technique), and memorize the other part.
-
Good points....
But my head is the most secure place that I feel they can be 'stored'. Hopefully that same head will prevent many methods of password interception.
I don't use the same password for all my accounts (notice "passwords" in my post) and it's plenty complex for almost any rainbow table out there. Plus each is 'rated' by level of importance.
By that same token, I use a variation of a similar set of complex chars and spaces, so it's only a matter of time before I know the correct sequence (if I haven't logged into something in a long time..). Capturing even 3 of my passwords would not give you access to any of the others. Plus I have a good memory. I think I've said enough about my password scheme.
This made me laugh for hours:
http://it.slashdot.org/comments.pl?s...6&cid=11459507
ppl might find this interesting if they didn't read it already:
http://ask.slashdot.org/article.pl?s...&tid=172&tid=4
-
Originally posted by dYn4mic:
I'm against the storage of passwords. I've gotta remember maybe... 10 or so... and manage fine with complex and secure passwords.
- Any reasonable level of encryption is going to be just as secure as you storing them in your head.
- By the pigeon-hole principle, you are reusing passwords with sites such that a compromise of one server potentially means the compromise of many of your accounts.
- When you accidentally use the incorrect password while accessing an account, you run the risk of revealing that password (although most sane shared-secret schemes avoid this problem).
- You are likely to memorize the passwords for the accounts that you use the most, anyway.
-
Cool. Thanks gzzah. AES is nice. heh.
And dementeddemon, defaults\profile\localstore.rdf that's what I implied with saying: (are they in .mozilla/firefox/..).... but... nice try.
ps. Your slashes are backwards, this isn't windows...and it's not a rule you've gotta post a reply on every thread. I asked my brother and he said you should cut back on Posts per day. Just an idea....
-
Originally posted by dYn4mic:
Anyone know what encryption method does firefox use or any tests of firefox password storage security? or where the data(hashes?) is stored? (in .mozilla/firefox/...)
These are all stored under your Profile directory: key3.db and signons.txt for Firefox.
As for encryption type, I believe they are using AES.
-
I didn't know where they were stored so I asked my brother and he looked around and said that they might be stored at Mozilla Firefox\defaults\profile\localstore.rdf but he isn't for sure.
-
Friend,
http://www.menopause-online.com/ginko.htm
I'm against the storage of passwords. I've gotta remember maybe... 10 or so... and manage fine with complex and secure passwords.
Buuut... maybe http://passwordmanager.sourceforge.net/ if you are forced at loaded gunpoint.
Questions.. on Firefox 1.0-
"Privacy is also improved with the addition of a master password for protecting all saved passwords." You have to enter this each time you use a saved password I understand..and
I know it's all about your whole 'profile'... I searched a little but to no avail... sooo
Anyone know what encryption method does firefox use or any tests of firefox password storage security? or where the data(hashes?) is stored? (in .mozilla/firefox/...)
-
heh, that's awesome. but I'm not learning piano just to randomize my passwords... but I like the idea........ keep 'em coming
-
hmm here's an idea for those who know how to play the piano (just a little).
You can assign a music note keyscheme on your keyboard (which you will keep in your mind) -as an example, in a qwerty keyboard you can use "y","u","i","o","p","[","]" for the first scale of music notes, then use "shift" + "y","u","i","o","p","[","]" for the second scale, etc, and then you just play the basic melody of some song (almost) as you would in the piano. This can easily be composed from 60+ characters, and obviously the password would appear to be nonsense. ;)
The good thing is it works, with little exercise you can enter very large passwords quickly and with no fear of forgetting them.
The bad thing is that you usually don't remember what keys you enter, which could cause you problems in a keyboard with different scheme.
-
Originally posted by KeLviN:
it keeps all your passwords off your computer, does some minor encryption just for shitz-n-giggles, and a good password management program comes with most new ones.
Originally posted by pezz:
First off, let me state that I believe this thread to be a fishing trip used to discover the password storage techniques of other forum members.
-
Originally posted by pezz:
First off, let me state that I believe this thread to be a fishing trip used to discover the password storage techniques of other forum members.
However....
I have 2 suggestions:
Passphrase priority roll-down
1. Assign priority to all sites, devices, systems, personal usage..
Ex. Online Banking (1), Root(2), yahoo mail (3), etc...
For all priority 1's use the same pass phrase, after 30 days roll that phrase down to priority level 2, after 30 days roll to 3, etc....
2. Obtain two secure, covert USB devices (Ex. DiskGO and istick). Store your PGP encrypted password list on one device, and the keys on the other.
Keep both devices in different locations on your person. (ex. Pen in your pocket, and the istick tucked neatly into a personal orifice)
-
First off, let me state that I believe this thread to be a fishing trip used to discover the password storage techniques of other forum members.
However....
I have 2 suggestions:
Passphrase priority roll-down
1. Assign priority to all sites, devices, systems, personal usage..
Ex. Online Banking (1), Root(2), yahoo mail (3), etc...
For all priority 1's use the same pass phrase, after 30 days roll that phrase down to priority level 2, after 30 days roll to 3, etc....
2. Obtain two secure, covert USB devices (Ex. DiskGO and istick). Store your PGP encrypted password list on one device, and the keys on the other.
Keep both devices in different locations on your person. (ex. Pen in your pocket, and the istick tucked neatly into a personal orifice)
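
Added example, not part of the original post: a small Python model of the roll-down scheme described above, showing how long a leaked passphrase stays valid as it moves down the priority levels. It assumes one fresh phrase enters priority 1 every 30 days and that only the three levels named in the post exist; the function names are illustrative.

```python
# Added illustration: models the "passphrase priority roll-down" scheme from the post.
PERIOD_DAYS = 30  # roll interval stated in the post

# Tier -> accounts; these three are the examples named in the post.
TIERS = {1: ["online banking"], 2: ["root"], 3: ["yahoo mail"]}


def generation_at(tier, day, period=PERIOD_DAYS):
    """Index of the phrase used at `tier` on `day` (assumed: phrase g enters tier 1 on day g*period)."""
    return day // period - (tier - 1)


def exposure_windows(leak_day, leaked_tier, tiers=TIERS, period=PERIOD_DAYS):
    """Return [(tier, first_day, end_day_exclusive, accounts)] where the leaked phrase still works."""
    g = generation_at(leaked_tier, leak_day, period)
    windows = []
    for tier in sorted(tiers):
        start, end = period * (g + tier - 1), period * (g + tier)
        if end <= leak_day:
            continue  # the phrase had already rolled out of this tier before the leak
        windows.append((tier, max(start, leak_day), end, tiers[tier]))
    return windows


def exposure_days(leak_day, leaked_tier, tiers=TIERS, period=PERIOD_DAYS):
    """Total number of days the leaked phrase remains valid at some tier."""
    windows = exposure_windows(leak_day, leaked_tier, tiers, period)
    return windows[-1][2] - leak_day if windows else 0


if __name__ == "__main__":
    # Constructed scenario: the same leak day, once per tier.
    for tier in TIERS:
        print(f"leak from tier {tier} on day 40:")
        for t, start, end, accounts in exposure_windows(40, tier):
            print(f"  tier {t} {accounts}: days {start}-{end - 1}")
        print(f"  total exposure: {exposure_days(40, tier)} days")
```

A phrase captured at the lowest level expires with its current period, while one captured at priority 1 keeps unlocking each lower level in turn until it rolls off the end.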
-
Originally posted by KeLviN:
time for a palm pilot.
it keeps all your passwords off your computer, does some minor encryption just for shitz-n-giggles, and a good password management program comes with most new ones.
Unless you use one of the many programs specifically written for storing and encrypting your password lists. :)