Poll: How do you manage your passwords?
27 points by malanj on May 5, 2014 | 58 comments
I used to memorize a few passwords; mentally graded as "very secure" (for things like my Google Apps and my laptop's disk encryption password), "somewhat secure" (for services like DropBox or HipChat) and then "probably insecure" (for services like Facebook or Skype). Recently I decided that the approach is simply too insecure and started using 1Password to create and manage strong, unique passwords for every service that I use.

I'm really interested to find out what HN tends to do.

Commercial password manager (e.g. 1Password): 201 points
Open source password manager (e.g. Keepass): 91 points
Memorize a few passwords and use each password for more than one service: 69 points
Memorize different passwords for every service: 23 points
Write down your passwords: 14 points
Hosted SSO tool (e.g. OneLogin): 0 points


I've been using LastPass for years. Of course, there's no way to be completely safe using a cloud-based service and closed-source code, but so far they've conducted themselves in a trustworthy manner, and the system they've built has safeguards against remote security failures.

Their cross-platform support is great as well. The only thing that's missing is a solid way to retrieve passwords on Android. The LastPass "keyboard" is abysmal, and switching between their app and the one you want to enter the username/password in can be painful. I'm not sure if there's an easy way to solve this problem, though, given the sandboxed nature of mobile apps.


Notably, the code for their Firefox extension^1, while not free software, is available to look at. Firefox extensions are delivered as an XPI file (https://developer.mozilla.org/en-US/docs/XPI), which is simply a renamed .zip. So it can be extracted with gunzip, 7-zip, winzip, etc.

Inside the .xpi are various human-readable files, including .js, .xml, and .config files (https://developer.mozilla.org/en-US/docs/Bundles).

So you can literally examine the source of any Firefox extension. And not just source you hope is the same as the delivered extension^2, but literally the running code.

So no, it's not free software. But it is accessible for you to read^3.

[1] I _know_ this is true for Firefox. I think it is for Chrome, but I'm not sure. I have no idea for any other browser.

[2] How do you know the code for e.g. Firefox that you clone from https://hg.mozilla.org/mozilla-central/ is the same code used to build the browser downloaded at mozilla.org? You don't, unless you go to the lengths of building it yourself and doing a bitwise comparison of the executables, but that is going to be error-prone. But you can pull the LastPass extension out of your profile and see the exact code being run.

[3] Unless they download code from somewhere and eval() it.
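The audit described in this comment, as an added example that is not part of the thread and not LastPass's code: open an XPI as a zip, list its members, and scan every .js member for the footnote [3] caveat, i.e. places where the extension would execute code it did not ship with (eval, the Function constructor, a remote .js URL). The sample XPI, its file names and the `fetchSync` call inside it are constructed for the example, not taken from any real extension.

```python
import io
import re
import zipfile

# Patterns that mean the extension runs code it did not ship with. Reading the
# XPI tells you only what is inside the XPI, so these are the lines to look at.
DYNAMIC_CODE_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "Function constructor": re.compile(r"\bnew\s+Function\s*\("),
    "remote script": re.compile(r"https?://[^\"']+\.js\b"),
}


def list_members(xpi_bytes):
    """Return the member names of an XPI (a renamed .zip), in archive order."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return zf.namelist()


def audit_xpi(xpi_bytes):
    """Scan every .js member for dynamic-code patterns.

    Returns {member_name: [(line_number, pattern_label, line_text), ...]}
    for members with at least one hit; clean members are omitted.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".js"):
                continue
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            hits = []
            for lineno, line in enumerate(text.splitlines(), start=1):
                for label, pattern in DYNAMIC_CODE_PATTERNS.items():
                    if pattern.search(line):
                        hits.append((lineno, label, line.strip()))
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_xpi():
    """Constructed sample XPI (not a real extension) to run the audit against."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf", "<RDF><!-- constructed manifest --></RDF>")
        # A member that only uses data already inside the extension.
        zf.writestr(
            "chrome/content/clean.js",
            "function fill(form) {\n  form.password.value = vault.get(form.host);\n}\n",
        )
        # A member that fetches code at run time and evals it (fetchSync is a
        # hypothetical helper invented for this sample).
        zf.writestr(
            "chrome/content/loader.js",
            "var src = fetchSync('https://updates.example.invalid/extra.js');\n"
            "eval(src);\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    xpi = build_sample_xpi()
    print("members:", list_members(xpi))
    for name, hits in audit_xpi(xpi).items():
        for lineno, label, line in hits:
            print(f"{name}:{lineno}: {label}: {line}")
```

To run it on a real extension, read the .xpi from your Firefox profile's extensions directory into `audit_xpi` instead of `build_sample_xpi()`. A hit is a place to read carefully, not proof of wrongdoing; minified or concatenated files will also produce long line texts, so widen the patterns rather than trusting a clean result blindly.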


There is a recent update on android that is fantastic. An overlay will appear on any app requesting a password, including the browser.

It's actually better than integration with a computer.


That overlay only shows up for me after I've switched to the LastPass keyboard and selected the password and filled in the box, too little way too late.


Shows up for me without issue so long as I've already logged in to the LastPass app. Not using the lastpass keyboard either.


I think I saw that once or twice after updating, but it then stopped working for me. I'll have to investigate what's going on.


I find it a bit weird that the OP only mentioned 1Password and omitted LastPass, which has been cross-platform for longer and is free for basic use.


The latest updates solve this problem (in Android at least) by using the accessibility features. When a login appears (in an app or browser) an overlay appears with matching credentials that you can copy with a single click.


It is great when this new feature works, but unfortunately it doesn't work all the time. Hopefully it will continue to get better.


I just stick to the bookmarklets on the mobile browser.


Randomly generated passwords, encrypted file. "Open source password manager" is the closest match, though it's not a specific solution.

Sharing between full keyboard/desktop systems isn't so tough, but transferring 30 character passwords to mobile devices very nearly exactly sucks.

Answering a now-deleted comment: "Using a tool would defeat the purpose of a password for me (a key hidden where we still can't read - the brain)."

The purpose of authentication isn't to provide absolute proof against compromise. It's to provide an asymmetrically difficult means for you vs. someone else to access systems. There are hacks against memorized passwords just as there are against encrypted safes of passwords. The question is: which makes you most secure?


I have a gpg encrypted file with them in, just in case, but mostly I know them from memory, or rather I'm able to find them again.

I have a few "root" passwords, which depend on the necessary level of security and the importance of the service. Them I know by heart. Then for each service I add a few characters (letters, numbers, punctuation signs) which depend on the service and feel natural as prefix and/or suffix (sometimes it's a bit more complex if it can be fun).

For instance, let's say a root is "icanh4zcheeZbugr", then maybe my reddit password will be "reddicanh4zcheeZbugr,t".

It works pretty well in practice. More than one time I was sure to have forgotten a password and was actually able to rediscover it quickly.


I GPG encrypt them and email them to myself using Thunderbird/Enigmail. I don't claim this makes any sense, I started doing it before password managers were popular. I keep meaning to start using `pass`.


Pass looks good! The only thing missing for me is a way to use it on iPhone/Android. I currently use KeePassX and it works pretty well with Dropbox sync.


What is `pass`?


http://www.zx2c4.com/projects/password-store/

I started using it earlier today actually (moving from KeePassX and have been meaning to for a while) and so far I really like it. As an Emacs user the Emacs integration plugin is also pretty amazing and it has import functionality for most known password managers.



For my less secure passwords, I use a tabula recta:

I keep a grid of random base64 characters on a laminated card in my wallet. I use a secret algorithm to derive a site's password from that grid. This gets me a unique password for each site, but I don't have to remember it. The code for generating the table is in this gist:

  https://gist.github.com/dunhamsteve/3259075
(You might want to tweak the font - 1 and l are very hard to distinguish in Courier.)
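An added example of the grid idea above, written for this discussion and not taken from the linked gist: the card is generated with a CSPRNG (`secrets`, not `random`), the glyphs that are hard to tell apart in a monospace font (1/l, 0/O, I) are dropped from the base64 alphabet, and rows and columns get labels so a cell can be named. The walk in `derive_password` (start at the row and column named by the site's first two letters, then read diagonally) is an assumption chosen to show how a lookup rule turns the card into a per-site password; the real "secret algorithm" is whatever the card's owner keeps in their head, and the card itself is the only part that should be printed.

```python
import math
import secrets
import string

# base64 alphabet minus the glyphs that are hard to tell apart on a printed card
BASE64 = string.ascii_letters + string.digits + "+/"
AMBIGUOUS = set("1lI0O")
GRID_ALPHABET = "".join(c for c in BASE64 if c not in AMBIGUOUS)


def make_grid(rows=26, cols=26, alphabet=GRID_ALPHABET, pick=secrets.choice):
    """Return a rows x cols grid of characters drawn with a CSPRNG."""
    if rows > 26 or cols > 26:
        raise ValueError("row/column labels are single letters; keep the grid <= 26x26")
    return [[pick(alphabet) for _ in range(cols)] for _ in range(rows)]


def render_grid(grid):
    """Render with column letters across the top and a row letter on each line."""
    cols = len(grid[0])
    lines = ["   " + " ".join(string.ascii_uppercase[i] for i in range(cols))]
    for i, row in enumerate(grid):
        lines.append(f"{string.ascii_uppercase[i]}  " + " ".join(row))
    return "\n".join(lines)


def derive_password(grid, site, length=16):
    """Illustrative lookup rule (an assumption, not the gist's algorithm):
    start at row = site's 1st letter, column = site's 2nd letter, then read
    diagonally down-right, wrapping around the card."""
    rows, cols = len(grid), len(grid[0])
    letters = [c for c in site.upper() if c in string.ascii_uppercase]
    if len(letters) < 2:
        raise ValueError("site name needs at least two letters")
    r = string.ascii_uppercase.index(letters[0]) % rows
    c = string.ascii_uppercase.index(letters[1]) % cols
    return "".join(grid[(r + i) % rows][(c + i) % cols] for i in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    grid = make_grid()
    print(render_grid(grid))
    pw = derive_password(grid, "reddit.com")
    print("reddit.com ->", pw, f"({entropy_bits(len(pw), len(GRID_ALPHABET)):.0f} bits of card entropy)")
```

The entropy figure is that of the card cells read, not of the scheme as a whole: someone holding the card and one recovered password can try candidate walks, so the strength rests on keeping the card out of others' hands and on the rule not being guessable from a single example. Regenerating the card means re-deriving every password, which is the same trade-off the thread notes for the derivation schemes below.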


Firefox's password manager for web stuff, system keyring (whatever comes with Ubuntu) for passwords to GPG and SSH keys, and pass[1] for everything else.

[1] http://www.zx2c4.com/projects/password-store/


I use a password hasher / generation extension for the browser, which makes a sort of HMAC of the password with the domain. Then I use a few master passwords depending on the sensitivity of a site. But in the end, each site has its own unique, very strong password.

Firefox: https://addons.mozilla.org/pl/firefox/addon/password-hasher/...

Chrome (same algorithm): https://chrome.google.com/webstore/detail/pawhash/adgekjfphh...


I have a unique password for every single one of my accounts (including computer logins and SSH keys). Each password is randomly generated, and meets sufficient entropy to withstand sophisticated attacks from even the most determined hardware, government entity, or organization.

I store all my passwords locally in an offline encrypted database. I absolutely will not store my passwords online. The moment AES is broken is the moment some rogue LastPass employee steals your encrypted database, and attempts to crack it, using the current break(s), to get access to your accounts.


I keep everything in KeePass and write the ones that I need to bring with me on a piece of paper which I keep on my person[1]. People who are likely to steal your wallet are not likely to be interested in your passwords, and people looking to mug you for your passwords are just about as likely to break into your house and steal or mess with your home computer IMO.

[1] see https://www.schneier.com/blog/archives/2005/06/write_down_yo...


I've personally been enjoying Dashlane. It has quirks, weird behaviors, and occasional sync issues, but it's been light-years ahead of LastPass for me. Don't know about Keepass.


I use RndPhrase (https://github.com/brinchj/RndPhrase). It's a plugin to your browser that lets you enter your own password on each site, and replaces it with secure per-domain passwords. It also has a nice web interface at http://rndphrase.appspot.com/, so you can use it even if you're not on your own computer.


I use (and created) the Passable Google Chrome extension: https://chrome.google.com/webstore/detail/passable/bpkpmidmf...

I also take advantage of any service that uses 2-factor auth and use HDE OTP on iOS.


I'm using Sticky Password - http://www.stickypassword.com/features/cloud

So I only have to remember one master password, and for every new password I use the password generator in SP. It is the best, because the generator makes very strong passwords.


I have a base password that I use on every website.

Then for every website, I (for example) use the first letter of the domain name and the last letter, add it to the beginning of my password. Then I take the last letter of the domain name and add it to the end of my password.

This way I only have to remember my tiny algorithm + my base password.


This is almost as bad as just using the same password. Anybody who breaks one is gonna notice that the site's name is in the password and suddenly know all your passwords.

It's 2014. Password managers are great.


This was an example. I am not actually concatenating 1st+2nd letter to my password. You can use the 1st letter of domain name in the middle of the base password, you can add the first and the last letter, resulting in a letter which will be added to the beginning etc. And in a 10-12 character password, it's very hard to 'notice' this.


True, but there are some algorithms that allow you to combine a domain name with a single password and get a good unique password out. Unfortunately it's hard to compute bcrypt hashes in your head.
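An added example, written for this thread and not taken from the password-hasher extension mentioned upthread or from any other project, of the two approaches these comments contrast: the "base password plus letters of the domain" concatenation, and a keyed one-way derivation (PBKDF2 to stretch the master once, then HMAC-SHA256 over the domain). The salt, the iteration count, the output length and the `counter` field are assumptions of this example; a real tool would store a per-user random salt.

```python
import base64
import hashlib
import hmac


def naive_site_password(base, domain):
    """The concatenation scheme described upthread (first letter of the domain
    in front, last letter behind). Kept here only for contrast: the base
    password sits unchanged in the middle of every output."""
    return domain[0] + base + domain[-1]


def derive_master_key(master_password, salt=b"example-salt-change-me", iterations=200_000):
    """Stretch the human-chosen master password once with PBKDF2-HMAC-SHA256.
    The salt is a constructed constant for this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def site_password(master_key, domain, counter=1, length=20):
    """HMAC-SHA256(master_key, lowercase(domain) || NUL || counter), base64
    encoded and truncated. Bumping `counter` yields a fresh password for one
    site after a breach there, without changing the master password."""
    msg = f"{domain.lower()}\x00{counter}".encode("utf-8")
    digest = hmac.new(master_key, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery"  # constructed sample master password
    key = derive_master_key(master)
    for domain in ("reddit.com", "github.com"):
        print(domain, naive_site_password("hunter2", domain), site_password(key, domain))
    print("after rotation:", site_password(key, "reddit.com", counter=2))
```

The property the thread is after is visible in the outputs: with the naive scheme, anyone who sees one password and the domain it was for can strip the two outer letters and has the base for every other site, whereas an HMAC output reveals nothing about the master key and changes completely when the domain or counter changes. The remaining weaknesses are the usual ones for derivation schemes: the master password must be strong because every site's password depends on it, the counter for each rotated site has to be remembered somewhere, and the base64 alphabet includes `+` and `/`, which some sites reject, so a deployed tool needs a per-site policy the way the extensions above provide.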


And if you're going to be using something to derive keys and store the results, you might as well just pump out a random string and stash it in the password management app of your choosing :)


I do something very similar to this, a base password which is some digits and then some key word that comes to mind based on the website. For example, I might use 123456cashmoney for my bank and 123456friends for Facebook. Usually I use the first thing that comes to mind when I see the domain, as I am very likely to think that same thing a year down the road when I am trying to remember that password! I've had a high success rate with this, and rarely reset passwords for websites I don't access but once a year (e.g. TurboTax).


Using words related to the target domain is one of the tactics most beloved by attackers, as that's where they'll be starting their dictionary attack. Hitting a bank? There are a few hundred bank-specific words, let's start with those, plus all the "cute" leetspeak substitutions and with prefixes/suffixes tacked on.


We got burgled last year, my laptop with an unencrypted drive was stolen, and I thought it was a good opportunity to be more grown up about passwords, so moved to 1Password. When heartbleed happened, I will admit that I didn't have the heart to change every last one of them (300+) again.


I have to say - I have been unfailingly impressed by LastPass. For $12 a year they provide a lot of value add, and seem (at least to someone who knows shamefully little about the nuts and bolts of security) to be fairly transparent about what using their service means for users.


I use this trick to generate (in my head) a unique password for each site: http://blog.rabidgremlin.com/2009/12/28/tip-creating-easy-to...


8 characters, 4 of which are static between your passwords and 4 of which any reasonably clever person can connect with the service name, in a predictable pattern, appears to be roughly as secure as using the same weak password on any service.

8 characters is well below the threshold of brute-force attacks these days, and once I've got one, and I see it has the site name in it, I'm gonna catch on to the game and there goes your other sites' passwords.


Me too :-)


KeePass on my PC, KeePassX on my Mac, and iKeePass on my iPhone & iPad, with a shared database on DropBox. I'm pretty happy with that setup, except for iKeePass, which is a little clunky. I'd really like to have a better KeePass client on iOS.


For very important accounts such as banks I use KeePass. For everything else I use a password generator I wrote called hash0: http://github.com/dannysu.com/hash0


I have previously used LastPass, 1Password, and RoboForms. Nowadays, I use Dashlane -- it's far-and-away the best password manager I've ever used. Both their Android client and Chrome extension have great UX.


Shameless plug for my iOS app PasswordGrid, which creates an easily printable grid for random passwords:

https://itunes.apple.com/app/id359807331


1Password for OS X and iOS (iPhone and iPad). Backup passwords for GMail and Dropbox are printed and stored in a safe place in my home, in case two-factor authentication doesn't work (e.g. iPhone stolen).


I do the exact same, but with the added step of adding the backup passwords for Google/Dropbox to the extra text fields you can add in 1Password. (For the very rare case of "I lost my phone/iPad, am not home for the physical backup codes, but still have access to 1Password on my Macbook".)


You need to remember only your Gmail password. For the rest, I simply maintain a single, well-ordered Google spreadsheet to store every password for services like Facebook, Twitter, Github, etc.


I have a gpg encrypted file on a server that I manage manually - made slightly easier by the gpg plugin for vim. Not found a password manager with a UI that I get on with yet.


I don't store them. I use the password recovery feature.


I memorize my email passwords (just 2-3) and put the rest in KeePass with backups online. Worst case scenario I have to request a forgotten password via email.


LastPass. Strikes me as just insane to use anything else.


What is insane about using Keepass (or 1Password)?


KeePass2 on my computers and my androids, with a very secure passphrase and the database synced between devices via dropbox. It works great!


This is my exact setup. Haven't had any issues with it so far.


I've been using keepass for several years now, I'm very happy and I can use it on my mobile phone too.


What's insecure about having a good password in memory?


How many passwords do you memorize?

Do you use any of these at more than one site?


There should be an option for PwdHash!


Using eWallet, and after I got it down it works very well for me.


I take the second letter of each service, repeat it a bunch of times, and then concatenate that with something else which is the same every time. So every password is different and also complex enough.



