April Gilford asked me an interesting question recently:
“…I need a high-security password management program, preferably free. What can you suggest? My log-ins and passwords are getting out of hand as my online presence increases. I need something to keep them organized but secure…”
If you’re in the same boat - here are 4 different ways you can go about it:
1. Use master passwords
Instead of using different passwords for different sites, try simplifying the process. Try using…
- One password only for sites which need maximum security (e.g. email). Keep the number of sites on this password to a bare minimum so you can change passwords easily.
- One password for sites I think can trust (e.g. Digg.com)
- One password for sites I don’t really know much about
…When in doubt - use the less secure one. This layered system helps ensure that if any password leaks occur - it should be properly contained.
2. Lock up your passwords with KeePass
KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk. So you only have to remember one single master password or insert the key-disk to unlock the whole database.
What I like about it is that it’s lightweight, portable (can be put on a thumbdrive), and extensible (look for the plugins on the KeePass homepage to get more features).
3. Generate and store hashed passwords with Firefox Password Hasher
Password Hasher is a Firefox security extension for generating site-specific strong passwords from a master key and a site specific keyword.
Here’s the concept:
Let’s say for example your master password is “readfriedbeef”, and the site in hand is digg.com
With those two parameters - Password Hasher will generate a complex hashed password e.g. “dmZ3)nkU” , which you can use (and store on your PC). Given the same master password and site, Hashapass will always give you the same result. That’s so you don’t have to store your generated passwords anywhere.
The advantage is that it’s incredibly secure, but the drawback is that it works best only if you use a machine with the Password Hasher extension installed or you will probably never be able to remember your complex hashed password.
You can however attempt a workaround by carrying a portable version of Firefox with you with the Password Hasher extension installed or use the online version.
Firefox browsers only of course - Internet Explorer users, please feel free to upgrade :)
4. Export your Saved Firefox Passwords for Easy Reference
Password Exporter is a Firefox extension allows you to export and import your saved passwords and rejected sites between computers. Your passwords will be exported to an XML or CSV file and can be encrypted if you want.
You can then use this as a reference guide stored on your computer.
Bonus tip: These passwords were listed by PC Magazine in May 2007 as the most commonly used passwords around:
- password
- 123456
- qwerty
- abc123
- letmein
- monkey
- myspace1
- password1
- blink182
- (your first name)
Don’t use them :)
What password tips do you have? Tell us in the comments!
[tags] security, tips [/tags]
December 7th, 2007 at 10:34 pm
Thanks for the answer! I am definitely going to give KeePass a try.
December 7th, 2007 at 11:18 pm
RoboForm is quite a good alternative to store web based passwords. The downside is that the free version only supports up to 10 passwords if I was not mistaken.
December 8th, 2007 at 1:43 am
I use Clipperz, an online password manager with auto login to sites which eliminates keystrokes of entering in user name and password. I like it a lot because I change up my passwords more than I did before. For bank and credit card I use their password generator to create totally random passwords and I do that frequently.
Another site is PassPack which is very similar though you are limited to 100 passwords for free and then there is a fee whereas Clipperz so far is free.
Some people take issue with using online solutions such as Clipperz and PassPack but I find their terms of security reassuring and took the leap with Clipperz.
December 8th, 2007 at 3:50 pm
@April - my pleasure
@Syahid Ali & Ellen - thanks those are brilliant tips
December 10th, 2007 at 11:59 pm
I use an Excel spread sheet, alphebetized listing the name of the site, the URL, my user name and password.
December 11th, 2007 at 9:56 pm
As a proponent of KISS principle, I use 3 master passwords for 3 classes of sites. If a site requires change of password every month, e.g. online trading account, I will append the month of change into the password.
December 20th, 2007 at 12:58 am
I know few languages . so mix the words from two different language to make a password.
December 26th, 2007 at 11:48 pm
I used to stay away from those password managers, both online and offline. The reason is that they were just glorified excel lists and most had a password generator.
I’ve never heard of Clipperz though. The automatic login part is intriguing.
One tip I’ve found interesting is having a root password and appending different things to it based on the account.
Eg. root = root3 (through in a number cuz some require)
gmail password: root3gmail/root3gmail.com
This way you have a relatively short password to remember, but you solve the password length problem with with concatenation.
Baz L
February 8th, 2008 at 2:26 am
Encrypted Google Spreadsheet accessed via SSL (https). Available from any computer, free, and secure.