Lately I have noticed that I am utterly overwhelmed with usernames and passwords. I have several different logins and passwords at work — one to sign on to the corporate network, another to log into the Web-based helpdesk, another for a monitoring tool that we use, yet another for our contact-management system and so on. I easily have ten different username/password combinations just for work.
Then there's the plethora of e-mail username/password combinations for my personal e-mail, my free Webmail accounts, my logins for my home computers, logins for various online services such as my online banking, student loan management, online bill paying interfaces for Qwest and other companies, other username/passwords for online shopping... various (annoying) required username/password combinations for things like the New York Times online, Washington Post, Salon.com, Slashdot, kuro5hin.org, Freshmeat, etc.
Bottom line: I'm drowning in passwords and usernames. I have about five different usernames I use with freebie services that I've picked because they're easy to remember, and about ten different passwords that I rotate between those freebie services that would be no big deal if they were cracked.
Then I have to come up with unique passwords for things like online banking, billpaying and shopping — it would be a big problem for someone to be able to log into my online banking at will if they figured out my password.
My question is how one should keep track of these things securely. Assuming that one does not have a memory like a steel trap, how are you supposed to keep track of some fifty or more username/password combinations and the services they match up with? It's definitely a security hazard to write them down or store them in some unencrypted form on your home computer. How can you keep a record of these things securely?
7 Comments
If you are a KDE user, you might look at the kde wallet (new in 3.2 I think).
It can store web form data, passwords, etc.
Also, firefox can store some items like that.
Yeah, I'm aware of those things... doesn't help much when you switch computers regularly, and it doesn't do much for passwords for remote computer logins, db logins and so forth -- I use Firefox/Mozilla's password features pretty heavily, but there are a number of sites/pages where they don't work.
Sending yourself a GPG-encrypted mail with all the stuff inside, so you only have to remeber the mantra. Works best with mutt on a remote server, so you can access it from everywhere.
I have been using strip - http://www.zetetic.net/solutions/strip/ - a free password manager for palm OS to manage all my passwords - allows me to use unique passwords for everything. I wish it has a desktop app to sync with but still very handy. One word of warning - i have heard there is a flaw in the password generator so don't let it pick your passwords for you.
Encrypt a file with the passwords, mail it to yourself. If you move around to diffrn't systems, try emailing to a service that allows you to get it from webmail.
Or leave it on your secure desktop at home and SSH to it. This might be more trouble than it's worth ...
Not foolproof, and I wouldn't (myself) leave it on a web-based anything. YMMV.
Keep reusing 3 passwords over and over
i store them encrypted in a file and view/edit with vim. so as to not ever have the file unencrypted on disk i start vim like so:
vim -b -n -c '%!gpg 2>/dev/null' -c 'map :wq :%!gpg -e -r me 2>/dev/null:w:q ' $HOME/secretfile
and then :wq writes out the buffer encrypted