Carrying passwords...

Posted by: TeacherRO

Carrying passwords... - 02/15/12 01:04 AM

How do you carry around all those passwords/ pin numbers securely?
Writing it on a post-it in my wallet seems like a really bad idea...
Posted by: UTAlumnus

Re: Carrying passwords... - 02/15/12 01:23 AM

I use a program called eWallet. It has Windows PC/mobile, Mac/iOS, Blackberry, and Android versions. One rememberable password allows me access to all the pure hash passwords w/ a random generator. I also use it to store other info such as serial numbers, clothes sizes, club memberships, etc.
Posted by: chaosmagnet

Re: Carrying passwords... - 02/15/12 03:45 AM

I use LinkeSOFT's Secret! It uses strong encryption and syncs the database between my iPhone and my PC. Before my iPhone I ran it on my Treo and several PalmOS PDAs before that. I like it a lot.

No affiliation other than as a customer.
Posted by: haertig

Re: Carrying passwords... - 02/15/12 03:59 AM

Originally Posted By: TeacherRO
How do you carry around all those passwords/ pin numbers securely?
Writing it on a post-it in my wallet seems like a really bad idea...

Do you really have that many that need to carry them around with you? If you do, sure, get some electronic app/gadget that stores them all encrypted and accessible via a master password (which you will have to remember). This can be on a SmartPhone, on a thumbdrive, etc. depending on your needs. But consider first, do you really need that many when you're mobile that you can't just memorize them?
Posted by: LesSnyder

Re: Carrying passwords... - 02/15/12 04:30 AM

Guess I'm old fashioned... typically use favorite author's surname, stored on my cell phone, last four digits of the phone number is the pin
Posted by: ireckon

Re: Carrying passwords... - 02/15/12 04:37 AM

Generally, the program should have strong encryption. If your computer/phone is stolen, a moderately skilled hacker could hack your program and then have access to all your passwords. I need to upgrade my password program to practice what I preach.

"Not writing passwords down" is not an option for me. I have over 100 passwords or combinations I may need at any given moment. My job alone has about 12 different things that require a password, and those passwords require odd combinations of numbers and unique characters.

Oh yeah, I include padlock combinations in there. How many times have you left a padlock alone for 2 years and had to cut it or trash it because you couldn't remember the combination? I simply don't have enough time to go through the whole process of resetting a password, or buying a new padlock, every time I forget one.
Posted by: haertig

Re: Carrying passwords... - 02/15/12 05:04 AM

I just store padlock combinations as phone numbers. For example, I might have a "phone number" for "Sonny" (fictitious) ... 217-0412. Who would know that Sonny is one of our horses, and that the padlock combination to his supply cabinet is 17-04-12 (discard the first digit of the "phone number").

A hockey gear locker combination could be stored under "Wayne Gretzky" or one of your other favorite players.

A three digit banking PIN could be stored with four random digits prepended to it under "Butch Cassidy" (because he robbed "banks")

Etc. This is good enough for me, for the non-critical stuff. Come to think of it, the only "critical stuff" I'd be accessing will always be from home, not while mobile. I haven't used a PIN anywhere for years (I use charge cards, not debit cards).
Posted by: Eugene

Re: Carrying passwords... - 02/15/12 01:01 PM

keypass is another popular one. You can have multiple 'safes' to keep different things separate, for example home and work stuff (be sure work is ok with it of course). So you categorize and then have just a few master passwords depending on the category/security level.
I have a half dozen 'single sign on' passwords for work, then all the different utilities to pay bills, multiple bank accounts for myself and my kids, and then all the various forums.
Set up one 'safe' for all the joint accounts that you and your wife use so if anything were to happen to one of you the other has access.
Most password programs will have hooks into your web browser so it will put in the right user/password for you once you enter the master password.
Posted by: quick_joey_small

Re: Carrying passwords... - 02/15/12 01:24 PM

Here's a common way of remembering numbers. I just write mine this way on the device or card. With the numbers assigned to different sounds to the ones here.

You build associations between each individual number and a sound. Since words are easier to remember than numbers, you construct a word from each group of numbers and then memorize the word(s).
Each number is assigned a consonant.

0 - z, s, soft c - "z" is the first letter of zero. The others have a similar sound
1 - d, t - t has one downstroke, d has a similar sound (some variants include th)
2 - n - n has two downstrokes
3 - m - three downstrokes, also "3" looks like "m" on its side
4 - r - last letter of four
5 - l - L is the Roman Numeral for 50
6 - j, sh, ch, soft g - a script j has a lower loop / g is almost a 6 rolled around
7 - k, hard c, hard g, q, qu - capital K contains two sevens
8 - f, v - script f looks like a figure-8 (some variants include th)
9 - b, p - P is a mirror-image 9, b sounds similar
Notice that similar sounds are grouped together. The system goes by sound rather than spelling, and the unused sounds (vowels and the consonants "w", "h" and "y") can be put into a word anywhere without changing the value.

E.g.
"ledge" = 56.

qjs
Posted by: haertig

Re: Carrying passwords... - 02/15/12 04:48 PM

Ouch, my brain hurts trying to understand that.
Posted by: gonewiththewind

Re: Carrying passwords... - 02/15/12 07:38 PM

Be careful with that stuff. It seems complicated at first, but once you have practiced a few times, it is difficult to stop doing it. It is like a virus.
Posted by: haertig

Re: Carrying passwords... - 02/15/12 07:59 PM

Most of my passwords, the secure ones always, are a series of motions on the keyboard. I do not think of them as letters, numbers and punctuation characters. These are super-secure once you get the hang of creating them effectively. However, I cannot even tell you what these passwords are, unless I have a keyboard in front of me to type them on and look at the result. It's like playing the piano. You don't think of individual notes when performing, you think of the phrasing, expression, and where you are going with it (not the individual notes to get there). Sounds weird, I know, but then I'm just a geeky engineer (and a pianist!)
Posted by: Eugene

Re: Carrying passwords... - 02/16/12 01:21 AM

Until you get a new keyboard :)
Posted by: Tjin

Re: Carrying passwords... - 02/16/12 06:52 AM

Originally Posted By: Eugene
Until you get a new keyboard :)


I once tried to check my email in Switzerland, I couldn't. I just could not type my password on a Swiss keyboard...
Posted by: haertig

Re: Carrying passwords... - 02/16/12 06:40 PM

Hmmm... you bring up a very good point. I doubt I could type my password ("a series of movements on the keyboard") even on one of those ergonomic curved/split keyboards. Let alone a keyboard with a foreign alphabet layout. This might keep me from working (yea!) To access my home computers from outside, no passwords would work - I use public key pairs exclusively. But then, I'd still need to type the password to unlock the keyring on my thumbdrive. Hmmm ... maybe I need to go back to the golden standard "password123" (you wouldn't believe how many people I know who actually use that one!)
Posted by: desolation

Re: Carrying passwords... - 02/16/12 11:48 PM

Another vote for KeyPass. One nice thing about it is it avoids keystroke loggers if you or whatever computer you are using is so infected. Copy/paste passwords/usernames with an auto clear of the copy/paste memory after a few seconds.
Posted by: RayW

Re: Carrying passwords... - 02/17/12 12:30 AM

Plus one more for keepass. It also uses the same database for Windows and android so it is easy to keep your passwords synchronized between your phone and your PC.
Posted by: UTAlumnus

Re: Carrying passwords... - 02/17/12 01:48 AM

Given that one that I use a LOT is 10+ random case sensitive alphanumeric digits and any financial passwords are similarly complex, trying to remember them would be pointless. Mobile access is a bonus most of the time. With my PDA and computer access, it's possible to access any site that I've set a secure password for. I don't use the PDA for web access due to browser limitations and screen size.
Posted by: haertig

Re: Carrying passwords... - 02/17/12 02:12 AM

I checked out that KeePass application for my droid phone and Windows and Linux. It looks pretty nice. Their tutorial video mentions using Dropbox for "cloud" storage of the database file, so it is accessible anywhere. But I don't like the fact that this is stored on some third-party server out there on the internet somewhere. I already have my own "cloud" storage on my local LAN (one of my Linux boxes is my file server). All my home computers can access this, and so can my droid phone when it's connected to my LAN via WiFi (using the excellent "ES File Explorer" droid app). I assume my wife's iPhone has some similar WiFi based LAN access app, but I haven't investigated that yet.

However for remote access (not on the LAN) Dropbox might be good. I wouldn't store any files there that I hadn't encrypted myself, prior to using the encryption built-in to Dropbox. Also, I just don't like the idea of having to install an app on my computers that does automatic remote syncing. That's a big 'ol security hole just waiting to be exploited. So I don't think Dropbox is for me, but it may be good for others.
Posted by: adam2

Re: Carrying passwords... - 02/17/12 01:35 PM

I try to minimise the number of passwords that I use in order to facilitate remembering them.

Intruder alarm at work required a password that I had to remember and could not alter, but I altered other passwords to match the intruder alarm. I have since changed job, but the password is in regular use for a number of purposes and reliably memorised.
I purchased a number of combination padlocks, set them all to the same number, it is the last four digits of a previous employer's phone number.
With a little thought, numbers of passwords can be much reduced.

There is a lot to be said for using the phone numbers or birthdays of living or deceased relatives as passwords, one's OWN details might be too easily guessed.

Most internet forums require a password, this should not be readily guessed, but I see no harm in use of the same password for multiple forums.
Posted by: haertig

Re: Carrying passwords... - 02/17/12 05:36 PM

Originally Posted By: adam2
There is a lot to be said for using the phone numbers or birthdays of living or deceased relatives as passwords, one's OWN details might be too easily guessed.

Whether it's your birthday or mine, there are only 365 different possibilities in a year. A single human could go through all those possibilities in a few hours. A computer in a few milliseconds. Even if you add the year to the birthday, we're only talking seconds or minutes for a computer to guess each possibility. You have to remember that computer crackers are not specifically targeting YOU usually, they are targeting anything they can get. If you happen to be the poor soul whose birthday is January 1st, 2001 and you use 010101 as your password because you think there are a lot of birthdays out there - too many for even a computer to figure out - you're going to be owned on about the third guess.
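Added example, not part of any post in this thread: a password-policy check that flags date-shaped passwords and compares that search space with the 10 random case-sensitive alphanumeric characters mentioned earlier in the thread. The year range, the six date layouts and the function names are assumptions made for the illustration.

```python
import math
from datetime import date, timedelta

# Assumed layouts people commonly use when typing a birthday as digits.
LAYOUTS = ("%m%d%y", "%d%m%y", "%y%m%d", "%m%d%Y", "%d%m%Y", "%Y%m%d")


def date_shaped_strings(first_year=1900, last_year=2012):
    """Every calendar date in the range, rendered in each assumed layout."""
    known = set()
    day = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while day <= end:
        for layout in LAYOUTS:
            known.add(day.strftime(layout))
        day += timedelta(days=1)
    return known


def is_date_shaped(password, known):
    """True if the password is a date once common separators are removed."""
    stripped = password.translate(str.maketrans("", "", "/-. "))
    return stripped in known


def keyspace_bits(count):
    """Size of a search space expressed in bits (log base 2)."""
    return math.log2(count)


if __name__ == "__main__":
    known = date_shaped_strings()
    # Constructed sample passwords; the first is the one quoted in the post.
    for pw in ("010101", "01/01/2001", "k3Vq9ZxP0a"):
        verdict = "reject (date-shaped)" if is_date_shaped(pw, known) else "ok"
        print(f"{pw!r:14} {verdict}")
    print(f"all birthdays, 6 layouts : {len(known)} strings, "
          f"{keyspace_bits(len(known)):.1f} bits")
    print(f"10 random alphanumerics  : {62 ** 10} strings, "
          f"{keyspace_bits(62 ** 10):.1f} bits")
```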
Posted by: ireckon

Re: Carrying passwords... - 02/17/12 06:45 PM

Many tricks (disguises, mnemonics, etc) mentioned here may be fine for non-critical stuff. However, a reasonably skilled hacker would think those cracks are child's play. A good hacker isn't sitting there staring at your passwords. They're dealing with computer programs that have complex algorithms involving complex math that does most of the work. The hackers are not trying hard at all.

Do you think nobody cares that much about your passwords? Well, they probably don't, but the hack isn't hard. The situation is your laptop or cell phone is stolen/lost. The hacker has all the time in the world at that point. Again, they're not trying hard. Their tools are doing most of the work.

I embrace that concept. I do not leave passwords exposed in any manner. If I use a system for disguising passwords, it's after I've applied some sort of password holding software program.
Posted by: ireckon

Re: Carrying passwords... - 02/17/12 07:17 PM

Off topic sorta...

I really hate admitting this, but password protection may be a situation where good ol' pen and paper is superior. That is, if you store the paper in one safe. At that point, the only way to get the password (from you) is by getting into that safe or into your brain. You leave no exposure via your lost computers, cloud computing, etc.

Even better is to store passwords on an encrypted computer whose single purpose in life is to store your passwords, and then lock that encrypted computer in one physical safe. (Storage in only your brain is obviously the highest security, but for me personally that's not an option.)

All the fancy encryption algorithms cannot beat a system where your password is simply not stored on any computer in any way, shape, or form. Of course, your third parties (e.g., bank computers) store passwords somewhere, but you have no control over that storage.
Posted by: Chisel

Re: Carrying passwords... - 03/07/12 05:50 PM

If you are using paper (or index card) for your passwords, it may help to throw some imaginary passwords in the mix. Just like remembering strokes on the keyboard, you will remember which ones are real passwords and which ones are fake.


Posted by: ILBob

Re: Carrying passwords... - 03/07/12 09:52 PM

Originally Posted By: ireckon
Off topic sorta...

I really hate admitting this, but password protection may be a situation where good ol' pen and paper is superior. That is, if you store the paper in one safe. At that point, the only way to get the password (from you) is by getting into that safe or into your brain. You leave no exposure via your lost computers, cloud computing, etc.

Even better is to store passwords on an encrypted computer whose single purpose in life is to store your passwords, and then lock that encrypted computer in one physical safe. (Storage in only your brain is obviously the highest security, but for me personally that's not an option.)

All the fancy encryption algorithms cannot beat a system where your password is simply not stored on any computer in any way, shape, or form. Of course, your third parties (e.g., bank computers) store passwords somewhere, but you have no control over that storage.

No one stores passwords anymore. Encrypted or otherwise.

What is stored is a one way hash. There is no way to get the password from the hash.

When you enter your password, the password you enter is put thru the hash algorithm and the output compared to the hash stored on the computer system. If the correct password was entered, the hash will be the same.

But there is no way to go backwards from the hash and get the password.
Posted by: chaosmagnet

Re: Carrying passwords... - 03/07/12 09:54 PM

Originally Posted By: ireckon
Of course, your third parties (e.g., bank computers) store passwords somewhere, but you have no control over that storage.


Okay, the following is super-nerdy and nitpicky, and may not be of interest to anyone.

Most systems don't store your password. They store a hash of your password instead. A hash function is supposed to be a mathematical "trap door" that takes an input, does math to it and comes out with a fixed-length output that's repeatable and unique to the input. That's impossible, so there are multiple inputs that can repeat the same output. That's called a hash collision.

Anyway, when you enter your password, the system authenticating you performs the same hash function on your input and compares the hash output to the hash output it has stored in your user record.
Posted by: JBMat

Re: Carrying passwords... - 03/08/12 02:43 AM

You can pen and paper store a password if you have a system.

Here's one. Password is combination of a word, with numbers and symbols. Then you encode it for yourself.

"pizzabyTigger88" is what is written

To me that means the password is "pepper93))oni"

Pizza = pepper oni
byTigger = the year my cat Tigger was born
88 = )) - caps and add a key

And only I know the last 3 letters of the major word come after the other keys.

Do this for yourself. Easier than most codes, only decodable by you and those in the know.
Posted by: Eugene

Re: Carrying passwords... - 03/08/12 04:43 PM

Originally Posted By: ireckon
Off topic sorta...

I really hate admitting this, but password protection may be a situation where good ol' pen and paper is superior. That is, if you store the paper in one safe. At that point, the only way to get the password (from you) is by getting into that safe or into your brain. You leave no exposure via your lost computers, cloud computing, etc.

Even better is to store passwords on an encrypted computer whose single purpose in life is to store your passwords, and then lock that encrypted computer in one physical safe. (Storage in only your brain is obviously the highest security, but for me personally that's not an option.)

All the fancy encryption algorithms cannot beat a system where your password is simply not stored on any computer in any way, shape, or form. Of course, your third parties (e.g., bank computers) store passwords somewhere, but you have no control over that storage.



You'll wear out the safe door that way getting your passwords every time you need to sign in to something.
Posted by: Glock-A-Roo

Re: Carrying passwords... - 03/08/12 07:59 PM

1) how do you get around the keyloggers that are on your work computers? Most larger companies log all computer input, not just web history. Makes things much easier on the HR department for both personnel and corporate espionage issues.

2) don't Google and Apple store all their customers' smartphone data on company servers? Don't they claim access to everything that goes thru your phone?
Posted by: chaosmagnet

Re: Carrying passwords... - 03/08/12 08:15 PM

Originally Posted By: Glock-A-Roo
1) how do you get around the keyloggers that are on your work computers? Most larger companies log all computer input, not just web history. Makes things much easier on the HR department for both personnel and corporate espionage issues.


This is actually harder to do than you might think. Logging all Internet access is pretty easy (it isn't cheap to do it well, but it isn't hard). Logging all access to files is tougher but do-able. Logging all network access is hard. Logging keystrokes sounds easy to do but you need to deliberately neuter or compromise your workstation security software to do it, as well as spend a lot of time and effort reviewing the logs. Almost none of my customers have attempted to do this. This is very rare outside of high-security government facilities.

Logging Internet access from company networks and workstations is generally legal, but make sure you have a written policy in place to support it. Logging email is a federal felony without a written policy and some evidence that the end-user was aware of the policy. Logging keystrokes is a dicey area of law; you'd most likely end up with civil liability and criminal liability is a real possibility. Consult an attorney first.

Quote:
2) don't Google and Apple store all their customers' smartphone data on company servers? Don't they claim access to everything that goes thru your phone?


They log usage information but do not (as far as I know) log keystrokes/button pushes or log the activities of third party apps.
Posted by: Eugene

Re: Carrying passwords... - 03/08/12 09:10 PM

Originally Posted By: Glock-A-Roo
1) how do you get around the keyloggers that are on your work computers? Most larger companies log all computer input, not just web history. Makes things much easier on the HR department for both personnel and corporate espionage issues.

2) don't Google and Apple store all their customers' smartphone data on company servers? Don't they claim access to everything that goes thru your phone?


Not quite. The amount of key presses would cost too much to store that much data for a key logger. They monitor web sites and may have some pattern detection programs.

At least Google only stores what data your phone syncs with them, calendar, gmail, etc. You can store data on the sd card or use other e-mail programs that they don't access or store.
Posted by: desolation

Re: Carrying passwords... - 03/12/12 10:35 PM

Originally Posted By: Glock-A-Roo
1) how do you get around the keyloggers that are on your work computers?


KeyPass allows copy/paste of user/pwd to avoid this as well as trojans you might have on your personal computer. They'd see your payment amount/date, but not the password.
Posted by: chaosmagnet

Re: Carrying passwords... - 03/13/12 02:59 PM

Originally Posted By: desolation
KeyPass allows copy/paste of user/pwd to avoid this as well as trojans you might have on your personal computer. They'd see your payment amount/date, but not the password.


Primitive keystroke loggers cannot read the paste buffer. Modern malware generally can.
Posted by: desolation

Re: Carrying passwords... - 03/15/12 09:02 PM

Originally Posted By: chaosmagnet
Originally Posted By: desolation
KeyPass allows copy/paste of user/pwd to avoid this as well as trojans you might have on your personal computer. They'd see your payment amount/date, but not the password.


Primitive keystroke loggers cannot read the paste buffer. Modern malware generally can.


Well there you go. My advice is generally worth just what you paid for it! blush
Posted by: MDinana

Re: Carrying passwords... - 03/15/12 09:43 PM

Originally Posted By: haertig
Originally Posted By: TeacherRO
How do you carry around all those passwords/ pin numbers securely?
Writing it on a post-it in my wallet seems like a really bad idea...

Do you really have that many that need to carry them around with you? If you do, sure, get some electronic app/gadget that stores them all encrypted and accessible via a master password (which you will have to remember). This can be on a SmartPhone, on a thumbdrive, etc. depending on your needs. But consider first, do you really need that many when you're mobile that you can't just memorize them?

Absolutely, in my job.
One password for the computer. One for my Electronic Medical Record (actually 2 programs). 1 for my TSP account, 1 for my DFAS account (both military payment systems). My 2 bank accounts. My online access to EMR (of course, different password required!). There's 2 programs we use for continuing education that have different user ID's and passwords.

I've counted up to 13 passwords I typically need to access. Most of the work-related ones won't have the same log in requirements and need to be changed every few months. My solution is a freaking notepad.
Posted by: Eugene

Re: Carrying passwords... - 03/16/12 01:39 AM

13 is pretty low. I have three banks I have accounts at, so three accounts and passwords for me, then one for my wife (I download and store her retirement statements for her so I have to use her account), then two more user accounts and passwords for the kids' CDs at the third bank. There is 6.
7. Health insurance site
8. dental insurance site
10. optical insurance site
11. cable/internet/phone web site
12. power company web site
13. gas company web site
14. domain/e-mail hosting site
15. domain registration site
16. work computer sign on
17. work single sign on
18. Cell provider user/password.
19-123456789. all the web sites and forums like this :)
Posted by: ireckon

Re: Carrying passwords... - 03/16/12 03:47 AM

To the common passwords listed above, add about 50 more numbers for me to remember:

-All my combination padlocks belonging to me or family (especially my parents).

-Serial numbers and company phone numbers for various safes belonging to me or family.

-Passwords/phone codes for home security systems belonging to me or family.

-Wifi networks belonging to me, friends, or family

-Social security numbers and passport numbers of family members (especially my daughter)

-Credit card numbers for buying stuff online. (I often don't carry around my credit cards, but I always have my smart phone.)

-Frequent flyer numbers (high security is unnecessary, but still...)

-Member numbers of my professional licenses (high security is unnecessary, but still...)

=====

In my family, I'm the guy to call if they forgot how to access whatever it is they're trying to access. Over several years, I'd say I've received about 30 such calls. I can't just use a notepad. In my case, the notepad method would be boldly irresponsible.
Posted by: chaosmagnet

Re: Carrying passwords... - 03/16/12 05:58 PM

I have somewhere around 100 passwords that I need to know for my customers. That's why I use a password database app that uses strong encryption and syncs with my PC.
Posted by: drahthaar

Re: Carrying passwords... - 03/27/12 11:14 PM

For what it's worth, I keep all of my passwords on a piece of paper in my wallet in a format _something like_ the following:


Bank A 22174 55431 33101 24118 24566 jymcl
Bank B jncny 22411 !ljm* 308A1 23411 44389
Ins ID 33981 33231 SML)@ 30222 16720 79811
etc

By starting the password at a predetermined string and introducing blocks of characters that you ignore, you can conceal your password pretty effectively.

For example: password starts at second to last character in 5th block and goes in reverse order.

or you can do first 2 characters of each block, etc.
Posted by: TeacherRO

Re: Carrying passwords... - 04/04/12 11:50 PM

and in the cloud/ backed up (encrypted, of course) Anyone tried kneepass?
Posted by: Brangdon

Re: Carrying passwords... - 04/06/12 03:39 PM

Originally Posted By: chaosmagnet
Most systems don't store your password. They store a hash of your password instead.
True. You're still depending on the other site to get it right, though. If the site makes a mistake, the password database may get copied, and then even if it only contains hashes, the hackers can try to break them (for example, using "rainbow table" attacks.) They may not get your password, but they can get another string with the same hash that's as good as your password. They can also try dictionary attacks, as proved quite successful with the Gawker password leak (190,000 passwords decoded and published).

And that's if they are trying to get it right. XKCD makes this point better than I could.
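Added example, not part of any post in this thread: the hash-and-compare login check described by ILBob and chaosmagnet, next to what a copied table looks like with and without a per-user salt, which is the concern Brangdon raises. The user names, the PBKDF2 work factor and the record layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware

# Constructed sample data: two users who picked the same weak password
# (both strings are ones the thread itself mentions).
USERS = {"alice": "password123", "bob": "password123", "carol": "010101"}


def unsalted_hash(password: str) -> bytes:
    """Weak scheme: one fast hash, no salt. Same input gives the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def make_record(password: str) -> dict:
    """Stronger scheme: random per-user salt plus a deliberately slow KDF."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Login check: re-run the KDF with the stored salt and compare the outputs."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def users_sharing_a_hash(stored: dict) -> list:
    """Audit view of a copied table: groups of users whose stored values match."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables():
    """Store the same constructed users under both schemes."""
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    strong = {u: make_record(p) for u, p in USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    # Unsalted: identical passwords are visible as identical hashes, and one
    # precomputed table of common passwords matches every user at once.
    print("unsalted, shared hashes:", users_sharing_a_hash(weak))
    # Salted: every record differs, so each guess must be recomputed per user.
    print("salted, shared hashes:  ",
          users_sharing_a_hash({u: r["hash"] for u, r in strong.items()}))
    print("alice, right password:", verify("password123", strong["alice"]))
    print("alice, wrong password:", verify("password124", strong["alice"]))
```

The salt does not make a weak password strong; it removes the benefit of precomputed tables and the slow KDF raises the cost of each individual guess.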
Posted by: comms

Re: Carrying passwords... - 04/07/12 06:30 PM

Not sure if this is applicable to the thread but I just purchased this external hard drive. At 1 Terabyte I'm able to back up 3 separate computer MyDoc folders (biz & personal computers), all my photos and movies/videos along with back ups to my online stuff. It states and some reviewers back up the claim that it is 'rugged' or 'military grade'. I'll toss a secure access program on it and stash it in my EDC pack as part of my electronics kit.