59

Obviously, seeing as how many of us here are system-administrator-type people, we have a lot of passwords strung out across numerous systems and accounts. Some of them are low priority, others could cause serious harm to a company if discovered (don't you just love power?).

Simple, easy-to-remember passwords just aren't acceptable. The only option is complex, hard-to-remember (and type) passwords. So, what do you use to keep track of your passwords? Do you use a program to encrypt them for you (requiring yet another password in turn), or do you do something less complicated, such as a piece of paper kept on your person, or is it somewhere in between those options?

DWilliams

40 Answers

63

KeePass is great.

raspi
  • 3
    +1 for Keepass. I have a copy of it on my laptop and a synched copy on my G1 Android. – KPWINC Jun 07 '09 at 06:02
  • I used PassReminder for a while because it was usable on Windows and Linux, but development stagnated. I switched to KeePass, and have had the same database for over two years, across Windows, Linux and Mac OS X workstations. – jtimberman Jun 07 '09 at 07:08
  • I should note that at a previous job we used a KeePass database shared between the admin staff that stored all the infrastructure related passwords. – jtimberman Jun 07 '09 at 07:09
  • We use KeePass on a USB stick which is stored in our backup safe for all our system passwords. – Swinders Jun 07 '09 at 14:07
  • @KPWINC - How do you keep a synced copy on your G1? – GregD Jun 07 '09 at 23:21
  • KeePass can also be used on Linux: KeePassX. – Joseph Kern Jun 13 '09 at 01:42
  • Another vote for Keepass. I keep my password file on my USB stick, encrypted, and keep portable binaries for both Windows and Linux on there so that I can pop it in wherever I go. – Dave Drager Jun 16 '09 at 13:15
  • I'm accepting this answer because I believe of all the password managers I've looked at, KeePass is the best. It does everything I'd expect of a password manager. The only feature it doesn't have is a CLI for use in scripts. – DWilliams Jul 15 '09 at 03:07
  • 1
    KeePass + Dropbox = Autosyncing passwords. – Hello71 Sep 14 '10 at 02:21
  • KeePass + iKeepass + Dropbox = Autosyncing password database on all your computers and in your pocket – Randy Orrison Nov 23 '11 at 20:31
30

I have a very simple way of dealing with passwords:

I don't like password managers, but I like crypto, so I take advantage of one-way hashes (md5, sha1, etc.) and generate passwords using them.

How does it work?

First, I choose a good long password that I will use everywhere. For example qwerty (don't use that, it's just an example). Now for every site, your password will be the md5 (or sha1) of qwerty + site name. For example:

$ echo "qwerty http://www.facebook.com" | md5
9d7d9b30592fd43dd6629ef5c12c6e9a

$ echo "qwerty http://www.twitter.com" | md5
cdf0e74e19836efb20f29120884b988d

That way, my password for Facebook is 9d7d9b30592fd43dd6629ef5c12c6e9a and for Twitter it is cdf0e74e19836efb20f29120884b988d.

Both long and secure. If someone steals my Twitter password, he has no way to reverse it to figure out the other passwords. Plus, doing that, you don't need any password software stored (just the md5/sha1 binaries, which come by default on Linux and are easy to find on Windows).

sucuri
  • 6
    Good, simple scheme. What do you do on sites that have limited their password fields to less than 32 bytes, just truncate? – pboin Nov 14 '09 at 18:14
  • Yes, I just truncate it. It has been working well for me :) – sucuri Nov 17 '09 at 15:23
  • 1
    That's quite an ingenious scheme! Cool! – Sander Versluys Dec 02 '09 at 10:33
  • 1
    pwdhash does something similar and it's available as a Firefox add-in. So if you're simply wanting to control passwords on the web, this is ideal. Also means you can use any PC as you don't need to carry your password database around with you. – Chris J Jun 03 '10 at 11:22
  • 13
    Won't this leave a trail of commands with your password in plaintext in the bash history? – pufferfish Jul 01 '10 at 11:06
  • 1
    You can have bash ignore commands by configuring HISTCONTROL, see: http://www.commandlinefu.com/commands/view/1512/execute-a-command-without-saving-it-in-the-history#comment – Matt V. Jan 21 '11 at 01:51
  • 1
    A leading space before your command also tells bash to not add a line to bash history. I use this when I recall screen sessions to not fill up a portion of my bash history buffer with screen commands. – Paul Jan 24 '13 at 16:17
  • Eventually, a site will require you to change a password, at which point you'll need to use "qwerty2 facebook.com", and the more times this happens, the more you're relying on your memory for which phrase/seed you used for which site. Probably most people don't have a good enough memory for this approach. – Ryan Jul 01 '18 at 16:50
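The derivation scheme from this answer, carried through with the two workarounds raised in the comments (truncating for sites that cap password length, and a rotation counter for sites that force a change), as an added Python example that is not part of the post. The `max_len` and `rotation` parameters, the default site, and the use of `getpass` so the master secret never appears on the command line (and so never in shell history) are my own additions.

```python
import getpass
import hashlib
import sys
from typing import Optional

# Added example: password = hexdigest(hash("<master> <site>\n")), as in the
# answer above. The trailing "\n" is what `echo "..." | md5` feeds the hash,
# so a master of "qwerty" and site "http://www.facebook.com" reproduce the
# answer's exact input bytes.

SUPPORTED = ("md5", "sha1")  # the two hashes the answer mentions


def derive_password(master: str, site: str, algo: str = "md5",
                    max_len: Optional[int] = None, rotation: int = 0) -> str:
    """Return the site password for (master, site) under the scheme above.

    rotation: 0 reproduces the original derivation; n > 0 appends n to the
              master secret, as in the comment's "qwerty2 facebook.com".
    max_len:  truncate the hex digest for sites that cap password length
              (the answer's own workaround).
    """
    if algo not in SUPPORTED:
        raise ValueError(f"scheme uses one of {SUPPORTED}, not {algo!r}")
    if rotation < 0:
        raise ValueError("rotation must be >= 0")
    secret = master if rotation == 0 else f"{master}{rotation}"
    # Caveat for the defender: md5/sha1 are fast, so someone who learns one
    # site password and guesses the scheme can test master-secret candidates
    # offline. The master therefore has to be genuinely long and unguessable.
    data = f"{secret} {site}\n".encode("utf-8")
    digest = hashlib.new(algo, data).hexdigest()
    if max_len is not None:
        if max_len < 1:
            raise ValueError("max_len must be positive")
        digest = digest[:max_len]
    return digest


def main() -> None:
    # Read the master secret with getpass rather than from argv, so the
    # plaintext never lands in the shell history (the objection raised above).
    site = sys.argv[1] if len(sys.argv) > 1 else "http://www.facebook.com"
    master = getpass.getpass("master secret: ")
    print(derive_password(master, site))


if __name__ == "__main__":
    main()
```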
16

Password Safe has solid encryption and a random password generator. Groups of passwords are then distributed as encrypted files based on who needs which passwords.

Wayne Koorts
pcapademic
  • What crypto does Password Safe use? I've been all over the site and have yet to find it. – Bob Jun 09 '09 at 18:03
  • Twofish http://www.schneier.com/passsafe.html – sh-beta Nov 12 '09 at 21:22
  • I find Password Safe invaluable, because I can use it to generate random passwords whenever it's time to rotate passwords - each password entry can have customized complexity rules associated with it; if an app or site doesn't allow punctuation, I can tell PS to not use symbols when generating new passwords for it. For more widespread password management, we've got CyberArk. – George Erhard Apr 06 '17 at 17:09
7

We keep our passwords printed out, in a binder with our other network documentation, and in our physically secure server room that only a few people have access to.

I don't know what 'real sys admins' think of this but I think this is a good solution for us. I am interested in the other answers to this question.

Jay Riggs
  • In a previous job (a central university computer facility) we used to have a small notebook stored in our key box inside our machine room, which obviously had a limited number of people who could access it. – David Pashley Jun 07 '09 at 07:09
  • +1 because this works and is the simplest solution...if the notebook is kept locked up in a secure location... – cop1152 Jun 07 '09 at 11:58
  • Likewise. Folder of passwords stored in the safe, in the machine room. The central root password was known only to a few people, and then put in a sealed envelope; sudo access for anyone else who needed privileged access. – CK. Jun 16 '09 at 11:20
  • Sounds like a good low-tech solution. I'd be a bit concerned about people like cleaning staff, maintenance techs etc. who are occasionally allowed into the room. You'll need to remember to keep the binder safe from them. – sleske May 21 '10 at 01:35
7

We have a PGP encrypted text file. It is encrypted to each of the sysadmin's keys. We use a vim plugin to make it easy to update.

At a previous job we used a similar scheme, but used symmetric encryption because we hadn't discovered the plugin (or it didn't exist yet) and no one had spent the time to work out how private keys would work.

David Pashley
5

I use a program called pwsafe on my desktop. If I need a password from somewhere else, I SSH over and use that.

Wayne Koorts
Bill Weiss
5

I have a photographic memory, I can remember passwords to zip files I created in the 80s - not actually as cool as you might think :)

  • Very nice solution. It just doesn't scale very well to others :-/. – sleske May 21 '10 at 01:35
  • I also seem to be able to remember all the passwords I have ever used...which works great until you inevitably forget one, like I did. It was for Android certificate signing -- which means I can never again update an app I wrote that is on the Google Play market. Of course, I could sign it with a different certificate but that doesn't bring existing users along for the ride. – Timothy Lee Russell Nov 28 '16 at 18:44
5

KeePassX is a cross-platform KeePass alternative. A very nice (Qt) GUI and almost identical functionality.

Ehtyar.

[edit] Forgot to mention it supports KeePass DBs [/edit]

Ehtyar
3

I have tried many and for personal use, my favorite is LastPass (free, standalone or browser add-on).

Still looking for a solution for work and have compiled a list of requirements and possible solutions in another post.

Nathan Hartley
2

Let's assume that you have a lot of (different) passwords for various on-line services and equipment you own. You would want to store these in a file.

Never keep your password file open (as in unencrypted) on your machines/servers. Having said that, do not keep it encrypted with some web-space provider that gives you encryption support either -- unless you really trust them.

For mobile storage of passwords, consider TrueCrypt volumes or files that you can store wherever convenient -- like your pendrives or even e-mail attachments. TrueCrypt is supported on almost all platforms and provides very good security when you decrypt the files for viewing. Then, you just have to take care that you do not copy or leave the file on some system (or deleted files folder).

Ah! and get serious with your password generation :-)

nik
2

Keychain. I've tried 1password, but keychain does what I need it to do, and I like the way it works better.

churnd
1

I would recommend PasswordVault.

A group in our IT Department uses it and really likes the features it has to offer.

The passwords are always encrypted. Individual users can choose what passwords to share. Best of all the software is free.

Whatever you decide to use make sure the OS is secure and that the passwords are encrypted.

Adam Gibbins
IOTAMAN
1

Unfortunately, within a password protected spreadsheet.

Matt Hanson
1

I keep my passwords in a text file so it's easy to look at - don't need any application. I keep the file encrypted with a long passphrase that I've never ever written down. I guess one of these days I should tell my wife what it is...

The "working" version of the file is printed out in a small font so it fits on one sheet of paper and it's folded into the little notebook that I carry around and keep track of like my wallet. Basically, I follow Bruce Schneier's advice and have good passwords that are written down somewhere secure.

Our "what if one admin gets hit by a bus" plan is that each of us has their own encrypted password file. There's a small enough number of us and we're all not dumb enough to leave a printed list lying around, so it works well.

We also have a small file in the shared directories we use that has the less critical passwords we all refer to.

We "generate" our own complex passwords for the most critical uses: I usually go first and pick a letter or number. Then the next guy picks one, then me (or another guy), and so on. We end up with things like pl8u7ke which turn out to be not too hard to remember if you use them pretty much every day.

Ward - Trying Codidact
1

For personal passwords, since I use multiple computers, I like the free online service Clipperz. Encryption is done client-side and stored remotely. For work-related, +1 for Password Safe.

Wayne Koorts
Chad Miller
1

For personal passwords, I use 1Password. It has a great (free) iPhone/iPod Touch application so I have my passwords with me wherever I go.

abourg
1

You should check out the Yubikey (http://www.yubico.com/).

It generates an OTP for use in a two-factor authentication system, but for non-network-accessible applications, it can be configured to output a 64-character pseudo-random (for all intents and purposes, unguessable) password, or you can set the password yourself.

The static or one-time password is output as though from a keyboard, so it is nearly universally available. I use mine on Linux, MacOS and Windows.

PS edit: I'm toying around with my own Yubikey but have no vested interest; I just think it's a very handy password tool.

msanford
  • YubiKeys are great, but you still need an authentication server and a useful application that talks to the authentication server to make it do anything of value – Nathan Hartley Jul 15 '09 at 15:07
1

For personal passwords, I use PassPack.

cd1
1

I use 1Password from Agile Web Solutions. It integrates seamlessly with all common browsers on the Mac and with the help of Dropbox, I can access the same password collection from all of my machines.

If you need to access your secrets from different OS platforms, KeePassX is a good choice.

geewiz
1

If you have OS X systems as your client workstations, you can use the Keychain Access program to manage passwords. We use a keychain file in a shared location accessible by system administrators and just link it in to our Keychain Access program.

Kamil Kisiel
1

I was using the TIPAS service on twitter:

http://twitter.com/tipas/

But, for some reason, the twitter admins appear to have broken searching.

dr.pooter
1

In the heads of several people. The really important ones are written on small pieces of paper, then stuck in small envelopes. We staple through the envelopes, so it's obvious if anyone opened it up.

koenigdmj
0

Personally I use eWallet, so that I can sync my password file to my phone. It does cost $30, but I've been happy with it over the years and the support has always been fast and courteous.

In a work situation, my preferred solution is Portable KeePass or similar. The executable and the password file can be put on a floppy or USB key. Master password written on the outside of the floppy/USBkey. Seal this into an envelope, sign your name and date across the flap, then put clear tape over the date and signature. Update with a new envelope every 6 months or so(1).

The envelope is then placed in a secure location. Every so often, the envelope(s) themselves should be inventoried.


(1) Optionally keep the old envelopes for historical purposes - if not, old ones must be destroyed.

quux
0

I use the diceware method of generating passwords (so that they are easier to remember than true random garbage):

http://world.std.com/~reinhold/diceware.html

I try to use password groups for access to different types of systems, to both limit the number of passwords I have to remember at any given time and to limit damage if one is compromised.

Then I change them regularly. How regularly you change them depends on how quickly you can train yourself to remember new passwords.

If you absolutely have to, you can keep the results of the dice rolls locked up somewhere like a safe or a safety deposit box. Re-creating the passwords from the rolls (just doing the word list lookups) is an annoying enough task to serve as a deterrent to forgetting. And the worst part is that once you've looked up the first couple of words, you usually remember the rest anyway.

James F
0

I use apg and pwsafe on my personal server. apg (Automated Password Generator) creates random passwords according to criteria you can define, and pwsafe is just the command-line Linux version of Password Safe.

I can always SSH into my server to get my passwords if necessary, though for low-value sites I do wind up using the same password in multiple places.

Brad Beyenhof
0

I'm using gpass (GNOME password manager). It's a small GTK application, requires a master key to view all other passwords, uses Blowfish for encryption and has the possibility of generating new passwords.

http://projects.netlab.jp/gpass/

Wayne Koorts
ipozgaj
0

To help remember passwords I find that it is useful if they are pronounceable so you can at least say them.

I keep a list of a few passwords that I commonly need in my wallet. Not 100% secure but I think it's unlikely to cause any major issues.

The master list of all passwords is kept in a fireproof safe.

Mark
0

I just have a spreadsheet at google docs with the data.

Cesar
  • 5
    I'm not usually one to knock SaaS, but putting your passwords on an outsourced platform seems quite the wrong thing to do. – Dan Carley Jun 08 '09 at 11:25
0

I use Passkeeper. It's simple, free, lightweight and doesn't require installation.

Carl C
0

In a prev. life, when I had to "remember" 20 different passwords for various environments with different password-generation rules for each one, I used Whisper32. It did the job well enough.

J. Polfer
0

We use CyberArk, as we needed a PCI compliant solution (and we have HIPAA needs too), plus it is almost all customer systems. I'm not thrilled with CyberArk, but it does work.

Ronald Pottol
0

We use SplashID. Works on my desktop and WM phone. It's the only one I have used and I like it.

Bratch
0

iPhone + Handbase (encrypted database app).

I need something to keep passwords that moves with me. I need access to the passwords at home, at work and anywhere because I'm oncall 24x7 1 week in 2, and I don't stay at home when I'm oncall. I need to have access to passwords anywhere and any time. It's no good keeping them on a laptop when I'm at a restaurant in another city and the laptop is at home. I use PCs, Macs and Unix systems and move between them all day, so a Windows-only app, or a Mac-only app won't work for my needs.

I used to keep them in a Palm TX in Handbase (still encrypted), but moved to the iPhone recently which wasn't a good move. The iPhone version of Handbase is a bit wordy, and takes much longer to enter data and retrieve it. And I had a One Time Password generator on the Palm, which I needed. I haven't found one for the iPhone yet.

I keep the database labeled something innocuous like Wine Tastings, so it doesn't look too enticing if I lose the device. The database is backed up. If I lost the iPod, the encrypted password database would probably get erased, and the company would buy another iPhone and I would restore the database.

However I remember about 100 of the most commonly used passwords. I only need to look up the less used.

codebunny
0

Password Agent has worked well for me.

Mitch
0

I've taken to using an IronKey for some of this. There are some passwords I just plain memorize, like the admin passwords I use every day. For those passwords that I have to know but use once or twice a quarter, putting it on a text-file on an IronKey USB drive works well. It now mounts on Windows, Mac, and Linux! Kind of like truecrypt, but more portable.

sysadmin1138
0

I use the automatic password generator 'apg' to provide a list of possible difficult-to-guess but easy-to-remember passwords, like the following examples:

wuWesvupt7 (wu-Wes-vupt-SEVEN)
quirrardAj9 (quirr-ard-Aj-NINE)
urf5Olmenoy (urf-FIVE-Olm-en-oy)
yebTywalAk5 (yeb-Ty-wal-Ak-FIVE)
TihekDuiRen8 (Ti-hek-Du-i-Ren-EIGHT)
Flyahit7 (Flya-hit-SEVEN)

I choose the one I like most and then I save it using 'pwsafe'.

pwsafe has the benefit that you can backup the password file easily and you can merge files in the case you have several computers.

Also, the password goes (by default) to the X clipboard so others can't watch it.

Both tools being command-line makes them easily accessible so you don't have to mess with GUI menus.

chmeee
0

Network password manager is cool. Multi user, ACL per tree, audit on who accessed/changed what.

Complicated passwords tend to be short. Long passwords (>15) are stronger today; they still resist rainbow tables and are a pain to brute force. So I tend more to do sentences: "Ireallylikemygmailaccount!" is stronger than "g{#é'4ùdfg", and you don't have to write it down to remember it. Moreover, important things:

  • Will the password be stored securely on the remote system? Many web sites store your password in the clear and send it back to you when you don't remember it.
  • Is it sent over an encrypted channel? An FTP account over wifi in the clear is not secure...
Mathieu Chateau
0

I'd like to +1 David Pashley's answer above (I'm new here so I need more 'reputation').
I have normally just used a text file encrypted with the different sysadmin's gpg keys and checked into our internal company subversion server. This made it easy to get the changes out to the other admins.

aussielunix
0

For those on Linux w/ Gnome, you should check out Revelation. Clean interface, applet for taskbar, easy to use. I love it.

Downside is that there aren't a lot of export options (to KeePassX for instance) that are very useful. Because being able to export your database can be important, I wrote a Ruby script for it once, which worked for me.

wzzrd
0

I admin linux from a Mac OS X desktop / laptop / iPhone and SWEAR by 1password. Brilliant, frequent updates, rock solid. Can do password storage, generation, logins for web pages, secure notes. With DropBox you can easily sync across machines.

Worth switching to a mac just for 1password. http://agilewebsolutions.com/products/1Password