11

It's so difficult to track dozens of passwords in different locations. Syncing fails from time to time and you end up with collision correction avoidance syndrome.

Is there a single source of safe, online, commercial password storage anywhere? One that will be around for years to come and one that is truly safe enough to ensure protection?

Mark
Darian Miller
  • Do you mean most secure or one that causes the least amount of issues? – ojblass Jun 23 '09 at 03:20
  • Online == not available sometimes when you need it. Stick to a PDA or something. – womble Jun 23 '09 at 04:31
  • 'Online = not available' is likely less of an issue than relying on a PDA to be available. (I just can't get in the habit of carrying one.) – Darian Miller Jun 24 '09 at 04:10
  • How about Online==reproducible with a little memory and a computer? (i.e. hashing one or two passwords with the domains the accounts belong to) – reconbot Jul 16 '09 at 14:28

15 Answers

11

Use KeePass and store the database in Gmail, Live Mesh, or whatever online file storage solution you want. Then you can always get a copy of it for use, assuming you have access to KeePass (which can be on a flash drive) and an internet connection.

Jared
4

If you are really set on an online model, a few of my coworkers use Passpack, and they are pretty happy with it. I can't say yea or nay, because I don't use it, but it seems pretty secure and safe.

RascalKing
  • +1 Thanks. I saw this a while back and it piqued my interest, but never felt comfortable enough to 'pull the trigger' and load up all passwords onto a free service. – Darian Miller Jun 24 '09 at 04:20
4

I've found LastPass to be a wonderful password manager for my personal passwords. Check out the feature list.

I'm still on a quest for the best (yet affordable) enterprise worthy password manager.

Nathan Hartley
  • How's this decision looking two years later? – jldugger May 05 '11 at 20:15
  • Still happily using LastPass for my personal secure information manager. Felt even better about it after Steve Gibson gave his approval ( http://twit.tv/sn256 ). Sadly, no movement (internally) on the enterprise solution... – Nathan Hartley May 11 '11 at 15:56
  • LastPass has an enterprise version now. No idea how it is (but I'm looking at it soon, we could use such a thing). – Ronald Pottol Dec 04 '12 at 21:07
3

I wouldn't use one online. I would (and do) use KeePass. On a side note, you can check your passwords' rough strength here.

Jim B
  • +1 KeePass is good, though not quite as convenient as something like KWallet or Firefox's built-in password manager... but I fully agree with the point that passwords should be kept locally and privately, not stored on a website (unless you created the website code yourself and are hosting it on your own server that nobody else has access to). – David Z Jun 23 '09 at 06:00
  • He asked for an "online" service. – cd1 Jun 24 '09 at 02:27
  • KeePass, in conjunction with Live Mesh or other online storage, such as Jared suggested, is an option. I haven't used KeePass but will take a look. (I've used e-Wallet for years.) Thanks. – Darian Miller Jun 24 '09 at 04:18
  • @cd1 - I realize Darian was asking for an online service, but I can't in good conscience recommend anyone store passwords in something they don't have physical control over. Every IT type (non-troubleshooting) question should be (IMHO) evaluated with the thought that even if possible, is it the best solution to the intended goal? I suppose the answer could have just been "No", but that wouldn't have been very informative. – Jim B Jun 24 '09 at 15:41
3

Bruce Schneier has Password Safe, which is secure enough for Bruce Schneier to endorse, if you care. It might be Windows only though. http://www.schneier.com/passsafe.html

thepocketwade
1

1Password is great (but then if you are a Mac user you might be OK with just a keychain).

monomyth
1

The simpler the system, the better.

Consider a password system that consists of:

  1. a strong master password
  2. a unique id for each site

So, given that your master password is very long, fast to type and not found in any dictionary (e.g. Very12%Long91!Password86#EasilyTyped), the password you use at example.com would be a hash of a hash of Very12%Long91!Password86#EasilyTyped+example.com:

$ echo -n 'Very12%Long91!Password86#EasilyTyped+example.com' | sha1
7d123b486ece9841879135562125d3317e7d4436
$ echo -n 7d123b486ece9841879135562125d3317e7d4436 | sha1
5a19c98f66fc82e6af85b8bcf341734b6c44a8d6

There are browser extensions that can help you with this. It's slightly annoying to use this system on non-web systems that don't offer to remember passwords and you have to invent a scheme in case someone makes you change passwords every so often.

Of course, you can only enter your master password on trustworthy terminals.

Alex Holst
1

I wouldn't advise using an online service either. You have no guarantee that your data isn't accessible to others. If you're on a Linux system, try Revelation; it's simple and straightforward.

katriel
1

Have a look at Yubico's Yubikey; it sounds like it might be what you're looking for. (Image: A Yubikey connected to a MacBook, http://yubico.com/img/finger_key.jpg)

http://yubico.com/products/yubikey/

Its default (i.e., designed) configuration is to be used as a one-time pad for two-factor authentication online, but it also has a "static password" mode which will output (the same) 64 pseudo-random characters when a little green capacitive circle is touched. It works as a USB keyboard, so it's universal and works even offline. The random-string static password can be changed at any time.

A little over $30, and it arrives in a regular 30 gram envelope (which I thought was too cool to be true) in no time flat.

Honestly, all the tricks of keeping an encrypted file on a USB key are at once a massive hassle and mostly unnecessary. All you need is a password with reasonable entropy that you can't easily guess or brute-force. Enter Yubikey.

I'm developing some OTP online authentication applications with their API; it's pretty neat, actually. I can vouch for its physical sturdiness, too.

Clarification: I offered this as an alternative to online password storage, especially as it's API based and can be used online. Though, it could also act as a replacement for multiple passwords, if you were comfortable with that.

msanford
  • YubiKeys are great, but you still need an authentication server and a useful application that talks to the authentication server to make it do anything of value. – Nathan Hartley Jul 15 '09 at 15:06
  • +1 @nathan this is true, sadly, though you do have a long password, at least, which is good. – msanford Jul 15 '09 at 18:36
  • I've been meaning to play with one for a long while now; I just ordered one thanks to you. – reconbot Jul 16 '09 at 14:29
  • @wizard, too bad they don't have a referral program ^_^ Really, though, I think you'll enjoy the Yubikey 2. I'm going to order one shortly to test it out. – msanford Jul 17 '09 at 04:21
1

SuperGenPass might be your answer. It doesn't store anything, can be used from any browser, no accounts needed. It works by hashing a "master" password with the top two levels of the domain. I've chatted with the creator, he's a friendly guy.

From their site:

SuperGenPass is a different kind of password manager. Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit. There’s no software to install: SuperGenPass is a bookmarklet and runs right in your Web browser. And since it never stores or transmits your passwords, it’s ideal for use on multiple and public computers. It’s also completely free.

Being JavaScript, it's had plenty of code review. It has a bookmarklet that's worked perfectly on 99% of the sites I've tried it on, and the occasional time it hasn't, you can easily use the mobile version and copy and paste.

reconbot
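As an added example (not code from either answer, nor from SuperGenPass itself), this is the double-SHA-1 derivation Alex Holst describes above combined with the "top two levels of the domain" rule reconbot attributes to SuperGenPass, plus a PBKDF2 variant with a rotation counter that is my own addition. The master password is the one quoted in Alex Holst's answer; the demo URL and the iteration count are assumed.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed inputs for the demo: the master password is the one quoted in
# Alex Holst's answer; the URL is made up.
MASTER = "Very12%Long91!Password86#EasilyTyped"
DEMO_URL = "https://login.example.com/account/signin"
PBKDF2_ITERATIONS = 200_000  # assumed parameter, not from the page


def site_key(url: str) -> str:
    """Reduce a URL to the top two labels of its host, the way reconbot's answer
    describes SuperGenPass doing it ('login.example.com' -> 'example.com').
    Limitation of the two-label rule: 'shop.example.co.uk' collapses to 'co.uk',
    which every site under that suffix would then share."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def double_sha1_password(master: str, domain: str) -> str:
    """The derivation in Alex Holst's answer: SHA-1 over 'master+domain', then
    SHA-1 over that hex digest; the 40-char hex string is the site password."""
    first = hashlib.sha1(f"{master}+{domain}".encode("utf-8")).hexdigest()
    return hashlib.sha1(first.encode("ascii")).hexdigest()


def pbkdf2_password(master: str, domain: str, generation: int = 0, length: int = 20) -> str:
    """Slower variant (my addition, not a scheme from the page): PBKDF2-HMAC-SHA256
    with the domain and a rotation counter as salt. Bumping `generation` handles a
    forced password change without inventing a new scheme, and if one site password
    ever leaks, each guess at the master costs PBKDF2_ITERATIONS hashes, not two."""
    salt = f"{domain}|{generation}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=30)
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    domain = site_key(DEMO_URL)
    print(domain, double_sha1_password(MASTER, domain))
    print(domain, pbkdf2_password(MASTER, domain), pbkdf2_password(MASTER, domain, generation=1))
```

The SHA-1 form is what the page shows; because it is a fast, unsalted hash, a single leaked site password is enough material for an offline search of the master, which is the cost the PBKDF2 variant raises.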
0

I recently created a system that can store passwords online and safely. The site is: http://allekalleprojects.net/onlinepasswords

0

I also like and use KeePass - the free version.

Jordan W.
0

GPG-encrypted text file stored in version control. Use a couple of scripts to decrypt/encrypt the file as desired. You control the availability of the file, you can use distributed version control to still have access when you're offline, and how long it will be available is determined by you (i.e. it is easy to switch to different systems if required). GPG also has the advantage of being able to encrypt to multiple recipients, allowing more than one person to view the password file. Encrypt different files to different recipients to limit who can access credentials for a certain group.

Mark
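The "couple of scripts" the answer above leaves to the reader, as an added example (not Mark's own scripts): one plaintext file per group, a `<group>.recipients` list with one key id or e-mail per line, and an ASCII-armored ciphertext that can be committed. The file layout and function names are my assumptions.

```bash
#!/bin/sh
# Added example: gpg wrappers for a per-group password file kept in version control.
# Assumed layout (not from the answer): <group>.txt is the plaintext (never committed),
# <group>.recipients lists one key id or e-mail per line, <group>.txt.asc is committed.
set -eu

# encrypt_group <group>
# Encrypts <group>.txt to every recipient listed in <group>.recipients and writes
# <group>.txt.asc. Armored output diffs and merges sanely in git/hg. The recipients'
# keys must already be trusted locally (verify fingerprints and lsign them); we
# deliberately do not pass --trust-model always to silence that check.
encrypt_group() {
    group=$1
    set --  # build the --recipient list in the positional parameters
    while IFS= read -r rcpt; do
        [ -n "$rcpt" ] || continue
        set -- "$@" --recipient "$rcpt"
    done < "$group.recipients"
    gpg --batch --yes --armor "$@" --output "$group.txt.asc" --encrypt "$group.txt"
}

# decrypt_group <group>
# Prints the plaintext to stdout so it can be piped or viewed without leaving a
# decrypted copy on disk; any listed recipient's secret key will do.
decrypt_group() {
    gpg --batch --quiet --decrypt "$1.txt.asc"
}
```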
0

This isn't an answer to your question, but it is related - the execs at Twitter just had their Google accounts broken into, exposing a bunch of confidential information about the company.

I'll assume that Twitter is a much bigger target than you are, so that certainly had something to do with the break-in. I also don't think this incident rules out cloud computing completely. However, ANY online password service is a big target. Passwords are too important to store online.

Carl C
0

I'd be hesitant to store my sensitive information with an external company. Have you considered implementing a web-based product yourself? You can then make it externally facing if you wish, making it accessible from anywhere.