Recently I worked with a client who wanted to secure a number of his servers and services. I found that he was using a combination of notebooks and Firefox "remembered" passwords as his password management technique. From the start, I will announce that my worst password manager award goes to the "Firefox remembers my passwords for me" technique (although Firefox isn't the only browser guilty of this...). For anyone reading this who has not yet seen the light -
- Open Firefox.
- Select Tools - Options.
- Select the Security tab.
- Select the "Saved Passwords" button.
- Select "Show Passwords", and confirm that "Yes" you want to show passwords.
- Winner! Security at its finest.
My alternative to this is KeePass Password Safe. KeePass is free, open source, available cross-platform, and keeps all of your passwords in a password-protected, encrypted database. That's right, you still need to remember one password to manage all of your entries, but without that master password, no one can access any of your passwords.
A couple of other great features:
- KeePass stores more than URL, user, and password. It also has title and notes columns, and all of these columns can be used for sorting (except password, and user on some *nix packages). It also includes search functionality for filtering your entries by keywords and strings.
- You can create groups for organization, and also select icons for quick visual organization of different password types.
- Need a password? Highlight the KeePass entry for which you require the password, and use Ctrl-C to copy it to your clipboard. Don't worry about the clipboard keeping your password around, it automatically removes the data after a configurable amount of time. Don't like to use Ctrl-C? Well, even though you should remedy that situation by learning to love Ctrl-C, you can also configure KeePass to copy password data to the clipboard by double-clicking.
- KeePass stores entries in a database, but is not limited to a single database. This means you can have a work database and a home database, with distinct entries and distinct master passwords.
- KeePass is lightweight, using virtually no resources and requiring almost no storage space. I have about 200 user/pass entries, about half of which include URL data and notes, and the resulting database is 18KB. The entire installation directory is around 1.5MB, and a good chunk of that is the uninstaller executable.
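The clipboard behaviour described in the third point above (copy, then wipe after a configurable delay, without clobbering something the user copied in the meantime), written out as an added example. This is not KeePass's own code; the `MemoryClipboard` backend is a constructed stand-in for the system clipboard.

```python
import threading
from typing import Optional, Protocol


class Clipboard(Protocol):
    """Minimal clipboard interface; a real backend would wrap pbcopy/xclip."""
    def get(self) -> str: ...
    def set(self, text: str) -> None: ...


class MemoryClipboard:
    """In-memory stand-in for the system clipboard (constructed for this example)."""
    def __init__(self) -> None:
        self.text = ""

    def get(self) -> str:
        return self.text

    def set(self, text: str) -> None:
        self.text = text


class TimedSecretCopy:
    """Copy a secret to the clipboard and wipe it after `clear_after` seconds,
    but only if the clipboard still holds that exact secret, so a value the
    user copied afterwards is left alone."""

    def __init__(self, clipboard: Clipboard, clear_after: float = 12.0) -> None:
        self.clipboard = clipboard
        self.clear_after = clear_after
        self._secret: Optional[str] = None
        self._timer: Optional[threading.Timer] = None

    def copy(self, secret: str) -> None:
        if self._timer is not None:
            self._timer.cancel()          # a new copy restarts the countdown
        self._secret = secret
        self.clipboard.set(secret)
        self._timer = threading.Timer(self.clear_after, self.clear_if_unchanged)
        self._timer.daemon = True
        self._timer.start()

    def clear_if_unchanged(self) -> bool:
        """Return True if the secret was wiped, False if the clipboard had moved on."""
        secret, self._secret = self._secret, None
        if secret is not None and self.clipboard.get() == secret:
            self.clipboard.set("")
            return True
        return False

    def wait_for_clear(self, timeout: float) -> None:
        """Block until the pending wipe has run (or `timeout` seconds pass)."""
        if self._timer is not None:
            self._timer.join(timeout)
```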
KeePass is a great tool. I keep my multiple KeePass Databases on a portable flash drive, along with the installation packages for Mac OS X, Linux, and Windows, just in case I am using a computer without KeePass installed (and without internet connection). You can also get versions of KeePass that will run on a flash drive, but this seems like overkill to me for such a small application.
My one concern with KeePass is that the latest releases use .NET, and hence are not natively cross-platform. The KeePass developers seem to be aware of the ramifications of this decision, and continue to make the 1.x releases available (and even update them occasionally).
If you are not using a password manager yet, you should consider KeePass. If you have a large number of sensitive passwords stored in your browser, you should consider deleting them, and storing them elsewhere.
// TODO croquet rules, Habari theme(s), GWT/GAE
// --imperialWicket
Why use a separate utility when Firefox has a master password which protects its password database?
Use the "master password" setting immediately above the "show passwords" button you mentioned in step 4.
@Joe - Using the master password definitely improves security if you are using Firefox (other browsers now have similar functionality). If it is important that you have access to web sites without the necessity of manually entering login information, this might be a good solution.
However, if you have any truly sensitive data, or are paranoid about privacy (like me), utilities like FirePassword, or other simple decryption scripts allow this solution to be bypassed without great difficulty.
Another reason that I prefer a non-browser-integrated password manager, is because I have a lot of passwords that do not necessarily map to a URL (database, ssh, etc.). But, I realize that not everyone requires password management beyond websites.
A couple of other points are that a password manager lets you review your passwords in a more meaningful way (group and arrangement control), schedule password expiration, and have easy access to the passwords in multiple browsers.
That said, you make a great point, and I should have mentioned the master password functionality for anyone who stumbles here and does not want to change to a password manager. Everyone should at least be using the master password option.
Third option: Use a folder with nifty text files in it, which gets yet another nifty feature, aka STRONGK encryption with TrueCrypt ;)
My personal way of doing it - what's easier to use than a text file? Same goes for my GTD thingy - a simple text file with a fuckload of stuff put in for every week... simple, but handy as fuck - even works on ages-old mobile phones (like my Siemens SK 65) ;)
BTT: That approach of corpse works with the mentioned solution as well - easy sharing and backup for your passwords! Just copy your encrypted folder to some backup space or your new system drive - start up TrueCrypt, (live) decrypt it, done! ;)
cu, w0lf.
@fwolf - Thanks for the tip, TrueCrypt works great too. You're right that it offers even wider compatibility; my only hesitation with this technique is that it may be 'scary' to a non-technical user.
That said, *.txt is the unspoken gold-standard in technology. A text file just works, anywhere and everywhere, and you can't sing enough praises for that behavior.