Passwords coming out of my ears

foodog plug-discuss@lists.plug.phoenix.az.us
Tue, 13 May 2003 22:40:32 -0700


Ed Skinner wrote:
> 
>      I have accounts, logins and passwords at fifty (50) [exactly!] systems
> ...

I don't have that many accounts, but I have a bunch.  The strategy
differs depending on the security I need.

>      So, what do you do to keep track of all this? Do you:
> 1) Have the memory of an elephant?

That helps.

> 2) Keep the account names, system names and passwords in a [horror!] clear
> text file you can search when needed?

I don't, but for throwaway passwords that'd be an option.  If throwaways
offer to store the password in a cookie I'll usually let 'em.  (do other
people use your computer or your login?)

> 3) Keep the above data encrypted but, still in a file (and under the
> protection of a single "master" password)?

Yup.  For systems that I login to infrequently I have a gpg-encrypted
list of username/pwd that I can refer to.

> 4) Keep everything on PostIt notes stuck here and there?

Not a good plan; probably OK if you live alone, though.

> 5) Use only two or three passwords over and over, a "good" one for secure
> websites, a "bad" one for unsecure sites that send you the password in
> cleartext Email every now and then, and a "throwaway" in case all else fails?
> 6) ... What?

For throwaways I'll generally use the same lame password, "wellduh" for
example.

For secure passwords, two suggestions to start with: 1) learn to write
in 1337 (leet); 2) choose a passphrase and misspell it in leet. Combine
those techniques with a host-specific prefix or suffix and you're on the
road to using good passwords.

For example, a base passphrase could be, mnemonically, "Furby Killer".
Leet and misspell that to "fErb3k1LR"; for Hotmail use "hotfErb3k1LR"
("hot furby killer").

On lame systems with a password length limit (AFP servers, for example),
truncate your passphrase; you shouldn't run into that situation very
often.

Once you commit your base passphrase to memory you'll become adept at
typing it quickly and accurately.  Combine that with a gpg-encrypted
list, or a printout kept in a safe place.  Oh, and it's a good idea to
change passwords now and then.  I like to hit them all in one day
whenever possible.

My 0.03 cents 8-)  allowing for inflation.

Steve