Kitz ADSL Broadband Information
Author Topic: Password madness  (Read 4070 times)

phi2008

  • Reg Member
  • ***
  • Posts: 420
Password madness
« on: March 22, 2015, 07:20:34 PM »

I have a million (different!) passwords that I use on the many different sites I visit. I'm beginning to find trying to remember them all very irritating so I'm considering using LastPass to manage them all. Does anyone else use a password management service or have any suggestions for safe, hassle-free, password management?
Logged

lloyd

  • Reg Member
  • ***
  • Posts: 109
Re: Password madness
« Reply #1 on: March 22, 2015, 08:02:35 PM »

Take
Logged

lloyd

  • Reg Member
  • ***
  • Posts: 109
Re: Password madness
« Reply #2 on: March 22, 2015, 08:03:11 PM »

Take a look at KeePass. http://keepass.info/


Logged

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Password madness
« Reply #3 on: March 22, 2015, 08:07:03 PM »

Use LastPass, it's great.

I've been using it for a couple of years; no problems at all.

Ian
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4304
Re: Password madness
« Reply #4 on: March 22, 2015, 10:06:11 PM »

There's also Roboform.
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
Re: Password madness
« Reply #5 on: March 23, 2015, 06:18:38 PM »

+1 for KeePass
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530

UncleUB

  • Helpful
  • Senior Kitizen
  • *
  • Posts: 29543
Re: Password madness
« Reply #6 on: March 23, 2015, 06:46:06 PM »

Use LastPass, it's great.

I've been using it for a couple of years; no problems at all.

Ian

Same here, it's an excellent programme. :)
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7403
  • VM Gig1 - AAISP CF
Re: Password madness
« Reply #7 on: March 24, 2015, 06:13:27 AM »

I use KeePass, excellent program, it also will generate secure passwords for you as well, and auto flushes the clipboard when a password is copied to it.

Given the risk of compromises on services such as the recent Twitch and that some sites will enforce strong passwords, a password manager in today's age is essential.
Logged

tbailey2

  • Kitizen
  • ****
  • Posts: 1245
Re: Password madness
« Reply #8 on: March 24, 2015, 07:42:27 AM »

Use LastPass, it's great.

I've been using it for a couple of years; no problems at all.

Ian

Ditto
Logged
Tony
My Books!
Plusnet 80/20 - DSLstats - HG612/TG582n - ECI

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
Re: Password madness
« Reply #9 on: March 24, 2015, 09:13:02 AM »

I don't think anyone who has used a password manager would ever go back to the old way of trying to remember passwords. It makes it far easier to have a unique password for each site. I use the password generation feature of KeePass and like the way you can specify the length, what character sets are used etc. so I end up with passwords that would be impossible to memorise. Useful also that you can put it on to a USB stick and run it from there which means you can take it with you.
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530

guest

  • Guest
Re: Password madness
« Reply #10 on: March 24, 2015, 06:16:12 PM »

I view password managers as a single point of failure so I don't use them but I can understand why people do.

In terms of memorising passwords - it's not that hard & rather than just length it's entropy you look for.

Entropy in terms of passwords is improved if you utilise all of the extended ASCII character set. This gives you just under 8 bits of entropy for each character you use.

So a random password somewhere around 17 characters would give 128 bits of entropy. That's a fair bit of keyspace to search.

However a non-random password around 17 characters has significantly less entropy - probably somewhere around 40 bits of entropy so that's a lot easier to brute-force in these days of supercharged graphics cards running billions of hashes per second.

What I did (long ago) was to set rules whereby I'd substitute numbers/symbols for letters but only under certain circumstances. eg I might substitute ¬ for L provided it's not at the start of a word or there are more than 2 L's in the word. Now that sounds cumbersome but it allows you to generate easily memorable passwords with high entropy once you get used to it.

My current "secure" password for encrypted files is around 30 characters long & that generates 264 bits of entropy - ie the keyspace of the password is larger than that of the algorithm (AES) so logically you'd be better off brute-forcing the file rather than the password. That's a bit simplistic as stuff like XTS comes into play for disks etc.

I just don't want to depend on a single product to do this - after RSA I don't trust any product 100%.

It depends what you're using the password for - if it's a commercial website then I'd expect them to have some sort of rate-limiting function running on login attempts so anything with more than 30 bits of entropy is OK (12 character non-random extended ASCII password). If they have vulnerabilities then it's likely that even a 17 character non-random password will be cracked within weeks at best as the "username/passwords file" will be available offline. I don't particularly worry about this scenario as that's VISA's problem - they aren't getting any money out of me for fraudulent transactions.


Logged
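
An added example, not part of any post in this thread: a Python sketch of a generator with a chosen length and character sets, as described in reply #9, together with the entropy arithmetic from reply #10. The character-set names, the 10 guesses per second online rate and the 1e9 guesses per second offline rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character sets a generator might offer (names are assumptions for this example).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

def build_alphabet(*names):
    """Merge the chosen sets into one de-duplicated alphabet."""
    return "".join(sorted(set("".join(CHARSETS[n] for n in names))))

def generate(length, alphabet):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def length_for_bits(target_bits, alphabet_size):
    """Shortest uniformly random password that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def years_to_exhaust(bits, guesses_per_second):
    """Years to try the whole keyspace (a hit is expected after half of it)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    alphabet = build_alphabet("lower", "upper", "digits", "symbols")
    print(generate(length_for_bits(128, len(alphabet)), alphabet))
    # These figures hold only for random choices; a memorable, rule-based
    # password has far less entropy than its length suggests.
    for bits, rate, label in [(30, 10, "online, rate-limited (assumed 10/s)"),
                              (40, 1e9, "offline (assumed 1e9/s)"),
                              (128, 1e9, "offline (assumed 1e9/s)")]:
        print(f"{bits:>3} bits, {label}: {years_to_exhaust(bits, rate):.3g} years")
```

With a full 8-bit alphabet (256 symbols) the per-character figure is the 8-bit upper bound, so 16 random characters reach 128 bits; with the 94 printable ASCII characters it takes 20.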

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7403
  • VM Gig1 - AAISP CF
Re: Password madness
« Reply #11 on: March 25, 2015, 03:01:29 AM »

rizla, your point is valid, password managers are not bulletproof, but the alternative for me before I started using them was I was using one of 3 memorable passwords on sites, and I had the same password for Yahoo and MSN email and since both had the same username when my Yahoo got hacked the same person clearly thought he would try the same on Hotmail which worked, lesson learned at that point.

With KeePass you can lock it in itself so needs a passphrase and optionally also a keyfile to unlock, so I utilise both of those.  The passphrase for KeePass is not stored anywhere but my head and it's not a word in the dictionary, just a combination of letters and numbers I have managed to remember luckily.

So whilst they're not bulletproof they're better than someone using something like a maiden name on everything.
Logged

tonyappuk

  • Reg Member
  • ***
  • Posts: 589
Re: Password madness
« Reply #12 on: March 25, 2015, 11:25:03 AM »

I'm sure others here will not agree but at my advanced age I'm not fussed who reads my emails or knows what forums I've joined. I use the same user name and password wherever possible unless it's in connection with my finances. I usually try to use PayPal for purchases and the banks and finance houses force you to use what they consider to be safe passwords. To remember them I use a little book (horror of horrors!) but I challenge anyone to find it in my disordered study.
Tony
Logged