How do you store your passwords?

[aeris]

Hi,

I've been using Password Safe on Windows for all my passwords but I want to move them over to my gentoo box. So how do I store them safely?

I was thinking about keeping them in a text file encrypted with gpg (symmetric) and to fetch the entry I want with something like the following:

[neilhwatson]

The only safe way to keep passwords is to never write them down. Keep them in your head. As of yet, no one can hack that
_________________
The true guru is a teacher.
Neil Watson

[aeris]

Of course, that would be the ideal solution, but i have more than 100 passwords in Password Safe for different sites, services and servers. Hard to keep in your head don't you agree?

( Please don't tell me to use the same password for all )

[bsolar]

[aeris]

[neilhwatson]

I'm going to go on a rant here (I apologize in advance). I believe there is a market for password saving applications because the average user is so grossly ignorant of computer security that they only see passwords as an inconvenience.

How many times have you seen users write passwords on post-it notes on their monitors? Users often share passwords with each other. I often see users leave their computers unattended and unlocked for long periods of time. Users often pick passwords that are rediculously easy to crack.

You are warned against having the same password for many services yet, storing different passwords in one location defeats the purpose of having different passwords. To retrieve all of your passwords I only need crack one.
_________________
The true guru is a teacher.
Neil Watson

[aeris]

If I ask you how to drive a car, would you tell me to ride a bike?


First of all I love passwords, I don't see them as an inconvenience.
At my previous job the network administrator used Password Safe because he had to keep track of a bunch of passwords, so I'm not the only one.

Users who write down their passwords on post-it notes doesn't use applications like Password Safe, atleast not among the people I know.

If I only have to remember 1 password I can select one that is almost impossible to break with brute-force.

/ mikael

[neilhwatson]

[Sesquipedalian]

I use gringotts to store passwords as well as various other sensitive information. It's nice, simple and flexible
_________________
What tha........

[aeris]

[ddsn]

I have to agree w/ aeris. For many people, choosing a common password for sites/services that have teh same security clearance is not an option.

Or should I go and tell all of my customers to please change their administrator passwords so it would be much easier for me to remember? No.. Why not? Because I would get fired faster than Gentoo boots...(And that is pretty quick, atleast for my system)
So, a powerful software to keep order and security amongst the passwords is most wanted for many..

Someone who reads this forum must atleast have some experience with a good program?

How does Admins at larger companies handle this?

[ghuug]

I'm using GnuPG for storing passwds. I don't have the same password for all resources I use, but each time I create a password it is something like

[guero61]

Not linux-based, but I use STRIP on my Visor -- it's incredibly useful when we sysadmins change passwords, because then we can just beam each other the encrypted passwordset, and *boom*, it's all synced!

[thewalledcity]

[aeris]

[ebrostig]

I agree with aeris that there is a need for applications like he asked about.

There is a lot of systems that can not even use the same password, restrictions on lenght, contents, mix of numbers and letters and special characters etc.

Plus the fact that some people need to have access to passwords used by several. How about this:
You are in charge of the IT department of a small to medium sized business. The sysadmin with the root password got killed in a car accident. How do you get into the server to change it? By having a central repository for system passwords in an organization you can ensure that the systems are accessible and that your business continues to run without a hitch even if some key personell is no longer with you.

Yes, aeris, a very valid question IMHO.

(Oh and let us know what you find and you experience with it)

Erik
_________________
'Yes, Firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'

[johnk73]

Figaro's password manager also works well, theres no ebuild and it requires gnome libraries.

[Hypnos]

[burmashave]

[sessionID]

[Hypnos]

I have submitted an ebuild for gpasman-1.9.2 (pre-2.x, uses GTK2):

http://bugs.gentoo.org/show_bug.cgi?id=26600
_________________
If you don't have backups, you deserve to lose your data -- read about my simple backup scheme.

[To]

[Cluster]

One of my concerns is trusting my passwords to a proprietary (non-text) format -- if one of these password safes chooses to screw up at an inopportune time, my passwords might be lost. So instead:

For 99% of protected content, I use a homegrown utility to generate a random password based on the site's requirements (no symbols, alphanumeric only, numbers only, etc.), and I keep those passwords (about 150 so far) in a plain text file which I keep encrypted using asymmetric encryption through GnuPG.

On my personal workstation, I decrypt the file to a tab in Gnome Terminal, and then just leave this tab open until a reboot. This keeps the file secure at all times, and the passwords are only cached in RAM. The way I see it, if someone broke into my apartment, broke into my room, then knew my screen saver password (which is not in any file), then they must be me.

Furthermore, because I use asymmetric encryption for this file, only my workstation (and another copy of the encryption key which I keep physically locked up) can decrypt the file. I've been using this system for about two years now, and have peace of mind.

[Dlareh]

I use a three part password. Part is based on the year I started using the service, part is based on an extremely simple mental hash of the service's name, and the other part is base on standard set of symbols for the /type/ of service (I have about 10 different ones of those)

It's a very convenient system -- differenet, strong passwords for everything and very easy to keep track of without writing or storing them down anywhere.
_________________
"Mr Thomas Edison has been up on the two previous nights discovering 'a bug' in his phonograph." --Pall Mall Gazette (1889)
Are we THERE yet?

[Chris W]

I use Password Gorilla. I keep Linux and Windows binaries (no install required), along with the encrypted password file on a USB flash drive. While there are some questionable claims on the website (e.g. "It is not possible to break into a password database without knowing the master password.") this does a reasonable job of ensuring privacy.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein