mtbc: maze I (white-red)
[personal profile] mtbc
Passwords are tricky to deal with. I like to have fairly long, random ones and to not reuse them. With the various accounts I have this means there are rather a lot of passwords to remember, an especial challenge when some must be changed on a regular basis and others ought to be.

Further, some authentication like for online banking requires various ancillary information: answers to security questions and the like. I do not like to give correct answers to these, nor reuse the answers, so that is even more to remember.

Some people use mnemonics but it is easy for one's mind to blank out on something well-known. I could keep written records in our safe but one sometimes requires a rarely used password exactly at an inconvenient time or place. I certainly do not trust password-keeping apps.

I am not proposing or soliciting answers so much as noting that practical password management is a hard problem. Still, as ever, others' thoughts are most welcome.

Date: 2017-06-26 10:46 pm (UTC)
From: [personal profile] mindstalk
I think Bruce Schneier actually recommends writing stuff down. Probably not a post-it on your monitor, but in your wallet or something. For most people that's not the high risk avenue of attack. One thing I'd suggest with that is 'dehydrating' or 'poisoning' what you write down: either don't write down the whole thing, or add a decoy part you know to leave out, or both. That way if someone does get the record, it's not immediately useful; a mugger or SO is more likely to give up than use it as the basis of a faster brute force attack. Dehydrating is probably more robust, vs. multiple passwords with shared poison.

It's a bit like having a password app, except instead of having a master password to unlock or hash=generate final passwords, you have a master password[1] to generate via appending or prepending or such.

[1] If you have one strong shared component; you could also have multiple weaker ones. Password length limits sometimes force that.

Date: 2018-08-24 08:04 pm (UTC)
From: [personal profile] mindstalk
Whoa, year-old reply!

Date: 2017-06-28 10:05 pm (UTC)
From: [personal profile] goldibehr
I use a password manager app on my android phone, with the "master" database file on my PC at home. There's just too many to remember, and more and more sites are locking you out after a few wrong guesses.
Edited Date: 2017-06-28 10:06 pm (UTC)

Date: 2017-07-03 12:49 pm (UTC)
From: [personal profile] goldibehr
Using an encrypted password manager also lets you make up wacky answers to the security questions. But a downside is that you need to hope no other app is snooping on you while the manager is running.

Mark T. B. Carroll