How I manage my passwords

Posted by JuryDutySummons on March 6, 2012

Password management is an important topic, but one that doesn’t seem to get enough attention.   So… here’s how I manage my passwords.

Every account I have has a unique password. This matters because of the very real risk that one account somewhere will be compromised, and if one account is compromised, every other account sharing that password is at risk. Even the strongest password can be compromised if the website storing it doesn’t follow best practices for protecting it.

How do I store my password?

I store all of my passwords in a program called KeePass (http://keepass.info/). KeePass creates a strongly encrypted password database and helps protect your computer from certain kinds of keyloggers. KeePass also includes tools to evaluate password strength and to generate strong passwords.

Since I work on multiple computers I need access to this database wherever I am. To make that possible I use Dropbox (https://www.dropbox.com/). Dropbox also encrypts stored files with strong encryption, so the database is protected by two layers of encryption.

How do I create passwords?

My accounts fall into a number of categories. The first and smaller category includes those passwords that I need to memorize. Very few passwords fall into this category, but they include the password I use at work, my home computer password, and the KeePass master key. Here’s how I design these passwords:

  • I take two or three words.   (Ex: happy potato)
  • Take a few numbers (470)
  • And combine them in some way (hap5py7potato0)
  • And then add in a capital letter  (hap5py7Potato0)
  • If I’m feeling cheeky, I convert one of the numbers into its equivalent symbol. (hap%py7Potato0)

This of course isn’t the ideal way to set a password, but it does result in something that can be memorized and is still quite secure.

The second category of passwords is those that I don’t necessarily need to type. For those I use a random password generator, such as the one included in KeePass or this one: https://www.grc.com/passwords.htm. Here are some example outputs from KeePass:

  • 4EX5txowqyr^P9pD9z$0
  • 4,5rwz`Ec#q'2jm`$M5?
  • G*aMLaN7GR\@z6EzVv;2
  • x7x1-t5KP=g/onue-9yU

These generated passwords are highly configurable to match the requirements of whatever website you are working with, and they result in a password that cannot be brute-forced with current computing capabilities. According to haystack testing (https://www.grc.com/haystack.htm), one of the above passwords would take a few million times longer than the age of the universe to crack by brute force. For comparison, the earlier “hap%py7Potato0” example would take only 15 million years.
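To make the two kinds of password comparable, here is an added example (my own code, not the post’s or GRC’s) that generates random passwords from the OS CSPRNG with configurable character classes, the way the KeePass generator does, and then applies a haystack-style search-space estimate to both a generated password and the memorized “hap%py7Potato0” recipe from above. Assumptions: the symbol class is taken as the 32 ASCII punctuation characters plus the space (33 characters), the search space counts every string up to the password’s length over the union of the classes present, and the 100 trillion guesses per second rate stands in for a large offline cracking rig.

```python
import secrets
import string

# Character classes for a haystack-style estimate. Assumption: the symbol
# class is ASCII punctuation plus the space character (33 symbols).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password draws from."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Guesses needed to enumerate every string up to this length over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** i for i in range(1, len(password) + 1))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole search space at a fixed guess rate."""
    seconds = search_space(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_password(length: int = 20,
                      required=("lower", "upper", "digit", "symbol")) -> str:
    """Draw a password from the OS CSPRNG, retrying until every required class appears.

    The space is excluded from generation because many sites reject it, even
    though it is counted in the symbol class for the strength estimate.
    """
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(CLASSES[name] for name in required).replace(" ", "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in CLASSES[name] for c in candidate) for name in required):
            return candidate


def compare(passwords, guesses_per_second: float = 1e14) -> dict:
    """Map each password to its worst-case brute-force time in years."""
    return {pw: years_to_exhaust(pw, guesses_per_second) for pw in passwords}


if __name__ == "__main__":
    # Constructed comparison: the memorized recipe versus a fresh 20-char random password.
    memorized = "hap%py7Potato0"
    generated = generate_password(20)
    for pw, years in compare([memorized, generated]).items():
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, "
              f"search space={search_space(pw):.3e}, years={years:.3e}")
```

The estimate is an upper bound on effort for a uniform brute-force search. It credits a word-based password such as “hap%py7Potato0” as if every character were random, whereas dictionary and rule-based cracking guesses such patterns far sooner, so the gap between the two categories is, if anything, wider than the numbers suggest; for the randomly generated password the bound is tight.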

One Response so far.

  1. JimmyO says:

    That’s pretty neat, might try it too, as I had previously used a single password for multiple accounts and when somebody hacked one… well…
    I also have quite a lot of accounts across the web and I need to keep track of those, so this should help.

    On another note I really should get back studying…
