Nerdy Security Discussion

Sep 30, 2008 10:52

Ok, I've been having a debate in my head for about a week now, and so I figured I'd open it up for discussion:

Right now, I have three classifications of passwords:
  • "Secure" - A memorable, yet obscure base (would look random to most people) with host-specific unique data inserted within (via a mental hash function)
  • "Screen-door lock" - a simple mixed ( Read more... )

tech, nerd, passwords, security, geek

Comments 6

wxs September 30 2008, 17:04:18 UTC
I use an approach very similar to what you currently use. I'm not willing to go with the alternative approach you mention for exactly the reasons you mention (a single point of failure).


jluke September 30 2008, 17:10:47 UTC
If the only upside of a keychain is convenience, would you consider using it to store only the low-stakes passwords? Is this an all-or-nothing proposition?


jon September 30 2008, 17:44:22 UTC
For web sites, I started using hash-based passwords a couple of years ago. The Password Composer Greasemonkey script does a nice job, and there are similar browser extensions and standalone tools.

The major downside is that you basically never "know" your password because they're unique for each site and not easy to memorize. It's especially annoying when you need to enter passwords on something like an iPhone.

I'm considering moving to more of a "key vault" solution, but I still need to think that through.

I think I still remember your "Who Cares" password, by the way. =)

Reply
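
A minimal sketch of the hash-based, per-site password idea mentioned in the comment above, added here as an example and not part of the original thread. It is not Password Composer's algorithm: the PBKDF2 parameters, the `site-pw-v1` label, the function names and the sample hosts are all assumptions made for illustration.

```python
import base64
import hashlib

ITERATIONS = 200_000       # assumed work factor; slows guessing of the master
LABEL = b"site-pw-v1:"     # assumed domain-separation label for this sketch


def normalize_site(host: str) -> str:
    """Map variants of one host (case, 'www.', trailing dot) to one name."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def site_password(master: str, host: str, length: int = 16) -> str:
    """Derive a deterministic, site-unique password from one master secret."""
    site = normalize_site(host)
    if not master or not site:
        raise ValueError("master password and host are both required")
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43 characters")
    # The host acts as the salt, so each site gets an unrelated output and
    # a leaked site password does not directly reveal any other one.
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), LABEL + site.encode("utf-8"), ITERATIONS
    )
    # 32 bytes -> 43 URL-safe base64 characters once padding is removed.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


def derive_all(master: str, hosts: list[str]) -> dict[str, str]:
    """Nothing is stored: every password is recomputed on demand."""
    return {normalize_site(h): site_password(master, h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample input, not real accounts.
    hosts = ["www.example.com", "Example.COM", "mail.example.org"]
    for site, pw in derive_all("correct horse battery staple", hosts).items():
        print(f"{site:20} {pw}")
```

Because every site password can be recomputed from the master password alone, the master is as much a single point of failure as the key to a vault, which is the concern raised in the first comment.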


gib September 30 2008, 22:19:20 UTC
I've used password safe from time to time, and usually share the vault across systems where I need access to it (home, work). I use the same system to sync SSH keys, login scripts, etc.

On a related note, SSH Key Chain is a decent OSX SSH agent.

bds October 1 2008, 04:40:25 UTC
Work encourages KeePass and people carry it on a USB stick. But I still secure my passwords with NotePad.exe and brass knuckles.


keypass anonymous October 1 2008, 04:29:57 UTC
I use KeePass for almost all of my poker sites:

http://keepass.info/

I don't even know what my passwords are for most of the sites.

