
Password Management [Archive] - MousePad



b52hbuff
01-26-2008, 10:38 AM
One of my New Years resolutions is to try and expand my use of online services to minimize the amount of paper waste and filing I need to do. As I start to consider growing my number of accounts and passwords, I started thinking about how I'd manage all of the passwords. Between financial services, managed devices on my network, various web forums and manufacturer support groups I'm looking at upwards of 30 accounts.

With many online accounts, it's not uncommon for me to have to use the 'Forgotten Password' feature. My idea of a 'secure password' changes, and it's hard to coordinate a password change across many accounts.

Anyway, I keep thinking about creating a spreadsheet with all of this data so I don't have to keep resetting it. But then I think that the spreadsheet isn't very secure. It's also cumbersome to have to cut-and-paste info from the sheet to whatever password dialog box.

So all of this leads me to consider a more automated solution. I'm thinking about trying something like this:
https://www.ironkey.com/

Question for folks on the board... How do you manage all of the various accounts and passwords?

Andrew
01-26-2008, 01:10 PM
I use STRIP (http://www.identicentric.com/products/strip/) (Secure Tool for Remembering Important Passwords), an application that runs on my Treo. It stores my passwords in an AES-encrypted database, so all I have to remember is a single password to access the tool. And I always have my Treo with me. There's no copy-paste ability of course, but I don't find that a liability--I'd rather have to retype a password than accidentally leave it in my clipboard buffer.

BTW, Lani introduced me to this tool ca. 1998, when we all had Handspring Visors. I've maintained the same database ever since, through two version upgrades and across five PalmOS devices.

3894
01-27-2008, 06:35 AM
Question for folks on the board... How do you manage all of the various accounts and passwords?

I have a dedicated rolodex. Since I don't have to travel with a laptop, this stone age solution works great.

Barbossa
01-28-2008, 01:26 PM
If you plan to keep your passwords in a spreadsheet, you should encrypt the spreadsheet and "wipe" the original file from your HDD. I use the program "PGP" for all of my PC file encryption. PGP allows you to wipe files, also. (A "wipe" operation deletes a file and overwrites the HDD so that none of the original file data remains.)

b52hbuff
01-29-2008, 04:52 PM
If you plan to keep your passwords in a spreadsheet, you should encrypt the spreadsheet and "wipe" the original file from your HDD. I use the program "PGP" for all of my PC file encryption. PGP allows you to wipe files, also. (A "wipe" operation deletes a file and overwrites the HDD so that none of the original file data remains.)


I'm starting with a spreadsheet now. But given the bloatware of Windows and Excel, I'm wondering just how secure you are? So let's say you either 'browse' your spreadsheet from its encrypted partition... Or you copy it out to a local unsecured, open it up and then wipe it when you're done.

What is the possibility that the OS paged out a copy of your memory/application data and now an unsecured copy is sitting out on your HD?

b52hbuff
01-29-2008, 04:55 PM
I use STRIP (http://www.identicentric.com/products/strip/) (Secure Tool for Remembering Important Passwords), an application that runs on my Treo.

Thanks for the recommendation.

I certainly see the advantage of a machine portable implementation.

One question, consider a password generator like this:
http://www.4cm.com/passwords/

If you get an "extremely secure" password like this one from that page:
@8=f8t-tlUXc~drgc+4r*uh2NiheP*M&ET

...are you really going to want to type that by hand?

I'm not knocking your solution. I just am looking for something that is portable (say via USB drive) that also supports auto completion, so I don't have to worry about typing in a *very* secure password.

shna
01-29-2008, 07:47 PM
I must be getting old. I write things down... with a pen... on paper.

Barbossa
01-30-2008, 12:13 PM
I'm starting with a spreadsheet now. But given the bloatware of Windows and Excel, I'm wondering just how secure you are? So let's say you either 'browse' your spreadsheet from its encrypted partition... Or you copy it out to a local unsecured, open it up and then wipe it when you're done.

What is the possibility that the OS paged out a copy of your memory/application data and now an unsecured copy is sitting out on your HD?

I guess that's a possibility, don't know the answer.

potzbie
05-08-2008, 06:03 PM
Question for folks on the board... How do you manage all of the various accounts and passwords?

Well, rather than tell you how I do it, let me pass along some tips I've heard over the years.

• Use a single password, but prefix the password with two letters of the web site of interest.
Thus, for example, if your password is "tarzan" then the MousePlanet password would be "mptarzan" and the Disneyland web site password would be "dltarzan" and the Doom Buggies password would be "dbtarzan", etc.
That makes memorization super duper easy.

• Use a word which does not appear in a dictionary and does not appear on any ID card in your wallet/purse.
One way to accomplish this is to use a common word but add a digit or two.
For example, my favorite baseball player growing up was Wes Parker of the Los Angeles Dodgers, who wore uniform number "28". So my password could be my name or my street, but appended, or prefixed, with "28".

So if you combine these ideas, MousePlanet might be the password "mptarzan28", Disneyland would be "dltarzan28", etc.

So even if the common word is guessed, (based on stolen ID cards), the number suffix is very unlikely to be guessed.
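Added example (not part of any post in this thread): with the prefix scheme above, every site's password shares one long core and only the two-letter prefix differs. This Python audit checks a list of your own passwords for such shared cores; the vault contents, the `MIN_CORE` threshold and the function names are constructed for illustration.

```python
from __future__ import annotations
from difflib import SequenceMatcher

MIN_CORE = 5  # assumed threshold: a shared run of 5+ characters counts as a reused base

# Constructed sample vault: three entries follow the prefix scheme from the post,
# one is an unrelated random password.
SAMPLE_VAULT = {
    "MousePlanet": "mptarzan28",
    "Disneyland": "dltarzan28",
    "Doom Buggies": "dbtarzan28",
    "bank": "Q7v!kL2x#pW9",
}


def shared_core(a: str, b: str) -> str:
    """Longest contiguous run of characters present in both passwords."""
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    m = matcher.find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]


def audit(vault: dict[str, str], min_core: int = MIN_CORE) -> dict[str, list[str]]:
    """Return {core: [sites]} for every core shared by two or more sites."""
    groups: dict[str, set[str]] = {}
    sites = sorted(vault)
    for i, first in enumerate(sites):
        for second in sites[i + 1:]:
            core = shared_core(vault[first], vault[second])
            if len(core) >= min_core:
                groups.setdefault(core, set()).update((first, second))
    return {core: sorted(members) for core, members in groups.items()}


def site_specific_part(password: str, core: str) -> str:
    """What remains once the shared core is removed: the only per-site secret."""
    return password.replace(core, "", 1)


if __name__ == "__main__":
    for core, members in audit(SAMPLE_VAULT).items():
        print(f"{len(members)} sites share a {len(core)}-character core: {members}")
        for site in members:
            rest = site_specific_part(SAMPLE_VAULT[site], core)
            print(f"  {site}: only {len(rest)} character(s) differ")
```

Any site the audit groups together should be treated as sharing one password: a leak at one of them exposes all but the short per-site part of the others.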

b52hbuff
05-09-2008, 11:52 AM
Well, rather than tell you how I do it, let me pass along some tips I've heard over the years.
...
So even if the common word is guessed, (based on stolen ID cards), the number suffix is very unlikely to be guessed.

http://www.foxnews.com/story/0,2933,351497,00.html

I understand you're not talking about a complete duplication, but there is still a heuristic that could be programmed into a computer.

Very interesting tips. Also interesting to have an old thread resurrected as a sort of time machine.

In the time which I had originally started the thread, I have purchased an Iron Key. (http://www.ironkey.com)

All I can say is WOW! Until you experience the convenience and security of one click access to totally random passwords, you don't know what you are missing. The IK is a secure USB hard drive that has its own Mozilla environment built in. I have my browser, bookmarks and passwords with me wherever I go. I also have ~4GB of secure storage.

Once I started getting up to speed on Mozilla, IK and the secure password storage, I just kept adding accounts. I signed up for any online access offered by my banks, brokerages, utilities, etc. I estimate I have about 20 "serious" (e.g. money is involved) accounts. And probably about 40 more recreation accounts. All of these now have one click access...

The device is built as strong as its name. It has an epoxy filled case. The data is hardware encrypted, so even if someone managed to extract the flash chips, there's no way short of a brute force attack to crack it.

And for casual attempts at password cracking, the unit will self destruct after ten consecutive incorrect password attempts. So although I'd be upset at the $$$ lost in having to replace a lost/stolen IK, I won't be concerned about identity theft.

As for the data, the passwords are stored at Iron Key's secure site. They are double 128-bit AES encrypted. I backup my IK's secure data to an encrypted TrueCrypt partition on my hard drive. So my replacement IK can be updated with my secure backup and the IK password backup.

More data and accolades on IK can be found here:
https://www.ironkey.com/pressrelease20080404
THE IRONKEY NAMED BEST SECURITY HARDWARE AT 2008 FOSE CONFERENCE AND EXHIBITION
IronKey USB Flash Drive Selected from Pool of 150 Entrants

https://www.ironkey.com/pressrelease20080414
NIST CERTIFIES IRONKEY WITH FIPS 140-2 LEVEL 2 VALIDATION
IronKey USB Device Meets Rigorous Security Standard for Government and Large Enterprises

Ok, enough of the sell. I am really a satisfied customer. If someone wants more information, or if you get one and need help, just PM me.

And no, I don't work for IK. :)

