Use a Wallet to Keep Passwords Safe
Posted by Kevin Purdy at 12:30 AM on December 6, 2007

Readers at the Freakonomics blog recently interviewed security expert Bruce Schneier, touching on phishing, encryption, and online storage, among other things. On the topic of passwords, Schneier said there are too many for anyone to remember, so he relies on a fairly low-tech solution:

"I write my passwords down. There's this rampant myth that you shouldn't write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet."

Schneier's not the first to defy the conventional IT wisdom, but his particular method makes sense: a wallet is something you already guard and whose loss you notice quickly, which is more than can be said for a note stuck to a monitor. Of course, he also chooses strong passwords and uses his own Password Safe program to create and store them, so the slip of paper in his back pocket is a backup rather than his only copy.

Indecision
Posted 1:24 PM 5/12/07
@dravidian: "So how secure is KeePass?"
You can read about KeePass's security here. As long as you have a reasonably secure master password, it's certainly good enough for personal use. Unless you work for the CIA, a foreign government, or a high-profile company, it won't be worth an identity thief's time or effort to crack it, especially if you take his recommendation for making it resistant to dictionary attacks.
Heidi7Sue
Posted 1:17 PM 5/12/07
I keep my passwords written on a piece of paper, with the site name and my user name too. I keep this paper taped to the wall next to my computer in my home. I assume that anyone I allow in my house won't steal my passwords. This will, of course, change once the kids are old enough to bring home friends who can read. And we don't do any online banking; that would complicate things if someone broke into our house. As it is, no one breaking in is going to mess around with my Wikipedia account.
Jarick
Posted 12:55 PM 5/12/07
How about this:
Have your list of sites that require passwords, number them.
Write down your passwords in your wallet, number them.
Match up the numbers. Passwords are useless without websites and vice versa.
CWW
Posted 12:29 PM 5/12/07
What I never understand is why people choose things that are readable or semi-readable for passwords. Whenever I type in a password, it shows up as a series of dots or asterisks. So it doesn't matter if the password is sIm0nj0n3s or jkjkj*(*(*98989, they're both series of dots. The latter one has the great advantage of being really easy to type and you end up storing it in your muscle memory. I always use passwords that look complex but are amazingly simple like 7uj8ik or yhnujmik,. However, I have a large repertoire of passwords that have the same "finger pattern" but start at different places on the keyboard. The only thing I need to jog my memory is a single letter -- where to start. And I use that letter as my password hint.
pantsonfireliarliar
Posted 12:25 PM 5/12/07
Pin numbers are nice and easy to obfuscate: save them in your cellphone contacts hidden in phone numbers.
Yes passwords are hard to remember: some banks require special characters, others explicitly deny them and then on top of that, you only access them once a month if that.
Mark
Posted 12:24 PM 5/12/07
Keep your passwords encrypted (Truecrypt - open source, free) on a USB flash drive and keep that with you or in a safe place. If you put them in your wallet, you just give thieves one more piece of your identity if they manage to steal your wallet and act on it before you can. Keep an encrypted backup flash drive in a safe place as well since flash drives will eventually fail and your passwords will be lost without a backup. This method requires you to remember only one password - the one to unencrypt your flash drive. Schneier may be an IT guru of some sort but that password-in-the-wallet advice is ridiculous.
ARP
Posted 12:05 PM 5/12/07
I use the 3 password approach with the strongest password for the most sensitive and the weakest for required sign-ups, logins, etc. It's funny how memorization is becoming a lost art. I remember in high school I had to memorize 3-4 different padlock combinations (locker, PE, sports, etc.), in addition to all my school stuff.
dvan
Posted 12:03 PM 5/12/07
Great ideas. I have a couple of variations.
I keep my USB drive in my billfold - it's a seriously tiny one - Kingmax Superstick - and there's a chance that someone who stole my wallet would not find it. Everything on the USB drive is encrypted.
I have several other normal USB drives that have the same info that are scattered at work and home, so I'm not hosed if my wallet is stolen.
For really secure stuff, I use TrueCrypt with a complex password plus a keyfile so even if someone could somehow get a copy of the PW, they couldn't get in. I use some security by obscurity for my keyfile - it's stored with a zillion other files that look identical.
Typically, the encrypted file and the related keyfile are never stored in the same place, e.g. the encrypted file is on the USB drive and the keyfile is on the hard drive or vice versa.
dravidian
Posted 11:57 AM 5/12/07
So how secure is KeePass? It looks more user friendly than PasswordSafe. But I'm thinking PasswordSafe's early versions were first written by Bruce so there's a good chance it's securely designed (and reviewed).
One option I've considered for the 'last resort printout' is to encrypt the password file with a generated 'one time pad', and print out the one time pad. In the event of an emergency, I can retype the one-time pad by hand from the printout and decrypt my data file.
Admittedly I don't have anything remotely important enough for me to bother with this. But it's something that crossed my mind. Supposedly a long, randomly generated OTP is the most secure way to encrypt something of value.
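The one-time-pad printout dravidian sketches above, as an added example (editor's code, not dravidian's; the two-line password file is a constructed sample). The pad comes from the OS random generator, must be exactly as long as the file, and is rendered as grouped hex so it can be retyped from paper; the last function shows why the pad is one-time: two files under the same pad leak their XOR.

```python
"""One-time-pad protection for a small password file: encrypt with a random pad,
print the pad, retype it in an emergency. Added example, not from the thread."""
import binascii
import secrets


def make_pad(length: int) -> bytes:
    """A fresh pad: as long as the plaintext, from the OS CSPRNG, never reused."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)  # XOR is its own inverse


def pad_to_printout(pad: bytes, group: int = 4, per_line: int = 8) -> str:
    """Hex in groups of 4 bytes, 8 groups per line, so a human can retype it."""
    hexstr = binascii.hexlify(pad).decode()
    chunks = [hexstr[i:i + 2 * group] for i in range(0, len(hexstr), 2 * group)]
    lines = [" ".join(chunks[i:i + per_line]) for i in range(0, len(chunks), per_line)]
    return "\n".join(lines)


def printout_to_pad(text: str) -> bytes:
    """Reverse of pad_to_printout; tolerates whatever whitespace a human types."""
    return binascii.unhexlify("".join(text.split()))


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an attacker gets from two files under the same pad: pt1 XOR pt2.
    The pad cancels out, which is why 'one-time' is not optional."""
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    password_file = b"bank: correct horse\nmail: battery staple\n"  # constructed sample
    pad = make_pad(len(password_file))
    print(pad_to_printout(pad))  # this is the sheet that goes in the drawer
    ct = otp_encrypt(password_file, pad)
    assert otp_decrypt(ct, printout_to_pad(pad_to_printout(pad))) == password_file
```

The printout is the entire secret, so it needs the same physical protection the plaintext would; the gain over a plain printout is that the encrypted file on the USB stick and the sheet in the drawer are each useless alone.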
hardcoreUFO
Posted 11:32 AM 5/12/07
Wow. What a profoundly stupid idea. Why don't you also add your bank account numbers and social insurance number while you are at it. Then curl up in a ball and cry inconsolably when you lose your wallet.
I use 1password and forget about it.
Indecision
Posted 11:28 AM 5/12/07
@tvjames: "As I write I've decided when I go home tonight that I ought to keep that USB key in the fireproof safe..."
"Fireproof" safes are only designed to keep paper safe. Paper is safe up to 450 degrees. Your USB drive will be destroyed at a much lower temperature.
Like I mentioned above, my USB drive lives in my pocket. If my apartment burns down, my passwords are OK as long as I'm wearing my pants. You probably don't want to do that unless you encrypt your list, though, in case it gets lost.
activevoice
Posted 11:27 AM 5/12/07
This question came up recently on the DIYPlanner boards too. How about encoding your password with a simple transposition cipher? Simple enough to encode and remember, but it would probably utterly confound the thief.
ddumond
Posted 11:24 AM 5/12/07
I agree with the other comments that a wallet is a bad place for written passwords. I prefer an encrypted electronic version such as PasswordSafe mentioned above, stored on a TrueCrypt volume. If I absolutely have to write down a password, I would obfuscate it somewhat, using a variety of techniques. While it would be bad to reveal exactly what I use, here are some ideas that can be combined to help hide a password in plain sight:
- Interspersing another word into the password so that "password" combined with "complex" becomes "pcaosmspwloerxd"
- Adding a few irrelevant characters at the beginning and the end so that "password" becomes "lhpasswordhl"
- Using opposite case
- Writing them down vertically instead of horizontally
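ddumond's "hide in plain sight" tricks written out as code, so the encoding and, more importantly, the decoding can be checked (an added example by the editor, not ddumond's own code; the filler word "complex" and padding "lh"/"hl" are the ones from the comment). The decoder makes the point the comment leaves implicit: the filler word and the padding are the whole key, and anyone who knows the scheme reverses it instantly.

```python
"""Interleave, pad and case-flip a written-down password, and undo it.
Added example; obfuscation only, not encryption."""


def interleave(secret: str, filler: str) -> str:
    """Alternate characters of secret and filler, secret first; the tail of the
    longer string is appended as-is. ('password', 'complex') -> 'pcaosmspwloerxd'."""
    out = []
    for i in range(max(len(secret), len(filler))):
        if i < len(secret):
            out.append(secret[i])
        if i < len(filler):
            out.append(filler[i])
    return "".join(out)


def deinterleave(blob: str, filler: str) -> str:
    """Undo interleave(). The filler word is the only 'key' in this scheme."""
    secret_len = len(blob) - len(filler)
    if secret_len < 0:
        raise ValueError("blob shorter than filler")
    secret, pos = [], 0
    for i in range(max(secret_len, len(filler))):
        if i < secret_len:
            secret.append(blob[pos])
            pos += 1
        if i < len(filler):
            if blob[pos] != filler[i]:
                raise ValueError(f"filler mismatch at position {pos}")
            pos += 1
    return "".join(secret)


def hide(secret: str, filler: str, prefix: str, suffix: str) -> str:
    """Combine the tricks from the comment: interleave, flip case, pad both ends."""
    return prefix + interleave(secret, filler).swapcase() + suffix


def reveal(written: str, filler: str, prefix: str, suffix: str) -> str:
    """Exact inverse of hide(); needs filler and padding, nothing else."""
    if not (written.startswith(prefix) and written.endswith(suffix)):
        raise ValueError("padding does not match")
    core = written[len(prefix):len(written) - len(suffix)]
    return deinterleave(core.swapcase(), filler)


if __name__ == "__main__":
    written = hide("password", "complex", "lh", "hl")
    print(written)                                   # what goes on the paper
    print(reveal(written, "complex", "lh", "hl"))    # what you recover
```

This defeats a glance over your shoulder, not an attacker who has read this thread; the secret part of the scheme is the filler and padding, and a leaked slip plus a guessed filler gives back the password with no search at all.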
MikeDawg
Posted 11:22 AM 5/12/07
I had a co-worker that also did this. The only bad thing about it is that he suddenly passed away one day, and my boss had to ask his next of kin for the list of passwords in his wallet, as he was the lead system administrator and had some passwords that no one else had.
tvjames
Posted 11:15 AM 5/12/07
I like Urban Ride's idea. If you have to write them down, only write down part of them. I'd also suggest writing down a lot of fake ones on the same piece of paper, labeling none and also not including usernames.
Personally, I'm not going to pick a bunch of passwords so complex that I'm screwed if someone steals my wallet - (a) they can get in and (b) I can't.
I have a rather stupid scheme that combines a set part of the initials of the website I'm visiting with a phrase. It allows me to create unique passwords but if someone figured out one, they'd be able to figure out others. For sites I could care less about, I use standard password on all those sites. Of course, my email address with each and every site is also unique -- using Google Apps for My Domain and the catch-all account allows me to establish a new email address (myname."site"@domain.com)
My really important passwords are in a password protected Excel file on my computer and backed up to a USB key stored elsewhere. (As I write I've decided when I go home tonight that I ought to keep that USB key in the fireproof safe in case the computer gets stolen or house burns down.)
dagwud
Posted 11:08 AM 5/12/07
I save most of my passwords in an encrypted volume from which I run Portable Firefox with a slew of saved passwords. Password to the volume is long and convoluted and a mishmash of languages. So most things are safe.
This means I only have to memorize a few passwords for sites that won't save 'em on the computer - like ebay or the bank.
stever
Posted 11:00 AM 5/12/07
@urbanride: -- this is an excellent idea that I've seen suggested on several security sites. At my office I'm always trying to get the user community to create stronger passwords --- or anything that isn't five of the same character. Maybe now at least they'll have 'eeeee+facebook'
inbetweener
Posted 10:57 AM 5/12/07
I use locknote.exe, a single encrypted text file.
However, I only have about 5 different usernames and 5 different passwords I use.
I can remember these (and I don't have them written down anywhere, and have never forgotten them in the past 10 years), and simply record each site with the initial of the username and the initial of the password used on that site in locknote.
I use different usernames and passwords for sites I consider of different levels of importance.
For financial and shopping sites I use a particularly secure password and uniquely derive the others by reference to the individual site itself - e.g. for amazon.com or apple.com I use the first 3 letters of the site scattered at specific points within my most secure password.
It sounds a bit complicated but it's actually all very easy to remember and I very rarely have to refer to my encrypted textfile.
I don't think it could be any easier or more secure.
Indecision
Posted 10:52 AM 5/12/07
A while back, someone broke into my PayPal account due in part to my own negligence (I had used the same password for PayPal, and the email attached to my PayPal account). Immediately after, I realized I needed more secure passwords, but who can remember truly secure passwords, especially a different one for every site?
I needed a solution for keeping track of passwords that met the following requirements, in order of importance:
1) Secure. If I lose my list, nobody else should be able to use it.
2) Resilient. It should be impossible to permanently lose its contents.
3) Portable. I should be able to use it no matter where I am.
4) Convenient. It should be usable no matter where I am, and what sort of computer I'm using.
5) Versatile. It should be capable of storing useful information other than passwords.
I found a solution that meets all of these requirements acceptably. It's a combination of software, hardware, and personal diligence. But it's easily maintained, especially once you're past the initial setup (doing a brain dump of all your passwords might be harder than you think). I'll explain it by going through how each of the requirements are fulfilled.
Secure, Convenient: My passwords live in a KeePass database. It's natively a Windows program, but is Open Source and has been ported to Linux, OS X, and PocketPC as well. The program secures your passwords with enough encryption to keep out just about anyone but the NSA. Of course, you'll need a secure password to lock the database with, but it's the only one you'll have to remember.
Resilient, Portable: I have a USB flash drive that lives in my pocket. You should have one, too. Every time I change my KeePass database, I copy it to the flash drive. The database is tiny (mere kilobytes) so the flash drive doesn't need to be a huge expensive one. Since this drive never leaves my pocket (except when it's actively in use), I don't have to worry about a catastrophe at home destroying my only records of my passwords; and since there's a copy on my home PC, I still have the list even if the flash drive is lost, broken, or stolen.
A possible downside is that a computer is needed to access the list, but since these are all passwords to Internet accounts, that doesn't bother me.
I also have a free account at Mozy which backs up, among other things, the KeePass database. So, in the unlikely event that my apartment burns down and I lose my pants at the same time, Mozy still has a copy too. (The caveat here is that I need to keep the Mozy password both secure and committed to memory. I use a slight variation of my KeePass password.)
Versatile: I use the "notes" section in each KeePass entry to store other information related to the account. Answers to security questions go in there. For banking sites, account numbers and phone numbers are stored in there. I can even use it to store non-password information by simply entering whatever I want in the "password" field, like account numbers or social security numbers.
Because I am confident in the encryption that KeePass uses, and in the strength of the password I've secured it with, I'm OK with this information being in one place.
Conclusion: Thanks to this solution, I can have truly secure passwords on my financial sites (for example: "uj}8do@7/2E"d\[79G%\"), I can have different passwords everywhere without having to remember them all, I don't need to worry about the list being lost or stolen, and I can access the list wherever I go.
schlappette
Posted 10:51 AM 5/12/07
Like others, I keep my passwords with me electronically (Palm, iPhone, what have you). I have about 10 passwords that I commonly use, which I can remember easily with a slight reminder. So when I store my passwords, I only list the first few letters and type the rest as asterisks: yc******* or st****1*.
As an added note, I do think it is important to have usernames and passwords for important things recorded somewhere SAFE in case of an emergency. If you're incapacitated, or comatose, or dead, your next of kin may need that information.
ghnvt
Posted 10:51 AM 5/12/07
Is it really that hard to memorize them? I tend to use similar (not exact same) passwords. I believe if you can't memorize it then it is way too complicated. Obviously if you have more than 20 passwords then you should write them down, but I use the majority of mine every day so I really don't have to. The easiest way and most secure is to remember them, but some people are just idiots and stick them under the keyboard, on their monitor or in a drawer at their desk. Come on people.
cjc
Posted 10:49 AM 5/12/07
The main benefit of writing down passwords is that you can choose considerably stronger passwords than ones you can memorize.
I wouldn't be surprised if Schneier has his banking portal password written down, if only because that's one password that should be very strong. Of course, it's probably "written down" in his password vault rather than in his wallet, as he probably doesn't do online banking on unsecured terminals at Internet buffets.
japapuss
Posted 10:34 AM 5/12/07
I agree with BKPATT. Frankly, I'm surprised that someone like Bruce Schneier would recommend such an approach.
For myself, I find the key to devising and remembering good, strong passwords is to utilize a pass PHRASE instead. Then utilizing the first letter of each word in the phrase, replacing them with a mix of upper/lowercase and special characters, I end up with a pretty darned good - and easy to remember - password. Just my $.02.
Troy F.
Posted 10:31 AM 5/12/07
A lot of us have moved to the "treat your passwords like cash" concept. We figured out that simply saying "Don't write your passwords down" doesn't work - people do it anyway. It's like the abstinence education of IT Security. Better to tell them it's best not to write the passwords down but then tell them good ways to protect the passwords if they do write them down. Which they will.
I think there are also some unspoken pieces of Schneier's comment - don't keep listings of usernames and passwords in the same place and also don't write down passwords that you don't need to write down! The passwords for sites/systems that you log into frequently you probably already have memorized - why would you write them down? If Schneier accesses his online banking portal on a regular basis, presumably you won't find that password in his wallet.
jimforcy
Posted 10:25 AM 5/12/07
In the end, the argument is about how physically safe we can make access to our devices, not about the passwords themselves. If I create a 32 character password from non-alpha numeric and even some international characters, great! But if I then decide to use a Microsoft wireless keyboard or accidentally leave my browser open after using Outlook Web Access, then what good is my excessively complex password? I guess its only as good as the Microsoft system that I put my trust in.
dravidian
Posted 10:24 AM 5/12/07
I use PasswordSafe, and save the psafe file on a small Truecrypt encrypted file on my USB drive. I keep this truecrypt file small and separated so that it's easy to back up often. I back up the Truecrypt file about once every two weeks to my home computer.
For sensitive sites like my bank accts, I record the minimum information in PasswordSafe that I need to remember (e.g. I don't save the bank card # which is reqd to log in - since I carry that with me physically).
As a failsafe, I keep one single printout of my super important passwords in a drawer at home.
remthewanderer
Posted 10:22 AM 5/12/07
I write down my usernames and passwords as well. I have about 5 or 6 different strength passwords that I write down using a two letter or number code. So S2 could correspond to a 7 character length password that I am familiar with.
Jim
Posted 10:19 AM 5/12/07
I like URBANRIDE's idea - add some prefix or suffix to all your passwords only you know. Don't write that down. So not only would someone have to guess what the password is for - they would be missing the additional prefix/suffix.
devnull
Posted 10:17 AM 5/12/07
I also write them down but they stay safely hidden at my home and office. IMO carrying them in your wallet is a really bad idea.
If I find Bruce's wallet, I've got his credit cards, his bank cards, AND his passwords. Depending on how many passwords he uses someone could probably log into his accounts, set up new ones, transfer funds, and be gone in a couple of hours.
Maybe before he even realizes his wallet is missing. And if he also carries his social security card, it could be game over for Mr. Schneier.
bkpatt
Posted 10:01 AM 5/12/07
Ahhhhh, because losing your wallet isn't bad enough with having to call companies to cancel and reissue cards, obtain a new driver's license, health insurance cards, membership cards, and on and on.
Now, we also want people to lose their virtual identities at the same time they lose their physical identities. While you are at it, just write the PIN numbers of your cards on the back on the Signature line, and you might as well throw your Social Security # on a slip of paper as well, nothing worse than having to remember that. Mr. Schneier just lost some credibility as a "security expert."
I will say, I agree with the physical writing things down. The suggestion just above is quite a good one - have your passwords consist of a difficult string of characters that is either prepended or appended (or both) by another string of characters not actually written down.
For heavens sakes though, don't put the paper in your wallet! I've NEVER lost my wallet (nor my keys, cell phone, or most anything else of value) due to my own slight OCD about such things and propensity for caution. The worst I've done is driven off before I pulled my card from the ATM and had it sucked back in the machine. I knew it within hours though and the card was cancelled, not to mention my "primary" checking and my "cash withdrawal" accounts are separate, and the primary is inaccessible from the cash withdrawal ATM card.
I can imagine the first thoughts through someone's mind after losing a wallet (right after the string of bad words)... WHERE? HOW? WHEN?
At least with my paper stored securely in my home, I know the only way that paper is going to be in the wrong hands is if someone breaks into my home, and even then it is in a place where one would not think to look to find online passwords or account information.
Be smart people - there is no 1 safe way - combining multiple security measures and introducing variance is crucial - sit down and come up with your own methods, be creative. Take pride in your own security measures, keep them current when passwords change or new accounts open, and make it fun!
Rick Lobrecht
Posted 9:49 AM 5/12/07
I think the key to not writing down your passwords, is not writing them down, and leaving them by your computer.
I use eWallet to store my passwords, and a random password generator. Most passwords I have no clue about (like the one for Gawker sites) and have to look up every time. I can generally learn a new random password for my PC within a few unlocks after changing it.
CarbonRod
Posted 9:39 AM 5/12/07
This is probably not the most secure thing but I have almost everything using two passwords. One password is for super secure stuff like banking and my email. The other is less secure like when i sign up for forums.
I have about 15 "passwords" written on a page in my wallet. Only two of them are real. If I forget, I can look at the list and recognise the right ones.
SciotoSurfer
Posted 9:28 AM 5/12/07
I do this for some hard to remember stuff, but I use the cell phone notepad instead of my wallet.
mlhoward516
Posted 9:27 AM 5/12/07
I have 3 passwords. One I use for sites that I don't really care about (facebook, myspace, cooking recipes, etc), I have a special one for online banking that's in Russian, and a special one for my email and school account that's in French.
urbanride
Posted 8:47 AM 5/12/07
Write down the complicated part of your password; for example, if my pw was "7jds^@VDjamesbrown", then you would only write down the "7jds^@VD" part. This way you can remember the easy part. If somebody finds your piece of paper, then even if they have the username they still would not have the correct one.
chris-mcc
Posted 8:33 AM 5/12/07
This is something I also do. And I make sure that the passwords are listed with no information that will tell someone else what site they are used on.
I sometimes add clues or hints that only I would understand to tell me what site the password is for.
infmom
Posted 2:25 PM 5/12/07
@stokely: If your account numbers have the right number of digits, you can put them in your address book as someone's phone number or ICQ account.
infmom
Posted 2:23 PM 5/12/07
I have a small Circa notebook that I keep on my desk for jotting things down. Many of my passwords are in there--but in code. Since I remember a lot of obscure things like the first phone number our family had, I could use that as part of a password along with some other nonsense word that is part of my family's history, and note the combination as something like "phone-dad" to indicate the number and the fact that the rest of it is a word my dad made up. Good luck to anyone, including my brothers, trying to figure THAT out.
stokely
Posted 2:08 PM 5/12/07
Haha, I feel kind of vindicated by hearing him say this. I've carried a piece of paper in my wallet for years, with my banking details. There's nothing to identify each account, just the account number, and only a hint or partial password. I feel safe enough about it.
olegna
Posted 1:31 PM 5/12/07
CWW: Pretty interesting advice, actually.
Why carry all your passwords in your wallet? I have them written down - in a booklet at home. I figure the odds of that booklet being stolen by somebody who wants to see how much money I have in my bank account, or read my boring emails, is far less than me losing my wallet and somebody finding it and just to be deviant deciding to commandeer my email and bank logins. A non-descript booklet at home isn't even likely to be stolen during a burglary (they usually go for the electronics, not the paperwork).
I don't find myself needing to log in to a lot of things from computers that aren't my own. When I travel I might jot down the passwords I've forgotten, but rarely find a need to do anything but check bank balances or email on other computers. And those passwords are remembered.
ADVICE: One good way to remember passwords is to never use auto-fill or "remember the password" option. That way you're forced to enter the passwords each time, which helps you remember them. It's annoying when I get used to the computer remembering my password, then I clear my cookies, re-format my HD, or buy a new computer and I can't remember the passwords because I never had to.
CaraimanG
Posted 12:21 PM 5/12/07
For bank info I use my email address book. For example, Natwest Bank will be Norman Bently, his mobile number will be my account number, and his email address will be my security number.
For example, if my security number is 123456, then I will use the letters on the phone keypad to turn that number into the domain name (1=vo for "voicemail"). In this case, vobeglo. So its norman.bently@vobeglo.com
If I ever forget my security number, I just type "vobeglo" on my phone et voila!
jtimberman
Posted 3:28 PM 5/12/07
Security is really all about trust, and risk acceptance. If you trust your wallet is safe and are willing to accept the risk of what you keep there and it is stolen, that's up to you.
Despite all the 'best practice' advice out there by security experts, people are still going to do what they are comfortable with. That includes in companies that say "our password policy is that you do not write it down and keep it at your desk, you have to use this program to store passwords." Then these companies are surprised to find out that users are writing down passwords on sticky notes attached to the monitor/laptop/desk.
Andamom
Posted 2:41 PM 5/12/07
The point is that there are too many passwords that have to be entered. Each site, application, or process requires a separate password. At work, I have to change passwords every few months on my Novell log in, encryption, applications, etc. and it drives me crazy.
I need biometrics... I need the concept/theory of biometrics to be put into action. LDAP helped a bit because it reduced the sheer number of places that required a separate log in -- but ultimately, until my fingerprint or retina is recognizable as unique by everything that I need to use, I will be frustrated.
JamesF
Posted 4:31 PM 5/12/07
@ARP: I have my 14 digit bank card memorized, using techniques popularized by Harry Lorayne, star of many infomercials selling his memory course.
You can get the basics from one of his paperbacks, available second-hand for a dollar or less.
JamesF
Posted 4:28 PM 5/12/07
It's likely that Schneier practices good wallet security, too, of course.
1Time
Posted 9:07 PM 5/12/07
If computers mfr's would implement a biometric security method using a standard finger prick to draw blood and upload the digitized representation to an encrypted website for DNA analysis of each logon attempt, the current password hassles could be avoided. (kidding) ;-)
- Tim
dreinmund
Posted 1:13 AM 6/12/07
I use a system of generating unique passwords tied to the domain name of the website. Here is the basic principle, it can be done in lots of variations.
Take a domain like www.randomsite.com
The password rule could be:
1st letter domain name, uppercase -> ("R")
2nd last letter TLD (Top Level Domain, "com") -> ("o")
3rd last letter domain -> ("i")
1st letter uppercase TLD -> ("C")
1st favorite special character -> (".")
Number of letters in domain name -> ("10")
2nd favorite special character -> ("-")
Password: RoiC.10-
Or, example domain: www.anotherpage.org -> password: AraO.11-
Advantages:
# Easy to remember
# Can be used even w/o access to 1Password
# Much safer than other password variations
Mahmoud
Posted 12:47 PM 6/12/07
Secure passwords are large unique randomly generated passwords stored in an open source password manager and properly backed up.
@TVJAMES: your password protected Excel file is not secure.
one password for more than one site is probably a bad idea:
Some sites do not hash your passwords and you can not be sure. Even using a two-way encryption or even hashing without a salt is not the secure way to store passwords used for authentication purpose only. Just give them a random generated password and do not use it twice.
I agree with BKPATT. If you want to use a paper, it should be for recovery only and keep it in a secure physical location. Only write the passwords that you might forget that you can not reset/recover in a reasonable way.
@CJC: but writing down case sensitive alphanumeric passwords including special characters is not really nice and probably let you choose easier to write passwords.
Even if you printed them, typing them back is painful. Not like using auto typing of password managers.
Moreover, you have to clean your temporary files and maybe look more deeply because your document might be cached somewhere without encryption on your HD and memory.
@1TIME: you want your DNA to be published? Well, even yet it is less secure than random generated passwords and private keys because it is a single key that you probably can never change or even hide.
@DREINMUND: that's still not a unique password. In a sense of proper security, they are all considered a single password. If someone figured out one of your passwords then most probably he can figure out all the rest. Remember, you published how you generate them.
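dreinmund's domain-derived rule and Mahmoud's objection to it, side by side in code. This is an added example by the editor, not code either commenter posted: `dreinmund_rule` is the seven steps from the thread, reproducing its two examples; `keyed_rule` is the editor's suggested fix, a keyed derivation (HMAC-SHA256 of the site name under a memorised master secret) where the rule can be public because the secret, not the rule, is what an attacker lacks. It assumes a host of the form `[www.]name.tld` with a single-label TLD, which is all the thread's examples use; the master secret "correct horse" in the test is a placeholder.

```python
"""Site-derived passwords: a public rule versus a keyed derivation.
Added example; the HMAC variant is the editor's suggestion, not from the thread."""
import base64
import hashlib
import hmac


def split_host(host: str) -> tuple:
    """'www.randomsite.com' -> ('randomsite', 'com'). Multi-label suffixes such as
    'co.uk' are not handled; the rule in the thread never defines them (assumption)."""
    labels = host.lower().strip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        raise ValueError(f"need name.tld, got {host!r}")
    return labels[-2], labels[-1]


def dreinmund_rule(host: str) -> str:
    """The seven steps from the comment. No secret is involved, so one observed
    output plus a guess at the rule yields every other site's password."""
    name, tld = split_host(host)
    if len(name) < 3 or len(tld) < 2:
        raise ValueError("rule needs at least 3 letters in name and 2 in TLD")
    return (
        name[0].upper()      # 1st letter of domain name, uppercase
        + tld[-2]            # 2nd last letter of TLD
        + name[-3]           # 3rd last letter of domain name
        + tld[0].upper()     # 1st letter of TLD, uppercase
        + "."                # 1st favourite special character
        + str(len(name))     # number of letters in domain name
        + "-"                # 2nd favourite special character
    )


def keyed_rule(master: str, host: str, counter: int = 0, length: int = 20) -> str:
    """Same goal (memorise one thing, get a unique password per site), but the
    per-site value is HMAC-SHA256(master, 'name.tld|counter'). A password leaked
    by one site reveals nothing about the master or other sites; bumping counter
    rotates a single site's password without touching the rest."""
    name, tld = split_host(host)
    msg = f"{name}.{tld}|{counter}".encode()
    digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    for h in ("www.randomsite.com", "www.anotherpage.org"):
        print(h, dreinmund_rule(h), keyed_rule("correct horse", h))
```

Two caveats a practitioner would add: base64 output contains "+" and "/", which some sites reject (see the comment above about banks that deny special characters), so a real tool maps the digest into each site's allowed alphabet; and the keyed scheme simply moves all the risk onto the master secret, which must be long and random and, if forgotten, takes every site with it. That is the same trade-off a password manager makes, with the manager adding backups and per-site passwords that are not derivable from anything.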
UCF_Chris
Posted 1:56 AM 7/12/07
Writing down passwords is a terrible idea, unless, as previously mentioned, it is for the sole purpose of password recovery, and the paper itself is secured. I have a few ways to create easy to remember, yet very secure pass phrases. One of them is to use equations. For example:
I might use something like:
"Solving for c: c=[b^2-(2·a·x+b)^2]÷(4·a)"
Which is nothing more than the quadratic formula (x = (-b±√(b^2-4·a·c))÷(2·a)), solved for c. It utilizes unmodified keys, keys modified with shift, keys modified with option, and keys modified with option shift. Some of the characters have multiple symbols that mean the same thing mathematically, so it is easy to change it up. Also, by using characters that are not labeled on the keyboard it's harder for anyone to try to watch me and make sense of my password. While it is easy to learn via muscle memory, if I don't use it often, all I have to do is remember "solving for c: " and that it is the quadratic formula, plus which symbols I used for multiply and divide.
It's very easy for me to remember, yet it is a secure 40 character pass phrase. (That example is a little bit more simplistic than I would actually use. I prefer obscure equations that even many mathematicians would not recognize.)