Ask HN: Best way to protect my passwords as a user?
6 points by unwantedLetters 5471 days ago
I have very little knowledge of passwords and how to keep them protected. My "keep myself safe" strategy simply has different passwords for different websites - I try to keep special characters in.

It seems to me that with all these websites losing their data and seemingly (to the untrained eye) being completely incompetent, I need a better system to manage my passwords.

Can anyone suggest a good system to protect my passwords? For example - if the best way is to save and use complex 20-30 digit long random passwords, then how do you save those passwords? Surely you're not memorizing passwords for all your services, so you're using some sort of password manager; any ideas on which password manager is good? Or perhaps it is good to have a "passwords file", use some random password generator (or perhaps generate an MD5 hash of some text and use that as a password) and then keep all of them in some protected file on your system? Or is Mac OS X's Keychain Access any good for storing passwords?

I am asking this question here because there are people in this community who are known to be knowledgeable about the security of systems, and that makes them more eligible than I to answer these questions. I have done a little reading on the subject and find discovering a good way to protect myself very difficult. I hope I can get some help in this community.

Thanks in advance.

(As always, any articles/information that educate me on this topic will be helpful)

6 comments

I've started using 1password and as I sign in to services I use changing my passwords to one it generates. One big problem is I don't actually remember most of what I've signed up to over the years, but at least I can secure what I do actively use / remember so an old, compromised password won't get access to very much.

http://agilebits.com/products/1Password

The biggest problem with online passwords is not how many characters you have or anything like that. It is password redundancy. If you use one password (or small variants on that password) for every site you use, then if one account is compromised, all of your accounts are compromised. You want to have as many different passwords as possible.

Personally I use an online password manager (Passpack).

This allows you to randomly generate strong unique passwords for each website, and have them accessible from anywhere.

You are obviously putting trust in the service, but you have to weigh up what is more of a risk; the service going AWOL and stealing your passwords, or someone breaking into your accounts due to bad/repeated passwords.

LastPass is another major online password manager.

KeePass is a great offline solution. There's also 1Password.

Don't these online services all have the eggs-in-one-basket problem? The likelihood of them getting hacked might be low, but the impact of such an occurrence would be very high (all passwords exposed).

The possibility of a site getting hacked or being attacked may be low but not unexpected. Many of these services don't know your actual passwords; they just have a cryptographically secure file with your passwords in there, to which, in the case of an actual breach, only you (the owner/creator of said password list) have the keys. You just have to be responsible enough to know where your keys are to get at that list, or it's lost for good. The likelihood of someone actually cracking into those password files without knowing the password is actually much lower than the site storing them getting compromised. And in the event of 1Password, if and when they become aware of a breach they're usually upfront about it and require you to reset your master password before you can use the service again for the sake of security.
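As an added illustration (not code from any commenter or from the products named here) of the model the thread describes, a vault is an encrypted file plus a master password: the file can sit in Dropbox or on a vendor's server, and without the master password it yields nothing, while a forgotten master password makes it unrecoverable. The construction below is a stdlib-only demonstration (PBKDF2 key stretching, an HMAC-SHA256 keystream, encrypt-then-MAC); real managers use a vetted AEAD such as AES-GCM, and all names here are invented for the example. It also shows why a CSPRNG-generated password beats "MD5 of some text" from the question.

```python
import hashlib, hmac, json, os, secrets, string

PBKDF2_ITERATIONS = 200_000  # key stretching: every master-password guess costs this much work

def _derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (demo construction, not what shipping managers use)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal_vault(master_password: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the password list; the returned bytes are what gets stored or synced."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext

def open_vault(master_password: str, blob: bytes):
    """Return the entries, or None when the master password is wrong or the file was altered."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # no key, no plaintext: a stolen vault file on its own is useless
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def generate_password(length: int = 24) -> str:
    """A random per-site password from a CSPRNG, not a hash of a memorable phrase."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    # Constructed sample vault: one unique random password per site.
    vault = {"example.com": generate_password(), "mail.example": generate_password()}
    blob = seal_vault("correct horse battery staple", vault)
    print(open_vault("correct horse battery staple", blob) == vault)  # True
    print(open_vault("wrong guess", blob))                             # None
```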
I suggest KeePass to generate and store your passwords, with the password database shared via Dropbox.

It's multiplatform and works pretty much everywhere. After the initial setup even my non-geeky GF can use it.

There is always a trade-off between an online repository and an offline one. Take into account the possibility that they can be compromised, and also note how you can recover passwords if you lose the password repository (if there is a password recovery system).