We all have passwords, and they need to live somewhere. My history:
Oh the days when they could all be kept straight in my head…that was great. I was a big fan of picking a single word, then substituting in one numeric character for a similar-looking letter. 5wordfish and c1etus were my favorites. You may recognize Cletus as a (then) lesser-known character on the Simpsons. Whoever would think that I'd pick his name, and be smart enough to stuff a number in the middle? Those were the days. My Geocities account couldn't have been safer.
Eventually, sites started requiring an uppercase letter…fine. Then C1etus it would be. However, this soon morphed into inconsistent requirements from web account to web account. Lame. Okay…time to formalize this a bit further…add a rule so I’ll know it’ll be one of three potential password case combinations. Swell. It’s a little more complicated, but I can handle it. Most of these sites don’t lock me out with three tries anyway.
This worked pretty well, but shoot, soon my standard username was taken by someone else. Who would have thought that "soupanderson" would be such a popular handle? Soon, two handles became three, became a dozen, and the handle was sometimes one of my four email addresses (a lot at the time).
This turned into a text file with codes…website name, code for whether it was a username or email address, last letter of the user name, then a hint to which of my growing array of passwords.
Lately, every site thinks their formula for password requirements is somehow better than any other site. Must be 9 characters, have at least one uppercase letter, one lowercase letter, one number, one special character, no spaces, and no repeating letters.
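The policy above is the kind of thing a password manager should generate for, rather than a human remembering a variant per site. As an added example (not code from the post or from KeePass), here is a checker for exactly that rule set, plus a generator that draws from the OS CSPRNG and retries until the result passes. The "no repeating letters" clause is read here as "no character twice in a row", and the special-character set is an assumption; both are easy to change in `POLICY`.

```python
import secrets
import string

# Policy as the post describes it. Assumptions: "no repeating letters" means
# no character may appear twice in a row, and this is the allowed special set.
POLICY = {
    "min_length": 9,
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}


def policy_violations(password, policy=POLICY):
    """Return the names of the rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("min_length")
    for cls in ("upper", "lower", "digit", "special"):
        if not any(ch in policy[cls] for ch in password):
            problems.append(cls)
    if " " in password:
        problems.append("space")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("repeat")
    # Anything outside the four allowed classes is rejected too.
    allowed = policy["upper"] + policy["lower"] + policy["digit"] + policy["special"]
    if any(ch not in allowed for ch in password):
        problems.append("charset")
    return problems


def generate_password(length=16, policy=POLICY):
    """Generate a random password that satisfies the policy, using the OS CSPRNG."""
    if length < policy["min_length"]:
        raise ValueError("length below policy minimum")
    classes = [policy[c] for c in ("upper", "lower", "digit", "special")]
    alphabet = "".join(classes)
    rng = secrets.SystemRandom()
    while True:
        # One guaranteed character per class, the rest from the union, then a
        # shuffle so the position of each class reveals nothing.
        chars = [secrets.choice(c) for c in classes]
        chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not policy_violations(candidate, policy):  # retry on adjacent repeats
            return candidate


if __name__ == "__main__":
    for pw in ("5wordfish", "C1etus", generate_password(12)):
        print(pw, "->", policy_violations(pw) or "ok")
```

Run against the post's own favorites, `5wordfish` fails on the uppercase and special-character rules and `C1etus` on length and special character; the generated one passes by construction, and nothing about it has to be memorable because the manager stores it.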
IE and Firefox (ok, and Chrome too) have integrated password managers. I adopted the Firefox password manager with an extension called "master password timeout", which forces me to enter a super password if I'm not active in the browser for any 2-minute period.
This worked great…but made me nervous. I’m not the best at locking my workstation if I walk away, and I was an early adopter of portable applications (read: carried my digital life around with me on a 512MB USB drive, later my iPod).
Then came the popularity of online banking. All of a sudden, I could access secure information about my financial life through my home (or public–yikes) PC. It started with credit cards, then moved to online brokering and banking like e-trade, then got mainstream with Wells Fargo, TCF Bank, and US Bank. At this point, it didn’t take a slack-jawed yokel to recognize that a simplistic password strategy was just asking for trouble.
I decided to abandon the browser-saved-credentials ship while I was ahead of the game. My go-forward solution: KeePassPortable (based on KeePass Password Safe). I'll deep-dive on the app another time, but the important bullets include:
- Encrypted password file: All of my passwords live in one file, which I can back up as desired, protected by a single, ridiculously difficult-to-remember password, as well as an optional keyfile.
- Easily searchable: one search box to go through my entire password database.
- Lightweight, portable application: It’s not intrusive into my computing experience, and open source to boot.
- Each entry gives me latitude to add notes and other meta data so I can keep things straight.
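The first bullet is the part worth understanding: the master password and the optional keyfile are combined into one key, and the file cannot be opened if either is missing or wrong. As an added example (not code from the post and not KeePass's actual file format or KDF), here is a simplified model of that composite-key idea in Python's standard library: hash each component separately, hash the concatenation, then stretch the result with a salted PBKDF2 so offline guessing of the master password is slow. The vault header, key-check tag, iteration count and keyfile contents are all constructed here for illustration.

```python
import hashlib
import hmac
import os

# Constructed keyfile contents; a real keyfile would be random bytes kept off the vault's host.
SAMPLE_KEYFILE = b"constructed keyfile contents for the example"
ROUNDS = 300_000  # assumed stretch factor; tune to your hardware


def composite_key(master_password, keyfile_bytes=None, salt=b"", rounds=ROUNDS):
    """Derive a 32-byte vault key from a master password and an optional keyfile."""
    # Hash each component separately so a missing keyfile contributes nothing
    # rather than an empty string that an attacker could guess.
    parts = hashlib.sha256(master_password.encode("utf-8")).digest()
    if keyfile_bytes is not None:
        parts += hashlib.sha256(keyfile_bytes).digest()
    composite = hashlib.sha256(parts).digest()
    # Salted, slow stretch: every guess of the master password costs `rounds` HMACs.
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def create_vault_header(master_password, keyfile_bytes=None):
    """Build the unencrypted header: a random salt and a key-check tag (no secrets stored)."""
    salt = os.urandom(16)
    key = composite_key(master_password, keyfile_bytes, salt)
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "check": check}


def unlock(header, master_password, keyfile_bytes=None):
    """Return the vault key if password and keyfile are both right, else None."""
    key = composite_key(master_password, keyfile_bytes, header["salt"])
    expected = hmac.new(key, b"vault-key-check", "sha256").digest()
    # Constant-time compare so the check itself does not leak which bytes matched.
    return key if hmac.compare_digest(expected, header["check"]) else None


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple", SAMPLE_KEYFILE)
    print("right password + keyfile:", unlock(header, "correct horse battery staple", SAMPLE_KEYFILE) is not None)
    print("right password, no keyfile:", unlock(header, "correct horse battery staple") is not None)
    print("wrong password + keyfile:", unlock(header, "Tr0ub4dor&3", SAMPLE_KEYFILE) is not None)
```

The check tag lets the manager tell a wrong master password from a corrupted file without decrypting anything, and the keyfile means a keylogged master password alone is not enough; the flip side is that losing the keyfile loses the vault, so it needs its own backup.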
The biggest downside is that I find myself more and more dependent on KeePass. As this compounds, I need to open my password file more often, which provides more opportunities for my master password to be compromised. Though this can be a bit nerve-racking, a good password rotation should keep this in check.
I’ve held firm with the KeePass approach for a solid couple of years now, and it’s still the best play as far as I’m concerned.