Monday, November 21, 2011

So the combination is... one, two, three, four, five?

SplashData recently released a list of the most commonly used passwords on the Internet. (Based on published lists of stolen passwords.)

(Geek challenge! Name the movie and the TV show that are the source of two of the passwords on the list.)

So, in the interests of doing my part to halt the usage of easily hacked passwords, I thought I would share my password system. And some links, if you want to try it, too.

The tools you'll need:

KeePass is the key (ahem) of the whole system. This open source password manager fits my needs perfectly, as it works in Windows, Linux, and Android. (Also Mac and iOS.)

KeePass in action.

KeePass will generate random passwords, includes keyboard shortcuts to copy passwords (and then clear the clipboard after a set amount of time), and stores everything in an encrypted file using one- or two-factor authentication. Whenever I create an account on a website, I fire up KeePass and generate a random password for it. (Sample password: Egz0B2GC4pZf2u5VBVYi)
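To make the two ideas in that paragraph concrete (passwords drawn from a real CSPRNG, and a vault unlocked by a master password and/or a key file), here is an added Python example; it is not KeePass code and does not reproduce its file format. The composite-key construction, the PBKDF2 parameters and the sample key file are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string
from typing import Optional

# Same character classes as the sample password on the page (upper, lower, digits).
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG, the way a password manager does.
    random.choice() would be a bug here: it is seeded predictably and not secret."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length).
    20 alphanumerics give ~119 bits; a five-digit 'combination' gives ~17."""
    return length * math.log2(alphabet_size)


def composite_key(master_password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Fold the master password and an optional key file into one 32-byte secret.
    Hypothetical construction for illustration, not KeePass's actual file format:
    each factor is hashed on its own, then the concatenation is hashed, so the
    result depends on both factors and neither one alone reproduces it."""
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def database_key(master_password: str, keyfile: Optional[bytes], salt: bytes,
                 rounds: int = 200_000) -> bytes:
    """Stretch the composite key with PBKDF2-HMAC-SHA256 so that anyone who
    obtains a copy of the encrypted database pays `rounds` hashes per guess
    at the master password (rounds/salt are assumed values, not KeePass's)."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(master_password, keyfile),
                               salt, rounds, dklen=32)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
    # Constructed key file contents; in practice a random file kept out of the synced folder.
    keyfile = secrets.token_bytes(32)
    k = database_key("a long master passphrase", keyfile, salt=secrets.token_bytes(16))
    print(k.hex())
```

Keeping the key file out of the synced folder is what turns it into a second factor: the database alone, however it is obtained, is then not enough to start guessing the master password.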

So now I've got an encrypted file, accessible only via the KeePass application using my master password (and/or a keyfile). But I want to access that file from anywhere! Enter ... the Dropbox.

It's a box. For dropping.

Dropbox has added some policy updates of late that have made me a little nervous, but I'm still OK using their service to store encrypted data. Simply place your encrypted file in your free Dropbox folder, and now you can access it from any computer, phone, tablet, or computerized llama you use. (Note: Dropbox may not yet be compatible with computerized llamas.)

Finally, for the lazy (like myself), Google Chrome can help with your all new fully random and completely nonsensical passwords. (You know, the ones you'll never, ever remember.) Chrome will remember passwords just like most modern browsers, but, in a twist, will also let you sync that data across all your Chrome installations.

Score! Your information is encrypted on Google's servers, too!

Before and after time! Before, I was using one or two passwords on every site. And frequently the same username. These passwords, while not dictionary words, were also not the most secure. I did this primarily because 1) I needed passwords I could remember because 2) writing them down is a Pretty Bad Idea™.

Now, every account I have has a different password (though usually still the same username), but I only have to remember two - my KeePass file's master password and my Dropbox password. The second is not strictly necessary, unless you ever want to access your password file from a computer that is not your own. (Bonus protip: throw the KeePass installer in there, too. It's small.)

Yes, using a password store takes just a little more time and effort, but, with the number of security leaks in the news, and the lists of accounts available in the seedier parts of the Internet, it may well be worth it to keep your accounts secure. Added comedy trope bonus: tell people your password is so secure, you don't even know it.


  1. I write all mine down! I keep them in a locked index card box! In a locked filing cabinet! With a sign on it that says "Beware of the leopard"! (Seriously!)

    Except my papajohnsonline password. That's in my gmail.

    But hey! I like the idea of doing it like you do! (The voodoo, not the tutu.) I'm not sold on it really being available /everywhere/. It's fine that your password store is in DropBox but - what about KeePass?

    P.S. Don't google "Beware of the leopard" with safe search off.

  2. It's just everywhere enough, in decreasing order of usability. The stand alone version of KeePass (designed to be used with flash drives) runs on Windows and takes up very little space in your Dropbox folder. If the computer you're on isn't Windows or lacks the prerequisite of .NET 2.0, you can still fall back to displaying the password on your mobile device and typing it by hand. Though the truly paranoid may want to keep their leopard on hand during this maneuver, in case there are any password savants looking over their shoulder.

  3. Alrighty, I've joined the cause and am now running Sheezy Plan B91-PKD! Got that USB portable KeePass install sitting in Dropbox along with my new password DB. 95 entries! Also got a key file, but am leaving it out of the ol' DropBox. And no Chrome.

    If it's as good as you claim, I look forward to shredding my index cards! And if it's not? Well... let's just say that Silky (my leopard) won't be very happy.