How-To Geek

What You Said: How You Keep Track of Your Passwords

Earlier this week we asked you to share your techniques for managing and organizing your passwords. Now we’re back to highlight the tools, tricks, and tips you use to wrangle your passwords and internet security.

Photo by Linus Bohman.

The response to our Ask the Readers on Wednesday was prolific; you guys logged hundreds of responses. The responses covered your favorite software, tricks you used to generate passwords without software, and more. Let’s start off by looking at the popular apps you used to manage your key rings.

LastPass, KeePass, and Passes of All Sizes

The majority of you are using a password manager of some sort to manage and organize your passwords. Using an application is a great way to keep track of your passwords as it essentially removes your brain from the entire equation and allows you to assign randomly generated passwords to every single login you use. Rare is the human who could remember 200 logins that were all as random as “&xv$v1oGkuXjs*OBfS79”. The following applications are ordered by the number of times they appeared in your comments.

LastPass: LastPass is a web-based solution that readers, as a whole, absolutely love. It makes good password management incredibly easy. Quite a few of you commented on how you had resisted trying LastPass until you finally gave it a whirl and loved it (this mirrors my own experience of holding out on LastPass only to find out that it was completely awesome when I finally started using it). Gouthaman highlights one of the best things about LastPass:

All my passwords are offered automatically by LastPass when creating an account and they pop-up whenever I need to login. This means that I use a different password for every single web service and yeah, I don’t even remember my Twitter/Facebook/Google password, but my LastPass does!

Kaylin notes that switching to LastPass has overhauled her approach to password security:

LastPass Premium remembers passwords for me. Before that, I had one or two major passwords that I used for most sites. Then I came to realize that method is risky. My LastPass score was only 13 when I started using it, and now I have a much better score because I have changed my habits, thanks to LastPass.

For the curious, Kaylin is referring to the LastPass Security Challenge. LastPass users can take the challenge—which does a local and secure analysis of your passwords—to see how good your password practices are. It scans your password vault, checks whether you’re using varied passwords and multifactor authentication and how many passwords you have stored, and then assigns a score based on that.

LastPass offers a free service and a premium service that costs $12 per year. You can compare the free and premium services here.

KeePass: Many of you just weren’t comfortable with the idea of syncing your password keyring to the cloud, no matter how well encrypted and tested the mechanism might be. That ruled LastPass out, but made you a prime candidate for KeePass—an open-source password manager with a huge following. KeePass offers nearly all the same basic features that you’ll get with LastPass—random password generation, category-based organization—with just a little more hassle syncing things to your browser. You guys overcame the limitations of KeePass with a variety of hacks and fixes. Dave was one of the many readers who used Dropbox to sync their KeePass database between machines:

KeePass, on Dropbox for access by my several machines. On crucial sites (banking, credit cards, &c.) I use 20+ character gobbledygook passwords generated by KeePass. On many forum-type sites I use the same old user name and password, since the worst that could happen is that someone could post something in my non-recognizable name.

Doc uses KeePass and offers a stern word about using only a handful of simple passwords:

KeePass Portable on my D: drive, with another copy (program & database) on my USB drive…password protected, of course.

To those that use “1 or 2 or 12 passwords for everything”…just wait until an account is hacked and somebody you thought you could trust is rummaging through your bank account and emails. If you’re that lax in keeping your password secure, you’re probably using your birthday, your middle name, etc. to generate all these passwords…and they’re easily cracked. Use uppercase and lowercase letters, numbers, and some punctuation to generate real random passwords and store them securely! Better yet, change a few of them each week just to be safer. (Just ask Sony how much pain a hacked account can cause!)

Roboform: Although not as popular as LastPass and KeePass—likely due to a very underpowered free option and a fairly high-priced commercial option—RoboForm still had a strong following. It’s available as both a web-based and a desktop-based solution. Robbie offers a solid overview of the service here:

Roboform (now known as Roboform Anywhere).

Has the advantage of automatically (and securely) synchronizing your passwords across all your instances (unlimited).

Has a very nice configurable password generator feature for times when you want maximum security or when you don’t feel like thinking of a new password.

Also lets you attach notes to each login, allowing you to save things like answers to those annoying security questions that you’ll never remember the exact answer several years from now.

If you are using someone else’s computer or don’t want to install Roboform on a particular machine, you can look up your username & password on online.roboform.com.

Roboform comes in three versions: Free, Desktop ($30), and Everywhere ($20 per year, $10 for first year). You can compare the versions here.

Using Your Brain and Analog Solutions

As handy as application-based solutions are, some people prefer to stick with memory-based solutions or analog-based solutions instead. Quite a few readers shared their tricks for using mental algorithms. Jim offered the most detailed explanation:

[I use] 3 stages:
1) a set of words – sentence, phrase, addresses etc that you can remember – needs to make a string that is at least 50 characters long
2) an algorithm that allows you to get a set of characters from that set of words – such as every ‘n’ characters
3) write down the start point in that string, and the value of ‘n’ that you will use and the number of characters…

And – for those ‘passwords’ that require numeric values the location within the string of the numeric that will be generated from the alpha code in the string – either a=1..i=9, j=10 etc.

And for those that require a non-numeric character there are the characters associated with the number on the keyboard that you get from using the number generator from the string

So – that’s 3 numbers, and optionally – another 1 or 2 numbers. You get to write down a 5 digit code that lets you re-create the passcode, but never write down the source string so no-one else can calculate it.
For the number and special character – you decide if the clue number is going to be from the string start, from the startpoint (first number) , or from the end point 1st+2nd*3rd etc.

Once you have the algorithm pick a character to be the Capital letter, the number and the special character. Consistency makes it easy to remember the character selection algorithm/calculation/formula and after a while you won’t even have problems remembering the source string.

Source – string – what names etc. do you pass on the way to work – streets, shops, business names! Avoid bringing the relations [such as a spouse’s name] into it.

While his technique is thorough, it’s certainly a bit more work than just letting a password manager randomly generate and recall the password for you.
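Jim's scheme written out as an added example (not code from the article or from Jim). The phrase is constructed, and the wrap-around at the end of the string, the US-keyboard symbol row, using the last digit to pick the symbol, and the fixed capital/number/symbol placement are assumptions his description leaves open. `code_space` counts how many letter sequences the written code can select from a known phrase, which is why the phrase itself must never be written down.

```python
import string

# Symbols above the digit keys on a US keyboard (assumed layout).
SHIFTED = dict(zip("1234567890", "!@#$%^&*()"))

# Constructed sample phrase: names passed on a route, 55 letters once normalised.
PHRASE = "Elm Street, Baker and Sons, Corner Cafe, Old Mill Road, Harbour Bridge"


def normalise(phrase):
    """Lower-case the phrase and keep letters only, so positions are stable."""
    return "".join(c for c in phrase.lower() if c in string.ascii_lowercase)


def pick(source, start, step, count):
    """Take `count` characters, every `step`-th one, from 1-based `start`.
    Wrapping past the end of the string is an assumption."""
    return "".join(source[(start - 1 + i * step) % len(source)]
                   for i in range(count))


def letter_number(source, pos):
    """Jim's a=1 .. i=9, j=10 rule for the letter at 1-based `pos`."""
    return string.ascii_lowercase.index(source[(pos - 1) % len(source)]) + 1


def derive(phrase, start, step, count, num_pos, sym_pos):
    """Rebuild the password from the memorised phrase and the written code."""
    source = normalise(phrase)
    if len(source) < 50:
        raise ValueError("source string should be at least 50 characters")
    letters = pick(source, start, step, count)
    number = str(letter_number(source, num_pos))
    # The symbol is the shifted key of the last digit of the letter's number.
    symbol = SHIFTED[str(letter_number(source, sym_pos))[-1]]
    # Consistent placement: capital first, then the number, then the symbol.
    return letters[0].upper() + letters[1:] + number + symbol


def code_space(phrase, max_step=9, max_count=9):
    """Distinct letter sequences reachable from a known phrase when start,
    step and count (4..max_count) are the only secrets left."""
    source = normalise(phrase)
    return len({pick(source, s, n, c)
                for s in range(1, len(source) + 1)
                for n in range(1, max_step + 1)
                for c in range(4, max_count + 1)})


if __name__ == "__main__":
    # Written code "4 5 8 12 3": start 4, every 5th letter, 8 letters,
    # number from position 12, symbol from position 3.
    print(derive(PHRASE, 4, 5, 8, 12, 3))
    print(code_space(PHRASE), "candidate letter sequences if the phrase leaks")
```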

As a halfway between remembering them all and storing them digitally, several of you settled on a paper-based system. Driftwood writes:

As my spouse is not computer literate (read that geek) we keep our passwords in a binder near the computer. It’s not elegant nor geeky, but it works well for us, and if I’m not available someone else that needs in can get there.

Richard takes the passwords-as-recipes approach:

Since 1981, I’ve used index cards and index card file box. Low tech and always handy.

Edron goes the old school route:

I have a composition notebook with all my passwords and save it in a 2 ton safe where my birth certificate and gold are stored.

Now some of you may be shaking your head at the idea of storing passwords on paper. Realistically speaking, however, the chances of somebody breaking into your house and stealing your passwords are next to zero. Even if your home is burglarized they’ll be there for the stuff they can sell easily like electronics and jewelry—and not for the long-con stuff like stealing your identity and trying to harvest money from your bank accounts. You can read more about our take on it in this previous article, What’s Wrong with Writing Down Your Password.


For more information on how your fellow readers store their passwords, make sure to hit up the lengthy comments thread on the original article here. Have a tip or trick to share? Sound off in the comments here.

Jason Fitzpatrick is a warranty-voiding DIYer and all-around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 04/29/11

Comments (36)

  1. johnp80

    I use keepassx since it is multi-platform, however, I just noticed that keepass now includes versions for linux, so might have to give it a shot again :)

  2. devnet

    Keepass on dropbox is the EXACT SAME THING as LastPass…your passwords are in the cloud.

    What would be more secure is using SpiderOak…the stuff they store is encrypted so well that even THEY can’t unencrypt it…no matter if they wanted to or not.

  3. John

    I use the first three letters of the service + a combination of 3 four digit sets + one of 4 five letter words. That way I end up with a 20 character alphanumeric password that is unique to the service. I also happen to have a photographic memory so I just remember them.

  4. kim

    @devnet LastPass actually stores your passwords on your computer, in some heavily encrypted fashion that I don’t understand. If I were choosing a service now I’d be tempted to use an open source one because I believe in that (Linux user here), but LastPass is pretty awesome. Now if only I could teach my parents to use it..

  5. RomelSan

    Always Use KeePass and if you want in the Cloud, then sync with DropBox
    any other service can be hacked & cracked

  6. BleedblueinFla

    Has anyone used Yubikey with Lastpass for two-factor authentication? Is it worth the 25 to 45 dollars for personal use?

  7. Michael Titman

    I know this isn’t a solution that 99% of the population would use, but I use hard-drive serial numbers I’ve memorized throughout the years as my passwords. They’re usually pretty strong, lengthy, and I usually mix up the case when letters are involved. It’ll become a problem when I start to become senile though…

  8. Scribbly

    I’m probably one of the many that moved from RoboForm to LastPass due to steep upgrade fees.

    I also use KeyPass, but mainly for other things.

  9. DavidQ

    Even though I purchased a lifetime subscription to Roboform in the early days, I switched a couple of years ago to LastPass. I got tired of Roboform’s frequent upgrades, and I liked having everything in the cloud where I could get to it from anywhere. Likewise, I switched my wife from 1Password on the Mac to LastPass. The one big annoyance I find with LastPass — actually with inconsiderate web site designers — is Flash-based login needless fanciness that LastPass can’t deal with.

  10. Steve

    I stayed with Roboform, really good despite having to upgrade my netbook and PC as well as my Roboform to go, this is only a small fee really to protect valuable data and accounts, it is clear, simple to use and they offer good customer support too.

  11. Sharkey

    Am I the only one who uses PasswordSafe?

  12. Ms Hanson

    (Insert sound of needle scratched across vinyl record here.) Re: your last paragraph:

    “Now some of you may be shaking your head at the idea of storing passwords on paper. Realistically speaking, however, the chances of somebody breaking into your house and stealing your passwords are next to zero. Even if your home is burglarized they’ll be there for the stuff they can sell easily like electronics and jewelry—and not for the long-con stuff like stealing your identity and trying to harvest money from your bank accounts”.

    As a 2-time survivor of ID theft, my research supports paperless backup – and that means no binders or notes with passwords. Apartment living exposes me to random visits by (low-bid) services bestowed by management. I NEVER allow anyone in unless I’m around.

    Escalating ID theft COMMONLY originates with itinerant workers in these trades. Example: local car dealers referred each other to a wonderful cleaning service, which worked after dealer hours. All that info in the loan, sales & repair depts. was sold wholesale (sic), as uncovered by a 2-year sting.

  13. Jamiem

    For those concerned with LastPass in the cloud, take a read or listen to the in depth review of LastPass on Security Now! with Steve Gibson: http://www.grc.com/sn/sn-256.htm

    After Steve’s breakdown of how LastPass handles security, I paid the $12 to get the premium version that syncs with my iPad.

  14. Cricket

    Well, I’ve always written them down… in varying ways… the last one was in the sense that I wrote down the name of a horse, and used the owner’s first name as a password. I’m a farrier, and have almost four hundred horse names to choose from, and a quarter that many people. If I need numbers… well, I’ve got numbers I use… ;>)

    Not the most useful solution for most folks… but it works for me. Any real life “database” where you know the answers that aren’t written down anywhere… someone’s name, means the color of their car, say, would work… those of us with absolutely no memory for passwords cheat where we can…

  15. ICYTAZ

    Hey all , I’ve been using RoboForm for years now and have always found it really useful especially as when it comes down to it I couldn’t remember the 12 character passwords it creates for me using letters, numbers and symbols. In fact RoboForm lets you use as many characters as you like but twelve characters is easy enough and being able to sync them to a server is great as I never have to worry about losing any of my passwords, Contacts, Bookmarks and Safe Notes. With all the extras like Safe Notes for encrypting small amounts of information and Bookmarks and Contacts I can always be safe in the knowledge my information is safe online. Although I still never use it to keep banking log on details as I’d rather remember those details the old fashioned way. The latest edition of RoboForm works really well with IE9 and Firefox 4. It isn’t free but very cheap to know all my detailed logins are safe and backed up. As for filling bloody online forms out and new accounts details it’s great to right click and have it all done for me with Form Filler, it really makes joining yet another bloody forum easy and quick. Worth every penny in my mind, I’ve looked at the other password managers available and still wouldn’t change from something that’s been trustworthy for over three years.

  16. Ming

    I use the initials of words in a sentence to create my password. Eg: If you live close to a bank then the sentence would be something like: ‘Just 2-minute walk to ANZ’ transformed into initials of ‘j2mWtAnZ’ – use lower and upper case in turn to make it safer. Then you need a reminder just in case you forget it. It can be just ‘ANZ’ and state how many characters it is and whether you use upper and lower case in turn or not. If you want to make it longer, just ‘fantasize’ another two, and group them together. This way even if someone hacks into your password notes, he/she can only guess what those reminders really mean. The pattern of lower upper case combination can vary – lower upper or lower lower upper, etc. But you’d better keep one pattern only unless there is a reminder in place.

  17. 7SeVeN7

    For passwords I use what’s around me, my login for Windows is my product # for my keyboard, p/w for my hotmail, my monitor’s serial #, p/w for skype my mouse serial #, get the idea, my tv, toaster, stove etc etc ALL their serial/manufacturer’s #’s are my passwords. Will always have these around me so will never forget my p/w (of course if I get a new mouse etc etc, I’ll change the corresponding p/w)

  18. Laser

    A long time ago, RoboForm (the original) was considered spyware. Ad-Aware and Spybot S&D used to pick up on it all the time. The modern version probably is not even related to the original but the name itself would make me hesitate to try it.

  19. KGeorge

    I have stored my passwords as notes in my cell phone!!!!! not the safest but it always has been handy.

  20. Dan

    I use Pins.exe. It can be used on your PC, laptop, USB stick etc. Just need a good secure password to open it so nobody else can.

  21. Robert

    I tried LastPass with Chrome. Since I already had passwords remembered by Chrome the two seemed to conflict with one another. Maybe I should stop using Chrome and try LastPass again. Opinions?

  22. Sean @ SpeedySparrow

    I personally use ‘Roboform Everywhere’, works excellently on FireFox and I have used it for over 3 years now. I started off with LastPass but it did not serve what I wanted to achieve.

    Roboform actually serves me and it’s attribution to the Add-ons of FireFox really make it an all in-one perfect password remembering system.

  23. Saptashwa

    Actually, I use LastPass on my External HDD in the form of LastPass Pocket. It is better than KeePass in the way that it doesn’t store your passwords locally (it requests the passwords from Vault). But it offers the same great offline multiple-computer support.

  24. Saptashwa

    @Robert You can import the Chrome passwords using LastPass. As for me, I use both, so that even if I don’t have LastPass extension installed on some machine, I can just sync with my Google Account, and that’s it. So for me, I’m keeping both.

  25. Saptashwa

    And How-To-Geek, please move to Disqus or some other alternative, the WordPress default comment system isn’t up to the mark. No replying, for that matter! Ridiculous in this day and age.

  26. Dan

    Last Pass Premium

    I switched to LastPass many years ago from Roboform and have continued to be impressed by the product. I purchased the premium version 3 years ago and my entire family actively uses Lastpass on our laptops, android tablets, google tv, and our droids (fantastic app). We primarily use Google Chrome but it works on FF or IE as well. LastPass is well worth the $12 a year and I make a habit to print out a list of all the passwords every 6 months and put it in our safe deposit box just in case a catastrophe were to occur where we needed to get a hold of hard copies. I use my droid phone app far more than I thought I would and the key to it all is an aggressive password. My Lastpass password is a pain but I am comfortable no one would guess it even if they watched me type it in over my shoulder. I typically use the 25 character password generator for all of my sites.

  27. Stephen

    If you know how to write music on paper, you can convert your passwords into musical notes. No one will think to look for hidden passwords on sheet music, and sometimes you can make some nice little melodies.

  28. Michael

    In the event of the inevitable……

    Sooner or later, and hopefully much later….someone else is going to have to handle your affairs and should know how to access your passwords. We learned the hard way when my sister died unexpectedly and I was appointed executor. She had a paper list of a few of her passwords, but the rest were in her head. Since she also had a small business, I had to jump in and try to handle her customers. This was complicated by the fact that I could never figure out her email password, and was eventually locked out of her account after too many tries. I learned that the email provider would not release her account even with the proper legal papers, due to the privacy of the other individuals who she corresponded with in those emails.

    So just a caveat — let someone you trust — spouse, parent, adult child, know how they can locate passwords to your accounts if the unexpected should happen. You will make their tasks a bit easier at a difficult time.

  29. ssc73

    PasswordSafe. The only issue is there is no port to Android…………yet.

  30. jon

    I agree with a couple of posters – PasswordSafe is free and seems brilliant – can’t think why it didn’t register on the popular programs. I now have 250 passwords and other bits of useful info stored, and never have to type a password, even that to PasswordSafe itself which I load using a bat file.

  31. durr

    - Keepass on dropbox is the EXACT SAME THING as LastPass…your passwords are in the cloud. -

    Wow, the cloud is so cool <3 … – wait … dropbox has opened the doors to the fbi, ah who gives a damn it's still a great solution. who would not put his/her keys in the public bathroom which is protected by some unknown guy who just tells that he will never let anyone touch your keys, even though your keys are in a portable safe.

    Makes perfect sense

    - What would be more secure is using SpiderOak…the stuff they store is encrypted so well that even THEY can’t unencrypt it…no matter if they wanted to or not. -

    Yeah encryption is always safe, no matter how stupid and naive somebody is.

    I am 12 and what is this? Srsly, you broke the first rule of securing your passwords, you talked about security … and you guys call yourself geeks …

  32. durr
  33. Hawker

    (Note to Ed…….)
    Yeah…You might want to go over this page and make a few corrections regarding Lastpass!…LOL!!
    http://www.zdnet.co.uk/news/security-threats/2011/05/05/lastpass-hack-risk-forces-users-to-change-passwords-40092684/?s_cid=215

  34. Cathleen Caffrey

    I have last pass and use it sometimes. But it is very frustrating because it keeps not recognizing sites I’ve already saved passwords for and asking me again if I want to save the site. I basically use the program just to fill forms now.

    I ended up with multiple versions of the same site. Anyone have any suggestions as to how to avoid this problem? I tried every option I could think of and nothing seems to help.

    It is SO frustrating to read such raves and not hear anyone else comment about this. Am I alone in having this problem?

    Thanks for any feedback. caffreyc@pacbell.net

  35. G-Man

    LastPass possibly hacked? Another good reason to keep passwords safe on your own computer (like with KeePass) and out of the cloud (including using KeePass w/Dropbox).

  36. Dungscout

    I am using the identity safe go along with Norton toolbar. It can be a good option though it doesn’t have the password generator or auto fill form.
