I recently decided to upgrade my password policy to be more secure. My actual workflow is the following:

I use a set of "patterns" to build my passwords, depending on what the password is for, so that I can have different passwords everywhere that I can recover quite easily. But it's flawed in the sense that those password are "predictable". So I'm moving toward randomly generated passwords, managed via a keyring. This solution, while being more secure, require more efforts to deal with. Here are a few problems that need to be solved:

• Portability: it should be easy to carry with you, and work on different systems
  
• Security: this holds all you passwords, so someone getting his dirty hands on it should NOT be able to access it, at all costs
  
• Usability: you login to different services a lot everyday, it should be easy/quick to use
  
• Availability: you should not depend on the machine you're using to be able to use your passwords. You need a way to use it everywhere
  
• Reliability: you don't want your password keyring to be corrupted, as it will lock you out of everything
  
• Stupidity-proof: As for reliability, you'll probably want a sort of "backup" solution, in case your primary solution goes wrong
  

I did not found a solution to all these problems. So far, I imagined the following:

• Portability: plain text file, with one password per line and a hint for each password
  
• Security: encrypt the file with a modern algorithm (AES, Twofish, ...)
  
• Usability: a quick CLI program should be enough to grab passwords, and easily scriptable
  
• Availability: I'm not sure about this one. Make it publicly available via HTTP perhaps? no idea on how to sync it accross devices
  
• Reliability: add checks upon encryption, before replacing the file. Or maybe versionning it
  
• Stupidity-proof: Have it backed-up in plain text on an encrypted USB stick
  

What do you think about this system, would you use it yourself? If not, what would you do differently, or what would you improve?

The main drawbacks for me is portability and stupidity-proof.
It's extremely annoying, with the current solutions, to carry the db of passwords with you and to have to install the appropriate program to read it.

Just imagine yourself wanting to login to your account on another machine.
> Huh, wait let me plug my USB
> Ah, I need to install the 32 bit version of the program to read the DB
> Oh, I don't remember the password to open the briefcase

In those cases you just don't login at all and wait until you get home.

At the moment I stick with the passwords that are in my head and if I can't remember it there's always the "forgot your password" button.

EDIT: The only good password management tool I use is the one that comes with Firefox sync.

NB I'm not a sysadmin, but my thoughts are :-
A pendrive around your neck, but as pointed out above, that needs access to a usb port, which may not be available, so the only obvious alternative is a small pocketable notebook (attached to your belt at all times, whilst at work).

(28-04-2015, 08:54 AM)bsdkeith Wrote: NB I'm not a sysadmin, but my thoughts are :-
A pendrive around your neck, but as pointed out above, that needs access to a usb port, which may not be available, so the only obvious alternative is a small pocketable notebook (attached to your belt at all times, whilst at work).

> Wait a sec, let me check my password.

:) You could carry a whole system in that! ;)

Thinking about it again, the penkey/drive isn't really a solution for corporate companies.
When you take security courses you learn to not let anyone use any usb port on any machine you have.
Just leaving a usb port open can lead to physical escalation.

However, it's still a solution for personal use.

Quote:> Wait a sec, let me check my password.

you unzip the big pocket, open it up and then a small screen lights up, fixed to the top part.
Meanwhile, a small keyboard slowly move upward in an electric clickety sounds.
An electric female voice now speaks: "Please enter your master password, and validate with enter"
type type type
"Hello mister z3bra. Your password for http://nixers.net is: 'Iluvp0niez'. Thanks for trusting banana bags security systems. Have a good day."

Would totally pay for that!

(28-04-2015, 10:20 AM)z3bra Wrote: "Hello mister z3bra. Your password for http://nixers.net is: 'Iluvp0niez'. Thanks for trusting banana bags security systems. Have a good day."

Since when saying your password out loud is secure?

PS: I'm sure someone tried to login as z3bra using Iluvp0niez.

That was for the ironic part ;)

Am I the only one who does not need a password manager? I really don't see them useful, I know that some people have multiple accounts/password, but I am the same and can still manage them. They are pretty lengthy too.