What to do with passwords once you create them

Cryptography expert Bruce Schneier used to write his passwords down on a slip of paper and keep it in his wallet.

Today, he uses a free Windows password-storage tool called Password Safe that he designed five years ago and released into the open-source community. The desktop application lets users remember only one master password to access their password list.

But Schneier still recommends the paper method for people who don't have their computers with them at all times like he does. "Either write the passwords down and put them in your wallet, or use something like Password Safe," he said in an interview on Wednesday.

PGP creator Phil Zimmermann stores his passwords in an encrypted text file, which he described as a "cumbersome, manually operated password management system."

And crypto cracker Karsten Nohl's method is much simpler yet harder--he stores all his passwords in his brain.

"I use a nontrivial function to diversify passwords for every use," Nohl said. "Disclosing anything about the function would lessen its strength. Security-through-obscurity, but only because I cannot compute any strong ciphers in my head."

An informal survey of a dozen or so security experts reveals that some of them still rely on the paper and pen method. One respondent even admitted to succumbing to the post-it-note under the keyboard cliche! (If you do choose to write the passwords down you should avoid including the Web site or other identifying information, obviously.)

Password management isn't sexy but it's a problem that touches everyone who touches a computer. Not only are people forced to create new passwords at a dizzying level as they join social networks, do e-commerce and deal with frequently expiring passwords at work, but there are new and novel password theft methods all the time. Just this week Mozilla disabled a Firefox add-on that was intercepting login data and sending it on to a remote server.

There are a variety of solutions for people who want to upgrade from the paper-based practice. To cover them all would be an exhaustive and impossible task, but I'll mention a few notables.

For those whose computer is always at hand, password managers stored on the desktop can be a good option. In addition to Password Safe, sources recommended another open-source software called KeePass. For the Macintosh, there's 1Password ($39.95), which my colleague Jason Parker said was "the best in its class for the Mac."

I was curious about the USB-based password managers and gave MyKey ($29.99) a try. I found it worked great but it does have some limitations--it only works on Windows-based PCs with the MyKey software installed. This meant I couldn't use it on my home Mac or on friends' computers I used during a recent vacation, something I wouldn't be able to do with a desktop-based system either.

The Yubikey ($25) is another USB password device, but it differs in that it works on any computer or major operating system platform and requires no client software.

"It's the same thing as putting the passwords in your wallet; it's putting them on something physical that you are securing," Schneier said when asked his opinion of using USB devices for storing passwords. "People can lose their keys or their wallet. Just put the passwords on the one you are less likely to lose."

If you want to use a password manager that is not tethered to a particular computer, there are also hosted services where the passwords are stored in the cloud. This offers convenience the other methods don't, but it means you are at the mercy of the security measures deployed on whatever computer you are using, so be cautious about using Internet kiosks and other public Web-surfing computers. You also have to trust that the company hosting the server holding your passwords won't get hacked or otherwise compromised.

If you are interested in a free online password manager service, CNET Blogger Dennis Reilly wrote about RoboForm Online late last year.

Many people find the saved passwords feature on browsers handy, but they may not realize that attackers who get physical or remote access to the computer can easily see those stored passwords. This CNET TV video shows you how to hide them in Firefox by creating a master password for the browser.

A free extension for Firefox, Chrome and Internet Explorer called LastPass encrypts passwords and stores them on your hard drive and is beloved by colleagues at CNET News, as well as Download.com and CNET sister site ZDNet. It runs on the major operating systems, syncs data between multiple browsers, and automatically logs you into a site with one mouse click. And if you are using a computer other than the one you normally use you can retrieve your login information from the LastPass Web site.

Regardless of how you manage your passwords, experts say you should be careful to choose ones that have an appropriate level of security for the intended use or Web site. For instance, you can get by with an easy password for a Web site where all you do is log on to read news. But you should choose a much stronger password--meaning it is more difficult to guess or to figure out using a dictionary attack tool--for banking and other sites dealing with sensitive information like credit cards. And use different passwords for the different sites so that if one password is compromised your other sites or accounts aren't at risk.

Schneier has an excellent essay on how to choose more secure passwords, CNET blogger Larry Magid provides tips for creating strong but easy-to-remember passwords here, and I provide additional suggestions in this story.

"Passwords still work, as long as you use them properly," Schneier said.