UKC

Computer help - passwords

This topic has been archived, and won't accept reply postings.
 goldmember 07 Jan 2014
What is the best way to manage usernames and passwords for a number of different users? I have been asked to look into this. The system needs to be easy to update and able to print out an individual user's passwords without revealing another user's.

I was going to propose a password protected excel document use the tabs for user names and a few columns for company, username and password. This should be easy to set up, update and print out.

However I would like to have a few other suggestions to give, any ideas?


KevinD 07 Jan 2014
In reply to goldmember:
Don't.

Sorry, not ultra helpful, but centrally storing passwords is a nightmare (in a non-hashed and salted form anyway; obviously the latter is sometimes needed).

If you do decide on it though, don't use password-protected Excel, since the password protection isn't the best in the world.
needvert 08 Jan 2014
In reply to goldmember:

Not excel.
OP goldmember 08 Jan 2014
In reply to dissonance needvert :
Cheers Folks.


Any alternatives to Excel you can suggest? I know the simplicity and ease of implementation with Excel will appeal.
 BlownAway 08 Jan 2014
In reply to goldmember:

"Manage usernames and passwords" for what? For access to a machine/directory or individual applications?

Many OSes these days come with, or can be extended by, password self-service mechanisms. No administrator should ever really be put in a position where they record individuals' details.
Simos 08 Jan 2014
In reply to goldmember:

There are sites like Passpack and LastPass that do it. I am sure they'll have many of the features you need, but you need to be comfortable with storing them online; it depends what the impact would be in the unlikely case they were compromised. It's tricky because sometimes people don't trust such systems (I am included), yet in the absence of any system passwords keep flying around unsecured by email, stored in plain text, etc.

I wouldn't use Excel. Ideally I think you should at least mention that it's not good practice; users should have their own passwords and there should be a mechanism for resetting them.
 Neil Williams 08 Jan 2014
In reply to Simos:

There's a small Windows application called Keepass that we use for that purpose at work.

Neil
 ByEek 08 Jan 2014
In reply to goldmember:
> What is the best way to manage usernames and passwords for a number of different users?

We use http://www.passpack.com at work. Each member of staff has to have an account and all company-related passwords are shared between sysadmin and each member of staff. It is free and brilliant. I have since added to it and now have in excess of 60 password entries.

We no longer have that conversation that goes "I have forgotten my password...". The answer is a simple "Passpack it". You can also share passpack passwords so if someone forgets their passpack passwords, you can still get in.
Removed User 08 Jan 2014
In reply to BlownAway:

> "Manage usernames and passwords" for what? For access to a machine/directory or individual applications?

> Many OS these days come with or can be extended by password self-service mechanisms. No administrators should ever really be put in a position where they record individuals details.

This. Users should be responsible for their own details, and admins don't need to know user passwords, and certainly not stored in an Excel document (lol) in cleartext.
richyfenn 08 Jan 2014
In reply to goldmember:

If you really want to use Excel, how about passwording it and then encrypt the file with any one of the free encryption programs out there. May not be best practice though.
 JoshOvki 08 Jan 2014
In reply to goldmember:

I could imagine the auditors reaction if we told them someone has access to all of the passwords.
 BlownAway 08 Jan 2014
In reply to ByEek:

> We use http://www.passpack.com at work. Each member of staff has to have an account and all company-related passwords are shared between sysadmin and each member of staff. It is free and brilliant. I have since added to it and now have in excess of 60 password entries.

> We no longer have that conversation that goes "I have forgotten my password...". The answer is a simple "Passpack it". You can also share passpack passwords so if someone forgets their passpack passwords, you can still get in.

Sounds like a recipe for disaster on many fronts.

Why on earth can't people just man (or woman) up and take responsibility for remembering passwords, without resorting to ridiculous excel spreadsheets, so-called 'specialist' applications and/or post it (TM) notes.

 ByEek 08 Jan 2014
In reply to BlownAway:

> Sounds like a recipe for disaster on many fronts.

> Why on earth can't people just man (or woman) up and take responsibility for remembering passwords, without resorting to ridiculous excel spreadsheets, so-called 'specialist' applications and/or post it (TM) notes.

My approach up until now has been to have two passwords. Every account I join uses one of the two passwords. However, it has been a niggle over recent years that neither is particularly secure, even though they are made of letters and numbers, and if discovered, naturally any hacker would be able to access a large number of accounts. If my email were compromised, I would be screwed because said hacker would then have the power to effectively lock me out of all my accounts, as change-of-password validation emails end up in my inbox.

I therefore now use random passwords generated by passpack and stored in passpack. I have over 60 different passwords currently stored from facebook to my bank logins. Each password is unique. Because of the nature of the way passpack works these passwords are entirely safe and only I can get to them. My online world is a lot more secure than it was, the only inconvenience being that I have to log into passpack account when I want to log into something. This minor inconvenience pales into insignificance when compared to having your identity stolen.

Just out of curiosity, are you genuinely able to remember 60 secure passwords?
In reply to goldmember:

Bad idea - the best system would never have a list of passwords in cleartext available to a sysadmin. If someone forgets a password the sysadmin should be able to let them create a new one.

People tend to use the same password for lots of different things because they can't remember many different passwords. That means a list of 100 people's passwords is likely to have some which are the same as the person uses for their bank or Amazon or personal e-mail. Being able to honestly say no-one ever sees your user's passwords can avoid accusations if someone gets hacked.

Password storing applications need to be treated with extreme care - if you wanted to hack a bunch of passwords offering a password storing app would be a great way of doing it. Similarly, the people providing it may not be competent to write sufficiently secure software in which case the app will be a target for hackers.
 elsewhere 08 Jan 2014
In reply to goldmember:
Go low tech if that works for your requirements - hand written and locked in a filing cabinet or safe.
 BlownAway 08 Jan 2014
In reply to ebygomm:

> password fatigue


With all due respect, I'm not even going to bother reading that.

Password reset applications have been available and evolving for the past few years; all done safely, within the security domain of the operating system.

Auditors have field days when they find out about password storage applications. I have seen the aftermath a number of times.

Man up. If a company can't deploy a reset mechanism, put in place an internal process that is quick and efficient, but most importantly make sure that passwords AREN'T stored outside, and that people understand that they are responsible for managing their own credentials.
 BlownAway 08 Jan 2014
In reply to ByEek:

> Just out of curiosity, are you genuinely able to remember 60 secure passwords?

No, and I would never claim to be able to, but that's largely irrelevant.

I never said anyone should have to remember 60 passwords.

I clearly made a point that the technology exists (and has done for a number of years) for password reset. Companies choose to deploy reset or not. They can choose to allow administrators to CHANGE passwords on request, but they should never store passwords.


 ebygomm 08 Jan 2014
In reply to BlownAway:

> Why on earth can't people just man (or woman) up and take responsibility for remembering passwords,

Could you point me to the part in this answer that suggests a company should use password reset applications rather than storing passwords as your later posts have suggested?
 Neil Williams 08 Jan 2014
In reply to BlownAway:
These applications are very useful for system logins e.g. database logins used by applications. And not everyone has a good memory for random strings of characters (the most secure passwords).

I didn't pick up on the OP suggesting this was a substitute for password resets on individual user accounts. It isn't a good substitute.

Neil
 ByEek 08 Jan 2014
In reply to BlownAway:

> I clearly made a point that the technology exists (and has done for a number of years) for password reset. Companies choose to deploy reset or not. They can choose to allow administrators to CHANGE passwords on request, but they should never store passwords.

True, but then it comes down to a question of support. I am not a sysadmin, but I would imagine that in a large organisation that implements a strict password policy but doesn't have an easy way of managing passwords on behalf of users, they will spend a huge amount of time resetting people's passwords. Something that is a complete waste of effort. People have to write down their works passwords somewhere (I have 13 work related passwords) so better use something that is secure than delegate such a responsibility to the user who will no doubt use a non-secure spreadsheet or worse.

The thing that we IT folks forget is that we are imposing a very IT-centric concept (passwords, and lots of them) on people and all their lazy traits. I hail any website that allows authentication using GMail or Facebook login credentials, because they understand the nightmare of passwords that befalls their users.
 BlownAway 08 Jan 2014
In reply to ebygomm:

> Could you point me to the part in this answer that suggests a company should use password reset applications rather than storing passwords as your later posts have suggested?

Why? It's both the responsibility of the company and the users.

Users SHOULD man up. Companies SHOULD have the correct systems and/or process in place.

The fact that the response you mention doesn't refer to password reset mechanisms isn't important; the two are not - and shouldn't be - mutually exclusive.
 BlownAway 08 Jan 2014
In reply to ByEek:

> I hale any website that allows authentication using GMail or Facebook login credentials because they understand the nightmare of passwords that befalls their users.

I agree. People have their FB accounts hacked on a regular basis...
 ByEek 08 Jan 2014
In reply to BlownAway:

> I agree. People have their FB accounts hacked on a regular basis...

Yes. Because people have weak passwords or disclose them. That doesn't get around the headache that befalls a user that has to manage 20+ accounts, that each require a password.

I now only have two passwords, and one of those can be compromised and you still wouldn't be able to get hold of all my passwords. Still not ideal, but a damn sight better than having two passwords for all of my accounts, neither of which was particularly secure.
 BlownAway 08 Jan 2014
In reply to ByEek:

But I disagree with this:

> Something that is a complete waste of effort.

What IS a complete waste of effort is the remedial actions taken when passwords are compromised, or auditors identify failures to comply with security processes, start to ask more questions about "how do you change your password, or reset it if you've forgotten it", or discover spreadsheets containing passwords in clear text.

The aftermath of the above can often be more time consuming and expensive to resolve than the deployment of a simple process (led by a help desk/superusers, SMEs... whatever it needs to be) to assist with password changes, even in a small company.

> People have to write down their works passwords somewhere (I have 13 work related passwords) so better use something that is secure than delegate such a responsibility to the user who will no doubt use a non-secure spreadsheet or worse.

Delegation isn't needed when you know you can either reset your own password securely or have it changed by the helpdesk (or others, as above). If people think they need to write down their passwords, then their infrastructure is not supporting them.



 ByEek 08 Jan 2014
In reply to BlownAway:

> What IS a complete waste of effort is the remedial actions taken when passwords are compromised, or auditors identify failures to comply with security processes, start to ask more questions about "how do you change your password, or reset it if you've forgotten it", or discover spreadsheets containing passwords in clear text.

Fair enough. But people need to write passwords down and will do so regardless of any policy. Surely it is better to provide them with a tool like passpack than just ask them to wait a several hours for their password to be reset each time they need to log into the system that is only required three times a year?
 Jack B 08 Jan 2014
This argument about whether or not online password storage tools are fit for purpose is very illuminating, but I don't think it's helping the OP very much. In any event I think the answer depends on the value of the information being protected: storing all my forum accounts in Passpack = fine; storing the root password for the bank mainframe = not cool.

I think it might help if the OP was a little more clear about what these passwords are for and why he wants to have a record of them.

Are these passwords customers use to access your system? Passwords your employees/colleagues use to access other people's systems? If the former, do you control the system the passwords are for (so you could do some form of reset instead)?

Why do you want a central record of them? To remind people when they forget?

What would the consequences of a breach be? What do these passwords protect? If they are the pointless and annoying accounts some vendors make you create on their website so you can view prices, then security matters less than accounts where people can spend money, or access confidential information. Bear in mind that if these are supposedly private passwords that your customers/employees created, they might have re-used their bank passwords.

What is the current system? What's wrong with it?

It is rather unlikely that Excel is the best way to go. As mentioned above, cleartext passwords make professionals weep and auditors rage. Most would also be queasy about one person (you?) having access to everyone's passwords. If you do go down that path, you should be aware that passwords on excel documents can be broken in a matter of minutes using freely available tools.


 Neil Williams 08 Jan 2014
In reply to Jack B:

However I would imagine auditors to have no problem with proper, secure password tools like Keepass which are used by big businesses including where I work. Their advantage is that they mean very secure passwords can be used (e.g. 32-character strings of random numbers and letters) and that people don't just set all their passwords to the same thing.

Neil
Removed User 08 Jan 2014
In reply to ByEek:

> But people need to write passwords down and will do so regardless of any policy.

Why would people 'need' to write down passwords? The entire point of a password is that it's secret. Writing it down (and being stupid enough to stick it on your computer monitor for example) should be grounds for disciplinary action. It's like a doctor locking up patient files and leaving the key taped to the filing cabinet.

In reply to goldmember:

You can hide them pretty easily on your computer on some unobvious file on your computer that's given some obscure name, and you can play doubly safe by spelling out the website it's used for phonetically, e.g. 'you kay sea', or referring to it indirectly eg. 'british climbing website'. That's what I do anyway - or is there some danger I've overlooked?
Removed User 08 Jan 2014
In reply to Gordon Stainforth:

Well the obvious danger is that anyone who has access to your computer has access to all of your passwords. Security by obscurity doesn't work, that's why people use passwords/encryption in the first place.
 rallymania 08 Jan 2014
In reply to goldmember:

OK, haven't made it to the bottom of the thread, so sorry if I'm repeating advice.

rather than doing what you are asking, i'd turn it around and ask why users have so many different passwords in the first place? are these systems all managed by your own company or 3rd party websites?

Single sign-on using a directory service such as LDAP (in Windows land you'd be looking at Active Directory) is a much more efficient method for business users and much simpler for the sysadmin and users to manage.

Basically you log onto your workstation using an Active Directory domain account and you permission your applications / intranet sites in AD. The user launches the app, Active Directory presents their logon details and gives them access to the applications that their account is authorised to access.
 ByEek 08 Jan 2014
In reply to Removed User:
> Why would people 'need' to write down passwords? The entire point of a password is that it's secret.

How else do you propose I memorise my 65 passwords? All of which are different consisting of 10 or more random characters, numbers and punctuation marks.

You can log into my passpack account if you like but you won't see any of my passwords without the packing key which is the only password I need to remember.
Removed User 08 Jan 2014
In reply to ByEek:

I'd suggest yours is a special case. I don't know what you do but that's an excessive amount of passwords to need to remember. For the normal person needing to remember a few passwords writing it down is just ridiculous.
 ByEek 08 Jan 2014
In reply to Removed User:

I wouldn't say I was a special case. I have two email accounts (work and personal), then there is Facebook, 3 online banks, one credit card, online energy suppliers, eBay, online supermarket, Amazon, online mortgage, nursery vouchers, pensions (3) and so on... to name just a few.
Removed User 08 Jan 2014
In reply to ByEek: I'd still suggest yours is a special case. You must be in the extreme minority of people who feel the need for a strong, completely random password for every 'junk' site you login to, like nursery voucher websites.

It's a bit strange because these days the overwhelming majority of accounts that are compromised aren't compromised due to weak/guessable passwords.
 remus Global Crag Moderator 08 Jan 2014
In reply to Removed User:

To keep using ByEek as an example, I'd want a decent password for at least the email accounts, the online banks, the credit card, the mortgage, the pensions, eBay and Amazon. By my count that's 12 separate passwords; if you're picking decent passwords then that's still a lot to remember, especially for things you're unlikely to use on a regular basis (e.g. pensions, mortgages etc.).
 ebygomm 08 Jan 2014
In reply to Removed User:

Just in a work related context I have 20 plus passwords to remember.

Some have to be updated monthly
Some are generated and unchangeable
Different complexity requirements, different lengths, different rules on reuse

I don't find it surprising that people resort to storing passwords as notes in their email folders.
Simos 09 Jan 2014
In reply to Neil Williams:

Used keepass before, it's also on Linux which was great for us but it is a bit of a pain to use. Secure though...
KevinD 09 Jan 2014
In reply to Removed User:
> (In reply to ByEek) I'd still suggest yours is a special case. You must be in the extreme minority of people who feel the need for a strong, completely random password for every 'junk' site you login to, like nursery voucher websites.

The other option is password reuse or at the least password patterns.
Given that it's not unknown for login information to be poorly secured by companies, if their security is breached then you risk losing access to other sites.
For example adobe got breached and given the poor hashing used quite a few passwords could be made plaintext.
Facebook took the leaked list and tested for password reuse on their own site. They found enough they decided to disable those accounts and push people through a special authentication routine.

So on an individual level using a good password manager isn't necessarily a bad thing, although I would avoid an online variant.
I use one for most passwords and site info.

What is a bad thing though is what was being suggested initially which is other people having access to it.
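Three of the points made in this thread fit together as one piece of code: KevinD's remark that central storage is only tolerable in hashed and salted form, BlownAway's insistence that a helpdesk should change a forgotten password rather than keep a record of it, and the Adobe/Facebook story just above, where a leaked list was tested for reuse against another site. The following is an added Python example written for this page; it is not code from the thread or from any product named in it. The user names, passwords and "leaked" records are constructed for illustration, and the record layout, function names and PBKDF2 iteration count are the example's own choices.

```python
"""Added example: salted slow hashing, reset-not-store, and a reuse check.
Not from the thread; sample users, passwords and leaked records are made up."""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value); raise as hardware allows


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh 16-byte random salt is generated unless one is supplied, so two
    users with the same password get different stored values."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. The clear password is never written anywhere."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_user(db, username, password):
    db[username] = {"hash": hash_password(password),
                    "must_change": False, "temp_expires": None}


def login(db, username, password, now=None):
    """Return 'ok', 'change_required' or 'denied'."""
    now = time.time() if now is None else now
    rec = db.get(username)
    if rec is None or not verify_password(password, rec["hash"]):
        return "denied"
    if rec["temp_expires"] is not None and now > rec["temp_expires"]:
        return "denied"  # temporary password has expired
    return "change_required" if rec["must_change"] else "ok"


def helpdesk_reset(db, username, ttl_seconds=3600, now=None):
    """Forgotten password: the helpdesk issues a random temporary password and
    stores only its hash. The clear value is returned once for hand-over and is
    not retained, so there is never a list of passwords to leak."""
    if username not in db:
        raise KeyError(username)
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(12)
    db[username] = {"hash": hash_password(temp),
                    "must_change": True, "temp_expires": now + ttl_seconds}
    return temp


def change_password(db, username, old_password, new_password, now=None):
    """Users set their own replacement; the old (or temporary) one must still work."""
    if login(db, username, old_password, now) == "denied":
        return False
    create_user(db, username, new_password)
    return True


def find_reused(db, leaked):
    """`leaked` is an iterable of (username, cleartext) pairs recovered from
    some other site's breach. Return the users whose current password here
    verifies against the leaked value: the accounts to lock and re-verify."""
    return [u for u, pw in leaked
            if u in db and verify_password(pw, db[u]["hash"])]


def demo():
    # Constructed sample data for the example; not real accounts.
    db = {}
    create_user(db, "alice", "correct horse battery staple")
    create_user(db, "bob", "Summer2013!")
    leaked = [("bob", "Summer2013!"), ("alice", "hunter2"), ("carol", "letmein")]
    reused = find_reused(db, leaked)                     # ['bob']
    temp = helpdesk_reset(db, "bob")                     # hand to Bob once
    first = login(db, "bob", temp)                       # 'change_required'
    changed = change_password(db, "bob", temp, "another unique passphrase")
    stale = login(db, "bob", temp)                       # 'denied'
    return reused, first, changed, stale


if __name__ == "__main__":
    print(demo())
```

The reuse check only works because the breached site's passwords were recoverable in clear, which is exactly the failure the Adobe example describes; a site that stores salted PBKDF2 values as above gives a later attacker nothing to test against other sites. The helpdesk path is the point BlownAway was making: the operator can change a password, but at no moment does anyone hold a list of them.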
 ByEek 09 Jan 2014
In reply to Removed User:

> minority of people who feel the need for a strong, completely random password for every 'junk' site you login to, like nursery voucher websites.

The problem is that I was using the same password for my 'junk' sites as I do for my email and banking. So if the junk site was hacked, it wouldn't be too much effort to get into my email and bank.

If I am rare in figuring this out then the worrying fact is that I am being stigmatised by people who are clearly completely unaware of how easy it would be to have their lives tipped upside down for want of using secure passwords - even for junk sites.
 caravanshaker 09 Jan 2014
In reply to goldmember:

Nice simple explanation of password strength and good passwords: http://www.xkcd.com/936/

Probably a recap of the other posts, but there you go...

Use something like Keepass locally, keep an offline backup on a CD in case the worst happens.
Never upload/disclose passwords to any 3rd party site outside of your administrative control.
Use unique passwords for every different site/application; KeePass makes this easier.
Keep your AntiVirus up to date, there are trojans out there that will try to sniff your passwords.
Use HTTPS wherever you can, this'll help https://www.eff.org/https-everywhere

HTH
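The arithmetic behind the xkcd strip linked above, as an added Python example rather than anything posted in the thread. The word list is a constructed stand-in (a 2048-word list gives the 11 bits per word the strip uses, and the strip's figure of 44 bits for four words follows from that). The guess rates are assumptions for illustration: 1,000 per second roughly models a throttled online login, 10^10 per second an offline attack on a leaked fast, unsalted hash.

```python
"""Added example of password entropy arithmetic; not from the thread.
WORDS is a constructed stand-in for a real word list."""
import math
import secrets

# Constructed stand-in word list; a Diceware-style list has 7776 words and a
# 2048-word list gives the 11 bits per word used in the xkcd arithmetic.
WORDS = ["correct", "horse", "battery", "staple", "crag", "rope", "anchor",
         "belay", "chalk", "summit", "ridge", "cam", "nut", "sling", "harness",
         "helmet"]
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols each chosen uniformly and independently from
    `alphabet_size` possibilities: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate; the expected time to success is half this."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(words, count):
    """Pick words with the CSPRNG. The entropy estimate only holds when the
    words are chosen uniformly at random, not when a person picks them."""
    return " ".join(secrets.choice(words) for _ in range(count))


def generate_random_password(length, alphabet=ALNUM):
    """The KeePass-style alternative: random characters from a fixed alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(guesses_per_second):
    """Bits and worst-case brute-force years for the schemes discussed above."""
    year = 365.25 * 24 * 3600
    schemes = {
        "4 words from a 2048-word list": entropy_bits(2048, 4),
        "8 random alphanumerics": entropy_bits(len(ALNUM), 8),
        "32 random alphanumerics (KeePass style)": entropy_bits(len(ALNUM), 32),
    }
    return {name: (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second) / year)
            for name, bits in schemes.items()}


if __name__ == "__main__":
    # Assumed rates: throttled online login vs offline attack on a fast hash.
    for rate in (1_000, 10_000_000_000):
        print("at %d guesses/s:" % rate)
        for name, (bits, years) in compare(rate).items():
            print("  %-40s %5.1f bits  %.3g years" % (name, bits, years))
    print(generate_passphrase(WORDS, 4), "|", generate_random_password(12))
```

At 1,000 guesses per second the 44-bit passphrase takes roughly 550 years to exhaust, which is the strip's point; against a leaked fast hash at 10^10 guesses per second the same 44 bits fall in under an hour, which is why the site holding the password must store a salted, slow hash and why the 32-character random strings mentioned earlier in the thread are only practical with a manager.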
mgco3 10 Jan 2014
In reply to goldmember:

By default I would say that any user who cannot remember secure passwords required to access important business systems is clearly too stupid to be given access to the systems in the first place!!!!

