Today – with the need to register online for everything, the personal
overhead in creating and managing user IDs, account names, and passwords is
getting out of control. I use a separate MS-Word document to track all this
stuff. I use different level passwords (level 1-3) where Level 1 is for stuff I
do not care about and is open through Level 3 which I rarely use on things like
online-banking, etc. In the MS-Word document I do not actually record the
password – I trust myself to remember this, but I do annotate the account with
the specific level password I use (level 1, level 2a, etc.).

This actually works OK for me, but still – I need this MS-Word document
to remember all my references and if I am not on my own computer, I am a bit
lost… I was thinking of maybe putting this on an FTP site, but I am
concerned for the obvious security issues.
I cannot be alone with this problem. Is there a better system out there?
A personal password management system that enables me to access all my accounts
and level passwords in a secure manner? I see there are things like
PasswordLocker, but I am not sure I trust the security piece.
Do you have any suggestions?

My approach has changed since this article was written. I now recommend and use LastPass. See Managing Lots of Passwords for a video demonstration (with transcript).

First off, I have to say that your approach is already pretty good. The fact that
you’re not actually storing the passwords themselves, but just a mnemonic
device for yourself, is an excellent technique that most people don’t think

My approach is similar, I use different “levels” of passwords, for example,
but I use Excel instead of Word.
I have a spreadsheet in which I keep all the sensitive information, and
that, then, is kept in an encrypted virtual drive using free open source
software called TrueCrypt. I’ve written about it before, discussing how to keep the data on my

Unfortunately I don’t really have a good solution for access anywhere
without having your own computer in front of you. Your approach using numbers
to represent passwords seems reasonably secure, and I’d probably be OK with
putting that on a password-protected website or FTP site. Even if someone did
get that list, they would only get your mnemonics, and not your actual
passwords. It would take a little work, but depending on how server-savvy you
are, you could encrypt that on the server and only decrypt on demand when the
correct passphrase is supplied. You could further put it on a secure (https)
page so as to prevent network sniffing.
The more common approach is to use a USB thumb drive with the data thereon
encrypted. Even a small inexpensive one is large enough to carry both the data
you care about, and the decryption software needed. The downside, of course, is
that to access the information you’ll need access to a computer with a USB
port, and an operating system compatible with the decryption software.
TrueCrypt, for example, is Windows only. In a case like this, I would keep the
data in a plain text file, so as not to require an additional program, like
Word or Excel, to view the data once it’s decrypted. And I’d certainly keep
an UNencrypted version in a secure location as backup.
Most password management programs that I’ve seen all boil down to something
very similar: an encrypted database with a secure UI to view and alter the
contents. I’ve come to avoid those programs simply because their encryption is
often unproven, the database formats non-standard, and like you, I’m just not
sure I always trust them.
And they don’t solve the access-anywhere problem that you’re asking

So I know that didn’t answer your question about alternatives, but given
your approach, I’d be OK with the information on a password-protected FTP site.
Hopefully I’ve given you some additional approaches to think about as well.
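
The idea mentioned above of keeping the list encrypted on the server and decrypting it only when the correct passphrase is supplied can be sketched as follows. This is an added example, not code from the original article; it assumes the third-party Python `cryptography` package, and the function names and the sample list are constructed for illustration.

```python
import base64
import os
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

SALT_LEN = 16  # random per-file salt, stored in the clear in front of the token

# Constructed sample: accounts mapped to password "levels", no real passwords.
SAMPLE_LIST = "forum.example: level 1\nshop.example: level 2a\nbank.example: level 3\n"


def _key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a Fernet key with scrypt, a memory-hard KDF."""
    kdf = Scrypt(salt=salt, length=32, n=2**14, r=8, p=1)
    return base64.urlsafe_b64encode(kdf.derive(passphrase.encode("utf-8")))


def encrypt_list(plaintext: str, passphrase: str) -> bytes:
    """Return salt + Fernet token; only this blob is uploaded to the server."""
    salt = os.urandom(SALT_LEN)
    token = Fernet(_key(passphrase, salt)).encrypt(plaintext.encode("utf-8"))
    return salt + token


def decrypt_list(blob: bytes, passphrase: str) -> Optional[str]:
    """Decrypt on demand; None means a wrong passphrase or a modified blob."""
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    try:
        return Fernet(_key(passphrase, salt)).decrypt(token).decode("utf-8")
    except InvalidToken:
        return None


if __name__ == "__main__":
    blob = encrypt_list(SAMPLE_LIST, "a long passphrase only I know")
    print(decrypt_list(blob, "a long passphrase only I know"))  # the list
    print(decrypt_list(blob, "wrong guess"))                    # None
```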