So here is how I manage all my passwords (Opinion Wanted)

[vulcanman]

After spending years chasing the next best app for Password Management .. I have returned to the stone age technique ...

I created an excel spreadsheet 47 rows X 7 columns and populated it with absolutely random 12-character passwords. Each password has uppercase and digits.

So cell A17 would, say, contain the word 5Re4sGawerTy

I print two copies of this file (or how many ever) and then delete the original electronic version of the file.

Now lets say I want to open an account on Amazon.com ... I decide that the username will be A17 and password would be G40

I create a draft email in gmail with the subject line "Amazon U/P" and in the message box type in A17 (username) and G40 (password). By the way I use 2-factor authentication for all my Gmail accounts ... and it uses a password system that does not depend on this technique. LOL!

When I want to remember my username and password I do a quick Gmail lookup and then use the hard copy for the actual password.

If I want to change passwords ... I recreate a new random password list but can continue to use my gmail draft folder for the reference cell number.

I used to use LASTPASS ... but became worried about putting too much faith and trust in a company/group that exists on the other side of the wire.

This is the most boring technique of password management but I think its quite secure.

I am looking for someone to punch holes in my technique!

[mechBgon]

If you find this system workable, it's a lot better than most.

Nitpicks:

1. you need your hard copies on hand.

2. you have to type a random 12-character password correctly.

3. 12 characters may not hold up against hardware-accelerated brute-force cracking for very long if the website's encrypted hash database gets compromised and they don't notice for a while. It would depend on the encryption scheme; some are very fast for a GPU-accelerated crack rack to reverse. For my most critical sites, I use as long a password as the site permits (32 characters for my bank, for example).

4. some sites allow more variety of password characteristics than others. For example, if a site only allows alpha-numeric characters, then a password of a given length wouldn't be as strong as if you can also use common symbols. And if you can use high-ANSI characters like, say, ™ or š or Ž, that further complicates a brute-force attack by expanding the character set they have to try. So you could check which sites will allow an expanded character set, and tweak your passwords to include additional stuff as permitted.


The downside is that I'm suggesting even more complication than you're already putting up with In my case, I use a fingerprint reader and software to automate the process. One swipe, monster 32-character password entered, no errors. Unfortunately the company that makes the software got bought out, and the buyer (Apple) won't sell it anymore!

[corkyg]

Interesting. But, I agree with Mechbegon's last para. I let Roboform handle that on all my systems, all sync'd.