Six Clicks: How do you keep track of all your passwords?

Six Clicks: How do you keep track of all your passwords?

Summary: If you have just one password for everything it's easy to remember, but we all know that isn't safe. So how do you keep track of a large number of them - and not have to worry about it?

TOPICS: Security

 |  Image 1 of 6

  • Thumbnail 1
  • Thumbnail 2
  • Thumbnail 3
  • Thumbnail 4
  • Thumbnail 5
  • Thumbnail 6
  • Worst: Your own internal memory

    Passwords are the great curse of the modern Internet user. The more you use the Internet, the more you rely on passwords, and the harder it gets to use them properly.

    To use passwords properly you need to make them complex, not reuse them on different sites and change them periodically. Not many people really follow through on all this, but some password management methods make it easier than others.

    The first one, the one everyone uses at first, is to remember them. This has the benefit of simplicity, but it's not really sustainable. If you have 50 different sites with passwords, can you really remember 50 different complex passwords?

    So people come up with tricks to remember them. One is to use one password and attach a site-specific prefix or suffix, e.g. fl00rb0ard.FB and fl00rb0ard.Twitter. This helps a little, but if one of your passwords is compromised, all of them are.

    There are more complex ciphers that some people use to make the specific password less obvious, but the more you obscure the result the more you give yourself to remember.

    The image nearby, a well-known XKCD cartoon, illustrates some of the issues with password ciphers, but the cartoonist misses one point: It's just one password. What about the other 49?

    And if you need a strong and unique password, you can generate one at

    Previously on Six clicks

    Simple and time-saving Google search tricks

     Can your browser do these tricks?

    Dead software we loved

  • Barely there: A piece of paper tacked up next to your desk

    This one depends on your physical surroundings. If you use your passwords from one private location, this could be a good solution for you.

    The fact is that the threats to most users' passwords are online threats, not physical threats. Another advantage of this technique is that normal people can relate to the risks more clearly than they can to the risks of using passwords online.

    On the other hand — obviously — anyone who can see your list can read it, take a picture of it, etc.

    Image courtesy Dan at

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I use Roboform

    I purchased Roboform Anywhere years ago, and it remains one of the best purchases I ever made. It will integrate with IE, Firefox, Chrome and Opera when it detects they are installed on your PC. It lets you generate random passwords with characters chosen from character sets you can select (lower case, upper case, numerals, and special characters). And it syncs your passwords in the cloud so changes on one device are immediately available on all other devices where you have Roboform installed.

    On my Windows PC's, I can set my browser home page to use the Roboform start page to display links to all my favorite sites and most-recently-visited sites, so I click the link and am taken to the site and logged in seamlessly.

    In addition, I can set Roboform to store and provide login information for Windows desktop applications as well, if I wish.

    There are versions for mobile platforms as well, including Android and Windows 8 phones.

    All in all, a VERY useful product that serves me. I couldn't live without it.
    • Horrible idea

      Locking your passwords into a proprietary cloud-based vault that makes it difficult to export/reclaim them is a horrible idea.

      From wikipedia: "When Siber Systems first released Roboform, they had lifetime free upgrades. In 2004, they released a Roboform Pro version and had limitations on the free version. In December 2010, they changed the policy for their new Roboform 7 version and purged from their website all mention of their previously-published free upgrades policy. See also Free Version Upgrades. Siber Systems also removed the option to export the user data with the full URL, making it harder to export to a number of competing password managers. They began offering two versions, a desktop version licensed for one computer only and the aforementioned Roboform Everywhere for every computer which is a yearly subscription fee.[1] The functionality of the previous Roboform version 6 will gradually cease as Roboform browser plug-ins are "frozen": not updated to support new browser versions.
      Following this controversy, Roboform's accreditation with the Better Business Bureau (BBB) Accreditation Standards was revoked on June 30, 2011 due to a failure to respond to and resolve complaints."
      • And so your preferred solution is?????

        I acknowledge that use of any particular password management service implies a high level of trust. At this point in time, Siber Systems has my trust, and they provide a highly-functional product that saves me a lot of time, and provides a level of convenience I find very useful.

        I am not sure I understand the 'complaints' you lodge (via Wikipedia) against Siber Systems. I certainly don't begrudge them the right to be compensated for their work to expand and improve their most current product version. Their decision to cease their free product, which I used as my first introduction, is understandable. I miss it, but I also welcome the new features of the paid version 7 product.

        As for not allowing Roboform data to be exported to competitor's products, Siber Systems is not alone in being reluctant to encourage use of other products. Ever try to export music from your iTunes account in Windows Media (.WMA) format? Good luck with that! My point is that no developer is obligated to make their product compatible with anything. If they do opt for compatibility with other products, it should be based on sound business reasons, not just to please users who want to jump ship.

        And complaining about loss of support for older versions??? Seriously??? We've ALL had to deal with that issue, and as a developer myself, I don't want to be chained into support obligations for aging, poorly-performing and feature-lacking products, when I've created much better-performing products with features that were impossible using the technologies of the previous versions.

        The bottom line is that customers are free to choose the products that best meet their needs, and to pay whatever amount they feel is justified. If you want to keep your password on a spreadsheet you have to manually update and which you must refer to each time you login to a web site, that's your choice. I pay Roboform for a service to avoid just that kind of nonsense, and the convenience is well worth the cost to me.

        Your mileage may vary...
        • Real solutions exist

          Locally encrypted password management tools combined with a cloud service is far better than wholly trusting the keys to the kingdom to some random company. People have posted a couple examples further down in the comments.

          You are one security breach from disaster. Do you trust all of Siber's employees? What security practices do they employ? Are they financially solvent? Do they have backdoors in their software? I doubt you can answer any of those questions...and there are more I could ask, like what happens if they suffer a catastrophic outage and data loss?

          If you feel comfortable with them, that's one thing, but to advise others that it is a secure solution is irresponsible.

          >"Ever try to export music from your iTunes account in Windows Media (.WMA) format? Good luck with that!"

          All my music is in FLAC format and has been for a long time. It's my music and I won't let anyone else lock it away from me in some stupid format that doesn't obey my wishes.

          >"My point is that no developer is obligated to make their product compatible with anything. If they do opt for compatibility with other products, it should be based on sound business reasons, not just to please users who want to jump ship."

          I'm a developer too, and while I agree that a developer can do anything he/she likes, a smart one will respect their users enough not to lock their data up and hold it hostage. When a company like Siber makes it difficult to retrieve YOUR data, they are behaving like cryptolocker malware...only varying in the degree which they hold your data hostage. Best to avoid them.
          • I'm not sure I see...

            how a 'locally encrypted password management tool combined with a cloud service' is fundamentally different than the Roboform I use. You didn't state if the 'cloud service' you speak of is passively storing a copy of your password data or if it is actively syncing across devices, but that's what Roboform does for me. If your product is storing your passwords locally, so is my Robofom. I can revert to my locally stored passwords at any time. My encrypted passwords are protected by an encrypted master password.

            Also, depending upon the cloud service you use, your cloud provider may have been the target of some data breaches. How confident are you with your provider, given some recent high profile breaches that went unreported for long periods. History has shown that many corporations are very reluctant to reveal data breaches, so you shouldn't be so quick to believe that your providers are immune, any more than I am.

            I agree that the questions you pose about the viability of Siber Systems are valid. But I'm not certain any of us have sufficient insights into the inner workings of the cloud (or desktop) developers who offer their products or services for sale. I am not any more antsy about Siber Systems' employees than I am about those of Box or Dropbox or Google Drive or any number of organizations that we have entrusted with our 'stuff.'

            Are we all too trusting? Probably. Is there any regulatory body with the authority to impose encryption and security standards on cloud service providers? Not currently. Any chance such an agency will emerge soon. Not hardly.

            We all deal with the organizations with which we feel comfortable. As the recent Target data breach shows, organizational size and a hefty balance sheet brings no greater assurance of data security. I'm no conspiracy theorist, but I'd venture to say that there are more data security issues than we are ever aware of. It's only human nature to play CYA when there are data theft problems that have consequences for your reputation and (consequently) profit$.

            I'm just trying to function in an increasingly password-enabled web-based world. I've found a tool that helps me do that. If your search leads you on another path that pleases you more or makes you feel your data is safer, I'm glad. I hope neither of us has any long-term regrets.
          • If it is encrypted locally using strong encryption...

            ...and I was certain the cloud provider had no access to the plain-text of my passwords, a lot of the objections go away. I honestly am not sure how Roboform works in that regard (how can I, since it is closed source).

            The solution is not to impose encryption standards on the providers, but to ensure the data is unintelligible to them by encrypting it locally before transmitting it. That way a provider data breach nets attackers nothing useful, including those from overzealous three-letter agencies.

            I will not trust any closed source software. I only run open source on my equipment. If I am forced to sometimes use closed source for work, I will only run it in a fresh, restricted virtual machine, i.e. minimal credentials, network restrictions (custom firewall, NAT), data transmissions logged, no access to important data, revert snapshots after every run, etc.

            > "I'm just trying to function in an increasingly password-enabled web-based world. I've found a tool that helps me do that. If your search leads you on another path that pleases you more or makes you feel your data is safer, I'm glad. I hope neither of us has any long-term regrets."

            Agreed. I think we all are. Ironically I don't use any of the methods discussed in the article. I juggle about thirty or forty passwords on a weekly basis. For throw away stuff I usually use around 20 character passwords. For everything else I use 45 characters and up. I just remember them. I guess I'm just lucky that way. :)

            It always irks me when sites put incredibly short maximum length limits and weird character restrictions (no spaces, no punctuation) on their passwords. What's up with that? I've even seen sites that wouldn't allow sql commands embedded in passwords. They must think I'm little Bobby Tables...or they have really crappy site developers who think that's how you prevent sql injection attacks.
          • ..password-enabled web-based world..

            Roboform..end of story. Desktop version and to be honest I couldnt get by without it...wont make me a coffee but hoping for this feature in next version.
            'For everything else I use 45 characters and up. I just remember them. I guess I'm just lucky that way'
            Not everyone has the time to juggle and reset passwords on a weekly basis and some people are just good at things other than memorising 45+char passwords. Will agree on one thing though..flac all the way and 24 bit vinyl rip wherever possible:}
          • Trust everyone?

            Whenever you wright a check, or send a check through the mail to pay for a purchase or a bill, are you TRUSTING everyone who might see or have their hands on your check? Your check has your Routing number (identifies your specific Bank) and you Account number printed at the bottom of the check. If you issue a check in a store, they put the check under the cash drawer, but how many people (authorized, or unauthorized) might have access to that check. There are honest, and there are dishonest people. Nothing is 100% safe. Even Companies like Life-Lock cannot guarantee 100% protection. Would you even know that ALL their employees are honest.
        • Good web services allow data export

          These days most *good* web services like, for example, most of Google's and Flickr, allow you to export your data in the event that you wish to move to another service.

          Keepass open source desktop password manager, which can be used as the basis of a complete cloud-based password management solution in conjunction with a service like Dropbox and a form-filling browser extension like Keefox, allows you to import and export from/to competing password managers. Works like a charm for me.
  • Microsoft Word

    Password protected naturally. Low tech, but it works. I tried using the Norton Password safe, but Norton requires a password for the safe that is so complex, I won't remember it; making it worthless for the task.
    • be careful

      If your Word document password is not especially complex, at least make it long, 11+ characters. This makes it much harder to brute-force.
      • Re: be careful....

        Larry, what I do is use an Excel sheet on a computer that is not and cannot be hooked to the Internet..

        If I have a lot of sites to visit then I print out a copy of the sheet, and when I'm done it gets burned up in the wood stove.

        I've been doing this for years and have never had any issues. While I'm sure it's not the solution for everyone, excel makes it a breeze, in my opinion..

        • Good system...

          ...except for the need for an otherwise redundant, offline computer and a wood stove!

          Surely you could memorise one short, meaningless phrase to use as the master password for a proper encrypted password database that you keep on your main computer? Then no more need for a 2nd computer, typing out logins manually and having to print out sheets of passwords.

          Seriously, check out a free secure password manager like Keepass, you will save yourselve a whole lot of hassle!
          • Actually the redundant PC is used fro a lot of back-up

            word and excel files. The woodstove, of course is not redundant, as it is the sole heating system for Fall / Winter/ and Spring, at least until it warms up enough, not to need it.

            Yes, you're quite right I could use a free password manager, but at some time it usually ends up becoming a paid service or your info is sold for one reason or another..

          • Fair enough

            I suspected you might just have another use for the 2nd PC and the wood stove ;-)

            Can't blame you for your wariness regarding free *services*. But my recommended solution, Keepass, is open source *software*, so it can only ever be free. Furthermore, the data is kept on your machine, and even if you choose to put it in cloud storage such as Dropbox for convenience of access from multiple machines, it is encrypted so that even if someone somehow gets their hands on the database, they can't (provided you choose a suitable key) access the data.
          • Re: Fair enough..

            Thanks aramando! I just might look into it!

            Have a great day!

    • You chose... poorly

      While Microsoft says that it cannot decrypt protected Office documents, there are plenty of tools available offering just that service. A quick search turns up, which offers three free tools.

      This of course ignores the various Microsoft Office bugs that keep being discovered.

      I hope you have a few other protections for your Word document. In particular, if you have Office 2013 don't use the default save location (OneDrive) - that just hands your passwords to Microsoft and anyone they permit to access OneDrive.
      • You chave chosen... wisely

        Upvote for the post title!
  • Lastpass

    Genuinely couldn't live without it.
    Brian O'Blivion
    • LastPass is good, but has a few glitches.

      First, only certain web browsers have the ability to give LastPass a plugin/addon interface to fill in passwords (and login names) on websites -- and some "cleanup" scanners insist that ANY plugins on a browser (looking at you, AT&T/McAfee) are a "problem" to be cleaned up, so after a scan you have to choose "manual" fix to save the one(s) you want.

      Second, some web sites go directly from the Logout command to their Login screen, so if LastPass is set to log in automatically, you cannot log out and close the page! You have to leave it at autofill but not autologin, but since autofill is the default, there is no way to turn it on when it doesn't work. And this is the case for a few commercial websites.

      Third, some web sites have a lost-password (or must-change-password for some reason) flow that takes you to a totally different URL than the normal login in order to change the password, so when LastPass tries to change its stored password to match the new one, it saves it under a different URL; then the normal login URL has the OLD password, and you get back into the lost-password flow. Plus you have an unnecessary "site" saved in LastPass.

      Fourth, just noticed recently, a few sites ALWAYS trigger the "authorize to send password information" popup from LastPass, even though they are good sites, and there seems to be no setting in a site profile to turn this off.

      And fifth, LastPass for applications assumes that there is one password per application, but some applications (such as Quicken) allow different password for each data file; as long as you are only accessing the current year's data file, no problem, but sometimes you want to open a past year's file. Since there is no way for LastPass store a filename-dependent password for each file, it's easier to keep a common, self-composed and remembered, password for all Quicken files, and change all of them once a year in a single session.

      I am glad I have LastPass premium, but it would be nice if some of these glitches were fixed, which prevent the exclusive use of generated passwords.