Six Clicks: How do you keep track of all your passwords?

Passwords are the great curse of the modern Internet user. The more you use the Internet, the more you rely on passwords, and the harder it gets to use them properly.

To use passwords properly you need to make them complex, not reuse them on different sites and change them periodically. Not many people really follow through on all this, but some password management methods make it easier than others.

The first one, the one everyone uses at first, is to remember them. This has the benefit of simplicity, but it's not really sustainable. If you have 50 different sites with passwords, can you really remember 50 different complex passwords?

So people come up with tricks to remember them. One is to use one password and attach a site-specific prefix or suffix, e.g. fl00rb0ard.FB and fl00rb0ard.Twitter. This helps a little, but if one of your passwords is compromised, all of them are.

There are more complex ciphers that some people use to make the specific password less obvious, but the more you obscure the result the more you give yourself to remember.

The image nearby, a well-known XKCD cartoon, illustrates some of the issues with password ciphers, but the cartoonist misses one point: It's just one password. What about the other 49?

And if you need a strong and unique password, you can generate one at correcthorsebatterystaple.net.

Previously on Six clicks

Simple and time-saving Google search tricks

 Can your browser do these tricks?

Dead software we loved

This one depends on your physical surroundings. If you use your passwords from one private location, this could be a good solution for you.

The fact is that the threats to most users' passwords are online threats, not physical threats. Another advantage of this technique is that normal people can relate to the risks more clearly than they can to the risks of using passwords online.

On the other hand — obviously — anyone who can see your list can read it, take a picture of it, etc.

Image courtesy Dan at TheDailyPrep.com

Many applications provide strong encryption support for their files, and it may be a good option to store passwords in those files. Microsoft Office has long had such support, but prior to recent Office 2007, the encryption was crackable with reasonable effort. With current versions attackers have to use brute force or at least know something about the password.

There are also plenty of data formats with password support where the encryption is trivial to break. ZIP files are a good example. One way to research is to look at the feature set for PassWare, a set of professional password cracking tools. (Note that Passware can recover or remove passwords in encrypted Office documents instantly if run on a system with the document open.)

There are also some dedicated offline programs with local, secure password storage. One good example is Bruce Schneier's Password Safe.

Combined with cloud storage, like Dropbox, you can make your document-stored passwords accessible anywhere. You also have the option of storing the passwords on a USB drive, potentially a hardware-encrypted one.

You have one password to access the password store on the site. You really want to be careful about this password. It should be strong and you should use it nowhere else. On the other hand, you may need to enter it a lot, so consider all your devices and whether the password will, for instance, be unbearable on an iPhone.

Passwords in image courtesy Random.org Random Password Generator.

There are many services which provide secure storage online, and many of these provide specific support for passwords. They are not complete password managers because they don't fill fields; you have to copy the password and paste it into whatever program it is used for. Most will have a built-in strong password generator. Typically, password managers include these capabilities as well.

Examples include Masterlock Vault, which has a free version and a series of paid services. SecureSafe has a free version and iOS and Android apps. KeePass lets you drag passwords from it to other programs. Clipperz is open source and only accepts Bitcoin for payment.

You have one password to access the password store on the site. You really want to be careful about this password. It should be strong and you should use it nowhere else. On the other hand, you may need to enter it a lot, so consider all your devices and whether the password will, for instance, be unbearable on an iPhone.

We didn't find any that supported two factor authentication, but it's a possibility with such services.

The gold standard for password management is a password manager built for the purpose. They have many of the features of the other techniques discussed here: For instance they provide secure cloud storage of your passwords and they can auto-generate passwords. But they go further, filling in the passwords where possible and automating the login. They detect changes to logins for the site you're on and they offer to create or save the login for new sites.

The best ones have the widest device support and support for USB storage, two factor authentication and other features allow a user to be as careful/paranoid as they want to be.

Some platforms create problems for these programs. Apple iOS is the most famous, but other mobile platforms and Windows 8.x Modern UI programs are also an issue. The password manager has to be able to plug into the application in order to fill username and password fields and, for legitimate security reasons, these mobile platforms don't allow it. ( LastPass recently figured out a hack to get these techniques to work, usually, on Android. )

Apple began adding password management and synching the iCloud Keychain in recent versions of iOS and OS X. It has almost all the key features of the major password managers. Its use is limited to the Apple ecosystem. iOS and Mac developers can build support for it into their programs.

You have one password to access the password store on the site. You really want to be careful about this password. It should be strong and you should use it nowhere else. On the other hand, you may need to enter it a lot, so consider all your devices and whether the password will, for instance, be unbearable on an iPhone.

There are many good products in this category. Here are some of the better-known ones:

• LastPass
• RoboForm
• 1Password
• Norton IdentitySafe
• Dashlane
• PasswordBox