How do you manage your passwords?

We all know that passwords sucks, that they are the nightmare of all administrators and security guys. So many hacks have been eased because the victims reused the same password everywhere : email account, forum, bank, critical systems…

Sadly, so far, there is even not the beginning of a replacement solution. Passwords will be there for long, so we would better use them accordingly.

Yes, I am aware of many on-line services like FisrtPass, KeePass, 1stPassword, etc. However, I don’t feel comfortable with having all my password somewhere on-line, even if they claim – and I believe they are sincere, that they use strong encryption and can’t access to it.

Instead, I use a combination of the Firefox password manager and the Pwgen add-on. I use this add-on to quickly and conveniently generate a random password when I subscribe to a web service. When Firefox prompts for it, I just choose to remember the password automatically. SSO quick and dirty.

For the other passwords that I can’t and don’t need to memorize, I store them in a local encrypted file.

To edit the file, I simply use Vim with this nice GPG plugin:

  • copy gpg.vim to /home/$user/.vim/plugin
  • if not done yet, generate you GPG key : 
     $ gpg --gen-key
  • Encrypt your password file and erase it: 
    $ gpg --encrypt --recipient 'your name' passwords
$ rm passwords
  • Now, it’s done. Just edit password.gpg to decrypt and access to your passwords (you will be prompted for your passphrase): 
    $ vim passwords.gpg

If you don’t like the overhead of GPG, a more straightforward solution is to use the OpenSSL extension :

  • Copy the openssl.vim file to /home/$user/.vim/plugin as well.
  • Now, to encrypt to file to, say, AES (note the .aes file extension which makes sense for the plugin): 
    $ openssl aes-256-cbc -in passwords -out passwords.aes
  • Decryption will occur as soon as you edit the file with Vim: 
    $ vim passwords.aes

I believe that, if not perfect, it is pretty secure. I mean not more, not less than your system is. Anyway I don’t have any need for an on-line manager. And you, how do you manage your passwords? Let us know about your tips.