Password management: How the pros store their passwords

From sticky notes to PGP-encrypted text files, not all password management methods are created equal.

By James Gaskin

Passwords: We all have too many of them, and keeping track is a giant pain. So we asked eight experts in various fields how they track passwords.

Matthew Jonkman of Emerging Threats, a Web site dedicated to security issues and Snort, said, "Personally, I just make all my passwords my oldest daughter's first name." Wait, there's more.

"OK, not all. The important ones I do a couple of things. I use a password manager I wrote myself that PGP encrypts for things I don't use often. Mostly very long term storage of passwords. For daily stuff, I track usernames, and for many use a password scheme in my head that's a variation of the username and a pass pattern. The username isn't in the pass, but it's something I can figure out knowing the pattern I'm using in my head.

"For less used stuff that I need often I use a text file that's PGP encrypted on my drive. Not a great solution, but it works if you're vigilant about maintaining it encrypted. The open source PGP tools do it well.

"My recommendation is for folks to use a pattern in their head that they can create the password from the username, and can easily move to a new password scheme just by modifying the pattern in their head." Thanks, Matthew.
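A concrete form of the PGP-encrypted text file Matthew describes, as an added example that is not code from the article, from Matthew, or from Emerging Threats. It assumes GnuPG 2.1 or later is installed; the function names (`pw_init`, `pw_add`, `pw_get`, `pw_show`, `pw_check`, `pw_available`), the `PW_FILE` and `PW_PASSPHRASE` variables and the tab-separated "site, user, password" line format are all choices made for this example. It uses symmetric (passphrase) encryption so it needs no key ring; encrypting to your own public key instead only changes the gpg flags. The point it demonstrates is the "vigilant about maintaining it encrypted" part: plaintext only ever exists in memory and in pipes, a failed decryption can never overwrite the store, and the file stays readable by its owner only.

```shell
#!/bin/sh
# Added example (not the article's or any interviewee's code): a PGP-encrypted
# password file on disk, handled so that plaintext is never written to disk and
# a failed decryption never wipes the store. Assumptions: GnuPG 2.1+ is installed;
# the function names, the PW_FILE / PW_PASSPHRASE variables and the tab-separated
# "site user password" line format are all choices made for this example.
set -eu

_pw_file() { printf '%s\n' "${PW_FILE:-$HOME/.passwords.txt.gpg}"; }

# Run gpg non-interactively with the passphrase supplied on fd 3, so it never
# appears in argv (where `ps` would show it) and stdin stays free for data.
_gpg() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 "$@" 3<<EOF
${PW_PASSPHRASE:-}
EOF
}

# Returns 0 when gpg can encrypt in this environment with the current passphrase.
pw_available() {
  command -v gpg >/dev/null 2>&1 || return 1
  printf 'probe' | _gpg --symmetric --cipher-algo AES256 >/dev/null 2>&1
}

# Create the encrypted store (mode 0600, via umask in a subshell) if it is missing.
pw_init() {
  f=$(_pw_file)
  [ -e "$f" ] && return 0
  ( umask 077; printf '# site\tuser\tpassword\n' | _gpg --symmetric --cipher-algo AES256 --output "$f" )
}

# Decrypt the whole store to stdout (to a pipe or your terminal, never to a file).
pw_show() { _gpg --decrypt "$(_pw_file)"; }

# pw_add SITE USER   (password read from stdin: pipe it in, or type it and press Ctrl-D)
# Keeping the password out of the argument list keeps it out of shell history and `ps`.
pw_add() {
  f=$(_pw_file)
  password=$(cat)
  # Decrypt first, into memory only. Under set -e a wrong passphrase aborts here,
  # so the store is never replaced by a file that lost its old entries.
  existing=$(_gpg --decrypt "$f")
  tmp=$(mktemp "$f.XXXXXX")          # mktemp creates it 0600, beside the store
  {
    if [ -n "$existing" ]; then printf '%s\n' "$existing"; fi
    printf '%s\t%s\t%s\n' "$1" "$2" "$password"
  } | _gpg --symmetric --cipher-algo AES256 --yes --output "$tmp"
  mv "$tmp" "$f"                      # atomic replace: no half-written store
}

# pw_get SITE: print the stored password(s) for one site.
pw_get() {
  pw_show | awk -F '\t' -v site="$1" '$1 == site { print $3 }'
}

# Returns 0 when the store is readable and writable by its owner only.
pw_check() {
  [ "$(ls -ld "$(_pw_file)" | cut -c1-10)" = "-rw-------" ]
}
```

To use it, source the file in a shell, export `PW_PASSPHRASE`, run `pw_init` once, then `printf '%s' 'the-secret' | pw_add example.com alice` and `pw_get example.com`. Two design choices carry the security value: the old contents are decrypted into a shell variable and only then re-encrypted through a pipe to a 0600 temporary file that is moved into place, so neither a typo in the passphrase nor an interrupted run leaves plaintext or an empty store behind; and the passphrase travels on a file descriptor rather than the command line. Reading the new password with `cat` still echoes it if you type it interactively; a prompt with echo disabled would be the natural refinement.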

John Locke runs Freelock Computing, focusing on Web development using Drupal, PHP, Dojo, and Ajax. His method? "I've been using Revelation, a Gnome program, for storing passwords. It provides a little encrypted container, along with a convenient panel applet you can quickly search, and it locks itself up after 15 minutes if you aren't using it."

After these two good examples, let's look at a bad one, from someone who prefers not to be named, for reasons you will understand. "In terms of passwords, I use the Notes function in Outlook. Yeah, I know, it's very insecure and inappropriate and I wouldn't like to be quoted other than 'Anonymous - should know better'!"

"But, I have heard of others who use Excel and call it 'passwords.xls' or Word and the file is 'passwords.doc'. Most common spot I have seen at client sites is either in c:\ or c:\username\my documents for the password file locations and that is where any self-respecting hacker would look. These should be called 'Anonymous - Plain Stupid'."

"At least my method of using the Outlook Notes section is not the easiest to grab. My notes naming convention is cryptic enough to hide what I am using." Thank you, Mr. Anonymous. No handy URL to your Web site as punishment for bad password management, but thanks for sharing.

As expected, RoboForm got a couple of mentions. First from Chuck Wilsker, President and CEO of the Telework Coalition. He said, "I personally use and recommend RoboForm, and have for years."

Mark Gibbs, Network World columnist and consultant, said, "I've been a long time RoboForm user. It's one of the best products of its kind I've ever used. While RoboForm is designed for Web work, it also provides a note taking feature where I've stored some of my server logins. For FTP I use Filezilla and let it store my passwords. As a backup for Web passwords I let my browsers manage passwords as well as RoboForm. On OS X I've been using Sxipper with Firefox."

Companies with strict password change rules may do more harm than good, especially when they go overboard on the change schedule. Allen Gwinn, senior director and chief technologist for the Edwin L. Cox School of Business at Southern Methodist University (SMU) in Dallas, deals with that issue daily.

"I have a method for assigning passwords based on the time when they're changed. So I have a 'base' password for accounts, then I have a 'modifier' that I stick on the end. One could argue that if someone figures out my system, I'm hosed. One could also argue that forcing password changes every three weeks creates more problems than it solves. Most people we encounter simply write theirs on a sticky note and put it in a desk drawer or stick it on their keyboard." Security people will tell you to check under the keyboard as well, where users hide their password note when they don't have a sticky note to hang on the monitor.

Todd Feinman, CEO of Identity Finder, uses another commercial product: his own. "I use Identity Finder's Password Vault, which is just like RoboForm but makes it easy for me to quickly move passwords from emails and other documents into the secure Identity Finder Password Vault." Self-serving, yes, but remember to check other software you already have just in case they have a secure password storage option.

Jesper Jurcenoks, CTO of network vulnerability assessment software company NetVigilance, uses e-mail. Yes, e-mail.

"I keep mine in a password protected mailbox with a difficult password (obviously the mailbox does not use POP3 or IMAP, which are protocols that send passwords in clear text). Only I have encrypted access to the mailbox."

Your Humble Narrator uses the notes function in a Personal Information Manager called Essential PIM. The system runs on a computer with whole disk encryption from TrueCrypt. The master TrueCrypt password is a construct based on letters and numbers with meaning to me, but so obscure they can't be guessed by reading my personal information.

Do you have a great password management method? Share (the method, not your passwords), in a comment below.
