December 22, 2009, 8:20 AM — by James Gaskin - Passwords: We all have too many of them, and keeping track is a giant pain. So we asked eight experts in various fields how they track passwords.
Matthew Jonkman of Emerging Threats, a Web site dedicated to security issues and Snort, said, "Personally, I just make all my passwords my oldest daughters first name." Wait, there's more.
"OK, not all. The important ones I do a couple things. I use a password manager I wrote myself that PGP encrypts for things I don't use often. Mostly very long term storage of passwords. For daily stuff, I track usernames, and for many use a password scheme in my head that's a variation of the username and a pass pattern. The username isn't in the pass, but it's something I can figure out knowing the pattern I'm using in my head.
"For less used stuff that I need often I use a text file that's PGP encrypted on my drive. Not a great solution, but it works if you're vigilant about maintaining it encrypted. The open source PGP tools do it well.
"My recommendation is for folks to use a pattern in their head that they can create the password from the username, and can easily move to a new password scheme just by modifying the pattern in their head." Thanks, Matthew.
John Locke runs Freelock Computing, focusing on Web development using Drupal, PHP, Dojo, and Ajax. His method? "I've been using Revelation, a Gnome program, for storing passwords. It provides a little encrypted container, along with a convenient panel applet you can quickly search, and it locks itself up after 15 minutes if you aren't using it."
After these two good examples, let's look at a bad one, from someone who prefers not to be named, for reasons you will understand. "In terms of passwords, I use the Notes function in Outlook. Yeah, I know, it's very insecure and inappropriate and I wouldn't like to be quoted other than 'Anonymous - should know better'!"
"But, I have heard of others who use Excel and call it 'passwords.xls' or Word and the file is 'passwords.doc'. Most common spot I have seen at client sites is either in c:\ or c:\username\my documents for the password file locations and that is where any self respecting hacker would look. These should be called 'Anonymous - Plain Stupid'.".