, , , ,

How to Keep Track of Passwords and Usernames

Input Username and Password

Control Panel Sample Logon Screen

With my rapidly growing list of over 165 passwords and usernames and an increase in mass password breaches, I decided today is the day to seek out a better and a safer way to create and to keep track of my passwords, usernames and other confidential information.  As it turns out, this is easier said than done!  There are lots of different ways to do this and each way has advantages and disadvantages.

Below are some basic password guidelines.  I admit I am guilty of one or two on the “Do not” list.  Gulp!

PASSWORD GUIDELINES

DO

  • Do use strong passwords with combinations of numbers, uppercase and lower case letters and special characters including punctuation
  • Do make passwords 8 to 20 characters long
  • Do change your passwords regularly – at least every 6 months

DO NOT

  • Do not use obvious passwords such as names and numbers pertaining to yourself and your family members’ birthdates and names  (Avoid Password1, which is one of the most commonly used passwords)
  • Do not use your username in your password in any form (backwards, doubled etc)
  • Do not store passwords in unencrypted documents on computers or cell phones as these become easily accessible if your computer or phone is hacked
  • Do not store written passwords on papers close to your computer where others can  access the information
  • Do not use the same logons and passwords for multiple accounts
  • Do not have your browser remember passwords for you
  • Do not copy and paste passwords from your computer
  • Do not provide your password to any person or any site

PASSWORD MANAGEMENT SOFTWARE

Many people use the following passport management programs to generate and keep track of passwords and other confidential information:  1Password, LastPass, KeePass, KeePassX, RoboForm and Firefox Sync.  Most users are very positive about these programs and say they don’t know how they managed without them.

While many people sing the praise of these password managers, I have a trust issue with them because personal information is stored on servers (in the cloud) that are owned by someone else.  Call me paranoid, but isn’t it just a matter of time before someone manages to hack the cloud?  Isn’t it better for me to be the only one with easy access to all my private information in one place, encrypted or not?

Risky to store info in the cloud?

Dropbox

Evernote Cloud Storage

EVERNOTE

For convenience, I use Dropbox to access non-confidential documents and photos from multiple computers and from my Android Smartphone.  Evernote is also popular for this purpose.  But I’m not comfortable storing any confidential information on someone else’s server, and that includes my usernames and passwords.

USING BIOMETRICS FOR PASSWORDS

Microsoft Biometric Reader replaces password lists

Biometric Fingerprint Reader

Biometric software uses fingerprint, hand and facial recognition and can even include DNA matching, signature verification and voice recognition.  Biometrics are used by individuals and organizations that have experienced phishing, hacking or key logging attacks and also by those that need to protect and monitor data, infrastructure, processes or equipment.  Users include but are not limited to the military, banking institutions, border control, airports, science, libraries, schools, labs and more.

Biometric fingerprint readers are the way to go, according to Anna Winningham, a former FBI agent and current Cyberspecialist.  I am in the midst of researching which is the best biometric reader for my needs and will report back after I purchase and test mine out.

Manual Password Tracker

Encoded Password Tracker

PASSWORD CODING

A  book called, “The 5th Dimension Password Keeper” keeps complex passwords hidden in plain sight by encoding them into a crossword-like matrix of random characters.  Passwords cannot be hacked as they are not stored on the computer.  Only the user knows where to begin and which direction to read.  This book is perfect for those that need occasional access via passwords – it’s too manual and cumbersome for my needs.

What method do you use to create and keep track of your passwords?  

Please share your valuable opinions, tips and recommendations  for creating and keeping track of passwords and usernames in the comments section below this article.

Until next time …

46 replies
  1. ally
    ally says:

    I put trigger words for my passwords in the address book of my phone for easy use. If you can guess which entry is the trigger word and then determine its translation to a non-sense eg. P@5$W0r&(and all its permutations) congrats – you’re in.

    Reply
    • Daniel
      Daniel says:

      Only problem with that is that an algorithm run by a computer would easily guess that password in under 3 days. It’s a simple 8 symbol password, for a computer that guess around 1000 times per second, any 8 digit password can be cracked in under 3 days. It’s a better system to use 4 random words strung together. It allows you to remember it easier by the password being actual words, as well as making it almost impossible for a computer that is randomly guessing to get it, usually it will take over 100 years for the same computer to crack the different password. However, the way you do it works just fine unless someone decides to send a bot out to crack ur computer, most people will never guess it.

      Reply
      • Hayley Kaplan
        Hayley Kaplan says:

        Daniel, you make a very important point. Password length is very important. But I’m not sure about using 4 random words strung together because I worry a computer can crack real words too easily. Also, it’s not a good idea to use the same password across sites so remembering different word combinations is tricky. I like the idea of using a similar base and then modifying that base on each site to fit a hard to guess pattern. For example, insert the code between each word. The code could be a special character in some order with the alphabetic first 1-3 letters of the site. Or the letters could be placed strategically within any of the words. Does that make sense?

        Reply
  2. carole lafreniere
    carole lafreniere says:

    I went to a seminar on cyber crimes and the agent told us that the best passwords have spaces in them. If you have several blank spaces it keeps your password hacker proof, and that includes the password breaker software.

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      Sounds like excellent advice. I haven’t tried that before but I will from now on. I also wonder if most sites will accept a blank in a password or not? Once I test it out a few times, I will share it in a new article. Thank you so much for sharing this information, Carole.

      Reply
      • Daniel
        Daniel says:

        A computer will test the blank password first every time, never a good idea, spaces are fine though, not just a completelyl blank password.

        Reply
        • Hayley Kaplan
          Hayley Kaplan says:

          Thanks, Daniel. I hope nobody would consider a blank password as that’s almost like having no password. Plus I suspect most sites won’t allow that. A lot of time has passed and I forgot to test the blank space within the password concept. Thanks for letting me know spaces are fine. Sounds like including one or more blanks within a password is a good idea.

          Reply
  3. Liatsis Fotis
    Liatsis Fotis says:

    Congrats!
    The article analyze the most important elements for storing and creating safe passwords. Also the Biometric way is one of the best way to keep safe your password but the problem exists when you are out and you will be in need to use a password without having the biometric tool.

    This period i’m in way of creating a tool that someone can save the username and the password from any site. Every time the pass accompanied by username and with a secret word.
    Tool includes the most known cryptography algorithms for maximum safe. Also the tool provides a couple o generators tool for random creation.
    All these passwords protected using a primary but strong one code which creating or randomly or manually.

    The most important is the remote activation or I/O of a password. For the purpose of this i create a safe server to store online the data using a safe form to login o create a profile. I know that the idea to store the passes in online server is not the best but hear that. The server stores only a generate code which is downloadable with a software and the user after that can use it adding the primary pass.

    How do you find it?

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      Thank you, Liatsis for your thorough answer. I have received little information back from readers regarding biometrics so I will be researching it further on my own. I assume the biometric reader is portable (plugs in with a USB Cable) but that comes with the risk of being misplaced etc. There must be a solution for that – some sort of back up in a safe place … back to the books on that.

      Your solution sounds promising and intriguing. Please keep us posted with your ultimate results. Hope your final exams went well and thank you so much for taking the time to explain the tool you are working on. Wishing you much success with it and we look forward to hearing about it. Best Regards, Hayley

      Reply
      • Liatsis Fotis
        Liatsis Fotis says:

        Thank you Hayley. I ‘ll be wait for that solution cause i think it’s a good way to keep your pass data secure.

        Also i hope to finish this program. This week i ‘ll be on OWASP AppSec 2012 research event, so wait a special tutorial from the next week. I think i will have much information about 0101010 security.

        So, we are waiting for your next post asap.

        Regards

        Reply
  4. Tumara
    Tumara says:

    I have a series of passwords and user names that I shuffle through. Unfortunately, I do have a couple on the “Do Not Do” list. As awareness continues to grow, individuals are realizing how detrimental keeping passwords on a computer document can be and shifting their thinking. I plan on adjusting a few things that I do. Great article, Thank you!

    Reply
  5. Erik Sobczak
    Erik Sobczak says:

    Very informative article Hayley. I follow all the Do’s and a few of the Do Nots as well. I have a handful of different “strong” passwords that I like to use and typically do update them every 90-120 days or so (or whenever prompted to). I think the worst thing is to write them down, leaving them out in the open for anyone to access. I don’t believe I’ve had any security issues with any financial information, I think my email was hacked into a couple times, but now I am keeping my contact list clear and it hasn’t happened since then. Will be more aware of some of these tips moving forward. Thanks!

    Erik

    Reply
  6. Kerry Hickman
    Kerry Hickman says:

    Hi there

    This article is definitely food for thought. Like some of your other respondents I too have broken a significant number of the don’ts list. Eek! I will be reviewing how I chose and look after my passwords from now on though.

    Thanks for the nudge.

    Reply
  7. Shanthi Cumaraswamy Streat
    Shanthi Cumaraswamy Streat says:

    I’m afraid I am guilty of using some of the DO NOT items. I have yet to find a good way of storing my usernames and passwords. Thanks for the tip re not using the browsers to remember your password. I’d love to know what better ways there are to store and maintain passwords. They are the bane of my life!

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      Thanks for the comment, Shanthi. Stay tuned for an update on this in a future article on the blog. (July or August) The update will be based on responses to this article, to a poll and to discussions in other social media forums. Seems like many of us could use a change or at least a tune up to the methods we are using now.

      Reply
  8. Jesse
    Jesse says:

    It’s really hard to keep track of how many accounts in how many websites I have… I am pretty sure that to some extent my privacy is in risk. Moreover, I often forget of services I’m not using frequently and it makes password management even harder, though I already follow some of your tips! (Will not reveal which, of course! Have to Keep Safe)

    Reply
  9. chandra
    chandra says:

    Hi Hayley, We have built a digital vault called SECURASI Vault+ ( for windows and Mac laptops) that encrypts your files first before it sends to cloud ( including dropbox). Very fast and easy to use. I use dropbox only via SECURASI; so, all my files are encrypted on my laptop before they are sent to dropbox. So, am at peace. No one will ever see my files without my permission. Even if cloud is hacked, my data is safe from being seen.

    If you (or any one here) like to try this software, I will send you guys a free copy . Write to me at: chandra@securasi.com . Cheers.


    Some more info about SECURASI products:
    In future, we are going to add bio metrics as a mode of authentication.

    The key issue about privacy is: who has the power to control your information. It must be the user. No one else. Not the apps like 1password that store your keys in their servers and there is potential for abuse. We need the tools that give 100% power /control to the end user. This is one of our core principles of design.

    We use AES256/512 bit encryption and manage the keys with state of the art tech; our core engine written in C++ is reverse engg proofed.

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      Thanks for the info, Chandra and also for the offer of testing out your software. I’ll let you know after I evaluate the feedback I am getting from many people in different social media forums.

      Reply
  10. Tanya
    Tanya says:

    I seem to have broken every single one of the guidelines from your “DO’s” and “DON’T’s” lists. I have a lot of work ahead of me!

    Reply
  11. Faye
    Faye says:

    OMG!!! Just realized I’m doing most of the “Do Not” list items 🙁
    Great tips! I will definitley apply these great steps to safe guard my passwords.
    Thanks!

    Reply
  12. 949goguard.com
    949goguard.com says:

    I pretty much follow the do’s and dont’s outlined above. I even go further by not talking about what I do to keep my passwords safe.

    Social Networking sites like Facebook worry me, because in many cases, you may be allowing software to post as you, without needing any permission…simply agreeing to the terms of the software may allow them God knows what reign over your accounts.

    If a facebook link to an article requires me to install an app, I will google the article title and find the article through other means.

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      Thanks for your feedback. I am right with you when it comes to links that require me to install apps. But even though I thought I’d not given any apps permission to use my Facebook data, I was surprised to recently find a bunch of activated apps anyway. I deactivated them immediately. We have to be more conscious then ever of what we’re doing when we’re using our technology these days! Best Regards, Hayley

      Reply
  13. Sean Jackson
    Sean Jackson says:

    1Password is my favorite password safe. I have a super-long master password, and then it creates for me the most unhackable, complex passwords. It keeps them all for me, and it integrates with my browsers. I don’t have to remember more than three passwords (my admin account, my regular account, my 1Password password). Happy as a clam, I am! I TOTALLY recommend it to everyone who asks me this question.

    Reply
  14. mark
    mark says:

    Funny, I have nearly the exact same number of passwords as Haley. I resisted ever using password software until I forced myself one day to figure out how much time I was wasting with my “systems” and how insecure my passwords actually were.

    I have a trust issue with keeping my passwords stored on the cloud as well, but there are a couple good desktop applications out there that address that worry. I used Keepass for a while, it was a good start for me, but I realized I was a better candidate for a commercial manager, and chose Roboform. I’ve used it for the last year. It’s much quicker and has a lot more features–it’s actually a very powerful piece of software.

    And being a web junkie, it’s probably the best software purchase I’ve ever made. And I’m someone who rarely purchases software, and even more rarely find any to sing praises about. One surprise for me was the form filler feature, which is actually almost as useful to me as the password management.

    As it’s a desktop client, I feel secure using it, and if I’m travelling without my laptop I just print my password list to a file and put it on a protected thumb drive. Works for me.

    Roboform does have a “cloud” app, and as paranoid as I still feel about this type of service in general, I’m warming up to the idea since I feel pretty confident in the company at this point. They’ve been around and I’ve seen they obviously take security serious.

    Here’s a little summary page and a short vid:

    http://roboform.weebly.com

    They’ve always had some form of free trials available as well. Mine was for 30 days, but I bought the full version literally within a few minutes after I “discovered” the form filler on the second day. Funny what difference a little add-on feature can make 🙂

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      Thanks for your detailed and helpful answer, Mark. I bet you were surprised as I was when you discovered how many passwords and logons you have. I’m not quite ready to abandon my cloud storage paranoia but with so many strong advocates, like yourself, for programs like Roboform, I’m certainly considering it. Thanks again for taking the time to share your experience and opinion. Hayley

      Reply
  15. Hal Ngoy
    Hal Ngoy says:

    This is scary. I have found myself with more and more user names and the need for different passwords that I have them written down on index cards that I keep next to me. Now I know you have mentioned about the danger of casual hackers, and I have not worried about that before. I have my wife and young son. The only risk I face with this method – I store those index cards in one of my drawers on my home office desk – is that someone else would come in and – maybe a friend, relative, etc. – and if they were allowed access into my home office, then they might come across them.

    I have not trusted any type of password manager software. And I have had to just recreate my passwords so often it is really stressful. I run three businesses in the house, and my wife and I also have a Ministry (Non-Profit Organization) and I am the one managing everything to do with internet access, etc.

    Whenever I have to go and work from another location (i.e. a client’s place), I have to make sure I carry my index cards with me).

    I do not want to use the same password for all these various accounts. For instance, I have three different Twitter accounts. I have five different web sites and I manage them (including making updates, etc.) I have over five accounts with various financial institutions. How about all the vendor accounts, such as mobile phone, cable, internet service provider, etc.

    Honestly, it’s stressful. I need help. I am also aware of the fact that at some point, I cannot totally eliminate the risk. I carry my credit cards in my pocket and put them down on my desk at night, etc. I could drop my wallet somewhere, etc. Those risks are always going to stay with us. And I have just looked at carrying my index cards as a part of this. I also like to make sure that if anything happens to me even temporarily, then my wife should be able to access all these accounts easily.

    I would like to learn more here. So, let me see what innovative ideas are out there on this subject.

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      You are right, Hal. It can be superstressful living in this day and age with all our technology and the associated risks. Keep tuned to this site. I am confident that by the time I get everyone’s input, I’ll have some solid suggestions put together for you. Thanks for sharing! Hayley

      Reply
  16. Jon
    Jon says:

    I use a combination of ex-girlfriend names (and nicknames) and childhood references, only known to me. The fact that I can remember all this is astounding. When I can’t, I just change my password. I wonder if I die, should I include my passwords in my will so my will executor can disable my accounts?

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      What a great way to keep track of your dating history! You must be quite the ladies’ man. And the paswords in the will isn’t a bad idea, at least for some of the important ones that are possibly connected to your financial information. But keep the will part private amongst those that know you or someone may have a good reason to kill you. Why hack accounts when you can just kill someone to get access to their will, right? 😉 Thanks for sharing, Jon.

      PS. Hope you know I’m kidding in my response here!

      Reply
  17. Andy
    Andy says:

    For me there are two kinds of hacker. There’s the casual hacker and the serious hacker. A casual hacker is someone you know, maybe your spouse, who either has direct access to your PC or knows the kinds of websites you use. These people will try to guess your password….so all the advice in the article is a good defence against these people. But a serious hacker uses a software tool to guess your password or a trojan to collect your passwords so the best defence here is to keep your passwords long, your anti-virus up-to-date and don’t visit dubious sites or open dubious e-mails.

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      You make a good point, Andy. I was focused so much on hackers that I forgot about the obvious privacy issue related to “casual hackers” or simply put, nosey family members. Thanks for the excellent input.

      Reply
  18. Jorge
    Jorge says:

    Juow! No tenía ni idea de que el mantenimiento de la contraseña había llegado a este complejo. Este artículo fue muy útil para conseguir una idea de las mejores maneras de mejorar mi seguridad. Gracias en gran medida Hayley Kaplan!

    Reply
  19. greg
    greg says:

    165 passwords is amazing. Maybe an estate lawyer needs this info when your password list is so big. If not a lawyer than maybe a priest!

    Reply
  20. Jay
    Jay says:

    1st As a computer professional I spend much time lecturing my clients about their passwords.

    However I will admit for myself I would guess 90% of the accounts I use only have log on information so they can track my usage. I really don’t care if someone else logs on with my password, it makes no difference. So for these I use the same password and hardly every change it. Probably not very smart of me, but on the other hand they can’t do a lot of damage to me either.

    Because I an often logging on from other locations and other computers most password managers don’t work, I’m happier just remembering them.

    Here is a trick I use and I recommend for my clients.

    M2pnaE&A

    Which is remembered as “My 2 pets names are Emo and Ambrose”

    Not the strongest of passwords but you get the idea.

    In addition for all of those weird sites you have to register with, create a dummy email account with someone like gmail and use it, never use an account that you care about.

    Cheers
    Jay

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      Jay,

      Thanks for sharing. I like the simple method you suggest of abbreviating a phrase that is easy to remember. The concept of creating an email account for the sites that only track usage is also a great suggestion that I will set up for myself from now on.

      Thanks again for your valuable input.
      – Hayley

      Reply
  21. Matthew Leeds
    Matthew Leeds says:

    Figuring out what to do about password security should follow two simple principles. First, never use the same password twice. Every account, every computer, every device should have its own password. Second, and this varies only in degree from individual to individual, you’ve got too many passwords to be able to memorize them all; you need a password manager. Once you use a password manager it becomes easy to use a unique password for each account, and to use strong passwords. Consider either long random passwords (w3-5jsdl40y6jgp;5fghe) or passphrases (Allg00dDog$G02Heaven) which are easier to type. Unique passwords protect against the intrusion at any single site, system, or account, and strong passwords insure against both guessing and the use of brute force methods.

    Once you accept those two principles lots of possibilities open up. I store much more than just passwords. I store membership numbers for my medical plan, my insurance, VIN numbers for the cars our family owns, prescription numbers and expiration dates, anything that I consider confidential but want at my fingertips.

    I spent time researching what was important for me in a password manager; your mileage may vary. For me, it had to run on my personal and work computer, and on my mobile devices. It had to offer a sync technology to keep the information on each of those devices up to date. It had to use encryption technology strong enough that I did not worry should I lose a mobile device or that some malware was able to steal the encrypted file that contained all that info. Take the time to research what would work for you. Search for serious reviews on the quality of the encryption used by the product you select.

    KeePass is a good open source solution. mSecure is a good commercial solution that runs on both the desktop and most mobile devices and syncs between each via DropBox.

    There is much debate about whether to periodically change your passwords and how often. I suggest that if you are using strong passwords, if you use a unique password for each account, that there is no reason to change passwords. I’ve literally hundreds, and changing each every, say six months, would be an enormous burden. It would make it difficult to maintain the discipline to keep each account’s password unique.

    As to storing or syncing across ‘the cloud’, if you’ve researched sufficiently to trust the encryption method your password manager uses, this should raise no concerns. Excel encryption is not secure as there are commercial tools for breaking that or any other MS Office product.

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      Matthew,

      Thank you very much for your thorough and valuable explanation. I still plan to test a biometric reader but you make a very convincing argument for a good password manager like KeePass. I am going to run your explanation by Anna Winningham, a Cybersecurity expert and ex-FBI agent that I was fortunate to meet at a presentation on Internet Security. I will let you know what she says. Again, thank you so much for taking your time to give such a detailed explanation.

      Best Regards, Hayley

      Reply
  22. Kastle
    Kastle says:

    I keep all of my passwords in a password-protected Word document so I can keep a record of all of them. Of course, if I forget the password to THAT, I’m in trouble!

    Reply
  23. Carpool Goddess
    Carpool Goddess says:

    Wow, you have a lot of passwords. Thanks for reminding me that I need to changed them every six months. I don’t think I’d feel comfortable either using outside servers to store my passwords.

    Reply
    • Hayley Kaplan
      Hayley Kaplan says:

      When I counted them up, I must say I was surprised at how many accounts I’ve accumulated over the years. These include both work and personal logins. Thanks for starting the conversation.

      Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *