Ask HN: Password managers?

4 points

18 years ago

I've been getting annoyed at dealing with passwords. I have a pretty good mental system for generating good, difficult-to-predict passwords, but even so, I've been thinking about switching to a password manager. I am primarily a Mac user, and it seems that 1Password is a highly-recommended Mac utility, but it makes me a bit nervous.

1. I often use machines other than my primary Mac. These machines include Linux and Windows installations. How can I visit registration-required sites if their long hex-string passwords are trapped on a different machine?

I see that 1Password provides something called my1Password (https://my.1password.com) for web-based password use, but I have just 1Password's word that everything is perfectly secure back-to-front, and that it doesn't have nasty exploits on its site. In addition, how exactly am I supposed to use this password from the browser? Does it show up in clear-text on my.1password.com, and then I'm supposed to copy and paste it into a password field, thereby exposing the password to the system clipboard on a potentially untrusted machine?

2. I don't know if I trust a password manager not to leak the password somehow, somewhere. This particularly applies to banks and other sensitive sites.

3. It doesn't look like 1Password supports passwords for things like remote Unix hosts using ssh. I use passphrase-based private key authentication with ssh, but this does not mean that every Unix machine I log into has passwords completely disabled, which still leaves me with a slew of passwords to track.

So, HN: how does everyone here deal with passwords? Password managers? Paper notes, as Bruce Schneier recommends (http://www.schneier.com/blog/archives/2005/06/write_down_your.html)? Mental systems? A hybrid approach (write hex strings on a sheet of paper and import them into password managers on every trusted computer)? Use "Passw0rd" everywhere?