Chase Seibert

Director of Engineering at Dropbox

The easiest way to guess a password isn't to guess it at all, but to exploit the inherent insecurity in the underlying operating system. Bruce Schneier

Six months ago, a gaming web-site I have a login to was hacked. There was no real data of any value on the site, but the attackers did make off with all the user name/passwords in the database. This turned into quite a problem for some of my friends, as the attackers proceeded to login to their email accounts. It turns out some of the users had used their email address as their user name, and the same password for the site as for their email.

Now, ideally web-apps would not store user passwords at all. These days, you should consider implementing OpenID if all you need to do is authenticate users. The second best option would be to store a non-reversible hash of the passwords. To authenticate someone, you just hash the candidate password and compare the hashed values. The up shot is that even if an attacker gets his hands on the entire database, they won't be able to reverse engineer the passwords.

There is plenty of fault on the sides of my friends here, as well. While it may not be widely known to average users users, this is an excellent illustration of why it's a very bad idea to share passwords or even user names between different services. Your entire network becomes only as secure as its weakest link!

Shortly after that, I started using PasswordSafe (Windows only). It's a free, open-source utility that can generate and securely store as many user name and password combinations as you want. You just come up with one "master" password, and your whole password database is encrypted with that key and stored locally.

In the last few weeks, I moved to KeePassX, a very similar software package with better cross platform support. There is also a very easy way to convert your passwords from PasswordSafe to KeePassX. Just install KeePass 1.x or 2.x, add the pwsafedbimport plug-in, import your database, then open the new .kdb database in the latest version of KeePassX.

Six months in, I don't even know what my passwords for most sites are. I don't need to, my password manager just takes care of it. I've even gone back and changed my passwords on every site I use to things like "qFSwLqajQc+7g_4>;%'{J35".

But I'm too lazy for that!

Thanks for being so honest. But actually, this will save you time. See, PasswordSafe has this great feature they call auto-type. Say you're on amazon.com staring at a login form. All you have to do is hit F10, type the first few letters of "ama" and hit Control-T. Boom, it logs you in!

I use a bunch of different computers. Copying this file around seems like a pain.

Use DropBox, it's awesome. Your password file will be automatically synced to any computer you use regularly. And because the file is encrypted, you don't have to worry about DropBox getting hacked.

What if I forget my master password?

Then you're fucked. Well, if you're that concerned about it you could save/print the PasswordSafe file in plain text format every once in a while. In my opinion, you're still better off than using the same user name and password on all these remote sites.