How to manage 199 passwords

I’m using 184 unique passwords for 199 different websites. The average length of these passwords is 15.7 characters. Using a different password for each site is a choice I made a few years ago. As soon as you use a password on one site, that site can see the password and try it on other sites. Imagine you sign up with your Gmail address on a malicious site: wouldn’t it be easy for that site to try logging in to your actual Gmail account with that password?

You probably wonder how I deal with 184 unique passwords. Well, it’s easy: you use a password manager. I use LastPass as my password manager. It stores your passwords in an online vault. The vault is encrypted on your local computer or device, so the LastPass company does not have your actual passwords, only the encrypted ones.

It is integrated into your browser with a plugin. This means that as soon as you hit a website with a login form, it fills in your username and password, so you only have to press the submit button to log in, or it can even auto-login if you prefer that. Whenever you register on a website, it sees the password field and offers to generate a password. I usually use that. You can also generate a password with a keystroke (alt-g).

Actually, that means I don’t really care about passwords anymore: they are (if the site allows it) 20 characters long, auto-generated by LastPass, and when I visit the site it automatically logs me in. You basically never get to see most of them. You can also share passwords with friends and family, auto-fill forms, store notes safely, keep records of important documents (ID numbers to block if they get stolen, for example), and it won’t fill in your password on phishing sites if you ever make a mistake and end up there.

LastPass needs a master password to function, and you had better pick a safe one, but it can limit logins to a certain country, use several different types of two-factor authentication and can use One Time Passwords if you like. I’m not saying LastPass is perfect, and I’m not saying I cannot be hacked, but I know for sure that it’s a lot safer than using only a handful of passwords on 199 sites.
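As an added example (not LastPass code, and not from the post’s author), here is the client-side encryption model the post describes, in Python with only the standard library: the master password is stretched with PBKDF2 (using the email as salt is an assumption), the vault is encrypted on the client, and the server receives only an opaque blob plus a one-way login token, so neither the company nor someone who breaks into its servers can read the passwords without the master password. HMAC-SHA256 in counter mode stands in for AES-GCM, which the standard library lacks.

```python
import hashlib
import hmac
import json
import os

def derive_keys(master_password: str, email: str, iterations: int = 100_000):
    """Client side only: a slow KDF turns the master password into the vault
    key; the login token is derived one-way from that key, so the server can
    verify it without learning the key or the master password."""
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  email.lower().encode(), iterations)  # email as salt (assumption)
    auth_key = hmac.new(enc_key, b"login-token", "sha256").digest()
    return enc_key, auth_key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF (the stdlib has no AES);
    # a real client would use an AEAD such as AES-GCM instead.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt_vault(enc_key: bytes, vault: dict) -> dict:
    """Runs on the client; the returned blob is all the server ever receives."""
    plaintext = json.dumps(vault).encode()
    nonce = os.urandom(16)  # fresh per encryption, never reused with the same key
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(enc_key, b"tag" + nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt_vault(enc_key: bytes, blob: dict) -> dict:
    """Runs on the client; fails closed on a wrong key or a modified blob."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(enc_key, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault authentication failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)

def server_register(auth_key: bytes, blob: dict) -> dict:
    """Server side: a salted hash of the login token plus the opaque blob."""
    salt = os.urandom(16)
    return {"salt": salt, "auth_hash": hmac.new(salt, auth_key, "sha256").digest(), "blob": blob}

def server_login(record: dict, auth_key: bytes) -> bool:
    """Server side: constant-time check of the login token, no key material needed."""
    return hmac.compare_digest(record["auth_hash"],
                               hmac.new(record["salt"], auth_key, "sha256").digest())
```

A keylogger on the client still captures the master password, which is why the One Time Passwords and two-factor options mentioned above matter: this model protects against the server, not against a compromised client.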

17 thoughts on “How to manage 199 passwords”

    1. If you need to log in to your vault on another person’s computer, you might use a One Time Password you have created earlier. This way, if that person’s computer has a keylogger, it cannot access your vault later on. Other options are to have LastPass on your mobile and avoid using that friend’s computer. If a keylogger is installed on that computer, you are walking on thin ice in any case (in other words: LastPass is no solution, but not using LastPass does not change that).

    1. Judging from the website, LastPass stores a local copy of the password database on your device and can export the database from that copy. Thus, even if LastPass-the-company dies, you can just switch to something else without losing anything.

    2. LastPass has export and import options. That import option reads the passwords from your browser if you have enabled that option in your browser. Which, if you think about it, is pretty scary. Every plugin in your browser can read all your passwords….

  1. The more portable solution is to use the free software, portable and written in Qt solution: KeePassX. http://keepassx.org

    It is available for Linux, OS X, and Windows and the next version (version 2) is in Alpha 4 and could probably use the experienced eyes of KDE hackers.

    1. Yes, there are alternatives. Some store the passwords locally, which is probably safer, but does not scale well to your phone or tablet. We use LastPass in our company, for example to share passwords between co-workers. And sharing passwords via email gets annoying soon and there is no need to do that. If some site decides it is time you change the password, the new password should spread instantly throughout our organisation. You need to pick the password manager that works for you and fits your workflow.

      1. While KeePass doesn’t have a sharing functionality (a pity) there are mobile applications for iOS and Android that can read and write the KDB format KeePass and KeePassX use.

        If LastPass works great for your needs that is great.

  2. I like to use LastPass too because it clearly makes your life easier. But I don’t really trust in the confidentiality of the LastPass company. Even if they do not store all your passwords on their server, which I find hard to believe, I guess they still can “listen to” the password that is entered when you log in to a given website.
    I am also wondering where they get their money from; do they sell data to third parties or something?
    The last drawback is that it sticks you to browsers that have LastPass plugins, namely almost all browsers, with the exception of Konqueror/rekonq 🙁

    1. It’s good to be cautious about these companies! Maintaining 184 different passwords with an average length of 15 characters is not something you can do from the top of your head. Often you see people reusing the same password. That means you trust all those sites not to abuse your password. So, do you trust one company (LastPass) or do you trust a dozen companies?

      They offer Premium services (LastPass on your mobile) and Company services (shared folders with passwords), that’s where they earn their money.

      Yes, not having support on konqueror/rekonq is a shame. But I have in the past developed two plugins for konqueror, and it was not fun. I hope this has changed since. If so, we can start a petition or something and ask LastPass to create it. I’m willing to ask them, if we have a good API to show them how to create such a plugin.

  3. I use the KWallet integration addon for Firefox. One of the most missing features of KWallet is cloud synchronization…

    1. I agree with Trapanator. What does LastPass have that KWallet doesn’t? It does not only work with KDE browsers, but with Firefox and Chromium as well, so if I already have a password manager running, why use another one?

      1. As I wrote before in the comments, pick the tool you want and that fits your needs. This is not a place to bash one solution over the other; I really don’t care which tool fits your workflow.

        Just don’t use the same password for each site.

    1. My washing machine has no password 🙁 … so unsafe!

      Anyway, this is a nice project for sure – but for me personally too unsafe.
      Even having a master key – I’m there on your site, you could even track my master key, or probably you one day forget to take your medication and clear my bank account (not that I’d ever save this data anywhere online :p).

      For me, personally, a Cloud where I can save my password file(s) and sync them to local clients where the company never gets my master key in their hands would be the solution.

  4. After reading your blog I had a look at LastPass. I wonder how this works security wise. After I created a LastPass Account I can log in to LastPass with my password and look at my passwords, edit them etc. If all this is possible with my LastPass password which I need to send to them in order to log in I wonder why it shouldn’t be possible for them or for someone who cracked into their servers to intercept the password and read my stored passwords. Also if I edit my passwords on their web page I wonder if the passwords are really encrypted/decrypted on my system only.

    Do you have more information about the security concept and how this works?
