Hackers are believed to have stolen the personal details of millions of people using the online job site Monster. Users around the world have been affected, including the 4.5 million users of the UK site.
So if you have an account there, go change your password. And if it happens to be the same password as you use anywhere else (like mine was) go change it in all those places too. I know, it's a pain, but it's not as bad as the alternative.
Here for more information:
[help.monster.co.uk...]
If you're like me with >50 sites that require authenticated accounts, it takes 4 to 5 hours to go through them all and change the passwords. Yes it is a laborious process. But if you consider how much time you've spent playing WoW or surfing Digg or watching Hamsters On Pianos Eating Popcorn, I think you'll agree it's a precaution worth the time spent.
I've done this a few dozen times, so here are some tips:
1) Keep a list of all your passwords in one place - a physical book, stored somewhere secure + hidden in your home. Don't save it as a digital file, and don't keep the list online or on your C://.
2) Use a binder. One page per account is a good idea. Then you have plenty of space to cross out the old PWD and write down the new one.
3) It may be convenient to use the same password for multiple accounts... but obviously it's not a good idea. If you have trouble remembering PWDs, come up with some kind of non-mathematical algorithm that you can use to translate the domain into a password. For example:
Amazon.com
Starts with A, ends with N. Like my cousin Aaron, who was born in 1978.
∴ my amazon password is "%aaron(81)"
Ebay.com
Starts with E, ends with Y. Like my friend Eddy, who was born in 1965.
∴ my ebay password is "%eddy(65)"
Obviously this is not my real formula, it's just an example.
4) Whenever you sign up for a new account anywhere, write it in the book.
The physical book full of your passwords makes the security sweep really easy to do. Do one, turn the page. Continue to the end. Done. No guessing or wondering if you missed any.
5) For each site, record ALL the information you can use to authenticate. For instance, you'll almost always need a user name and a password, but sometimes there'll also be a "secret question", an account number, or even a URL which points to your profile or account management panel.
6) If it's a site you own, it goes in the book too. You'll have peripheral authentication like the server's FTP creds, SQL connection creds, DBA accounts, multiple Wordpress logins, Developer tokens, Affiliate id's, Analytics accounts, etc etc
7) Don't forget to do your online banking accounts too! Change your PIN frequently. That may require a trip to see a real human bank teller.
8) Do not allow the book to leave your residence! If you need reminders of certain passwords while you're out and about, make a copy of the ones you need on a slip of rice paper written with beet juice and put it in your wallet. When you're finished with the copy, eat it.
Making this a routine will keep your accounts secure, or at least relatively secure. But as an added bonus: if you perish, it's convenient for your heirs and executor to access your accounts if they're all enumerated in one place. Keep the book secure and safely hidden, but DO tell at least one other person where you keep it, like whomever is mentioned in your will as an executor or power of attorney.
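The "translate the domain into a password" idea above, carried through with a proper key derivation instead of a mnemonic: this is an added example, not the poster's scheme or any product's code. It stretches one master password with PBKDF2, then derives each site's password with an HMAC over the domain plus a per-site counter, so that after a breach like Monster's you rotate that one site by bumping its counter and nothing else changes. The salt, master phrase and domains are constructed sample values.

```python
import hashlib
import hmac

# Output alphabet: upper, lower, digits and a few symbols (75 characters).
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789"
            "!#$%&*+-=?@^_")


def master_key(master_password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stretch the master password once with PBKDF2-HMAC-SHA256.

    The salt is a random per-user value kept next to the site list; it is not
    secret, it only defeats precomputed tables. Derive this once per session,
    never per site, so the slow step is paid only once."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def site_password(key: bytes, domain: str, counter: int = 1, length: int = 20) -> str:
    """Derive a per-site password from HMAC(key, domain || counter).

    The domain is lower-cased so 'Amazon.com' and 'amazon.com' agree. Bumping
    the counter for one domain rotates only that site's password; the master
    password and every other site stay as they were."""
    label = f"{domain.lower()}\x00{counter}".encode("utf-8")
    out = []
    block = 0
    # Draw HMAC output blocks until enough characters have been accepted.
    while len(out) < length:
        stream = hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in stream:
            # Rejection sampling: skip byte values that would bias the mapping.
            if b < 256 - (256 % len(ALPHABET)):
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values; a real salt would be 16+ random bytes stored with the list.
    key = master_key("correct horse battery staple", b"constructed-salt-value")
    for site, ctr in [("amazon.com", 1), ("ebay.com", 1), ("monster.co.uk", 2)]:
        print(f"{site:15} counter={ctr}: {site_password(key, site, ctr)}")
```

The counter is the piece worth writing down in the book: a page per site with its current counter is enough to regenerate every password, and the book on its own is useless without the master phrase.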
But think of all the germs it picked up with the money ya got in there... but if you're like me there ain't none, so I guess I will be ok with the rice paper and beet juice. :)
A few months ago I got into an argument with their customer (dis)service, about the volume of spam they were loading into my inbox. 20 job postings a day that "met my criteria"... "in my area"....
a) I'd never asked for these mails, and hadn't touched the account in almost two years when they started sending the mails
b) "met my criteria" ran the gamut from structural engineer to shipper/receiver
c) "in my area" was apparently anywhere in Canada.
So why am I feeling lucky? The conversation with their customer service dept. ended up with them deleting all traces of my account. A result that pleased me at the time. And doubly so now.
As for password management, I've taken to using KeePass. I keep one copy on two different USB sticks. One I carry with me and one I have in a drawer at home for backup. My password complexity has improved as a result, because I don't actually have to remember any of them.
What do you guys think about Clipperz?
I'm not even going there. In theory, I hate it. Just the idea that my pwds are "out there" in someone else's control is a liability.
If Google leaks my AdWords creds (an arbitrary example - it's never happened AFAIK), that's a trust issue between me and Google. That account could be compromised at any time, but the breach will be limited to my Google accounts, and won't affect my other online accounts (like banking, twitter, amazon, facebook, etc). Not only am I resistant to add a 3rd player into any trust relationship, but I don't want multiple passwords sitting in a central repository out there on the WWW with which a hacker (or insider) could destroy my online identity and empty out my life savings.
Rule #1:
ANY site can be compromised. It's not a suspicion, it's the truth. These things aren't always the work of hackers, sometimes it's insiders at the host, evil ISPs, network trollers, scammers picking up your creds via social engineering, phishers, or a virus silently keylogging on your own PC.
Plus... any decryption that happens in your browser is insecure. End of story.
Another "obfuscation" technique I've used is barcodes. Print out passwords as barcodes (various different barcode schemes can be installed as fonts) and you can pretty much leave it lying around. It's just an 8½ x 11 sheet of paper with a bunch of barcodes on it. No one looks at it twice.
But if you know the order/pattern that you've laid out the barcodes on the sheet, and have a USB barcode scanner...
An easy way to remember passwords is to substitute numbers for letters, and use memorable phrases which evoke images:
CheeseAndPickle becomes
Ch33s3AndP1ckl3
That's a hard one to crack using brute force, and very memorable.
Also: Have simple, same passwords for sites you don't care about. Have more complex, varied ones for sites you do.
I couldn't live without it.
Also have it on a USB stick for use on internet cafes (virtual keyboard to prevent keylogging)
Great topic for me, as it's been a long time since I've been to this site and had no idea of my user name or password. Had to do the "forgot password" thing then suddenly remembered it - and realised the site just sent my password to an old email address of a domain I stopped using a long time ago. Had to quickly change my email and password if only to prevent the new domain owner logging in as me.
Roboform solves all that. As soon as I arrive at it, it would:
A. Show "Webmasterworld" in the little box, so I know it's the right site (handy against phishing sites)
B. Allow me to either fill fields or fill and submit
You just have to remember your master password (I've set mine to require it every 3 hours or upon reboot)
It's a HUGE timesaver. If you're not using Roboform you either didn't know about it or you're plain silly :)
P.