Gracepoint After Five

A design blog by those of us with day jobs

My Password File

OK, I confess: I keep all my passwords in a single text file, and I store it online.

How am I supposed to remember my username and password for the Oracle iExpense thingy at work?  Or the member ID for my health insurance?  I have to keep them online so the information is available whether I’m at work or at home.

Maybe I’ll be the next cyber-theft victim, like the poor folks at Twitter whose corporate documents were compromised because they stored it all online in Google Apps.  Tsk tsk.

Well, the way I’ve been able to pull it off and still sleep at night is a combination of two tools (both are available for Windows as well as OS X):

  • Dropbox: online storage that syncs a folder across your machines; the backend is actually Amazon’s S3 service
  • TrueCrypt: open-source on-the-fly volume encryption that lets you quickly mount and unmount encrypted volumes.

Dropbox is a great tool, available for Windows and OS X, that keeps a folder synced online and available everywhere.  I know there are many other similar services and I’ve tried my share.  However, I’m a big believer in Dropbox because in my experience it doesn’t crash and doesn’t miss a sync.  You can be moving files around in it, copying a large file in there, and then, for kicks, yank the internet connection.  Next time you log in, it syncs flawlessly.  Beauteous!

Inside Dropbox, I store an encrypted file container created by TrueCrypt.  I can mount that file container like a USB drive, and I can in turn store sensitive files in there.

I know there are password websites out there, but I just don’t trust some third party to store my passwords.  “Store all your passwords in a single place!”  Something about that value proposition gives me the creeps.  Those sites are a dime a dozen, and all startupy.  Not my idea of real security.  Ultimately, I want to be the only one who has the keys to the safe.  There’s a similar technique that uses Disk Utility to create a password-protected, AES-encrypted .DMG file, but that requires you to remember never to save the password to your keychain when you mount it, and unless you create the image as read/write (or as a sparse image) it is read-only, which makes changing its contents a pain.

Creating your Encrypted File Container

After you install Dropbox, create a folder called Secure, which will hold a file called Secure Files:

[Screenshot 1: the Secure folder and the Secure Files container in Dropbox]

Secure Files is actually an encrypted file container created by TrueCrypt: a single file that TrueCrypt mounts as a virtual disk, much like a .DMG disk image, except that everything inside it is strongly encrypted (I’m using Serpent-Twofish-AES, three ciphers in cascade).  You can easily create one in TrueCrypt by clicking Create Volume:

[Screenshot 2: TrueCrypt’s Create Volume wizard]

Save your encrypted file container in your Dropbox’s Secure folder, or save it to your desktop and copy it into Dropbox later.  The encryption algorithm is up to you.  I chose Serpent-Twofish-AES, but keep in mind that every cipher on offer is far stronger than any password you’ll actually type: TrueCrypt derives the key that unlocks the volume from your password, so the password is what really protects the container, not the cascade.  Next, set a volume size of 50MB (more if you need to store lots of stuff in there; Dropbox uploads only the changed blocks of a file, so a bigger container doesn’t mean re-uploading all of it after every edit).  Create a volume password (a very long one, preferably, and one you don’t use elsewhere), pick a filesystem type (I’m using FAT for the widest compatibility, which is fine for a handful of small text files) and format the volume.

Now drag your encrypted file container from Dropbox onto TrueCrypt and mount it.  Voilà!  A super-secure disk image to go.  You can drag important documents and password files directly into the mounted volume (it shows up like a USB disk in Finder):

[Screenshot 3: the container mounted in TrueCrypt]

[Screenshot 4: the mounted volume in Finder]

When you dismount the volume (either through TrueCrypt or Finder), TrueCrypt forgets the key; the contents of the container were never written to disk unencrypted in the first place.  Even if your Dropbox account is somehow compromised, the attacker gets only the encrypted container, and the only thing between them and your password file is the volume password, which they can now guess at offline, on their own hardware, with no rate limiting.  That is why the password has to be long.  Two practical caveats: dismount the volume before you switch machines, because editing a mounted container on two computers at once gets you a Dropbox “conflicted copy” and lost changes; and uncheck “Preserve modification timestamp of file containers” in TrueCrypt’s preferences, since with it on (the default) Dropbox may not notice that the container has changed and won’t sync it.
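The compromised-Dropbox case deserves a closer look, so here is an added example (my own code, not the author’s and not TrueCrypt’s) of what the attacker actually holds: the container file, which lets them test password guesses offline at full speed, making the volume password the only real defence.  The script uses only the Python standard library.  The header layout, the PBKDF2 iteration count, the word lists and the attacker’s guess rate are constructed stand-ins for the demo, not TrueCrypt’s real format or parameters.

```python
import hashlib
import hmac
import math
import os
import secrets

# Assumed parameters for this demo; TrueCrypt's own header format, hash
# function and iteration counts are not reproduced here.
ITERATIONS = 100_000
SALT_LEN = 16
KEY_LEN = 32
MAGIC = b"TRUE"  # stand-in for the header check a guess is verified against


def derive_key(password, salt, iterations=ITERATIONS):
    """Password-based key derivation: the slow step an attacker repeats per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def make_header(password, salt=None):
    """Build a (salt, verifier) pair standing in for an encrypted volume header.

    A real header holds the master key encrypted under the derived key plus a
    checksum; either way a guess is confirmed or rejected with no online
    service involved.  Here the verifier is an HMAC over a fixed magic string.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt)
    return salt, hmac.new(key, MAGIC, hashlib.sha256).digest()


def check_password(password, salt, verifier):
    """What mounting does: derive the key and see whether it opens the header."""
    key = derive_key(password, salt)
    candidate = hmac.new(key, MAGIC, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, verifier)


def dictionary_attack(salt, verifier, candidates):
    """Offline attack with a leaked header.

    Returns (password, guesses) on success or (None, guesses) on failure.
    """
    for guesses, guess in enumerate(candidates, 1):
        if check_password(guess, salt, verifier):
            return guess, guesses
    return None, len(candidates)


def search_space_bits(length, alphabet_size):
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length, alphabet_size, guesses_per_second):
    """Expected brute-force time: on average half the space must be searched."""
    return 2 ** search_space_bits(length, alphabet_size) / 2 / guesses_per_second


def generate_passphrase(n_words, wordlist):
    """Random passphrase from a word list.  TOY_WORDS below is a constructed
    eight-word list; a real list (diceware-style) has thousands of entries,
    which is what makes each word worth roughly 13 bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed sample data for the stand-alone run.
LEAKED_WORDLIST = ["password", "123456", "letmein", "qwerty", "dropbox"]
TOY_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glyph", "harbor"]

if __name__ == "__main__":
    salt, verifier = make_header("letmein")  # the weak password an attacker hopes for
    found, n = dictionary_attack(salt, verifier, LEAKED_WORDLIST)
    print(f"weak password recovered: {found!r} after {n} guesses")

    salt, verifier = make_header(generate_passphrase(6, TOY_WORDS))
    found, n = dictionary_attack(salt, verifier, LEAKED_WORDLIST)
    print(f"passphrase recovered: {found!r} after {n} guesses")

    # 1e5 guesses/s is an assumed attacker rate for illustration only; plug in
    # whatever your threat model says a GPU rig manages at this iteration count.
    for length in (8, 12, 20):
        secs = expected_crack_seconds(length, 62, 1e5)
        print(f"{length} random alphanumerics: {search_space_bits(length, 62):.0f} bits, "
              f"~{secs / 86400 / 365:.1e} years at 1e5 guesses/s")
```

Run it directly to watch the weak password fall to a five-entry word list while the random passphrase survives it, and to see how the expected crack time grows with password length.  The cipher cascade never enters into it; the attacker only ever has to beat the key derivation and your password.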

I also keep a copy of the TrueCrypt installer in the Secure folder, next to the container (not inside it, or I’d need TrueCrypt to get at TrueCrypt), in case I’m on a Mac that doesn’t have it.

Now you can keep your password file guilt-free!


Categorized as Tech

5 Comments

  1. Awesome blog. I’ve followed this advice and appreciate the fact I’ll be sleeping better tonight; my million passwords are secure and portable. Kudos. Shane from Melbourne, Australia.

  2. I use the exact same technique, except that I use Disk Utility to create the encrypted disk image.
    That’s one less tool to maintain, as it’s on every Mac.
    I read that they use this technique at Apple to transfer confidential files.

  3. I do exactly the same, except I create a really small (just 1 MB) TrueCrypt volume since it’ll only contain a couple of plain-text files. It’s easy to store, quick to sync, and you can use it even over slow connections.

  4. @raphael: the one advantage TrueCrypt has over the DMG is that it’s Windows/Mac compatible. So if I’m at a friend’s computer, I can go to getdropbox.com, grab my file and decrypt it on his Windows machine. The advantage of DMG however is that it’s fewer clicks (no need to open a separate application to decrypt).

  5. Since you’re on a Mac, you ought to look at 1Password [1]. It is widely considered THE password manager for the Mac. And with 1Password 3 you now can access your passwords via a webpage through Dropbox so you can even use it on Windows if you’re so inclined. It’s called 1PasswordAnywhere (1PA) and it feels just like you are using 1Password, but it’s in your browser. If you’re concerned about security and browser caches, see the page where they discuss 1PA in detail on their blog [2]. They talk about encryption and browser caches in the comments.

    It also stores wallet items (credit cards, drivers licenses, etc), software license keys, etc. Just about anything you want to keep secure.

    Well worth the price.

    PS – I don’t work for them. Just a happy switcher.

    matte

    [1] http://agile.ws/products/1Password
    [2] http://www.switchersblog.com/2009/09/1password-3-feature-spotlight-1passwordanywhere.html
