I second the 3 level password suggestion.

I have general password for all the forums, bulletin boards, random websites that I visit often but dont contain any of my financial info. I dont change it for a year or so

2nd level is for my email accounts & some store accounts, which are changed in 3/4 months

3rd level for all my financial accounts, I try to change them every so often say in 4-6 weeks.

Just store everything in ur brain.

humangenomics said:I use passwordmaker (http://passwordmaker.org), which is a firefox extension. Just remember a master password, and your site-specific password is calculated on the fly, and can be copied to the clipboard. Nothing to be stolen, and nothing can be key-logged. It also has some sort of fill-in capability. And an online version is also available.

passwordmaker looks intriguing and perhaps the most secure solution since it doesn't store any passwords or your computer. this makes it a lot more portable. the downside to it is that it does not remember the username.

edit: wrong. looks like it does store usernames.

kai2007 said:Seriously though, it seems odd to store all your password information on a piece of software residing on your computer. What if the company who designed the software designed it so they can pull your information in some manner?

I use Roboform because it received a clean bill of health from PC magazine, C-Net and others as being free from spyware. Its been in business a while and I have to believe that had they designed it to allow passwords to be compromised, somebody would have figured that out by now. BUT, that is certainly not a guarantee.

However, you are far more likely to have security compromised using a wireless hotspot that is being operated by a hacker/fraudster than you are to have a business such as Roboform selling software with backdoors in it. That being said, Sibersystems, the maker of Roboform, "is a privately-held company, incorporated in 1995 in the Commonwealth of Virginia, with offices in Germany, Japan, and Russia," so who really knows, eh?

By the way, the program is now offered for free if you sign up for some goofey deals such as "Stamps.com" and other offers, which you can cancel right away and still get the program for free. That should make you fat wallet folks happy. Just be warned, it is only the desktop version they are giving away for free. (If you have the thumbdrive version and when you are updating versions if it gives you the option to get the "pro" version for free, the code you get won't unlock the thumb drive, only the desktop version).

I *love* Roboform. Not only does it fill out your screen name and password but it memorizes them if you like when opening the account. It saves you from "fishing" sites because it only fills in the password if it is a the actual site used when memorizing the password, AND MOST IMPORTANTLY, it types out the HSBC Security Code on the freaking virtual keyboard (sadly it does not do so on the virtual keyboard of ING and Treasurydirect because those sites scramble the virtual keyboard!).

Also, it lets me easily encrypt notes, it has 5 credit cards on it and 5 banks with routing numbers and account numbers so I can fill out forms in a breeze. That way I can open up accounts in the time it takes to yawn, and have money transferred from and to wherever I like. AND it generates cool passwords like: B34fD6Ic6 I could never do that on my own.

I use Yodlee.
Then put codes like "Aw9" or "Br34" in the Yodlee Nickname field. Then I use autologin to allowed sites, and use the code to remember the password for the rest of the sites.

PGP encrypted disc

Password Safe: http://passwordsafe.sourceforge.net/ available in multiple languages and a U3 version. Also see: http://www.schneier.com/passsafe.html

Roboform is very handy and easy to use as well.

As previously mentioned, TrueCrypt looks very attractive for overall system encryption (http://www.truecrypt.org/). I have not tried it yet, but it's on my list to evaluate.

All these tools depend upon the security of the software (do you trust the code) and the underlying computer (are all applications and the OS kept up to date and patched). If the computer/network is compromised, you are potentially vulnerable to local keylogging or hijacking. You are also vulnerable to breaches in the remote system - not something you have control over, but by changing your passwords periodically, and using different strong passwords for each of the sensitive sites you access (i.e., sites involving money), you can exercise some control over your risk exposure.

For general security discussions, check out http://www.counterpane.com/crypto-gram.html. Previous newsletters are available online.