# Tools for managing multiple passwords

Passwords should not be stored in cleartext.

# Local

- **1Password** – [https://agilebits.com/onepassword](https://agilebits.com/onepassword)
- **IronKey** – [https://www.ironkey.com/news/verisign-ironkey-otp-password-service](https://www.ironkey.com/news/verisign-ironkey-otp-password-service)
- **KeePass** – [http://keepass.info/](http://keepass.info/)
- **PasswordSafe** – [http://passwordsafe.sourceforge.net/](http://passwordsafe.sourceforge.net/)

# Hosted

- **LastPass** – Best used with two-factor authentication, such as **[YubiKey](https://lastpass.com/support.php?cmd=getproductfaq&product=other_yubikey)**, **[Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en)**, or another option (**[http://twofactorauth.org/](http://twofactorauth.org/)**)
- Note: There is always a possibility of a [breach](http://news.cnet.com/8301-1009_3-20060464-83.html) of the vendor.

Password managers rely heavily on a long, strong master password. One suggestion is to use an algorithm to create unique passwords based on the site name or some other criteria. Another tactic to consider is using a *pass phrase* rather than a *password*, since a phrase emphasizes length. Some good examples can be found at:

- [http://www.dc214.org/notes/july2005/Mnemonic-Password-Algorithms.pdf](http://www.dc214.org/notes/july2005/Mnemonic-Password-Algorithms.pdf)
- [http://www.seas.ucla.edu/security/passwords.html](http://www.seas.ucla.edu/security/passwords.html)