Ask MetaFilter questions tagged with password

How do I remove password protection for logged in users?

Solomon — Mon, 28 Dec 2009 13:06:45 -0800

How can I make password protected posts visible to logged in users, but still require a password from guests, in Wordpress 2.9? For example, I have a password protected post on my blog. I want it to be visible to all logged in users, just like any other post, but I want not-logged-in people to have to enter a password to view the post.

Logged in user: sees the post as if it wasn't protected in any way.
Guest: sees the password box on the post and is then able to view the post after adding the password.

How can I do this?

Can any RSS reader read private Blogger blogs?

freddymungo — Wed, 09 Dec 2009 22:21:07 -0800

How can I view private Blogger blogs in any RSS reader? Is there any way? I think it's silly that I can't in Google Reader, since I use the same account to read those blogs as in Google Reader. Bonus points if there's a good downloadable (not online) service that can finagle it.

Are login boxes on http:// pages secure?

mono blanco — Tue, 01 Dec 2009 18:39:33 -0800

Some major websites--such as Facebook, Vox and others (but not Metafilter!)--have users enter username & password on an http page rather than an https page. Is this as secure as logging in via https:// and if so, why?

Stand back! I don't understand regular expressions

specialagentwebb — Wed, 18 Nov 2009 12:44:17 -0800

How do I use regular expressions to express "at least one of each of these, but not necessarily in this order"? I'm working on setting password verification for a website (ASP .NET, if it matters), but I can't wrap my head around the regex. I've never been that great at regular expressions, but this has me boggled. I roughly understand the "one or more" part, and how to define letters, numbers, and special characters, but how to combine them?

Here are the rules:
The password must contain at least one lower-case letter, at least one capital letter, at least one number (0-9), and at least one special character (!@#$%^&*).
No whitespace allowed.
It must be at least 8 letters
It must have a special character in the first 7 positions
The first and last characters can not be numbers.
It can't contain the user's username (probably easier to make this a separate validation).

The first one is the one where I get really stumped. So what's the prognosis, Hivemind? Is it possible to evaluate all of this in one regex, or should I just do one validation for each requirement?

Please suggest a software to password protect and hide data on Windows 7.

libbrichus — Sun, 25 Oct 2009 01:08:02 -0800

How do I password protect a folder or partition in windows 7 and also not have its contents included in Windows index or Everything. I do not want encryption, only password protection, so please don't suggest Truecrypt. I was using a software called My Lockbox and it does the job well but its contents still get indexed by Windows and Everything. I can exclude its location but is there a software that just password protects the stuff and makes sure the files are not read by indexing softwares even while the folder is unlocked.

I am not looking to hide it from anyone seriously looking for anything who'll run software/Live CDs to access the data. Just want to hide the embarrassing stuff from casual family users.

A three-digit password is not "too long."

Captain Cardanthian! — Tue, 20 Oct 2009 15:46:23 -0800

The Blurst.com registration page tells me my (12-character) password is too long, while a string of 100 A's is OK. FFF is a fine password, but 777 is too long. What gives? (Somewhat long but delightfully pattern-y description follows)

Let's say my chosen password is 99clobdatz47. This, it tells me, is too long. 99clob47, which is only eight characters, is also deemed too long. I then try just clobdatz, another eight-character password, but this time I'm told it's OK! In fact, clobdatz4799 is OK as well. Testing my hunch that it's those leading 9's causing the problem, I discovered some interesting patterns.

First off, passwords must be at least three characters. Two-character passwords are too short, and three-character passwords are OK, with the exception of passwords beginning with two numbers. For these, the following rules apply:
- Any three-digit permutation of the numbers 1-9 (0 is exempt) is too long. For example,
3: too short
33: too short
333: too long, and

4: too short
47: too short
479: too long, but

000: OK. (00 is still too short, but there's no commentary at all on a single 0) This has held up for every set of three numbers I've tried.

- Any two numbers followed by a letter will be "too long," UNLESS the first number is a 1, in which case it's OK regardless of the second number, e.g.

23b: too long
75x: too long
94d: too long, but

11k: OK
17a: OK
14m: OK. 111 is still too long.

- When you start messing around with zeros, things get extra screwy. For "number-number-letter" passwords, a 0 in the second place acts as any other digit would, making the final result "too long," unless the first digit is a 1 or 2. It makes no difference in "number-number-number" passwords.

30k: too long
90d: too long

10g: OK
20z: OK

100: too long
206: too long, and so forth. For numbers beginning with 0, a (non-zero) number in the second and third places will make it too long, unless the second number is 1, in which case the third can be any number, or if the second number is 2 followed by a zero. Any number can be in the second place if a letter is in the third. If the first two numbers are zeros, any number or letter can be in the third. A number followed by two zeros is still too long.

064: too long
053: too long
030: too long

017: OK
011: OK
019: OK

020: OK
025: too long
028: too long

07s: OK
03m: OK
02w: OK

003: OK
008: OK
00t: OK

900: too long
600: too long

- Finally, there doesn't seem to be any password that actually is too long, provided it doesn't start with two digits. 100 A's in a row was fine, as was the letter B followed by several dozen 8's.

So my question to you is simply, "Why?" It seems unlikely that these patterns were intentionally implemented, so how could they have arisen? If no password is in actuality too long, why use that as a reason for limiting passwords at all? Why are 1 and 2 special? Why any of it?

I'm open to both informed answers from knowledgeable sources and wild mass guessing. Thanks, all.

Google, please believe me when I say this is my password.

banannafish — Tue, 13 Oct 2009 19:44:44 -0800

After getting a new logicboard installed on my MacBook Pro this past week, why does GoogleUpdateInstaller constantly ask for my password every few minutes? I'm only using GMail notifier and it is making me insane. Sooo, after a new logicboard (thank you cat vomiting all over computer) install this past week, I have been getting a log-in prompt every twenty or so minutes saying, "Type your password to allow GoogleUpdateInstaller to make changes" and has my computer name and blank password, but no option for "remember password" or the ability to add it to my password chain. After I type in my password and hit "OK" it brings up the Google Notifier, but there are no software updates available. I have uninstalled and reinstalled GMail notifier about five times now, and I'm still getting this error and it is driving me insane. How can I get this to disappear? As an added note, no other program has exhibited any of these problems, or even asked for my password. My Google-fu is completely busted.

Give me my Money!

asuprenant — Sat, 03 Oct 2009 18:56:47 -0800

How to recover/break MS Money password? Hi, I just migrated to a new computer and am bringing over a backup from Microsoft Money (2002 or 2005).

I backed up the account to a .mny backup file, but when I try to open the file on my new computer, I'm asked for a password, which I don't remember setting (or ever being asked for) on my old computer, and none of my standard passwords seem to work. Gargh.

To complicate issues slightly, I'm traveling this week and don't have access to my old computer, just my .mny file and new Money installation.

So - any way to break/workaround the Money password? I've seen a lot of purported services online, but they seem pretty shady. Thanks!

Catch a Thief

Anonymous — Mon, 21 Sep 2009 12:36:32 -0800

NearImpossibleFilter: Help me track down the owner of an email adress. Someone has somehow gotten ahold of my passwords or accounts and setup forwarding to an email address I'm unfamiliar with (@gmail) on four of my personal email accounts. All four are tied to my blackberry - which is practically taped to my head 24/7. No seriously this thing is never out of my sight.

I realize this maybe nearly impossible, but any regular tips or secret hack tools to help me get closer to finding out who the owner of this email address is?

And yes, I changed all of my passwords on any type of online account that I own to very secure and unrelated password (I think I've already forgotten two of them) and cleared out the forwarding.

Throwaway email: getthetheif@gmail.com (yes its spelled incorrectly)

Manipulate pdf file

Mr_Thirdworld — Thu, 06 Aug 2009 19:03:30 -0800

Possible to edit contents and remove password from pdf? I have a pdf document that I reference often. The thing is, it requires me to input a password every time i wish to view it. Is there any way that I can remove the password while keeping everything else in tack? I would also like to making changes to the information found in the footer of the document. Any ideas?

I just want to check my facebook!

wild like kudzu — Sat, 11 Jul 2009 13:38:12 -0800

Can anybody help me with my wireless router? So, I've set up a wireless network for my apartment, and when I set it up a few months ago I entered a password (although it may have been provided automatically, I don't remember if I made it up or not). My computer saved it, as did my roommate's, so we never thought about it again. Recently my roommate's computer bit the dust and her replacement computer requires the password. I wrote the password down, but I've since lost the paper it was written on. For the life of me, I can't seem to figure out what the password is or to change it.

When I pull up the advanced settings of my network I can see under the Association tab that it is an open connection and requires a WEP key. The space for the password shows that it is an 8-digit code, and whenever I try to change it simply by typing a new password into that space I get an error message that says: "The network password needs to be 40bits or 140bits depending on your network configuration. This can be entered as 5 or 13 ascii characters or 10 or 26 hexadecimal characters."

What does that mean? Is there anything I can do to change the password entirely?

Some facts you might need to know:

It's a Belkin G Wireless router
We use Comcast as our internet provider
I'm operating on Windows XP on an ASUS laptop
We are connecting through an Atheros AR5007EG Wireless Network Adapter

Any help or tips is much appreciated! Thank you :)

Syncing passwords between Windows, Mac and iPhone

snarfois — Sun, 14 Jun 2009 15:15:49 -0800

Help me synchronise my passwords across Windows, Mac and iPhone. Preferably without having to re-enter all my existing passwords. I use Passwordsafe on Windows, and I sync my password.dat file to my Macs using Dropbox, where I use Password Gorilla to open it, as described by Joel Spolsky.

Two problems with this:
(1) Password Gorilla is terribly shoddy, and is probably responsible for some data scrambling (fortunately non-destructive)
(2) I'd also like to sync my passwords to my iPhone

I'm prepared to spend money on software that'll do the trick. What I cannot see myself doing, however, is manually transferring the 100s of passwords in Passwordsafe to the new package. So it'll have to use or import Passwordsafe .dat files.

There are some other threads on AskMeFi related to this, but they don't have an answer.

How to prevent Outlook 2007 & Live Messenger from resetting username and password?

thomasck — Sun, 10 May 2009 01:07:49 -0800

Hi this problem occurs on my wife's PC where her Outlook 2007 (Gmail) & Live Messenger (Version 2009) password settings occasionally get 'reset'. It happens maybe once a month. How do I prevent this from happening? My wife saves her username and passwords to Outlook and Live Messenger so that she doesn't have to type them each time she turns on her PC. Normally when she opens up Outlook, it will start downloading emails. Same as Live Messenger. When she opens the program, it just logins automatically.

But on rare occasion when she turned on her PC, her username and password is no longer 'saved' - Live Messenger. As for Outlook, her passwords are gone, meaning she has to type them in again. Both problems happen at the same time.

I just want to know what could be causing Outlook to forget the 'passwords' and Live Messenger to completely delete her login info (both username and password). I have tried scanning her PC for viruses using Kaspersky online scan and Malwarebytes Anti-Malware, but didn't pick up anything. Her PC is currently running a live subscription of Norton Internet Security 2009.

PC details:
Microsoft Windows Vista SP1
Intel Core 2 Duo E6300
4gb RAM

Password safe exchange?

y6y6y6 — Mon, 06 Apr 2009 14:51:20 -0800

I want to build a flashdrive based password safe that my whole family can use. I have a good start I think, but I'd like some ideas for making it actually work. The overview -

I'm growing concerned that I'm wandering around with too mauch information that would be extremely hard to recover if anything happened to me - Passwords for everything from my on-line banking to my domain hosting, contact lists, various email accounts, billing information, etc. And I know my family is running around with their own ocean of sensitive information. I know there are third party services that can manage all of this, but I'd prefer to not host it somewhere that a) may go belly up at any time, and b) is a stranger that now has all my family's most secure data.

My plan is to hand out USB flashdrives to everyone. These drives will have KeePass for storing passwords, TrueCrypt to provide an encrypted space, and AxCrypt to encrypt files if things need to be emailed. KeePass would be the main application here.

KeePass allows seperate password databases to be password protected and passed around with each file being self-contained (though you still need KeePass to open them). So each family member could create there own password safe, put their own password on it, then mail the file to everyone else who would store it on their flashdrive. Updates would be just as easy. Everyone's password file would still be secure, since you'd still need their personal password to open their database.

So, in a nutshell, I would have a flashdrive that had several password safes. But I'd only be able to get into mine. Some mechanism would need to be established so I or other family members could get access to the other files.

Here is the tricky part, and my question - How do we secure everyone's personal password? We'd need to recover it in the case of a tragedy, but it should still be secure until then. I'd like to find a solution that was somewhat portable, like the flashdrive. And I'd rather not pay some third party such as an attorney.

What is my password again?

snowjoe — Tue, 03 Mar 2009 07:39:35 -0800

What do you do with your passwords? My passwords are killing me. I have been writing them down but I sure would like a better system. Are there any password programs that you would be willing to recommend? Other ideas? Bonus points if they are free.

"This Wu album is PHAT!"

AlbatrossJones — Sun, 25 Jan 2009 11:10:30 -0800

When I was 12, I did a good number of product reviews on Amazon. 10 years later, I'm embarrassed that someone might find my glowing reviews of (ugh) Eminem and Smash Mouth. I want to delete that Amazon profile (and subsequently all of the reviews), but I don't have the e-mail or password for that account--I wrote those back in the 28.8kbps dial-up days. NO RECOLLECTION WHATSOEVER. What can I do to get that account deleted? :-(

Someone is spamming from my gmail account.

roofus — Sun, 11 Jan 2009 23:08:11 -0800

Has my gmail account really been compromised? Someone, or something seems to have spammed my entire contacts list, from within my gmail account, despite my having a strong password. (Same problem described by this german gmail user).

Has someone really stolen or guessed my password, and do I need to take anti-virus precautions beside changing my password? I am running OS X 10.4.11.

The previous activity on my gmail account suggests someone was using it elsewhere at the time the emails went out, in a GMT+8 timezone:

Browser 115.49.96.23 5:28 am (1 hour ago)

The text of the email and the header (minus 500 email addresses) are below:

---
Dear,
Good day!!!
I would like to introduce a very good company, electronic products
Wholesale dealer.
I have bought some products from company,the price was very cheap,
and the products are very good quality!
Just have a look at this web page : http://www.hpp[redacted].com/
I am sure you will could save a lot of money!
Happy new year!!!!!
Best regards!!!
introduction give you of friend!!!
---

This is the header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:received:received:message-id:date:from:to
:subject:mime-version:content-type;
bh=K6tVhE5iH9jG8/7W3sL3UlYq6awTl26w2OX6rEz6znw=;
b=aEmoNLBhwOJd78gsKoXBSfQU7ZrUJ5yW9TwQe4BS9Z95uMciQgV0xulNnSwsF78wrz
K5BSCZPAJSWwTatBtW+N3lrFHYGRYnJxBXIY2n27cuFJf+C4pZk51F7oJwQUqQDwFzHT
uZqHFcLFBsyEYbK9C3ovp4b/IPtr8ra+Qq618=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=message-id:date:from:to:subject:mime-version:content-type;
b=qtqP0ZUW3LzE837BnVjmCGEIxXrpddkhrjWNDruuZm4M372ePF8bBfUUq+/qvzKgdQ
xvqRgGgOLp9VAxhgPbhVNnAAA/thhEqJtw09/A61L0gREHySwCvINze1Yfi7sY6DEZKM
ewL1U02Pwa/pHMmAUIpFgrJMxEiKi2PrjIa4o=
Received: by 10.215.100.13 with SMTP id c13mr4320711qam.377.1231738078819;
Sun, 11 Jan 2009 21:27:58 -0800 (PST)
Received: by 10.214.43.15 with HTTP; Sun, 11 Jan 2009 21:27:58 -0800 (PST)
Message-ID:
Date: Mon, 12 Jan 2009 13:27:58 +0800

Best practices for self-service password reset solutions?

bda1972 — Fri, 26 Dec 2008 10:30:13 -0800

Best practices for self-service password reset solutions? My company is preparing to start a project to make self-service password reset available to our users. The technology of the project is fairly straight forward but I would appreciate some suggestions about how others have handled rolling this out. These are a couple of my concerns (but other suggestions are welcome as well):

- How did you secure the external web site so someone couldn't guess passwords all day? We use RSA SecurID so we're thinking about setting up a portal that only requires username and SecurID token which then takes you to the PW reset page. We have a decent amount of remote and traveling users so external access is a must.
- The system is worthless unless users register and answer their challenge questions BEFORE they forget their password. How did you get users to initially register? We've discussed nuisance messages upon login, raffle off a prize (day off, special parking spot, etc) to all registered users or shaming them by providing lists to all department heads. We have about 1200 users so it would be a huge pain to harass employees and their managers to register. Our best case scenario would be a way to literally force them to register.

I'd also be interested in hearing from users of self-service password reset solutions and what they like and don't like about their solution.

openldap password change webapp?

tarheelcoxn — Wed, 17 Dec 2008 08:17:24 -0800

Need a webapp to allow my users to change their own LDAP passwords. I've got slapd (openldap) running on an Ubuntu server. I have various webapps (mediawiki, trac, cacti, etc.) that auth against slapd. I'd like my users to be able to change their own LDAP passwords by going to a webapp, and I thought I might be able to use phpldapadmin for that, but no dice. Does anybody know of a (preferably standalone) webapp for allowing users to change their LDAP passwords? I do not currently give my users login shells, and most of them wouldn't be comfortable using a CLI to change a password anyway. If you know of something packaged for Fedora (the OS), that's good, too.

Demonstating password cracking

bent back tulips — Wed, 03 Dec 2008 06:51:21 -0800

I need a utility or small program to demonstrate password cracking. At work we're organising a day of "educational" games for 14-15 year old students. My game aims to teach them about safe online behaviour including importance of anti-virus software, not giving out personal details, etc.

One of the things I want to show them is the importance of good passwords. I plan to have them enter a password on the computer at the start of the session and then attempt to crack their passwords during the 25-minute session to (hopefully) demonstrate that weak passwords are bad. Essentially I want a program that will allow us to enter some passwords and then start trying to crack them.

The machine we'll have access to will be a fairly high spec laptop, 2.6GHz and (I think?) around 10-15 GFLOPS. There is a possibility of being able to tap into a mainframe and use that computing power to crack the passwords, but I'm not sure if that's going to happen.

For the laptop I'll probably need something that will run on Windows; Unix or z/OS for the mainframe. I'm prepared to do a bit of fiddling/scripting to get it to work as required.

Some kind of visible output would be nice on the screen while they're getting on with the other tasks. Not essential, but it will show them that it's doing something.

So, how feasible will it be to crack one or more passwords (entered by 14-year-olds, but nonetheless) in around 25 minutes? And how can I do it?

Plain Text Password in Welcome Email

TauLepton — Sun, 23 Nov 2008 23:50:51 -0800

Online Security Filter: Welcome email contained plain text password. Specific examples of why this is bad needed. I know this is a bad security practice. But why? My searching is coming up blank, so I'm turning to AskMeFi-ers.

I want to reply with documentation to the below conversation. No opinions, please; given that mine didn't really amount to much for them. :-)

(The site in question didn't ask for my cc # to sign up, but the same credentials would be used to make a purchase. At that time, a cc # is attached to the account.)

==============================
Comment: I just signed up for an account. As this is a shopping site, I used a password that I wish to remain secure. However, I just received an email thanking me for signing up. It contained my password in clear text. This type of security breach gives me concern for shopping with *****.
==============================
Thanks for the feedback Julie. I don't agree with you that this is a major security breach, but I will consider it in the next edition of our cart.

AJ
==============================

iPhone password manager that syncs with Windows

chefscotticus — Thu, 13 Nov 2008 19:28:57 -0800

Best iPhone password manager -- needs to sync with Windows (without storing on internet) -- How do I do this? Currently using KeePass on Windows to manage passwords. More about long-term storage than day-to-day passwords (think investment portfolio, not nytimes password).

I just got an iPhone and want a secure way to have access to my passwords from my iPhone, and in a way that syncs to a Windows-interface.

What should I do if I can't log in to my router all of a sudden?

rintako — Wed, 29 Oct 2008 13:26:16 -0800

My router password changed itself! I'm using the DD-WRT firmware on WRT54G v7 Linksys router, what can I do? Hi. I'm 99% sure that I didn't forget the password because I had been tweaking the router a week or two ago, and I had used the same password when installing a router for my friend.

I don't know what's going on, but I can't log on to my router anymore. I'm using the dd-wrt firmware version: DD-WRT v24 RC-7 (04/24/08) micro

What can I do?

Stop locking me out!

Anonymous — Wed, 22 Oct 2008 23:23:58 -0800

How can I keep PointSec from switching my screen saver preference? My company's IT recently installed the PointSec software package on my laptop. This is security software that is primarily designed to encrypt your hard drive. One of the secondary features it has is to make your screen saver password protected. Is there any way to turn this feature off?

Now, I know that this program by its nature is difficult to modify or remove without administrator passwords. I'm not interested in incurring the wrath of my IT department by trying to do so. However, I can temporarily turn off the password feature by going into the Display Properties dialog and unchecking the 'On resume, password protect' box. So, clearly, this particular aspect can be somewhat modified. It's just that every time I reboot, the box is again checked. I'd prefer to not have to undo that with every reboot. Is there any possible way to do so, by monkeying with the registry or something?

FWIW:
HP Compaq 6515b
Windows XP SP3
PointSec PC 6.3.1

My MacBook takes revenge on me for spilling bacon, beer and chocolate on it.

TomSophieIvy — Sun, 28 Sep 2008 18:26:03 -0800

My MacBook (2 years old) logs me out as soon as I log in. Exasperated details inside . . . Running OS X 10.4.11. Three logins - the other two are not affected. I've changed the password. I've googled and checked mac boards...
OK, my login is accepted - but then the login screen reappears after about 3 seconds. I try again, and again, and then the Three Stooges theme song cues in my head. The only thing that is different - the last thing I did was some kind of auto-update (no, I don't remember the program) and I don't recall if I signed in after that. (Yes, I am aware of how much that helps.)
Bonus points if the solution does not involve tracking down any of the original discs. Thank you!