Ask MetaFilter questions tagged with passwords

Restore deleted usernames and passwords to Firefox?

sockpup — Tue, 17 Nov 2009 16:11:03 -0800

I errantly deleted all of my saved usernames and passwords from Firefox. Is there any way to get them back? I wasn't paying attention and clicked "remove all" instead of "remove". Mac OS 10.5. Firefox 3.5.3.

A three-digit password is not "too long."

Captain Cardanthian! — Tue, 20 Oct 2009 15:46:23 -0800

The Blurst.com registration page tells me my (12-character) password is too long, while a string of 100 A's is OK. FFF is a fine password, but 777 is too long. What gives? (Somewhat long but delightfully pattern-y description follows)

Let's say my chosen password is 99clobdatz47. This, it tells me, is too long. 99clob47, which is only eight characters, is also deemed too long. I then try just clobdatz, another eight-character password, but this time I'm told it's OK! In fact, clobdatz4799 is OK as well. Testing my hunch that it's those leading 9's causing the problem, I discovered some interesting patterns.

First off, passwords must be at least three characters. Two-character passwords are too short, and three-character passwords are OK, with the exception of passwords beginning with two numbers. For these, the following rules apply:
- Any three-digit permutation of the numbers 1-9 (0 is exempt) is too long. For example,
3: too short
33: too short
333: too long, and

4: too short
47: too short
479: too long, but

000: OK. (00 is still too short, but there's no commentary at all on a single 0) This has held up for every set of three numbers I've tried.

- Any two numbers followed by a letter will be "too long," UNLESS the first number is a 1, in which case it's OK regardless of the second number, e.g.

23b: too long
75x: too long
94d: too long, but

11k: OK
17a: OK
14m: OK. 111 is still too long.

- When you start messing around with zeros, things get extra screwy. For "number-number-letter" passwords, a 0 in the second place acts as any other digit would, making the final result "too long," unless the first digit is a 1 or 2. It makes no difference in "number-number-number" passwords.

30k: too long
90d: too long

10g: OK
20z: OK

100: too long
206: too long, and so forth. For numbers beginning with 0, a (non-zero) number in the second and third places will make it too long, unless the second number is 1, in which case the third can be any number, or if the second number is 2 followed by a zero. Any number can be in the second place if a letter is in the third. If the first two numbers are zeros, any number or letter can be in the third. A number followed by two zeros is still too long.

064: too long
053: too long
030: too long

017: OK
011: OK
019: OK

020: OK
025: too long
028: too long

07s: OK
03m: OK
02w: OK

003: OK
008: OK
00t: OK

900: too long
600: too long

- Finally, there doesn't seem to be any password that actually is too long, provided it doesn't start with two digits. 100 A's in a row was fine, as was the letter B followed by several dozen 8's.

So my question to you is simply, "Why?" It seems unlikely that these patterns were intentionally implemented, so how could they have arisen? If no password is in actuality too long, why use that as a reason for limiting passwords at all? Why are 1 and 2 special? Why any of it?

I'm open to both informed answers from knowledgeable sources and wild mass guessing. Thanks, all.

How not to store plaintext passwords?

bottlebrushtree — Thu, 08 Oct 2009 09:56:51 -0800

Best practices for storing OracleDB/mysql/ldap/smtp/etc... system passwords for enterprise application integration use? I'm working with a vendor who currently is storing passwords in plain text in configuration files.

If you've ever configured Wordpress you are familiar with how your mysql password gets placed in plain text in the wp-config.php file.
This vendor is doing a similar thing for mysql, ldap, smtp, etc...

This has made some people uncomfortable.

I'd like some suggestions for best practices to minimize the use of passwords in plaintext (or trivially encoded text) in text configuration files.

These passwords are being used to drive external databases, ldap auth, smtp sending, etc...

Their Java / Tomcat application is expected to be running 24/7 as a Server. This particular instance will be on Windows Server 2003 though Linux is also supported.

It would be nice if it would be possible to have unattended restarting of the application without a user having to enter in a master password, but if that is the only solution we may be comfortable with it.

Some background:

The application uses LDAP to authenticate users (and hence has the LDAP system password in a configuration file)

The application stores its data in a SQL database (Oracle in this case, though they also support mysql. We have to stay on Oracle)

The application sends mail using SMTP

Thanks.

sudo apt-get install help!

mannequito — Sun, 20 Sep 2009 21:01:27 -0800

LinuxFilter : I seem to have lost sudo privileges in Ubuntu. How to fix please? About a month back I picked up an Asus eeepc and installed #!CrunchBang on it, which is a variation on Ubuntu. Sudo worked fine for a couple of weeks, but the other day I went to install something and received this message:

(username) is not in the sudoers file. This incident will be reported.

Usual googling and message-board combing led to this solution
. But attempting to follow it, I enter my password after 'su -' and get a reply stating that the password is incorrect.

SO ... is this a catch-22, or has my password somehow been changed?

Syncing passwords between Windows, Mac and iPhone

snarfois — Sun, 14 Jun 2009 15:15:49 -0800

Help me synchronise my passwords across Windows, Mac and iPhone. Preferably without having to re-enter all my existing passwords. I use Passwordsafe on Windows, and I sync my password.dat file to my Macs using Dropbox, where I use Password Gorilla to open it, as described by Joel Spolsky.

Two problems with this:
(1) Password Gorilla is terribly shoddy, and is probably responsible for some data scrambling (fortunately non-destructive)
(2) I'd also like to sync my passwords to my iPhone

I'm prepared to spend money on software that'll do the trick. What I cannot see myself doing, however, is manually transferring the 100s of passwords in Passwordsafe to the new package. So it'll have to use or import Passwordsafe .dat files.

There are some other threads on AskMeFi related to this, but they don't have an answer.

What is my password again?

snowjoe — Tue, 03 Mar 2009 07:39:35 -0800

What do you do with your passwords? My passwords are killing me. I have been writing them down but I sure would like a better system. Are there any password programs that you would be willing to recommend? Other ideas? Bonus points if they are free.

How Can a Freelancer Safely Fire a Client

Anonymous — Wed, 18 Feb 2009 13:27:02 -0800

What's the best way, once I tell a client I'm done with her, to protect myself from claims of unauthorized access or sabotage on the systems I configured for her? I'm breaking off relations with a client I installed and configured a number of software packages for. I have ongoing access to all the software I installed -- shell accounts, database & other passwords -- because I agreed to do hourly support once the software was up and running.

My first thought is to prepare a notarized letter and send it via registered mail, providing a list of administrative accounts/passwords and advising the client to change them. My second thought is that I'm overthinking this and should just e-mail my point of contact with the information she needs to reset the passwords for herself, assuming that if she eventually does something foolish and breaks something she won't do anything vindictive and shift the blame to me.

I do have reason to believe a certain amount of vindictiveness is worth planning for in this case. Even if it's not, this seems like the sort of thing I should know in the future: The sort of people I do work for are not hiring extra technical help when they contract with me -- I am the technical help -- so there's not an in-house admin or engineer to close and lock the door behind me.

Looking beyond this instance, are there standard contract clauses or procedures among technical contractors that deal with this sort of thing? I'm more of a shade-tree mechanic than a high-speed consultant, but if it means setting up an LLC or something similar I'll do it if that's what it takes to keep relatively lucrative side work coming in.

Help Me Secure my USB Drive

Irontom — Thu, 08 Jan 2009 11:20:49 -0800

I have a shiny new 4 GB USB drive, and I want to secure the information on it (bank info, passwords, etc). What's the best (free) way to do this? rushmc asked this question 4 years ago, but that was a very long time ago. I need for the solution to be limited to the usb stick only - I will be using it in multiple environments where I do not have admin rights to the machines I am using.

Why do I have to create an account?

alms — Sat, 27 Dec 2008 21:16:25 -0800

Why do an increasing number of e-commerce sites force me to set up an account, including an e-mail address and a password, as part of the checkout process. I understand (and don't mind) when this is optional. But when a store forces me to set up an account and give them a password before they will sell me a product (or accept a donation, even) I find it obnoxious. This seems to be more and more common.

What should the password policy at a small liberal arts college be?

andythebean — Wed, 17 Dec 2008 12:00:28 -0800

What should the password policy at a small liberal arts college be? My college has been using a system by which you are allowed to set your own access password which in turn allows you to log on to college-owned computers and access your college e-mail account. It was recently decided that once we all get back from winter break that the following password policy will be implemented.

1) Your password must be at least 8 characters
2) Your password must be changed every 90 days
3) You must use a password for at least 3 days before it can be changed.
4) You may not reuse the previous 12 passwords.

Is this a reasonable policy for base level access to computer labs and email? It seems like there will simply be a lot of people keeping their password written down somewhere quite public, most likely their college-issued planner.

How do I pretend I was never here?

M.C. Lo-Carb! — Fri, 08 Aug 2008 08:48:31 -0800

Today is my last day at my current job. How do I explain this to my office computer? I am leaving my current employ (and print journalism, w00t) for a new job, and today is my last day.

Over the years I've been here, I got to the point where my work computer is like my home computer, in that gmail, my bank account, ebay, amazon, various blogs and lots of other web sites automatically load up with my username. Or Firefox automatically fills in login info, etc.

Is there some simple way I can make this computer forget I was ever here?

It is unlikely that our dim-witted IT department will clean it off before the next employee plants his ass here, and I'd rather he not start posing as me on Metafilter, purchasing jesus cheetos on eBay or otherwise make use of my online identity.

My work computer runs on XP, if it matters, and only uses Firefox for browsing.

Ethical/Legal Reasons for keeping passwords secret?

chrisfromthelc — Wed, 06 Aug 2008 12:49:56 -0800

What are your ethical opinions on supervisors knowing thier direct reports login information? I work in IT for a small company (re: I AM the IT department). A supervisor recently requested all of his employees' login information under the guise that some employees leave certain programs logged in. Now, obviously this is not the true issue at hand. I informed this person that I could not, in good conscious, divulge that information (all new accounts are forced password changes at first login, and every X days afterwards) even if I had it.

I'm in an equal position as this person, so anything serious (firing, etc.) is extremely unlikely, but knowing this person, they will make my life difficult if they possibly can.

I've been in IT for over 10 years, and every employer has handled it the same way: if you have a specific need for something, we'll retrieve that data if it's work related, but we're not giving up passwords.

I'd love to hear the hive mind's thought on this. Yes, you are not my lawyer.

Someone hacked my… something... somehow

studentbaker — Tue, 05 Aug 2008 11:05:14 -0800

What do you do when you think you've been hacked, but don't know how? This morning, when I tried to check my gmail with my iPhone, I got an error that the username/password combination was wrong. I was connected to my home network at the time. I re-entered the password in the iPhone settings and tried check it again. I got the error that the connection to the server “imap.gmail.com” failed. Feeling funny, I went to my Macbook and changed my gmail password in the google account settings.

At lunch, I checked gmail from my work PC and noticed a spam message that got through which I found strange since gmail has been very good lately at blocking spam. The spam was sent from my account. I know that it’s easy enough to spoof this, but I did check my sent mail and there it was. Someone sent the email from me, to me. The email subject was: “Anjelina Jolie Free Video”. The content was: “The password on archive anjelina”. There was an attachment: Angelina_Jolie.rar which I did not open. It was sent at 12:32 pm. I was definitely at my desk during that time.

I quickly changed my password again, and I made sure the new one was very strong. But, what now? Check my home and work machines for keystroke programs? Check to see if my home network has been hacked? How would I go about doing this, anyway? I feel like I need to change all my passwords now – bank, social networks, etc. – but what if they are watching me… Right Now!?!

Password Manager Nirvana?

tcv — Sat, 15 Mar 2008 19:10:55 -0800

Is anyone aware of a password manager that will perform the following functions? Is anyone aware of a password manager that will perform the following functions:

1. Run on Windows machines.

2. Have both an admin and user mode.

3. Supports automatic sending of passwords and/or copy-pasting passwords to password dialogue boxes including web-sites, RDP sessions, customized applications?

4. Have said user-mode allow someone to put passwords into authentication challenges, but otherwise not allow the user to edit and/or see the password in plain-text.

I'm guessing not, but I thought I would ask...

Cheers,

m

Password heck

shownomercy — Thu, 03 Jan 2008 06:58:42 -0800

Any advice for a tri-platform, multi-computer, maybe not hashed, password manager for a large volume of ftp/ssh/ and misc logins? I have a lot of various logins I need to keep track of. Most are ftp/ssh so I use kde's network connections manager, and things like keychain in osx. The problem is that if used as the main storage, the passwords are hashed and basically unrecoverable. Using the same machine or operating system all the time is not an option. And of course these things are not linked together in any sane way; its a matter of remembering to enter them at the same time in three places.

Wiki type solutions are probably out, as I do not want to be storing all my sensitive information under one potentially insecure password, online. I have considered flat text files (which takes care of my misc logins) but this seems almost as bad. Any methods, scripts, or advice would be greatly appreciated.

How to store text files on my cellphone?

chairish — Fri, 03 Aug 2007 13:08:11 -0800

I'm looking for an application for my mobile phone that will look after passwords and short text files. I have a Motorola V6 Maxx which serves me well (decent camera, webbrowsing and music player). The one feature that I need is the ability to be able to store and read short text files on the device. I'd also like to be able to encrypt the files or password the application as well, just in case the phone goes AWOL.

I can't really justify the expense of changing phones - this one came to me as an insurance claim and it meets most of my needs. Storage space isn't an issue as I have a 2GB transflash inside the phone.

Any ideas?

Share a password without really sharing a password...

ud-gb — Mon, 09 Jul 2007 10:02:14 -0800

I'm looking to arrange a particular password setup with several unpaid staffers in my office. Here's the arrangement: 5-10 folks each day access one or more of ten online accounts that we communally use. I want to ut able to easily distribute the passwords and have the users be able to employ them without ever being able to see what it is. I want to find a system that look like this:
-For each user, they need me to enter a master password at the beginning of the day.
-They can then have the functionality of the passwords (so they can access any of the 10 or so websites they need to reach), but (here's the biggie) cannot delve into any settings and be able to see the password itself. E.g., no matter how much digging in the settings, all they would ever be able to see are asterisks.
-I am able to distribute updated passwords without manually entering them for each system.

Currently, I distribute a keepass file and log each user in at the beginning of the day, but cannot ensure that the user doesn't burrow into the settings and see or export the passwords.

Any thoughts on how I could give them this functionality without allowing them to ever see the passwords themselves?

Thank you in advance for the thoughts and any help. This is a wonderful community.

please help, Mac issue

cg2 — Thu, 21 Jun 2007 14:40:57 -0800

Need help bypassing password protection I have an iMac G5 OS X that was never password protected, until last weekend when I left it unattended with my roommates at my apartment. When I turn on my computer, it asks for a user name and password (both fields are empty) and I don't have any clue what either field are. Is there any way that I can bypass these fields or is it hopeless?

Why can't my Keychain.app settings work for both Safari and Camino?

invisible ink — Tue, 19 Sep 2006 14:29:21 -0800

I typically use Safari, and have my preferences set to store all of my passwords and user names in my Keychain.app. However when it starts acting up and giving me the spinning beach ball, I use Camino (v. 1.0.3.) When I try to log in to a website, it asks me for my user name and password - do I really have to fill in ALL those passwords and user names all over again? In other words, is there any way I can get Camino to access the passwords I saved using Safari? Note: I have the "Allow saving in Keychain" and "Autofill passwords in web forms" boxes checked off in my Camino preferences.

What is the point of using a salt when encrypting passwords in a web application?

chrismear — Sat, 26 Aug 2006 12:05:25 -0800

What is the point of using a salt when encrypting passwords in a web application? I've lately seen a lot of recommendations in the web app world to add a random salt to users' passwords before encrypting them (MD5 or similar). The salt is then stored in the database along with the encrypted password. People talk about this as if it adds a major extra layer of security, but I can't understand the benefit of it.

I can understand the benefit of doing this in a situation where the encrypted passwords are easily accessible (such as the traditional UNIX passwd file). Without a salt, the attacker can take the list of encrypted passwords and run a pre-encrypted dictionary against them quickly and easily.

But if you're trying to crack a login page on a web app, your two options are basically to either do a brute force dictionary attack against the login page itself, or somehow get hold of the (encrypted) password table.

In the first case, it doesn't matter what encryption or salting you've got going on behind the scenes, since your attacker is just firing normal plain text passwords at your login form. So salting doesn't help security here, does it?

And in the second case, if you've hacked the server to the extent that you're able to read a table of encrypted user passwords from the database, don't you have about as much access as you're ever going to need? Why not just read the other tables in the database to gain access to the confidential information? Why bother trying to crack the passwords? I suppose it would make sense if you were storing user credentials in one database and user data in another database, but this doesn't seem to happen often.

What am I missing? Why bother doing this?

Rocover forgotten windows xp pro admin password

JohnnyGunn — Wed, 21 Jun 2006 14:01:13 -0800

I cannot remember my windows XP Pro password. I am an administrator. Need to install software and change to a dynamic ip address. I have a pc that has been idle (not in use) for about 8 months. I was planning on using it again. I tried every password I have used in the past 5 years. None work. I have tried basic others like "password", "administrator", etc.

The person who built this pc for me is not reachable. He has moved with no forwarding info.

Is there a way to either reset the administrator's password, my password (I am an administrator), or upgrade the permissions of an existing user to be an/the administrator? I can login to an account that is not an administrator.

Or am I SOL?

Non-irritating password remembrance?

pornucopia — Sun, 09 Apr 2006 21:44:07 -0800

I want my browser to remember my password for a couple of sites, but it must assume that I don't want most of my passwords remembered. I hate browser popups that ask "Remember this password?" What's a good solution? I use Firefox on Windows.

How can I store my passwords online securely?

bkdelong — Thu, 02 Mar 2006 05:35:48 -0800

PasswordFilter: Any places to store passwords online? I keep running into a problem with storing my passwords - I use Password Safe but I tend to be hard on computers and lose a HD every 6mo or so, thus loosing both my Password Safe DB and my PGP Private Key.

I've been finding various "Web Services" sites to manage things like calendars, address books, and even archive all my email. What I'd really like to find is some sort of online version of Password Safe. A site with an https login or security like hushmail.com.

I've tried using a system.....but even if I write it down, sometimes I forget the system or loose the paper.

I'm afraid if I use a USB Key, I'll loose the key.

Is there an online site where I can store my passwords or at least automatically have my PWSafe DB and PGP Private keys get sent to? Perhaps a reliable WebDAV service that I can make a Web folder in which I can install PGP and PWSafe?

Password expiration best practices?

pzarquon — Mon, 27 Feb 2006 11:16:36 -0800

Is there an "industry standard" for password expiration periods? With the understanding that it depends on the "industry," and ultimately at the company/agency level, can a broad generalization be made that most corporate environments enforce {x}-day password expiration periods -- be it 30 days, 45 days, 60 days, 90 days, etc.? Is there a default starting point for IT security wonks?

There are some commonalities in password policies - longer than 8 characters, mixed characters, don't reuse old passwords, etc., but I've seen a huge range in expiration periods, all the way up to none.

Any security guys here who can point to some acronymed standards body or guideline with a number? Or will it always be, "it depends"?

Getting password from Firefox to Safari?

trey — Thu, 09 Feb 2006 06:58:05 -0800

How do I get a password out of Firefox and into Safari without some crazy encryption skills? I have a four-digit password to a site (specifically a site to check on the status of a PhD application) that is auto-saved in Firefox. I don't really use Firefox all that much, preferring Safari. How can I get the password into Safari so I don't have to load up Firefox every time I want to check on that application?

I already tossed the piece of paper with the password/PIN on it, so that option is out.