Ask MetaFilter questions tagged with passwords

Practical risks of a single password for keychain AND cloud

philosophygeek — Sat, 23 Mar 2013 10:14:02 -0800

I have a third party password manager app that I love. That app syncs to an online cloud service, so I can access all my passwords from all my devices (as well as from a web browser if necessary). In practical terms, how much worse is my risk of having info compromised by using a single password for both my password vault and the online storage service? Assume that the reason I'm using a single password is so I can devote all my password memory to a single ungodly long password with a mix of symbols, numbers, cases, non-dictionary words, etc.

In other words, what is the practical impact of having two strong passwords (say 15 characters each) vs. one mega-long strong password (say 25-30 characters)?

What's the newest/bestest way to sync browser data across browsers & PCs

RolandOfEld — Sun, 03 Feb 2013 23:46:43 -0800

What is the best (non-keyboard based) way to evolve my amalgamation of browser installs, saved passwords, bookmarks, and maybe settings/extensions into a cohesive, probably exclusively Chrome-based, install? So right now I'm at the end of the Firefox phase of my life and I'm also nearly ready to configure the browser install on my new HTPC build as well as reinstall a few other OS's around the house.

The bad part is that means I'm going to need to A) clean, B) cull dead links, C) organize, D) plan the future of, and E) transfer the things I mentioned above. I understand that A, C, and D are likely manual tasks by definition. But the culling and transferring is something I'd rather automate if possible.

I've recently gained a bit of a better understanding of the Chrome side of things (sync) and know that I can disable it and or remove certain machines from being synced... That's helpful but planning out how to best get the things that should be transferred (not forgetting the Firefox side of things) and then setting the isolation as needed (like my office/work computer not needing to have my home bookmarks for example) still needs some work.

What tools/resources/hints/tips do you have that might be useful?

Thanks!

Question about password security

pete_22 — Wed, 09 Jan 2013 10:27:49 -0800

With email and website passwords, are successful "brute force" attacks still common, where an automated bot tries thousands and thousands of passwords on the same user account until one works? It seems to me they should have been pretty well made redundant by the simple and widespread policy of locking an account after x number of false attempts within y time frame, and requiring some backup confirmation method thereafter to unlock it again. If any major sites are not following that policy, why not? If it's frequently being circumvented, then how?

And if in fact these brute force attacks are no longer common or effective, why are we still encouraged (and often required) to have complex passwords? Why do I hear things like "if your password is a word in the dictionary, you may as well not have one"? How can this be true? It seems like the complexity of the password is only a defense against brute force attacks, not phishing or large-scale server side hacks, keystroke loggers, leveraging one compromised account to get to others, and the other methods that now seem more common.

I mean, I realize that "password" is a dumb password, but is a random word like "vermouth" really less secure than "f3GveT8k"? I understand why it's much less secure in a theoretical sense, but in practical terms is it significantly more likely to get hacked?

What's the password?

Evilspork — Mon, 26 Nov 2012 14:55:49 -0800

What's the password? I'm interested in secret codes that different groups use to identify each other. The groups might be illicit (14/88 for Nazi sympathizers, representing the 14 words and H H or 8 8 for Heil Hitler) or persecuted (drawing one half of the Jesus fish which the other person would recognize and then draw the second half). I don't think something like using the Navajo language as code during WWII would count.

Beyond that I'm not really sure what I'm asking for, I understand it's pretty wide open and nebulous, and that more modern ones would be harder to come by.

This is your Mac. This is your Mac on lockdown.

Admiral Haddock — Tue, 20 Nov 2012 09:22:33 -0800

Looking for best practices for home data security for an exclusively Mac household. We've had questions about security on the Mac before (search), and for protecting files and folders, a password protected disk image sounds like the way to go (I might also try Knox, though I'm not sure what it adds--but I use 1Password religiously). I'd be happy to hear any new developments (i.e., have people stopped experiencing FileVault corruption issues?), but that seems straightforward enough.

The slap to the forehead moment, however, was realizing that 1) I don't know what Keychain has in it and who could use it (assuming access to the machine), and 2) I leave gmail logged in, and my wife has Mail.app always running, and if someone had one of the machines, access to the email could give them broad access using "forgot my password" links (D'oh! I realize as I'm writing this that I should have separate emails for those that don't stay logged in!). And those are just the holes that occurred to me at 4:00 in the morning--I'm sure you Mac boffins can think of a million other overlooked holes.

I know TimeMachine is unencrypted, but if I nuke the drive and start backing up once I've set up a encrypted disk image, I'm assuming that I'd be ok (although does the archive allow, e.g., a cookie or open browser session to be backed up? Is that just magical thinking?). I also am wondering about unencrypted iOS backups--would there be a way to extract anything from them? Can you pull anything out of a Spotlight index?

I'll probably add a screen saver / wake from sleep password, but I know that doesn't secure data, just the most casual snoops (target disk mode, password resets, etc.).

TL;DR: assume I'm an average Mac user who's been lazy about security (using Keychain, "keep me logged in" status on Gmail and other web sites), no password to access Mail.app, no encrypted data other than in 1Password). Please tell me anything I need to delete, update, uncheck, install, opt out of, opt into, or buy to make my Macs locked down tight. I don't mind spending money, I don't mind inconvenience.

If my Macs were lost or stolen, I don't want to give one second's thought to the security of sensitive data or backdoors through email or Keychain or iOS backups or whatever. Thanks!

Help me keep Chinese hackers at bay

bellastarr — Fri, 03 Aug 2012 11:00:11 -0800

Help me block China Our small company email server (and hence, our network) is hit regularly with Chinese hackers trying brute force attacks on accounts. In fact I would go so far as to say that 99% of attacks on our network originate in China.

Conceivably, I could create (or copy - I know there are sites that already list these) giant access lists for our Cisco ASA to block the entire nation of China but I'm not sure if this is the best approach. I assume our firewall will take a massive performance hit if I do this. Of course their regular, constant attacks are probably not helping performance or my time either.

Are there any other options besides ACL's or what do you do - or do you do nothing at all and rely on your users to create good passwords?

Pass the password app, please

dawkins_7 — Tue, 12 Jun 2012 14:28:12 -0800

How does our small company need to manage our passwords? We are a small web development firm that manages about 30 websites at a time, plus various google and other accounts. On occasion, someone from the team has to be let go and the rest of us spend that afternoon frantically changing passwords and just hoping that we didn't forget anything.

My boss just asked me if I could find some sort of application or service where he could enter all of the passwords and give us each a password to that system. Then we could log in, hit a link to a particular password and have it log in for us automatically (so that we never see the password). Neither he nor I are sure that something like this exists but we thought it might be worth a shot to ask.

Barring the existence of such a system, I think we need at least an online system that will keep track of our passwords for us. What is your favorite?

Password management: syncing some passwords but not all

pavane — Tue, 20 Mar 2012 13:02:04 -0800

Please help me find the password management solution I'm hoping exists: the ability to automatically, dynamically sync a specific folder of passwords between accounts w/o involving Dropbox. Short version: what do businesses use so that people can store both personal and shared passwords in one place, and sync the shared passwords?

Longer version:
I'm a tech person at my organization, and I need a password management system that allows both:
a) two other people to access certain work passwords (in case I'm out sick, die, etc.) that are frequently created (e.g. new CMS site admin accounts)
b) me accessing those work passwords in the same interface as other, private passwords (e.g. email, my personal account for x work website) that are not to be shared with others

Currently, I have a personal Lastpass account and a work Lastpass account; the password for the work Lastpass account is shared with those two other people, and the work Lastpass account contains only those passwords I want to share.

Problem with this: I need to be logged into my personal account so I can access those personal passwords, which means remembering to manually share out every password that should also be accessible from the work Lastpass account. I often forget to do this, and the two accounts end up not containing the same work passwords.

I've been Googling various solutions and reading this and this, but haven't seen any that clearly do what I want (and I really don't like the various Dropbox hacks for security reasons). Ideally, I could have a "work" folder inside my personal account that automatically shared out/synced with other people's accounts... or some other set-up that doesn't involve remembering to go through the somewhat inconvenient sharing process Lastpass allows. Bonus points if the solution is either Mac or browser-based.

Thank you for your help.

Alert the next of kin. And Netflix.

Anonymous — Wed, 22 Feb 2012 18:48:04 -0800

How do I make my passwords available to loved ones if I die suddenly, but keep them secure while I'm alive? I'm relatively young and don't have a general purpose lawyer.

Is there a way I can make sure my family can access all of my online accounts if I die suddenly, but keep them from doing so while I'm alive? Writing all of my passwords down and handing them to my mother in a sealed envelope seems really insecure, and I change them regularly. I'm looking for a clever yet simple technological solution. I'd like to be able to revoke access if something bad goes down in the future. I'd also like to be alerted if someone tries to access this information before I die.

There are some tiny online companies that will do stuff like this for you, but I don't trust them to stay in business indefinitely.

Is there an obvious way to do this that I'm not considering?

What's a good way to share passwords with a team?

zooropa — Fri, 20 Jan 2012 14:51:06 -0800

What's a good way to share passwords among members of a team? A few days ago, my Twitter account was hijacked. I accidentally clicked on a link I shouldn't have and voila, instant DMs to all may followers soon came after. As you would no doubt guess, much hilarity ensued.

I've changed my Twitter password to something much stronger, so that's taken care of. A good friend of mine who is also a security analyst recommended I check out a password protection application like 1Password or KeePass.

While I'm considering both for myself, that got me thinking. Right now, various members of the team I manage share various passwords using a locked spreadsheet. Obviously, this isn't sustainable since I've heard they can be cracked. I'd like to switch to something a little more appropriate as a password vault. Here are our rather simple requirements:

More secure

Easy to use

Multi-platform (primarily Win7, some Mac, Android, iOS)

Cheap-ish or free

Any ideas? Recommendations?

Password security

dfriedman — Tue, 22 Nov 2011 18:35:27 -0800

Password security strength question. So, I just came across a site, which I will not link to, which had an extensive list of password requirements, among which are a minimum length of 8 characters and a maximum length of 12 characters. The site publicly and explicitly announces these limits when one registers for the site.

Isn't this essentially a giveway to brute force attacks? Any cracker knows that this site has passwords that range within a 5-character range of length. (12 - 8 + 1) = 5.

Other password constraints which further compromise the security of passwords include:

--maximum repeated characters: 2
--starts with a numeric character

Am I totally off base here? Or is this, in fact, a relatively weak security system?

Server security: creating separate silos for applications & hashing passwords help

the mad poster! — Wed, 16 Nov 2011 12:13:09 -0800

Can you help me understand how to approach a couple issues of server security. (1) I want to run things in 'silos', so that if someone from the web has hacked and has code level access to example.com/blog they can't query the db of example.com/app (2) If they do get access to a user database, how do I make it harder for them to figure out passwords (beyond just storing them as md5)? I'm thinking one thing that can be done is to actually encrypt passwords and put the shared secret in a place that can't be accessed by anything except the login code, something like that?

This would be based on linux & apache and most of the code for now would be php/mysql. Thanks for any info!

No, no, thats my boy scout troupe number!

hal_c_on — Thu, 01 Sep 2011 17:06:45 -0800

Multiple password logins. How do they work? Do they work? Why or Why not? I want to have a login, say "Billy6969". But depending on what password I put in, I want to login to a different account.

So if user:Billy6969 and Password:12345
I am logged into account A.

But if I user:Billy6969 and Password:123456
I am logged into account B.

How can I do this on a Mac, Linux...and shit, even PC (if possible)?

If I can't do this, is there any practical reason why this would be a bad idea?

And no, not multiple desktops.

Thanks mefites.

From newbie to expert in encryption and network security, where to start?

querty — Mon, 29 Aug 2011 07:02:00 -0800

If I wanted banks or companies like LastPass to hire me to be on their security team to make systems safer and to block out hackers, what websites/books/resources should I dive into to go from n00b to pr0 ?? I'm interested in how banks and these password managing software keep things safe, whether if it's through encryption or dual passwords or offline security devices or other things I don't know about.

I have some programming experience but know very little about stuff like encryption, network security, etc. So what should I be looking into?

Statistics filter: How do I calculate the keyspace size of a password?

vmrob — Sat, 27 Aug 2011 01:35:00 -0800

How do I figure out what the size of this password's keyspace is? I currently work for a large company with an archaic IT infrastructure and am forced to change my password every 90 days. While I don't specifically think that such a policy is unwarranted, I am constantly annoyed by the arbitrary restrictions that are placed on the passwords that they will allow me to use. I'm currently estimating the total number of distinct passwords that are possible in this system to be in the realm of 160 trillion, an astonishingly small keyspace for a modern password.

Help me figure out what the exact size of the keyspace is given the following requirements:

Must be exactly 8 characters.

Must contain at least 1 uppercase character

Must contain at least 1 lowercase character

Must contain at least 1 number

Must contain a leading letter (upper or lower)

May contain up to 2 special characters ($ or # only)

May not have repeating characters

Oh Randall, you do confound me so.

Ahab — Wed, 10 Aug 2011 01:11:58 -0800

Is Randall Munroe right about passwords in today's xkcd? Are very long (all lower case) plain text passwords more secure than short ones using a mix of numerals and upper/lower case text? Or am I missing the point, and it's just about not using dictionary words, or something else?

Can I create a modestly secure diary online using Wordpress, .htaccess, and a few tricks?

jspierre — Fri, 01 Jul 2011 13:39:56 -0800

I want to access my personal diary from anywhere - and keep it as secure as possible at the same time. Here's my idea on how to do this...what do you think? I have a personal diary I want to set up on the internet for my use only - it will be private, but I need to be able to access it anywhere - from home, my phone, my laptop, etc., so I do realize there are inherent insecurities, but I plan to make it as secure as possible and well-hidden. Here's what I'm thinking of doind - am I'm being a total idiot or could this work given the limitations I agree to below?

1. The Setup
The server is a Linux VPS with sufficient power and RAM to run all necessary services; assume the server and VPS are sufficiently hardened. I am in complete control of the server and it serves only personal websites and email accounts (no one else's sites are on my server). The diary itself will be running the latest version of Wordpress. Software choice is not negotiable.

2. What I'm not concerned about
Obviously, administrators of the server the VPS is on can access anything on the VPS should they want to. I'm not concerned about that. The diary contains nothing illegal and it wouldn't interest anyone who doesn't know me. However, as with any diary, it would probably interest those who DO know me well, especially the things I may say about those people that would be unflattering or rude. Therefore, my concern is more that the diary itself is kept from (a) Search Engines, (b) The casual peruser, (c) those who know me well and might attempt to "break in" to the diary should they know it exists. I am well aware that a true "Hacker" could probably get at the diary and my server without much difficulty, but again, this information is not valuable, would at mose be embarassing if released, and would not really interest a hacker in any case. The security should just be enough to keep away people with only low-to-modest technical ability. Also, moving the diary offline or into my home is not possible or desired.

3. How I plan to set up security
a. It will be hosted on a directory within a subdomain of a domain; both the directory and subdomain will be nonsense words and letters. For example, http://x993zhd.mysitename.com/jjkda86111. This, I believe, will make it difficult to find when combined with the next item:

b. The subdomain itself will use .htaccess HTTP password protection and will have exactly ONE username and password that will be acceptable. Both the username and the password will be random, nonsense, words and letters that are not related to any other password or username I ever use. I believe this should prevent the site from being findable by search engines (since the spiders cannot crawl past the password authentication stage) AND should prevent anyone from getting in by trying to guess common usernames and passwords. Also, csf/lfd will automatically block the IP address of anyone who gets the username and password wrong five times in a row and will simultaneously notify me via text message if that occurs.

c. I will use the "Registered Users Only" plugin with Wordpress. This plugin will not allow ANYONE to view the diary/blog without first logging in (I've used this plugin before and it works perfectly). I will set up EXACTLY ONE username and password that will be, again, nonsense words and numbers that, again, are completely different from any previous nonsense words and passwords. Also, creating any new usernames and passwords will be disabled within Wordpress. That combined with the next item will ensure that no one can just randomly try guessing the user name and password to access the blog.

d. I will use the "Limit Login Attempts" pugin with Wordpress that will automatically permanently block the IP address of any user who attempts incorrectly to enter a user/password three times in a row.

e. I will use the "User Access Manager" plugin with Wordpress which will restrict the viewing of all posts to only those users I designate. If you are not on the "allowed users" list, you see nothing but a blank page. This is a catch-all solution in case either c. or d. above fail or are hacked past.

f. I will use the "Log User Access" plugin to keep a log of every time the blog is logged into. That way, I can review it periodically to see if there are any dates or times inconsistent with when I believe I actually logged in.

g. I will set Wordpress to "Block Search Engines"...just in case.

h. I will review the website statistics monthly to see what IP addresses successfully connected to the site and ensure that only my own IP addresses show up.

So, basically, to access my diary, I would need to first browse to the special, nonsense URL, then get past HTTP authentication using a nonsense user name and password, then log in to Wordpress with a different nonsense user name and password before I will even be able to see my diary or add to it.

Now, given the security level I'm after (keep it away from the general public, search engines, and those who know me well, none of whom are extremely tech-savvy), does this approach meet that goal? What am I not thinking of or should I add for additional security or peace of mind?

Fictional Encryption Code

baronessa — Wed, 13 Apr 2011 11:46:28 -0800

Can you give me an example of what this ridiculously-hard-to-decrypt code might have been? I came across this article from 2006 that describes a criminal who encrypted a database in such a way that it would have taken police 400 computers and 12 years to crack the code. I'm working on a writing project now where I want to include a scenario like this, but I have no idea what the parameters of the set-up would be (my background in CS is minimal at best).

I don't need to know how it's done per se (I probably wouldn't understand anyway), but I would like to know what a good example of the code (or codes) might be (are we talking hundred of characters? Millions? Is it randomly generated? ASCII characters? Unicode? Something totally different?

Also, could this sort of thing be done with a flash drive? Any input you can offer would be great.

Recipe for super-duper website cookies?

holterbarbour — Wed, 30 Mar 2011 17:21:36 -0800

Some websites I use log me in automatically (Facebook) with full access to the site. Some automatically log me on, but require PW confirmation if I want to do something that may potentially compromise my security (LinkedIn, Amazon). Some websites demand a login each time I access the page (banking/trading sites; some of which save my login ID, none of which save my PW).I know precious little about this stuff. Cookies, is it? But there are some sites I use that would really be best if I didn't have to log in every time. For instance, I'm doing a professional education course through www.bcplearning.com (http, unsecured) and I hate having to log in each time (especially given the miniscule font and text entry box). I've also been ordering stuff through www.iherb.com (https, secured), and I'd really like to not have to log in each time. Usually, when I have to log into a site I can just put the cursor in the text entry field and arrow down (or mouse scroll down) and pick my login from the list. (Autocomplete, is it? I don't even have the proper vocabulary for this. How frustrating.)

My question is: Is there some way I can force my browser (FF 4.0) to store my login and PW for these sites? In FF, I looked in Options-->Security-->Saved Passwords, and they're all there. How do I get them to automatically log me in with that saved info?

1Password/Lastpass confusion.

damiano99 — Thu, 10 Feb 2011 18:29:34 -0800

I have severe 1Password/Lastpass confusion. Does one supercede the other or are they meant to be used concurrently, in an ideal situation? I'm confused whether they perform the same function or not. Please help me organize my stuff! Right now for personal usage, I'm using SPB Wallet on Windows and iOS. For my web passwords, I'm using Firefox's built in manager.

I just discovered 1Password and Lastpass. Both sound like they do what I want. 1Password will store all my "wallet" and personal #'s without problem. Lastpass seems like it would be ideal to store web passwords and logins and the reviewers rave about it. SPB Wallet isn't easy to use and it's been nearly abandoned by it's creators, in all appearances.

However, 1Password also saves web passwords and logins. I'm confused on usage. Should I stick to just 1Password for my "wallet" stuff and use Lastpass for the other or both or what? Can someone with more experience in this area help me out with some advice?

I was feeling insecure, you might not love me anymore

goshling — Wed, 05 Jan 2011 20:43:31 -0800

Having a minor freak out about identity theft, and looking for advice on making sure all my online information is as secure as possible. In October, my bank called me as they had spotted some suspicious charges on my VISA card. I confirmed these charges were not mine, so the card was cancelled. (The charges were both to Netflix, one was for $1.04 the other was $1.07)

In December I started receiving email from a company in Canada welcoming me to the their club and informing me they were sending out my introductory order. This email was sent to my most used email address, and included my full name, but the postal address was Canadian. I ignored their email and have not directly contacted this company, but have verbally reported it to my bank.
On 25 December my (less than 3 months old) VISA card was again frozen by the bank, due to a charge to AOL. By this time a charge had appeared from the club who sent me the email, so not only has the new card been compromised, but whoever did it also has my full name & email address, and who knows what other information.

I am still waiting on the paperwork to finalise the disputed AOL & club charges.

Also on 25 December I was sent 2 emails within about 15 minutes of each other from Firefox Sync saying I had tried to reset my password, which I hadn't.

I just noticed that 2 days ago I was sent 2 emails from my mobile phone provider also saying that I had tried to reset my password.

I am now rather unnerved and looking for advice to lock down my information as securely as possible.
Is it it likely that these events are coincidental?

I'm on a Mac, using Firefox 3.6.13 & 1Password. Just about all of my passwords are generated in 1Password & and the 1Password data file is stored in a Dropbox account. I have no idea what most of the passwords even are.
I've only been using a Mac for a little over a year, and still don't know a lot about the ins & outs.

Internet connection is via WiFi routers at home & at work, using (I think, WPA).

I'm fairly confident no one with nefarious intentions has physical access to my credit cards or my computers.

Ive been on the internet since 1995, never had anyone access any of my accounts before (that I'm aware of). I have been guilty of reusing the same password(s) in multiple places but I'm fairly sure anything remotely important now has it's own mystery password thanks to 1Password.

So any advice on ensuring my passwords/networks/computers are as safe as possible (sans disconnecting from the internet and never using a credit card ever again) appreciated. I am too nervous to even use the new credit card yet or do any internet banking, and the outstanding bills are starting to pile up.

Password management

philosophygeek — Sat, 01 Jan 2011 17:18:48 -0800

Up to now, I have used Apple's Keychain program to manage my passwords. I recently got an iPad, and now I have lots of login passwords that I don't have memorized and can't access from my iPad browser. So, I'm looking for a password management setup that will do the following things (or as many as possible): - Sync passwords between my mac and iPad (I have a dropbox account, if that helps)
- Autofill passwords on webpages on both my iPad (Safari browser) and mac (Google Chrome)
- Import my old passwords from Keychain
- Cheaper is better

How safe are my passwords?

Joe Beese — Wed, 18 Aug 2010 05:44:54 -0800

How safe are my passwords? I decided to get serious and stop using the same flimsy password everywhere. So today I installed KeePass and used it to generate a different password for each of my log-ins. The KeePass database is stored in a public Dropbox folder where it can be accessed by the MyKeePass app I put on my iPhone.

The KeePass database is encrypted in 256-bit AES/Rijndael. Each of the passwords it generated has at least 128 bits of entropy. However, my master password has only 75 bits. [Since I'll frequently have to enter it on the tiny iPhone keyboard, I wanted it to consist only of letters.] It's a pair of nonsense words I made up in high school - so it ought to be resistant to dictionary attacks. But I'd be happier if it was at least 128-bit strong as well.

Or would that be overkill? I've considered using Diceware to make a stronger all-letters master password. But it would require a 10-word phrase to pass the 128-bit threshhold. And the FAQ says "... if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day." [But the FAQ copyright notice begins in 1996. So he could be talking about the Pentium 166 era of cracking power.]

Assuming the worst case scenario that a malefactor has already found the KeePass database in the public Dropbox folder and is already at work on it, how long might I hope for the current 75-bit master password to hold out?

The sun is shining...but the ice is slippery.

2bucksplus — Mon, 26 Jul 2010 10:15:37 -0800

Tell me about the early days of using passwords to verify information on computers or over the telephone: 1. When we're people first expected to do so? 2. Did it seem weird to you at the time? 3. Was there anything analogous to the password concept at the time? 4. (Most important to me) How was the concept introduced to the public? Were you around when passwords were first introduced to the general public? Did it seem "high tech"? Did it feel like "Open Sesame"?

N.B. To a lesser extent I am also interested in PIN (personal identification numbers) especially as it relates to later password adoption.

Blackberry PW Manager to iPhone PW App?

thankyoumuchly — Fri, 07 May 2010 06:48:41 -0800

How can I automatically transfer my Blackberry Password Manager contents to my Windows laptop or iPhone 3Gs I have a Blackberry Bold 9000 on AT&T that I no longer use as I now have an iPhone 3Gs. I need the contents of the Blackberry Password Manager automatically transferred to my Windows XP laptop and/or iPhone. I have Blackberry Desktop Manager installed on this Windows laptop but I don't see a feature to extract the BB Password Manager contents in plain-text, only to backup the BB in an encrypted file.

Anyone have a solution that doesn't involve me manually copying/retyping each username/password from my BB to my Windows machine?